From firewalls-owner Wed Nov 1 03:22:57 1995
Date: Wed, 1 Nov 1995 06:18:51 -0500 (EST)
From: Adam Jack
To: Mike Shaver
Cc: hal@netmarket.com, mam@ssds.com, scott@disclosure.com, mjr@iwi.com, firewalls@greatcircle.com
Subject: Re: What about the next 20 Java-like applications? ( was Re: Java):
In-Reply-To: <199511010517.AAA05319@neon.ingenia.com>

On Wed, 1 Nov 1995, Mike Shaver wrote:

> > HotJava can be hard-coded-configured shut by an Admin (though this sucks)
> > and you can filter out http://*.class to keep it out.
>
> The issue Hal raised (you're right, it's an old one) is of untrusted
> versions of software coming in. You can't solve that without
> eliminating execution permissions on anywhere that they have write
> access. Possible for some user communities, not at all for others.

Fine - then it isn't a Java issue - and the risk is contained by only
allowing write to a directory decided by the firewall manager. If there
is no possibility to do this - then write is disallowed. (For what it
is worth, and I only browsed the documentation, there isn't any
mechanism in Java to set file permissions.)

> > I really hoped, given the experience on this list, that a better informed
> > discussion might occur. Unfortunately there doesn't appear to be anybody,
> > with experience, spending any real time analyzing it.
>
> Analyzing what?
> It's not a finished system yet, and Sun isn't releasing the source to
> the pre-beta JDK stuff, so it's hard for anyone outside Sun to do any
> serious analysis of what _is_ there.

There is plenty of stuff to get started on. Their white papers cover most
of the issues I've seen raised here. If it is the interpreter you want to
review - and not the 'applets & Java language' (which have been discussed
so far) - then I must agree with you. This discussion started w/ the
threats of applets - not the threats of overwriting interpreter stacks.

However - this is consistent w/ my mumbled point. This thing is out (and
prolific) and it needs to be dealt w/ with reasoning. Agreed - Sun did a
dirty by piggybacking HTTP - but any marketing savvy organisation would do
that. Things, like Java, can gain more momentum long before they have been
analyzed by the field. (I guess sendmail is an example ;-)

> > What I don't hear from this list are criteria for quantifying
> > risk.
>
> I think quantification of risk is a slippery slope, but that's
> personal opinion. (Leads towards pigeonholing problems/solutions in
> potentially inappropriate ways, IMVHO.)

An excellent point - and one I'd say I was too inexperienced to counter.
All I am saying is that there needs to be a way to let firewall managers
deal with the hordes of new applications on more than a Yes/No Safe/Dodgy
basis - w/o months of personal analysis. Compared to the known holes of
NFS - HotJava might be considered safe. Compared to Word Macros in e-mail
- safe. Compared to FTP - unsafe. But where in that range does it sit?

> > Or proposals for rapid response certification bodies.
>
> I'm unfamiliar with the term (been away from firewalls@greatcircle for
> a while, if that's a good excuse), but I think the current system of
> incremental, earned trust is a good one. If Ed deHart says "X is a
> hole. Y fixes it." then I'm likely to believe him, etc. Sure, it
> creates potential for abuse (imagine the horror if Eric Allman went
> bad!), but that's the nature of trust.

I made the term up on the spot - so no surprises. My point was that these
individuals were already occupied and unlikely to be in a position to
trust N new technologies per day. Incremental earning of trust is OK when
technologies grow incrementally ... like Netscape ;-) ?

Adam
--
+1-203-730-5437 | http://www.micrognosis.com/~ajack/index.html

From firewalls-owner Wed Nov 1 03:53:10 1995
From: Mike Shaver
Message-Id: <199511011152.GAA06724@neon.ingenia.com>
Subject: Re: What about the next 20 Java-like applications? ( was Re: Java):
To: ajack@corp.micrognosis.com (Adam Jack)
Date: Wed, 1 Nov 1995 06:52:16 -0500 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Adam Jack" at Nov 1, 95 06:18:51 am

Adam Jack mumbled something vague about:
> On Wed, 1 Nov 1995, Mike Shaver wrote:
> Fine - then it isn't a Java issue - and the risk is contained by only
> allowing write to a directory decided by the firewall manager. If there
> is no possibility to do this - then write is disallowed.

Under HotJava/Netscape, only applets loaded from the "local" filesystem
can access the filesystem. Network-loaded ones can't do jack, which is,
IMHO, the way to do things.

> (For what it is
> worth, and I only browsed the documentation, there isn't any mechanism in
> Java to set file permissions.)

I think you're right. It might be available through some mucking with
the file I/O classes, but I don't recall seeing a way.

> However - this is consistent w/ my mumbled point. This thing is out
> (and prolific) and it needs to be dealt w/ with reasoning. Agreed
> - Sun did a dirty by piggybacking HTTP - but any marketing savvy
> organisation would do that. Things, like Java, can gain more
> momentum long before they have been analyzed by the field. (I
> guess sendmail is an example ;-)

Sun didn't really pick HTTP... you can (and I have) used FTP to load
applets on a web page. Or gopher. Or.... HTTP is used in most cases
because that's the most common way of transporting HTML, in which is
embedded the magic tag that makes it all work.

Sun provided HotJava as a means of demonstrating the features of its
new toy, java. These features included architecture-neutral bytecode,
secure execution of potentially untrusted code, and dynamic loading,
among others. HotJava doesn't define the limits of java any more than
Netscape defines the limits of HTML. It uses the technology, but if
people have a problem with executable content, they shouldn't confuse
it with having a problem with java.

I'm confident enough in Sun's implementation of java and the security
mechanisms that I let my users run HotJava inside our 'wall. In fact,
I'm encouraging them to develop applications with java instead of CGI,
since it requires no access to servers, etc., and IMHO the applets
operate in a more secure context. YMMV, of course. My confidence in
the implementation comes from the reputation of Sun as a corporation
and from my own perusal of the source.

> Compared to the known holes of NFS - HotJava might be considered
> safe. Compared to Word Macros in e-mail - safe. Compared to FTP
> - unsafe. But where in that range does it sit?

Depends on how secure you're making the other protocols at your site.
NFS over encrypted IP might be more secure than HotJava. A
mis-configured ftpd could be thousands of times worse than HotJava.
I figure I'm a lot more likely to be burned by a sendmail hole or a
library bug or bad IP fragment handling or whatever than I am by a
malicious applet, so I'm not losing anything by allowing HotJava to
run (with the appropriate security modes) internally. And then we're
back to the policy issue... personally, I'd rather have a user load an
applet from the network and have it run with the restrictions than FTP
it and run it without them.

> I made the term up on the spot - so no surprises. My point was that these
> individuals were already occupied and unlikely to be in a position to
> trust N new technologies per day. Incremental earning of trust is OK
> when technologies grow incrementally ... like Netscape ;-) ?

But if people aren't going to trust Sun, Netscape, etc., who's to say
that they'll trust the One True Certification Authority? _That_ trust
has to be built incrementally...

Mike
--
#> Mike Shaver (shaver@ingenia.com)   Ingenia Communications Corporation <#
#> UNIX medicine man -- dark magick, cheap!                               <#
#> When the going gets tough, the tough give cryptic error messages.      <#
#> "We believe in rough consensus and running code."                      <#
From firewalls-owner Wed Nov 1 05:52:57 1995
Message-Id: <199511011339.IAA20267@gauntlet-1.trusted.com>
Date: Wed, 01 Nov 1995 09:30:56 -0500
To: Benoit Dicaire, Firewalls@greatcircle.com
From: Frederick M Avolio
Subject: Re: TIS implementation question
Cc: Mike.Jones@aule-tek.com

At 09:20 AM 10/31/95 -0500, Benoit Dicaire wrote:
>Mike Jones wrote:
>
>>I'm trying to make an estimate of how long it would take to have a
>>reasonably competent engineer get and set up the TIS toolkit on a SunOS
>>4.1.4 system. I'd appreciate it if anyone who has done this could give
>>me a ballpark figure.
>
>Okay, let's define some stuff first:
>
>Reasonably competent engineer: someone who knows *well* the platform
>he wants to use for the firewall. Good knowledge of TCP/IP, read Cheswick &
>Bellovin's book and read the list for more than two months.
>
>Setup a firewall (technical side): install the core module of TIS and several
>modules from public domain. Write scripts to automate things, parse logs, etc ...

You left out modifying the operating system source code or configuring
routers to take care of the things that the FWTK proxies do not.
From firewalls-owner Wed Nov 1 06:23:16 1995
Message-Id: <199511011332.AA14000@interlock.reston.ans.net>
Date: Wed, 1 Nov 1995 08:32:50 +0500
From: sangster@reston.ans.net (Paul Sangster)
To: switzel@gwdg.de, firewalls@greatcircle.com
Subject: Re: tunneling using ssl ???

In article <9510241511.AA01010@gwdu03.gwdg.de.ans-relay>, you write:
|> Is it possible to set up a gateway/firewall for tunneling replacing
|> the swIPe protocol by SSL? Should I do it? (It's just an idea, not
|> a project!)

FYI, SSL is a much higher layered protocol than swIPe. swIPe is intended
for packet level encryption, so everything from TCP (or UDP) on up is
protected. SSL is intended for just protecting application layer data.

Is there a reason you think that SSL will be more appropriate for your
environment? If you're safely running swIPe right now, why mess with a
good thing (except maybe to play catchup with IETF IPSEC protocols)?

Paul

|> Stefan Witzel                              email: switzel@gwdg.de
|> Universitaet Goettingen / Stabsstelle DV   fon:   +49 551 394160
|> Gosslerstrasse 5/7                         fax:   +49 551 399612
|> 37073 Goettingen, Germany
|> ----------------------

____________________________________________________________________________
Paul Sangster                               ANS
Senior Software Engineer                    1875 Campus Commons Dr.
sangster@reston.ans.net                     Suite 220, Reston VA 22091
(703) 758-7706
____________________________________________________________________________

From firewalls-owner Wed Nov 1 06:32:49 1995
Date: Wed, 1 Nov 1995 08:45:33 -0500 (EST)
From: Mike Malik -- Dover DE
To: Hal Pomeranz
Cc: Mike Shaver, firewalls@GreatCircle.COM
Subject: Re: Java
In-Reply-To: <199511010241.VAA22828@tannis.netmarket.com>

> I'm very worried about Java, but all I hear are reassurances about
> memory protection and default security levels. I, for one, am not
> reassured.
>
> Hal Pomeranz
> <<< In no way speaking for my employer >>>

This is the point I was trying to get at. I mean how many times have the
Vendors told us "trust us it's secure" or "trust us they can't use that
hole on our software" and how many times do we have to be bit by the
"string too long" hole before we learn.

Mike

Mike Malik (mam@ssds.com)
9841 Broken Land Parkway, Suite 100          business driven
Columbia, MD 21046                           technology solutions
410-381-4313  FAX: 410-381-2170
"as always my rants and raves are my own !"

From firewalls-owner Wed Nov 1 06:57:35 1995
Date: Wed, 1 Nov 1995 08:38:34 -0500 (EST)
From: David Miller
Subject: Re: tool for IP-source-routed packets
To: Ken Hardy
Cc: bret@real.com, firewalls@greatcircle.com
In-Reply-To: <199510311556.AA28131@ignatz.bridge.com>

On Tue, 31 Oct 1995, Ken Hardy wrote:

> Per bret@real.com (Bret McDanel):
>
> >> This comes up from time to time. The BSD telnet will do it, meaning that
> >> you can get it from any of the BSD source archives. You're already using
> >> it with your FreeBSD, NetBSD, &c. (Don't know about Linux.)
> >>
> >> The trick is that it's not documented in the man page. The syntax is
> >> discernible from the source. It's something like "telnet @hop1@hop2:dest".
>
> >All failed because it tried to do a dns lookup on @hop1:dest (yes I used
> >real machine names :)
>
> Because those are not using the BSD telnet, I'd guess; wouldn't expect
> it of any except perhaps Linux. And/or the syntax is not exactly what
> I wrote (as I implied was possible.)

Your syntax worked on my bsdi system. So did @host1@host2@dest. Note the
final '@' rather than ':'. Perhaps that would confuse some telnets?

> Using the proper telnet, how can I use tcpdump or etherfind or snoop to
> determine whether it's actually source routing?? I'm not seeing what I
> expect to see (and suspect my expectations).

Look at the packets coming from the source. They should have TCP option
137 set for loose source routing and the hops specified in the
@hop1@hop2 should be in the header as well.

--- David Miller
----------------------------------------------------------------------------
It's *amazing* what one can accomplish when one doesn't know what one can't do!

From firewalls-owner Wed Nov 1 07:17:19 1995
Message-Id: <199511011326.AA13962@interlock.reston.ans.net>
Date: Wed, 1 Nov 1995 08:26:55 +0500
From: sangster@reston.ans.net (Paul Sangster)
To: jna@echonyc.com (jna, who else?), firewalls@greatcircle.com
Subject: Re: A note on java...

In article , you write:
|> >On Oct 24, 10:45am, Scott Barman wrote:
|> >>
|> >> Since RealAudio refuses to let people see the protocols and analyze the
|>
|> I don't see their reasoning... Anyone can run a sniffer on their network
|> and analyze the protocol. Since when can another company make looking at
|> your OWN NETWORK illegal?

It's not always that simple to reverse engineer the context of the bits
that you see on the sniffer. Even when possible (like for RealAudio) you
have to understand how the different connections interrelate.

Fortunately, this won't be necessary because the RealAudio folks have
decided to work with firewall vendors and are scheduled to present their
new proxyable protocol at the NCSA Firewall Vendors meeting later this
week. I have a copy of their spec (marked confidential), so they are
trying to open up enough that this issue can be addressed. They deserve a
lot of credit for the change of position, even though it took some
prodding from firewall vendors (like us.)

Paul

____________________________________________________________________________
Paul Sangster                               ANS
Senior Software Engineer                    1875 Campus Commons Dr.
sangster@reston.ans.net                     Suite 220, Reston VA 22091
(703) 758-7706
____________________________________________________________________________

From firewalls-owner Wed Nov 1 07:22:56 1995
Date: Wed, 1 Nov 95 09:43:32 -0500
Message-Id: <9511011443.AA07741@hfsi>
From: "K Goertzel"
To: Firewalls@GreatCircle.COM
Subject: Anyone know about this URL?

I have been trying, without success ("Connection Refused") to access a
set of URLs that begin:

http://ibd.ar.com/lists/comp/firewalls/*

Does anyone know about these URLs? Do you know of some reason why my
connection would continually be refused? Has the URL moved, without
leaving a forwarding address?

Any help would be appreciated, as the set of URLs I'm trying to reach
contains a discussion of implementing firewalls on multilevel secure
hosts, a topic in which I'm extremely interested.

Karen Goertzel
goertzek@wangfed.com

From firewalls-owner Wed Nov 1 07:53:42 1995
Date: Wed, 1 Nov 1995 08:47:22 -0600
Message-Id: <9511011447.AA17040@hosaka.smallworks.com>
To: Firewalls
From: jim (Jim Thompson) (by way of Steve Bagwell)
Subject: soon to be available

We failed to mention that 1st qtr. 96 we will be offering an interview
type GUI as an optional item. Please call ph. 512-338-0619 or email if
you have further questions. (Steve is the sales guy, Jim is our
principal engineer; please contact either one of us for help)

Steve Bagwell

>
>Now that I've determined that buying a firewall may just be the way to go, I'd
>like all those firewall product representatives out there reading the list to
>duke it out and see which one will fit our needs. So, I've made up a little
>survey which you representatives can fill out (or others, if you feel a need to
>advocate a particular solution) I will summarize on a web page for others'
>reference purposes.
>
>==BEGIN==

Product Name: NetGate
Informational URL: http://www.smallworks.com
Pricing URL: http://www.smallworks.com:80/netgate/price.html
Pricing Info: Binary distribution: $2500 US, Source distribution: $5000 US
Features: low cost packet filter
Standard Services (proxies, standalone): SmallWorks' NetGate firewall
  security software is a rule-based packet filtering and routing package
  for administering TCP/IP networks. NetGate performs filtering, logging
  and forwarding on networks or subnetworks of TCP/IP based computers. In
  addition to allowing configuration and management of the packet
  forwarding via a rules database, NetGate can filter datagrams on source
  or destination and provide statistics and audit information to help
  protect your network gateway from hostile attacks.
Degree of User Configuration allowed (eg, can I add new services easily): yes
Management Methods (gui, command line, etc): Config file.
Comments:

>==END==
>
>Thanks!
>
>--
>- Matthew E Cable / Systems Administrator / Internet Technologies Group, Inc.
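Following David Miller's answer earlier in this digest on checking captured packets for source routing, here is an added example (not code from the list or any poster): it parses an IPv4 header and reports the RFC 791 source-route options, loose (type 131) and strict (type 137), together with the hop list they carry, which is what a firewall admin reading a tcpdump/snoop capture wants to confirm. The packet it checks and the addresses in it are constructed placeholders, not captured traffic.

```python
"""Check captured IPv4 packets for RFC 791 source-route options.

Added example for this digest; it is not code from any list poster.
Feed the raw bytes of a packet from tcpdump/snoop to source_route_hops()
and it reports whether a source-route option is present and which hops
it names. The sample packet is constructed in this file, not captured.
"""
import struct
from ipaddress import IPv4Address

# IP option type codes from RFC 791 (copy flag + class + number).
LSRR = 131  # loose source and record route
SSRR = 137  # strict source and record route
SOURCE_ROUTE_TYPES = {LSRR: "loose", SSRR: "strict"}


def parse_ipv4_options(packet: bytes):
    """Return [(option_type, option_data), ...] from the IPv4 header.

    Single-byte EOL (0) and NOP (1) options carry no length field; every
    other option is type, length, data with length counting all three.
    """
    if len(packet) < 20:
        raise ValueError("shorter than a minimum IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad header length")
    opts = packet[20:ihl]
    found = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # end of option list
            break
        if kind == 1:          # no-operation padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        found.append((kind, opts[i + 2:i + length]))
        i += length
    return found


def source_route_hops(packet: bytes):
    """Return ("loose"|"strict", [hop, ...]) or None if not source-routed.

    The option data is a one-byte pointer followed by 4-byte addresses;
    the pointer says which hop the packet is currently heading for.
    """
    for kind, data in parse_ipv4_options(packet):
        if kind not in SOURCE_ROUTE_TYPES:
            continue
        if len(data) < 1 or (len(data) - 1) % 4:
            raise ValueError("malformed source-route option")
        route = data[1:]
        hops = [str(IPv4Address(route[j:j + 4])) for j in range(0, len(route), 4)]
        return SOURCE_ROUTE_TYPES[kind], hops
    return None


def build_sample_packet(hops, strict=False) -> bytes:
    """Construct an IPv4 header (no payload) carrying a source-route option.

    Constructed test input only: the header checksum is left at zero and
    the addresses are documentation ranges, not real hosts.
    """
    route = b"".join(IPv4Address(h).packed for h in hops)
    kind = SSRR if strict else LSRR
    option = bytes([kind, 3 + len(route), 4]) + route   # pointer starts at 4
    option += b"\x00" * (-len(option) % 4)             # pad to 32-bit boundary
    total = 20 + len(option)
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | (total // 4),       # version 4, IHL in words
                         0, total, 0x1234, 0, 64, 6, 0,
                         IPv4Address("192.0.2.1").packed,
                         IPv4Address("198.51.100.9").packed)
    return header + option


if __name__ == "__main__":
    pkt = build_sample_packet(["192.0.2.10", "192.0.2.20"])
    print(source_route_hops(pkt))                       # ('loose', ['192.0.2.10', '192.0.2.20'])
    print(source_route_hops(bytes([0x45]) + bytes(19)))  # None
```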
From firewalls-owner Wed Nov 1 08:24:39 1995
Message-Id: <199511011414.AA14252@interlock.reston.ans.net>
Date: Wed, 1 Nov 1995 09:14:41 +0500
From: sangster@reston.ans.net (Paul Sangster)
To: lresch@relay.nswc.navy.mil, firewalls@greatcircle.com
Subject: Re: PC vs Workstation Firewall

In article <9510261248.AA05515@oanews.ans-relay>, you write:
|>
|> I have been reading discussions on the pros & cons of using a
|> PC vs a 'real' workstation for the firewall. My long-winded
|> question is Should I even consider using a PC for a firewall
|> system (in particular with Gauntlet) or will it get bogged down?
|> My plans are to have a Cisco - Gauntlet - Cisco config protecting
|> my internal network and use the Gauntlet as a proxy server (for
|> the internal users to have Telnet, FTP, and maybe web browsing) and
|> to let in mail to my SMTP gateway inside.

Larry,

The answer to your question is a resounding "it depends on your traffic
mix, distribution and load". Answering these types of performance related
issues is difficult for anyone without knowing (at least) how much e-mail
and HTTP transactions will occur at peak load, how often large data files
will be ftp'ed, and are you talking about hundreds of concurrent telnet
sessions during all this other stuff.

From my experiences, the protocols that will most quickly kill a box are
those that require lots of processes to handle the load, due to the load
of process creates/deletes and context switches required. Then heavy
loads of big file transfers and encryption will stress your CPU and
networking code (got enough mbuf space for the interfaces?). As you can
tell there's lots of issues here.

|>
|> Thanks for any/all advice.
|>

My advice (since you asked ;-)) is why plan for today's load when you
know that tomorrow's will be much greater (particularly web use). Smaller
machines (like PCs and low-end workstations) can become overwhelmed by
very heavy web use, or very heavy mail use particularly if other
protocols are also being stressed. Bottom line is you need to understand
and quantify your traffic needs for tomorrow (peak time) and let that
dictate the decision.

Paul

|> <>----------------------------------------------------<>
|> <> Larry Resch                                         <>
|> <> lresch@relay.nswc.navy.mil                          <>
|> <>                                                     <>
|> <> My thoughts are mine alone, and do not necessarily  <>
|> <> reflect the thoughts of those for whom I work.      <>
|> <>----------------------------------------------------<>

--
____________________________________________________________________________
Paul Sangster                               ANS
Senior Software Engineer                    1875 Campus Commons Dr.
sangster@reston.ans.net                     Suite 220, Reston VA 22091
(703) 758-7706
____________________________________________________________________________

From firewalls-owner Wed Nov 1 08:48:47 1995
From: Danny Cox
Date: Wed, 1 Nov 1995 11:57:54 GMT
Message-Id: <938.9511011157@gmap.leeds.ac.uk>
To: firewalls@greatcircle.com
Subject: screened host/subnet fws

Message-Id: <9511011532.AA18505@damark.com>
From: "william.wells"
To: FIREWALLS
Subject: Re: Java
Date: Wed, 01 Nov 95 09:34:00 CST

To what Mike Shaver and Hal Pomeranz say, I add at the end:
----------------------------------------------------------------------------
--
Hal Pomeranz mumbled something vague about:
> } 1) An applet running under the default security mode has _no_ access
> } to the filesystem, read, write or other.
>
> This is the crux of the issue. Given the lack of a centralized
> security configuration file for Java run-time binaries, security
> policy discretion is left to each and every individual in your
> organization-- this can only lead (at least in some instances) to bad
> security policy decisions.

...

If you're trying to prevent _malicious_ users from mangling your network
resources, then the solution to the "java problem" is a bonus for solving
the original problem: malicious people shouldn't have access to sensitive
resources.

...

User: "I need to give this applet access to the filesystem."
You: "Why?"
User: "It needs to write a high-score file."
You: "Let me see the source." || "Run it as this unprivileged user." ||
     "It shouldn't have to touch our filesystems." || ...

...

It sounds like you're worried about your users intentionally perforating
your security mechanisms, in which case it's not java you have to fear...
--- My comments follow

My concern isn't UNIX users but the PC users. Since there are no security
mechanisms on a PC, there isn't anything to prevent access to files;
including scripts which run every time a PC boots. You say the default
mode is "no access", is that true on a PC?

So the applet runs and twiddles files on a PC, is that a problem? In some
cases 'no'. But in others, because of the server data that person
legitimately has access to, 'yes'.

I can have policies against bringing in diskettes from home and people
pretty much understand the rationale behind them. It's harder to have a
policy that says that you can't browse any URL which runs applets;
especially since I'm not sure that one can tell the URL has applets.

I have hundreds of PCs running which have been tightened to the point that
our resident hackers have extreme problems accessing anything other than
selected canned Windows applications (yes, you can achieve that but it
takes work). The thought of some application which appears to be benign
having the capability of diddling with any file unexpectedly (or even
under explicit user control as in a "Save as" menu) bugs me immensely.

I manage those hundreds of PCs remotely through PC scripts and
applications and I'm very aware of how easy it is to hijack a PC through
script modification. Since I've been able to easily lock down a PC running
Windows (not 95) so that it functions more as a dedicated entry terminal
with great graphics, I feel it would be only slightly more complicated to
hijack a PC running Windows with a 'spy' program to report information
somewhat invisibly and restart the program when Windows starts up again.

I'm less concerned about someone writing an applet to bash a PC than I am
with someone writing an applet to gather information and mail the results
back or change the .INI files to start a 'spy' program next time (I
wouldn't be concerned about someone discovering my changes: how many users
look at or understand their .INI files?). These concerns aren't limited to
Java; from the writings about Java though, it seems like Java may be the
golden apple which can't be refused by my users.

After hearing all of the discussions for some months about Java, it seems
like the basic concern is that Java appears to allow someone outside your
organization to 'execute' a foreign program on internal systems and,
worse, may provide a means for that program to affect the behavior of the
internal systems beyond the scope of a "normal" program. From a non-user's
perspective, Java appears to be a 'blessed' virus.

William Wells
Manager, Technical Support
Damark International, Inc

The opinions are mine and, having not knowingly run any Java program, may
not be based in reality.
From firewalls-owner Wed Nov 1 09:23:56 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA05544 for firewalls-outgoing; Wed, 1 Nov 1995 08:46:07 -0800 (PST)
Received: from wsj2 (wsj2.wsj.dowjones.com [143.131.186.5]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id IAA05522 for ; Wed, 1 Nov 1995 08:45:58 -0800 (PST)
Received: by wsj2 (5.0/SMI-SVR4) id AA19345; Wed, 1 Nov 1995 11:32:17 -0500
>Received: from dscott.eng.dowjones.com by eng.dowjones.com (5.x/SMI-SVR4) id AA11475; Wed, 1 Nov 1995 11:49:32 -0500
Received: from dowjone by wsj2.wsj.dowjones.com; Wed, 1 Nov 1995 11:32 EST
Received: from dscott.eng.dowjones.com by eng.dowjones.com (5.x/SMI-SVR4) id AA11475; Wed, 1 Nov 1995 11:49:32 -0500
Received: by dscott.eng.dowjones.com (4.1/SMI-4.1) id AA05625; Wed, 1 Nov 95 11:44:11 EST
Date: Wed, 1 Nov 95 11:44:11 EST
From: dscott@eng.dowjones.com (Dave Scott)
Message-Id: <9511011644.AA05625@dscott.eng.dowjones.com>
To: firewalls@greatcircle.com
Subject: Exporting a Gauntlet Firewall
Cc: dscott@eng.dowjones.com
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all,

I need to have a Gauntlet in Europe... I can buy it through a German reseller (for a lot more money) and get full maintenance & support, etc. Or I can buy it here, configure and test it here, etc. and ship it out to Europe - but I won't get the support. It would be good to buy it here in the U.S. so I can configure and test it in the lab - the support issue will be handled by management.

I'd like to know if, other than having no encryption capabilities, there are any other gotchas I have to worry about for the PC version of the Gauntlet? Anything involving DES for Unix passwords?
Thanks for any info,

Dave Scott

From firewalls-owner Wed Nov 1 10:20:30 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA05486 for firewalls-outgoing; Wed, 1 Nov 1995 08:45:06 -0800 (PST)
Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id IAA05465 for ; Wed, 1 Nov 1995 08:44:47 -0800 (PST)
Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id LAA14890; Wed, 1 Nov 1995 11:17:05 -0600
Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id LAA14886; Wed, 1 Nov 1995 11:17:04 -0600
Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id KAA00827; Wed, 1 Nov 1995 10:45:04 -0600 (CST)
Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id KAA29804; Wed, 1 Nov 1995 10:45:04 -0600
From: Rick Smith
Message-Id: <199511011645.KAA29804@shade.sctc.com>
Subject: Re: Email and FTP virus protection
To: njb@knoware.nl (Niels Bjergstrom)
Date: Wed, 1 Nov 1995 10:45:04 -0600 (CST)
Cc: smith@sctc.com, firewalls@greatcircle.com
In-Reply-To: <199511010103.CAA29095@utrecht.knoware.nl> from "Niels Bjergstrom" at Nov 1, 95 02:03:23 am
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I wrote:

> >Behavior blocking is a wonderful concept. I've seen the technique
> >succeed (it's the essence of type enforcement) and I've seen it fail
> >on workstations where the behavioral profile poorly matched the
> >application.

Niels responded:

> I don't think that is a fault inherent to the technique. There are, however,
> many ways to define the behavioural profile, and a number of
> economy/security trade-offs are as usual involved.
> On small networks it is
> quite cheap and manageable to define general rules combined with
> workstation-specific rules for software behaviour. We are in the side of
> intrusion detection concerned with detecting attacks on known weak spots.

Type Enforcement takes the opposite tack. Instead of saying "Restrict behavior V because it is used by attack W," it says "Restrict behavior V because program X doesn't need it." In other words, use the concept of least privilege to prevent _and_ detect whole classes of attacks. The other approach is reactive, and that leaves openings for future attacks. Type Enforcement blocks attacks proactively and detects behavior marked as aberrant. So even if you didn't fully block the attack, you at least get a real time warning.

Traditionally we've deployed Type Enforcement as a form of mandatory access control, and I'm not entirely sure how good of a countermeasure it is on a platform without a protected kernel (MSDOS, Mac). Perhaps it's better than nothing. Clearly, checksum and virus signature based countermeasures have similar vulnerabilities since they aren't protected from integrity attacks either.

Rick.
smith@sctc.com secure computing corporation

From firewalls-owner Wed Nov 1 10:33:05 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA05254 for firewalls-outgoing; Wed, 1 Nov 1995 08:37:37 -0800 (PST)
Received: from Disclosure.COM ([205.156.194.11]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id IAA05242 for ; Wed, 1 Nov 1995 08:37:33 -0800 (PST)
Received: by Disclosure.COM (4.1/SMI-4.1) id AA29911; Wed, 1 Nov 95 11:39:32 EST
Date: Wed, 1 Nov 1995 11:39:32 -0500 (EST)
From: Scott Barman
To: Jonny Llama
Cc: firewalls@greatcircle.com
Subject: Re: Attacks on ports 1392 and 1395?
In-Reply-To: <199511010122.UAA08159@randomc.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

There was a discussion at one time as to when to report problems to CERT and when to wait. I am bringing this up because this was a case of when to wait and check things out before running.

A few days ago I wrote:

> > Why would anyone want to attack a system on ports 1392 and 1395? And I
> > am not talking about a port scan either. There were repeated attempts
> > on these ports (especially 1392) and I am wondering what they're for?

This was triggered when we received a note from CERT saying that our bastion host was trying to access someone on port 1392 and 1395. Of course we took this seriously. The administrator and I combed the system looking for any evidence of a problem. We plugged a few holes but did not notice anything major. Then again a good hacker may know how to cover his/her tracks. I looked up the two ports in RFC 1700 and posted my message to the list, hoping to figure out what someone could have been trying. I got the following response.

Then, on Tue, 31 Oct 1995, Jonny Llama wrote:

> Is pcnfs run on any of your machines? looks like an older, more obscure
> attempt at exploiting the bugs in it.

I would like to thank Mr. Llama, the only person to respond. However, we are not running NFS or PC-NFS nor are we running any RPC-based services on the machine.

Upon further review by the people who made the inquiry and CERT, it was discovered that the probes were not break-in attempts but an attempt by our ftp server to respond to a PORT/RETR combo. It was the ftp client that assigned ports 1392 and 1395 for the transfer. When our server went to connect, the requests were blocked at their router, which set off that site's security alarms. Later in the day, we received a note from CERT informing us it was a false alarm and of the router configuration problem.
The note told us about the router misconfiguration and the author was very apologetic for the trouble this might have caused.

MORAL OF THE STORY: Please check your configuration and what your people are doing first before giving us, and anyone else, a heart attack! We had visions of the system being used as a haven for hackers! :-)

scott barman
--
scott barman              DISCLAIMER: I speak to anyone who will listen,
scott@disclosure.com      and I speak only for myself.
barman@ix.netcom.com

"I don't know if security explains why the Win95 support Web servers run BSDI 2.0--an Intel-based Unix--rather than Windows NT, which Microsoft insists is the ideal Web software solution. Does Redmond know something we don't know?" -Robert X. Cringely, INFOWORLD, 9/11/95

From firewalls-owner Wed Nov 1 10:46:45 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id KAA08391 for firewalls-outgoing; Wed, 1 Nov 1995 10:18:17 -0800 (PST)
Received: from uu2.psi.com (uu2.psi.com [128.145.228.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id KAA08378 for ; Wed, 1 Nov 1995 10:18:11 -0800 (PST)
Received: by uu2.psi.com (5.65b/4.0.940727-PSI/PSINet) via UUCP; id AA09165 for ; Wed, 1 Nov 95 13:03:51 -0500
Received: from samadams.aule-tek.com (samadams.ARPA) by aule-tek.com (4.1/3.2.083191-Aule-Tek Inc.) id AA04347; Wed, 1 Nov 95 12:42:24 EST
Received: by samadams.aule-tek.com (5.x/SMI-SVR4) id AA05343; Wed, 1 Nov 1995 12:37:36 -0500
Date: Wed, 1 Nov 1995 12:37:36 -0500
From: Mike.Jones@aule-tek.com (Mike Jonesa)
Message-Id: <9511011737.AA05343@samadams.aule-tek.com>
To: lresch@relay.nswc.navy.mil, firewalls@greatcircle.com, sangster@reston.ans.net
Subject: Re: PC vs Workstation Firewall
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

lresch@relay.nswc.navy.mil writes...
> In article <9510261248.AA05515@oanews.ans-relay>, you write:
> |> I have been reading discussions on the pros & cons of using a
> |> PC vs a 'real' workstation for the firewall. My long-winded
> |> question is Should I even consider using a PC for a firewall
> |> system (in particular with Gauntlet) or will it get bogged down?
> |> My plans are to have a Cisco - Gauntlet - Cisco config protecting
> |> my internal network and use the Gauntlet as a proxy server (for
> |> the internal users to have Telnet, FTP, and maybe web browsing) and
> |> to let in mail to my SMTP gateway inside.
>
> The answer to your question is a resounding "it depends on your
> traffic mix, distribution and load". Answering these types of performance
> related issues is difficult for anyone without knowing (at least) how much
> e-mail and HTTP transactions will occur at peak load, how often large data
> files will be ftp'ed, and are you talking about hundreds of concurrent
> telnet sessions during all this other stuff.

Actually, I think there's another issue to consider. If you get, for example, a firewall that runs on a Sun, you can purchase maintenance for it. That means that if you lose a disk at 2am in a snowstorm in the middle of January, the *Sun* guy gets to come out and replace the disk within 4 hours. Sure beats playing with PC hardware for my dollar. The same is true of HP, SGI, IBM, etc., of course.

Mike Jones | jonesmd@aule-tek.com

I've been trying for some time to develop a lifestyle that doesn't require my presence.
- Garry Trudeau

From firewalls-owner Wed Nov 1 10:53:47 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA07381 for firewalls-outgoing; Wed, 1 Nov 1995 09:49:39 -0800 (PST)
Received: from mlfire.ml.com (mlfire.ml.com [192.246.100.1]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id JAA07374 for ; Wed, 1 Nov 1995 09:49:35 -0800 (PST)
From: John_Reinke_at_NYTRP@pcmailgw.ml.com
Received: from commpost.ml.com ([146.125.4.24]) by mlfire.ml.com (8.6.12/8.6.12) with ESMTP id MAA14780 for ; Wed, 1 Nov 1995 12:49:37 -0500
Received: from pcmailgw.ml.com (unixccgw3.pcmailgw.ml.com [146.125.77.72]) by commpost.ml.com (8.6.12/8.6.12) with SMTP id MAA10914 for ; Wed, 1 Nov 1995 12:50:01 -0500
Received: from cc:Mail by pcmailgw.ml.com id AA815258525; Wed, 01 Nov 95 08:22:17 est
Date: Wed, 01 Nov 95 08:22:17 est
Encoding: 28 Text
Message-Id: <9510018152.AA815258525@pcmailgw.ml.com>
To: firewalls@greatcircle.com
Subject: Risk metric
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Author: Adam Jack at UNIXGTWY
>Date: 11/1/95 9:04 AM
> safe. Compared to Work Macros in e-mail - safe. Compared to FTP
> - unsafe. But where in that range does it sit?
>> Or proposals for rapid response certification bodies.
> I made the term up on the spot - so no surprises. My point was that these
> individuals were already occupied and unlikely to be in a position to

Adam makes an interesting case for a risk metric. Different industries may wish to be at different points on the risk reward curve. If the metric was probability of a loss greater than $100,000, then I could see brokerages taking more risk than a bank. The difficulty is assessing the a priori probabilities. Opponents of any expenditure for security usually argue from "posterior" statistics (i.e., it hasn't happened; therefore it can't happen).
When the breach occurs, as it always does sooner or later (usually sooner rather than later), the security officer is taken to task for not presenting forceful enough arguments. So once again, you are damned if you fight hard with the label "doesn't understand" and damned again when the loss occurs with "unable to express the arguments for the position". Perhaps risk metrics are a valid way to express it. What would be the appropriate measurement applying this concept to firewalls? Mean time to failure, estimated dollars lost, ...?

From firewalls-owner Wed Nov 1 10:56:02 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA06402 for firewalls-outgoing; Wed, 1 Nov 1995 09:15:21 -0800 (PST)
Received: from ace.cisco.com (ace.cisco.com [171.68.225.137]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id JAA06395 for ; Wed, 1 Nov 1995 09:15:16 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by ace.cisco.com (8.6.11/CA/950118) with SMTP id JAA16663; Wed, 1 Nov 1995 09:14:37 -0800
Message-Id: <199511011714.JAA16663@ace.cisco.com>
X-Authentication-Warning: ace.cisco.com: Host localhost didn't use HELO protocol
To: Hal Pomeranz
cc: Mike Shaver , mam@ssds.com (Mike Malik -- Dover DE), firewalls@greatcircle.com
Subject: Re: Java
In-reply-to: Your message of "Tue, 31 Oct 1995 21:41:24 EST." <199511010241.VAA22828@tannis.netmarket.com>
Zippy-Sez: I hope I bought the right relish... zzzzzzzzz...
Date: Wed, 01 Nov 1995 09:14:36 -0800
From: John Stewart
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-> How is this any different from the way life is today? After all,
-> there's plenty of source code out there that your users could compile
-> that is damaging from a security perspective. However, by
-> constructing my firewall properly, I can provide a safe "sandbox"
-> environment for users who unintentionally open security holes on their
-> machine, and guard and monitor against malicious internal users.
I don't know that I agree with you on this, given that many "properly constructed firewalls" are port filtering. Just because you only let port 25 connect to this machine doesn't mean that machine is allowing SMTP only on that port. Anyway...

-> The difference with Java, I think, is that Java isn't "interesting" to
-> most users unless it's used in the context of interacting with groups
-> outside of your organization-- so I can't build a wall around it.
-> Furthermore, Java applets "piggyback" themselves on protocols
-> (e.g. HTTP) which users demand as part of doing their day-to-day jobs
-> and which are easy for novice users to deal with-- so it's difficult
-> to keep the stuff from getting in. Add to this the fact that it's just
-> too damn easy to think of social engineering scenarios which would
-> encourage users to reduce security restrictions on the Java run-time
-> ("Gosh, my Java Monopoly(tm) applet requires filesystem access to
-> write to a high score file and network access to play against
-> other users").

I agree that this Java jumping on top of an existing HTTP is what causes all the shudders in the security community, and I share them. I disagree that the only reason for Java is so that groups can interact. This still can be a 1-1 relationship that is profitable. Sadly tho, for the 1-1 relationship to hold true, the 1-many is potentially opened up. For instance, if I wanted to run an applet to your browser which opened up the configuration files from a router and told me perhaps what was wrong, that would be great! However, in doing so, the applet needs filesystem access, and that is terrible. There appear to be no controls in that regard.

-> I'm very worried about Java, but all I hear are reassurances about
-> memory protection and default security levels. I, for one, am not
-> reassured.

My concern is that given the already open communications paths for an HTTP session, the quote "man in the middle" idea becomes a whole new problem.
Before "secure" communications, the amount of data to be learned from the client was still minimal -- without, say, asking the user in a form what the root password was to their machine :) -- but you certainly couldn't "learn" very much about their machine. When "secure" communications came along, more sensitive data was passed, but it was rarely about the client, but rather about credit information. Here comes Java; now, an applet can learn, and tell, about the client machine and more. Where does this get stopped? Did I miss something? What happens when Microsoft runs a software license checker as an applet, and sends the entire configuration back to their server?

My views are my own.

--john

From firewalls-owner Wed Nov 1 11:36:41 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id KAA09467 for firewalls-outgoing; Wed, 1 Nov 1995 10:50:50 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id KAA09458 for ; Wed, 1 Nov 1995 10:50:47 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950602) id KAA09590; Wed, 1 Nov 1995 10:50:46 -0800
From: cjolley@iac.net
Received: from little-miami.iac.net(198.180.60.135) by mycroft via smap (V1.3mjr) id sma009585; Wed Nov 1 10:49:45 1995
Received: from 199.6.47.253 by little-miami.iac.net with SMTP id NAA21726; Wed, 1 Nov 1995 13:44:25 -0500
Message-Id: <199511011844.NAA21726@little-miami.iac.net>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Date: Wed, 01 Nov 95 13:45:28 -0500
Subject: Re: screened host/subnet fws
To: Danny Cox , firewalls@GreatCircle.COM
In-Reply-To: <938.9511011157@gmap.leeds.ac.uk>
X-Mailer: SPRY Mail Version: 04.00.06.17
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I may have my definitions confused but we have a screening router between our bastion host (with two NIC cards) and the Internet.
OTOH, I believe one could do it with just one NIC card.

On Wed, 1 Nov 1995, Danny Cox wrote:
>
>I suspect this may be a dumb question but bear with me. Given a screened host or
>screened subnet firewall, my understanding is that the bastion only has one
>ethernet card. If I'm running proxies upon it, then don't I need two IP addresses?
>
>Is it easy to set two IP addresses on one ethernet card - as I assume this is what's
>necessary ?
>
>Thanks all,
>Danny
>
>.
>

From firewalls-owner Wed Nov 1 11:59:12 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id LAA10134 for firewalls-outgoing; Wed, 1 Nov 1995 11:18:07 -0800 (PST)
Received: from aspensys (aspensys.aspensys.com [198.77.70.104]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id LAA10104 for ; Wed, 1 Nov 1995 11:17:51 -0800 (PST)
Received: from smtpinet.aspensys.com (smtpgate.aspensys.com) by aspensys (5.0/SMI-SVR4) id AA27797; Wed, 1 Nov 1995 14:13:03 +0500
Received: from ccMail by smtpinet.aspensys.com (SMTPLINK V2.10.08) id AA815268159; Wed, 01 Nov 95 14:16:34 EST
Date: Wed, 01 Nov 95 14:16:34 EST
From: "Jim Meritt"
Message-Id: <9510018152.AA815268159@smtpinet.aspensys.com>
To: firewalls@GreatCircle.COM
Subject: Network Security '95
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In DC 13-18 November. Anyone have information on attendance costs/where it will be/how to pay/...?
ibid the 2-day course on Unix security cost ~$495.00

Jim Meritt
Aspen Systems Corporation

From firewalls-owner Wed Nov 1 12:00:41 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id LAA09867 for firewalls-outgoing; Wed, 1 Nov 1995 11:07:39 -0800 (PST)
Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id LAA09860 for ; Wed, 1 Nov 1995 11:07:36 -0800 (PST)
Received: from usia.gov by relay3.UU.NET with SMTP id QQznzw16068; Wed, 1 Nov 1995 14:06:25 -0500 (EST)
Received: from NetWare MHS (SMF70) by usia.gov via Connect2-SMTP 4.00; Wed, 1 Nov 95 14:05:09 -0500
Message-ID: <4AC097300136C8D1@usia.gov>
Date: Wed, 1 Nov 95 14:01:20 -0500
From: "Lehrer, Neil"
Organization: USIA
To: firewalls@greatcircle.com
Cc: dtoler@usia.gov, fjohnson@usia.gov, e._allen_brown@bops.voa.gov
Subject: request for info
X-mailer: Connect2-SMTP 4.00 MHS to SMTP Gateway
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

hi,

we are evaluating firewalls: firewall-1, borderware, gauntlet, and smartwall, all in the intel versions because we are an intel shop. I would like any comments you would care to make about these products. I am interested in performance, ease of use, reliability, security, documentation.

our internet connection is through a T-1 to sprint. we have lots of smtp in and out, http out, telnet and ftp out, and ftp in, oracle client/server to come. our routers are cisco.

also: can these products handle the load from a t-1 if hosted on a high performance intel platform? what do you think of the trend of putting all the services on the same box, for example, proxies, internal and external dns, etc? any comments about their address translation facilities and the oracle secure sqlnet to firewall announcement?

thanks very much. if you can cc my email address I would appreciate it.

Regards

+++++++++++++++++++++++++++++++++++++++
+ Neil Lehrer
+ U.S. Information Agency
+ Networks and Systems Support Division
+
+ voice 202 619-0903
+ fax 202 619-3883
+ internet nlehrer@usia.gov
+
+ "oh what a tangled net we weave
+  when we seek to retrieve."
+
+++++++++++++++++++++++++++++++++++++++

From firewalls-owner Wed Nov 1 12:01:58 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id KAA09519 for firewalls-outgoing; Wed, 1 Nov 1995 10:54:10 -0800 (PST)
Received: from cseic.saic.com (CSEIC.SAIC.COM [139.121.32.135]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id KAA09512 for ; Wed, 1 Nov 1995 10:54:05 -0800 (PST)
Received: from [139.121.32.149] by cseic.saic.com (4.1/1.34) id AA20606; Wed, 1 Nov 95 13:48:38 EST
Message-Id: <9511011848.AA20606@cseic.saic.com>
X-Sender: steveg@cseic.saic.com
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 01 Nov 1995 15:00:53 -0500
To: Danny Cox
From: "Stephen H. Goldstein"
Subject: Re: screened host/subnet fws
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:57 AM 11/1/95 GMT, Danny Cox wrote:
>
>I suspect this may be a dumb question but bear with me. Given a screened host or
>screened subnet firewall, my understanding is that the bastion only has one
>ethernet card. If I'm running proxies upon it, then don't I need two IP addresses?
>
>Is it easy to set two IP addresses on one ethernet card - as I assume this is what's
>necessary ?
>
>Thanks all,
>Danny
>

With a screened subnet, you only need one adapter and address:

  +--------+   +----------+    +---------+    +----------+    +---------+
  | Inside |---| Filter 1 |----| Bastion |----| Filter 2 |----| Outside |
  +--------+   +----------+    +---------+    +----------+    +---------+

Filter 1 is set up to only allow connections between "inside" hosts and the bastion. Filter 2 is set up to only allow connections between the bastion and "outside" hosts.
Thus the combination of Filter 1 and Filter 2 prevents direct inside-outside communication, forcing everything to go through the bastion.

Caveat: This is not necessarily an endorsement of this configuration, just confirmation that dual adapters and IP addresses for the bastion aren't a technical must for it to work. Some firewall implementations use dual IP stacks, one per interface, to further enforce separation of inside and outside data. Based on your needs, this may or may not be overkill. Your mileage may vary. Coupon may not be photocopied.

---
Stephen Goldstein
steveg@cseic.saic.com
My first computer: A 24K Atari 800, Rev. A ROMS, November 1980
Disclaimer: That's not what I said.

From firewalls-owner Wed Nov 1 13:41:26 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id MAA10861 for firewalls-outgoing; Wed, 1 Nov 1995 12:15:11 -0800 (PST)
Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.70.210]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id MAA10854 for ; Wed, 1 Nov 1995 12:15:07 -0800 (PST)
Message-Id: <199511012015.MAA10854@miles.greatcircle.com>
Received: by habanero.jmu.edu (1.37.109.16/16.2) id AA104214903; Wed, 1 Nov 1995 14:41:43 -0500
Date: Wed, 1 Nov 1995 14:41:43 -0500
From: gary flynn
To: firewalls@greatcircle.com
Subject: skey/opie/NRL/logdamon or what on fwtk/hpux???
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm trying to compile skey on hpux for incorporation into the TIS fwtk. The version of skey that is at thumper.bellcore under skey appears to support only BSD systems. The NRL version at thumper doesn't have any hpux/sysv parameters. Opie 2.x at NRL has the hpux/sysv parameters but all the system calls have been renamed from skeyXXXX to opieXXXX which fwtk won't understand. I'm told that skey1.1b has a sysv parameter on the Makefile but I don't know where to get it.
I was hoping for a version of skey that would work on hpux and with fwtk without a lot of modifications. Is there such a beast?

Thank you for any assistance.

Gary Flynn
James Madison University

From firewalls-owner Wed Nov 1 13:53:19 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id NAA11425 for firewalls-outgoing; Wed, 1 Nov 1995 13:07:25 -0800 (PST)
Received: from tuna.wang.com (tuna.wang.com [150.124.136.4]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id NAA11417 for ; Wed, 1 Nov 1995 13:07:22 -0800 (PST)
Received: from mail.wangfed.com (ns.wangfed.com [159.94.10.19]) by tuna.wang.com (8.6.12/8.6.12tf1) with SMTP id QAA07876 for ; Wed, 1 Nov 1995 16:07:22 -0500
Received: from [159.94.10.15] by mail.wangfed.com (1.37.109.4/A.09.00a) id AA17604; Wed, 1 Nov 95 16:00:17 -0600
Received: from [159.94.14.48] by hfsi (BULL 5.61++/B.O.S 02.01) id AA09510; Wed, 1 Nov 95 15:57:56 -0500
Date: Wed, 1 Nov 95 15:57:56 -0500
Message-Id: <9511012057.AA09510@hfsi>
From: "K Goertzel"
Reply-To: "K Goertzel"
To: Firewalls@GreatCircle.COM
Subject: idb.ar.com...the mystery continues
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

For those that are wondering, several listers have tried the same URL I did, with the following variety of results:

User #1: "I get a 'server not responding' when I try this."

User #2: "I tried accessing http://idb.ar.com and got 'Remote server down or not responding.'"

User #3: "When I tried it, I too did not get connected, but the error message was 'server timed out'."

I'm going to continue trying to sort this out, but if there is anyone who can enlighten us on who idb.ar.com is, and how one might contact them, I'd really appreciate it.
Karen Goertzel
goertzek@wangfed.com

From firewalls-owner Wed Nov 1 15:09:30 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id OAA12729 for firewalls-outgoing; Wed, 1 Nov 1995 14:31:21 -0800 (PST)
Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id OAA12722 for ; Wed, 1 Nov 1995 14:31:16 -0800 (PST)
Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.6.10/8.6.10) id IAA24597; Thu, 2 Nov 1995 08:26:04 +1000
Received: from citecub.citec.qld.gov.au(131.242.4.98) by citecuh.citec.qld.gov.au via smap (V1.3) id /mail/incoming/sma024592; Thu Nov 2 08:25:56 1995
Received: by citecub.citec.qld.gov.au (5.0/SMI-SVR4) id AA13330; Thu, 2 Nov 1995 08:28:45 +1000
From: sgcccdc@citec.qld.gov.au (Colin Campbell)
Message-Id: <9511012228.AA13330@citecub.citec.qld.gov.au>
Subject: Re: screened host/subnet fws
To: dannyc@gmap.leeds.ac.uk (Danny Cox)
Date: Thu, 2 Nov 95 8:28:45 EST
Cc: firewalls@greatcircle.com
In-Reply-To: <938.9511011157@gmap.leeds.ac.uk>; from "Danny Cox" at Nov 1, 95 11:57 am
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

My mailer thinks Danny Cox said:
>
>
> I suspect this may be a dumb question but bear with me. Given a screened host or
> screened subnet firewall, my understanding is that the bastion only has one
> ethernet card. If I'm running proxies upon it, then don't I need two IP addresses?
>

Correct, you do not need two addresses. The firewall I manage is configured the same as what you describe.

            "outside"
                |
                |
              router
                |
                |
      ------------------------
         |               |
         |               |
      bastion          router
                         |
                         |
                      "inside"

As I said, there is no need for two addresses. You configure the routers' filters to force all traffic through the bastion. This however only provides a logical path through the bastion. My personal preference is to force a physical path as well by dual-homing the bastion, as shown below.
As well as the router filters, I would consider putting filters on the bastion - if a packet gets rejected by the bastion you know there is something wrong on one of the routers.

            "outside"
                |
                |
              router
                |
                |
      ------------------------  "outside" lan
                |
                |
             bastion
                |
                |
      ------------------------  "inside" lan
                |
                |
              router
                |
                |
            "inside"

A lot of people will call this "belt and braces" but it also allows you to put public servers on the "outside" lan which IMHO you cannot do safely in the first configuration.

> Is it easy to set two IP addresses on one ethernet card - as I assume this is what's
> necessary ?
>

It isn't necessary but can be done - I know how on BSDI and Solaris.

Colin

From firewalls-owner Wed Nov 1 16:34:26 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id PAA14607 for firewalls-outgoing; Wed, 1 Nov 1995 15:56:37 -0800 (PST)
Received: from strydr.strydr.com (strydr.strydr.com [199.217.201.1]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id PAA14600 for ; Wed, 1 Nov 1995 15:56:34 -0800 (PST)
Received: (from ds3721@localhost) by strydr.strydr.com (8.6.12/8.6.11) id RAA16480 for firewalls@greatcircle.com; Wed, 1 Nov 1995 17:56:33 -0600
From: David Schnardthorst
Message-Id: <199511012356.RAA16480@strydr.strydr.com>
Subject: Internet Security W3 Directory
To: firewalls@greatcircle.com
Date: Wed, 1 Nov 1995 17:56:32 -0600 (CST)
Organization: Stryder Communications, Inc.
Address: 869 St. Francois, Florissant, Mo. 63031
Telephone: (314)838-6839
Fax: (314)838-8527
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Do you have a URL relating to internet security? If it is information on products, RFC's, or general information, please add it to our W3 directory, http://www.strydr.com/cgi-bin/www_sites

This information is public information for members of the internet community.
Thanks for your help

============================================================================
David Schnardthorst, Systems/Network Eng.   * Phone: (314)838-6839
Stryder Communications, Inc.                * Fax: (314)838-8527
869 St. Francois                            * E-Mail: ds3721@strydr.com
Florissant, MO 63031                        * URL: http://www.strydr.com
============================================================================

From firewalls-owner Wed Nov 1 16:53:36 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id QAA16438 for firewalls-outgoing; Wed, 1 Nov 1995 16:49:17 -0800 (PST)
Received: from acsweb (acsweb.acs.usm.maine.edu [130.111.128.23]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id QAA16430 for ; Wed, 1 Nov 1995 16:49:14 -0800 (PST)
Received: from doc.cs.usm.maine.edu by acsweb (5.x/SMI-SVR4) id AA13512; Wed, 1 Nov 1995 19:49:20 -0500
Received: by doc.cs.usm.maine.edu; (5.65/1.1.8.2/04Oct95-1047AM) id AA25854; Wed, 1 Nov 1995 19:49:09 -0500
From: Edward Maillet
Message-Id: <9511020049.AA25854@doc.cs.usm.maine.edu>
Subject: Spoofing ISDN
To: firewalls@greatcircle.com
Date: Wed, 1 Nov 1995 19:49:09 -0500 (EST)
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hey All,

Some folks at work want to set up an ISDN dial-in connection relying solely on the inbound caller ID as the security measure. Is it possible to spoof the D channel to send fake info? I'm fairly certain there is a way to do it. Can anyone point me to some references so I can make a decent technical argument against this?

Thanx.
----- Ed Maillet maillet@cs.usm.maine.edu From firewalls-owner Wed Nov 1 17:20:22 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id QAA14802 for firewalls-outgoing; Wed, 1 Nov 1995 16:01:22 -0800 (PST) Received: from gw1.octel.com (gw1.octel.com [148.147.1.12]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id QAA14787 for ; Wed, 1 Nov 1995 16:01:16 -0800 (PST) Received: (from daemon@localhost) by gw1.octel.com (8.6.10/8.6.10) id QAA06642; Wed, 1 Nov 1995 16:01:16 -0800 Received: from curly.eng.octel.com(148.147.200.26) by gw1.octel.com via smap (V1.3) id sma006621; Wed Nov 1 16:01:05 1995 Received: from laura.eng.octel.com (laura.eng.octel.com [148.147.206.4]) by curly.eng.octel.com (8.6.12/8.6.12) with ESMTP id QAA10877; Wed, 1 Nov 1995 16:01:04 -0800 Received: (from hbo@localhost) by laura.eng.octel.com (8.6.12/8.6.12) id QAA16168; Wed, 1 Nov 1995 16:01:04 -0800 Date: Wed, 1 Nov 1995 16:01:04 -0800 Message-Id: <199511020001.QAA16168@laura.eng.octel.com> From: Howard B Owen To: nlehrer@usia.gov CC: firewalls@GreatCircle.COM In-reply-to: <4AC097300136C8D1@usia.gov> (nlehrer@usia.gov) Subject: Re: request for info Sender: firewalls-owner@GreatCircle.COM Precedence: bulk /sys/admin has a web page devoted to commercial firewalls. It's a good starting point: http://www.sysadmin.com -- Howard Owen hbo@octel.com Octel Communications Corporation 1024/DC671C31 = Internet Guy/Webmaster 1001 Murphy Ranch Rd. 37 A0 46 EE BE 408-324-6576 Voice and FAX Milpitas CA 95035-7912 95 DB 92 E8 39 I am not a pay TV service! 
http://www.egbok.com/hbo.html 80 89 A9 F9 3D FB

From firewalls-owner Wed Nov 1 17:54:05 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA19645 for firewalls-outgoing; Wed, 1 Nov 1995 17:45:29 -0800 (PST) Received: from colt.milepost.com (colt.milepost.com [164.57.50.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id RAA19637 for ; Wed, 1 Nov 1995 17:45:19 -0800 (PST) Received: (from phil@localhost) by colt.milepost.com (8.6.12/8.6.9) id TAA05185; Wed, 1 Nov 1995 19:44:49 -0600 From: Phil Howard Message-Id: <199511020144.TAA05185@colt.milepost.com> Subject: Re: screened host/subnet fws To: steveg@cseic.saic.com (Stephen H. Goldstein) Date: Wed, 1 Nov 1995 19:44:49 -0600 (CST) Cc: firewalls@GreatCircle.COM In-Reply-To: <9511011848.AA20606@cseic.saic.com> from "Stephen H. Goldstein" at Nov 1, 95 03:00:53 pm X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Stephen H. Goldstein writes:

> With a screened subnet, you only need one adapter and address:
>
>   +--------+   +----------+    +---------+    +----------+    +---------+
>   | Inside |---| Filter 1 |----| Bastion |----| Filter 2 |----| Outside |
>   +--------+   +----------+    +---------+    +----------+    +---------+
>
> Filter 1 is set up to only allow connections between "inside" hosts and the
> bastion. Filter 2 is set up to only allow connections between the bastion
> and "outside" hosts. Thus the combination of Filter 1 and Filter 2
> prevents direct inside-outside communication, forcing everything to
> go through the bastion.
>
> Caveat: This is not necessarily an endorsement of this configuration, just
> confirmation that dual adapters and IP addresses for the bastion aren't
> a technical must for it to work. Some firewall implementations use
> dual IP stacks, one per interface to further enforce separation of
> inside and outside data. Based on your needs, this may or may not be
> overkill. Your mileage may vary. Coupon may not be photocopied.

This kind of configuration also makes the packet filter rule sets in each of the filter routers a lot simpler and easier to code. This is especially so if the filter "language" is limited to "linear match and commit" logic.

By "linear match and commit" I refer to rules where if the test does have a positive match, you are committed to either deny the packet or accept the packet without applying any other tests. It's like programming without any "if" statements, loops, or function calls.

From firewalls-owner Wed Nov 1 18:45:38 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA20407 for firewalls-outgoing; Wed, 1 Nov 1995 17:59:11 -0800 (PST) Received: from yarrina.connect.com.au (yarrina.connect.com.au [192.189.54.17]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id RAA20399 for ; Wed, 1 Nov 1995 17:59:03 -0800 (PST) Received: (from root@localhost) by yarrina.connect.com.au with UUCP id MAA22978 (8.6.12/IDA-1.6); Thu, 2 Nov 1995 12:57:30 +1100 Received: by junkers.lochard.com.au id AA20822 (5.65c/IDA-1.5); Thu, 2 Nov 1995 02:52:54 GMT From: Mark Message-Id: <199511020252.AA20822@junkers.lochard.com.au> Subject: Re: Tightening up SunOS 5.4 (was Re: Hardened OS) To: cmcurtin@gatekeeper.cb.att.com (C Matthew Curtin) Date: Thu, 2 Nov 1995 12:52:53 +1000 (EET) Cc: Eric_Sheppard.BCI@bbs.bellsouth.com, firewalls@GreatCircle.COM In-Reply-To: <9510312244.ZM5480@gatekeeper> from "C Matthew Curtin" at Oct 31, 95 10:44:52 pm Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Since you've already blown away everything that isn't directly needed
> by your system or the applications you run to support necessary services,
> things like tar, ar, cc, cpio, etc. are gone. If someone does break in,
> make it impossible for them to bring in archives and build binaries. Do
> you really need to have an ftp command on the system? I even removed vi :-)

Unfortunately this won't work. Unless you remove shells as well from the machine people can still import binaries. I had a friend once in a chroot'd guest environment with reasonably low quotas and they still managed to import a binary and "talk" to the sendmail daemon on the machine. It was a cute trick and more of a proof of concept but it was enough to show me you can't really stop someone on a standard unix model.

If anyone got on a firewall set up like this it is simple to compile a binary offsite to suit the architecture, static if necessary, and import it, run it and then have that binary act as a personal ftp/shell/port login process.

Have a nice day

Mark
mark@lochard.com.au

From firewalls-owner Wed Nov 1 18:47:45 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA17766 for firewalls-outgoing; Wed, 1 Nov 1995 17:10:21 -0800 (PST) Received: from bast.livingston.com (bast.livingston.com [149.198.247.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id RAA17752 for ; Wed, 1 Nov 1995 17:10:17 -0800 (PST) Received: from server.livingston.com (server.livingston.com [149.198.1.70]) by bast.livingston.com (8.7.1/8.6.9) with ESMTP id RAA17007 for ; Wed, 1 Nov 1995 17:13:01 -0800 (PST) Received: (from cdr@localhost) by server.livingston.com (8.7.1/8.6.9) id RAA04275; Wed, 1 Nov 1995 17:08:28 -0800 (PST) Date: Wed, 1 Nov 1995 17:08:28 -0800 (PST) From: Carl Rigney Message-Id: <199511020108.RAA04275@server.livingston.com> To: firewalls@livingston.com Subject: Firewall Discussion at PC Week Cc: portmaster-users@livingston.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

PC Week is hosting a Discussion on "Protecting the company LAN from Internet intruders" at Protecting the company LAN from Internet intruders

ISS, Checkpoint & Livingston are on hand to answer questions, so feel free to drop by on the web and join in.
--
Carl Rigney
cdr@livingston.com

From firewalls-owner Wed Nov 1 18:57:21 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA17597 for firewalls-outgoing; Wed, 1 Nov 1995 17:07:43 -0800 (PST) Received: from acsweb (acsweb.acs.usm.maine.edu [130.111.128.23]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id RAA17584 for ; Wed, 1 Nov 1995 17:07:39 -0800 (PST) Received: from doc.cs.usm.maine.edu by acsweb (5.x/SMI-SVR4) id AA13701; Wed, 1 Nov 1995 20:07:44 -0500 Received: by doc.cs.usm.maine.edu; (5.65/1.1.8.2/04Oct95-1047AM) id AA25053; Wed, 1 Nov 1995 20:07:39 -0500 From: Edward Maillet Message-Id: <9511020107.AA25053@doc.cs.usm.maine.edu> Subject: A defense against sniffing attacks for mere mortals To: firewalls@greatcircle.com Date: Wed, 1 Nov 1995 20:07:38 -0500 (EST) X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hey All,

Sorry to step on the toes of you S/Key, Kerberos, it's-only-safe-if-it's-encrypted types but it seems that there are other ways of defeating packet sniffers. Both active and passive. Under certain network topologies, sniffing can be rendered useless without encryption.

Consider an ethernet that contains an ethernet switch and some 10Base-T hubs. The switch itself can prevent connections from being sniffed or hijacked simply because packets don't get transmitted down that particular segment. If your hubs are somewhat decent, they'll have an option that "scrambles" data not destined for that port. So even that segment is protected from everything except blind guessing. (Which may get lucky for the truly paranoid.)

I realize that this is a rather specific topology but it is an interesting and rather simple solution.

Flame away!
-----
Ed Maillet
maillet@cs.usm.maine.edu

From firewalls-owner Wed Nov 1 19:00:56 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA20121 for firewalls-outgoing; Wed, 1 Nov 1995 17:53:24 -0800 (PST) Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id RAA19999 for ; Wed, 1 Nov 1995 17:52:35 -0800 (PST) Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.6.10/8.6.10) id LAA02321; Thu, 2 Nov 1995 11:47:07 +1000 Received: from citecub.citec.qld.gov.au(131.242.4.98) by citecuh.citec.qld.gov.au via smap (V1.3) id /mail/incoming/sma002313; Thu Nov 2 11:46:55 1995 Received: by citecub.citec.qld.gov.au (5.0/SMI-SVR4) id AA08615; Thu, 2 Nov 1995 11:49:33 +1000 From: sgcccdc@citec.qld.gov.au (Colin Campbell) Message-Id: <9511020149.AA08615@citecub.citec.qld.gov.au> Subject: Re: screened host/subnet fws To: steveg@cseic.saic.com (Stephen H. Goldstein) Date: Thu, 2 Nov 95 11:49:32 EST Cc: firewalls@greatcircle.com In-Reply-To: <9511011848.AA20606@cseic.saic.com>; from "Stephen H. Goldstein" at Nov 1, 95 3:00 pm X-Mailer: ELM [version 2.3 PL11] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

My mailer thinks Stephen H. Goldstein said:
>
> At 11:57 AM 11/1/95 GMT, Danny Cox wrote:
> >
> >I suspect this may be a dumb question but bear with me. Given a screened host or
> >screened subnet firewall, my understanding is that the bastion only has one
> >ethernet card. If I'm running proxies upon it, then don't I need two IP addresses?
> >
> >Is it easy to set two IP addresses on one ethernet card - as I assume this is what's
> >necessary ?
> >
> >Thanks all,
> >Danny
> >
> With a screened subnet, you only need one adapter and address:
>

Then why did you show one with TWO interfaces? There are a lot of newbies on this list (who probably shouldn't be attempting to build firewalls without a lot of study first) who on seeing "pictures" like this and then an explanation that seemingly contradicts it, will only be more confused.

>   +--------+   +----------+    +---------+    +----------+    +---------+
>   | Inside |---| Filter 1 |----| Bastion |----| Filter 2 |----| Outside |
>   +--------+   +----------+    +---------+    +----------+    +---------+
>
[chomp]

IMHO, what you should have drawn, was:

  +--------+   +----------+     +----------+    +---------+
  | Inside |---| Filter 1 |-----| Filter 2 |----| Outside |
  +--------+   +----------+  |  +----------+    +---------+
                             |
                         +---------+
                         | Bastion |
                         +---------+

Colin

From firewalls-owner Wed Nov 1 19:31:46 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id SAA23085 for firewalls-outgoing; Wed, 1 Nov 1995 18:59:29 -0800 (PST) Received: from london.micrognosis.com (midas.london.micrognosis.com [193.114.123.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id SAA23078 for ; Wed, 1 Nov 1995 18:59:24 -0800 (PST) Received: by london.micrognosis.com (4.1/NAR-Gateway) id AA09937; Thu, 2 Nov 95 02:59:24 GMT Received: from zeus.london.micrognosis.com(192.83.165.17) by midas via smap (V1.0mjr) id sma009935; Thu Nov 2 02:59:22 1995 Received: by zeus.london.micrognosis.com (4.1/SMI-4.1) id AA07723; Thu, 2 Nov 95 02:59:15 GMT From: nreadwin@london.micrognosis.com (Neil Readwin) Message-Id: <9511020259.AA07723@zeus.london.micrognosis.com> Subject: Re: What about the next 20 Java-like applications? ( was Re: Java) To: ajack@corp.micrognosis.com (Adam Jack) Date: Thu, 2 Nov 1995 02:59:14 +0000 (GMT) Cc: firewalls@greatcircle.com In-Reply-To: from "Adam Jack" at Nov 1, 95 00:00:10 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

[ Even the author considers this post mind-numbingly tedious.
  firewalls types not interested in risk analysis should bail here. ]

Adam Jack writes:
> What I don't hear from this list are criteria for quantifying risk.

Well, it's a very hard problem and very few of us know much about it. To do risk analysis properly you need to be some mutant hybrid of accountant and computer wizard. 20/20 foresight helps too. It doesn't get much coverage on the list because accountancy is boring :-)

> What I find depressing is the apparent - "it's unknown - be scared"
> mentality. Surely - with an internet as diverse and rapidly
> changing as today's - it is one that is outdated.

OK, imagine we have some new service on the Internet. Ideally we would list the potential threats related to that service and calculate the likelihood of them materializing and the associated cost. We must also look at the benefit of enabling that service (ie the cost of denying it).

Now, we must have some default decision on whether the service should be enabled before the risk analysis is done. You seem to be arguing the default should be yes.

It seems to me that there is a cost to doing the risk analysis and also some cost to disallowing the feature until it is given the OK. There is also the potential cost that we might incur from an un-analyzed service or feature (which we know to be unknown since by definition we have not determined it).

If the cost of disallowing the service is smaller than the cost of doing the analysis then it should be disabled. If the cost of disallowing the service is greater than the cost of doing the analysis plus the (unknown) cost of enabling the service then we should enable it. Of course we never know how big the unknown is :-) That is, giving a service the benefit of the doubt is sometimes clearly wrong and never clearly right.
On the other hand, you could argue that the cost of disabling services unnecessarily is so large (or rather will be because of the high utility of future developments on the Internet) that the unknown risk associated with them cannot be large enough to justify disabling them by default. That is, enabling them until the analysis is done is critical to the health of your business. Depending on your business and what the future developments are you might be right. What works for a 2 man software company might not work for a multi-billion dollar financial services company or a nuclear power station. Neil (whose risk-analysis of HTTP was basically "I've got a VP screaming for it and TIS have a proxy, so it can't be all bad - I'll do it!") -- nreadwin@micrognosis.co.uk Phone: +1 908 855 1221 x519 Anything is a cause for sorrow that my mind or body has made From firewalls-owner Wed Nov 1 19:38:47 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA18240 for firewalls-outgoing; Wed, 1 Nov 1995 17:18:39 -0800 (PST) Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id RAA18233 for ; Wed, 1 Nov 1995 17:18:30 -0800 (PST) Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id TAA27214; Wed, 1 Nov 1995 19:50:10 -0600 Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id TAA27210; Wed, 1 Nov 1995 19:50:07 -0600 Received: from hector.sctc.com (hector.sctc.com [172.17.192.85]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id TAA12309; Wed, 1 Nov 1995 19:17:57 -0600 (CST) Received: (from stockwel@localhost) by hector.sctc.com (8.6.12/8.6.9) id TAA06918; Wed, 1 Nov 1995 19:17:54 -0600 Date: Wed, 1 Nov 1995 19:17:54 -0600 From: Ted Stockwell Message-Id: <199511020117.TAA06918@hector.sctc.com> To: Mike.Jones@aule-tek.com CC: lresch@relay.nswc.navy.mil, sangster@reston.ans.net, 
firewalls@GreatCircle.COM Subject: Re: PC vs Workstation Firewall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Date: Wed, 1 Nov 1995 12:37:36 > From: Mike.Jones@aule-tek.com (Mike Jonesa) > [text deleted] > > Actually, I think there's another issue to consider. If you get, for > example, a firewall that runs on a Sun, you can purchase maintenance > for it. That means that if you lose a disk at 2am in a snowstorm in the > middle of January, the *Sun* guy gets to come out and replace the disk > within 4 hours. Sure beats playing with PC hardware for my dollar. The > same is true of HP, SGI, IBM, etc., of course. > > Mike Jones | jonesmd@aule-tek.com You can get 7 x 24 support for PC hardware. Workstations do not present an advantage here. PC's may have a cost advantage if you want a hot-swap. -- Ted Stockwell, stockwel@sctc.com, Sidewinder From firewalls-owner Wed Nov 1 19:50:32 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA18871 for firewalls-outgoing; Wed, 1 Nov 1995 17:27:56 -0800 (PST) Received: from colt.milepost.com (colt.milepost.com [164.57.50.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id RAA18853 for ; Wed, 1 Nov 1995 17:27:50 -0800 (PST) Received: (from phil@localhost) by colt.milepost.com (8.6.12/8.6.9) id TAA05078; Wed, 1 Nov 1995 19:27:17 -0600 From: Phil Howard Message-Id: <199511020127.TAA05078@colt.milepost.com> Subject: Re: Firewall Survey To: mec@itg.net (Matthew Cable) Date: Wed, 1 Nov 1995 19:27:16 -0600 (CST) Cc: firewalls@GreatCircle.COM In-Reply-To: <9510311859.ZM1140@squiggy.itg.net> from "Matthew Cable" at Oct 31, 95 06:59:14 pm X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Matthew Cable writes... 
> ==BEGIN== > =Product Name: > > =Informational URL: > > =Pricing URL: > > =Pricing Info: > > =Features: > > =Standard Services (proxies, standalone): > > =Degree of User Configuration allowed (eg, can I add new services easily): > > =Management Methods (gui, command line, etc): > > =Comments: > > ==END== I definitely want to see a full list of what services application level firewall proxies are able to support, and how sophisticated they can do it. For example, FTP. Can I let anyone in my organization go ftp anything from any site that passes a rule check, using their regular ftp client? Also when listing management methods, please be sure to list all the choices. Some of us prefer editing files so we can see the overall logic that has been configured and can easily do things like rearrange the order of things... stuff not easy, if even possible, with GUI. Also, can configurations be saved as a file or package of files, for the purpose of backup? Suppose the hardware goes belly up, and new hardware and software is now in place. Can you get the original configuration back on the machine and on the air in 5 minutes? 
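The two screened-subnet pictures argued over earlier in this thread (Colin Campbell's router / bastion / router layout with filters on the bastion as well as on the routers, and Stephen Goldstein's Filter 1 / Bastion / Filter 2 chain, which Phil Howard notes is easy to code when the filter language is "linear match and commit"), together with this message's wish to see the overall logic of a rule set rather than a GUI, are all things a small simulator can make concrete. The Python below is an added example written for this archive; it is not code from any post in the thread or from any vendor named here. The addresses (10.1.0.0/16 as the inside LAN, 192.0.2.10 as the bastion, 203.0.113.5 as an outside host) and the rule sets are constructed for the demonstration. Each filter is evaluated first-match-wins with an implicit deny at the end, packets are pushed through the filters in the order they would cross them, and a check reports rules that can never fire because an earlier rule already commits on everything they match, the one mistake a "no ifs, no loops" rule language makes easy.

```python
"""First-match ("linear match and commit") packet filter model of a
screened subnet: outside router, bastion host filter, inside router.
Added example for this thread; addresses and rule sets are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addressing (assumptions, not from any post in the thread).
INSIDE = ip_network("10.1.0.0/16")       # "inside" LAN
BASTION = ip_network("192.0.2.10/32")    # bastion host on the screened LAN
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    """One line of a filter: a match plus the action it commits to."""
    action: str                   # "accept" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))

    def covers(self, other: "Rule") -> bool:
        """True when every packet `other` could match, this rule matches
        too; placed earlier, this rule would shadow `other` completely."""
        return (other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and self.proto in (None, other.proto)
                and self.dport in (None, other.dport))


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, int]:
    """The first matching rule decides; nothing after it is consulted.
    Returns (action, index); index -1 is the implicit final deny."""
    for i, r in enumerate(rules):
        if r.matches(p):
            return r.action, i
    return "deny", -1


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule
    already commits on everything they would match."""
    return [j for j in range(len(rules))
            if any(rules[i].covers(rules[j]) for i in range(j))]


def traverse(p: Packet, path: List[Tuple[str, List[Rule]]]) -> Tuple[str, Optional[str]]:
    """Push a packet through each filter on its path; report where it stops."""
    for name, rules in path:
        action, _ = evaluate(rules, p)
        if action == "deny":
            return "deny", name
    return "accept", None


# Constructed rule sets. Inbound traffic crosses the outside router, then the
# bastion; inside-originated traffic crosses the inside router, then the
# bastion. The bastion only proxies, so it accepts nothing that is not
# addressed to it: anything else arriving there got past a router it should not have.
OUTSIDE_ROUTER = [
    Rule("deny", INSIDE, ANY),                # inside addresses never arrive from outside
    Rule("accept", ANY, BASTION, "tcp", 25),  # mail to the bastion only
    Rule("accept", BASTION, ANY),             # the bastion's own outbound connections
]
BASTION_HOST = [Rule("accept", ANY, BASTION), Rule("accept", BASTION, ANY)]
INSIDE_ROUTER = [Rule("accept", INSIDE, BASTION), Rule("accept", BASTION, INSIDE)]
INBOUND = [("outside-router", OUTSIDE_ROUTER), ("bastion", BASTION_HOST)]
OUTBOUND = [("inside-router", INSIDE_ROUTER), ("bastion", BASTION_HOST)]

# A deliberately wrong inside router that lets inside hosts go anywhere.
LEAKY_OUTBOUND = [("inside-router", [Rule("accept", INSIDE, ANY)]), ("bastion", BASTION_HOST)]

# A rule set whose "deny telnet" line can never fire: the accept before it
# already commits on every inside packet.
SHADOWED = [Rule("accept", INSIDE, ANY), Rule("deny", INSIDE, ANY, "tcp", 23)]


if __name__ == "__main__":
    cases = [
        ("mail from outside to bastion", Packet("203.0.113.5", "192.0.2.10", "tcp", 25), INBOUND),
        ("outside straight to an inside host", Packet("203.0.113.5", "10.1.2.3", "tcp", 25), INBOUND),
        ("spoofed inside source from outside", Packet("10.1.9.9", "192.0.2.10", "tcp", 25), INBOUND),
        ("inside straight to outside", Packet("10.1.2.3", "203.0.113.5", "tcp", 80), OUTBOUND),
        ("same, with a leaky inside router", Packet("10.1.2.3", "203.0.113.5", "tcp", 80), LEAKY_OUTBOUND),
    ]
    for label, pkt, path in cases:
        print(f"{label}: {traverse(pkt, path)}")
    print("shadowed rules in SHADOWED:", shadowed_rules(SHADOWED))
```

Running it shows the spoofed inside source address stopped at the outside router's first line even though its second line would have accepted mail to the bastion (first match commits), the direct inside-to-outside packet stopped at the inside router, and, with the deliberately leaky inside router, the same packet caught by the bastion's own filter instead. That last case is the signal Colin describes: a packet the bastion has to reject means a router upstream is wrong. Keeping rule sets as plain data like this also makes the shadowing check cheap to run before every change.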
From firewalls-owner Wed Nov 1 19:53:09 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA18946 for firewalls-outgoing; Wed, 1 Nov 1995 17:29:22 -0800 (PST) Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id RAA18922 for ; Wed, 1 Nov 1995 17:29:05 -0800 (PST) Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id SAA25924 for ; Wed, 1 Nov 1995 18:31:32 -0600 Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id SAA25552; Wed, 1 Nov 1995 18:09:39 -0600 Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id RAA08756; Wed, 1 Nov 1995 17:37:29 -0600 (CST) Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id RAA19827; Wed, 1 Nov 1995 17:37:30 -0600 Date: Wed, 1 Nov 1995 17:37:30 -0600 From: Rick Smith Message-Id: <199511012337.RAA19827@shade.sctc.com> To: firewalls@greatcircle.com Cc: smith@sctc.com, cmcurtin@gatekeeper.cb.att.com Subject: Re: Tightening up SunOS 5.4 (was Re: Hardened OS) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk "C Matthew Curtin" suggests: >Basically, I define: > * What services we need > * What applications we use to support those services > * What system commands/drivers/etc are needed to support those apps >And blew away everything else. >If your only user is root, there is no point in having setuid on things like >ps, since anyone non-root trying to run that is obviously someone who broke >in, right? I removed all of the setuid/setgid bits, made them only runnable >by root. >Since you've already blown away everything that isn't directly needed >by your system or the applications you run to support necessary services, >things like tar, ar, cc, cpio, etc. are gone. 
> If someone does break in,
> make it impossible for them to bring in archives and build binaries...

Of course, RTM didn't use a C compiler to exploit the old fingerd buffer overrun vulnerability, just the fact that fingerd was running as root on most systems. Doesn't this cast some doubt on the notion of eliminating every user but root? Or did we skip a step here?

Rick.
smith@sctc.com secure computing corporation

From firewalls-owner Wed Nov 1 20:31:49 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA19306 for firewalls-outgoing; Wed, 1 Nov 1995 17:38:12 -0800 (PST) Received: from acsweb (acsweb.acs.usm.maine.edu [130.111.128.23]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id RAA19292 for ; Wed, 1 Nov 1995 17:38:07 -0800 (PST) Received: from doc.cs.usm.maine.edu by acsweb (5.x/SMI-SVR4) id AA13880; Wed, 1 Nov 1995 20:38:14 -0500 Received: by doc.cs.usm.maine.edu; (5.65/1.1.8.2/04Oct95-1047AM) id AA25452; Wed, 1 Nov 1995 20:38:08 -0500 From: Edward Maillet Message-Id: <9511020138.AA25452@doc.cs.usm.maine.edu> Subject: Man in the Middle Attacks (Over rated?) To: firewalls@greatcircle.com Date: Wed, 1 Nov 1995 20:38:07 -0500 (EST) X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hey All,

Wouldn't it be more accurate to say that Man in the Middle attacks are really Man at the End attacks?

I've been reading the IP-Watch Web Page about hijacking TCP connections and active packet sniffing. The "threat to the whole Internet" seems a bit exaggerated for the average Joe. (http://www.EnGarde.com/software/ipwatcher)

TCP connections flying over the Internet today from say A.com to B.com aren't likely to be crossing over a network controlled by evil.com. What is the REAL potential of someone being able to nail an A.com to B.com connection without being inside A.com or B.com? Most companies connect to the 'net using a commercial Internet provider. Let's say MCI.
I know for a fact MCI routes data internally along its DS3 backbone as much as it can so if you and I both use MCI we never leave MCI land. What is the real potential of someone tapping, hacking or sniffing one of MCI's links? Sure the possibility exists but so does the possibility I put a bomb in your car while you were reading this.

The real potential threat seems to be from the inside of B.com or A.com where direct access to the network is MUCH easier to obtain. Or even worse is evil.com directly attacking A.com or B.com like the Tsutomu Shimomura attack last year.

Is the real potential threat the Man at the End rather than the Man that may be in the Middle? Particularly my end. My company seems to not view it this way so internal security is much looser than our outbound connections.

As a side thought, anyone got any numbers of how many hacks come from inside versus outside?

Flame Away!

-----
Ed Maillet
maillet@cs.usm.maine.edu

From firewalls-owner Wed Nov 1 20:36:36 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA18638 for firewalls-outgoing; Wed, 1 Nov 1995 17:24:35 -0800 (PST) Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id RAA18628 for ; Wed, 1 Nov 1995 17:24:22 -0800 (PST) Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id TAA27270; Wed, 1 Nov 1995 19:55:50 -0600 Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id TAA27266; Wed, 1 Nov 1995 19:55:50 -0600 Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id TAA12384; Wed, 1 Nov 1995 19:23:39 -0600 (CST) Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id TAA23834; Wed, 1 Nov 1995 19:23:38 -0600 Date: Wed, 1 Nov 1995 19:23:38 -0600 From: Rick Smith Message-Id: <199511020123.TAA23834@shade.sctc.com> To:
firewalls@greatcircle.com Cc: smith@sctc.com, ajack@corp.micrognosis.com Subject: Re: What about the next 20 Java-like applications? ( was Re: Java) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Adam Jack writes a manifesto:

> Sun aren't complete cretins. They have a tonne of experience of break-ins
> (through their own software on their machines ;-). HotJava can deal
> with the threats that any non-firewall-professionals - can dream up -
> and most that this list has raised.

Perhaps I'm sounding like a broken record, but you've got to plan for tomorrow's threats, not yesterday's. The "firewall professional's" threats of today are the bread and butter of tomorrow's attackers. Or maybe I got that reversed.. :->

For the (broken) record, I think the Java developers did a fine job of dealing with early '80s style security issues. But they didn't get a handle on the desktop security issues early enough in the HotJava design. It's a tough problem and they don't really have many models to follow, so I'm not surprised they're having trouble. At least the Java folks could follow the instruction set and pcode security traditions.

>> I'm very worried about Java, but all I hear are reassurances about
>> memory protection and default security levels. I, for one, am not
>> reassured.
>
> This is the statement that has been getting to me more and more
> through this Java thread. (Scott Barman irritated me to silence!)
> Reassurance isn't a right! ...

Competent firewall and security vendors do NOT subscribe to this mindset. If a customer is concerned enough about security to seek a quality product, they have every right to (re)assurance that the protections they expect are in place. They deserve to know what security measures are effective and deployed. They deserve evidence.

> I really hoped, given the experience on this list, that a better informed
> discussion might occur.
> Unfortunately there doesn't appear to be anybody,
> with experience, spending any real time analyzing it. ...

As you've probably figured out, this is expensive and time-consuming work. We do it for our own products. I admit it depresses me to have the same, tired security questions go unanswered, and that I do not have the time myself to try things out. On the other hand, it shouldn't be so much to ask other vendors to do their own job, too. It makes our life easier, and lets us help our customers better.

I had a hard time quantifying risks for customers intending to use Netscape until the appropriate group of hackers did the costly research Netscape didn't do. My hat's off to them. I hope those guys will tackle HotJava now, unless Sun and/or Netscape pumps in the resources to do it. Somehow I doubt they will -- security doesn't appear to have much of a priority in their institutional cultures. But it's nice that they're getting efficient at fixing their security bugs after they occur. Reactive security, anyway.

> What I find depressing is the apparent - "it's unknown - be scared"
> mentality. ...
> Surely - with an internet as diverse and rapidly changing as today's - it is
> one that is outdated. It is too obvious. (Fascist 'old' Admin vs Coool $tuff)
> It is an expression of discomfort - not an approach to solve the problems.

It really is sensible to be cautious when handling a live wire of unknown voltage. Things were much easier back in the Good Old Days when we just used the 'Net for R&D and transcontinental Adventure games. Things get a bit squirrely when you use it to run a business, and your livelihood depends on correct results whose integrity you can depend on. The raw, theoretical risk of running arbitrary, possibly hostile code in numerous workstations... well, the mind boggles.

> Applications on the Internet are racing ahead. Despite the common sense
> demand for security - pressure for functionality is higher.

It depends on who you talk to.
Our customers want both, but they recognize there is a tradeoff. How many will put their back office operations at risk just for "coool stuff" on desktops?? Not many. > Java is just > one of many emerging 'technologies' that will strain current firewall > models. Firewall technology needs to evolve with the technological 'advances' > (- and so do individuals.) Evolving attack methodologies also strain current firewall models, even without throwing HotJava into the picture. Sites concerned about security want finer grained awareness of what crosses their boundary. It's not clear how we meet their needs and also pass applets. Magic doesn't exist, and firewalls can't perform mathematical miracles. > What I don't hear from this list are criteria for quantifying risk. If our customers are going to run Java/HotJava, they want it on every desk, not just those belonging to a couple of R&D propellerheads with some blue-sky proprietary data on their filesystems. The CEO and the Director of Mergers and Acquisitions and the Custodian of Insider Information will all want the spiffy stuff, too. It is not clear that spiffy stuff will run on a HotJava system configured to run securely. >.. How are firewalls going to deal with the next 20 Java's? The same way this one is dealt with: a refusal to throw caution to the wind simply because it's Kool Stuff. I hate long postings. Rick. 
smith@sctc.com secure computing corporation

From firewalls-owner Wed Nov 1 20:52:25 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id QAA16206 for firewalls-outgoing; Wed, 1 Nov 1995 16:43:48 -0800 (PST) Received: from aurora.intel.com (aurora.intel.com [143.183.152.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id QAA16197 for ; Wed, 1 Nov 1995 16:43:40 -0800 (PST) Received: from argus.intel.com by aurora.intel.com (5.65/10.0i); Wed, 1 Nov 95 16:42:08 -0800 Received: by argus.intel.com (5.65/10.0i); Wed, 1 Nov 95 16:40:22 -0800 From: sedayao@argus.intel.com (Jeffrey C. Sedayao) Message-Id: <9511020040.AA22823@argus.intel.com> Subject: Re: idb.ar.com...the mystery continues To: goertzek@wangfed.com Date: Wed, 1 Nov 95 16:40:21 PST Cc: Firewalls@GreatCircle.COM In-Reply-To: <9511012057.AA09510@hfsi> from "K Goertzel" at Nov 1, 95 03:57:56 pm X-Mailer: ELM [version 2.4dev PL66] Mime-Version: 1.0 Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

[stuff deleted]
> I'm going to continue trying to sort this out, but if there is anyone who can
> enlighten us on who ibd.ar.com is, and how one might contact them, I'd really
> appreciate it.

The Internic says:

[xterm] InterNIC > whois ar.com
Connecting to the rs Database . . . . . .
Connected to the rs Database
Rick Wesson (AR3-DOM)
   1278 Sandia Dr.
   Sunnyvale, CA 94089

   Domain Name: AR.COM

   Administrative Contact:
      Wesson, Rick  (RW56)  wessorh@AR.COM
      (408) 749-1175
   Technical Contact, Zone Contact:
      InterNex Information Services  (INEX-NOC)  noc@internex.net
      408-496-5466 voice  408-496-5485 fax

   Record last updated on 25-Jul-95.
   Record created on 11-Feb-94.

   Domain servers in listed order:

idb.ar.com doesn't respond to pings, telnet idb.ar.com 80 fails, so it looks like the system is dead.

A better question - is there really a subject for firewalls? I don't think so.
> Karen Goertzel
> goertzek@wangfed.com

-- 
Jeff Sedayao
Intel Corporation
sedayao@argus.intel.com

From firewalls-owner Wed Nov 1 20:53:01 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id UAA28484 for firewalls-outgoing; Wed, 1 Nov 1995 20:35:34 -0800 (PST)
Received: from london.micrognosis.com (midas.london.micrognosis.com [193.114.123.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id UAA28470 for ; Wed, 1 Nov 1995 20:35:28 -0800 (PST)
Received: by london.micrognosis.com (4.1/NAR-Gateway) id AA10197; Thu, 2 Nov 95 04:35:27 GMT
Received: from zeus.london.micrognosis.com(192.83.165.17) by midas via smap (V1.0mjr) id sma010194; Thu Nov 2 04:34:49 1995
Received: by zeus.london.micrognosis.com (4.1/SMI-4.1) id AA08312; Thu, 2 Nov 95 04:34:45 GMT
From: nreadwin@london.micrognosis.com (Neil Readwin)
Message-Id: <9511020434.AA08312@zeus.london.micrognosis.com>
Subject: Re: Tightening up SunOS 5.4 (was Re: Hardened OS)
To: smith@sctc.com (Rick Smith)
Date: Thu, 2 Nov 1995 04:34:45 +0000 (GMT)
Cc: firewalls@greatcircle.com
In-Reply-To: <199511012337.RAA19827@shade.sctc.com> from "Rick Smith" at Nov 1, 95 05:37:30 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Rick Smith writes:

> Of course, RTM didn't use a C compiler to exploit the old fingerd
> buffer overrun vulnerability, just the fact that fingerd was running
> as root on most systems.

Ahem ... RTM did use a C compiler (to compile the grappling hook that pulled
over the rest of the worm) and it didn't require root (since the worm made no
efforts to exploit the fact that it was privileged and if fingerd had been
running as another user the worm would still have worked).

That said, I agree that if your firewall platform is a typical "Almost C2"
Unix then there is no point in stripping it down - if the bad guys can get a
login or just execute a shell script then you are toast.  Neil.
-- 
nreadwin@micrognosis.co.uk          Phone: +1 908 855 1221 x519
Anything is a cause for sorrow that my mind or body has made

From firewalls-owner Wed Nov 1 21:06:51 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id TAA25942 for firewalls-outgoing; Wed, 1 Nov 1995 19:52:24 -0800 (PST)
Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id TAA25927 for ; Wed, 1 Nov 1995 19:52:14 -0800 (PST)
Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.6.10/8.6.10) id NAA07276; Thu, 2 Nov 1995 13:47:09 +1000
Received: from citecub.citec.qld.gov.au(131.242.4.98) by citecuh.citec.qld.gov.au via smap (V1.3) id /mail/incoming/sma007269; Thu Nov 2 13:46:47 1995
Received: by citecub.citec.qld.gov.au (5.0/SMI-SVR4) id AA23456; Thu, 2 Nov 1995 13:49:33 +1000
From: sgcccdc@citec.qld.gov.au (Colin Campbell)
Message-Id: <9511020349.AA23456@citecub.citec.qld.gov.au>
Subject: Re: PC vs Workstation Firewall
To: Mike.Jones@aule-tek.com (Mike Jonesa)
Date: Thu, 2 Nov 95 13:49:31 EST
Cc: firewalls@greatcircle.com
In-Reply-To: <9511011737.AA05343@samadams.aule-tek.com>; from "Mike Jonesa" at Nov 1, 95 12:37 pm
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My mailer thinks Mike Jonesa said:
> [chomp]
> 
> Actually, I think there's another issue to consider.  If you get, for
> example, a firewall that runs on a Sun, you can purchase maintenance
> for it.  That means that if you lose a disk at 2am in a snowstorm in the
> middle of January, the *Sun* guy gets to come out and replace the disk
> within 4 hours.  Sure beats playing with PC hardware for my dollar.  The
> same is true of HP, SGI, IBM, etc., of course.
> 

Actually, the amount you pay in maintenance could probably be put into
buying spares for everything.  This would alleviate the Sun Engineer from
having to come out - only you would need to go out.
After all you were there to let him into the building and onto the bastion,
weren't you?

:-)

Colin

From firewalls-owner Wed Nov 1 21:23:14 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id VAA00551 for firewalls-outgoing; Wed, 1 Nov 1995 21:09:28 -0800 (PST)
Received: from sunthing.sjsinc.com (sunthing.sjsinc.com [140.174.165.1]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id VAA00543 for ; Wed, 1 Nov 1995 21:09:23 -0800 (PST)
Received: by sunthing.sjsinc.com Mailer: sendmail (8.6.12/8.6.9) Protocol: Id: VAA17081; Wed, 1 Nov 1995 21:06:35 -0800
Date: Wed, 1 Nov 1995 21:06:35 -0800
From: sjs@sunthing.sjsinc.com (Stefan Jon Silverman)
Message-Id: <199511020506.VAA17081@sjsinc.com>
To: goertzek@wangfed.com
Subject: Re: idb.ar.com...the mystery continues
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Karen:

> 
> For those that are wondering, several listers have tried the same URL I did,
> with the following variety of results:
> 
> 
> User #1: "I get a 'server not responding' when I try this."
> 
> User #2: "I tried accessing http://idb.ar.com and got 'Remote server down or
> not responding.'"
> 
> User #3: "When I tried it, I too did not get connected, but the error message
> was 'server timed out'."
> 
> I'm going to continue trying to sort this out, but if there is anyone who can
> enlighten us on who ibd.ar.com is, and how one might contact them, I'd really
> appreciate it.
> 

My suspicion is that all three error messages above are in fact the same
message, just different text based on OS and application.
I hate sending people traceroutes, but, the one below shows that all
connectivity to the desired host is blocking at some intermediate point; to
wit:

(ttyp2@sunthing) sjs> traceroute ibd.ar.com
traceroute to ibd.ar.com (199.2.25.111), 30 hops max, 40 byte packets
 1  tlgrouter.tlg.org (140.174.122.3)  176 ms  163 ms  175 ms
 2  gw2-sf-tlg.tlg.net (140.174.122.17)  173 ms  165 ms  175 ms
 3  border-sf-tlg.tlg.net (140.174.125.5)  176 ms  167 ms  170 ms
 4  border1-serial3-0.SanFrancisco.mci.net (204.70.32.45)  266 ms  170 ms  206 ms
 5  core-fddi-0.SanFrancisco.mci.net (204.70.2.161)  191 ms  167 ms  188 ms
 6  borderx2-fddi0-0.SanFrancisco.mci.net (204.70.3.164)  158 ms  160 ms  175 ms
 7  fix-west-nap.SanFrancisco.mci.net (204.70.158.118)  176 ms  162 ms  173 ms
 8  * 198.32.136.38 (198.32.136.38)  183 ms  167 ms
 9  205.158.0.5 (205.158.0.5)  172 ms  168 ms  176 ms
10  * * *

Both of their ISP's nameservers at internex.net seem to be alive and can
resolve on a zone transfer.  I can't get to their internal nameserver, but
this might be connectivity or it might be security.

I think that either their connection to their ISP is down or they have a
piece of dead equipment in the path.

Hope this helps...

Regards,

b c++'ing u,

%-)

sjs

PS: I am my own employer, therefore: "all opinions are twice spoken for;"
and they do, in fact, scare the hell out of said employer!!!

-------------------------------------------------------------------------------
Stefan Jon Silverman - President              SJS Associates, N.A., Inc.
572 Chestnut Street            Distributed Systems Architecture & Implementation
San Francisco, Ca. 94133
Phone: 415 989 2741   Fax: 415 989 7250   E-mail: sjs@sjsinc.com   Cell: 415 519 3494
-------------------------------------------------------------------------------
Weebles wobble, but they don't fall down!!!
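Stefan's reading of the trace (the path answers through hop 9 and goes silent from hop 10) is the kind of check worth automating when deciding whether an unreachable host is a routing failure, a filter, or a dead box. The Python below is an added example, not code from this post or from anyone on the list: it parses traceroute output of the form quoted above into per-hop records, tolerates hops that answer some probes and lose others (hop 8), and reports the last hop that answered and the first that did not. The sample text is the post's own hop listing, re-spaced as traceroute prints it and used here purely as constructed input; the function names are the example's own.

```python
"""Locate where a traceroute path stops answering.

Added example; the parsing code is not from the post.  SAMPLE_TRACEROUTE is
the hop listing quoted in the post, used only as constructed sample input.
"""
import re

SAMPLE_TRACEROUTE = """\
traceroute to ibd.ar.com (199.2.25.111), 30 hops max, 40 byte packets
 1  tlgrouter.tlg.org (140.174.122.3)  176 ms  163 ms  175 ms
 2  gw2-sf-tlg.tlg.net (140.174.122.17)  173 ms  165 ms  175 ms
 3  border-sf-tlg.tlg.net (140.174.125.5)  176 ms  167 ms  170 ms
 4  border1-serial3-0.SanFrancisco.mci.net (204.70.32.45)  266 ms  170 ms  206 ms
 5  core-fddi-0.SanFrancisco.mci.net (204.70.2.161)  191 ms  167 ms  188 ms
 6  borderx2-fddi0-0.SanFrancisco.mci.net (204.70.3.164)  158 ms  160 ms  175 ms
 7  fix-west-nap.SanFrancisco.mci.net (204.70.158.118)  176 ms  162 ms  173 ms
 8  * 198.32.136.38 (198.32.136.38)  183 ms  167 ms
 9  205.158.0.5 (205.158.0.5)  172 ms  168 ms  176 ms
10  * * *
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")                  # "<ttl>  <rest>"
HOST_RE = re.compile(r"(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)")  # "name (a.b.c.d)"
RTT_RE = re.compile(r"([\d.]+)\s+ms")


def parse_hops(text):
    """Turn traceroute output into one dict per hop.  A '*' is a probe that
    got no reply; a hop may answer some probes and lose others (hop 8)."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:                      # the header line, not a hop
            continue
        ttl, rest = int(m.group(1)), m.group(2)
        host = HOST_RE.search(rest)
        hops.append({
            "ttl": ttl,
            "host": host.group(1) if host else None,
            "addr": host.group(2) if host else None,
            "rtts_ms": [float(x) for x in RTT_RE.findall(rest)],
            "lost": rest.count("*"),
        })
    return hops


def last_responding_hop(hops):
    """The furthest router that answered at least one probe: the last point
    at which the path is known to be alive."""
    answered = [h for h in hops if h["rtts_ms"]]
    return answered[-1] if answered else None


def first_silent_hop(hops):
    """The first hop that answered nothing: where reachability ends (the
    target itself, or a filter or failure between it and the last responder)."""
    for h in hops:
        if not h["rtts_ms"]:
            return h
    return None


def summarize(text):
    """Return ((last responding ttl, its address), first silent ttl)."""
    hops = parse_hops(text)
    alive, dead = last_responding_hop(hops), first_silent_hop(hops)
    return (
        (alive["ttl"], alive["addr"]) if alive else None,
        dead["ttl"] if dead else None,
    )


if __name__ == "__main__":
    alive, dead = summarize(SAMPLE_TRACEROUTE)
    print(f"path alive through hop {alive[0]} ({alive[1]}); silent from hop {dead}")
```

On the quoted trace this reports hop 9 (205.158.0.5) as the last responder and hop 10 as the first silent hop, which is the "blocking at some intermediate point" reading in the post; a single lost probe at hop 8 is recorded as `lost == 1` rather than treated as a break in the path.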
-------------------------------------------------------------------------------

From firewalls-owner Wed Nov 1 21:52:50 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id VAA01416 for firewalls-outgoing; Wed, 1 Nov 1995 21:31:35 -0800 (PST)
Received: from yarrina.connect.com.au (yarrina.connect.com.au [192.189.54.17]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id VAA01401 for ; Wed, 1 Nov 1995 21:31:26 -0800 (PST)
Received: from suburbia.net (suburbia.apana.org.au [192.188.107.90]) by yarrina.connect.com.au with ESMTP id QAA19539 (8.6.12/IDA-1.6); Thu, 2 Nov 1995 16:30:25 +1100
Received: (proff@localhost) by suburbia.net (8.6.12/Proff-950810) id QAA20256; Thu, 2 Nov 1995 16:21:57 +1100
From: Julian Assange
Message-Id: <199511020521.QAA20256@suburbia.net>
Subject: Re: Tightening up SunOS 5.4 (was Re: Hardened OS)
To: mark@lochard.com.au (Mark)
Date: Thu, 2 Nov 1995 16:21:50 +1100 (EST)
In-Reply-To: <199511020252.AA20822@junkers.lochard.com.au> from "Mark" at Nov 2, 95 12:52:53 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> If anyone got on a firewall setup like this it is simple to compile a binary
> offsite to suit the architecture, static if necessary, and import it, run it
> and then have that binary act as a personal ftp/shell/port login process.
> 
> Have a nice day
> Mark
> mark@lochard.com.au

I modified our kernel to do trust circles (mainly mods to exec.c) quite some
time ago.  To put it simply, only non group and world writable binaries owned
by "trusted" users (root, etc) in trusted user owned directories can be
executed.  This goes for #! expansion as well.  If however a user is in the
"exec" group then they can execute their own binaries.  Bypassing this system
requires the privileges of the trusted user or root.
Using a flaw to create, or finding a group or world writeable file owned by a
trusted user and placing your code into it will not work, unless you can turn
off the group/world write permission afterwards.  Attempted trust violations
are klogged.

Every time the latest IFS (etc) style "execute my code now", kernel call bug
or race condition is found, I amuse myself by watching the frustration of
people trying to exploit it.

The reason the directory in which the trusted binary lies must also be
trusted is that one can do things like:

	$ cd /tmp
	$ ln /sbin/reboot usr
	$ export IFS=/
	$ neil+karl_food -y

-- 
+----------------------------------+-----------------------------------------+
|Julian Assange                    | "if you think the United States has     |
|FAX: +61-3-9819-9066              | has stood still, who built the largest  |
|EMAIL: proff@suburbia.net         | shopping centre in the world?" - Nixon  |
+----------------------------------+-----------------------------------------+

From firewalls-owner Wed Nov 1 22:23:20 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id VAA01256 for firewalls-outgoing; Wed, 1 Nov 1995 21:26:47 -0800 (PST)
Received: from delta.eecs.nwu.edu (delta.eecs.nwu.edu [129.105.5.103]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id VAA01249 for ; Wed, 1 Nov 1995 21:26:43 -0800 (PST)
Received: by delta.eecs.nwu.edu (8.6.12/8.6.12) id XAA07034; Wed, 1 Nov 1995 23:26:40 -0600
Date: Wed, 1 Nov 1995 23:26:40 -0600
From: Robert Bonomi
Message-Id: <199511020526.XAA07034@delta.eecs.nwu.edu>
To: cmcurtin@gatekeeper.cb.att.com, mark@lochard.com.au
Subject: Re: Tightening up SunOS 5.4 (was Re: Hardened OS)
Cc: Eric_Sheppard.BCI@bbs.bellsouth.com, firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

+ From: Mark
+ Subject: Re: Tightening up SunOS 5.4 (was Re: Hardened OS)
+ Status: R
+ 
+ >Since you've already blown away everything that isn't directly needed
+ >by your system or the applications you run to support necessary services,
+ >things like tar, ar, cc, cpio, etc. are gone.  If someone does break in,
+ >make it impossible for them to bring in archives and build binaries.  Do
+ >you really need to have an ftp command on the system?  I even removed vi :-)
+ 
+ Unfortunately this won't work.  Unless you remove shells as well from the
+ machine people can still import binaries.

To quote from Porgy & Bess...  "It ain't necessarily so"

+ I had a friend once in a chroot'd
+ guest environment with reasonably low quotas and they still managed to import
+ a binary and "talk" to the sendmail daemon on the machine.  It was a cute
+ trick and more of a proof of concept but it was enough to show me you can't
+ really stop someone on a standard unix model.

All it takes to prevent this is a) proper filesystem layout (executables and
'valuable' config data being *absolutely* segregated from 'user-writable'
files), and b) the right features in the O/S (e.g. a 'noexec' and/or 'nosuid'
option for mount(1)).

+ If anyone got on a firewall setup like this it is simple to compile a binary
+ offsite to suit the architecture, static if necessary, and import it, run it
+ and then have that binary act as a personal ftp/shell/port login process.

You can't do it on -my- firewall machine.  Any writable media is mounted
with specialty options, as discussed above: 'nodev' -- won't honor device
special files on that filesystem; 'noexec' -- _can't_ run an executable from
that filesystem, and 'nosuid' -- won't honor 'set uid' bit on any file on
that filesystem.  To plug the final possibility, the 'mount' command
disappears early on, when the system is coming up -- this prevents *anybody*
from doing an 'update' mount, to change the filesystem permissions.

All executables and configuration files (*including* /etc/passwd, even :)
live on media that is _hardware_ write-protected.

I can't prove there *aren't* any holes in my set-up, naturally.
:)  I *do* know that what anybody _can_ do, after they get in, is _very_
limited, and that a simple press of the 'reset' button will put them right
back to square one.  This is comforting.

From firewalls-owner Wed Nov 1 22:26:03 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id UAA28330 for firewalls-outgoing; Wed, 1 Nov 1995 20:32:59 -0800 (PST)
Received: from gatekeeper.glaxo.com (gatekeeper.glaxo.com [192.58.204.201]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id UAA28323 for ; Wed, 1 Nov 1995 20:32:56 -0800 (PST)
Received: by gatekeeper.glaxo.com (5.65/fma-120691); id AA25777; Wed, 1 Nov 95 23:30:23 -0500
Received: from ussun2f.glaxo.com by ussun1d.glaxo.com (5.x/SMI-SVR4) id AA21760; Wed, 1 Nov 1995 23:31:11 -0500
Received: by ussun2f.glaxo.com (5.x/SMI-SVR4) id AA01934; Wed, 1 Nov 1995 23:35:52 -0500
Reply-To: ggh14854@ussun2f.glaxo.com (Gary Hull)
Date: Wed, 1 Nov 1995 23:35:51 -0500 (EST)
From: Gary Hull
To: K Goertzel
Cc: Firewalls@GreatCircle.COM
Subject: Re: idb.ar.com...the mystery continues
In-Reply-To: <9511012057.AA09510@hfsi>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 1 Nov 1995, K Goertzel wrote:

> For those that are wondering, several listers have tried the same URL I did,
> with the following variety of results:
> 
> 
> User #1: "I get a 'server not responding' when I try this."
> 
> User #2: "I tried accessing http://idb.ar.com and got 'Remote server down or
> not responding.'"
> 
> User #3: "When I tried it, I too did not get connected, but the error message
> was 'server timed out'."
> 
> I'm going to continue trying to sort this out, but if there is anyone who can
> enlighten us on who ibd.ar.com is, and how one might contact them, I'd really
> appreciate it.
> 
> Karen Goertzel
> goertzek@wangfed.com
> 
> 

Folks -

Regarding ibd.ar.com, the following is what I can glean from nslookup and
dig:

From dig:

    ar.com.                 86400   NS      nic2.internex.net.
    ;; ADDITIONAL RECORDS:
    nic1.internex.net.      86400   A       199.2.14.10
    nic2.internex.net.      86400   A       129.65.240.240

nslookup says:

    > whois ar.com
    Name:    ar.com
    Address: 199.2.25.111

and

    > whois ibd.ar.com
    Non-authoritative answer:
    Name:    ibd.ar.com
    Address: 199.2.25.111

  |/
---o0o-@@-o0o---------
Gary G. Hull - Technical Consultant
Howard Systems International - Glaxo Wellcome Inc.
Five Moore Drive - Raleigh, North Carolina 27709
Tel : (919) 941-4867 - Fax : (919) 248-2831
email: ggh14854@ussun2f.glaxo.com

From firewalls-owner Wed Nov 1 22:57:45 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id UAA29642 for firewalls-outgoing; Wed, 1 Nov 1995 20:55:52 -0800 (PST)
Received: from lehman.Lehman.COM (Lehman.COM [192.147.66.1]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id UAA29627 for ; Wed, 1 Nov 1995 20:55:44 -0800 (PST)
From: carson@lehman.com
Received: (from smap@localhost) by lehman.Lehman.COM (8.6.12/8.6.12) id XAA16592; Wed, 1 Nov 1995 23:55:37 -0500
Received: from relay.mail.lehman.com(192.9.140.112) by lehman via smap (V1.3) id tmp016585; Wed Nov 1 23:55:05 1995
Received: from kublai.lehman.com by relay.lehman.com (4.1/LB-0.6) id AA24709; Wed, 1 Nov 95 23:54:59 EST
Received: from dragon.lehman.com by kublai.lehman.com (4.1/Lehman Bros. V1.6) id AA03685; Wed, 1 Nov 95 23:54:57 EST
Received: by dragon.lehman.com (5.0/Lehman Bros. V1.5) id AA28920; Wed, 1 Nov 1995 23:54:56 -0500
Date: Wed, 1 Nov 1995 23:54:56 -0500
Message-Id: <9511020454.AA28920@dragon.lehman.com>
To: Mark
Cc: cmcurtin@gatekeeper.cb.att.com (C Matthew Curtin), Eric_Sheppard.BCI@bbs.bellsouth.com, firewalls@GreatCircle.COM
Subject: Re: Tightening up SunOS 5.4 (was Re: Hardened OS)
In-Reply-To: <199511020252.AA20822@junkers.lochard.com.au>
References: <9510312244.ZM5480@gatekeeper> <199511020252.AA20822@junkers.lochard.com.au>
Reply-To: carson@lehman.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>>>> "Mark" == Mark writes:

Mark> Unfortunately this won't work.  Unless you remove shells as well from
Mark> the machine people can still import binaries.  I had a friend once in a
Mark> chroot'd guest environment with reasonably low quotas and they still
Mark> managed to import a binary and "talk" to the sendmail daemon on the
Mark> machine.  It was a cute trick and more of a proof of concept but it was
Mark> enough to show me you can't really stop someone on a standard unix
Mark> model.

Mark> If anyone got on a firewall setup like this it is simple to compile a
Mark> binary offsite to suit the architecture, static if necessary, and
Mark> import it, run it and then have that binary act as a personal
Mark> ftp/shell/port login process.

One of my ex-employers got around that by setting the global umask to 133.
If you don't give them any way to change the umask or the mode of the file,
it's very difficult to execute an unknown binary.
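Three of the controls argued over in this thread are mechanical enough to model in a few lines: Julian Assange's trust circles (a binary runs only if it and the directory it sits in are owned by a trusted user and neither is group or world writable, with #! interpreters held to the same rule), Robert Bonomi's nodev/noexec/nosuid on every writable filesystem, and Carson's global umask of 133. The Python below is an added example, not code from any of those posters; the function names, the throwaway directory it builds, and the /proc/mounts-style table are the example's own constructions. It models the exec rule in userland (the real thing lives in exec.c, and this model only answers the question the kernel hook would answer) and audits a mount table for writable filesystems that lack any of the three options.

```python
"""Userland model of two 'no foreign binaries' controls from this thread.

Added example, not code from any poster.  check_exec_policy() applies the
trust-circle rule described for exec.c; audit_mounts() applies the rule that
writable media carry nodev, noexec and nosuid.  All names are the example's.
"""
import os
import stat
import tempfile

ROOT_UID = 0
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def _untrusted_reason(path, trusted_uids):
    """None if `path` is owned by a trusted uid and not group/world writable,
    otherwise the reason a trust-circle kernel would refuse (and klog)."""
    st = os.stat(path)
    if st.st_uid not in trusted_uids:
        return f"{path}: owner uid {st.st_uid} is not in the trust circle"
    if st.st_mode & WRITABLE_BY_OTHERS:
        return f"{path}: group/world writable ({stat.filemode(st.st_mode)})"
    return None


def _interpreter(path):
    """The #! interpreter of a script, or None for anything else."""
    with open(path, "rb") as fh:
        head = fh.readline(256)
    parts = head[2:].split() if head.startswith(b"#!") else []
    return parts[0].decode() if parts else None


def check_exec_policy(path, trusted_uids=frozenset({ROOT_UID})):
    """Return [] if `path` may be executed, else the list of violations.
    Both the file and its directory must pass, so a hard link dropped into
    a world-writable /tmp (the IFS trick in the thread) still fails."""
    reasons = []
    for p in (path, os.path.dirname(os.path.realpath(path))):
        r = _untrusted_reason(p, trusted_uids)
        if r:
            reasons.append(r)
    interp = _interpreter(path)
    if interp:               # #! expansion: the interpreter is checked too
        reasons.extend(check_exec_policy(interp, trusted_uids))
    return reasons


# Constructed /proc/mounts-style table (not from any real system).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 ro,relatime 0 0
/dev/sda2 /var/spool ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /home ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
"""
REQUIRED_ON_WRITABLE = ("nodev", "noexec", "nosuid")


def audit_mounts(mounts_text):
    """{mountpoint: [missing options]} for each rw filesystem lacking any of
    nodev/noexec/nosuid.  Read-only filesystems are skipped: the rule in the
    thread is for media anyone can write to."""
    gaps = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint, opts = fields[1], set(fields[3].split(","))
        if "rw" not in opts:
            continue
        missing = [o for o in REQUIRED_ON_WRITABLE if o not in opts]
        if missing:
            gaps[mountpoint] = missing
    return gaps


def demo_exec_policy():
    """Build a throwaway tree (constructed sample, deleted by the OS later)
    and return the verdicts on a clean binary, a group-writable one, and a
    script whose #! names the group-writable one.  This process's own uid
    is the only trusted owner."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o700)
    me = frozenset({os.getuid()})
    good, bad, script = (os.path.join(d, n) for n in ("good", "bad", "script"))
    for p, mode in ((good, 0o755), (bad, 0o775)):
        open(p, "w").close()
        os.chmod(p, mode)
    with open(script, "w") as fh:
        fh.write(f"#!{bad}\n")
    os.chmod(script, 0o755)
    return {"good": check_exec_policy(good, me),
            "bad": check_exec_policy(bad, me),
            "script": check_exec_policy(script, me)}


if __name__ == "__main__":
    print(demo_exec_policy())
    print(audit_mounts(SAMPLE_MOUNTS))
```

In the demo the clean file passes, the group-writable one is refused, and the script is refused for the same reason as its interpreter, which is the #! case Julian calls out. The mount audit flags /home (none of the three options) and /tmp (nosuid and nodev but not noexec). Carson's umask of 133 fits the same picture: with `0o666 & ~0o133` every file a user creates lands as mode 0644, so nothing they import carries an execute bit unless they can also chmod it.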
-- 
Carson Gaspar -- carson@cs.columbia.edu carson@lehman.com
http://www.cs.columbia.edu/~carson/home.html

From firewalls-owner Wed Nov 1 23:02:35 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id UAA27865 for firewalls-outgoing; Wed, 1 Nov 1995 20:26:18 -0800 (PST)
Received: from access1.digex.net (access1.digex.net [205.197.245.192]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id UAA27849 for ; Wed, 1 Nov 1995 20:26:13 -0800 (PST)
From: sharborth@hai-net.com
Received: from houston_cc_smtp.hai-net.com (houston_cc_smtp.hai-net.com [204.91.94.67]) by access1.digex.net (8.6.12/8.6.12) with SMTP id XAA04147 ; for ; Wed, 1 Nov 1995 23:26:15 -0500
Received: from cc:Mail by houston_cc_smtp.hai-net.com id AA815297259; Wed, 01 Nov 95 23:20:20 EST
Date: Wed, 01 Nov 95 23:20:20 EST
Message-Id: <9510018152.AA815297259@houston_cc_smtp.hai-net.com>
To: Firewalls@GreatCircle.COM, "K Goertzel"
Subject: Re: idb.ar.com...the mystery continues
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Seems to me perhaps you should try a whois or DNS look-up if you haven't
already.

______________________________ Reply Separator _________________________________
Subject: idb.ar.com...the mystery continues
Author:  "K Goertzel"  at internet
Date:    01-11-95 15:57

For those that are wondering, several listers have tried the same URL I did,
with the following variety of results:

User #1: "I get a 'server not responding' when I try this."

User #2: "I tried accessing http://idb.ar.com and got 'Remote server down or
not responding.'"

User #3: "When I tried it, I too did not get connected, but the error message
was 'server timed out'."

I'm going to continue trying to sort this out, but if there is anyone who can
enlighten us on who ibd.ar.com is, and how one might contact them, I'd really
appreciate it.
Karen Goertzel
goertzek@wangfed.com

From firewalls-owner Wed Nov 1 23:23:40 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id WAA03590 for firewalls-outgoing; Wed, 1 Nov 1995 22:52:57 -0800 (PST)
Received: from hermes.intel.com (hermes.intel.com [143.183.152.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id WAA03582 for ; Wed, 1 Nov 1995 22:52:54 -0800 (PST)
Received: from argus.intel.com by hermes.intel.com (5.65/10.0i); Wed, 1 Nov 95 22:52:56 -0800
Received: by argus.intel.com (5.65/10.0i); Wed, 1 Nov 95 22:52:54 -0800
From: sedayao@argus.intel.com (Jeffrey C. Sedayao)
Message-Id: <9511020652.AA24440@argus.intel.com>
Subject: Re: Man in the Middle Attacks (Over rated?)
To: maillet@doc.cs.usm.maine.edu (Edward Maillet)
Date: Wed, 1 Nov 95 22:52:54 PST
Cc: firewalls@greatcircle.com
In-Reply-To: <9511020138.AA25452@doc.cs.usm.maine.edu> from "Edward Maillet" at Nov 1, 95 08:38:07 pm
X-Mailer: ELM [version 2.4dev PL66]
Mime-Version: 1.0
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Hey All,
> Wouldn't it be more accurate to say that Man in the Middle attacks are really
> Man at the End attacks?

No.

> I've been reading the IP-Watch Web Page about hijacking TCP connections and
> active packet sniffing.  The "threat to the whole Internet" seems a bit
> exaggerated for the average Joe.

I would disagree.

> (http://www.EnGarde.com/software/ipwatcher)
> TCP connections flying over Internet today from say A.com to B.com aren't
> likely to be crossing over a network controlled by evil.com.  What is the
> REAL potential of someone being able to nail a A.com to B.com connection
> without being inside A.com or B.com?  Most companies connect to the 'net
> using a commercial Internet provider.  Let's say MCI.  I know for a fact MCI
> routes data internally along its DS3 back bone as much as it can so if
> you and I both use MCI we never leave MCI land.
> What is the real potential
> of someone tapping, hacking or sniffing one of MCI's links?  Sure the
> possibility exists but so does the possibility I put a bomb in your car
> while you were reading this.

There can definitely be risk.  First, not every person or company connects
to the Internet with a dedicated line.  Many people and companies dial up
into a terminal server or some other kind of remote access device.  Put a
network sniffer on the terminal server segment and the man in the middle
scenario is definitely there.  I believe that this situation happened to
BARRnet (please correct me if I am wrong).  There are also situations where
an organization's mail connectivity to the Internet is via UUCP.  Penetrate
the UUCP/Internet gateway host, and then you have a man in the middle
scenario again.  Also, an Internet Provider may have a network monitor host
on the backbone segment of their POP.  A packet sniffer there could see a
lot of things.

Second, how can you always trust the phone company carrying the traffic?
There are some governments with monopoly PTTs that are known to spy on
foreign commercial organizations in order to gain advantage for their
domestic companies.

Third, sometimes what looks like a.com or b.com really isn't.  This scenario
happens when an organization is not diligent about deleting accounts of
people that leave.  I have seen situations where someone thought that they
were sending mail only to internal people, but the mail message went out on
the Internet because someone left a .forward in an account that should have
been deleted.  I remember someone sending a note about highly confidential
and proprietary technology to an internal mailing list, and then getting a
message from someone at a University saying, "That's cool.  Can you send me
more info?"

> The real potential threat seems to be from the inside of B.com or A.com where
> direct access to the network is MUCH more easy to obtain.
> Or even worse is
> evil.com directly attacking A.com or B.com like the Tsutomu Shimomura attack
> last year.
> Is the real potential threat the Man at the End rather than the Man that
> maybe in the Middle?

Particularly my end.  I would say that both Middle and End are real threats.

> My company seems to not view it this way so internal security is much
> looser than our outbound connections.

As secure network perimeters in organizations become more and more porous,
this will have to change.  I believe that we will see a future with multiple
perimeters and firewalls within a single organization.

> As a side thought, anyone got any numbers of how many hacks come from inside
> versus outside?  It's probably pretty substantial.

Inside hacks definitely do happen.

> Flame Away!
> ----- Ed Maillet
> maillet@cs.usm.maine.edu

-- 
Jeff Sedayao
Intel Corporation
sedayao@argus.intel.com

From firewalls-owner Thu Nov 2 02:23:21 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id CAA10498 for firewalls-outgoing; Thu, 2 Nov 1995 02:15:02 -0800 (PST)
Received: from basic.net (basic.net [205.242.92.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id CAA10491 for ; Thu, 2 Nov 1995 02:14:51 -0800 (PST)
Received: by basic.net (SMI-8.6/BN-1.20) id EAA08661; Thu, 2 Nov 1995 04:12:02 -0600
Date: Thu, 2 Nov 1995 04:12:02 -0600 (CST)
From: Jim McBride
To: Edward Maillet
cc: firewalls@GreatCircle.COM
Subject: Re: Spoofing ISDN
In-Reply-To: <9511020049.AA25854@doc.cs.usm.maine.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 1 Nov 1995, Edward Maillet wrote:

> Hey All,
> Some folks at work want to setup an ISDN dial-in connection relying
> solely on the inbound caller ID as the security measure.  Is it possible
> to spoof the D channel to send fake info?  I'm fairly certain there is
> a way to do it.
> Can anyone point me to some references so I can make a
> decent technical argument against this?
> Thanx.
> 
> ----- Ed Maillet
> maillet@cs.usm.maine.edu
> 
> 

Well since neither the caller id info nor the CLID are generated by any on
premise equipment -- the only thing you would have to worry about is someone
playing switch pranks...and even then I don't think you could ''spoof'' a
circuit since a bri's cid is its ''phone number'' which is the broadcast
ascii string.  And I don't believe the switch will pass clid packets straight
through anyway, even if you did come up with some way to generate them on
premise.

So -- my answer would be no, not by any technical means that I can think of.

Jim McBride
jim@basic.net

From firewalls-owner Thu Nov 2 03:23:08 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id DAA12122 for firewalls-outgoing; Thu, 2 Nov 1995 03:18:21 -0800 (PST)
Received: from relay1.pipex.net (relay1.pipex.net [158.43.128.6]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id DAA12114 for ; Thu, 2 Nov 1995 03:18:15 -0800 (PST)
Received: from smtpgty.saicuk.co.uk by flow.pipex.net with SMTP (PP); Thu, 2 Nov 1995 11:16:42 +0000
Received: by smtpgty.saicuk.co.uk with Microsoft Mail id <3098A844@smtpgty.saicuk.co.uk>; Thu, 02 Nov 95 11:15:16 GMT
From: "Johnson-Bryden, Ian"
To: "'firewalls@greatcircle.com'"
Subject: Re: PC vs Workstation Firewall
Date: Thu, 02 Nov 95 11:14:00 GMT
Message-ID: <3098A844@smtpgty.saicuk.co.uk>
Encoding: 44 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

There is another issue.  Intel/Intel clone based products come in all shapes
and sizes but mostly are designed for minimum buy price and maximum volume
sale.  That means they tend to a lot of 'value engineering' which for some
vendors means "if the customers won't notice how about taking this
functionality out and not telling them".
Even the best vendors aren't that good at advising of planned changes to
design.  All of this can be a real problem for any secure or mission critical
system like a firewall and can cause a lot of grief for the PBC (poor bloody
customer).

Folk like Sun tend to be much better at telling folk about planned changes
and documenting what they have done.  They aren't perfect but they are
usually better.  Some Intel vendors would say that's just because they don't
shift much tin, but if they offer a better product/service, who cares what
the reason is.  Anyway lower volume sales can be explained in many ways.  It
can simply be that there are fewer wise buyers out there and lots of people
who don't know any better than to buy cheapest product.

Ian J-B
 ----------
From: firewalls-owner
To: Mike.Jones
Cc: firewalls
Subject: Re: PC vs Workstation Firewall
Date: Thursday, November 02, 1995 1:49PM

My mailer thinks Mike Jonesa said:
> [chomp]
> 
> Actually, I think there's another issue to consider.  If you get, for
> example, a firewall that runs on a Sun, you can purchase maintenance
> for it.  That means that if you lose a disk at 2am in a snowstorm in the
> middle of January, the *Sun* guy gets to come out and replace the disk
> within 4 hours.  Sure beats playing with PC hardware for my dollar.  The
> same is true of HP, SGI, IBM, etc., of course.
> 

Actually, the amount you pay in maintenance could probably be put into
buying spares for everything.  This would alleviate the Sun Engineer from
having to come out - only you would need to go out.

After all you were there to let him into the building and onto the bastion,
weren't you?
:-)

Colin

From firewalls-owner Thu Nov 2 05:22:53 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id EAA15113 for firewalls-outgoing; Thu, 2 Nov 1995 04:54:09 -0800 (PST)
Received: from gauntlet-1.trusted.com (gauntlet-1.trusted.com [192.94.214.88]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id EAA15104 for ; Thu, 2 Nov 1995 04:54:06 -0800 (PST)
Received: by gauntlet-1.trusted.com; id HAA24658; Thu, 2 Nov 1995 07:56:09 -0500
Message-Id: <199511021256.HAA24658@gauntlet-1.trusted.com>
Received: from vanidor.tis.com(192.94.214.98) by gauntlet-1.trusted.com via smap (g3.0.3) id xmai24621; Thu, 2 Nov 95 07:55:59 -0500
X-Sender: avolio@gauntlet-1.trusted.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 02 Nov 1995 08:47:53 -0500
To: Dave Scott , firewalls@greatcircle.com
From: Frederick M Avolio
Subject: Re: Exporting a Gauntlet Firewall
Cc: dscott@eng.dowjones.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Questions like this really should just go to TIS, no?

Yes, you can buy from us here or a reseller.  I bet we can work something
out with one of our German resellers to allow you to get the machine here
and play with it and ship it to Germany and get support from them.  Should
be easy.  We'd sell you the exportable version.

Fred

At 11:44 AM 11/1/95 EST, Dave Scott wrote:
>
>Hi all, I need to have a Gauntlet in Europe...
>
>I can buy it through a German reseller (for a lot
>more money) and get full maintenance & support, etc.
>
>Or I can buy it here, configure and test it here, etc.
>and ship it out to Europe - but I won't get the support.
>
>It would be good to buy it here in the U.S. so I can
>configure and test it in the lab - the support issue
>will be handled by management.  I'd like to know if,
>other than having no encryption capabilities, are there
>any other gotchas I have to worry about for the PC version
>of the Gauntlet ?
Anything involving DES for Unix passwords ? > >Thanks for any info, >Dave Scott > > From firewalls-owner Thu Nov 2 05:53:16 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id FAA15974 for firewalls-outgoing; Thu, 2 Nov 1995 05:49:40 -0800 (PST) Received: from relay.puug.pt (relay.puug.pt [193.126.4.65]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id FAA15967 for ; Thu, 2 Nov 1995 05:49:35 -0800 (PST) Received: from q950.bvl.pt by relay.puug.pt with UUCP id AA11023 (5.67a/IDA-1.5 for firewalls@GreatCircle.COM); Thu, 2 Nov 1995 14:49:06 +0100 Received: from q950 (q950.bvl.pt) by jessica.bvl.pt with SMTP id AA15031 (5.65c/IDA-1.4.4); Thu, 2 Nov 1995 14:40:45 GMT Message-Id: <199511021440.AA15031@jessica.bvl.pt> Date: 2 Nov 1995 14:37:48 +0000 From: "Antonio Vasconcelos" Subject: RE: Spoofing ISDN To: "Edward Maillet" , "Jim McBride" Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >And I dont believe the switch will pass clid packets straight through >anyway, even if you did come up with someway to generate them on premise. > >So -- my answer would be no, not by any technical means that I can think of. Short from taking over the phone switch, of course... From firewalls-owner Thu Nov 2 06:24:07 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id FAA16178 for firewalls-outgoing; Thu, 2 Nov 1995 05:57:19 -0800 (PST) Received: from hp01.vak12ed.edu (hp01.vak12ed.edu [141.104.150.251]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id FAA16171 for ; Thu, 2 Nov 1995 05:57:14 -0800 (PST) Message-Id: <199511021357.FAA16171@miles.greatcircle.com> Received: by hp01.vak12ed.edu (1.38.193.5/16.2) id AA11677; Thu, 2 Nov 1995 08:56:11 -0500 From: "W.C. 
Epperson" Subject: Re: PC vs Workstation Firewall To: stockwel@sctc.com (Ted Stockwell) Date: Thu, 2 Nov 95 8:56:11 EST Cc: firewalls@greatcircle.com In-Reply-To: <199511020117.TAA06918@hector.sctc.com>; from "Ted Stockwell" at Nov 1, 95 7:17 pm Mailer: Elm [revision: 70.85.2.1] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Ted Stockwell, stockwel@sctc.com, Sidewinder wrote:
> You can get 7 x 24 support for PC hardware. Workstations do not
> present an advantage here. PC's may have a cost advantage if you want
> a hot-swap.
>
I believe that workstations on which the hardware and operating software are produced/controlled by the primary manufacturer tend to offer better integration of the components. Because of that better integration, the manufacturer typically can offer integrated hardware/software support. With an integrated support contract, I can say "Hardware/software/smoftware: component isolation and integration not my problem. They're all [HP|IBM|DEC] components: fix it." Although this costs you some flexibility in the marketplace, the flexibility I've gotten from PC hardware running Unix-named-after-California-city has generally been used for bending over. Your mileage may vary.

My opinions, but you can help yourself: I got plenty.
--
W.C. Epperson                    "I have great faith in fools.
Senior SE                         Self-confidence, my friends call it."
Information Security Officer                  --Edgar Allan Poe--
DBA Emeritus
Curmudgeon-for-Life
Virginia Dept. of Education
epperson@pen.k12.va.us

From firewalls-owner Thu Nov 2 06:53:58 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id GAA16372 for firewalls-outgoing; Thu, 2 Nov 1995 06:03:00 -0800 (PST) Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id GAA16365 for ; Thu, 2 Nov 1995 06:02:56 -0800 (PST) Date: Thu, 2 Nov 1995 9:02:58 -0500 (EST) From: "A. Padgett Peterson, P.E.
Information Security" To: firewalls@greatcircle.com Message-Id: <951102090258.20200396@hobbes.orl.mmc.com> Subject: Firewall discussion at PC Week Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>PC Week is hosting a Discussion on "Protecting the company LAN from Internet
>intruders" at
> Protecting the company LAN from Internet intruders

And if you can make sense out of that address, you probably do not need any more help 8*).

P.fla

From firewalls-owner Thu Nov 2 07:26:31 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id GAA16801 for firewalls-outgoing; Thu, 2 Nov 1995 06:18:03 -0800 (PST) Received: from kgbvax.network.com (kgbvax.network.com [129.191.202.58]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id GAA16778 for ; Thu, 2 Nov 1995 06:17:57 -0800 (PST) Received: (from ted@localhost) by kgbvax.network.com (8.6.9/8.6.9) id IAA28060; Thu, 2 Nov 1995 08:14:41 -0500 Date: Thu, 2 Nov 1995 08:14:41 -0500 From: Ted Doty Message-Id: <199511021314.IAA28060@kgbvax.network.com> To: maillet@doc.cs.usm.maine.edu, firewalls@greatcircle.com Subject: Re: Man in the Middle Attacks (Over rated?) In-Reply-To: Mail from 'Edward Maillet ' dated: Wed, 1 Nov 1995 20:38:07 -0500 (EST) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Edward Maillet wrote:
>
> Wouldn't it be more accurate to say that Man in the Middle attacks are really
> Man at the End attacks?
[snip]
> TCP connections flying over Internet today from say A.com to B.com aren't
> likely to be crossing over a network controlled by evil.com. What is the
> REAL potential of someone being able to nail a A.com to B.com connection
> without being inside A.com or B.com? Most companies connect to the 'net
> using a commercial Internet provider. Let's say MCI. I know for a fact MCI
> routes data internally along its DS3 back bone as much as it can so if
> you and I both use MCI we never leave MCI land. What is the real potential
> of someone tapping, hacking or sniffing one of MCI's links? Sure the
> possibility exists but so does the possibility I put a bomb in your car
> while you were reading this.

There is a long history of folks penetrating the public switched phone network for either recreation or profit. The example that I think is funniest was when (on June 13, 1989) callers to the Palm Beach (Florida) Probation office found themselves connected to a phone sex number in New York. I'm sure that The Authorities at the telephone company do not share my amusement.

As you point out, so what? Well, there are two forces driving the phone companies towards a much more open architecture for data networks. The first is the realization that they are losing out on an enormous opportunity to sell data service (to PSI, UUnet, and company, but also to Wiltel and others). Much of this is because their service offerings are much less flexible than their competition's. There is a feeling at many of the phone companies that new technologies would allow customers to connect in and provision a higher quality (and more expensive) service, as needed, and this would be a major competitive edge that the phone companies could use to get in the game.

The second is the "Equal Access" laws. Basically these are a holdover from the days when The Powers That Be in Washington decreed that my mom and dad (in Orono, Maine) should get the same service as I get here in the Washington DC area, although it costs much less for a phone company to provide it to me. As it turns out, many of the technologies that would allow customers to provision their own service also help out here.

Never mind when the NSFnet routing nodes were subverted (January 1994?), and sniffer programs installed.

[snip]
> As a side thought, anyone got any numbers of how many hacks come from inside
> versus outside?

Haven't seen any numbers, but (as the police say) the insiders have the opportunity, motive, and means. They also know where the Good Stuff is. This is an extremely ugly topic, but there it is. I'd be *very* surprised if there were more than 25% external jobs, but that's a guess.

(and you thought that YOU were flame bait, Ed!)

--
- Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation   | phone: +1 301 596-2270
8965 Guilford Road, Suite 250           | fax: +1 410 381-3320
Columbia, MD, 21046 USA                 | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to real opinions, living or dead, is purely coincidental.

From firewalls-owner Thu Nov 2 08:50:12 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id HAA18310 for firewalls-outgoing; Thu, 2 Nov 1995 07:24:31 -0800 (PST) Received: from intex.intex.net (intex.intex.net [204.255.96.10]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id HAA18302 for ; Thu, 2 Nov 1995 07:24:21 -0800 (PST) Received: from dialupb56.intex.net (dialupb56.intex.net [204.255.103.56]) by intex.intex.net (8.6.12/4.1.4) with SMTP id JAA09853 for ; Thu, 2 Nov 1995 09:23:47 -0600 Message-Id: <199511021523.JAA09853@intex.intex.net> X-Sender: lpierce@intex.net X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 02 Nov 1995 09:29:28 -0600 To: firewalls@greatcircle.com From: lpierce@intex.net (S. Lane Pierce) Subject: URL for netcat? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Would a kind soul post the URL for netcat for me. I have lost that message. Thanks in advance.

S.
Lane Pierce lpierce@intex.net From firewalls-owner Thu Nov 2 08:56:28 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id HAA18222 for firewalls-outgoing; Thu, 2 Nov 1995 07:21:53 -0800 (PST) Received: from tuna.wang.com (tuna.wang.com [150.124.136.4]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id HAA18215 for ; Thu, 2 Nov 1995 07:21:46 -0800 (PST) Received: from mail.wangfed.com (ns.wangfed.com [159.94.10.19]) by tuna.wang.com (8.6.12/8.6.12tf1) with SMTP id KAA15155 for ; Thu, 2 Nov 1995 10:21:44 -0500 Received: from [159.94.10.15] by mail.wangfed.com (1.37.109.4/A.09.00a) id AA23067; Thu, 2 Nov 95 10:14:39 -0600 Received: from [159.94.14.48] by hfsi (BULL 5.61++/B.O.S 02.01) id AA13335; Thu, 2 Nov 95 10:12:19 -0500 Date: Thu, 2 Nov 95 10:12:19 -0500 Message-Id: <9511021512.AA13335@hfsi> From: "K Goertzel" Reply-To: "K Goertzel" To: firewalls@GreatCircle.COM Subject: Re: Exporting a Gauntlet Firewall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In message <199511021256.HAA24658@gauntlet-1.trusted.com> Frederick M Avolio writes: > Questions like this really should just go to TIS, no? > > Yes, you can buy from us here or a reseller. > > I bet we can work something out with one of our German resellers to allow > you to get the machine here and play with it and ship it to Germany and get > support from them. Should be easy. > > We'd sell you the exportable version. I was under the impression that TIS now has an office in the UK. Would this not be a more logical place for Dave Scott to go, given the version sold by the UK would (presumably) already be "exportable", along with the lack of tariffs within the EC? Karen Goertzel Manager, International Programmes Secure Systems and Services Operation Wang Federal, Inc. 
goertzek@wangfed.com

From firewalls-owner Thu Nov 2 08:58:01 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id HAA18502 for firewalls-outgoing; Thu, 2 Nov 1995 07:31:13 -0800 (PST) Received: from cseic.saic.com (CSEIC.SAIC.COM [139.121.32.135]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id HAA18495 for ; Thu, 2 Nov 1995 07:31:09 -0800 (PST) Received: from [139.121.32.149] by cseic.saic.com (4.1/1.34) id AA21560; Thu, 2 Nov 95 10:28:55 EST Message-Id: <9511021528.AA21560@cseic.saic.com> X-Sender: steveg@cseic.saic.com X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 02 Nov 1995 11:41:14 -0500 To: sgcccdc@citec.qld.gov.au (Colin Campbell) From: "Stephen H. Goldstein" Subject: Re: screened host/subnet fws Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 11:49 AM 11/2/95 EST, Colin Campbell wrote:
>Then why did you show one with TWO interfaces? There are a lot of newbies
>on this list (who probably shouldn't be attempting building firewalls
>without a lot of study first) who on seeing "pictures" like this and
>then an explanation that seemingly contradicts it, will only be more
>confused.
>>
>> +--------+   +----------+    +---------+    +----------+    +---------+
>> | Inside |---| Filter 1 |----| Bastion |----| Filter 2 |----| Outside |
>> +--------+   +----------+    +---------+    +----------+    +---------+
>>
> [chomp]
>
>IMHO, what you should have drawn, was:
>
>
>  +--------+   +----------+     +----------+    +---------+
>  | Inside |---| Filter 1 |-----| Filter 2 |----| Outside |
>  +--------+   +----------+  |  +----------+    +---------+
>                             |
>                        +---------+
>                        | Bastion |
>                        +---------+

You're right, but I had a hard enough time as it was getting the dashes and plus signs to line up. :-)

To anyone who's confused by this, think of my picture as the "logical" flow of data, and Colin's as the physical, and I think it'll be clearer.
---
Stephen Goldstein
steveg@cseic.saic.com
My first computer: A 24K Atari 800, Rev. A ROMS, November 1980
Disclaimer: That's not what I said.

From firewalls-owner Thu Nov 2 09:43:10 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id HAA18362 for firewalls-outgoing; Thu, 2 Nov 1995 07:25:47 -0800 (PST) Received: from devnull (devnull.mpd.tandem.com [131.124.4.29]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id HAA18343 for ; Thu, 2 Nov 1995 07:25:34 -0800 (PST) Received: from galil.austnsc.tandem.com. by devnull (8.6.8/8.6.6) id JAA14178; Thu, 2 Nov 1995 09:25:21 -0600 Received: (from dreschs@localhost) by galil.austnsc.tandem.com. (8.7.1/8.7.1) id JAA04881; Thu, 2 Nov 1995 09:27:45 -0600 (CST) Date: Thu, 2 Nov 1995 09:27:45 -0600 (CST) From: Sten Drescher Message-Id: <199511021527.JAA04881@galil.austnsc.tandem.com.> To: Edward Maillet CC: firewalls@GreatCircle.COM In-reply-to: Edward Maillet's message of Wed, 1 Nov 1995 20:38:07 -0500 (EST) Subject: Re: Man in the Middle Attacks (Over rated?) References: <9511020138.AA25452@doc.cs.usm.maine.edu> Cc: Edward Maillet Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Edward Maillet said:

EM> Hey All, Wouldn't it be more accurate to say that Man in the Middle
EM> attacks are really Man at the End attacks?

EM> I've been reading the IP-Watch Web Page about hijacking TCP
EM> connections and active packet sniffing. The "threat to the whole
EM> Internet" seems a bit exaggerated for the average Joe.
EM> (http://www.EnGarde.com/software/ipwatcher) TCP connections flying
EM> over Internet today from say A.com to B.com aren't likely to be
EM> crossing over a network controlled by evil.com. What is the REAL
EM> potential of someone being able to nail a A.com to B.com connection
EM> without being inside A.com or B.com? Most companies connect to the
EM> 'net using a commercial Internet provider. Let's say MCI. I know for a
EM> fact MCI routes data internally along its DS3 back bone as much as
EM> it can so if you and I both use MCI we never leave MCI land. What is
EM> the real potential of someone tapping, hacking or sniffing one of
EM> MCI's links? Sure the possibility exists but so does the possibility
EM> I put a bomb in your car while you were reading this. The real
EM> potential threat seems to be from the inside of B.com or A.com where
EM> direct access to the network is MUCH more easy to obtain. Or even
EM> worse is evil.com directly attacking A.com or B.com like the Tsutomu
EM> Shimomura attack last year. Is the real potential threat the Man at
EM> the End rather than the Man that may be in the Middle? Particularly
EM> my end. My company seems to not view it this way so internal
EM> security is much looser than our outbound connections.

EM> As a side thought, anyone got any numbers of how many hacks come
EM> from inside versus outside?

I can't give any specific percentages, but, yes, more security problems occur from disgruntled/larcenous current and former employees than from outside sources, whether you are talking about computer cracks or bank losses. But unless every single one of your systems talks directly to MCIinternet, you are vulnerable to MitM attacks within your organization. Then you have MitM attacks within MCIinternet by their employees (note: I'm not saying that MCIinternet is hiring more dishonest employees than anyone else. I'm just saying that they're probably not hiring _less_ than anyone else, either). Then, unless every single one of the systems at the other organization is connected to MCIinternet, you have MitM attacks there.

The real danger with the internal MitM attacks is that they are probably more likely to go unnoticed for prolonged periods, because the perpetrator is 'supposed' to be there, just like a bank manager siphoning off a small fraction of deposits periodically is going to be more likely to go unnoticed than someone walking into the lobby with a ski mask and an Uzi. But that bank manager (if he's good enough of an accountant to cook the books well enough to get past auditors) is likely to be able to do much more damage.

Sten
--
#include    /* Sten Drescher */
To get my PGP public key, send me email with your public key and
Subject: PGP key exchange
Key fingerprint = 90 5F 1D FD A6 7C 84 5E A9 D3 90 16 B2 44 C4 F3

From firewalls-owner Thu Nov 2 09:55:54 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA20625 for firewalls-outgoing; Thu, 2 Nov 1995 09:12:25 -0800 (PST) Received: from guardian.EnGarde.com (guardian.EnGarde.com [199.165.219.1]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id JAA20618 for ; Thu, 2 Nov 1995 09:12:21 -0800 (PST) Received: (from mcn@localhost) by guardian.EnGarde.com (8.7.1/8.6.12) id LAA05223; Thu, 2 Nov 1995 11:11:22 -0600 (CST) Date: Thu, 2 Nov 1995 11:11:22 -0600 (CST) From: Mike Neuman Message-Id: <199511021711.LAA05223@guardian.EnGarde.com> To: maillet@doc.cs.usm.maine.edu, firewalls@greatcircle.com Reply-To: mcn@EnGarde.com Subject: Re: Man in the Middle Attacks (Over rated?) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

In article <9511020138.AA25452@doc.cs.usm.maine.edu> you write:
> I've been reading the IP-Watch Web Page about hijacking TCP connections and
>active packet sniffing. The "threat to the whole Internet" seems a bit
>exaggerated for the average Joe.
> (http://www.EnGarde.com/software/ipwatcher)

I don't think the statement is exaggerated (of course, I wrote it) :-)

I won't repeat the statements of some of the other people who have replied to your message, but I will make one other point. I find it fascinating how many people are trying to discount the threat as being irrelevant. Myself (with IP-Watcher, sequence number prediction, and other tools), Laurent Joncheray (with his hijacking tool), Steve Bellovin (with his description of the sequence number attack more than 6 years ago), Jim Alves-Foss (with SNIF), and the people at Berkeley with the Netscape hack have all shown the following INESCAPABLE FACTS:

1) IP can be monitored
2) TCP connections can be hijacked (REGARDLESS of where the attacker is)
3) UDP pseudo-connections can have data inserted midstream.
4) IP Source addresses are meaningless

This means:

1) You can't trust the source of any packet, regardless of whether it's in the middle of a connection.
2) You can't trust that a packet sent by you will arrive at the destination.
3) You can't trust that your traffic won't be seen by a third party.

Any solution other than full encryption, or at least packet-level authentication (ie IPv6), is merely delaying the inevitable.
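The sequence-number attack Mike refers to (the one Bellovin described, and the one used in the Shimomura break-in mentioned earlier in this thread) is small enough to show in full. What follows is an added example by the editor, not code from this post, from IP-Watcher or from EnGarde: a Python model of a blind, spoofed-source connection attempt against a 4.2BSD-style ISN counter and against a keyed-hash ISN (the scheme RFC 1948 later standardised, which post-dates this thread). The addresses, ports and increment constants are assumptions chosen for illustration; nothing is sent on a network.

```python
"""
Blind TCP spoofing against two initial-sequence-number (ISN) generators.

Added example for the discussion above; not code from the post, from
IP-Watcher or from EnGarde.  Nothing is sent on a network: the "server"
is a Python object, the addresses and ports are made up, and the 4.2BSD
increments are illustrative (Bellovin, 1989, describes a fixed bump per
second and half that per connection; the exact constants vary by release).
"""
import hashlib
import hmac
import os
import struct

MOD32 = 1 << 32


class Bsd42Server:
    """One global counter, bumped per connection and per simulated second.
    A probe from any address reveals the next value handed to anyone."""

    STEP_PER_CONNECTION = 64_000
    STEP_PER_SECOND = 128_000

    def __init__(self, start=0x12345678):
        self.counter = start

    def tick(self, seconds):
        """Advance the simulated clock by `seconds`."""
        self.counter = (self.counter + int(seconds * self.STEP_PER_SECOND)) % MOD32

    def isn(self, src_ip, src_port, dst_ip, dst_port):
        # The 4-tuple is ignored: every connection shares the same counter.
        self.counter = (self.counter + self.STEP_PER_CONNECTION) % MOD32
        return self.counter


class KeyedHashServer:
    """ISN = clock + keyed hash of the 4-tuple (the RFC 1948 scheme, which
    post-dates this thread).  Connections from different source addresses
    get unrelated offsets, so a probe says nothing about a spoofed peer.
    An attacker who knows the algorithm and clock rate but not the secret
    still faces 2**32 equiprobable offsets."""

    CLOCK_HZ = 250_000  # 4-microsecond tick, as in RFC 793

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(16)  # never leaves the host
        self.clock = 0.0

    def tick(self, seconds):
        self.clock += seconds

    def isn(self, src_ip, src_port, dst_ip, dst_port):
        four_tuple = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}".encode()
        digest = hmac.new(self.secret, four_tuple, hashlib.sha256).digest()
        offset = struct.unpack(">I", digest[:4])[0]
        return (int(self.clock * self.CLOCK_HZ) + offset) % MOD32


def blind_spoof_succeeds(server, window=1, rtt=0.01,
                         attacker_ip="192.0.2.66", trusted_ip="10.0.0.5",
                         victim_ip="10.0.0.1", rlogin_port=513):
    """Model the Morris/Bellovin attack.  The attacker first completes a real
    handshake from its own address to sample the server's ISN, then sends a
    SYN with the trusted host's address as source.  The SYN/ACK goes to the
    trusted host (assumed silenced), so the attacker never sees the ISN it
    must acknowledge and has to guess it.  Returns True if a guess within
    +/- `window` of the predicted value matches the ISN the server issued.
    """
    # 1. Probe from the attacker's own address; this reply *is* seen.
    probe_isn = server.isn(attacker_ip, 40000, victim_ip, rlogin_port)
    server.tick(rtt)
    # 2. Spoofed SYN; the server's SYN/ACK and its ISN never reach the attacker.
    real_isn = server.isn(trusted_ip, 1023, victim_ip, rlogin_port)
    # 3. Attacker predicts using the 4.2BSD rule: one more connection, rtt elapsed.
    predicted = (probe_isn + Bsd42Server.STEP_PER_CONNECTION
                 + int(rtt * Bsd42Server.STEP_PER_SECOND)) % MOD32
    candidates = {(predicted + k) % MOD32 for k in range(-window, window + 1)}
    # 4. Only an ACK carrying the real ISN completes the spoofed connection.
    return real_isn in candidates


if __name__ == "__main__":
    print("4.2BSD-style counter :", blind_spoof_succeeds(Bsd42Server()))
    print("keyed-hash ISN       :", blind_spoof_succeeds(KeyedHashServer()))
```

Run it and the counter-based server is spoofed on the first guess while the keyed-hash server is not: one probe reveals the counter, and that is all a blind attacker needs to supply the ACK the victim expects from a "trusted" address. This is point 4 of the list above in concrete terms. It also shows why per-connection randomisation only raises the cost for a blind attacker; one who can see the SYN/ACK on the wire needs no prediction at all, which is why the remedy named above, authenticating or encrypting every packet, is what actually removes the dependence on address trust.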
-Mike
mcn@EnGarde.com
http://www.engarde.com

From firewalls-owner Thu Nov 2 10:23:32 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA20181 for firewalls-outgoing; Thu, 2 Nov 1995 08:52:56 -0800 (PST) Received: from sunthing.sjsinc.com (sunthing.sjsinc.com [140.174.165.1]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id IAA20174 for ; Thu, 2 Nov 1995 08:52:52 -0800 (PST) Received: by sunthing.sjsinc.com Mailer: sendmail (8.6.12/8.6.9) Protocol: Id: IAA18898; Thu, 2 Nov 1995 08:52:26 -0800 Date: Thu, 2 Nov 1995 08:52:26 -0800 From: sjs@sunthing.sjsinc.com (Stefan Jon Silverman) Message-Id: <199511021652.IAA18898@sjsinc.com> To: colt@isavax.isa.com Subject: Re: idb.ar.com...the mystery continues Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

George:

> > >From the keyboard of Stefan Jon Silverman:

Should have further read:

>>>From the keyboard of goertzek@wangfed.com

If you had followed the brackets, you would have discovered that I was trying to answer her post... In the future can you be a little more careful about attribution of quoted material before you post to the list. I don't mind being challenged on incorrect information, or even flamed for stupidity, but misquoted and made to appear a simpleton for not knowing about basic network utilities...ahem...this I take objection to...

You also, in your snipping of text, might in the future leave some of the original text from each progressive indent so that other readers can figure out the authorship chain...

> > > I'm going to continue trying to sort this out, but if there is anyone who can
> > > enlighten us on who ibd.ar.com is, and how one might contact them, I'd really
> > > appreciate it.
> > Whois is a wonderful service... :-)
> I know, how do you think I found out who the offending site's nameservers are so that I could investigate their pointers to that site.
Regards, b c++'ing u, %-) sjs PS: I am my own employer, therefore: "all opinions are twice spoken for;" and they do, in fact, scare the hell out of said employer!!! ------------------------------------------------------------------------------- Stefan Jon Silverman - President SJS Associates, N.A., Inc. 572 Chestnut Street Distributed Systems Architecture & Implementation San Francisco, Ca. 94133 Phone: 415 989 2741 Fax: 415 989 7250 E-mail: sjs@sjsinc.com Cell: 415 519 3494 ------------------------------------------------------------------------------- Weebles wobble, but they don't fall down!!! ------------------------------------------------------------------------------- From firewalls-owner Thu Nov 2 10:47:40 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA21563 for firewalls-outgoing; Thu, 2 Nov 1995 09:42:51 -0800 (PST) Received: from smtpgate.saa-cons.co.uk (haddock.demon.co.uk [158.152.16.191]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id JAA21532 for ; Thu, 2 Nov 1995 09:42:07 -0800 (PST) Received: from haddock.saa-cons.co.uk by smtpgate.saa-cons.co.uk with SMTP (5.65/1.3-eef) id AA21234; Thu, 2 Nov 95 17:42:06 GMT Received: by haddock.saa-cons.co.uk (AIX 3.2/UCB 5.64/5.00) id AA31244; Thu, 2 Nov 1995 17:43:35 GMT Date: Thu, 2 Nov 1995 17:43:35 +0000 (GMT) From: Dave Roberts To: Firewalls Mailing List Subject: Proxy FTP - Client issues Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm wondering what kind of changes are required to FTP clients to allow them to use a proxy on a bastion. Brent and Elizabeth's book states that it can sometimes be overcome by the user being trained and responding to the login prompt with something like "anonymous@ftp.domain.co.uk". TIS's fwtk ftp seems to be compiled with various options, open up a connection to the bastion, and offer it the command "PASSERVE actual.host.com". 
I appreciate that this is limited research, but this suggests a lack of a standard between different proxy servers. Is this actually true? What if I wanted to write a new FTP client (perhaps I'm really bored with lots of time)? Obviously I want to be firewall conscious and friendly, but would I be able to provide a client that would work with all servers, or would I have to start providing command line options (ftp -p [fwtk | borderware | nt :-)] ) to cope with it all?

TIA - Dave

From firewalls-owner Thu Nov 2 11:41:33 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA21700 for firewalls-outgoing; Thu, 2 Nov 1995 09:52:57 -0800 (PST) Received: from ismael.gmv.es (ismael.gmv.es [193.127.51.205]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id JAA21678 for ; Thu, 2 Nov 1995 09:52:36 -0800 (PST) Received: (from uucp@localhost) by ismael.gmv.es (8.6.9/1.1) id SAA10809 for ; Thu, 2 Nov 1995 18:47:49 +0100 Received: from melmac.gmv.es(193.127.48.3) by ismael via smap (g3.0.3) id xma010806; Thu, 2 Nov 95 18:47:32 +0100 Received: by gmv.es (4.1/GMV-1.10) id AA09894; Thu, 2 Nov 95 18:52:19 +0100 To: gmv-gw-lists-firewalls@gmv.es Path: not-for-mail From: jsanchez@gmv.es (Julio Sanchez) Newsgroups: gmv.gw-lists.firewalls Subject: Re: International Encryption Protocols Date: 2 Nov 1995 17:52:18 GMT Organization: GMV, SA., Tres Cantos, Spain Lines: 19 Message-Id: <47b0gi$6g4@melmac.gmv.es> References: <199510112230.SAA16369@thor.cs.umass.edu> Nntp-Posting-Host: melmac.gmv.es X-Newsreader: TIN [UNIX 1.3 950824BETA PL0] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Futplex (futplex@pseudonym.com) wrote:
: As far as CoCom was concerned, you could generally sell crypto from Britain
: to most of the net. This is a far cry from the position of the U.S. ITAR,
: which prohibits the export of strong confidentiality-protecting crypto to the
: U.K., for example.
: : Most of the other CoCom signatories do _not_ enforce export controls similar : to the U.S. ones. We had our lawyers look into this. Essentially we could export to most places without even asking first. For some countries, things were more difficult. I don't have their report at hand. Julio -- Julio Sanchez, SGI Soluciones Globales Internet Tel/Fax: 91/804 14 05 WWW: http://www.esegi.es jsanchez@esegi.es jsanchez@gmv.es PGP Key fingerprint = E5 29 93 6F 41 4E 00 E2 90 11 A1 8C 72 D0 DE 71 From firewalls-owner Thu Nov 2 11:51:44 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA21104 for firewalls-outgoing; Thu, 2 Nov 1995 09:27:14 -0800 (PST) Received: from tidbit.fhda.edu. (tidbit.fhda.edu [153.18.12.252]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id JAA21095 for ; Thu, 2 Nov 1995 09:26:51 -0800 (PST) Received: (from lanning@localhost) by tidbit.fhda.edu. (8.6.12/8.6.9) id KAA17111; Thu, 2 Nov 1995 10:33:22 -0800 From: Bob Lanning Message-Id: <199511021833.KAA17111@tidbit.fhda.edu.> Subject: Re: idb.ar.com...the mystery continues To: ggh14854@ussun2f.glaxo.com Date: Thu, 2 Nov 1995 10:33:21 -0800 (PST) Cc: goertzek@wangfed.com, Firewalls@GreatCircle.COM In-Reply-To: from "Gary Hull" at Nov 1, 95 11:35:51 pm X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ---- As written by Gary Hull: > > On Wed, 1 Nov 1995, K Goertzel wrote: > > > For those that are wondering, several listers have tried the same URL I did, > > with the following variety of results: > > > > > > User #1: "I get a 'server not responding' when I try this." [SNIP] > > Karen Goertzel > > goertzek@wangfed.com > > Folks - Regarding ibd.ar.com, the following is what I can glean from > nslookup and dig: > ar.com. 86400 NS nic2.internex.net. > [SNIP] > > |/ > ---o0o-@@-o0o--------- > > Gary G. 
Hull - Technical Consultant
> Howard Systems International - Glaxo Wellcome Inc.
> Five Moore Drive - Raleigh, North Carolina 27709
> Tel : (919) 941-4867 - Fax : (919) 248-2831
> email: ggh14854@ussun2f.glaxo.com
>

Some info about ar.com:

% whois ar.com
[rs.internic.net]
Rick Wesson (AR3-DOM)
   1278 Sandia Dr.
   Sunnyvale, CA 94089

   Domain Name: AR.COM

   Administrative Contact:
      Wesson, Rick  (RW56)  wessorh@AR.COM
      (408) 749-1175
   Technical Contact, Zone Contact:
      InterNex Information Services  (INEX-NOC)  noc@internex.net
      408-496-5466 voice
      408-496-5485 fax

   Record last updated on 25-Jul-95.
   Record created on 11-Feb-94.

   Domain servers in listed order:

   NIC1.INTERNEX.NET            199.2.14.10
   NIC2.INTERNEX.NET            129.65.240.240

The InterNIC Registration Services Host contains ONLY Internet Information (Networks, ASN's, Domains, and POC's). Please use the whois server at nic.ddn.mil for MILNET Information.

--
Robert Hajime Lanning                      "It's the FROSTING!"
The opinions expressed here are not mine, nor are they anyone else's.
lanning@tidbit.fhda.edu <--for fun && for profit--> lanning@cup.hp.com From firewalls-owner Thu Nov 2 11:54:54 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id KAA22474 for firewalls-outgoing; Thu, 2 Nov 1995 10:22:41 -0800 (PST) Received: from tuna.wang.com (tuna.wang.com [150.124.136.4]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id KAA22466 for ; Thu, 2 Nov 1995 10:22:37 -0800 (PST) Received: from mail.wangfed.com (ns.wangfed.com [159.94.10.19]) by tuna.wang.com (8.6.12/8.6.12tf1) with SMTP id NAA22931 for ; Thu, 2 Nov 1995 13:22:40 -0500 Received: from [159.94.10.15] by mail.wangfed.com (1.37.109.4/A.09.00a) id AA25563; Thu, 2 Nov 95 13:15:38 -0600 Received: from [159.94.14.48] by hfsi (BULL 5.61++/B.O.S 02.01) id AA14242; Thu, 2 Nov 95 13:13:16 -0500 Date: Thu, 2 Nov 95 13:13:16 -0500 Message-Id: <9511021813.AA14242@hfsi> From: "K Goertzel" Reply-To: "K Goertzel" To: firewalls@GreatCircle.COM Subject: It's working now Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Just a note to everyone, the ibd.ar.com/lists/comp/firewalls/ URL is working now. Surprise, surprise -- it seems to be the archive for *this* mailing list. Now my only complaint is that the list of links is so long, my Netscape keeps running out of memory before it can list them all. Karen Goertzel Manager, International Programmes Secure Systems and Services Operation Wang Federal, Inc. 
From firewalls-owner Thu Nov 2 12:40:03 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id KAA23898 for firewalls-outgoing; Thu, 2 Nov 1995 10:59:32 -0800 (PST) Received: from neon.ingenia.com (neon.ingenia.com [134.117.55.86]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id KAA23891 for ; Thu, 2 Nov 1995 10:59:28 -0800 (PST) Received: (from shaver@localhost) by neon.ingenia.com (8.6.12/8.6.9) id OAA14050; Thu, 2 Nov 1995 14:04:28 -0500 From: Mike Shaver Message-Id: <199511021904.OAA14050@neon.ingenia.com> Subject: Re: Java To: william.wells@damark.com (william.wells) Date: Thu, 2 Nov 1995 14:04:28 -0500 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: <9511011532.AA18505@damark.com> from "william.wells" at Nov 1, 95 09:34:00 am X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk william.wells mumbled something vague about: > My concern isn't UNIX users but the PC users. Since there is no security > mechanisms on a PC, there isn't anything to prevent access to files; > including scripts which run every time a PC boots. You say the default mode > is "no access", is that true on a PC? Yes. > Its harder to have a policy that says that you can't browse any URL > which run applets; especially since I'm not sure that one can tell the URL > has applets. You can't tell which pages will have applets, but you _can_ mandate that the users only use non-Java(tm)-aware browsers. (Yes, Netscape is releasing such beasts.) > These concerns aren't limited to Java; from the writings about > Java though, it seems like Java may be the golden apple which can't be > refused by my users. Java-aware browsers are just another application. If you've got the place locked down so that they can't load their own applications, then don't allow Java-aware ones as part of the standard package. 
If they complain _and_ you feel the need to placate them, provide a few isolated machines that will run a 'J' version of Netscape, and don't allow those machines to access the internal networked resources, etc. > After hearing all of the discussions for some months about Java, it seems > like the basic concern is that Java appears to allow someone outside your > organization to 'execute' a foreign program on internal systems and, worse, > may provide a means for that program to affect the behavior of the internal > systems beyond the scope of a "normal" program. From a non-users > perspective, Java appears to be a 'blessed' virus. Think of an applet as a script executed by the browser, and you're closer to the truth. If you run a safe-perl script with all file access disabled, then they can't muck with the filesystem. If you do it with file access wide open, you're asking for trouble. Same deal with Java-aware browsers. Mike -- #> Mike Shaver (shaver@ingenia.com) Ingenia Communications Corporation <# #> Technical Specialist -- will tame sendmail(8) for food <# #> <# #> "You are a very perverse individual, and I think I'd like to get to <# #> know you better." --- eric@reference.com <# From firewalls-owner Thu Nov 2 12:55:07 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id MAA26682 for firewalls-outgoing; Thu, 2 Nov 1995 12:24:36 -0800 (PST) Received: from hernsvr.med.osd.mil (hernsvr.med.osd.mil [161.14.8.101]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id MAA26662 for ; Thu, 2 Nov 1995 12:24:26 -0800 (PST) Received: from ae938.med.osd.mil by hernsvr.med.osd.mil with SMTP (5.65/25-eef) id AA29216; Thu, 2 Nov 95 15:24:11 -0500 From: "John P. 
 Morton"
Date: Thu, 2 Nov 1995 15:20:30 -0500
To: firewalls@greatcircle.com
Subject: Firewall Study

Hello all,

I am a novice to the internet firewall concepts; however, I am involved in a
graduate project attempting to quantify or measure the effectiveness of an
internet firewall. My research must support that internet firewalls are
effective against hackers.

From your experience(s) when making firewall configurations, what criteria do
you analyze within the enterprise and organization to determine the
cost-effective firewall configuration? Are there other factors I should
consider in attempting to measure firewalls to secure corporate data?

Please advise with any information.

Thank You
--
----------------------------------------------------------------------
John P. Morton                  Internet : jmorton@hernsvr.med.osd.mil
EDS-D/SIDDOMS                   Phone    : (703)-733-3529
13600 EDS DR.                   Fax      : (703)-742-2479
MAIL STOP: A4S-D12
Herndon, VA 22071
----------------------------------------------------------------------

From firewalls-owner Thu Nov 2 13:54:36 1995
Reply-To: ggh14854@ussun2f.glaxo.com (Gary Hull)
Date: Thu, 2 Nov 1995 16:50:45 -0500 (EST)
From: Gary Hull
To: Firewalls@GreatCircle.COM
Cc: goertzek@wangfed.com
Subject: Re: idb.ar.com...the mystery continues
In-Reply-To: <199511021833.KAA17111@tidbit.fhda.edu.>

On Thu, 2 Nov 1995, Bob Lanning wrote:

> ---- As written by Gary Hull:
> >
> > On Wed, 1 Nov 1995, K Goertzel wrote:
> >
> > > For those that are wondering, several listers have tried the same URL I did,
> > > with the following variety of results:
> > >
> > > User #1: "I get
> > > a 'server not responding' when I try this."
> [SNIP]

Mighty large SNIP there, Bob...

> > > Karen Goertzel
> > > goertzek@wangfed.com
> >
> > Folks - Regarding ibd.ar.com, the following is what I can glean from
> > nslookup and dig:
> > ar.com.   86400   NS   nic2.internex.net.
> >
> [SNIP]

Bob, again another large SNIP...glad you know how to use telnet and whois
though.

> Some info about ar.com:
> % whois ar.com
> [rs.internic.net]
> Rick Wesson (AR3-DOM)
>    1278 Sandia Dr.
>    Sunnyvale, CA 94089
>
>    Domain Name: AR.COM
>
>    Administrative Contact:
>       Wesson, Rick  (RW56)  wessorh@AR.COM
>       (408) 749-1175
>    Technical Contact, Zone Contact:
>       InterNex Information Services  (INEX-NOC)  noc@internex.net
>       408-496-5466 voice 408-496-5485 fax
>
>    Record last updated on 25-Jul-95.
>    Record created on 11-Feb-94.
>
>    Domain servers in listed order:
>
>    NIC1.INTERNEX.NET    199.2.14.10
>    NIC2.INTERNEX.NET    129.65.240.240
>
> The InterNIC Registration Services Host contains ONLY Internet Information
> (Networks, ASN's, Domains, and POC's).
> Please use the whois server at nic.ddn.mil for MILNET Information.
>
> --
> Robert Hajime Lanning                          "It's the FROSTING!"
> The opinions expressed here are not mine, nor are they anyone else's.
> lanning@tidbit.fhda.edu  <--for fun && for profit-->  lanning@cup.hp.com

From firewalls-owner Thu Nov 2 14:23:22 1995
Date: Thu, 2 Nov 1995 16:01:06 -0600 (CST)
From: "Frank K.
 Senter"
To: firewalls@greatcircle.com
Subject: Sales Opportunity for FW Vendors

The State of Missouri has issued IFB B600265, requesting bids for a firewall
contract. For (a little) more info, reference
http://www.state.mo.us/oa/purch/purch.htm. Direct enquiries to Laurie
Borchelt, ph. 314.751.1702.

Frank Senter
Senior Information Specialist
Missouri Highway and Transportation Department

From firewalls-owner Thu Nov 2 14:26:05 1995
From: Adam Shostack
X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School
Subject: Re: skey/opie/NRL/logdamon or what on fwtk/hpux???
To: gary@habanero.jmu.edu (gary flynn)
Date: Thu, 2 Nov 1995 14:51:40 -0500 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199511012015.MAA10854@miles.greatcircle.com> from "gary flynn" at Nov 1, 95 02:41:43 pm

Gary Flynn wrote:

| I'm trying to compile skey on hpux for incorporation
| into the TIS fwtk.
| The version of skey that is at
| thumper.bellcore under skey appears to support only BSD systems.
|
| I'm told that skey1.1b has a sysv parameter on the Makefile
| but I don't know where to get it.
|
| I was hoping for a version of skey that would work on hpux and
| with fwtk without a lot of modifications.

I've used the logdaemon S/key stuff with FWTK recently. Should work fine.

ftp.win.tue.nl:/pub/security

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From firewalls-owner Thu Nov 2 14:46:14 1995
Date: Thu, 2 Nov 1995 15:38:15 -0500 (EST)
From: John Adams
To: Edward Maillet
cc: firewalls@GreatCircle.COM
Subject: Re: A defense against sniffing attacks for mere mortals
In-Reply-To: <9511020107.AA25053@doc.cs.usm.maine.edu>

On Wed, 1 Nov 1995, Edward Maillet wrote:

> Flame away!
> ----- Ed Maillet
> maillet@cs.usm.maine.edu
>

Okay, I will! :)

> Hey All,
> Sorry to step on the toes of you S/Key, Kerberos, it's-only-safe-if-it's-
> encrypted types but it seems that there are other ways of defeating
> packet sniffers. Both active and passive.

> Under certain network topologies, sniffing can be rendered useless without
> encryption. Consider an ethernet that contains an ethernet switch and some
> 10Base-T hubs.

Yes, you're describing 'Intelligent Hubs' available from HP and other vendors.
They work well, but what happens when that data flows up to your WAN, or the
company backbone, and someone sniffs there? I think what we were trying to
prevent was attacks upon data crossing the internet.

> I realize that this is a rather specific topology but it is an interesting
> and rather simple solution.
>

Your solution is a good one, but doesn't cover all the bases.

John Adams                                   jna@echonyc.com
EchoNYC Systems Administrator                (212) 292-0900

From firewalls-owner Thu Nov 2 14:55:03 1995
From: Adam Shostack
X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School
Subject: Re: A defense against sniffing attacks for mere mortals
To: maillet@doc.cs.usm.maine.edu (Edward Maillet)
Date: Thu, 2 Nov 1995 14:49:02 -0500 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9511020107.AA25053@doc.cs.usm.maine.edu> from "Edward Maillet" at Nov 1, 95 08:07:38 pm

| Sorry to step on the toes of you S/Key,
| Kerberos, it's-only-safe-if-it's-
| encrypted types but it seems that there are other ways of defeating
| packet sniffers. Both active and passive.

(Use ethernet bridges/switches)

| I realize that this is a rather specific topology but it is an interesting
| and rather simple solution.

What happens when I sniff your internet connection instead of your LAN?
Bridges protect your students from each other; they don't protect them when
they telnet in over Thanksgiving break. Kerberos, S/Key, ssh, deslogin, and
the like protect you from sniffing every time they are used.

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From firewalls-owner Thu Nov 2 16:34:36 1995
Date: Thu, 2 Nov 95 15:17:53 PST
From: jimk@cmos.supertex.com (Jim Kendall)
To: firewalls@GreatCircle.COM
Subject: LINUX firewall

I'm a new guy to this list and would be interested in talking to anyone
utilizing a LINUX box as a firewall running ipfwadm. I need to talk about my
filter setup and make sure that I'm squeezing all of the security out of it
that's possible. I've inherited this setup and am wondering if it's any good.
Also, I may replace it with a Sun Sparc2 and need pointers to decent firewall
software that doesn't cost 82 grillion bucks (a.k.a. Sun).

Any help will be appreciated.......

Cheers!

Jim Kendall
jimk@supertex.com
(408) 745-1923 x 281

From firewalls-owner Thu Nov 2 16:40:06 1995
From: "Johnson-Bryden, Ian"
To: "'firewalls@greatcircle.com'"
Subject: In search of an OS for firewalling
Date: Tue, 31 Oct 95 14:05:00 GMT

I have watched with fascination the flow of postings on the subjects of NT,
hardened OS and related subjects. I have only been in the business 30 odd
years, so there is much I still don't know, and much more probably than I have
time to learn. One thing I did learn very early on is that there is no such
thing as total elimination of risk. Therefore, risk management is a process of
trade-offs to achieve an acceptable level of risk reduction. That also implies
'affordable', but there are so many ways of measuring 'affordable'.

From watching postings here and on other groups, 'affordable' seems to mean
low visibility cost at time of acquisition. For example, I have seen firewall
systems where very little software was purchased and special cables were built
in the MIS department, so that the visible cost of the firewall was only a
few $K.
That looks pretty cheap until you cost up all the labour and 'diverted'
hardware it took to painfully build the firewall, and all the labour it then
takes to keep it running. When you start pulling those costs into the equation
you can very rapidly find that it would have cost less to hire the greediest
(well, maybe that's a rash statement) consultants, buy commercial firewalling
products, or even use a set of TCSEC/ITSEC certified products.

The other aspect is the cost to the corporation of having a large part of its
MIS department playing firewalls for months. OK, it may be that the department
is grossly overstaffed with over-qualified engineers and scientists and this
has had no impact at all on the rest of MIS operations, but if you disclose
the location of this facility your Human Resources department will get buried
under applications for jobs. OK, it's also possible that your scientists and
engineers know far more about security and risk containment than any vendor
will ever know, but that's pretty unlikely also, or you would have been out
there selling those skills at a good profit and out-'Bill'ing 'Bill'.

As I am old enough to remember (well, on a good day when senility is less
pronounced) the days before packaged software and clone hardware, I have heard
most of these arguments before. There were computer scientists and
professionals who tried to make the case for proprietary product, and those
who believed that only they had the skill to produce a reliable product with
the aid of source code. Of course most of us ignored them and went out to buy
ever cheaper packages anyway.

In terms of risk management, it raises some interesting debating points. The
general wisdom still applies to information systems as with anything else:
"you don't get something for nothing", or "you get what you pay for". In this
world, nothing which is within the wit of man to invent cannot be made cheaper
and nastier by another man, and the undiscerning are his natural prey.
However, if we were still faced with proprietary mainframe prices and the
astronomical cost of maintaining custom engineered software, the computer
would not be the ubiquitous tool which it is today. Therefore, there are those
who will argue that the risks associated with operating badly designed, poorly
engineered systems, using largely unskilled operators and minimum levels of
maintenance, are more than balanced by the enormous savings which result from
computerisation. Of course no one ever really tries to find out exactly what
those 'enormous savings' are. The simple yardstick is often firing x number of
people to justify the cost of the system and then making those who remain work
to succeed in the new environment. If you take that line of reasoning, as some
senior managers do, you can argue that there is absolutely no justification
for implementing a firewall, or any other form of risk management technology.
What happens is that the firewall is taken as a panacea at lowest price.

To borrow something someone commented to me recently, firewalls and security
are like dieting and exercise. You know you are eating too much and not taking
enough exercise, and you also know that the answer is to eat wisely and take
regular exercise, but there are these slimming pills on the market. Working
out a diet and exercise chart takes skill and time. Keeping to the chart
instructions is a bore. Buying the slimming pills is easy and looks cheap.
'Bill' has got where he is today largely because he produced products which
were well marketed (or over sold - depends on your viewpoint) to people who
did not really know what they were buying but had access to those cash levels.

One thing I see frequently in risk analysis is an MIS department trying to use
'security' as a way of regaining control over the computing assets in their
organisation, because today the unskilled users in concert hold more
processing, storage and communications power than the MIS department does.
I don't think that anyone can fairly claim any one product is 'all good' or
'all bad'. Millions of people have recently found out that Microsoft is more
interested in selling Windows95 than in the customers who have now crippled
their old PCs and have to buy new hardware or go back to Windows 3.x. What
surprises me is that they are surprised by that discovery, but then 30 years
of risk management can make one cynical. Right now NT doesn't have enough
track record for that sort of discovery, but one day it will.

Also being old enough to remember not only the pre-'Bill' days, but also the
pre-UNIX days, I remember how some respected computer scientists said that
UNIX was total crap. Back then they had a point: the OS had several *VERY*
unlovely features (which have mostly been removed 20 odd years on) and there
was little choice of hardware. What was available was pretty puny, which
explains why RDBMS coming from a proprietary background tends to be much
fatter than products like Informix, which had to live with the UNIX hosts of
the early 80s.

I think what UNIX brought was a flexible market. If you want to buy
pre-packaged, it's there. If you buy HP (or any other type) hardware today and
want to change to something else tomorrow, you have that choice, and even the
toughest re-porting is not that much hassle. If you are a control freak or
have a massive ego, you can always have source. OTOH, the option to buy source
reduces risk, even if you don't buy it right now. You may take the view that
the folk who built the OS and ported it onto the hardware knew what they were
doing (probably a lot better than you) and you paid for their time anyway.
However, the fact that you can always buy source later puts a pressure on that
vendor to make sure they do a good job, and if at any time in the future you
have reason to doubt that, you can always go back to source.
A proprietary vendor (and that includes 'Bill') does not have that pressure,
and when things go wrong he can point the finger at another vendor or at the
user. Perish the thought that 'Bill' would ever do anything like that. There
are anti-'Bill' folk around (hard though it may be to believe), but one should
not forget the story reported a while back. It seems that some VARs in Europe
who received early copies of Windows 95 also got a virus they didn't want.
According to the report, Microsoft immediately leapt to their assistance by
identifying a Microsoft sub-contractor as the guilty person and stating quite
clearly that he would never produce media for Microsoft again - could you ask
for more from a supplier? Now if a small vendor provided product with virus
included, he would cause his customers a lot of inconvenience in taking him
through the courts for the loss he caused, and some would say that he would be
justly put out of business. Dealing with a 'Bill' is so much easier, because
you know you can't afford to take him through the courts, so you just write it
off to experience and trust him not to let it happen again (maybe).

Although I think the potential availability of source code is important, I
don't agree that it has to be the sole deciding factor, or that it should
necessarily be used. If you are taking a trusted operating system which has
been developed through extensive testing by a reputable company working
government contracts, and then been evaluated by a third party, the resulting
product will be very good but not perfect. However, the people who built it
have considerable skills and many thousands of hours have gone into the
development. The chances of a sysad finding a real fault in the code are
relatively remote unless he can devote a few lifetimes to pulling it apart.
When that type of product is available as source code, the cost of source is
naturally fairly high.
The question therefore is - "is the cost of buying source justified by
forecast benefits?"

What I see is a lot of people trying to teach themselves security and hardened
OS. Re-inventing the wheel has always been a popular human activity, so maybe
this is just a natural thing. OTOH there are people out there, and products,
which have been around a while and work pretty well, and as has been pointed
out, users don't normally expect to buy source from people like Cisco.

I noticed one posting recently, from someone working for an automobile
manufacturer, where the individual was clearly stating that he and his
employers knew far more than any lesser mortal and would only ever buy product
which they could strip down and rebuild correctly. The same company was also
advertising how their expertise in vehicle design was beyond equal (and NO,
'Bill' has not moved into car manufacture). One wonders what their reaction
would be to customers who would only buy their vehicles if every piece of
development information was included in the sale - probably similar to the
reaction of the same auto manufacturer in the early 80s when they tried
beating a supplier up to give them US domestic market prices in every country.
The demand went when the supplier said OK, you give me that deal on all the
vehicles I buy from you and you can have the deal on what you buy from me.
Yes - you guessed it - the auto manufacturer got more bucks from that supplier
than the supplier would ever get back.
Ian J-B

From firewalls-owner Thu Nov 2 16:53:23 1995
Date: Fri, 3 Nov 1995 01:07:15 +0100
From: Wolfram Schmidt
To: firewalls@GreatCircle.COM
Subject: Re: Tightening up SunOS 5.4 (was Re: Hardened OS)

] Unfortunately this won't work. Unless you remove shells as well from the
] machine people can still import binaries. I had a friend once in a chroot'd
] guest environment with reasonably low quotas and they still managed to import
] a binary and "talk" to the sendmail daemon on the machine. It was a cute
] trick and more of a proof of concept but it was enough to show me you can't
] really stop someone on a standard unix model.
]
] If anyone got on a firewall setup like this it is simple to compile a binary
] offsite to suit the architecture, static if necessary, and import it, run it
] and then have that binary act as a personal ftp/shell/port login process.

We patched the exec stub of libc.so in the chroot environment to prevent
people from importing binaries. The replacement only allows exec of files in
certain directory trees. It also checks for xxx/../yyy tricks. LD_*
environment variables are removed. All static binaries have been removed from
the guest environment.
-Wolfram

From firewalls-owner Thu Nov 2 17:40:22 1995
From: "Matthew Cable"
Date: Thu, 2 Nov 1995 18:58:01 -0500
To: Firewalls
Subject: Opinions?

We're working on a major network overhaul in anticipation of future
demands... Our current setup is quite simple, and serves only as a temporary
setup until the new layout is hashed out. To get a little perspective on what
we're trying to do, let me tell you a bit about the company. It's an ISP of
sorts, but we deal solely with corporate customers or bulk buyers. As a
result, our security policy has to be loose enough to allow them to do the
things clients want to do, while at the same time protecting our office from
being overrun with little kneebiters...
Here's a peek at the current setup.

current
=======

                                            +----------+        +---------+
                                        +---|portmaster|    +---|mail/news|
                                        |   +----------+    |   +---------+
+--------+    +----------+              |                   |     +------+
|internet|-T1-|cisco 2501|--inside net--+-------------------+-----|office|
+--------+    +----------+              |                         +------+
                                        |   +-------+
                                        +---|webhost|
                                            +-------+

The cisco currently filters out all incoming traffic but http to webhost, smtp
and nntp to mail/news, ssh to webhost, dns datagrams to webhost and mail/news
host, and ports over 1024. Obviously this is a problem as a large network space
is wide open.

Our planned network would look something like the following...

planned
=======

                                             +-------------------+
                                         +---|co-located machines|
           +----+                        |   +-------------------+
           |isdn|---+                    |                      +----------+    +---------+
           +----+   |                    |                  +---|portmaster|+---|news/mail|
                    |                    |                  |   +----------+|   +---------+
+--------+    +-----+----+               |                  |               |   +--------+  +-----+          +------+
|internet|-T1-|cisco 7000|--outside net--+------------------+---------------+---|firewall|--|cisco|--inside--|office|
+--------+    +-----+----+                                                      +--------+  +-----+          +------+
                    |   +-------+                                                              |   +------------+
                    +---|webhost|                                                              +---|leased lines|
                        +-------+                                                                  +------------+

In the planned network, the cisco 7000 filters out all unnecessary incoming
traffic to the outside net. Filters for leased lines, isdn will be handled on
an individual basis. Co-located machines are web servers, ftp servers, etc.
that clients have paid to locate on our network. The firewall will run http,
smtp, nntp, and pop proxies (at least) which will retrieve things from the
appropriate host on the inside net. An important requirement of the firewall
is that we be able to easily add proxies as needed for other services. In
addition, adding virtual interfaces to the external firewall interface would
be very useful as we serve several domains on our internal network. Ideally
nothing would actually be hosted on the firewall. Internal and external dns
servers will also be run on the firewall.
The cisco on the other side of the firewall would simply filter out all
traffic not coming from the firewall.

I'm looking for any critiques/suggestions you all might have as to what sort
of firewall product/machine we should look into, and how feasible/secure the
above setup is.

Thanks!

--
- Matthew E Cable / Systems Administrator / Internet Technologies Group, Inc. /
  Cambridge, MA / http://www.itg.net/~mec

From firewalls-owner Thu Nov 2 17:51:58 1995
Date: 31 Oct 1995 10:43:12 U
From: "Yalda Mirzai"
Subject: Vendors wanting access thru
To: "GreatCircle"

Mike Papais asked that I compile the responses to my question below and send
it to everyone. So here goes...

************************************************************
MY QUESTION WAS:
************************************************************

On Wed, 25 Oct 1995, Yalda Mirzai wrote:

> We have been receiving many requests from our system administrators to
> allow "vendors" access to our internal network via the firewall for "technical
> support" or "troubleshooting" purposes.
>
> Any philosophical thoughts regarding this issue in general?
>
> Specifically, we use a Gauntlet Box.
> We would like feedback if possible.
>
> Regards...

************************************************************
THE RESPONSES WERE :
************************************************************

My old company had a few such requests. The answer was "no". What we did was allow a few vendors dial in access to only the machine(s) that we allowed them on. With some kind of password protected Network Terminal Server in between your computer and the phone line, this, as insecure as it is, is far more secure than allowing them to come in over the Internet, IMHO. Besides, the telephone bills will dissuade them from coming in any more than is necessary (presuming it's long distance).

Lastly, many rack mounted modems have a "busy" switch to give out a busy signal; you leave the modem they use in the "busy" position unless you are having them dial in. This will keep out the curious who dial every number in the area code looking for modems (let's face it, today they are probably pinging IP addresses, not dialing telephones). Another option is to leave the modem unplugged when not in use, or turn the power off, etc. If you trust your system administrators to faithfully shut it down when not in use, you can even put the modem somewhere that they have access to so that they don't have to bug you to flip the busy switch for them.

Garry
Garry.Garrett@abii.com
______________________

My personal recommendation for your situation is to have a modem connected to a terminal server, where the modem connection is disconnected when there is no reason for the connection, IF YOU WANT TO ALLOW FOR ANY VENDOR ACCESS. Unfortunately, difficult maintenance is a part of security, because maintenance people usually require superuser privileges. I would strongly recommend that your admins be forced to live with the situation, but that is solely from a security perspective. Allowing the modem connection facilitates a somewhat secure connection, that is easily monitored.
However, it can be social engineered to give a hacker access. Perhaps an alternative is to have you be the person that monitors the connection, but that would cause you a lot of work.

Talk to you later,
Ira
______________________

Non-authoritative response:

How much do you trust your vendors and technical support people? Do they have the same understanding of your security policy as your employees? Do you run the same background checks on vendors and support people as you do on your own employees? Do your vendors and technical support people have the same loyalty to your company as your employees do? Is your internal security (security on individual network nodes) tight enough to deny access to unauthorized users on each and _every_ node on your network? Are you sure, especially for machines which have entries in other machines' .rhosts or hosts.equiv files?

Once you have answered the above (obvious?) questions, put a value on the data and resources exposed on your internal network. Then, ask yourself if the value of the data and resources is higher than the cost of _not_ letting vendors and technical support people through your firewall and onto your internal network.

Personally, my employer has flatly stated that there will be no intentional access to our internal network through our firewall. All access to internal systems must be through a dialup using one-time access tokens.

dharris@kcp.com
Delmer D. Harris
______________________

How you handle this _type_ of request should be something covered by your security policy. If it isn't, it needs to be added. That being said, there may be case-by-case exceptions. One approach to vendors that want to provide information/files electronically is to have them provide access to THEIR servers and the appropriate people at your site can do an inside initiated telnet or FTP to them. I would really hesitate to provide your SecureId card to anyone that your organization does not have "administrative control" over, i.e.
you can't fire a vendor since they are not your employee.

**** cjolley@iac.net
______________________

Hi, without knowing more about your specific situation I would think the answer is no. If in fact they are troubleshooting they would be moving info that describes your internal network and maybe potential weaknesses. I make it a habit to inform my clients _not_ to permit any security analysis of their network via the internet for this reason. If there is a need for vendors to access your internal net I suggest a dial-up account that you can enable and disable at will. I would also question why a sysadmin is willing to let vendors muck about on their network.

msk
e-mail @ kadrich@uni.ins.com
______________________

Authentication and acknowledgement of the request from both parties, by each party, involved would be a good start. Why not use SecureId? If you've given the vendor one, it's their job to manage it in a suitable way for responding to your support calls. If they end up with a cabinet full of those cards, that's their problem, not yours :)

I'd be very wary of such requests though...

"hi, I'm trying to login to your firewall to get through to abc for xyz and it doesn't seem to work yet..."

...opens up lots of scope for possible social engineering tricks.

darren reed
______________________

>Any philosophical thoughts regarding this issue in general?

Yes, set up a bastion host and don't let vendors into your internal net. See the Zwicky and Chapman book.

Steve Simmons
______________________

If you have a tech regularly getting in, give them a secureID card. If it's someone different, or different vendors, have them call *you* (or some trusted party) to get a number off *your* card. Card never goes to vendor.
David Miller
______________________

I would NEVER allow outside vendors to access my network unless they are physically inside my facility, behind my security.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-
W.S. "Skip" Harborth
Manager & Senior Engineer
Information Systems Security Engineering
Houston Associates, Incorporated
4601 North Fairfax Dr, Suite 1001
Arlington, Virginia 22203 USA
(703) 284-8732
812-5099 (fax)
sharborth@hai-net.com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-
______________________

Philosophically, you ask? Don't do it. There are plenty of other methods that can be used.

Why not? say the vendors. Because, ultimately, you can not trust the vendor to have _your_ best interest at heart (no matter how much $$$ you throw their way), but _their_ best interest. And that probably does not include ensuring that your network and information security policies are followed, and so on.

If they need to shoot problems or provide support, 28.8 modems work fine. It is not as sexy as doing it over the net, or whatever. But dial up (especially if the modem is disconnected from the phone line between calls...which means that the vendor has to alert the customer when they need access...not just call in anytime...)
has been working quite well for a long time, and, I think, will continue to be so. Yes, it is a *bit* more cumbersome. So is running a SEAL or Gauntlet or whatever. But, there is accountability and control.

Just my $.02.

--
Bryan D. Boyle | EMAIL: bdboyle@erenj.com
______________________

For the type of access needed, TCP/IP access to the systems seems very dangerous to me and I don't see why it would be needed. Vendor remote connection support can be very useful and even vital, but firewall or no firewall vendor reps shouldn't be blindly trusted. Here at JMU the Digital, TGV, and other vendors connect to our system whenever there is a major problem, but...

The vendors connect via the support modem and new accounts/passwords are issued for each session. The modem connection requires multiple passwords and is normally only used by one person, so it's easy to track usage in the log files. The actual session is duplicated on the system administrator's workstation so that she can watch everything (and interrupt the session if needed). She also normally talks to the support rep. on the phone most (if not all) of the time they are connected to the system.

Vendor support reps can crash a system and do other damage that has nothing to do with networks and security. We learned that the hard way. Modem dial-up and single session passwords along with a human monitoring the session should provide sufficient security.
I don't think that the convenience of TCP/IP over dial-up terminal access makes it worth the enhanced dangers.

Charles Cooley
Network Services
James Madison University
_________________________________

If access of this type is unavoidable, you may want to consider using dial up access on a selective basis, via a terminal server with the equivalent of TACACS or RADIUS support.

Paul Ferguson
_________________________________

There are many ways to skin a cat. For instance: We do not allow our vendors access through the firewall. Instead, we allow them to dial in, through our dial security system, to the specific machine that they need to access.

uunet!itthartford.com!pwright
_________________________________

Yalda:

We provided a mechanism to do the following:

1. Require someone at "company name" (I'll say) to turn on the ability for a vendor to connect, authenticate, and connect to one inside machine, determined by the person at "company name" and based on the problem.
2. Have a time limit on this connection (I think... I could be wrong on this).
3. Have this only work once. If the vendor needed to reconnect, "our company" would have to reset things.

We provided a management screen to allow this to be done easily by "company name" when a trouble call was logged with a vendor and the vendor indicated access was needed. Yes, one time password mechanisms were used (SecurID, SNK cards, etc.).

Fred Avolio
_________________________________

I like to set up a S/Key password, and tell them the next one-time pass phrase over the telephone for that session.

Peter Da Silva
_________________________________

Sorry if I missed someone's comments... There were so many.

From firewalls-owner Thu Nov 2 19:52:52 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id TAA12841 for firewalls-outgoing; Thu, 2 Nov 1995 19:51:14 -0800 (PST)
Received: from access.netaxs.com (access.netaxs.com [198.69.186.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id TAA12834 for ; Thu, 2 Nov 1995 19:51:10 -0800 (PST)
Received: from unix3.netaxs.com (morph_1@unix3.netaxs.com [198.69.186.5]) by access.netaxs.com (8.6.12/8.6.11) with ESMTP id WAA13774 for ; Thu, 2 Nov 1995 22:50:51 -0500
From: ELYTENE$$
Received: (morph_1@localhost) by unix3.netaxs.com (8.6.12/8.6.9) id WAA20363 for firewalls@GreatCircle.com; Thu, 2 Nov 1995 22:50:40 -0500
Message-Id: <199511030350.WAA20363@unix3.netaxs.com>
Subject: Re: mountd Security
To: firewalls@GreatCircle.com
Date: Thu, 2 Nov 1995 22:50:38 -0500 (EST)
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Is there any real reason mountd should not be run on machines inside of a secure firewall, and what sort of access should users on those machines have to mount?

Is there any way to secure mountd from attack, while exporting only to trusted machines?

--
Morph_1 Witty Quote Here
morph_1@netaxs.com Disclaimer Here blah blah blah
Phone Numbers etc.
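The mountd question above, and the later reply that only (rw) exports to machines inside the firewall are involved, turns on knowing exactly what is exported to whom. The following is an added example, not the poster's configuration and not part of any NFS implementation: it reads an /etc/exports file in the Linux `client(options)` syntax (the syntax the "(rw)" in the thread suggests) and flags the entries a reviewer would look at first: exports to any host, read-write exports to any host, `no_root_squash`, the classic space-before-the-parentheses mistake, and clients outside an assumed inside-net prefix. The sample file and the 10.1.0.0/16 inside net are constructed for the example.

```python
"""Audit an /etc/exports file for the exposures a firewall-side review
would catch first.  Added example with a constructed sample file."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ExportEntry:
    path: str
    client: str                                  # host, IP, CIDR, "*" or "*.domain"
    options: List[str] = field(default_factory=list)


def parse_exports(text: str) -> List[ExportEntry]:
    """Parse Linux-style exports: `/path client(opt,opt) client2(opt)`.
    A bare path, or an `(opts)` token with no client in front of it,
    means every host may mount the export."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path, tokens = parts[0], parts[1:]
        if not tokens:
            entries.append(ExportEntry(path, "*"))
        for tok in tokens:
            client, paren, opts = tok.partition("(")
            options = [o for o in opts.rstrip(")").split(",") if o] if paren else []
            entries.append(ExportEntry(path, client or "*", options))
    return entries


def client_is_inside(client: str, inside_nets: list) -> bool:
    """True when the client is an address or prefix inside one of the given
    networks.  Hostnames cannot be checked offline and are left alone."""
    try:
        net = ipaddress.ip_network(client, strict=False)
    except ValueError:
        return True
    return any(net.version == n.version and net.subnet_of(n) for n in inside_nets)


def audit_exports(text: str, inside_nets: List[str]) -> List[Tuple[str, str, str]]:
    """Return (path, client, problem) for every export worth a second look."""
    nets = [ipaddress.ip_network(n) for n in inside_nets]
    findings = []
    for e in parse_exports(text):
        rw = "rw" in e.options
        if e.client.startswith("*"):             # "*" or a wildcard such as "*.corp"
            findings.append((e.path, e.client,
                             "exported to any host" + (", read-write" if rw else "")))
        elif not client_is_inside(e.client, nets):
            findings.append((e.path, e.client, "client is outside the inside net"))
        if "no_root_squash" in e.options:
            findings.append((e.path, e.client, "root on the client is root on this export"))
        if "insecure" in e.options:
            findings.append((e.path, e.client, "accepts requests from unprivileged source ports"))
    return findings


# Constructed sample, not taken from the thread.
SAMPLE_EXPORTS = """\
/export/home    10.1.0.0/16(rw)               # inside net only: fine
/export/src     10.1.2.7(rw,no_root_squash)   # root squash disabled
/export/pub     *(ro)                         # world-readable
/export/scratch (rw)                          # space before the options: world, rw
/export/tools   192.0.2.10(rw)                # client outside the inside net
"""

if __name__ == "__main__":
    for path, client, problem in audit_exports(SAMPLE_EXPORTS, ["10.1.0.0/16"]):
        print(f"{path:16} {client:28} {problem}")
```

Run against the constructed file the audit reports four entries and passes `/export/home`; the `/export/scratch` line is the one that looks restricted at a glance and is not, because the space before `(rw)` turns the options into an anonymous world export.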
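Several of the replies in the vendor-access compilation above converge on the same controls: an insider turns access on per trouble call, it reaches one inside machine, it has a time limit, it works once (Fred Avolio's list), and the secret handed to the vendor is a one-time password such as an S/Key pass phrase read out over the telephone (Peter Da Silva). The following is an added example of such a gate, not code from any poster or product. It uses a Lamport-style hash chain with SHA-256 as a stand-in for S/Key's MD4-based chain, an assumption made so it runs with the standard library; the vendor name, host name, seed and timings are constructed.

```python
"""One-shot, time-limited vendor access gate with hash-chain one-time passwords.
Added example: the chain uses SHA-256 rather than S/Key's MD4 (assumption)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict


def hash_chain(seed: bytes, n: int) -> bytes:
    """Apply SHA-256 n times to the seed (Lamport / S/Key-style chain)."""
    value = seed
    for _ in range(n):
        value = hashlib.sha256(value).digest()
    return value


def client_otp(seed: bytes, chain_length: int, login_number: int) -> bytes:
    """The one-time password for the vendor's login_number-th session (1-based):
    one chain step short of the value the gate currently holds.  This is the
    value an insider reads out over the telephone for that session."""
    return hash_chain(seed, chain_length - login_number)


@dataclass
class VendorGrant:
    target_host: str      # the single inside machine the grant opens
    expires_at: float     # absolute time in seconds; dead afterwards
    expected: bytes       # current head of the hash chain
    sessions_left: int    # "have this only work once": default 1


class VendorAccessGate:
    """Enabled per trouble ticket by an insider; every check fails closed."""

    def __init__(self) -> None:
        self._grants: Dict[str, VendorGrant] = {}

    def enable(self, vendor: str, target_host: str, seed: bytes,
               chain_length: int, lifetime_s: float, now: float,
               sessions: int = 1) -> None:
        # The gate stores only the chain head; the seed stays with the insider.
        self._grants[vendor] = VendorGrant(
            target_host, now + lifetime_s, hash_chain(seed, chain_length), sessions)

    def authenticate(self, vendor: str, target_host: str, otp: bytes, now: float) -> bool:
        grant = self._grants.get(vendor)
        if grant is None:
            return False                      # nobody turned access on
        if now > grant.expires_at or grant.sessions_left <= 0:
            return False                      # time limit or session budget exhausted
        if target_host != grant.target_host:
            return False                      # only the machine named in the ticket
        if not hmac.compare_digest(hashlib.sha256(otp).digest(), grant.expected):
            return False                      # wrong, or an already-used, password
        grant.expected = otp                  # advance the chain: this otp is spent
        grant.sessions_left -= 1
        return True

    def revoke(self, vendor: str) -> None:
        self._grants.pop(vendor, None)


if __name__ == "__main__":
    gate = VendorAccessGate()
    seed = b"constructed seed, kept by the insider"   # constructed value
    gate.enable("vendor-x", "db01", seed, chain_length=5, lifetime_s=3600, now=1000.0)
    first = client_otp(seed, 5, 1)
    print("session 1:", gate.authenticate("vendor-x", "db01", first, now=1500.0))  # True
    print("replay   :", gate.authenticate("vendor-x", "db01", first, now=1600.0))  # False
```

The gate never holds the seed, so a compromise of the gate yields only the chain head, from which the next password cannot be derived; the time limit, the single target host and the session budget are the three controls from Avolio's list, and a grant that is not enabled, or is reset by `revoke`, rejects everything.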
From firewalls-owner Thu Nov 2 21:23:27 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id VAA14161 for firewalls-outgoing; Thu, 2 Nov 1995 21:03:36 -0800 (PST)
Received: from odin.community.net (odin.community.net [140.174.119.10]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id VAA14146 for ; Thu, 2 Nov 1995 21:03:26 -0800 (PST)
Received: from [140.174.226.120] (n120.coco.community.net [140.174.226.120]) by odin.community.net with SMTP id VAA23932 for ; Thu, 2 Nov 1995 21:02:57 -0800
Date: Thu, 2 Nov 1995 21:02:57 -0800
Message-Id: <199511030502.VAA23932@odin.community.net>
Subject: Advantage of Filtering in Router vs Firewall
From: Bill Husler
To:
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I know I have read here that you have a stronger, more secure, setup if you keep IP filtering in your router and use the Firewall for Application level stuff - like proxies, but I don't remember the reasoning behind it. Please, somebody, run through it again for me.

Thanks,
Bill

The opinions expressed herein are my own. Any similarities between these opinions and those of any other person - living or not - including my employer are purely coincidental.
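Bill's question here and the planned layout Matthew Cable sketched earlier in this digest (packet filter on the outer router, proxies on the firewall, an inner router that only accepts traffic from the firewall) both come down to how two filter layers interact. The following is an added example, not code from either post and not a router configuration: a small model of the planned rule set, evaluated the way an access list is (first match wins, unmatched traffic denied), walked through both routers. The addresses are constructed from the RFC 5737 documentation ranges, the permitted services are taken from Matthew's description, and the "ports over 1024" rule stands in for the hole he says the current setup has.

```python
"""Model of a screened subnet with two packet-filtering routers around a
proxy firewall.  Added example; addresses and the exact rule set are
assumptions, not the poster's configuration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addresses from the RFC 5737 documentation ranges.
OUTSIDE_NET = "192.0.2.0/24"     # between the cisco 7000 and the firewall
INSIDE_NET = "198.51.100.0/24"   # behind the inner cisco
FIREWALL = "192.0.2.1"
WEBHOST = "192.0.2.10"
NEWSMAIL = "192.0.2.20"
PORTMASTER = "192.0.2.30"
OFFICE = "198.51.100.50"
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    src: str                           # CIDR
    dst: str                           # CIDR
    proto: str                         # "tcp", "udp" or "any"
    dports: Optional[Tuple[int, int]]  # inclusive port range; None = any port


def host(addr: str) -> str:
    """CIDR for a single host."""
    return addr + "/32"


def matches(rule: Rule, pkt: Packet) -> bool:
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dports is not None and not rule.dports[0] <= pkt.dport <= rule.dports[1]:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; an unmatched packet is denied, which is the
    implicit deny at the end of a Cisco access list."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# What the post says the outer router should let in from the internet, and nothing else.
PLANNED_OUTER = [
    Rule("permit", ANY, host(WEBHOST), "tcp", (80, 80)),      # http to webhost
    Rule("permit", ANY, host(WEBHOST), "tcp", (22, 22)),      # ssh to webhost
    Rule("permit", ANY, host(NEWSMAIL), "tcp", (25, 25)),     # smtp to news/mail
    Rule("permit", ANY, host(NEWSMAIL), "tcp", (119, 119)),   # nntp to news/mail
    Rule("permit", ANY, host(WEBHOST), "udp", (53, 53)),      # dns datagrams
    Rule("permit", ANY, host(NEWSMAIL), "udp", (53, 53)),
]
# The current setup additionally passes "ports over 1024": the hole the post complains about.
CURRENT_OUTER = PLANNED_OUTER + [Rule("permit", ANY, ANY, "any", (1025, 65535))]
# The inner cisco: only the firewall may talk to the inside net.
INNER = [Rule("permit", host(FIREWALL), INSIDE_NET, "any", None)]


def admit(pkt: Packet, outer: List[Rule], inner: List[Rule] = INNER) -> str:
    """Walk a packet through both filter layers and report where it ends up.
    The outer list applies only to traffic arriving from the internet; the
    firewall talks to the inside net without crossing the outer router."""
    on_site = ip_address(pkt.src) in ip_network(OUTSIDE_NET) or \
        ip_address(pkt.src) in ip_network(INSIDE_NET)
    if not on_site and evaluate(outer, pkt) == "deny":
        return "dropped at outer router"
    if ip_address(pkt.dst) not in ip_network(INSIDE_NET):
        return "delivered on outside net"
    if evaluate(inner, pkt) == "deny":
        return "dropped at inner router"
    return "delivered on inside net"


if __name__ == "__main__":
    probe = Packet("203.0.113.9", PORTMASTER, "tcp", 6000)   # outside host, high port
    print("current outer list:", evaluate(CURRENT_OUTER, probe))   # permit
    print("planned outer list:", admit(probe, PLANNED_OUTER))      # dropped at outer router
```

The last check in the test is the point behind keeping a packet filter in front of the proxy host: with the outer list replaced by a permit-everything list, a packet from the internet addressed straight to the office still dies at the inner router, because its source is not the firewall, and anything the outer list does stop never reaches the proxies at all.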
From firewalls-owner Thu Nov 2 23:23:16 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id XAA16799 for firewalls-outgoing; Thu, 2 Nov 1995 23:18:13 -0800 (PST)
Received: from psyche.the-wire.com (psyche.the-wire.com [198.53.192.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id XAA16792 for ; Thu, 2 Nov 1995 23:18:10 -0800 (PST)
Received: from rcooper.the-wire.com (rcooper.the-wire.com [198.53.159.74]) by psyche.the-wire.com (8.6.10/8.6.9) with SMTP id CAA24512; Fri, 3 Nov 1995 02:17:51 -0500
Received: by rcooper.the-wire.com with Microsoft Mail id <01BAA992.77E00780@rcooper.the-wire.com>; Fri, 3 Nov 1995 02:17:04 -0500
Message-ID: <01BAA992.77E00780@rcooper.the-wire.com>
From: Russ Cooper
To: "'Mike Shaver'" , "william.wells"
Cc: "firewalls@GreatCircle.COM"
Subject: RE: Java
Date: Fri, 3 Nov 1995 02:17:03 -0500
Encoding: 10 TEXT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Would it be possible to embed a virus into a .GIF file? or .AVI file? or .WAV file? These guys are all downloaded and stored in a cache on your local workstation, and in turn invoke an application on the local workstation. What is the difference between this and Java?
Cheers,
Russ Cooper
Senior Internet Integration Engineer
SHL/Computer Innovations
RCooper@the-wire.com - Express@msn.com - 74323.364@compuserve.com

From firewalls-owner Thu Nov 2 23:54:01 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id XAA17194 for firewalls-outgoing; Thu, 2 Nov 1995 23:35:32 -0800 (PST)
Received: from neon.ingenia.com (neon.ingenia.com [134.117.55.86]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id XAA17187 for ; Thu, 2 Nov 1995 23:35:28 -0800 (PST)
Received: (from shaver@localhost) by neon.ingenia.com (8.6.12/8.6.9) id CAA04073; Fri, 3 Nov 1995 02:32:38 -0500
From: Mike Shaver
Message-Id: <199511030732.CAA04073@neon.ingenia.com>
Subject: Re: Java
To: rcooper@the-wire.com (Russ Cooper)
Date: Fri, 3 Nov 1995 02:32:38 -0500 (EST)
Cc: william.wells@damark.com, firewalls@GreatCircle.COM
In-Reply-To: <01BAA992.77E00780@rcooper.the-wire.com> from "Russ Cooper" at Nov 3, 95 02:17:03 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Russ Cooper mumbled something vague about:
> Would it be possible to embed a virus into a .GIF file? or .AVI file? or
> .WAV file? These guys are all downloaded and stored in a cache on your
> local workstation, and in turn invoke an application on the local
> workstation. What is the difference between this and Java?

A better, if still flawed, analogy is to PostScript, which contains among its primitives means of accessing filesystems, etc. People are worried about an applet breaking out of its cage and mangling their network and associated resources (*).

Granted, the language contains a number of methods of doing things that could be subverted. So do newer (non-Java(tm)) versions of Netscape. And Word. Etc. It's a matter of trust, I guess.
Do you trust Sun's and Netscape's words that they've done everything in their power to both _design_ and _implement_ the java systems in a secure way? Perhaps not. But if you _don't_, then perhaps you should start questioning your faith in other applications, too. Like Word, X, PS viewers, Netscape v2.0bN, etc.

I'm beginning to think it's a case of "damnant quod non intellegerunt", but that might just be a sign of me swinging the other way.

(*) Some people, it seems, are also worried about similar abuses by a hostile user community. To me, this is an issue related not at all to the "java problem", nor really to firewalls. Kinda sci.psychology meets bugtraq, I guess. =)

Mike
--
#> Mike Shaver (shaver@ingenia.com)  Ingenia Communications Corporation <#
#> UNIX medicine man -- dark magick, cheap!                             <#
#>                                                                      <#
#> When the going gets tough, the tough give cryptic error messages.    <#
#> "We believe in rough consensus and running code."                    <#

From firewalls-owner Fri Nov 3 00:53:11 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id AAA20092 for firewalls-outgoing; Fri, 3 Nov 1995 00:49:02 -0800 (PST)
Received: from tidbit.fhda.edu. (tidbit.fhda.edu [153.18.12.252]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id AAA20078 for ; Fri, 3 Nov 1995 00:48:58 -0800 (PST)
Received: (from lanning@localhost) by tidbit.fhda.edu.
 (8.6.12/8.6.9) id BAA18217; Fri, 3 Nov 1995 01:57:40 -0800
From: Bob Lanning
Message-Id: <199511030957.BAA18217@tidbit.fhda.edu.>
Subject: Re: Java
To: rcooper@the-wire.com (Russ Cooper)
Date: Fri, 3 Nov 1995 01:57:40 -0800 (PST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <01BAA992.77E00780@rcooper.the-wire.com> from "Russ Cooper" at Nov 3, 95 02:17:03 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

---- As written by Russ Cooper:
>
> Would it be possible to embed a virus into a .GIF file? or .AVI file? or
> .WAV file? These guys are all downloaded and stored in a cache on your
> local workstation, and in turn invoke an application on the local
> workstation. What is the difference between this and Java?
>
> Cheers,
> Russ Cooper
> Senior Internet Integration Engineer
> SHL/Computer Innovations
> RCooper@the-wire.com - Express@msn.com - 74323.364@compuserve.com
>

.GIF, .AVI, .WAV... are basically compressed raw data streams. The "viewer" decompresses the stream and sticks it on your monitor or your audio device. JAVA on the other hand is a programming language. It can manipulate files, watch the mouse/keyboard/network for traffic.

This is similar to the Micro$oft Word Macro trojan horse. The document (HTML, Word) is harmless. It is when you have attachments that get executed that things go wrong.

--
Robert Hajime Lanning                                "It's the FROSTING!"
The opinions expressed here are not mine, nor are they anyone else's.
lanning@tidbit.fhda.edu <--for fun && for profit--> lanning@cup.hp.com

From firewalls-owner Fri Nov 3 01:24:19 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id BAA20901 for firewalls-outgoing; Fri, 3 Nov 1995 01:07:08 -0800 (PST)
Received: from access.netaxs.com (access.netaxs.com [198.69.186.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id BAA20894 for ; Fri, 3 Nov 1995 01:07:04 -0800 (PST)
Received: from unix3.netaxs.com (morph_1@unix3.netaxs.com [198.69.186.5]) by access.netaxs.com (8.6.12/8.6.11) with ESMTP id EAA28118; Fri, 3 Nov 1995 04:07:05 -0500
Received: (morph_1@localhost) by unix3.netaxs.com (8.6.12/8.6.9) id EAA25347; Fri, 3 Nov 1995 04:07:01 -0500
Date: Fri, 3 Nov 1995 04:06:59 -0500 (EST)
From: "W0W!@# ELYTENESS#@!"
To: Phil Howard
cc: firewalls@GreatCircle.com
Subject: Re: mountd Security
In-Reply-To: <199511030506.XAA07170@colt.milepost.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 2 Nov 1995, Phil Howard wrote:
> > Is there any real reason mountd should not be run on machines inside of
> > a secure firewall, and what sort of access should users on those machines
> > have to mount?
> > Is there any way to secure mountd from attack, while exporting only to
> > trusted machines?
>
> Define "trusted machine". One with a certain IP address? If your
> firewall is rock solid, then of course you don't need to worry about
> the outside. But you better trust EVERY machine on the inside, or
> else partition them from each other with more firewalls.
>

and then I said:

Well the firewall itself isn't in question, it's the fact that mountd is running between the machines that have users on them inside the firewall. Is there any security problem with running mountd that can be locally exploited? If there is then I would just disable the daemon; not exporting anything necessary at this point.
Limiting access would work too, but first I wanted to establish if much of a risk exists. As far as what's being exported goes, it's only (rw) filesystems to the machines inside the firewall.

From firewalls-owner Fri Nov 3 02:23:27 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id CAA24654 for firewalls-outgoing; Fri, 3 Nov 1995 02:03:23 -0800 (PST)
Received: from mailbox.swip.net (mailbox.swip.net [193.12.122.1]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id CAA24639 for ; Fri, 3 Nov 1995 02:03:17 -0800 (PST)
Received: from enterprise (dialup100-122.swipnet.se [130.244.100.122]) by mailbox.swip.net (8.6.12/8.6.12) with SMTP id LAA14538 for ; Fri, 3 Nov 1995 11:03:18 +0100
Date: Fri, 3 Nov 1995 11:03:18 +0100
Message-Id: <199511031003.LAA14538@mailbox.swip.net>
X-Sender: m-18213@mailbox.swip.net
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.com
From: Martin Fredriksson
Subject: DES export restrictions and ZyXEL
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sorry if this is not directly fw related (it sure does relate to one fw system at my site...). This is a copy of a post to comp.security.misc.

Dear Security and (DES) encryption politics and export rules specialists:

Our network group has just begun testing a new ZyXEL ISDN capable modem, the "ZyXEL Elite 2864I". According to the local distributor, this modem supports _data_ encryption using 112 bit DES technology. We are a Swedish company, and thus subject to the not so very liberal US export restrictions for cryptographic "stuff"(?). Or so I thought.

The local distributor for the ZyXEL modem can only forward questions to ZyXEL corporation. Thus without having a direct line to the ZyXEL corp., I have received the following answer to my question about how (if they really can) they export DES based data encryption.
> Federal Information Processing Standards are issued by the National Bureau
> of Standards pursuant to the Federal Property and Administrative Services
> Act of 1949, as amended, Public Law 89-306 (79 stat 1127). Executive Order
> 11717 (38 FR 12315, dated May 1, 1973) and Part 6 of Title 15 Code of
> Federal Regulations (CFR).
>
> Name of Standard: Data Encryption Standard (DES).
>
> Patents: Cryptographic devices implementing this standard may be covered by
> U.S. and foreign patents issued to the International Business Machines
> Corporation. However, IBM has granted nonexclusive, royalty-free licenses
> under the patents to make, use and sell apparatus which complies with the
> standard. The terms, conditions and scope of the licenses are set out in
> notices published in the May 13, 1975 and August 31, 1976 issue of the
> Official Gazette of the United States Patent and Trademark Office (934 O. G.
> 452 and 949 O. G. 1717).
>
> If you need more information about these documents above, please check with
> a librarian who will help you a lot.

The local distributor reads this as "well, DES is in the public domain, how nice". I read this as ZyXEL answered someone else's question....

I will of course follow this up with the local distributor, and thus with ZyXEL. The reason for my posting/mailing this here, is that I feel I need an external opinion. My questions now are mainly:

(1) Is it possible for a large US company to export products using DES data encryption? I mean even if they get a "non-USA DES" can they export products including this?
(2) Is anyone familiar with the modem in question (2864I), and know if it really provides DES data encryption?
(3) Where should I have posted this?
Thanks in advance, for any pointers!,

Martin Fredriksson
Systems Integration and Security
Ericsson Microwave Systems AB, Molndal, Sweden

From firewalls-owner Fri Nov 3 02:53:04 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id CAA25332 for firewalls-outgoing; Fri, 3 Nov 1995 02:23:51 -0800 (PST)
Received: from access.netaxs.com (access.netaxs.com [198.69.186.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id CAA25302 for ; Fri, 3 Nov 1995 02:23:44 -0800 (PST)
Received: from unix3.netaxs.com (morph_1@unix3.netaxs.com [198.69.186.5]) by access.netaxs.com (8.6.12/8.6.11) with ESMTP id FAA29898; Fri, 3 Nov 1995 05:23:33 -0500
Received: (morph_1@localhost) by unix3.netaxs.com (8.6.12/8.6.9) id FAA26103; Fri, 3 Nov 1995 05:23:28 -0500
Date: Fri, 3 Nov 1995 05:23:27 -0500 (EST)
From: "W0W!@# ELYTENESS#@!"
To: Bob Lanning
cc: Russ Cooper , firewalls@GreatCircle.COM
Subject: Re: JAVA is the Devil
In-Reply-To: <199511030957.BAA18217@tidbit.fhda.edu.>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 3 Nov 1995, Bob Lanning wrote:
> ---- As written by Russ Cooper:
> >
> > Would it be possible to embed a virus into a .GIF file? or .AVI file? or
> > .WAV file? These guys are all downloaded and stored in a cache on your
> > local workstation, and in turn invoke an application on the local
> > workstation. What is the difference between this and Java?
> >
> > Cheers,
> > Russ Cooper
> > Senior Internet Integration Engineer
> > SHL/Computer Innovations
> > RCooper@the-wire.com - Express@msn.com - 74323.364@compuserve.com
> >
> .GIF, .AVI, .WAV... are basically compressed raw data streams.
> The "viewer" decompresses the stream and sticks it on your monitor or your
> audio device. JAVA on the other hand is a programming language. It can
> manipulate files watch the mouse/keyboard/network for traffic.
>
> This is similar to the Micro$oft Word Macro trojan horse. The document (HTML,
> Word) is harmless. It is when you have attachments that get executed that
> things go wrong.
>
> --
> Robert Hajime Lanning "It's the FROSTING!"
> The opinions expressed here are not mine, nor are they anyone else's.
> lanning@tidbit.fhda.edu <--for fun && for profit--> lanning@cup.hp.com
>

Interesting, but there are neat "virii" that exist in compressed image files .JPG etc, where the picture itself keeps getting larger by infinitely expanding itself when you try and view it. Plus you never get to see the picture! evil.

--
Morph_1 Witty Phrase Here
morph_1@netaxs.net Some Phone Numbers Here
and so on. Jazzy Title Here

From firewalls-owner Fri Nov 3 03:22:56 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id CAA25673 for firewalls-outgoing; Fri, 3 Nov 1995 02:44:41 -0800 (PST)
Received: from student.uq.edu.au (student.uq.edu.au [130.102.2.20]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id CAA25666 for ; Fri, 3 Nov 1995 02:44:38 -0800 (PST)
Received: from student.uq.edu.au (cs324342@localhost [127.0.0.1]) by student.uq.edu.au (8.6.12/8.6.12) with SMTP id UAA07842 for ; Fri, 3 Nov 1995 20:44:41 +1000
Date: Fri, 3 Nov 1995 20:44:35 +1000 (GMT+1000)
From: John Dean
To: Firewalls@GreatCircle.COM
Subject: How do I unsubscribe to firewalls
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

---------------------------------------------------
J.E.Dean BSc III
University of Queensland
Australia

From firewalls-owner Fri Nov 3 05:57:31 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id FAA00590 for firewalls-outgoing; Fri, 3 Nov 1995 05:42:46 -0800 (PST)
Received: from gatekeeper.glaxo.com (gatekeeper.glaxo.com [192.58.204.201]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id FAA00583 for ; Fri, 3 Nov 1995 05:42:43 -0800
(PST)
Received: by gatekeeper.glaxo.com (5.65/fma-120691); id AA17490; Fri, 3 Nov 95 08:42:45 -0500
Received: from ussun2f.glaxo.com by ussun1d.glaxo.com (5.x/SMI-SVR4) id AA22889; Fri, 3 Nov 1995 08:43:31 -0500
Received: by ussun2f.glaxo.com (5.x/SMI-SVR4) id AA10054; Fri, 3 Nov 1995 08:48:15 -0500
Reply-To: ggh14854@ussun2f.glaxo.com (Gary Hull)
Date: Fri, 3 Nov 1995 08:48:13 -0500 (EST)
From: Gary Hull
To: Bob Lanning
Cc: firewalls
Subject: Re: idb.ar.com...the mystery continues
In-Reply-To: <199511030910.BAA18145@tidbit.fhda.edu.>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 3 Nov 1995, Bob Lanning wrote:

> Uhh... What the hell are you talking about?
>
> The pieces that were snipped were already posted to the list. I see no need
> in the duplicating.
>
> P.S. I'm a sysadmin, I better know how to use telnet, whois and a whole
> lot more!

Bob --

Yes, I realize that and I apologize for my rash reaction. Like me, you too were offering assistance to the list and I know it is appreciated. I also offer my apologies to the list membership as a whole. Yesterday was a bad day for me with my focus being on draining the swamp but the darn alligators wouldn't let me near the plug.

Have a nice day!

|/
---o0o-@@-o0o---------
Gary G. Hull - Technical Consultant
Howard Systems International - Glaxo Wellcome Inc.
Five Moore Drive - Raleigh, North Carolina 27709
Tel : (919) 941-4867 - Fax : (919) 248-2831
email: ggh14854@ussun2f.glaxo.com

From firewalls-owner Fri Nov 3 06:24:03 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id GAA01007 for firewalls-outgoing; Fri, 3 Nov 1995 06:18:34 -0800 (PST)
Received: from Fe3.rust.net (Fe3.rust.net [204.157.12.254]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id GAA00990 for ; Fri, 3 Nov 1995 06:18:29 -0800 (PST)
Received: from dtw-16.rust.net by Fe3.rust.net via SMTP (940816.SGI.8.6.9/940406.SGI.AUTO) id JAA25232; Fri, 3 Nov 1995 09:25:32 -0800
Date: Fri, 3 Nov 1995 09:25:32 -0800
Message-Id: <199511031725.JAA25232@Fe3.rust.net>
X-Sender: janken@rust.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: "A. Padgett Peterson, P.E. Information Security"
From: janken@rust.net (Kenneth J. Stephens)
Subject: Re: Firewall discussion at PC Week
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>PC Week is hosting a Discussion on "Protecting the company LAN from Internet
>>intruders" at
>> Protecting the company LAN from Internet intruders
>
>And if you can make sense out of that address, you probably do not need any
>more help 8*).
> P.fla
>

I may just change a few bytes and use it for my PGP key :^)> Ain't CGI a wonderful tool.

Ken

[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
Ken Stephens, Senior Capacity Planner/Data Security Officer
email: Ken_Stephens@miconsulting.com   Voice (313) 876-5081
Michigan Employment Security Commission (MESC)   Fax (313) 876-6827
7th Fl. I.S., 7310 Woodward Ave, Detroit, MI 48202

Millennium Consulting, 28234 Diesing Dr., Madison Heights, MI 48071
"Your Security Policy is only as strong as your organization's commitment to it."
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

From firewalls-owner Fri Nov 3 06:54:21 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id GAA01124 for firewalls-outgoing; Fri, 3 Nov 1995 06:28:34 -0800 (PST)
Received: from kgbvax.network.com (kgbvax.network.com [129.191.202.58]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id GAA01117 for ; Fri, 3 Nov 1995 06:28:30 -0800 (PST)
Received: (from ted@localhost) by kgbvax.network.com (8.6.9/8.6.9) id IAA28999; Fri, 3 Nov 1995 08:23:36 -0500
Date: Fri, 3 Nov 1995 08:23:36 -0500
From: Ted Doty
Message-Id: <199511031323.IAA28999@kgbvax.network.com>
To: martin@msp.se, firewalls@greatcircle.com
Subject: Re: DES export restrictions and ZyXEL
In-Reply-To: Mail from 'Martin Fredriksson ' dated: Fri, 3 Nov 1995 11:03:18 +0100
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

martin@msp.se wrote:

[stuff about DES deleted]

> My questions now are mainly:
>
> (1) Is it possible for a large US company to export products using DES
> data encryption? I mean even if they get a "non-USA DES" can they
> export products including this?

Yes. We do, and many others do as well. The export restrictions have many (well, some) instances where strong encryption can be exported.

Note that what you are talking about looks like Triple DES (3 passes thru DES using 2 different keys, for an effective key length of 112 bits). I have no direct knowledge of any American company exporting Triple DES, although IDEA seems to be at least as strong.

You should know, however, that most of the instances where DES is exported from the USA are when it is shipped to banks or to subsidiaries of American companies. Commercial, non-US companies can not get DES (easily) from US companies.

> (3) Where should I have posted this.

You should check out the sci.crypt newsgroup.
--
- Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation   | phone: +1 301 596-2270
8965 Guilford Road, Suite 250           | fax: +1 410 381-3320
Columbia, MD, 21046 USA                 | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to real opinions, living or dead, is purely coincidental.

From firewalls-owner Fri Nov 3 07:24:31 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id HAA02435 for firewalls-outgoing; Fri, 3 Nov 1995 07:20:33 -0800 (PST)
Received: from maildrop.micrognosis.com (supernova.micrognosis.com [192.233.13.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id HAA02428 for ; Fri, 3 Nov 1995 07:20:27 -0800 (PST)
Received: by maildrop.micrognosis.com (4.1/SMI-4.1) id AA06554; Fri, 3 Nov 95 10:20:31 EST
Received: from singhi.corp.micrognosis.com(193.32.166.28) by supernova.micrognosis.com via smap (V1.3) id sma006552; Fri Nov 3 10:20:26 1995
Received: from becks (becks.corp.micrognosis.com) by corp.micrognosis.com (4.1/1.0-integ.cf) id AA08471; Fri, 3 Nov 95 10:23:48 EST
Date: Fri, 3 Nov 1995 10:23:45 -0500 (EST)
From: Adam Jack
X-Sender: ajack@becks
To: Rick Smith
Cc: firewalls@greatcircle.com
Subject: Re: What about the next 20 Java-like applications? ( was Re: Java)
In-Reply-To: <199511020123.TAA23834@shade.sctc.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 1 Nov 1995, Rick Smith wrote:

> For the (broken) record, I think the Java developers did a fine job of
> dealing with early '80s style security issues. But they didn't get a
> handle on the desktop security issues early enough in the HotJava
> design.
>

Interesting comment. Please elaborate w/ some examples - privately, if you think this thread is noise or it is undue repetition.
>
> > Reassurance isn't a right! ...
>
> Competent firewall and security vendors do NOT subscribe to this
> mindset. If a customer is concerned enough about security to seek a
> quality product, they have every right to (re)assurance that the
> protections they expect are in place. They deserve to know what
> security measures are effective and deployed. They deserve evidence.
>

Precisely. Customers pay you to prove something. Sun aren't selling to you - they are testing a concept in good old Internet fashion - by letting 'net individuals do some of the leg work. Sun have made a lot of information available - it just takes time to ingest. I don't necessarily condone it (except maybe from a business standpoint) - but it is happening. And it will continue to ...

>
> As you've probably figured out, this is expensive and time consuming
> work. We do it for our own products. I admit it depresses me to have
> the same, tired security questions go unanswered, and that I do not
> have the time myself to try things out.
>

This is exactly my point. Mustn't something be done to try to change that - now that money & livelihood are getting involved.

> > Applications on the Internet are racing ahead. Despite the common sense
> > demand for security - pressure for functionality is higher.
>
> It depends on who you talk to. Our customers want both, but they
> recognize there is a tradeoff. How many will put their back office
> operations at risk just for "coool stuff" on desktops?? Not many.
>

Hmm - sorry - I was wrong to say "is higher". My experience is a tad slanted by propeller-heads. Maybe I should take a note from you - and say we should plan for the future. The pace of this 'Net explosion is such that soon they will want everything. Not for 'coool' reasons - but for functional reasons.

>
> Evolving attack methodologies also strain current firewall models,
> even without throwing HotJava into the picture.
> Sites concerned about
> security want finer grained awareness of what crosses their boundary.
> It's not clear how we meet their needs and also pass applets. Magic
> doesn't exist, and firewalls can't perform mathematical miracles.
>

I am not able to comment on other than Java - but your point seems very sound. Maybe one of the benefits of this Internet explosion will be heightened user awareness - and reduced requirement for transparency at the firewall. If users will accept a bit more pain for their functionality maybe the need for magic can be removed.

Java : Remember when Chuck McManis suggested the possibility of a firewall resident Java based applet-proxy? There would, of course, be overhead (but then downloading Java applets is slow so there is CPU idle time!) That would be a valuable addition to the firewall - since the proxy was to provide 'firewall manager configurable' applet sanitation.

> It is not clear that
> spiffy stuff will run on a HotJava system configured to run securely.
>

I agree. This, and the bandwidth abuse, is why I have lost most interest in HotJava. There are more effective and less controversial ways to do pretty graphics. Partly this is why I asked about the next ones. The perceived need is there and if HotJava doesn't serve that need - others will try.

> >.. How are firewalls going to deal with the next 20 Java's?
>
> The same way this one is dealt with: a refusal to throw caution to the
> wind simply because it's Kool Stuff.
>

Cheap retort to a serious question. Do you expect the Internet to wait 'cos you imply they are being immature? People will push the boundaries to attempt to make money - that is business. What you might think of as Kool - may, to others, be big dollars. You (firewall security types) will need better arguments than yours above.

No doubt I am naive - and maybe there are historical models for ways to deal with this kind of swelling (if not scale).
Interoperability constraints of the last few decades, plus limited financial gain, have kept Internet applications at bay. No longer so. Some applications will be worthwhile - some will not be.

Rick - I know you have taken time & effort to learn about Java - and I respect that choice of investment. However there is too much coming for individuals to continually keep abreast of.

Adam

> I hate long postings.
>

BTW : Comments like this suit what purpose? Like above - if you want me to stop - give me a better reason.

--
+1-203-730-5437 | http://www.micrognosis.com/~ajack/index.html

From firewalls-owner Fri Nov 3 07:55:40 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id HAA02621 for firewalls-outgoing; Fri, 3 Nov 1995 07:31:28 -0800 (PST)
Received: from smtp.interramp.com (smtp.interramp.com [38.8.45.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id HAA02614 for ; Fri, 3 Nov 1995 07:31:24 -0800 (PST)
Received: from [38.12.98.76] by smtp.interramp.com (8.6.12/SMI-4.1.3-PSI-irsmtp) id KAA10605; Fri, 3 Nov 1995 10:31:23 -0500
X-Sender: us008809@pop3.interramp.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 3 Nov 1995 11:30:00 -0500
To: firewalls@greatcircle.com
From: russo@interramp.com (Bob Russo)
Subject: An *UN* UNIX Firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My mailer told me that someone posted the following:

>what are people using for software. we feel that gauntlet is a unix based
>software product and we have very little unix knowledge. our network is either
>pc/mac or ibm mainframe (VM/ESA). we do have a couple of applications on unix
>but only 1 person to staff this area. a gateway application running on a unix
>platform wouldn't be bad if it were a database application, requiring little
>to no knowledge of unix.
=========================================================================
Then Padgett said:

Unfortunately, what you want does not exist. Security, particularly Internet Insecurity, is different from RAC-F administration. While many firewalls are drawn from Unix backgrounds (though more precisely they use UNIX-like interfaces, rarely are they built on top of plain-jane UNIX), this is because most people who have the necessary background in the TCP/IP protocols and addressing used on the Internet to be able to set up a good firewall come from Unix backgrounds and are most familiar with that syntax.
===========================================================================
Now I'm saying:

You should have a look at FireWall/Plus. This product is a DOS-Based firewall. *WAIT*...before you dismiss it by saying "How good can it be if it's DOS" you should know that it is much much more. FireWall/Plus is a "Stateful" packet filtering firewall. It is as robust as most UNIX based firewalls...in all cases easier to setup and manage...less costly to purchase and maintain...Filters and reports on frame level, transport level, application level, node level and even down to the byte level with no UNIX scripting by simply utilizing the most intuitive GUI...Blah Blah Blah

Sorry for the sales pitch...but have a look at it on our home page and you can even down-load a copy and try from there as well.

Good luck,
Bob Russo

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
Network-1 Software & Technology, Inc.
Designers of *FireWall/Plus* - The Only *DOS* based firewall
New York Corporate Office
909 Third Ave.
New York, NY 10022
Voice: 212-293-3068   Fax: 212-293-3090   Email: russo@network-1.com
HTTP: //www.network-1.com/n1
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/

From firewalls-owner Fri Nov 3 08:23:30 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA03271 for firewalls-outgoing; Fri, 3 Nov 1995 08:03:08 -0800 (PST)
Received: from aads.com (aads.net [198.111.96.42]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id IAA03264 for ; Fri, 3 Nov 1995 08:03:04 -0800 (PST)
Received: from [198.111.96.11] (agnew.aads.net [198.111.96.11]) by aads.com (8.6.11/aads2.0) with SMTP id LAA22636; Fri, 3 Nov 1995 11:02:05 -0500
X-Sender: jgs@home.aads.net
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 3 Nov 1995 11:03:18 -0500
To: firewalls@GreatCircle.COM
From: jgs@aads.net (John G. Scudder)
Subject: Re: Man in the Middle Attacks (Over rated?)
Cc: maillet@doc.cs.usm.maine.edu, Ted Doty , curtis@ans.net
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 8:14 AM 11/2/95, Ted Doty wrote:
[...]
>Nevermind when the NFSnet routing nodes were subverted (January 1994?), and
>sniffer programs installed.
[...]

As I discussed with Ted in private email, this isn't correct. The CERT advisory (and various news stories in the popular media) reported sniffer attacks in general. Neither the advisory nor any news stories ever mentioned the NSFNET, and in fact no sniffer programs were ever installed on any NSFNET routers.
Yours for keeping the record straight,

--John Scudder
Ameritech
Former NSFNET guy

From firewalls-owner Fri Nov 3 08:54:21 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA03798 for firewalls-outgoing; Fri, 3 Nov 1995 08:32:10 -0800 (PST)
Received: from westie.gi.net (westie.gi.net [198.247.250.16]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id IAA03791 for ; Fri, 3 Nov 1995 08:32:06 -0800 (PST)
Received: from gaijin.mid.net (gaijin.gi.net [198.247.250.28]) by westie.gi.net (8.7.1/8.7.1) with ESMTP id KAA03715 for ; Fri, 3 Nov 1995 10:32:03 -0600 (CST)
From: Alan Hannan
Received: by gaijin.mid.net (8.7.1) id KAA08828; Fri, 3 Nov 1995 10:32:01 -0600 (CST)
Message-Id: <199511031632.KAA08828@gaijin.mid.net>
Subject: Anecdotes or Firewall/NetSec Jokes
To: firewalls@greatcircle.com (Firewalls Mailing List)
Date: Fri, 3 Nov 1995 10:31:59 -0600 (CST)
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'll be speaking at a number of seminars in the next three weeks, and I think it would be nice to have some intelligent humorous jokes or anecdotes to start my talks off.

If anyone has any good ones, I'd love to hear them, and I think the list members would benefit from their discussion.

I can't recall any of mine (I'm sure there are) and the only one I remember is Marcus's one about some trading chairman listening to the security folks debate policy, and yelling "We will trade" and storming off.....

I look forward to hearing from you, thanks!
--
Alan Hannan   alan@gi.net
Network Engineer   (402) 472-0239
Global Internet Network Operations   http://www.gi.net/~alan
Global Internet - Secure Internetworking Around the Globe -=( Formerly MIDnet )=-

From firewalls-owner Fri Nov 3 10:15:24 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA05296 for firewalls-outgoing; Fri, 3 Nov 1995 09:46:56 -0800 (PST)
Received: from quark.foobar.co.uk (quark.foobar.co.uk [193.122.182.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id JAA05289 for ; Fri, 3 Nov 1995 09:46:49 -0800 (PST)
Received: (from mjc@localhost) by quark.foobar.co.uk (8.6.11/8.6.9) id RAA23766; Fri, 3 Nov 1995 17:40:24 GMT
Message-Id: <199511031740.RAA23766@quark.foobar.co.uk>
Subject: Re: Tightening up SunOS 5.4 (was Re: Hardened OS)
To: smith@sctc.com (Rick Smith)
Date: Fri, 3 Nov 1995 17:40:23 +0000 (GMT)
From: "Martin Cooper"
Cc: firewalls@greatcircle.com
In-Reply-To: <199511031718.LAA09560@shade.sctc.com> from "Rick Smith" at Nov 3, 95 11:18:54 am
X-Mailer: ELM [version 2.4 PL24 ME6]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > No, but then you can hardly eliminate root can you? ;)
>
> That's what we did on Sidewinder. It's a liability in a highly secure
> system, not a benefit. Nobody, not even root, can bypass the
> mandatory aspects of the security mechanisms while the system is in
> normal operation and on the Net.

Oh, ok. I thought it wasn't possible. I'm happy that root is just a name for uid 0, but what about processes that need to be started at boot time? Will it be possible to run these at boot time without an entry for root in the password file, and without the setuid bits on executable binaries? If it is, then this seems like a fine security measure for a bastion host.
Martin

--
Martin Cooper     http://www.foobar.co.uk/~mjc/   mjc@foobar.co.uk
Foobar Internet   http://www.foobar.co.uk/        sales@foobar.co.uk
Phone: +44 (0)116 2330033   Fax: +44 (0)116 2330035
The Magazine Business Centre, Newarke Street, LEICESTER, LE1 5SS

From firewalls-owner Fri Nov 3 10:34:05 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id KAA05841 for firewalls-outgoing; Fri, 3 Nov 1995 10:03:25 -0800 (PST)
Received: from incog.com (ns.incog.com [199.190.177.251]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id KAA05828 for ; Fri, 3 Nov 1995 10:03:21 -0800 (PST)
From: mulligan@future.incog.com
Received: from coslabs.incog.com by incog.com (SMI-8.6/94082501) id KAA20778; Fri, 3 Nov 1995 10:01:55 -0800
Received: from future.incog.com by coslabs.incog.com (5.x/SMI-SVR4) id AA14680; Fri, 3 Nov 1995 11:03:04 -0700
Received: from future (localhost) by future.incog.com (5.x/SMI-SVR4) id AA09630; Fri, 3 Nov 1995 11:03:06 -0700
Message-Id: <9511031803.AA09630@future.incog.com>
To: jgs@aads.net (John G. Scudder)
Cc: firewalls@GreatCircle.COM, maillet@doc.cs.usm.maine.edu, Ted Doty , curtis@ans.net
Subject: Re: Man in the Middle Attacks (Over rated?)
Reply-To: mulligan@incog.com
In-Reply-To: Your message of "Fri, 03 Nov 1995 11:03:18 EST."
Date: Fri, 03 Nov 1995 11:03:05 -0700
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

John Scudder wrote:

> As I discussed with Ted in private email, this isn't correct. The CERT
> advisory (and various news stories in the popular media) reported sniffer
> attacks in general. Neither the advisory nor any news stories ever
> mentioned the NSFNET, and in fact no sniffer programs were ever installed
> on any NSFNET routers.

This is sort of a cagey answer. Quite probably "no sniffer programs were ever installed on any NSFNET routers."
If they were pure routers and not general purpose machines running as routers I don't think you COULD install a sniffer, but this doesn't say that sniffers were not installed on other (non router) machines attached to the NSFNET backbone.

I do know FOR A FACT that a sniffer program was installed on a machine attached to the BARRnet backbone and did sniff a huge number of passwords.

geoff

From firewalls-owner Fri Nov 3 11:09:17 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA04296 for firewalls-outgoing; Fri, 3 Nov 1995 09:02:30 -0800 (PST)
Received: from spider.lloyd.com (spider.lloyd.com [158.222.1.5]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id JAA04289 for ; Fri, 3 Nov 1995 09:02:28 -0800 (PST)
Received: from tomewing.entexcal.com by spider.lloyd.com with smtp (Smail3.1.29.1 #5) id m0tBPVg-000TriC; Fri, 3 Nov 95 09:02 PST
Message-Id:
Date: Fri, 3 Nov 95 09:02 PST
X-Sender: tewing@spider.lloyd.com
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: tewing@spider.lloyd.com (Thomas Ewing)
Subject: Novell based firewalls / IP managers
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings,

I realize this is perhaps an ancient information request, but:

What are everyone's views of the various (if various) products designed as Novell Netware (4.x) centric firewalls / IP address space managers?

Please e-mail direct, and I will summarize.
Thanks,
Tom

--
Tom Ewing                      Your fingers are the original
System Consulting Manager      personal computer
ENTEX Information Services
980 9th Street, Suite 380
Sacramento, CA 95814
PH: 916-325-2976   PG: 916-736-5606

From firewalls-owner Fri Nov 3 11:25:54 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id KAA06490 for firewalls-outgoing; Fri, 3 Nov 1995 10:37:06 -0800 (PST)
Received: from gauntlet-1.trusted.com (gauntlet-1.trusted.com [192.94.214.88]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id KAA06483 for ; Fri, 3 Nov 1995 10:37:03 -0800 (PST)
Received: by gauntlet-1.trusted.com; id NAA29813; Fri, 3 Nov 1995 13:39:16 -0500
Message-Id: <199511031839.NAA29813@gauntlet-1.trusted.com>
Received: from vanidor.tis.com(192.94.214.98) by gauntlet-1.trusted.com via smap (g3.0.3) id xma029811; Fri, 3 Nov 95 13:39:13 -0500
X-Sender: avolio@gauntlet-1.trusted.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 03 Nov 1995 14:30:57 -0500
To: Bob Russo , firewalls@greatcircle.com
From: Frederick M Avolio
Subject: Re: An *UN* UNIX Firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:30 AM 11/3/95 -0500, Bob Russo wrote:
>My mailer told me that someone posted the following:
>
>>what are people using for software. we feel that gauntlet is a unix based
>>software product and we have very little unix knowledge. our network is either
>>pc/mac or ibm mainframe (VM/ESA). we do have a couple of applications on unix
>>but only 1 person to staff this area. a gateway application running on a unix
>>platform wouldn't be bad if it were a database application, requiring little
>>to no knowledge of unix.

A firewall, such as our Gauntlet Internet Firewall, does not require UNIX expertise, or even much UNIX knowledge. ANY connection to the Internet requires knowledge of IP networks, especially DNS and SMTP.
Fred

From firewalls-owner Fri Nov 3 11:26:33 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA03400 for firewalls-outgoing; Fri, 3 Nov 1995 08:08:14 -0800 (PST)
Received: from maildrop.micrognosis.com (supernova.micrognosis.com [192.233.13.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id IAA03393 for ; Fri, 3 Nov 1995 08:08:10 -0800 (PST)
Received: by maildrop.micrognosis.com (4.1/SMI-4.1) id AA08497; Fri, 3 Nov 95 11:08:09 EST
Received: from singhi.corp.micrognosis.com(193.32.166.28) by supernova.micrognosis.com via smap (V1.3) id sma008470; Fri Nov 3 11:07:46 1995
Received: from becks (becks.corp.micrognosis.com) by corp.micrognosis.com (4.1/1.0-integ.cf) id AA08641; Fri, 3 Nov 95 11:11:02 EST
Date: Fri, 3 Nov 1995 11:11:01 -0500 (EST)
From: Adam Jack
X-Sender: ajack@becks
To: Mike Shaver
Cc: "william.wells" , firewalls@greatcircle.com
Subject: Re: Java
In-Reply-To: <199511021904.OAA14050@neon.ingenia.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 2 Nov 1995, Mike Shaver wrote:

>
> > Its harder to have a policy that says that you can't browse any URL
> > which run applets; especially since I'm not sure that one can tell the URL
> > has applets.
>
> You can't tell which pages will have applets, but you _can_ mandate
> that the users only use non-Java(tm)-aware browsers. (Yes, Netscape is
> releasing such beasts.)
>

My turn at playing the broken record. However - since Sun have left few centralized control options (using HTTP & user config) - I think this is a useful tip.

Trap all http://*.class requests at the firewall's HTTP proxy. Denying them should affect only Java applets. (OK - application firewall soln only. But even packet filter only sites should have an internal cached HTTPD IMHO.)
Adam

--
+1-203-730-5437 | http://www.micrognosis.com/~ajack/index.html

From firewalls-owner Fri Nov 3 11:38:47 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA05039 for firewalls-outgoing; Fri, 3 Nov 1995 09:38:21 -0800 (PST)
Received: from neon.ingenia.com (neon.ingenia.com [134.117.55.86]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id JAA05032 for ; Fri, 3 Nov 1995 09:38:14 -0800 (PST)
Received: (from shaver@localhost) by neon.ingenia.com (8.6.12/8.6.9) id MAA06284; Fri, 3 Nov 1995 12:38:32 -0500
From: Mike Shaver
Message-Id: <199511031738.MAA06284@neon.ingenia.com>
Subject: Re: Java
To: ajack@corp.micrognosis.com (Adam Jack)
Date: Fri, 3 Nov 1995 12:38:31 -0500 (EST)
Cc: william.wells@damark.com, firewalls@greatcircle.com
In-Reply-To: from "Adam Jack" at Nov 3, 95 11:11:01 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Adam Jack mumbled something vague about:
> > You can't tell which pages will have applets, but you _can_ mandate
> > that the users only use non-Java(tm)-aware browsers. (Yes, Netscape is
> > releasing such beasts.)
>
> My turn at playing the broken record. However - since Sun have left few
> centralized control options (using HTTP & user config) - I think this is
> a useful tip.
>
> Trap all http://*.class requests at the firewall's HTTP proxy. Denying
> them should affect only Java applets. (OK - application firewall
> soln only. But even packet filter only sites should have an internal
> cached HTTPD IMHO.)

Works great iff the person writing the page doesn't get wise and rename the class file to MyApplet.wonky or some such.

I suspect that many people will try the *.class solution, and it will quickly become standard for anyone who "really wants people to see their cool applet" to rename it.
Mike

--
#> Mike Shaver (shaver@ingenia.com)    Ingenia Communications Corporation <#
#> Technical Specialist -- will tame sendmail(8) for food                 <#
#>                                                                         <#
#> "You are a very perverse individual, and I think I'd like to get to    <#
#>  know you better." --- eric@reference.com                               <#

From firewalls-owner Fri Nov 3 11:53:08 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA05339 for firewalls-outgoing; Fri, 3 Nov 1995 09:48:14 -0800 (PST)
Received: from maildrop.micrognosis.com (supernova.micrognosis.com [192.233.13.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id JAA05331 for ; Fri, 3 Nov 1995 09:48:03 -0800 (PST)
Received: by maildrop.micrognosis.com (4.1/SMI-4.1) id AA12185; Fri, 3 Nov 95 12:48:01 EST
Received: from singhi.corp.micrognosis.com(193.32.166.28) by supernova.micrognosis.com via smap (V1.3) id sma012182; Fri Nov 3 12:47:37 1995
Received: from becks (becks.corp.micrognosis.com) by corp.micrognosis.com (4.1/1.0-integ.cf) id AA09077; Fri, 3 Nov 95 12:50:54 EST
Date: Fri, 3 Nov 1995 12:50:53 -0500 (EST)
From: Adam Jack
X-Sender: ajack@becks
To: Mike Shaver
Cc: william.wells@damark.com, firewalls@greatcircle.com
Subject: Re: Java
In-Reply-To: <199511031738.MAA06284@neon.ingenia.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 3 Nov 1995, Mike Shaver (who needs a new reply to comment) wrote :

> Adam Jack mumbled something vague about:
> >
> > Trap all http://*.class requests at the firewalls HTTP proxy. Denying
> > them should affect only Java applets. (OK - application firewall
> > soln only. But even packet filter only sites should have an internal
> > cached HTTPD IMHO.)
>
> Works great iff the person writing the page doesn't get wise and
> rename the class file to MyApplet.wonky or some such.
>
> I suspect that many people will try the *.class solution, and it will
> quickly become standard for anyone who "really wants people to see
> their cool applet" to rename it.
>

It isn't the page author that chooses this. Yes an individual might start the .wonky craze - but they would have to communicate this to people who would then have to similarly re-code their Java-enabled browsers.

These individuals might also choose to attach a C++ compiler/loader to their browser and mess up their lives similarly. I think these people would find ftp easier.

Adam

--
+1-203-730-5437 | http://www.micrognosis.com/~ajack/index.html

From firewalls-owner Fri Nov 3 12:37:26 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id KAA06204 for firewalls-outgoing; Fri, 3 Nov 1995 10:20:19 -0800 (PST)
Received: from neon.ingenia.com (neon.ingenia.com [134.117.55.86]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id KAA06197 for ; Fri, 3 Nov 1995 10:20:14 -0800 (PST)
Received: (from shaver@localhost) by neon.ingenia.com (8.6.12/8.6.9) id NAA06640; Fri, 3 Nov 1995 13:17:37 -0500
From: Mike Shaver
Message-Id: <199511031817.NAA06640@neon.ingenia.com>
Subject: Re: Java
To: ajack@corp.micrognosis.com (Adam Jack)
Date: Fri, 3 Nov 1995 13:17:37 -0500 (EST)
Cc: william.wells@damark.com, firewalls@greatcircle.com
In-Reply-To: from "Adam Jack" at Nov 3, 95 12:50:53 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Adam Jack brought forth:
> On Fri, 3 Nov 1995, Mike Shaver (who needs a new reply to comment) wrote :

True, true...

> It isn't the page author that chooses this. Yes an individual might
> start the .wonky craze - but they would have to communicate this
> to people who would then have to similarly re-code their Java-enabled
> browsers.

Not much recoding to do...
distribute a wrapper applet that includes its own class loader. But that's the "illegal software" debate, and I'm getting a little sick of it.

> These individuals might also choose to attach a C++ compiler/loader to
> their browser and mess up their lives similarly. I think these people
> would find ftp easier.

Indeed. See the codebase variable in the tag. Or "gopher://", etc. (Java's only piggybacked on HTTP because that's where most of the HTML gets transported.)

Mike
--
#> Mike Shaver (shaver@ingenia.com) Ingenia Communications Corporation <#
#> Ignore the man behind the curtain. <#
#> <#
#> "And then I realized that it never should have worked in the first <#
#> place. Thus, it would not work again until rewritten." --- Anon. <#

From firewalls-owner Fri Nov 3 12:59:00 1995
Date: 3 Nov 1995 10:16:25 U
From: "Yalda Mirzai"
Subject: Re: Firewall Study
To: "John P.
Morton", uunet!greatcircle.com!firewalls@uunet.uu.net

Reply to: RE>Firewall Study

I would begin by learning about the various types of firewalls, since quantifying or measuring the effectiveness of an internet firewall is partially due to the "type" of firewall in question as well as how well it is implemented. As for measuring the cost-effectiveness of a firewall configuration and other factors, Gartner Group has written papers on this topic. Mr. Mike Zboray is a Gartner Group analyst who is quite knowledgeable about security-related issues.

Regards,
Yalda Mirzai

--------------------------------------
Date: 11/2/95 3:16 PM
To: Yalda Mirzai
From: John P. Morton

Hello all,

I am a novice to internet firewall concepts; however, I am involved in a graduate project attempting to quantify or measure the effectiveness of an internet firewall. My research must support that internet firewalls are effective against hackers. From your experience(s) when making firewall configurations, what criteria do you analyze within the enterprise and organization to determine the cost-effective firewall configuration? Are there other factors I should consider in attempting to measure firewalls to secure corporate data? Please advise with any information.
Thank You

------------------ RFC822 Header Follows ------------------
From: "John P. Morton"
Message-Id: <9511021520.ZM16023@unknown.zmail.host>
Date: Thu, 2 Nov 1995 15:20:30 -0500
To: uunet!greatcircle.com!firewalls
Subject: Firewall Study

From firewalls-owner Fri Nov 3 13:33:08 1995
Date: Fri, 3 Nov 1995 14:52:35 -0600
From: Rick Smith
Message-Id: <199511032052.OAA20691@shade.sctc.com>
To: firewalls@greatcircle.com
Cc: smith@sctc.com, maillet@doc.cs.usm.maine.edu
Subject: Re: A defense against sniffing attacks for mere mortals

Edward Maillet writes:

> Sorry to step on the toes of you S/Key, Kerberos, it's-only-safe-if-it's-
> encrypted types but it seems that there are other ways of defeating
> packet sniffers. Both active and passive.
....
> I realize that this is a rather specific topology but it is an interesting
> and rather simple solution.

This might be simple from a technical standpoint, the first time out the chute. But it poses the same question addressed in Ian J-B's recent testament on build vs buy in security. How much is the lifecycle cost?

Moreover, there's a policy problem. Step back a minute and consider the fundamental objective: You're trying to protect information while transferring it across a set of communications devices. You have a policy statement that says the information must be protected, and describes the general measures that must be used.

In this case, the security measures are properties of the specific communications media being used. Thus, you cannot change those devices without revisiting and reevaluating your security policy, and the measures by which the policy is achieved. If you can guarantee that this evaluation and analysis will always occur, then the network is already under pretty good security control.

The real trouble is with traffic outside your region of control.
These security measures depend on properties of external connections ("We have a direct feed to Sprint's backbone"), but the functional behavior of the feed itself does _not_ depend on these properties. Here's the rub. If a network manager somewhere in the path changes the configuration, your traffic will still go through but your security posture will have invisibly changed. Maybe you can produce diagnostics or probe procedures to detect any such changes, but that doesn't sound like the right allocation of analytical resources. It becomes a losing race with patching a bad job.

Rick.
smith@sctc.com secure computing corporation

From firewalls-owner Fri Nov 3 13:56:35 1995
Message-Id: <199511032000.MAA08443@miles.greatcircle.com>
Date: Fri, 3 Nov 1995 14:59:37 -0500
From: gary flynn
To: firewalls@greatcircle.com
Subject: Success and thanks...re: OPIE on FWTK

Many thanks to all those who offered suggestions to me on how to get an SKEY-derived package integrated into FWTK on hpux. For various reasons, I've chosen to use the OPIE product and it seems to be working fine at this time. I have to clean up my kludged modifications and do more testing but I think I'm in the clear.

Thanks again,
gary

From firewalls-owner Fri Nov 3 14:24:49 1995
From: Bob Lanning
Message-Id: <199511032046.MAA00880@tidbit.fhda.edu.>
Subject: Re: idb.ar.com...the mystery continues
To: ggh14854@ussun2f.glaxo.com
Date: Fri, 3 Nov 1995 12:46:20 -0800 (PST)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: from "Gary Hull" at Nov 3, 95 08:48:13 am

---- As written by Gary Hull:
>
> Bob -- Yes, I realize that and I apologize for my rash reaction. Like
> me, you too were offering assistance to the list and I know it is
> appreciated. I also offer my apologies to the list membership
> as a whole. Yesterday was a bad day for me with my focus being on
> draining the swamp but the darn alligators wouldn't let me near
> the plug. Have a nice day!
>
> |/
> ---o0o-@@-o0o---------
>
> Gary G. Hull - Technical Consultant
> Howard Systems International - Glaxo Wellcome Inc.
> Five Moore Drive - Raleigh, North Carolina 27709
> Tel : (919) 941-4867 - Fax : (919) 248-2831
> email: ggh14854@ussun2f.glaxo.com
>
>

apology accepted. Just keep away from them alligator snouts! :)

--
Robert Hajime Lanning "It's the FROSTING!"
The opinions expressed here are not mine, nor are they anyone else's.
lanning@tidbit.fhda.edu <--for fun && for profit--> lanning@cup.hp.com

From firewalls-owner Fri Nov 3 14:26:09 1995
Date: Fri, 3 Nov 1995 14:39:25 -0500
To: mulligan@incog.com
From: jgs@aads.net (John G. Scudder)
Subject: Re: Man in the Middle Attacks (Over rated?)
Cc: firewalls@GreatCircle.COM, maillet@doc.cs.usm.maine.edu, Ted Doty, curtis@ans.net

Geoff,

At 11:03 AM 11/3/95, mulligan@future.incog.com wrote:
[...]
> This is sort of a cagey answer. Quite probably "no sniffer programs
> were ever installed on any NSFNET routers."

My message wasn't meant to be cagey. I'm sorry you found it too ambiguous. Try this: No sniffer programs were installed on any components of the NSFNET backbone.

> If they were pure routers and not general purpose machines running as
> routers I don't think you COULD install a sniffer, but this doesn't say
> that sniffers were not installed on other (non router) machines attached
> to the NSFNET backbone.

Since all the (then) NSFNET regionals and, by transitivity, the entire Internet was attached to the NSFNET backbone in some sense, it wouldn't make sense to make this claim if we are splitting hairs. But the point is that the NSFNET backbone service wasn't compromised. Your packets might have been sniffed getting there or away, as they transited other people's networks, but not as they crossed the NSFNET.
> I do know FOR A FACT that a sniffer program was installed on a machine
> attached to the BARRnet backbone and did sniff a huge number of
> passwords.

BARRnet's not the NSFNET backbone of course, so this doesn't prove anything.

Hopefully this message makes things clear to all but the most inveterate hair-splitters. If you want further clarification, perhaps we could take this to private email.

Regards,

--John Scudder

From firewalls-owner Fri Nov 3 14:27:31 1995
From: Rick Smith
Message-Id: <199511032007.OAA17966@shade.sctc.com>
Subject: Re: Tightening up SunOS 5.4 (was Re: Hardened OS)
To: mjc@quark.foobar.co.uk (Martin Cooper)
Date: Fri, 3 Nov 1995 14:07:08 -0600 (CST)
Cc: smith@sctc.com, firewalls@greatcircle.com
In-Reply-To: <199511031740.RAA23766@quark.foobar.co.uk> from "Martin Cooper" at Nov 3, 95 05:40:23 pm

> I'm happy that root is just a name for uid 0, but what about
> processes that need to be started at
> boot time? Will it be
> possible to run these at boot time without an entry for root in
> the password file, and without the setuid bits on executable
> binaries?

Actually, the term "root" is getting overloaded in this discussion. It has two fundamental properties of interest here: 1) it has uid 0, which is really necessary in most Unix systems, and 2) it can override lots of access protections on the system. We left in 1) and constrained 2) using our type enforcement mechanism. Some standard Unix systems try to get a similar effect with chroot, with varying degrees of success.

Rick.

> If it is, then this seems like a fine security measure for a
> bastion host.

I think the industry has proven there's a huge market for host systems with limited security. So we at least need to make strong firewalls.

Rick.
smith@sctc.com secure computing corporation

From firewalls-owner Fri Nov 3 14:28:53 1995
Date: Fri, 3 Nov 1995 11:40:37 -0800
From: Mike Murphy
Message-Id: <199511031940.LAA08495@visalia.optigfx.com>
To: scs@lokkur.dexter.mi.us
Subject: Re: None
Cc: firewalls@greatcircle.com

>From: Steve Simmons
>Subject:
>Re: None
>To: amgen!Yalda.Mirzai@uunet.uu.net (Yalda Mirzai)
>Date: Wed, 25 Oct 1995 21:22:47 -0400 (EDT)
>In-Reply-To: from "Yalda Mirzai" at Oct 25, 95 12:10:14 pm
>
>>Any philosophical thoughts regarding this issue in general?
>
>Yes, set up a bastion host and don't let vendors into your internal net.
>See the Zwicky and Chapman book.
>

From the viewpoint of a vendor ;-)

If you have net access and you let us in to do maintenance via the Internet, it is less expensive for you, and you get better service.

If you have dialin access and you let us in to do maintenance via the dialin, it is more expensive for us, takes more time, you get slightly less responsive service, and you pay slightly more.

If you decide not to let us into your system that we need to maintain unless we show up in person, you pay more... time, travel, and expenses. You may not get response that is as rapid as you might desire. Flights from point A to point B are generally not quite as quick as telnet. You may also not get a response from as knowledgeable a service person.

It is the choice of the customer, but the customer should be aware that a security policy defines tradeoffs that involve money.

--
Mike Murphy mrm@alpharel.com +1.619.625.3000 x265
ALPHAREL 9339 Carroll Park Drive San Diego, CA 92121
Any opinions above are mine and not those of my employer.
From firewalls-owner Fri Nov 3 14:30:20 1995
Message-Id: <199511031950.TAA26509@quark.foobar.co.uk>
Subject: Re: Anecdotes or Firewall/NetSec Jokes
To: alan@gi.net (Alan Hannan)
Date: Fri, 3 Nov 1995 19:50:35 +0000 (GMT)
From: "Martin Cooper"
Cc: firewalls@greatcircle.com
In-Reply-To: <199511031632.KAA08828@gaijin.mid.net> from "Alan Hannan" at Nov 3, 95 10:31:59 am

Alan Hannan wrote:
> I'll be speaking at a number of seminars in the next three weeks,
> and I think it would be nice to have some intelligent humorous
> jokes or anecdotes to start my talks off.
>
> If anyone has any good ones, I'd love to hear them, and I think
> the list members would benefit from their discussion.
>
> I can't recall any of mine (I'm sure there are) and the only one I
> remember is Marcus's one about some trading chairman listening to
> the security folks debate policy, and yelling "We will trade" and
> storming off.....
>
> I look forward to hearing from you, thanks!

Customer to ISP: Hello, is the Internet broken tonight?

----

Regarding a University sysadmin:

[snip]

Whilst reading a posting in [local newsgroup] in which the poster told of how he asked [the sysadmin] (aka. [login]/root/dude with long hair) when the news feed would resume, I quivered, quaked and generally spasmed that a lesser mortal would dare to approach the great one with such a trivial request.
It then struck upon me to impart the fourth year guide to requesting help from the long-haired one.

The trick, my dear friends, is in the glasses - more specifically, in the shade of the lenses. If, when you approach the door to effect that first inquisitive knock, you can only see the man's eyes through his shades, then you must seriously question the importance and validity of your request. *DO NOT PROCEED* under any circumstances if said request falls into any of the following categories:

* can you stop the printer printing that postscript file I just sent it
* i've just hit the reset button on my workstation
* what happened to those 30 .GIF files I had in my directory
* I'm sure somebody has already told you, but did you know that [hostname] has crashed

etc.

If you are lucky enough to chance upon the man whilst his face is devoid of his come-nearer scopes, you will be subjected to gentle ridicule, with a dose of dry humour and intellectually challenging conversation in a matey-matey sort of way and your request will be dealt with promptly and courteously.

HOWEVER - if the shades are soooo goddamn dark that you can see your own reflection in them, then forget it! Walk away. Live to fight another day and all that rather than face the wrath of Mr. [name]. We, quite simply, are not worthy!

Yours coweringly....

[snip]

Can't think of anything else particularly funny at the moment.
Martin
--
Martin Cooper http://www.foobar.co.uk/~mjc/ mjc@foobar.co.uk
Foobar Internet http://www.foobar.co.uk/ sales@foobar.co.uk
Phone: +44 (0)116 2330033 Fax: +44 (0)116 2330035
The Magazine Business Centre, Newarke Street, LEICESTER, LE1 5SS

From firewalls-owner Fri Nov 3 14:31:50 1995
From: Rick Smith
Message-Id: <199511031956.NAA17221@shade.sctc.com>
Subject: Re: What about the next 20 Java-like applications? ( was Re: Java)
To: ajack@corp.micrognosis.com (Adam Jack)
Date: Fri, 3 Nov 1995 13:56:19 -0600 (CST)
Cc: smith@sctc.com, firewalls@greatcircle.com
In-Reply-To: from "Adam Jack" at Nov 3, 95 10:23:45 am

Continuing my discussion with Adam Jack on Java:

> On Wed, 1 Nov 1995, Rick Smith wrote:
>
> > For the (broken) record, I think the Java developers did a fine job of
> > dealing with early '80s style security issues.
> > But they didn't get a
> > handle on the desktop security issues early enough in the HotJava
> > design.
> >
> Interesting comment. Please elaborate w/ some examples - privately,
> if you think this thread is noise or it is undue repetition.

The '80s security problem I'm referring to is the implementation of pcodes that defend themselves from programming errors (i.e. bad vectors or array offsets) or overt attempts at subversion. This is a software extension of the storage protection and multiple mode work in computer architectures to support multiprogramming, which dates back to the late '50s. I think the industry's understanding of such mechanisms really flowered in the late '70s and early '80s after having a variety of worked examples to review.

The unaddressed problem is that of running code from arbitrary sources on a workstation without threatening the workstation's integrity. They could have taken the easy way out and just fielded HotJava without functions that observe or modify workstation information -- pretty pictures, mousedowns and key presses, but no file reading. If HotJava only sent back stuff that was clearly and unambiguously provided to it by explicit user actions, then it presents a much smaller threat. Once they gave HotJava a way to read files the genie was out. Now it's like X-windows: only safe for certain on virtual private networks. At least that's how it looks right now.

> Java :
> Remember when Chuck McManis suggested the possibility of a firewall
> resident Java based applet-proxy? There would, of course, be overhead
> (but then downloading Java applets is slow so there is CPU idle time!)

Some form of that is going to happen eventually. The hard question will be one of policy: why let in one applet but not another? It will be tough to manage it on the basis of behavior (i.e. what functions does the applet use) since behavior could be masked through some elaborate chain of procedure inheritance.
That leaves authentication and decisionmaking based on whose digital signature vouches for the applet's behavior. Needs an infrastructure that's not deployed yet.

> > > .. How are firewalls going to deal with the next 20 Java's?
> >
> > The same way this one is dealt with: a refusal to throw caution to the
> > wind simply because it's Kool Stuff.
> >
> Cheap retort to a serious question. Do you expect the Internet to
> wait 'cos you imply they are being immature? People will push the
> boundaries to attempt to make money - that is business. What you might
> think of as Kool - may, to others, be big dollars. You (firewall
> security types) will need better arguments than yours above.

I think we were both drawing lines in the sand. You're right: that's the wrong way to fix the problem. The solutions will require teamwork, and the ability to deal with the whole universe of problems, not just functional ones nor just security ones.

> Some applications will be worthwhile - some will not be. Rick - I know you
> have taken time & effort to learn about Java - and I respect that choice of
> investment. However there is too much coming for individuals to
> continually keep abreast of.

The only reason I spent so much time on Java was because we had a client that was very, very interested in it, tho' not interested enough to fund a real security audit of it. But it represents a fundamental technological problem in computer security. Even if Java fails in the marketplace, the issues it raises will reappear.

> > I hate long postings.
> >
> BTW : Comments like this suit what purpose? Like above - if you want
> me to stop - give me a better reason.

Sorry, I was just letting off steam. My response just took longer to compose than I expected and I was late leaving for home.

Rick.
smith@sctc.com secure computing corporation

From firewalls-owner Fri Nov 3 14:33:18 1995
Date: Fri, 3 Nov 1995 15:34:37 -0600 (CST)
From: "Frank K. Senter"
To: firewalls@greatcircle.com
Subject: Replacing From: field

Could someone point me to instructions on altering the "From: user@myplace" field in outbound email? It doesn't make much sense for me to hide our naming structure with a dual DNS system around our firewall if outbound mail informs our readers of userids and hostnames.

Frank Senter
Senior Information Specialist
Missouri Highway and Transportation Department
P.O.
Box 270 Jefferson City MO 65102

From firewalls-owner Fri Nov 3 14:34:46 1995
From: Jon Whitton
Subject: Re: Anecdotes or Firewall/NetSec Jokes
To: Alan Hannan
Date: Fri, 3 Nov 1995 21:51:03 +0000 (GMT)
Cc: firewalls@greatcircle.com
In-Reply-To: <199511031632.KAA08828@gaijin.mid.net> from "Alan Hannan" at Nov 3, 95 10:31:59 am

>
> I'll be speaking at a number of seminars in the next three weeks,
> and I think it would be nice to have some intelligent humorous
> jokes or anecdotes to start my talks off.
>

How about Microsoft, they are the biggest joke going.

--
================================================================================
Jon Whitton.
Internet Address: jonw@mntcmp2.demon.co.uk
================================================================================
--

From firewalls-owner Fri Nov 3 14:36:39 1995
Message-Id: <9511032023.AA17237@blackgold.ab.ca>
Date: Fri, 03 Nov 1995 14:18:38 -0400
To: firewalls@greatcircle.com
From: Lachlan Bickley
Subject: Re: An *UN* UNIX Firewall

At 11:30 03/11/95 -0500, you wrote:
>My mailer told me that someone posted the following:
>
>>what are people using for software. we feel that gauntlet is a unix based
>>software product and we have very little unix knowledge. our network is either
>>pc/mac or ibm mainframe (VM/ESA). we do have a couple of applications on unix
>>but only 1 person to staff this area. a gateway application running on a unix
>>platform wouldn't be bad if it were a database application, requiring little
>>to no knowledge of unix.
>
>=========================================================================
>Then Padgett said:
>
>Unfortunately, what you want does not exist. Security, particularly Internet
>Insecurity, is different from RAC-F administration.
>
>While many firewalls are drawn from Unix backgrounds (though
>more precisely they use UNIX-like interfaces, rarely are they built on top
>of plain-jane UNIX), this is because most people who have the necessary
>background in the TCP/IP protocols and addressing used on the Internet
>to be able to set up a good firewall come from Unix backgrounds and are
>most familiar with that syntax.
>
>
>
>===========================================================================
>
>Now I'm saying:
>
>You should have a look at FireWall/Plus. This product is a DOS-Based
>firewall.
>
>*WAIT*...before you dismiss it by saying "How good can it be if it's DOS"
>you should know that it is much much more.
>
>FireWall/Plus is a "Stateful" packet filtering firewall. It is as robust as
>most UNIX based firewalls...in all cases easier to setup and manage...less
>costly to purchase and maintain...Filters and reports on frame level,
>transport level, application level, node level and even down to the byte
>level with no UNIX scripting by simply utilizing the most intuitive
>GUI...Blah Blah Blah
>
>Sorry for the sales pitch...but have a look at it on our home page and you
>can even down-load a copy and try from there as well.
>
>Good luck,
>Bob Russo
>
>

I don't recall seeing the first message on this list, however I thought that you might want to have a look at Blackhole from Milkyway (http://www.milkyway.com/). They have a UNIX firewall which comes with a front end GUI interface to add and modify any "rules" that you want to setup.

Just my two bits.

-------------------------------------------------------------------
TNC The Network Centre Ltd.
Internetworking Consultants & Service Providers
+++++++++++++++++++++++++++++++++++++++++++++++
Lachlan Bickley                 11211 76 Avenue
lbickley@tnc.com                Edmonton, Alberta, Canada T6G 0K2
(403)955-7166                   (403)470-7846-pager
-------------------------------------------------------------------

From firewalls-owner Fri Nov 3 17:56:26 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA16682 for firewalls-outgoing; Fri, 3 Nov 1995 17:30:23 -0800 (PST)
Received: from Disclosure.COM (di2.disclosure.com [205.156.194.11]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id RAA16607 for ; Fri, 3 Nov 1995 17:29:50 -0800 (PST)
Received: by Disclosure.COM (4.1/SMI-4.1) id AA08440; Fri, 3 Nov 95 20:32:48 EST
Date: Fri, 3 Nov 1995 20:32:46 -0500 (EST)
From: Scott Barman
To: Adam Jack
Cc: Rick Smith , firewalls@greatcircle.com
Subject: Re: What about the next 20 Java-like applications? ( was Re: Java)
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 3 Nov 1995, Adam Jack wrote:

> On Wed, 1 Nov 1995, Rick Smith wrote:
>
> > (third level references unattributed):
> > > Reassurance isn't a right! ...
> >
> > Competent firewall and security vendors do NOT subscribe to this
> > mindset. If a customer is concerned enough about security to seek a
> > quality product, they have every right to (re)assurance that the
> > protections they expect are in place. They deserve to know what
> > security measures are effective and deployed. They deserve evidence.
> >
> Precisely. Customers pay you to prove something. Sun aren't selling
> to you - they are testing a concept in good old Internet fashion
> - by letting 'net individuals do some of the leg work. Sun have
> made a lot of information available - it just takes time to ingest.

The problem is that they are not only testing it, they are test marketing it as well.
It is a topic in almost every sales pitch, press release, etc. One cannot have a talk with a Sun employee without Java being mentioned in the conversation--and sounding like the sales literature. Then I walk into a company and hear "oh neat, where can I get this Java thingy." All they know is what is put out by Sun's marketing machine, but they're out and ready to buy a non-existent product. Is this right?

I hate to say this, but Sun is doing to Java what M$ did to Windoze 95. Will it fizzle like Win95 has?

I also have a problem with this concept "in good old Internet fashion - by letting 'net individuals do some of the leg work." Oh really?? What a way to get cheap labor. Get everyone out there with two seconds free time to play with this and go "oooo neat!" instead of doing a proper evaluation. I think they would be better off hiring a few independent contractors (as in independent from Sun) to do a proper analysis on this from all aspects, including for security!

> I don't necessarily condone it (except maybe from a business
> standpoint) - but it is happening. And it will continue to ...

Just because Sun is doing it doesn't make it right!

> > Evolving attack methodologies also strain current firewall models,
> > even without throwing HotJava into the picture. Sites concerned about
> > security want finer grained awareness of what crosses their boundary.
> > It's not clear how we meet their needs and also pass applets. Magic
> > doesn't exist, and firewalls can't perform mathematical miracles.
> >
> I am not able to comment on other than Java - but your point seems
> very sound. Maybe one of the benefits of this Internet explosion
> will be heightened user awareness - and reduced requirement for
> transparency at the firewall. If users will accept a bit more pain
> for their functionality maybe the need for magic can be removed.

Don't count on it.
I am now talking to people (trying to sell my services :-) who do not know the first thing about the internet or internet security except what they read in Time or Newsweek (basically). It is amazing the look of shock and fear when I explain what is really going on and shove a few examples under their noses.

I don't know why I keep arguing this point, especially since I just installed a firewall for a customer whose systems were hacked into. I'm making a good living. I guess I'm just tired of the mop-up role.

> > >.. How are firewalls going to deal with the next 20 Java's?
> >
> > The same way this one is dealt with: a refusal to throw caution to the
> > wind simply because it's Kool Stuff.
> >
> Cheap retort to a serious question. Do you expect the Internet to
> wait 'cos you imply they are being immature? People will push the
> boundaries to attempt to make money - that is business. What you might
> think of as Kool - may, to others, be big dollars. You (firewall
> security types) will need better arguments than yours above.

I don't think it's a cheap retort, I think it's a valid answer! Why should I just open my (virtual) doors and allow the (net) traffic in if I cannot trust it, just because it's neat and wonderful? I think horses are neat and wonderful animals, but I'm not going to let one in my house! (POINT: Even the best of intentions have their consequences)

> Some applications will be worthwhile - some will not be. Rick - I know you
> have taken time & effort to learn about Java - and I respect that choice of
> investment. However there is too much coming for individuals to
> continually keep abreast of. Live by information, die by ignorance.

It is the responsibility of the person who has to guard the door to understand the threats. Watching over this, security and systems, is more than a full time job. This is where this list comes in, to help keep those of us who require this information up to date.
I've had no problems keeping up--well, maybe I should s/no/only a few/ !! :-)

scott barman
--
scott barman             DISCLAIMER: I speak to anyone who will listen,
scott@disclosure.com     and I speak only for myself.
barman@ix.netcom.com
"I don't know if security explains why the Win95 support Web servers run BSDI 2.0--an Intel-based Unix--rather than Windows NT, which Microsoft insists is the ideal Web software solution. Does Redmond know something we don't know?" -Robert X. Cringely, INFOWORLD, 9/11/95

From firewalls-owner Fri Nov 3 18:24:00 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id SAA18216 for firewalls-outgoing; Fri, 3 Nov 1995 18:08:02 -0800 (PST)
Received: from research.att.com (research.att.com [192.20.225.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id SAA18209 for ; Fri, 3 Nov 1995 18:07:59 -0800 (PST)
From: smb@research.att.com
Message-Id: <199511040207.SAA18209@miles.greatcircle.com>
Date: Fri, 3 Nov 95 21:06:53 EST
To: firewalls@greatcircle.com
Subject: defending against sequence number attacks
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Folks on this list may want to retrieve draft-rfced-info-bellovin-00.txt from their favorite internet-drafts directory. It describes a simple change to TCP servers that provides strong protection against sequence number guessing attacks.
--Steve Bellovin

From firewalls-owner Fri Nov 3 18:52:57 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id SAA18116 for firewalls-outgoing; Fri, 3 Nov 1995 18:04:26 -0800 (PST)
Received: from TIS.COM (neptune.tis.com [192.94.214.96]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id SAA18109 for ; Fri, 3 Nov 1995 18:04:23 -0800 (PST)
Received: from relay.tis.com by neptune.TIS.COM id aa27763; 3 Nov 95 20:50 EST
Received: from sol.tis.com(192.33.112.100) by relay.tis.com via smap (g3.0.1) id xma010223; Fri, 3 Nov 95 20:29:44 -0500
Received: by tis.com (4.1/SUN-5.64) id AA26787; Fri, 3 Nov 95 20:50:00 EST
Date: Fri, 3 Nov 95 20:50:00 EST
From: Frederick M Avolio
Message-Id: <9511040150.AA26787@tis.com>
To: firewalls@greatcircle.com, fsenter@mail.state.mo.us
Subject: Re: Replacing From: field
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Get a fine sendmail book such as SENDMAIL: THEORY AND PRACTICE (Digital Press, ISBN 1-55558 127 7). You can also check out the sendmail.cf that (I think) is supplied with the FWTK. You can check out the book's sendmail.cf in users/avolio/book.cf on ftp.tis.com.

fred

From firewalls-owner Fri Nov 3 19:20:08 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id SAA19461 for firewalls-outgoing; Fri, 3 Nov 1995 18:45:13 -0800 (PST)
Received: from colt.milepost.com (colt.milepost.com [164.57.50.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id SAA19454 for ; Fri, 3 Nov 1995 18:45:08 -0800 (PST)
Received: (from phil@localhost) by colt.milepost.com (8.6.12/8.6.9) id UAA08423; Fri, 3 Nov 1995 20:43:04 -0600
From: Phil Howard
Message-Id: <199511040243.UAA08423@colt.milepost.com>
Subject: Re: mountd Security
To: morph_1@netaxs.com (W0W!@# ELYTENESS#@!)
Date: Fri, 3 Nov 1995 20:43:04 -0600 (CST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "!"
at Nov 3, 95 04:06:59 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Well the firewall itself isn't in question, it's the fact that mountd is
> running between the machines that have users on them inside the firewall,
> is there any security problem with running mountd that can be locally
> exploited? If there is then i would just disable the daemon; not exporting
> anything necessary at this point. Limiting access would work too, but first
> I wanted to establish if much of a risk exists.
> As far as what's being exported goes, it's only (rw) filesystems to the
> machines inside the firewall.

Your inside users could take advantage of the mountd. Maybe they won't. If you trust those users, then you don't need to worry about them. IP addresses can be faked. Userids can be faked from machines where someone has root access or physical machine access.

Security comes from a combination of trust and distrust that is correctly attributed. If you know correctly who you can trust and who you cannot trust, you will do the right thing, given the right information.

I have found a situation where I was exporting a filesystem ro to all hosts and rw to two hosts. However, it turned out that all hosts had rw. I do not know what was wrong, and because it wasn't anything important, I just removed it all and never investigated.
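The draft Steve Bellovin points to above (draft-rfced-info-bellovin-00, later published as RFC 1948) replaces the single global initial-sequence-number counter with a per-connection one: ISN = M + F(localhost, localport, remotehost, remoteport, secret), where M is the usual clock-driven counter and F is a keyed one-way hash. The block below is an added illustration written for this archive, not code from the draft or from any list message; the 4.2BSD-style increments, the 4 microsecond tick, the addresses, ports and secret are all constructed for the demonstration. It shows why the spoofing attacker's classic move (open a real connection, read its ISN, add the known per-connection increment) works against the global counter and fails against the keyed form.

```python
"""Global-counter ISNs versus per-connection keyed ISNs (RFC 1948 style).

Added example: every constant, address and secret here is constructed
for the demonstration, not taken from the draft or the list message.
"""
import hashlib
import ipaddress
import struct

TICKS_PER_SEC = 250_000      # RFC 1948's 4-microsecond clock, in ticks per second
BSD_PER_SEC = 128_000        # classic 4.2BSD counter: +128000 per second ...
BSD_PER_CONN = 64_000        # ... and +64000 every time a connection is opened

SERVER = ("10.0.0.1", 513)      # constructed: rlogin server under attack
TRUSTED = ("10.0.0.2", 1023)    # constructed: host the server trusts via .rhosts
ATTACKER = ("192.0.2.9", 1023)  # constructed: attacker's own, routable address


class LegacyISN:
    """One global sequence space: the connection's 4-tuple is ignored."""

    def __init__(self):
        self.counter = 0
        self.last_clock = None

    def next_isn(self, laddr, lport, raddr, rport, clock_sec):
        elapsed = 0.0 if self.last_clock is None else clock_sec - self.last_clock
        self.last_clock = clock_sec
        self.counter = (self.counter + int(elapsed * BSD_PER_SEC) + BSD_PER_CONN) & 0xFFFFFFFF
        return self.counter


class KeyedISN:
    """ISN = M + F(laddr, lport, raddr, rport, secret).

    M still advances with the clock, so a reopened connection never reuses
    old sequence numbers, but each 4-tuple sits at its own secret offset."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def _f(self, laddr, lport, raddr, rport):
        data = (ipaddress.ip_address(laddr).packed + struct.pack("!H", lport)
                + ipaddress.ip_address(raddr).packed + struct.pack("!H", rport)
                + self.secret)
        # MD5 as in the draft; any keyed one-way function would serve.
        return int.from_bytes(hashlib.md5(data).digest()[:4], "big")

    def next_isn(self, laddr, lport, raddr, rport, clock_sec):
        m = int(clock_sec * TICKS_PER_SEC) & 0xFFFFFFFF
        return (m + self._f(laddr, lport, raddr, rport)) & 0xFFFFFFFF


def spoof_attempt(gen, clock_sec=1000.0):
    """Model the sequence-number guessing attack against generator `gen`.

    The attacker first opens a genuine connection from ATTACKER and reads the
    ISN in the server's SYN/ACK, then at once sends a SYN forged from TRUSTED.
    The SYN/ACK for that one goes to TRUSTED, not to the attacker, so the
    attacker must guess its ISN blind; the 4.2BSD rule is "what I just saw,
    plus one connection's increment". Returns (guess, actual ISN sent to TRUSTED).
    """
    observed = gen.next_isn(*SERVER, *ATTACKER, clock_sec)
    guess = (observed + BSD_PER_CONN) & 0xFFFFFFFF
    actual = gen.next_isn(*SERVER, *TRUSTED, clock_sec)
    return guess, actual


if __name__ == "__main__":
    for name, gen in (("4.2BSD counter", LegacyISN()),
                      ("RFC 1948 keyed", KeyedISN(b"constructed-boot-time-secret"))):
        guess, actual = spoof_attempt(gen)
        verdict = "HIJACK SUCCEEDS" if guess == actual else "guess wrong"
        print(f"{name:15s} guess={guess:#010x} actual={actual:#010x}  {verdict}")
```

The keyed generator is still monotonic per 4-tuple (two calls one second apart differ by exactly TICKS_PER_SEC), which is what keeps old segments from a previous incarnation of the same connection from being accepted; only the offset between different 4-tuples is hidden.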
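Phil Howard's ro-to-everyone, rw-to-two-hosts export that turned out read-write for every host went uninvestigated, so its cause is unknown. One way to get exactly that result on a Linux nfs-utils /etc/exports (an assumption about the platform; the message names none) is a space between a client name and its option list: exports(5) then treats the bare name as a client with default options and the parenthesised list as a separate entry for '*', everyone. The checker below is an added example, not from the list, and the exports lines in it are constructed.

```python
"""Parse /etc/exports the way exports(5) does and flag world-writable exports.

Added example with a constructed exports file; it models Linux nfs-utils
syntax, which is an assumption (the list message does not name the OS).
"""
import re

SAMPLE_EXPORTS = """\
# constructed /etc/exports for the demonstration
/export/docs    *(ro)
/export/home    ws1.internal(rw) ws2.internal(rw) *(ro)
/export/oops    ws1.internal (rw)
/export/build   ws1.internal(rw,no_root_squash)
"""

# client name (may be empty), optionally followed by a parenthesised option list
SPEC_RE = re.compile(r"([^()]*)(?:\(([^)]*)\))?")


def parse_exports(text):
    """Return (path, client, options) triples, one per client spec.

    The trap this reproduces: "ws1.internal (rw)" splits into two specs,
    'ws1.internal' with default options and '(rw)' with an empty client
    part, which exports(5) treats as '*' (every host)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            client, opts = SPEC_RE.fullmatch(spec).groups()
            if client == "":
                client = "*"
            options = set(opts.split(",")) if opts else set()
            entries.append((path, client, options))
    return entries


def audit(entries):
    """Return (path, client, problem) triples for entries worth a second look."""
    findings = []
    for path, client, options in entries:
        everyone = client == "*" or client.startswith("*.")
        if everyone and "rw" in options:
            findings.append((path, client, "read-write to every host"))
        if "no_root_squash" in options:
            findings.append((path, client, "remote root is root on this export"))
    return findings


if __name__ == "__main__":
    entries = parse_exports(SAMPLE_EXPORTS)
    for path, client, options in entries:
        print(f"{path:15s} {client:15s} {','.join(sorted(options)) or '(defaults)'}")
    for path, client, problem in audit(entries):
        print(f"WARNING {path} [{client}]: {problem}")
```

Run against the real file (`parse_exports(open('/etc/exports').read())`) the same audit answers the question Howard never got to: which entry actually granted rw to everybody.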
From firewalls-owner Fri Nov 3 19:22:17 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA17756 for firewalls-outgoing; Fri, 3 Nov 1995 17:54:38 -0800 (PST)
Received: from Disclosure.COM (di2.disclosure.com [205.156.194.11]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id RAA17749 for ; Fri, 3 Nov 1995 17:54:34 -0800 (PST)
Received: by Disclosure.COM (4.1/SMI-4.1) id AA08487; Fri, 3 Nov 95 20:57:23 EST
Date: Fri, 3 Nov 1995 20:57:23 -0500 (EST)
From: Scott Barman
To: Mike Murphy
Cc: scs@lokkur.dexter.mi.us, firewalls@greatcircle.com
Subject: Re: None
In-Reply-To: <199511031940.LAA08495@visalia.optigfx.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 3 Nov 1995, Mike Murphy wrote:

> From the viewpoint of a vendor ;-)

(good description of the vendor's point of view regarding maintenance via various means deleted)

> It is the choice of the customer, but the customer should be
> aware that a security policy defines tradeoffs that involve
> money.
> --
> Mike Murphy mrm@alpharel.com +1.619.625.3000 x265
> ALPHAREL 9339 Carroll Park Drive San Diego, CA 92121
> Any opinions above are mine and not those of my employer.

I wish every vendor had your outlook on this!

I just had a very well known vendor request access via the internet (not here) to fix a problem. When this person (a former customer) asked me what I thought about it, we had a discussion and he decided to find an alternative. So I set up a modem on a system to allow the vendor to come in using PPP. I turned IP forwarding off, the DNS was disabled, and the /etc/hosts file was empty. For all practical purposes, it was an isolated system. This was also the production system which we were taking off line!

I was called everything from a jerk to a jack*ss by the manager of technical support for this large vendor and wondered why we didn't trust them.
He told me that this setup was unacceptable. When the lawyers were finished with the "breach of contract" spiel, they logged in and fixed the problem.

Funny thing, though. The person who logged in did some interesting things. Looked at the /etc/passwd file (which was cut down quite a bit), tried to look at the /etc/shadow file, found the /etc/hosts, tried various nis* commands to check the network copies out, and did a netstat (to see where the connections were from). I can see doing things like who, ls and w--I do those as a nervous-like thing while thinking. But why try to get this information? Good thing he didn't run a ps to see I was not running a standard shell. I was running a modified "script" and saved all the output. The output was sent via FedEx to the tech support manager who promptly wrote a letter of apology.

MORAL OF THIS STORY (can be summed up by paraphrasing an old joke): How does one business man tell another business man f**k you? TRUST ME!

scott barman
--
scott barman             DISCLAIMER: I speak to anyone who will listen,
scott@disclosure.com     and I speak only for myself.
barman@ix.netcom.com
"I don't know if security explains why the Win95 support Web servers run BSDI 2.0--an Intel-based Unix--rather than Windows NT, which Microsoft insists is the ideal Web software solution. Does Redmond know something we don't know?" -Robert X.
Cringely, INFOWORLD, 9/11/95

From firewalls-owner Fri Nov 3 19:23:34 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA17630 for firewalls-outgoing; Fri, 3 Nov 1995 17:52:49 -0800 (PST)
Received: from netcom.netcom.com (netcom.netcom.com [192.100.81.100]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id RAA17612 for ; Fri, 3 Nov 1995 17:52:42 -0800 (PST)
Received: by netcom.netcom.com (8.6.12/Netcom) id RAA13876; Fri, 3 Nov 1995 17:52:00 -0800
Date: Fri, 3 Nov 1995 17:51:59 -0800 (PST)
From: Bob Bosen
Subject: SafeWord new www page
To: Mark_W_Loveless@smtp.bnr.com
cc: firewalls@greatcircle.com
In-Reply-To: <9509308150.AA815091475@smtp.bnr.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

All this discussion about sniffers has prompted me to accelerate the following announcement:

Enigma Logic's www page, under development for the past several weeks, is now up and running at:

http://www.safeword.com

It has a lot of links to firewall-related stuff, and offers the ability to instantly download free demonstration versions of SafeWord's software-based, non-replayable dynamic password system. This is not full encryption, but it offers very good protection against unauthorized break-ins, even if sniffers are capturing and compromising conventional passwords. It has interfaces to TACACS, TACACS+, RADIUS, and to several commercial and/or public-domain firewall packages.

This web page is still under development, and I don't know for sure how our 128K ISDN link will stand up to the strain if everybody tries to access at once, but I'd like to get some feedback. I hope you like it.

Bob Bosen
Enigma Logic Inc.
2151 Salvio St.
#301
Concord, CA 94520 USA
Tel: +1 510 827-5707
Internet: bbosen@netcom.com
anonymous ftp archives: ftp.safeword.com /pub/Safeword
**************************************************************************
* "It wasn't me!!! Somebody must have captured my username/password!!!" *
**************************************************************************

On Mon, 30 Oct 1995 Mark_W_Loveless@smtp.bnr.com wrote:

> 1 - You assume Unix in most cases. Non-IP cards can still get stuff,
> even from IP stations, when in promiscuous mode. You're talking raw
> packets here.
>
> 2 - Most cards have built into them the ability to report total
> packets received (and passed up the OSI chain). These usually are not
> protocol dependent. Certain IPX calls can retrieve this data (the IPX
> Responder code, used for diagnostics).
>
> 3 - Bay Systems 5000 concentrators can detect and PARTITION OFF an
> unauthorized sniffer.
>
> Mark
>
>
> ______________________________ Reply Separator _________________________________
> Subject: Re: How protect against sniffers?
> Author: mcn@EnGarde.com at internet
> Date: 10/29/95 11:21 PM
>
>
> In article you
> write:
> >
> >>> in these days I've found several students using sniffers programs...How can I
> >>> protect my systems? Can you suggest me any source of informations about
> >>> sniffers programs?
>
> >Kerberos and S/key makes sniffing more or less obsolete.
> >In addition you could code a program to scan for a promiscuous mode and
> >alert the admins if found..
>
> Kerberos and S/Key (or smartcards) do *NOT* make sniffing obsolete. See
>
> http://www.engarde.com/software/ipwatcher
>
> for a product which (while not its intended purpose) can hijack S/Key or
> Kerberos authenticated sessions.
>
> Full encryption or packet-level authentication is the only way to go, and
> this will continue to be the case for the foreseeable future. There are several
> good packages which will help protect from sniffing and the IP spoofing family
> of attacks.
>
> 1) Kerberos: but MAKE SURE Encryption is not only the default, but it's
> enforced. Unfortunately, Kerberos (and its related tools) seem to only turn
> on encryption if the user specifies some obscure flag (which is most likely
> rarely the case). The latest telnet daemon (94.02.07) allows the admin to
> force all incoming connections to be encrypted and authenticated. This is
> a step in the right direction!
> ftp://aeneas.mit.edu/pub/kerberos{README.KRB4, README.KRB5_BETA5}
>
> 2) STEL: This was probably the first stand-alone encryption connection package
> out, and looked promising at the time. A paper was presented on it at Usenix
> '95, and it went through the proper beta-testing cycle. (It had around 100
> very reputable people looking through the source). After Usenix, updates
> to STEL seemed to stop...
> ftp://idea.sec.dsi.unimi.it/pub/security/cert-it/{STEL.ps, f95_stel.ps, stel}
>
> 3) SSH: This has a lot more features than STEL and the author is very
> responsive if any problems are found. Fortunately (or unfortunately), many are.
> I remember one weekend when 3 versions were released in a matter of hours.
> :-) I'd definitely suggest picking this package up--it supports encrypted
> X displays among other nice things.
> ftp://ftp.cs.hut.fi/pub/ssh/{README, ssh-1.2.0.tar.gz}
>
> As for more information on sniffers, Chris Klaus occasionally posts a
> sniffer FAQ to the comp.security.* newsgroups.
> http://www.iss.net/iss/addsec.html
>
> Hope that's helpful!
>
> -Mike Neuman
> mcn@EnGarde.com
> http://www.engarde.com
>
>

From firewalls-owner Fri Nov 3 19:25:56 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id SAA19914 for firewalls-outgoing; Fri, 3 Nov 1995 18:55:39 -0800 (PST)
Received: from akasha.tic.com (akasha.tic.com [192.135.128.129]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id SAA19906 for ; Fri, 3 Nov 1995 18:55:35 -0800 (PST)
From: smoot@tic.com
Received: from xfrsparc.tic.com by akasha.tic.com (8.7.1/akasha.1.21) id UAA20128; Fri, 3 Nov 1995 20:55:45 -0600 (CST)
Received: from localhost by xfrsparc.tic.com (8.7.1/sub.1.6) id UAA21606; Fri, 3 Nov 1995 20:54:47 -0600 (CST)
Message-Id: <199511040254.UAA21606@xfrsparc.tic.com>
To: firewalls@greatcircle.com
Subject: Re: Replacing From: field
In-reply-to: Your message of "Fri, 03 Nov 95 15:34:37 CST."
Date: Fri, 03 Nov 95 20:54:46 -0600
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Could someone point me to instructions on altering the "From:
>user@myplace" field in outbound email? It doesn't make much sense for me
>to hide our naming structure with a dual DNS system around our firewall if
>outbound mail informs our readers of userids and hostnames.

With sendmail it is fairly easy, if cryptic. You also need to rip out the Received: lines in the message header, if you really want to hide internal names. Here is a mailer which replaces user@internalhost.domain with user@domain. The D macro is the site's domain.
Mtcp, P=[IPC], F=msDFMuX, S=22, R=22, A=IPC $h, E=\r\n

S22
R$*<@$+>$*	$@$1<@$2>$3
R$+		$@$1<@$D>

~

From firewalls-owner Fri Nov 3 22:52:50 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id WAA25951 for firewalls-outgoing; Fri, 3 Nov 1995 22:36:33 -0800 (PST)
Received: from ns.iij.ad.jp (ns.iij.ad.jp [192.244.176.33]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id WAA25932 for ; Fri, 3 Nov 1995 22:36:28 -0800 (PST)
Received: from shiosai.iij.ad.jp (shiosai.iij.ad.jp [192.244.176.35]) by ns.iij.ad.jp (8.6.12+2.4W/3.3W9-NS) with SMTP id PAA22590; Sat, 4 Nov 1995 15:36:29 +0900
Message-Id: <199511040636.PAA22590@ns.iij.ad.jp>
To: mulligan@incog.com
cc: firewalls@GreatCircle.COM
Subject: Re: Man in the Middle Attacks (Over rated?)
In-reply-to: Your message of "Fri, 03 Nov 1995 11:03:05 MST." <9511031803.AA09630@future.incog.com>
Date: Sat, 04 Nov 1995 15:36:29 +0900
From: David R Conrad
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>I do know FOR A FACT that a sniffer program was installed on a machine
>attached to the BARRnet backbone and did sniff a huge number of
>passwords.

Just so people don't think BARRNet was the only organization burnt by this, let me assure you they weren't. There was a rash of break-ins a while back (a year or so ago?) in which several very large ISPs in the US (and likely elsewhere) were compromised, not just once but several times. There is a reason the major backbone providers have a *severe* allergic reaction to put
ting any type of general purpose host on the MAEs or NAPs (the RA machines are, as I understand it, on their own ethernet leg off the NAPs).
One interesting aspect of this was some ISPs told their customers that their passwords had a very high probability of being compromised, but the ISPs couldn't be positive: after a few attacks where the sniffers kept the passwords in plaintext on disk, the sniffers evolved to encrypt the collected password files so the ISP, when they did discover their backbone was being sniffed, had no idea which of their customers were compromised.

Of course, some ISPs didn't tell their customers, so the fact that people know BARRNet had been compromised can be seen to speak very highly of the integrity of BARRNet's personnel...

Regards,
-drc

P.S. I believe the NSFNet routers were general purpose Unix machines (IBM RS6000s) with high speed serial interfaces.

From firewalls-owner Sat Nov 4 03:22:51 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id DAA02467 for firewalls-outgoing; Sat, 4 Nov 1995 03:07:36 -0800 (PST)
Received: from emerald.fibronics.co.il (emerald.fibronics.co.il [192.114.66.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id DAA02460 for ; Sat, 4 Nov 1995 03:07:23 -0800 (PST)
Received: by emerald.fibronics.co.il id AA02526 (5.65c/IDA-1.4.4 for firewalls@greatcircle.com); Sat, 4 Nov 1995 13:08:46 +0200
From: "Maxim A. Guzman"
Message-Id: <199511041108.AA02526@emerald.fibronics.co.il>
Subject: One-Time passwords
To: firewalls@greatcircle.com
Date: Sat, 4 Nov 1995 13:08:45 +0200 (IST)
X-Mailer: ELM [version 2.4 PL24 PGP3 *ALPHA*]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I want to use one-time passwords at my site. I don't want any "hardware", like cryptographic calculators, etc. Instead, I want to print a list of challenge/response pairs and give it to the user who wants to connect from a remote site. Can anyone point me to the freeware resources list related to my needs?

Thanks in advance.
---
Regards, Maxim "Maguz".
+--------------------------------------------------------------------------+
| Maxim "Maguz" Guzman               UNIX System and Network manager       |
| Internet: maguz@fibronics.co.il    Fibronics Ltd.                        |
| Phone/Fax: +972-9-840556           Haifa, Israel                         |
+--------------------------------------------------------------------------+

From firewalls-owner Sat Nov 4 05:25:02 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id EAA04036 for firewalls-outgoing; Sat, 4 Nov 1995 04:59:11 -0800 (PST)
Received: from gold.uni-miskolc.hu (golde.uni-miskolc.hu [193.6.10.1]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id EAA04028 for ; Sat, 4 Nov 1995 04:59:04 -0800 (PST)
Received: from zeus.iit.uni-miskolc.hu by gold.uni-miskolc.hu (AIX 3.2/UCB 5.64/4.03) id AA58808; Sat, 4 Nov 1995 13:55:11 GMT
Received: from indwgy.iit.uni-miskolc.hu by zeus.iit.uni-miskolc.hu via ESMTP (940816.SGI.8.6.9/940406.SGI) id NAA21217; Sat, 4 Nov 1995 13:56:29 -0800
Received: by indwgy.iit.uni-miskolc.hu (940816.SGI.8.6.9/940406.SGI.AUTO) id NAA13032; Sat, 4 Nov 1995 13:58:46 -0800
Date: Sat, 4 Nov 1995 13:58:33 -0800 (PST)
From: Wagner Gyorgy
To: goertzek@wangfed.com
Cc: firewalls@GreatCircle.COM
Subject: Re: idb.ar.com...the mystery continues
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Karen:

> For those that are wondering, several listers have tried the same URL I did,
>
> with the following variety of results:
> User #1: "I get a 'server not responding' when I try this."
>
> User #2: "I tried accessing http://idb.ar.com and got 'Remote server
> down or not responding.'"
>
> ...

I tried traceroute to this node. My results:

 1  193.6.4.254 (193.6.4.254)  2 ms (ttl=30!)  2 ms (ttl=30!)  2 ms (ttl=30!)
 2  193.6.14.125 (193.6.14.125)  2 ms (ttl=29!)  2 ms (ttl=29!)  2 ms (ttl=29!)
 3  hbone.uni-miskolc.hu (193.6.10.240)  2 ms  2 ms  2 ms
 4  vhb.iif.hu (193.6.21.58)  60 ms  85 ms  35 ms
 5  vha.iif.hu (192.84.229.61)  26 ms  38 ms  26 ms
 6  mta.iif.hu (193.6.206.13)  33 ms  29 ms  29 ms
 7  mtb.iif.hu (193.6.206.18)  33 ms  *  30 ms
 8  Vienna-EBS1.Ebone.NET (192.121.159.89)  324 ms  703 ms  812 ms
 9  Paris-EBS2.Ebone.net (192.121.156.17)  758 ms  *  696 ms
10  Stockholm-ebs.ebone.net (192.121.154.21)  687 ms  306 ms  334 ms
11  Stockholm-DGIX.nordu.net (194.68.128.24)  282 ms  *  705 ms
12  icm-gw.nordu.net (192.36.148.193)  924 ms (ttl=243!)  *  *
13  icm-uk-1-H1/0-5M.icp.net (198.67.131.41)  985 ms (ttl=244!)  *  *
14  icm-pen-2-H2/0-T3.icp.net (198.67.131.25)  890 ms (ttl=245!)  969 ms (ttl=24
15  icm-dc-2b-H0/0-5M.icp.net (198.67.131.17)  995 ms (ttl=246!)  930 ms (ttl=246!)  676 ms (ttl=246!)
16  icm-dc-1-F0/0.icp.net (198.67.131.36)  731 ms (ttl=245!)  620 ms (ttl=245!)  *  *
17  icm-mae-e-H1/0-T3.icp.net (198.67.131.9)  1002 ms (ttl=244!)  847 ms (ttl=244!)  *
18  mae-east.agis.net (192.41.177.145)  780 ms (ttl=243!)  833 ms (ttl=243!)  *
19  santaclara.agis.net (204.130.243.34)  1071 ms (ttl=242!)  843 ms (ttl=242!
20  InterNex-T1.agis.net (205.137.63.34)  732 ms (ttl=242!)  993 ms (ttl=242!)  822 ms (ttl=242!)  *
21  area-1-rtr-S0-inex.InterNex.Net (205.158.1.14)  840 ms (ttl=240!)  1031 ms
22  webfarm-1-rtr-fddi.InterNex.Net (205.158.0.5)  941 ms (ttl=240!)  1001 ms (ttl=240!)  1028 ms (ttl=240!)  *
23  ibd.ar.com (199.2.25.111)  870 ms (ttl=239!)  976 ms (ttl=239!)
Regards: Gyorgy Wagner
email: gyuri@indwgy.iit.uni-miskolc.hu

From firewalls-owner Sat Nov 4 07:53:00 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id HAA05590 for firewalls-outgoing; Sat, 4 Nov 1995 07:50:50 -0800 (PST)
Received: from incog.com (ns.incog.com [199.190.177.251]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id HAA05583 for ; Sat, 4 Nov 1995 07:50:48 -0800 (PST)
From: mulligan@future.incog.com
Received: from coslabs.incog.com by incog.com (SMI-8.6/94082501) id HAA20521; Sat, 4 Nov 1995 07:49:33 -0800
Received: from future.incog.com by coslabs.incog.com (5.x/SMI-SVR4) id AA18108; Sat, 4 Nov 1995 08:50:31 -0700
Received: from future (localhost) by future.incog.com (5.x/SMI-SVR4) id AA11238; Sat, 4 Nov 1995 08:50:29 -0700
Message-Id: <9511041550.AA11238@future.incog.com>
To: jgs@aads.net (John G. Scudder)
Cc: mulligan@incog.com, firewalls@GreatCircle.COM, maillet@doc.cs.usm.maine.edu, Ted Doty , curtis@ans.net
Subject: Re: Man in the Middle Attacks (Over rated?)
Reply-To: mulligan@incog.com
In-Reply-To: Your message of "Fri, 03 Nov 1995 14:39:25 EST."
Date: Sat, 04 Nov 1995 08:50:29 -0700
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

John,

John Scudder wrote:
> At 11:03 AM 11/3/95, mulligan@future.incog.com wrote:
> >This is sort of a cagey answer. Quite probably "no sniffer programs
> >were ever installed on any NSFNET routers."
>
> My message wasn't meant to be cagey. I'm sorry you found it too ambiguous.
> Try this: No sniffer programs were installed on any components of the
> NSFNET backbone.

I'm sure that you weren't trying to be cagey in your answer. I just thought that the wording used was interesting and unnecessarily limited the scope of the statement.
geoff

From firewalls-owner Sat Nov 4 08:22:51 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA05866 for firewalls-outgoing; Sat, 4 Nov 1995 08:08:56 -0800 (PST)
Received: from count01.mry.scruznet.com (count01.mry.scruznet.com [204.147.227.65]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id IAA05859 for ; Sat, 4 Nov 1995 08:08:53 -0800 (PST)
From: firewalls@count01.mry.scruznet.com
Received: from count01.mry.scruznet.com (localhost [127.0.0.1]) by count01.mry.scruznet.com (8.7.1/8.7.1) with ESMTP id HAA03975 for ; Sat, 4 Nov 1995 07:59:23 -0800 (PST)
Message-Id: <199511041559.HAA03975@count01.mry.scruznet.com>
To: firewalls@greatcircle.com
Subject: Active Spoofing, Sequence Attacks, Infrastructure attacks Re: SafeWord new www page
In-reply-to: Your message of "Fri, 03 Nov 1995 17:51:59 PST."
Date: Sat, 04 Nov 1995 07:59:23 -0800
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Unfortunately the OTP card vendors just haven't gotten a clue yet. Safeword, SNK, Enigma, S/key, SecurID, OPIE etc ad NAUSEAM.. All of these NON-encrypted methodologies have been obsolete as soon as the general hacker community learned about sequence number prediction and session hijacks (whether through attacks on the routing protocol infrastructure and/or combinational attacks with techniques like active spoofing).

For those of us on the HOT seat (designing and building Internet Firewalls) WE ARE NOT serving our customer base best by recommending technologies which are at present being actively subverted. The ONLY ethical action from MY point of view is to use programs and protocols like SKIP, ssh1.2 and others (ESM, Ctcp). A lot of these may be right on the bleeding edge but they can be had and used.
cheers
anon

From firewalls-owner Sat Nov 4 08:52:51 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA06121 for firewalls-outgoing; Sat, 4 Nov 1995 08:38:15 -0800 (PST)
Received: from access.netaxs.com (access.netaxs.com [198.69.186.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id IAA06114 for ; Sat, 4 Nov 1995 08:38:11 -0800 (PST)
Received: from unix3.netaxs.com (morph_1@unix3.netaxs.com [198.69.186.5]) by access.netaxs.com (8.6.12/8.6.11) with ESMTP id LAA08871; Sat, 4 Nov 1995 11:38:13 -0500
Received: (morph_1@localhost) by unix3.netaxs.com (8.6.12/8.6.9) id LAA27265; Sat, 4 Nov 1995 11:38:09 -0500
Date: Sat, 4 Nov 1995 11:38:08 -0500 (EST)
From: "W0W!@# ELYTENESS#@!"
To: Phil Howard
cc: firewalls@GreatCircle.COM
Subject: Re: mountd Security
In-Reply-To: <199511040243.UAA08423@colt.milepost.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 3 Nov 1995, Phil Howard wrote:

> > Well the firewall itself isn't in question, it's the fact that mountd is
> > running between the machines that have users on them inside the firewall,
> > is there any security problem with running mountd that can be locally
> > exploited? If there is then i would just disable the daemon; not exporting
> > anything necessary at this point. Limiting access would work too, but first
> > I wanted to establish if much of a risk exists.
> > As far as what's being exported goes, it's only (rw) filesystems to the
> > machines inside the firewall.
>
> Your inside users could take advantage of the mountd. Maybe they won't.
> If you trust those users, then you don't need to worry about them. IP
> addresses can be faked. Userids can be faked from machines where someone
> has root access or physical machine access.
>
> Security comes from a combination of trust and distrust that is correctly
> attributed.
If you know correctly who you can trust and who you cannot > trust, you will do the right thing, given the right information. > > I have found a situation where I was exporting a filesystem ro to all hosts > and rw to two hosts. However, it turned out that all hosts had rw. I do > not know what was wrong, and because it wasn't anything important, I just > removed it all and never investigated. > How could inside users take advantage of mountd? I've heard of some strange problems on systems running mountd like the situation you pointed out. I personally don't trust mountd, so I stopped exporting, but my question was what security problems can mountd cause, is there any potential for local users to exploit it ot take advantage of it? From firewalls-owner Sat Nov 4 10:52:51 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id KAA08185 for firewalls-outgoing; Sat, 4 Nov 1995 10:44:12 -0800 (PST) Received: from basic.net (basic.net [205.242.92.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id KAA08178 for ; Sat, 4 Nov 1995 10:44:08 -0800 (PST) Received: by basic.net (SMI-8.6/BN-1.20) id MAA28600; Sat, 4 Nov 1995 12:40:40 -0600 Date: Sat, 4 Nov 1995 12:40:39 -0600 (CST) From: Jim McBride To: Martin Cooper cc: Rick Smith , firewalls@GreatCircle.COM Subject: Re: Tightening up SunOS 5.4 (was Re: Hardened OS) In-Reply-To: <199511031740.RAA23766@quark.foobar.co.uk> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 3 Nov 1995, Martin Cooper wrote: > processes that need to be started at boot time? Will it be > possible to run these at boot time without an entry for root in > the password file, and without the setuid bits on executable > binaries? > > If it is, then this seems like a fine security measure for a > bastion host. > > > Martin > -- You will play hell trying to boot in single user mode... 
Jim McBride jim@basic.net From firewalls-owner Sat Nov 4 11:22:56 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id KAA08209 for firewalls-outgoing; Sat, 4 Nov 1995 10:47:10 -0800 (PST) Received: from basic.net (basic.net [205.242.92.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id KAA08202 for ; Sat, 4 Nov 1995 10:47:07 -0800 (PST) Received: by basic.net (SMI-8.6/BN-1.20) id MAA28613; Sat, 4 Nov 1995 12:44:14 -0600 Date: Sat, 4 Nov 1995 12:44:13 -0600 (CST) From: Jim McBride To: "Maxim A. Guzman" cc: firewalls@GreatCircle.COM Subject: Re: One-Time passwords In-Reply-To: <199511041108.AA02526@emerald.fibronics.co.il> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sat, 4 Nov 1995, Maxim A. Guzman wrote: > Hi, > > I want to use one-time passwords at my site. > I don't want any "hardware", like cryptographic calculators, etc. > Instead, I want to print a list of challenge/response pairs and give > it to the user who wants to connect from remote site. > Can anyone point me to the freeware resources list related to my > needs? > > Thanks in advance. > > --- Regards, Maxim "Maguz". Sure -- Skey, archie for it. Jim McBride jim@basic.net From firewalls-owner Sat Nov 4 11:52:51 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id KAA08046 for firewalls-outgoing; Sat, 4 Nov 1995 10:23:52 -0800 (PST) Received: from netcom.netcom.com (netcom.netcom.com [192.100.81.100]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id KAA08039 for ; Sat, 4 Nov 1995 10:23:49 -0800 (PST) Received: by netcom.netcom.com (8.6.12/Netcom) id KAA26719; Sat, 4 Nov 1995 10:21:30 -0800 Date: Sat, 4 Nov 1995 10:21:30 -0800 (PST) From: Bob Bosen Subject: Re: One-Time passwords To: "Maxim A. 
Guzman" cc: firewalls@greatcircle.com In-Reply-To: <199511041108.AA02526@emerald.fibronics.co.il> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Max: Our "SafeWord" software is commercial (not freeware) but a free demonstration copy could be set up with our "soft token" to meet your needs. You can retrieve a copy right now from: http://www.safeword.com I hope you like it. Regards, Bob Bosen Enigma Logic Inc. 2151 Salvio St. #301 Concord, CA 94520 USA Tel: +1 510 827-5707 Internet: bbosen@netcom.com anonymous ftp archives: ftp.netcom.com /pub/bb/bbosen/Enigma read.me also: (bigger archives) ftp.netcom.com /pub/sa/safeword readme.001 ************************************************************************** * "It wasn't me!!! Somebody must have captured my username/password!!!" * ************************************************************************** On Sat, 4 Nov 1995, Maxim A. Guzman wrote: > Hi, > > I want to use one-time passwords at my site. > I don't want any "hardware", like cryptographic calculators, etc. > Instead, I want to print a list of challenge/response pairs and give > it to the user who wants to connect from remote site. > Can anyone point me to the freeware resources list related to my > needs? > > Thanks in advance. > > --- Regards, Maxim "Maguz". > > +--------------------------------------------------------------------------+ > | Maxim "Maguz" Guzman UNIX System and Network manager | > | Internet: maguz@fibronics.co.il Fibronics Ltd. 
| > | Phone/Fax: +972-9-840556 Haifa, Israel | > +--------------------------------------------------------------------------+ > From firewalls-owner Sat Nov 4 12:22:58 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id LAA08594 for firewalls-outgoing; Sat, 4 Nov 1995 11:30:21 -0800 (PST) Received: from little-miami.iac.net (little-miami.iac.net [198.180.60.135]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id LAA08587 for ; Sat, 4 Nov 1995 11:30:17 -0800 (PST) Received: by little-miami.iac.net id OAA24931; Sat, 4 Nov 1995 14:29:48 -0500 Date: Sat, 4 Nov 1995 14:29:46 -0500 (EST) From: Carl Jolley To: Bob Bosen cc: Mark_W_Loveless@smtp.bnr.com, firewalls@GreatCircle.COM Subject: Re: SafeWord new www page In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 3 Nov 1995, Bob Bosen wrote: > > All this discussion about sniffers has prompted me to accelerate the > following announcement: > > Enigma Logic's www page, under development for the past several weeks, > is now up and running at: > > http://www.safeword.com > > It has a lot of links to firewall-related stuff, and offers the ability > to instantly download free demonstration versions of SafeWord's software- > based, non-replayable dynamic password system. This is not full encryption, > but it offers very good protection against unathorized breakins, even if ^^^^^^^^^^^ Uhh, Is there any other kind? Or are you the chief head director of the Department of Redundancy Department? > sniffers are capturing and compromising conventional passwords. It has > interfaces to TACACS, TACACS+, RADIUS, and to several commercial and/or > public-domain firewall packages. > > This web page is still under development, and I don't know for sure how > our 128K ISDN link will stand up to the strain if everybody tries to > access at once, but I'd like to get some feedback. I hope you like it. 
> > > > Bob Bosen > Enigma Logic Inc. > 2151 Salvio St. #301 > Concord, CA 94520 > USA > > Tel: +1 510 827-5707 > Internet: bbosen@netcom.com > anonymous ftp archives: ftp.safeword.com /pub/Safeword > ************************************************************************** > * "It wasn't me!!! Somebody must have captured my username/password!!!" * > ************************************************************************** > > On Mon, 30 Oct 1995 Mark_W_Loveless@smtp.bnr.com wrote: > > > 1 - You assume Unix in most cases. Non-IP cards can still get stuff, > > even from IP stations, when in promiscuous mode. You're talking raw > > packets here. > > > > 2 - Most cards have built into them the ability to report total > > packets received (and passed up the OSI chain). These usually are not > > protocol dependent. Certain IPX calls can retrieve this data (the IPX > > Responder code, used for diagnostics). > > > > 3 - Bay Systems 5000 concentrators can detect and PARTITION OFF an > > unauthorized sniffer. > > > > Mark > > > > > > ______________________________ Reply Separator _________________________________ > > Subject: Re: How protect against sniffers? > > Author: mcn@EnGarde.com at internet > > Date: 10/29/95 11:21 PM > > > > > > In article you > > write: > > > > > >>> in these day I've found several students using sniffers programs...How can I > > >>> protect my systems? Can you suggest me any source of informations about > > >>> sniffers programs? > > > > >Kerberos and S/key makes sniffing more or less obsolete. > > >In addition you could code a program to scan for a promiscuous mode and > > >alert the admins if found.. > > > > Kerberos and S/Key (or smartcards) do *NOT* make sniffing obsolete. See > > > > http://www.engarde.com/software/ipwatcher > > > > for a product which (while not it's intended purpose) can hijack S/Key or > > Kerberos authenticated sessions. 
> > > > Full encryption or packet-level authentication is the only way to go, and > > this will continue to be the case for the foreseeable future. There are several > > good packages which will help protect from sniffing and the IP spoofing family > > of attacks. > > > > 1) Kerberos: but MAKE SURE Encryption is not only the default, but it's > > enforced. Unfortunately, Kerberos (and it's related tools) seem to only turn > > on encryption if the user specifies some obscure flag (which is most likely > > rarely the case). The latest telnet daemon (94.02.07) allows the admin to > > force all incoming connections to be encrypted and authenticated. This is > > a step in the right direction! > > ftp://aeneas.mit.edu/pub/kerberos{README.KRB4, README.KRB5_BETA5} > > > > 2) STEL: This was probably the first stand-alone encryption connection package > > out, and looked promising at the time. A paper was presented on it at Usenix > > '95, and it went through the proper beta-testing cycle. (It had around 100 > > very reputable people looking through the source). After Usenix, updates > > to STEL seemed to stop... > > ftp://idea.sec.dsi.unimi.it/pub/security/cert-it/{STEL.ps, f95_stel.ps, stel} > > > > 3) SSH: This has a lot more features than STEL and the author is very > > responsive if any problems are found. Fortunately (or unfortunately), many are. > > I remember one weekend when 3 versions were released in a matter of hours. > > :-) I'd definitely suggest picking this package up--it supports encrypted > > X displays among other nice things. > > ftp://ftp.cs.hut.fi/pub/ssh/{README, ssh-1.2.0.tar.gz} > > > > As for more information on sniffers, Chris Klaus ocasionally posts a > > sniffer FAQ to the comp.security.* newsgroups. > > http://www.iss.net/iss/addsec.html > > > > Hope that's helpful! 
> > > > -Mike Neuman > > mcn@EnGarde.com > > http://www.engarde.com > > > > > From firewalls-owner Sat Nov 4 12:52:56 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id MAA09775 for firewalls-outgoing; Sat, 4 Nov 1995 12:36:18 -0800 (PST) Received: from lint.cisco.com (lint.cisco.com [171.68.235.77]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id MAA09768 for ; Sat, 4 Nov 1995 12:36:15 -0800 (PST) Received: from pferguso-pc.cisco.com (sl-chanty-02.cisco.com [171.69.126.156]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id MAA06785; Sat, 4 Nov 1995 12:33:46 -0800 Date: Sat, 4 Nov 1995 12:33:46 -0800 Message-Id: <199511042033.MAA06785@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Bob Bosen From: Paul Ferguson Subject: Re: One-Time passwords Cc: "Maxim A. Guzman" , firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Bob, It appears that you're site is not being routed across CIX: % ping www.safeword.com PING www.safeword.com (204.242.227.134): host unreachable from 149.20.64.33 % lookup 149.20.64.33 Official Name: psi-too.west.cix.net IP Address: 149.20.64.33 - paul At 10:21 AM 11/4/95 -0800, Bob Bosen wrote: > >Our "SafeWord" software is commercial (not freeware) but a free demonstration >copy could be set up with our "soft token" to meet your needs. You can >retrieve a copy right now from: > >http://www.safeword.com > -- Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:.. 
e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Sat Nov 4 13:22:51 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id NAA10316 for firewalls-outgoing; Sat, 4 Nov 1995 13:18:15 -0800 (PST) Received: from switchblade.iwi.com (switchblade.iwi.com [137.39.156.214]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id NAA10302 for ; Sat, 4 Nov 1995 13:18:11 -0800 (PST) Received: (from mjr@localhost) by switchblade.iwi.com (8.6.9/8.6.9) id QAA20513; Sat, 4 Nov 1995 16:18:21 -0500 From: "Marcus J. Ranum" Message-Id: <199511042118.QAA20513@switchblade.iwi.com> Subject: Re: What about the next 20 Java-like applications? ( was Re: Java) To: ajack@corp.micrognosis.com (Adam Jack) Date: Sat, 4 Nov 1995 16:18:21 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: from "Adam Jack" at Nov 1, 95 00:00:10 am Reply-To: mjr@iwi.com Organization: Information Warehouse! Inc, Baltimore, MD URL: mjr's web page Phone: 410-889-8569 Coredump: Infocalypse Now!!! X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk If Java applets run with write permissions turned off, is it possible to write an applet that, when you run it, FTPs your password file, .rhosts file, $MAIL, etc, to a dead-drop? There might be useful stuff in those. Basically, for Java to not leave the user vulnerable to something nasty, the language will have to have a lot of the properties of a TCB; which means it won't do a lot of the things people will *want* to do, which means that they'll just make everything writeable and "damn the torpedoes." mjr. 
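The thread's practical question is how a firewall manager keeps applets out while the sandbox argument above plays out; earlier in the thread the suggestion was to filter out http://*.class. The following is an added example (not code from this list, from Sun, or from any product named here) of what such a proxy-side filter looks like in Python: it blocks by URL suffix, by the class-file magic number 0xCAFEBABE when a class file is served under another name, and strips <applet> elements from HTML so the browser never requests the class in the first place. The hostnames and response bodies are constructed for the demonstration.

```python
"""Proxy-side filter for Java applets, in the spirit of the thread's
"filter out http://*.class" suggestion.  Added example, not code from the
list or from any product named in the thread."""
from __future__ import annotations

import re

# Every Java class file begins with these four bytes (0xCAFEBABE), so the
# body can be recognised even when the URL does not end in ".class".
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"

# <applet ...> ... </applet> (HTML 3.2), matched case-insensitively across
# line breaks; a second pattern catches an unterminated opening tag.
APPLET_ELEMENT = re.compile(r"<applet\b.*?</applet\s*>", re.IGNORECASE | re.DOTALL)
APPLET_OPEN_TAG = re.compile(r"<applet\b[^>]*>", re.IGNORECASE)
REMOVED_MARKER = "<!-- applet removed by proxy policy -->"


def is_java_class(body: bytes) -> bool:
    """True if the response body is a Java class file, whatever its name."""
    return body[:4] == JAVA_CLASS_MAGIC


def strip_applet_tags(html: str) -> tuple[str, int]:
    """Remove every <applet> element from an HTML page.

    Returns the rewritten page and how many elements were removed, so the
    proxy can log the event.
    """
    cleaned, n_full = APPLET_ELEMENT.subn(REMOVED_MARKER, html)
    cleaned, n_open = APPLET_OPEN_TAG.subn(REMOVED_MARKER, cleaned)
    return cleaned, n_full + n_open


def filter_response(url: str, content_type: str, body: bytes) -> tuple[str, bytes]:
    """Decide what the proxy does with one HTTP response.

    Returns ("block", b"") for class files, ("rewrite", new_body) for HTML
    pages that referenced applets, and ("allow", body) otherwise.
    """
    path = url.split("?", 1)[0].split("#", 1)[0]
    # Rule 1: the URL-suffix rule from the thread.
    if path.lower().endswith(".class"):
        return "block", b""
    # Rule 2: content inspection, for a class file served under another name.
    if is_java_class(body):
        return "block", b""
    # Rule 3: strip the <applet> tags that would make the browser fetch one.
    if content_type.split(";", 1)[0].strip().lower() == "text/html":
        cleaned, removed = strip_applet_tags(body.decode("latin-1"))
        if removed:
            return "rewrite", cleaned.encode("latin-1")
    return "allow", body


# Constructed sample traffic (not captured from any real site).
SAMPLE_CLASS = JAVA_CLASS_MAGIC + b"\x00\x03\x00\x2d" + b"\x00" * 16  # fake class file
SAMPLE_GIF = b"GIF89a" + b"\x00" * 16                                  # harmless image
SAMPLE_HTML = (
    b"<html><body><h1>Demo</h1>\n"
    b"<APPLET code=\"Demo.class\" width=100 height=50>\n"
    b"<param name=x value=1>\n</APPLET>\n"
    b"<p>text after the applet</p></body></html>"
)


def demo() -> list[str]:
    """Run the filter over the constructed samples; returns the decisions."""
    cases = [
        ("http://www.example.com/Demo.class", "application/octet-stream", SAMPLE_CLASS),
        ("http://www.example.com/logo.gif", "image/gif", SAMPLE_CLASS),  # renamed class
        ("http://www.example.com/logo.gif", "image/gif", SAMPLE_GIF),
        ("http://www.example.com/index.html", "text/html; charset=us-ascii", SAMPLE_HTML),
    ]
    decisions = []
    for url, ctype, body in cases:
        decision, _ = filter_response(url, ctype, body)
        decisions.append(decision)
        print(f"{decision:8s} {url} ({ctype})")
    return decisions


if __name__ == "__main__":
    demo()
```

The filter only sees what passes through the HTTP proxy; applets that arrive by another path are exactly the case the sandbox discussion above is about.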
From firewalls-owner Sat Nov 4 13:52:51 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id NAA10921 for firewalls-outgoing; Sat, 4 Nov 1995 13:42:39 -0800 (PST) Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id NAA10914 for ; Sat, 4 Nov 1995 13:42:29 -0800 (PST) Received: from pm1-13.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA25047; Sat, 4 Nov 95 16:41:44 -0500 Date: Sat, 4 Nov 95 16:41:44 -0500 Message-Id: <9511042141.AA25047@su1.in.net> X-Sender: frankw@in.net X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@GreatCircle.com From: frankw@in.net (Frank Willoughby) Subject: Re: None Sender: firewalls-owner@GreatCircle.COM Precedence: bulk My mailer claims Scott Barman wrote: >On Fri, 3 Nov 1995, Mike Murphy wrote: > >> From the viewpoint of a vendor ;-) > >(good description of the vendor's point of view regarding maintenance >via various means deleted) > >> It is the choice of the customer, but the customer should be >> aware that a security policy defines tradeoffs that involve >> money. >> -- >> Mike Murphy mrm@alpharel.com +1.619.625.3000 x265 >> ALPHAREL 9339 Carroll Park Drive San Diego, CA 92121 >> Any opinions above are mine and not those of my employer. > >I wish every vendor had your outlook on this! I just had a very well >known vendor request access via the internet (not here) to fix a >problem. When this person (a former customer) asked me what I thought >about it, we had a discussion and he decided to find an alternative. > >So I set up a modem on a system to allow the vendor come in using PPP. >I turned IP forwarding turned off, the DNS was disabled, and the >/etc/hosts file was empty. For all practical purposes, it was an >isloated system. This was also the production system which we were >taking off line! 
> >I was called everything from a jerk to a jack*ss by the manager of >technical support for this large vendor and wondered why we didn't trust >them. He told me that this setup was unacceptible. When the lawyers >were finished with the "breech of contract" speil, they logged in and >fixed the problem. > >Funny thing, though. The person who logged in did some interesting >things. Looked at the /etc/passwd file (which was cut down quite a >bit), tried to look at the /etc/shadow file, found the /etc/hosts, tried >various nis* commands to check the network copies out, and did a netstat >(to see where the connections were from). I can see doing things like >who, ls and w--I do those as a nervous-like thing while thinking. But >why try to get this information. > >Good thing he didn't run a ps to see I was not running a standard shell. >I was running a modified "script" and saved all the output. The output >was sent via FedEx to the tech support manager who promptly wrote a >letter of apology. Scott, This goes without saying (but I will anyway), you have a gold mine with the output you saved. The next time a vendor wants to log into your system to fix something, you have excellent documentation which justifies not allowing the vendor in. The easiest way for hackers to crack systems is to get a tech-support job which permits them to log in & set up a couple of accounts, trojan horses, etc. (Why bother to try to break into a system when the customer will let you in - and usually without so much as a wimper?). Thanks for posting our example. Best Regards, Frank > >MORAL OF THIS STORY (can be summed up by paraphrasing an old joke): >How does one business man tell another business man f**k you? TRUST ME! > >scott barman >-- >scott barman DISCLAIMER: I speak to anyone who will listen, >scott@disclosure.com and I speak only for myself. 
>barman@ix.netcom.com > "I don't know if security explains why the Win95 support Web servers run BSDI > 2.0--an Intel-based Unix--rather than Windows NT, which Microsoft insists is > the ideal Web software solution. Does Redmond know something we don't know?" > -Robert X. Cringely, INFORWORLD, 9/11/95 > > > > From firewalls-owner Sat Nov 4 14:24:47 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id OAA12305 for firewalls-outgoing; Sat, 4 Nov 1995 14:13:18 -0800 (PST) Received: from psyche.the-wire.com (psyche.the-wire.com [198.53.192.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id OAA12286 for ; Sat, 4 Nov 1995 14:13:07 -0800 (PST) Received: from rcooper.the-wire.com (rcooper.the-wire.com [198.53.159.74]) by psyche.the-wire.com (8.6.10/8.6.9) with SMTP id RAA01336; Sat, 4 Nov 1995 17:12:37 -0500 Received: by rcooper.the-wire.com with Microsoft Mail id <01BAAAD8.BFD86E00@rcooper.the-wire.com>; Sat, 4 Nov 1995 17:12:41 -0500 Message-ID: <01BAAAD8.BFD86E00@rcooper.the-wire.com> From: Russ Cooper To: "'Bob Bosen'" Cc: "'Firewalls'" Subject: RE: One-Time passwords Date: Sat, 4 Nov 1995 17:12:40 -0500 Encoding: 9 TEXT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Rather than continuing to plug your product, you might want to put some effort into getting the web page UP!!! Tried Nov. 3, and 4, several times to access www.safeword.com with no luck. 
Cheers, Russ Cooper Senior Internet Integration Engineer SHL/Computer Innovations RCooper@the-wire.com - Express@msn.com - 74323.364@compuserve.com From firewalls-owner Sat Nov 4 15:56:36 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id PAA15725 for firewalls-outgoing; Sat, 4 Nov 1995 15:43:51 -0800 (PST) Received: from access.netaxs.com (access.netaxs.com [198.69.186.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id PAA15717 for ; Sat, 4 Nov 1995 15:43:48 -0800 (PST) Received: from unix3.netaxs.com (morph_1@unix3.netaxs.com [198.69.186.5]) by access.netaxs.com (8.6.12/8.6.11) with ESMTP id SAA29162; Sat, 4 Nov 1995 18:43:28 -0500 Received: (morph_1@localhost) by unix3.netaxs.com (8.6.12/8.6.9) id SAA05324; Sat, 4 Nov 1995 18:43:22 -0500 Date: Sat, 4 Nov 1995 18:43:20 -0500 (EST) From: "W0W!@# ELYTENESS#@!" To: Jim McBride cc: "Maxim A. Guzman" , firewalls@GreatCircle.COM Subject: Re: One-Time passwords In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk SuM D0oDuR SaYS: > > > On Sat, 4 Nov 1995, Maxim A. Guzman wrote: > > > Hi, > > > > I want to use one-time passwords at my site. > > I don't want any "hardware", like cryptographic calculators, etc. > > Instead, I want to print a list of challenge/response pairs and give > > it to the user who wants to connect from remote site. > > Can anyone point me to the freeware resources list related to my > > needs? > > > > Thanks in advance. > > > > --- Regards, Maxim "Maguz". > > Sure -- Skey, archie for it. > > Jim McBride > jim@basic.net > So DeN EyE G0eS: SKey! ARchie! Dis WholE InTerNeT THinG Iz So E-Z! 
Morph_1 - archie phore _ME_ From firewalls-owner Sat Nov 4 18:24:26 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA20839 for firewalls-outgoing; Sat, 4 Nov 1995 17:56:04 -0800 (PST) Received: from randomc.com (ra1.randomc.com [205.160.16.20]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id RAA20825 for ; Sat, 4 Nov 1995 17:55:58 -0800 (PST) Received: (llama@localhost) by randomc.com (8.6.10/8.6.10) id UAA04752; Sat, 4 Nov 1995 20:55:54 -0500 From: Jonny Llama Message-Id: <199511050155.UAA04752@randomc.com> Subject: Re: SafeWord new www page To: cjolley@iac.net (Carl Jolley) Date: Sat, 4 Nov 1995 20:55:53 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: from "Carl Jolley" at Nov 4, 95 02:29:46 pm X-Info: finger llama@randomc.com | pgp -fka +force X-Mailer: ELM [version 2.4 PL22] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Uhh, > >Is there any other kind? Or are you the chief head director of the >Department of Redundancy Department? Please help me understand why you quoted ~150 lines of text to frame 2 lines of a snide comment? From firewalls-owner Sun Nov 5 09:22:57 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA07557 for firewalls-outgoing; Sun, 5 Nov 1995 09:13:45 -0800 (PST) Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id JAA07550 for ; Sun, 5 Nov 1995 09:13:42 -0800 (PST) Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.7.1/8.7.1) with UUCP id LAA05332 for GreatCircle.COM!firewalls; Sun, 5 Nov 1995 11:11:19 -0600 (CST) Received: by ris1.nmti.com (smail2.5) id AA29715; 5 Nov 95 11:16:41 CST (Sun) Received: by sonic.nmti.com; id AA02221; Sun, 5 Nov 1995 10:45:54 -0600 From: peter@nmti.com (Peter da Silva) Message-Id: <9511051645.AA02221@sonic.nmti.com.nmti.com> Subject: Re: What about the next 20 Java-like applications? 
( was Re: Java) To: scott@Disclosure.COM (Scott Barman) Date: Sun, 5 Nov 1995 10:45:53 -0600 (CST) Cc: ajack@corp.micrognosis.com, smith@sctc.com, firewalls@GreatCircle.COM In-Reply-To: from "Scott Barman" at Nov 3, 95 08:32:46 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Just ask them... "would you put a TV in your house with a remotely operated surveillance camera built in? That's what you could be doing if you just run untrusted applications on an Internet-connected computer." From firewalls-owner Sun Nov 5 09:52:55 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA07623 for firewalls-outgoing; Sun, 5 Nov 1995 09:15:46 -0800 (PST) Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id JAA07614 for ; Sun, 5 Nov 1995 09:15:43 -0800 (PST) Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.7.1/8.7.1) with UUCP id LAA05326 for GreatCircle.COM!firewalls; Sun, 5 Nov 1995 11:11:14 -0600 (CST) Received: by ris1.nmti.com (smail2.5) id AA29582; 5 Nov 95 11:11:50 CST (Sun) Received: by sonic.nmti.com; id AA01999; Sun, 5 Nov 1995 10:41:03 -0600 From: peter@nmti.com (Peter da Silva) Message-Id: <9511051641.AA01999@sonic.nmti.com.nmti.com> Subject: Re: Anecdotes or Firewall/NetSec Jokes To: jonw@mntcmp2.demon.co.uk (Jon Whitton) Date: Sun, 5 Nov 1995 10:41:02 -0600 (CST) Cc: alan@gi.net, firewalls@GreatCircle.COM In-Reply-To: from "Jon Whitton" at Nov 3, 95 09:51:03 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > I'll be speaking at a number of seminars in the next three weeks, > > and I think it would be nice to have some intelligent humerous > > jokes or anecdotes to start my talks off. > How about Microsoft, they are the biggest joke going. Unfortunately this is sounding more and more like graveyard humor. 
They're selling very effectively, no matter how awful their product is. From firewalls-owner Sun Nov 5 10:23:01 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA07830 for firewalls-outgoing; Sun, 5 Nov 1995 09:25:15 -0800 (PST) Received: from asp.cdev.com (asp.cdev.com [160.207.1.254]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id JAA07811 for ; Sun, 5 Nov 1995 09:25:10 -0800 (PST) Received: from asp.cdev.com (daemon@localhost) by asp.cdev.com (8.6.12/8.6.12) with ESMTP id LAA27651 for ; Sun, 5 Nov 1995 11:17:05 -0600 Received: from aurora.cdev.com ([160.207.114.200]) by asp.cdev.com (8.6.12/8.6.12) with SMTP id LAA27647 for ; Sun, 5 Nov 1995 11:17:04 -0600 Message-Id: <199511051717.LAA27647@asp.cdev.com> Received: from cdicisco3.cdev.com by aurora.cdev.com id SMTP-001309cf3c9022299; Sun, 5 Nov 95 11:26:35 -0600 X-Sender: djs3wn39@aurora.cdev.com X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sun, 05 Nov 1995 05:58:23 -0800 To: Firewalls@GreatCircle.com From: Donald.J.Smith@.cdev.com (Donald J Smith) Subject: TIS setup on sun4.1.1 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >From: Benoit Dicaire >Date: Tue, 31 Oct 1995 09:20:39 -0500 >Subject: TIS implementation question > >Mike Jones wrote : > >>I'm trying to make an estimate of how long it would take to have a >>reasonably competent engineer get and set up the TIS toolkit on a SunOS >>4.1.4 system. I'd appreciate it if anyone who has done this could give >>me a ballpark figure. > Hopefully your firewall is more than just the tis toolkit. But you don't say so I'll assume that TIS is going on a dual-homed-gateway which is the only outside access to your system. Otherwise you could have a bastion/dhg with TIS and some screening router(s). If you choose the later (based on a defined security policy) then you need someone to setup the screening routers. 
>Okay, let's define some stuff first : > >Reasonably competent engineer : someone who know *well* the platform, >he want to use for the firewall. Good knowledge of TCP/IP, read Cheswick & >Bellovin book and read the list for more than two months. > Reading this list does help alot. The answers I find here are often not what I was thinking at all. Also is already familuar with all the apps that will be passed thru the firewall. (He has to test doesn't he). Also helps if he has unix sysadm knowledge (assuming he works directly on your firewall, he needs to know how to use: an editor, make, tar,) Also helps if he has years of knowledge of your network. >Setup a firewall (technical side) : install the core module of TIS and several >modules from public domain. Write scripts to automate thing, parse log, etc ... OK if you've done it before maybe but it took me over a week to get the netacl, a chrooted ftp, and smap working. I did have to do some extra stuff like hiding dns and ip addresses behind the 3 nic addresses I used on the firewall. > >Setup a firewall (political side) : write security policies in collaboration >with management, decide services to allow and discrimate who will get it. > >The whole thing can take six months if you're lucky ;-) > >For the tech side, you should have something running in three days. Only if he has some of the skills I listed. Else he has months to learn the system before he starts getting productive. > >- --- > Benoit Dicaire - Unix - NRJ Informatique Inc. 
> bdicaire@nrj.com - Consultant - (514) 593-9747 > Donald J Smith Network Security Engineer @Computing Devices International "@begin design in the security and ease_of_use != A*(1/Data_Security)" (my opinions are mine and so are the spelling errors ;-) From firewalls-owner Sun Nov 5 10:53:08 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id KAA08647 for firewalls-outgoing; Sun, 5 Nov 1995 10:12:38 -0800 (PST) Received: from sdata.no (breim.sdata.no [193.216.8.130]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id KAA08640 for ; Sun, 5 Nov 1995 10:12:34 -0800 (PST) Received: from breng ([193.216.12.65]) by sdata.no (4.1/SMI-4.1) id AA20461; Sun, 5 Nov 95 19:12:37 +0100 From: Einar.Landre@sdata.no (Einar Landre) Received: by breng (5.x) id AA00352; Sun, 5 Nov 1995 19:11:48 +0100 Date: Sun, 5 Nov 1995 19:11:48 +0100 Message-Id: <9511051811.AA00352@breng> To: firewalls@greatcircle.com Subject: Info about Secure Net and Secure ID X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, The documentation from TIS regarding user authentification, two commercial vendors / products are mentioned. Digital Pathways with Secure Net Security Dynamics with Secuure ID Can sombody tell me where to find information about the two ?? 
Regards Einar ------------------------------------------------------ Einar Landre, Senior Consultant Skrivervik Data AS Phone: +47 22 18 58 27 Post Box 3885 Fax: +47 22 18 59 98 Ullevaal Hageby E-mail: einar.landre@sdata.no N-0805 Oslo, Norway From firewalls-owner Sun Nov 5 11:34:04 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id KAA09610 for firewalls-outgoing; Sun, 5 Nov 1995 10:46:59 -0800 (PST) Received: from neon.ingenia.com (neon.ingenia.com [134.117.55.86]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id KAA09602 for ; Sun, 5 Nov 1995 10:46:56 -0800 (PST) Received: (from shaver@localhost) by neon.ingenia.com (8.6.12/8.6.9) id NAA15824; Sun, 5 Nov 1995 13:48:53 -0500 From: Mike Shaver Message-Id: <199511051848.NAA15824@neon.ingenia.com> Subject: Re: What about the next 20 Java-like applications? ( was Re: Java) To: mjr@iwi.com Date: Sun, 5 Nov 1995 13:48:52 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: <199511042118.QAA20513@switchblade.iwi.com> from "Marcus J. Ranum" at Nov 4, 95 04:18:21 pm X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Thus spake Marcus J. Ranum: > If Java applets run with write permissions turned off, is > it possible to write an applet that, when you run it, FTPs your > password file, .rhosts file, $MAIL, etc, to a dead-drop? There > might be useful stuff in those. As per the Java documentation, applets do not (under the default configuration) have any (direct) access to the filesystem. It's possible that they could impact the filesystem in some way if the browser caches images, etc. loaded by the applet, and there's always virtual memory exhaustion, but there's no direct access. No reading, no writing, no executing, no ogling of inodes, nothing. 
Mike
--
#> Mike Shaver (shaver@ingenia.com)   Ingenia Communications Corporation <#
#> UNIX medicine man -- dark magick, cheap!                               <#
#>                                                                        <#
#> When the going gets tough, the tough give cryptic error messages.      <#
#> "We believe in rough consensus and running code."                      <#

From firewalls-owner Sun Nov 5 13:23:01 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id MAA13875 for firewalls-outgoing; Sun, 5 Nov 1995 12:54:48 -0800 (PST)
Received: from lint.cisco.com (lint.cisco.com [171.68.235.77]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id MAA13868 for ; Sun, 5 Nov 1995 12:54:45 -0800 (PST)
Received: from pferguso-pc.cisco.com (sl-charm-06.cisco.com [171.69.126.144]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id MAA10544; Sun, 5 Nov 1995 12:54:23 -0800
Date: Sun, 5 Nov 1995 12:54:23 -0800
Message-Id: <199511052054.MAA10544@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Einar.Landre@sdata.no (Einar Landre)
From: Paul Ferguson
Subject: Re: Info about Secure Net and Secure ID
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Contact information about both of these is contained in Christopher Klaus' Sniffer FAQ, located at http://iss.net/iss/sniff.html.

- paul

At 07:11 PM 11/5/95 +0100, Einar Landre wrote:
>
>In the documentation from TIS regarding user authentication,
>two commercial vendors / products are mentioned.
>
>    Digital Pathways with Secure Net
>    Security Dynamics with Secure ID
>
>Can somebody tell me where to find information about the two?
>
>Regards Einar
>------------------------------------------------------
>Einar Landre, Senior Consultant
>Skrivervik Data AS        Phone:  +47 22 18 58 27
>Post Box 3885             Fax:    +47 22 18 59 98
>Ullevaal Hageby           E-mail: einar.landre@sdata.no
>N-0805 Oslo, Norway
>
>

--
Paul Ferguson                           ||        ||
Consulting Engineering                  ||        ||
Reston, Virginia USA                   ||||      ||||
tel: +1.703.716.9538               ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com         c i s c o  S y s t e m s

From firewalls-owner Sun Nov 5 13:55:15 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id NAA14909 for firewalls-outgoing; Sun, 5 Nov 1995 13:36:38 -0800 (PST)
Received: from switchblade.iwi.com (switchblade.iwi.com [137.39.156.214]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id NAA14902 for ; Sun, 5 Nov 1995 13:36:34 -0800 (PST)
Received: (from mjr@localhost) by switchblade.iwi.com (8.6.9/8.6.9) id QAA26845 for firewalls@greatcircle.com; Sun, 5 Nov 1995 16:37:01 -0500
From: "Marcus J. Ranum"
Message-Id: <199511052137.QAA26845@switchblade.iwi.com>
Subject: OTPs: clarification
To: firewalls@greatcircle.com
Date: Sun, 5 Nov 1995 16:37:00 -0500 (EST)
Reply-To: mjr@iwi.com
Organization: Information Warehouse! Inc, Baltimore, MD
URL: mjr's web page
Phone: 410-889-8569
Coredump: Infocalypse Now!!!
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

mdr@vodka.sse.att.com writes:
>That leads one to try to implement something else and claim that it's a
>OTP. One such method would be to use a Random Number Generator in

This is called an "autokey cipher" and is not terribly secure. When I talked to the folks from Elementrix I found that they *are* aware of the distinction and are aware of the fact that they have abused the terminology. Their claim is that their system has the *properties* of a OTP. Which I find quite interesting, since the main interesting property of an OTP is that it is absolutely unbreakable if used properly.
>This is *NOT* a true OTP.

Correct, it is not. Elementrix is also aware of this. When I spoke with the guy who developed the scheme in question it is clear that he is aware of the distinction. :) A lot of cryptographers have jumped all over them (rightly) for abusing a trade term for marketing purposes.

>The real problem of course is finding a source of random data that is
>available to *both* parties.

By the *definition* of randomness, this is impossible. Note that the guys at Elementrix are aware of this impossibility, too. :) They claim to have a way around it. I do not believe they do - unless they've got a selective repeal of laws of nature, or are not using true randomness. Be that as it may: avoid misusing terms of the trade. There is no such thing as random data available to both parties without a communication channel someplace in the system to convey it. Unless you accept action at a distance. In which case you still only have one source of randomness. :)

>> Synchronization is a piece of cake. Since the pad is secure,
>> you simply call the other party on the phone and say "offset 129198L"
>> and crank away.
>
>I caveated that with:
>   Giving away the offset is inconsequential for a true OTP, but
>   for a algorithmically generated OTP it makes cryptanalysis
>   much easier.

Please do not abuse terms of the trade. THERE IS NO SUCH THING AS AN ALGORITHMICALLY GENERATED OTP. You know that. I know that. If you keep abusing the terminology, other people who do not will keep getting confused.

>If the OTP has been "generated" then synchronization is a pain because

THERE IS NO SUCH THING AS A "GENERATED" OTP. You know that. I know that. If you keep abusing the terminology, other people who do not will keep getting confused.

>I'm trying to say that the devil is in the details, is their
>implementation of a OTP really a OTP, or just another cypher?

It's not an OTP. They have said as much in the past.
They're willing to describe their technique under NDA and I'm probably going to meet with them sometime in the next few weeks and find out what's up. It's not an OTP; it sounds like they've come up with what they (rightly or wrongly) feel is an extremely clever wrinkle on some kind of generalized autokey cipher. They've explained it to a number of folks who are involved with cryptography but none who I know have great credentials as a cryptographer. So it remains to be seen. I'd be *impressed* if Whit Diffie or Ron Rivest said it was good. I'm less impressed that Winn Schwartau has said it was good. :)

mjr.

From firewalls-owner Sun Nov 5 16:02:47 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id PAA18418 for firewalls-outgoing; Sun, 5 Nov 1995 15:43:10 -0800 (PST)
Received: from dcc.com (ns.dcc.com [204.147.95.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id PAA17686 for ; Sun, 5 Nov 1995 15:23:27 -0800 (PST)
Received: by gateway.dcc.com id <79364>; Sun, 5 Nov 1995 17:28:25 -0600
From: "Moubray, Steve"
To: "'firewalls@greatcircle.com'"
Subject: Re: WWW & Proxy Servers
Date: Sun, 5 Nov 1995 19:19:00 -0600
Encoding: 72 TEXT
X-Mailer: Microsoft Mail V3.0
Message-Id: <95Nov5.172825cst.79364@gateway.dcc.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From: sangster@reston.ans.net (Paul Sangster)
Date: Tue, 31 Oct 1995 07:58:20 +0500
Subject: Re: WWW & Proxy Servers

> In article , stuart@loddon.demon.co.uk writes:
|> Apologies if the following questions have been asked before - if they have, I can't
|> find them !
|>
|> i) Is/Are there any proxy servers for WWW to restrict access to the WWW on
|> a username basis AND to further restrict use of 'sub-protocols' supported
|> by WWW such as ftp, gopher ... again on a username basis ?
_____________________________

I recently dealt with this and found out that only ANS supported such a system (at least they were the only ones to respond to my v-mail, e-mail and letters). A few manufacturers claimed to have something in the works but many of them have been selling non-existent features such as e-mail scanning and virus protection for some time. Other vendors may have this feature by now but make sure that you aren't getting vapor-ware.

I also have a general problem with the concept of keeping passwords on my firewall. I know these will only be used for outgoing traffic but those same passwords will be used by users to access everything else. ANS had to keep the passwords on the firewall at that time but you might want to check with them anyway. I couldn't use ANS anyway because my customer went out and purchased a Gauntlet before defining all of the needs.

The solution that we found was a Netscape Proxy Server. This assumes that you are using Netscape and allows the passwords to be kept on a separate box. You also gain all of the performance advantages of the Netscape Proxy Server. We used the configuration below.

         Outside Router
               |
               |-----Services
               |
            Firewall
               |   |
               |   -----Proxy
               |   |
             Screen
               |   |
         Internal Network

Traffic is only allowed to go between the firewall and the proxy and the proxy and the screen. No direct traffic is allowed. I like this method for security.

This also has some advantages with the logs. The security manager is mainly concerned with someone trying to get in and the Gauntlet logs give him that information quite well. The administrators are interested in user ID, passwords and traffic and can get those logs from the proxy. The security guys only need to manage the firewall and the administrators only need to manage the proxy.

Download the Netscape proxy and check it out. We have ours running on FreeBSD but are converting it to BSDI (some people like to spend money).

-------------------------------------
Steve Moubray
DCC, Inc.
(612) 378-4469
Fax (612) 378-4401
smoubray@dcc.com
http://www.dcc.com/

From firewalls-owner Sun Nov 5 16:23:02 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id PAA18482 for firewalls-outgoing; Sun, 5 Nov 1995 15:44:35 -0800 (PST)
Received: from neon.ingenia.com (neon.ingenia.com [134.117.55.86]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id LAA10370 for ; Sun, 5 Nov 1995 11:07:38 -0800 (PST)
Received: (from shaver@localhost) by neon.ingenia.com (8.6.12/8.6.9) id OAA15910 for firewalls@greatcircle.com; Sun, 5 Nov 1995 14:09:43 -0500
From: Mike Shaver
Message-Id: <199511051909.OAA15910@neon.ingenia.com>
Subject: Java(tm) security documentation
To: firewalls@greatcircle.com
Date: Sun, 5 Nov 1995 14:09:42 -0500 (EST)
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Warning: this is a long message.

There's been a lot of speculation about Java's security features on this list of late, and it's starting to tend towards FUD. In the interests of having everyone on the same page, I've snipped relevant (IMHO, as is this whole paragraph) chunks of Sun's Java documentation for interested parties to read. I've kept the URLs intact, in case anyone wants to read the rest of it, or make sure I haven't doctored it for my own nefarious purposes.

The language's security features (not just applets):
(http://java.sun.com/whitePaper/javawhitepaper_6.html#HEADING15)

4.2 Security in the Java Environment

Security commands a high premium in the growing use of the Internet for products and services ranging from electronic distribution of software and multimedia content, to "digital cash". The area of security with which we're concerned here is how the Java compiler and run-time system restrict application programmers from creating subversive code.
The Java language compiler and run-time system implement several layers of defense against potentially incorrect code. One of the Java compiler's primary lines of defense is its memory allocation and reference model. Simply put, Java does not have "pointers" in the traditional C and C++ sense--memory cells that contain the addresses of other memory cells. Memory layout decisions are not made by the compiler, as they are in C and C++. Rather, memory layout is deferred to run-time, and will potentially differ depending on the characteristics of the hardware and software platforms on which the Java language system is executing.

The Java interpreter references memory via symbolic "handles" that are resolved to real memory addresses at run time. Java programmers can't forge pointers to memory, because the memory allocation and referencing model is completely opaque to the programmer and controlled entirely by the underlying run-time system. Very late binding of structures to memory means that programmers can't infer the physical memory layout of a class by looking at its declaration.

By removing the C/C++ memory layout and pointer models, the Java language has eliminated the programmer's ability to get behind the scenes and manufacture pointers to memory. These features must be viewed as positive benefits rather than a restriction on the programmer, because they ultimately lead to more reliable and secure applications.

The Byte Code Verification Process

What about the concept of a "hostile compiler"? Although the Java compiler ensures that Java source code doesn't violate the safety rules, when an application such as the HotJava web browser imports a code fragment from anywhere, it doesn't actually know if code fragments follow the Java language rules for safety--the code may not have been produced by a known-to-be trustworthy Java compiler. In such a case, how is the Java run-time system on your machine to trust the incoming byte code stream?
The answer is simple--it doesn't trust the incoming code, but subjects it to byte code verification. The tests range from simple verification that the format of a code fragment is correct, to passing through a simple theorem prover to establish that the code fragment plays by the rules--that it doesn't forge pointers, it doesn't violate access restrictions, and it accesses objects as what they are (for example, that "InputStream" objects are always used as "InputStreams" and never as anything else).

A language that is safe, plus run-time verification of generated code, establishes a base set of guarantees that interfaces cannot be violated.

The Byte Code Verifier

The last phase of the byte code loader is the verifier. It traverses the byte codes, constructs the type state information, and verifies the types of the parameters to all the byte code instructions.

The illustration [see the HTML] shows the flow of data and control from Java language source code through the Java compiler, to the byte code verifier and hence on to the Java interpreter. The important issue is that the Java class loader and the byte code verifier make no assumptions about the primary source of the byte code stream--the code may have come from the local system, or it may have travelled halfway around the planet. The byte code verifier acts as a sort of gatekeeper. The byte code verifier ensures that the code passed to the Java interpreter is in a fit state to be executed and can run without fear of breaking the Java interpreter. Imported code is not allowed to execute by any means until after it has passed the verifier's tests.
Once the verifier is done, a number of important properties are known:

  - There are no operand stack overflows or underflows
  - The types of the parameters of all byte code instructions are known to always be correct
  - No illegal data conversions are done, like converting integers to pointers
  - Object field accesses are known to be legal--private or public or protected

While all this checking appears excruciatingly detailed, by the time the byte code verifier has done its work, the Java interpreter can proceed knowing that the code will run securely. Knowing these properties makes the Java interpreter much faster, because it doesn't have to check anything. There are no operand type checks and no stack overflow checks. The interpreter can thus function at full speed without compromising reliability.

Security Checks in the Class Loader

After incoming code has been vetted and determined clean by the byte code verifier, the next line of defense is the Java class loader. The environment seen by a thread of execution running Java byte codes can be visualized as a set of classes partitioned into separate name spaces. There is one name space for classes that come from the local file system, and a separate name space for each network source. When a class is imported from across the network it is placed into the private name space associated with its origin. When a class references another class, it is first looked for in the name space for the local system (built-in classes), then in the name space of the referencing class. There is no way that an imported class can "spoof" a built-in class. Built-in classes can never accidentally reference classes in imported name spaces--they can only reference such classes explicitly. Similarly, classes imported from different places are separated from each other.

Security in the Java Networking Package

Java's networking package provides the interfaces to handle the various network protocols (FTP, HTTP, Telnet, and so on).
This is your front line of defense at the network interface level. The networking package can be set up with configurable levels of paranoia. You can:

  - Disallow all network accesses
  - Allow all network accesses
  - Allow network accesses to only the hosts from which the code was imported
  - Allow network accesses only outside the firewall if the code came from outside

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Applet-specific security: (written for the 1.0a3 release of HotJava(tm)... there will be a rewrite for the 1.0b release when that occurs. I'm assuming, perhaps incorrectly, that the Netscape implementation is similar. As I understand it, they licensed the HJ code from Sun, so I think it's all very close to the truth.)
(http://java.sun.com/1.0alpha3/doc/security/security.html)

[ A rehash of the above text, snipped ]

Security level four: protecting the file system and network access

HotJava enforces security policies confident that its security interfaces are secure. The three lower levels of security guarantee that all local classes, e.g., the file access primitives, are themselves protected from being supplanted, replaced, or extended by imported code. The file access primitives implement an access control list that controls read and write access to files by imported code (or code invoked by imported code). The defaults for these access control lists are very restrictive[*]. If an attempt is made by a piece of imported code to access a file to which access has not been granted, a dialog box pops up to allow the user to decide whether or not to allow that specific access. These security policies err on the conservative side in order to ensure maximum security. This conservative approach may make writing some applets more difficult or awkward.

For network security, HotJava provides a variety of mechanisms that can provide information about the trustworthiness of imported code. These mechanisms cover a wide range of possibilities.
At the simple end the system can check on the origin of a code fragment to determine if it came from inside or outside a firewall. At the sophisticated end of the range a mechanism exists whereby public keys and cryptographic message digests can be securely attached to code fragments that not only identify who originated the code, but guarantee its integrity as well. This latter mechanism will be implemented in future releases.

The security policies implemented by the runtime system can be dynamically adjusted based on the information available concerning the origin of a code fragment. The Socket class provides such an example. The Socket class implements security policies that are adjusted to reflect the trustworthiness of the code that invoked it, and transitively, the code that invoked the invoker. The information about what code began the chain of execution is available to the class in the form of which namespace contains the invoking code and what parameters are associated with that class. The class loader puts the classes it has loaded in a specific namespace, allowing the Socket class to determine the network host from which a class is loaded. Knowing the network host allows the HotJava security mechanism to determine whether the class originated inside or outside a firewall. Knowledgeable users of HotJava can decide which category of hosts to trust when loading executable code.

For example, the Socket class can implement the policy of only allowing new connections to be created that terminate at the host from whence the code was loaded. This restriction means that code loaded from outside a firewall cannot connect to other machines on the net behind the firewall. Code that comes from more trusted sources can be allowed more freedom to make connections to other machines.

As an additional defense against untrusted sources HotJava's security can be set to prevent any code from being loaded. The level of security is configurable by HotJava users.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

[*] For exactly how "very restrictive" it is, I suggest people check the source.

Mike (don't work for Sun/Netscape, etc., etc.)
--
#> Mike Shaver (shaver@ingenia.com)   Ingenia Communications Corporation <#
#> Technical Specialist -- will tame sendmail(8) for food                <#
#>                                                                        <#
#> "You are a very perverse individual, and I think I'd like to get to    <#
#>  know you better."  --- eric@reference.com                             <#

From firewalls-owner Sun Nov 5 17:53:16 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA22892 for firewalls-outgoing; Sun, 5 Nov 1995 17:24:15 -0800 (PST)
Received: from ic.co.at (ic.co.at [193.81.168.69]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id RAA22878 for ; Sun, 5 Nov 1995 17:24:08 -0800 (PST)
Received: from ic.co.at (ic.co.at [193.81.168.69]) by ic.co.at (8.7.1/8.7.1) with SMTP id DAA05303 for ; Mon, 6 Nov 1995 03:27:44 -0100
Date: Mon, 6 Nov 1995 03:27:44 -0100 (GMT-0100)
From: Michael Haberler
To: firewalls@GreatCircle.COM
Subject: ssh secure tunnels anybody?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Did anybody try to do a secure point-to-point tunnel with the ssh package from ftp.cs.hut.fi:/pub/ssh?
-michael

Michael Haberler                           mah@eunet.co.at
EUnet Austria Ltd                          MH182
A-1090 Vienna, Austria, Thurngasse 8/16    Tel: +43 (1) 31376   fax: +43 (1) 3106926

From firewalls-owner Sun Nov 5 18:23:17 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA23734 for firewalls-outgoing; Sun, 5 Nov 1995 17:55:36 -0800 (PST)
Received: from bass.com.my (bass.com.my [161.142.248.42]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id RAA23727 for ; Sun, 5 Nov 1995 17:55:10 -0800 (PST)
Received: from bass.bass.com.my (gw.bass.com.my) by bass.com.my with SMTP id AA14271 (5.67a/IDA-1.5 for ); Mon, 6 Nov 1995 09:55:49 +0800
Received: by bass.bass.com.my (4.1/SMI-4.1) id AA16621; Mon, 6 Nov 95 09:53:08 MYT
Date: Mon, 6 Nov 1995 09:41:17 +0800 (MYT)
From: Tham Huei Hwan
Subject: Check point firewall-1 and firewall-2
To: firewalls
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I have some simple questions relating to how to set up firewall-1 or firewall-2 on a Sun Netra i with an SBus quad ethernet card. What procedure should I follow to configure the quad ethernet so that my local net can talk to the Internet? What precautions should I take to configure firewall-2 to work with this quad ethernet card?
Thank you

From firewalls-owner Sun Nov 5 18:53:15 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id SAA24027 for firewalls-outgoing; Sun, 5 Nov 1995 18:06:17 -0800 (PST)
Received: from jedi.perth.wgc.com.au (jedi.perth.wgc.com.au [203.8.204.250]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id SAA24014 for ; Sun, 5 Nov 1995 18:06:09 -0800 (PST)
Received: (from root@localhost) by jedi.perth.wgc.com.au (8.6.9/) id KAA05312
Received: from cael.perth.wgc.com.au(203.8.204.3) by jedi via smap (V1.3) id sma005310; Mon Nov 6 10:17:19 1995
Received: (from peter@localhost) by cael.perth.wgc.com.au (8.6.10/8.6.10) id KAA03098 for firewalls@greatcircle.com; Mon, 6 Nov 1995 10:05:34 +0800
From: Peter Musca
Message-Id: <199511060205.KAA03098@cael.perth.wgc.com.au>
Subject: sendmail mc files??
To: firewalls@greatcircle.com (Firewalls Mailing List)
Date: Mon, 6 Nov 1995 10:05:33 +0800 (WST)
X-Mailer: ELM [version 2.4 PL11]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all,

Many months ago someone posted the appropriate m4 macro files for sendmail which configured one as a client and one as a mailhost which handles all incoming and outgoing mail. Where can I get these from?
(stupid me didn't keep a copy)

....peter
--
--------------------------------------------------------------
Peter Musca                      System/Network Administrator
Email: peter@perth.wgc.com.au    World Geoscience Corp
Phone: +61-9-273-6400            Western Australia
fax:   +61-9-273-6466
--------------------------------------------------------------

From firewalls-owner Sun Nov 5 19:23:22 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id SAA24889 for firewalls-outgoing; Sun, 5 Nov 1995 18:55:50 -0800 (PST)
Received: from dns.eng.auburn.edu (dns.eng.auburn.edu [131.204.10.13]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id SAA24879 for ; Sun, 5 Nov 1995 18:55:46 -0800 (PST)
Received: from strangelove.eng.auburn.edu.eng.auburn.edu (20663@strangelove.eng.auburn.edu [131.204.12.12]) by dns.eng.auburn.edu (8.6.12/8.6.4) with SMTP id UAA00307 for ; Sun, 5 Nov 1995 20:55:45 -0600
Date: Sun, 5 Nov 1995 20:55:45 -0600
From: Doug Hughes
Message-Id: <199511060255.UAA00307@dns.eng.auburn.edu>
To: firewalls@GreatCircle.COM
Subject: Re: Java(tm) security documentation
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It becomes readily apparent that Java may in fact be free from program correctness flaws, but it isn't at all apparent that it is free from other security flaws. The main problem I see, over and over again, is that all the security is user configurable. This leaves Java wide open to social engineering type attacks. "Click here for a really cool demo, and don't forget to disable network security!"

Not having to worry about the program accessing memory it shouldn't and pointer abuses is good, but having file and network security user configurable is scary. This is especially so when you've got 5000 undergraduates to worry about. No amount of policy can prevent somebody from eventually doing something wrong (or at least naive).

I'm still not reassured that I want to give this tool to everybody...
It still sounds easily subverted via social engineering. There are a lot of things subject to this kind of attack, but something which sits out on the web, looks "really cool", and might be fun, with explicit instructions on how to get it to run by disabling something is just too easy. It could even do something really cool, but be doing something not so cool behind the scenes.

Doug Hughes              Engineering Network Services
doug@eng.auburn.edu      Auburn University

From firewalls-owner Sun Nov 5 19:53:04 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA23145 for firewalls-outgoing; Sun, 5 Nov 1995 17:32:28 -0800 (PST)
Received: from yarrina.connect.com.au (yarrina.connect.com.au [192.189.54.17]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id RAA23097 for ; Sun, 5 Nov 1995 17:32:10 -0800 (PST)
Received: (from root@localhost) by yarrina.connect.com.au with UUCP id MAA06136 (8.6.12/IDA-1.6); Mon, 6 Nov 1995 12:31:43 +1100
Received: by junkers.lochard.com.au id AA41991 (5.65c/IDA-1.5); Mon, 6 Nov 1995 01:58:48 GMT
From: Mark
Message-Id: <199511060158.AA41991@junkers.lochard.com.au>
Subject: Re: Spoofing ISDN
To: maillet@doc.cs.usm.maine.edu (Edward Maillet)
Date: Mon, 6 Nov 1995 11:58:48 +1000 (EET)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9511020049.AA25854@doc.cs.usm.maine.edu> from "Edward Maillet" at Nov 1, 95 07:49:09 pm
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Some folks at work want to set up an ISDN dial-in connection relying
>solely on the inbound caller ID as the security measure. Is it possible
>to spoof the D channel to send fake info? I'm fairly certain there is
>a way to do it. Can anyone point me to some references so I can make a
>decent technical argument against this?

Throw words at them like corporate espionage, phreakers reprogramming switches and malicious telco employees.
Remind them that link level encryption and authentication is not that much more difficult so there is no excuse not to use it on the production system. Ask them how much their security is worth to them and how much more peace of mind they will get by knowing a heck of a lot of mathematics is protecting their transmissions.

Cheers,
Mark
mark@lochard.com.au

From firewalls-owner Sun Nov 5 22:23:08 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id VAA01433 for firewalls-outgoing; Sun, 5 Nov 1995 21:52:08 -0800 (PST)
Received: from neon.ingenia.com (neon.ingenia.com [205.207.219.29]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id VAA01426 for ; Sun, 5 Nov 1995 21:52:04 -0800 (PST)
Received: (from shaver@localhost) by neon.ingenia.com (8.6.12/8.6.9) id BAA02160; Mon, 6 Nov 1995 01:08:51 -0500
From: Mike Shaver
Message-Id: <199511060608.BAA02160@neon.ingenia.com>
Subject: Re: Java(tm) security documentation
To: Doug.Hughes@Eng.Auburn.EDU (Doug Hughes)
Date: Mon, 6 Nov 1995 01:08:51 -0500 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199511060255.UAA00307@dns.eng.auburn.edu> from "Doug Hughes" at Nov 5, 95 08:55:45 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thus spake Doug Hughes:
> It becomes readily apparent that Java may in fact be free from
> program correctness flaws, but it isn't at all apparent that it is
> free from other security flaws. The main problem I see, over and
> over again, is that all the security is user configurable.

Well, you could always write your own SecurityManager.class (talk to Anselm Baird-Smith... he's working on one right now) to drop into the appropriate directory and then have the security hard-configured. (I don't think there's a security-config option relating to Java in Netscape 2.0b, so I'll assume we're talking about HotJava.
Actually, there might be something in the .INI... should check that out.)

> It still sounds easily subverted via social engineering.

What isn't? If you allow outbound TCP, you're wide open for someone to distribute a Netscape plug-in, or a new version of ws_ftp, or what have you, and have it do nasty things security-leak-wise.

OK, let's assume that Java(tm) really is a Bad Thing. What are you going to do about it? It's out there, and if you can't trust your users to listen to your policy about "no Java!", then you can't keep it from getting in. And if you _can_ trust them to listen to you, then you can solve this with policy.

Mike
--
#> Mike Shaver (shaver@ingenia.com)   Ingenia Communications Corporation <#
#> UNIX medicine man -- dark magick, cheap!                               <#
#>                                                                        <#
#> When the going gets tough, the tough give cryptic error messages.      <#
#> "We believe in rough consensus and running code."                      <#

From firewalls-owner Sun Nov 5 22:53:02 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id WAA02483 for firewalls-outgoing; Sun, 5 Nov 1995 22:46:56 -0800 (PST)
Received: from crimson.cadvision.com (cadb184.cadvision.com [204.50.59.184]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id WAA02476 for ; Sun, 5 Nov 1995 22:46:50 -0800 (PST)
Received: (from root@localhost) by crimson.cadvision.com (8.6.9/8.6.9) id FAA01684; Fri, 2 Dec 1994 05:33:11 -0700
Date: Fri, 2 Dec 1994 05:33:02 -0700 (MST)
From: root
To: David R Conrad
cc: mulligan@incog.com, firewalls@GreatCircle.COM
Subject: Re: Man in the Middle Attacks (Over rated?)
In-Reply-To: <199511040636.PAA22590@ns.iij.ad.jp>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sat, 4 Nov 1995, David R Conrad wrote:
>
> while back (a year or so ago?) in which several very large ISPs in the
> US (and likely elsewhere) were compromised, not just once but several
> times.
Yes, and to be honest I see no reason why we should not assume most if not all of the major ISP's out there have serious or at least some security troubles. BBN who owns BARRNET as well as other internet concerns got burned quite recently. And rather severely I might add. > > the ISPs couldn't be positive: after a few attacks where the sniffers > kept the passwords in plaintext on disk, the sniffers evolved to > encrypt the collected password files so the ISP, when they did Sniffers with export setups are common place on the net. Ie. The sniffer sitting on your machine sends packets across the net to a listening port on another. Some variations include the packets being encrypted via IDEA or whatnot and then sent, while others are simply encrypting the traffic once it is recieved. Not only this but some hackers are couching their traffic in ICMP echo requests or other such non-standard (to be monitered) protocols. Al H. Mcphee ****************************************************************************** "Freedom is a meal easy to eat, but difficult to digest". -Rosseau Send all replies to mcpheea@cadvision.com ****************************************************************************** From firewalls-owner Sun Nov 5 23:23:09 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id XAA02818 for firewalls-outgoing; Sun, 5 Nov 1995 23:01:28 -0800 (PST) Received: from hk.super.net (hk.super.net [202.14.67.4]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id XAA02811 for ; Sun, 5 Nov 1995 23:01:14 -0800 (PST) Received: from rssd.hk.olivetti.com (rssd.hk.olivetti.com [202.64.192.5]) by hk.super.net (8.7.1/8.7.1) with SMTP id PAA04967 for <@hk.super.net:firewalls@greatcircle.com>; Mon, 6 Nov 1995 15:00:58 +0800 (HKT) Message-Id: <199511060700.PAA04967@hk.super.net> Subject: Re: DES export restrictions and ZyXEL To: ted@kgbvax.network.com (Ted Doty) Date: Mon, 6 Nov 1995 14:46:25 +0800 (HKT) From: "Raju M. 
Daryanani" Cc: firewalls@greatcircle.com In-Reply-To: <199511031323.IAA28999@kgbvax.network.com> from "Ted Doty" at Nov 3, 95 08:23:36 am X-Mailer: ELM [version 2.4 PL21] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk According to Ted Doty: > > (1) Is it possible for a large US company to export products using DES > > data encryption? I mean even if they get a "non-USA DES" can they > > export products including this? > Yes. We do, and many others do as well. The export restrictions have many > (well, some) instances where strong encryption can be exported. Note that Zyxel is a Taiwanese company isn't it? Why should it care about US export restrictions when it can ship product from Taiwan straight to Sweden or anywhere else in the world for that matter. Raju -- Raju M. Daryanani | Email: raju@rssd.hk.olivetti.com Technical Support Manager | raju@hk.super.net, raju@air.org Products Division | Tel: +852 2979 2450 / Fax: +852 2802 6650 Olivetti (HK) Ltd. | [Finger for PGP key] [MIME understood] From firewalls-owner Sun Nov 5 23:53:06 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id XAA03838 for firewalls-outgoing; Sun, 5 Nov 1995 23:43:34 -0800 (PST) Received: from hermes.intel.com (hermes.intel.com [143.183.152.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id XAA03831 for ; Sun, 5 Nov 1995 23:43:32 -0800 (PST) Received: from argus.intel.com by hermes.intel.com (5.65/10.0i); Sun, 5 Nov 95 23:43:35 -0800 Received: by argus.intel.com (5.65/10.0i); Sun, 5 Nov 95 23:43:34 -0800 From: sedayao@argus.intel.com (Jeffrey C. Sedayao) Message-Id: <9511060743.AA13245@argus.intel.com> Subject: Re: Man in the Middle Attacks (Over rated?) 
To: firewalls@greatcircle.com Date: Sun, 5 Nov 95 23:43:33 PST X-Mailer: ELM [version 2.4dev PL66] Mime-Version: 1.0 Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Has anyone heard of "Man in the middle attacks" at trade shows? I would think that they would be the best place to do that. I am always amazed that people login and read their mail over the Internet at shows like InterOP. Think of all the sniffers that must be there! I have seen reports that sniffing of regular voice conversations (i.e. eavesdropping) is a problem at such trade shows, but haven't heard any confirmed reports about data sniffing. -- Jeff Sedayao Intel Corporation sedayao@argus.intel.com From firewalls-owner Mon Nov 6 04:23:45 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id EAA09618 for firewalls-outgoing; Mon, 6 Nov 1995 04:12:52 -0800 (PST) Received: from icnucevx.cnuce.cnr.it (icnucevx.cnuce.cnr.it [131.114.1.30]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id EAA09604 for ; Mon, 6 Nov 1995 04:12:42 -0800 (PST) Received: from fly.cnuce.cnr.it by mailsrv.cnuce.cnr.it (PMDF V5.0-4 #9955) id <01HXBOHQ2RS6A4L6PM@mailsrv.cnuce.cnr.it> for firewalls@greatcircle.com; Mon, 06 Nov 1995 13:12:32 +0100 (MET) Received: by fly.cnuce.cnr.it (Smail3.1.26.7 #1) id m0tCQQC-00021XC; Mon, 06 Nov 1995 13:13 +0100 (MET) Date: Mon, 06 Nov 1995 13:13 +0100 (MET) From: claudio@fly.CNUCE.CNR.IT (Claudio Telmon) Subject: Re: Java(tm) security documentation To: firewalls@greatcircle.com Message-id: Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The Byte Code Verifier [...] Looks a little more complex than sendmail or telnetd... 
:)

- Claudio

From firewalls-owner Mon Nov 6 04:55:25 1995
To: Rick Smith
Cc: firewalls@greatcircle.com
Subject: Re: Tightening up SunOS 5.4 (was Re: Hardened OS)
Date: Mon, 06 Nov 1995 13:44:49 +0000
From: Michel Lavondes

In message <199511032007.OAA17966@shade.sctc.com>, Rick Smith writes:
> > I'm happy that root is just a name for uid 0, but what about
> > processes that need to be started at boot time? Will it be
> > possible to run these at boot time without an entry for root in
> > the password file, and without the setuid bits on executable
> > binaries?
>
> Actually, the term "root" is getting overloaded in this discussion.
> It has two fundamental properties of interest here: 1) it has uid 0
> which is really necessary in most Unix systems, and 2) it can override
> lots of access protections on the system. We left in 1) and
> constrained 2) using our type enforcement mechanism. Some standard
> Unix systems try to get a similar effect with chroot, with varying
> degrees of success.
>
> Rick.
> smith@sctc.com   secure computing corporation

Apologies if this sounds like nit-picking, but isn't it uid 0 that has property 2)? If so, and assuming that each "privilege area" needs its own superuser uid, and that some commands need superuser privilege in more than one area (this may well be wrong - I don't know enough about the way you implemented TE to figure it out,) it seems to me that you may wind up with up to n^n different uids, where n is the number of privilege areas. That looks like a lot of user names to make secure. OTOH, though, breaking through one may compromise your firewall far less than breaking through root on a standard Un*x box. But n^n still is quite a lot.

Plus we still don't know what are the privileges of a process started at boot time with your scheme.

Did I misunderstand the thread? Am I hopelessly clueless? Or is that a real issue?

Just my $0.0034 (FF 0.02 at 5.9 FF/$)

Michel Lavondes (lavondes@tidtest.total.fr)
#include
============================================================
= When Privacy Is Outlawed, Only Outlaws Will Have Privacy =
=    I Support the Phil Zimmermann Legal Defense Fund!     =
=  email: zldf@clark.net   http://www.netresponse.com/zldf =
============================================================
(with thanks to those who lead me into it :-))

From firewalls-owner Mon Nov 6 06:25:17 1995
From: Doug Hughes
Date: Mon, 6 Nov 1995 08:14:59 -0600
Subject: Re: Java(tm) security documentation
To: shaver@neon.ingenia.com
Cc: firewalls@greatcircle.com

>
> Well, you could always write your own SecurityManager.class (talk to
> Anselm Baird-Smith... he's working on one right now) to drop into the
> appropriate directory and then have the security hard-configured.
>
> (I don't think there's a security-config option relating to Java in
> Netscape 2.0b, so I'll assume we're talking about HotJava. Actually,
> there might be something in the .INI... should check that out.)
>

Yeah, I could, but when anybody can download a free clean copy from the Internet, what good does all that effort do me? (Yes, I'm talking about HotJava)

> > It still sounds easily subverted via social engineering.
>
> What isn't?
> If you allow outbound TCP, you're wide open for someone to distribute
> a Netscape plug-in, or a new version of ws_ftp, or what have you, and
> have it do nasty things security-leak-wise.
>

The point is that Java makes it much easier. There's no need for the user to write a sockets program or anything. Plus, Java has the magic phrase "WWW - Internet - Information Superhighway" associated with it. The problem is that Java is so user-friendly for the novice, while these other things aren't. Undergrads with absolutely no knowledge of computers can use Java to click and navigate the Internet, and can use somebody else's "new improved copy from some.site.somewhere.net"

> OK, let's assume that Java(tm) really is a Bad Thing. What are you
> going to do about it? It's out there, and if you can't trust your
> users to listen to your policy about "no Java!", then you can't keep
> it from getting in. And if you _can_ trust them to listen to you,
> then you can solve this with policy.
>
> Mike
>

So, I should just accept it's going to get in and write some words on paper that if you use it you get your hands slapped? I'd rather that they be convinced to take out the user-configurable security. I don't think Java is a bad thing, I think user-configurable security "could" be a very bad thing.

--
____________________________________________________________________________
Doug Hughes                    Engineering Network Services
System/Net Admin               Auburn University
doug@eng.auburn.edu
Apple T-shirt on Win95 - "Been there, done that"

From firewalls-owner Mon Nov 6 06:53:59 1995
Date: Mon, 6 Nov 1995 08:44:30 -0600 (CST)
From: Jim McBride
To: Mark
cc: Edward Maillet, firewalls@GreatCircle.COM
Subject: Re: Spoofing ISDN

On Mon, 6 Nov 1995, Mark wrote:
> > Some folks at work want to setup an ISDN dial-in connection relying
> > solely on the inbound caller ID as the security measure. Is it possible
> > to spoof the D channel to send fake info? I'm fairly certain there is
> > a way to do it. Can anyone point me to some references so I can make a
> > decent technical argument against this?
>
> Throw words at them like corporate espionage, phreakers reprogramming switches
> and malicious telco employees. Remind them that link level encryption and
> authentication is not that much more difficult so there is no excuse not to
> use it on the production system.
>
> Ask them how much their security is worth to them and how much more peace of
> mind they will get by knowing a heck of a lot of mathematics is protecting
> their transmissions.
>
> Cheers,
> Mark
> mark@lochard.com.au
>

And keep in mind while spouting this that you are completely and utterly full of sh*t.
Again, per my previous post, I would like somebody to explain to me how you think you can forge a clid even with switch access. If you can prove me wrong, great... but I don't think you can.

--Jim

From firewalls-owner Mon Nov 6 08:27:55 1995
Date: Mon, 6 Nov 1995 08:09:35 -0800 (PST)
From: Bob Bosen
Subject: Re: Info about Secure Net and Secure ID
To: Einar Landre
cc: firewalls@greatcircle.com

On Sun, 5 Nov 1995, Einar Landre wrote:
> Hi,
>
> In the documentation from TIS regarding user authentication,
> two commercial vendors / products are mentioned.
>
> Digital Pathways with Secure Net
> Security Dynamics with Secure ID
>
> Can somebody tell me where to find information about the two ??
>
> Regards Einar
> ------------------------------------------------------
> Einar Landre, Senior Consultant
> Skrivervik Data AS      Phone: +47 22 18 58 27
> Post Box 3885           Fax:   +47 22 18 59 98
> Ullevaal Hageby         E-mail: einar.landre@sdata.no
> N-0805 Oslo, Norway
>

Both of these companies have web pages:

www.securid.com
www.digpath.com

Regards,

Bob Bosen
Enigma Logic Inc.
2151 Salvio St. #301
Concord, CA 94520 USA
Tel: +1 510 827-5707
Internet: bbosen@netcom.com
http://www.safeword.com
ftp://ftp.safeword.com/
**************************************************************************
* "It wasn't me!!! Somebody must have captured my username/password!!!"  *
**************************************************************************

From firewalls-owner Mon Nov 6 09:11:12 1995
Date: Mon, 6 Nov 95 11:37:28 -0500
From: "K Goertzel"
To: firewalls@GreatCircle.COM
Subject: Re: Anecdotes or Firewall/NetSec Jokes

In message <9511051641.AA01999@sonic.nmti.com.nmti.com> Peter da Silva writes:
> > > I'll be speaking at a number of seminars in the next three weeks,
> > > and I think it would be nice to have some intelligent humorous
> > > jokes or anecdotes to start my talks off.
>
> > How about Microsoft, they are the biggest joke going.
>
> Unfortunately this is sounding more and more like graveyard humor. They're
> selling very effectively, no matter how awful their product is.

And McDonald's is never going to rate even 1 Michelin star, let alone five. Those of us who are more discerning in what we eat, and what software we buy, refuse to accept the lowest common denominator just because it's popular.

Karen Goertzel
Manager, International Programmes
Secure Systems and Services Operation
Wang Federal, Inc.
7900 Westpark Drive - MS 700
McLean, Virginia 22102-4299
TEL: 703-827 3914
FAX: 703-827 3161
Internet: goertzek@wangfed.com
+-----------------------------------------------------------+
| So far, everybody will agree with me. This proves either  |
| that I am hopelessly wrong, or that the world has had at  |
| least a half century to think the matter over in.         |
|                                  - George Bernard Shaw    |
+-----------------------------------------------------------+

From firewalls-owner Mon Nov 6 09:23:19 1995
Subject: Re: Tightening up SunOS 5.4 (was Re: Hardened OS)
To: lavondes@tidtest.total.fr (Michel Lavondes)
Date: Mon, 6 Nov 1995 14:55:17 +0000 (GMT)
From: "Martin Cooper"
Cc: firewalls@greatcircle.com

> In message <199511032007.OAA17966@shade.sctc.com>, Rick Smith writes:
> > > I'm happy that root is just a name for uid 0, but what about
> > > processes that need to be started at boot time? Will it be
> > > possible to run these at boot time without an entry for root in
> > > the password file, and without the setuid bits on executable
> > > binaries?
> >
> > Actually, the term "root" is getting overloaded in this discussion.
> > It has two fundamental properties of interest here: 1) it has uid 0
> > which is really necessary in most Unix systems, and 2) it can override
> > lots of access protections on the system. We left in 1) and
> > constrained 2) using our type enforcement mechanism. Some standard
> > Unix systems try to get a similar effect with chroot, with varying
> > degrees of success.
> >
> > Rick.
> > smith@sctc.com   secure computing corporation
>
> Apologies if this sounds like nit-picking, but isn't it uid 0 that
> has property 2)? If so, and assuming that each "privilege area" needs
> its own superuser uid, and that some commands need superuser privilege
> in more than one area (this may well be wrong - I don't know enough
> about the way you implemented TE to figure it out,) it seems to me
> that you may wind up with up to n^n different uids, where n is the
> number of privilege areas. That looks like a lot of user names to
> make secure. OTOH, though, breaking through one may compromise your
> firewall far less than breaking through root on a standard Un*x box.
> But n^n still is quite a lot.
>
> Plus we still don't know what are the privileges of a process
> started at boot time with your scheme.
>
> Did I misunderstand the thread? Am I hopelessly clueless? Or is
> that a real issue?

What I'm not yet sure of, is whether it is possible to have no users, and have all necessary processes be spawned at boot time from uid 0 processes, and any sub-processes be spawned from them, without an entry for root in the passwd file. I thought Rick had posted to the list saying that having no root entry for uid 0 would cause problems with booting into single user mode, but perhaps it was someone else.

Rick, are you saying that although you have removed root's passwd entry, you have created other usernames and given them permissions specific to specific tasks? Is it possible to boot into single user mode, or reboot at all, on your system as it is?

Martin
--
Martin Cooper      http://www.foobar.co.uk/~mjc/    mjc@foobar.co.uk
Foobar Internet    http://www.foobar.co.uk/         sales@foobar.co.uk
Phone: +44 (0)116 2330033    Fax: +44 (0)116 2330035
The Magazine Business Centre, Newarke Street, LEICESTER, LE1 5SS

From firewalls-owner Mon Nov 6 09:53:31 1995
From: peter@nmti.com (Peter da Silva)
Subject: Re: OTPs: clarification
To: mjr@iwi.com
Date: Mon, 6 Nov 1995 09:43:31 -0600 (CST)
Cc: firewalls@GreatCircle.COM

> Be that as it may: avoid misusing terms of the trade.
> There is no such thing as random data available to both parties
> without a communication channel someplace in the system to
> convey it. Unless you accept action at a distance. In which
> case you still only have one source of randomness. :)

Back to the Aspect Experiment and Quantum Mechanical crypto?
From firewalls-owner Mon Nov 6 10:31:59 1995
From: peter@nmti.com (Peter da Silva)
Subject: Re: Java(tm) security documentation
To: shaver@neon.ingenia.com (Mike Shaver)
Date: Mon, 6 Nov 1995 09:58:55 -0600 (CST)
Cc: Doug.Hughes@Eng.Auburn.EDU, firewalls@GreatCircle.COM

> > It still sounds easily subverted via social engineering.

> What isn't?
> If you allow outbound TCP, you're wide open for someone to distribute
> a Netscape plug-in, or a new version of ws_ftp, or what have you, and
> have it do nasty things security-leak-wise.

Yeh, but that's not something that can be subverted with two apparently innocent clicks.

From firewalls-owner Mon Nov 6 10:53:21 1995
Date: Mon, 6 Nov 1995 11:30:45 -0700
From: Richard Kandarian
Subject: Re: Anecdotes or Firewall/NetSec Jokes
Apparently-To: firewalls@GreatCircle.COM

> > > I'll be speaking at a number of seminars in the next three weeks,
> > > and I think it would be nice to have some intelligent humorous
> > > jokes or anecdotes to start my talks off.
>
> > How about Microsoft, they are the biggest joke going.
>
> Unfortunately this is sounding more and more like graveyard humor. They're
> selling very effectively, no matter how awful their product is.

Brings to mind the joke which ends:

...billions and billions of flies can't be wrong!

From firewalls-owner Mon Nov 6 11:39:09 1995
From: Mike Williams
To: firewalls@greatcircle.com
Subject: Generic Proxy
Date: Mon, 06 Nov 1995 18:34:36 GMT

I can't believe this hasn't been discussed before but as I'm relatively new to the list please forgive my ignorance.

Does anybody know of a generic tcp/udp proxy which does not suffer from the limitations of the likes of plug-gw (no slight intended), i.e. will support one-to-many connections to the same destination port?

Is the answer to this client code that always connects to the proxy but furnishes it with a name and destination port number of the ultimate destination? Does a, dare I suggest, standard exist for such communication?

Grateful for any feedback,

Mike.

From firewalls-owner Mon Nov 6 11:56:09 1995
From: peter@nmti.com (Peter da Silva)
Subject: Re: Java(tm) security documentation
To: shaver@neon.ingenia.com (Mike Shaver)
Date: Mon, 6 Nov 1995 09:53:09 -0600 (CST)
Cc: firewalls@GreatCircle.COM

> The tests range from simple verification that the format of a code
> fragment is correct, to passing through a simple theorem prover to
> establish that the code fragment plays by the rules--that it doesn't
> forge pointers, it doesn't violate access restrictions, and it
> accesses objects as what they are (for example, that "InputStream"
> objects are always used as "InputStreams" and never as anything
> else).

I would be much happier if this read "the Java bytecode interpreter doesn't provide any mechanism to forge pointers, violate access restrictions, and access objects other than what they are (for example, an "InputStream" object is always accessed through the "InputStream" mechanism... the interpreter won't allow anything else to manipulate it). This whole "theorem prover" business strikes me as very very dangerous.

A full interpreter that presented a higher level interface to the bytecode stream would perhaps be less efficient, but it would be inherently safe. This seems very much like the Burroughs approach to virtual memory and access control... without the requirement that a compiler be a trusted piece of code.

I simply don't trust it. Sorry.

From firewalls-owner Mon Nov 6 12:12:29 1995
Subject: Re: What about the next 20 Java-like applications? ( was Re: Java)
To: peter@nmti.com (Peter da Silva)
Date: Mon, 6 Nov 1995 18:25:54 +0000 (GMT)
From: "Martin Cooper"
Cc: firewalls@greatcircle.com

> Just ask them... "would you put a TV in your house with a remotely operated
> surveillance camera built in? That's what you could be doing if you just run
> untrusted applications on an Internet-connected computer."

More like a remote controlled bomb with on-board surveillance camera in your TV, I would have said.
Martin
--
Martin Cooper   http://www.foobar.co.uk/~mjc/   mjc@foobar.co.uk
Foobar Internet http://www.foobar.co.uk/        sales@foobar.co.uk
Phone: +44 (0)116 2330033   Fax: +44 (0)116 2330035
The Magazine Business Centre, Newarke Street, LEICESTER, LE1 5SS

From firewalls-owner Mon Nov 6 12:26:52 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id LAA18634 for firewalls-outgoing; Mon, 6 Nov 1995 11:17:13 -0800 (PST)
Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id LAA18625 for ; Mon, 6 Nov 1995 11:16:36 -0800 (PST)
Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id NAA20730; Mon, 6 Nov 1995 13:51:29 -0600
Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id NAA20726; Mon, 6 Nov 1995 13:51:28 -0600
Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id NAA18142; Mon, 6 Nov 1995 13:17:00 -0600 (CST)
Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id NAA20280; Mon, 6 Nov 1995 13:16:58 -0600
From: Rick Smith
Message-Id: <199511061916.NAA20280@shade.sctc.com>
Subject: Re: Tightening up SunOS 5.4 (was Re: Hardened OS)
To: lavondes@tidtest.total.fr (Michel Lavondes)
Date: Mon, 6 Nov 1995 13:16:58 -0600 (CST)
Cc: smith@sctc.com, firewalls@greatcircle.com
In-Reply-To: <9511061344.AA00333@tidtest.total.fr> from "Michel Lavondes" at Nov 6, 95 01:44:49 pm
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Apologies if this sounds like nit-picking, but isn't it uid 0 that
> has property 2) ? If so, and assuming that each "privilege area" needs
> its own superuser uid, and that some commands need superuser privilege
> in more than one area (this may well be wrong - I don't know enough
> about the way you implemented TE to figure it out,) it seems to me
> that you may wind up with up to n^n different uid's, where n is the
> number of privilege areas.

Type Enforcement essentially breaks the system up into a bunch of separate "domains," each with a set of access permissions for talking to other resources on the system. Resources are assigned "types" and access permissions are assigned on a domain-type or domain-domain basis.

If you're running uid 0 (or any other uid) within a given domain, your access permissions are constrained first by your uid (i.e. hardly at all if you're root) and second by Type Enforcement, even if you are root.

For example, if you're running as root in the context of the Web server software, you can override the standard Unix protections on the password file, but you'll be blocked by Type Enforcement, which doesn't allow the Web server to access the password file (well, at least the one with hashed passwords).

So you get the effect of nxn privilege areas without actually defining a zillion new uids and associated user names.

> Plus we still don't know what are the privileges of a process
> started at boot time with your scheme.
> Did I misunderstand the thread ? Am I hopelessly clueless ? Or is
> that a real issue ?

As far as Type Enforcement is concerned, the permissions are all set up in a static data file that can't be changed during normal system operation. And in a sense this is the "real issue." If somebody (root, for instance) can change privileges during normal system operation, then an attacker can probably do so, too.

Rick.
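A toy model of the two-stage check Rick describes, added here as an example and not code from the list or from Secure Computing's product. The domain names, type names, policy table and file records are all constructed; the point it shows is that root in the Web server domain still cannot read the hashed-password file, and that the policy table cannot be edited once loaded.

```python
"""Toy model of Type Enforcement layered on top of Unix permissions.
Added example; domain names, type names and the policy table are constructed,
not taken from any real TE configuration."""
from dataclasses import dataclass
from types import MappingProxyType

# Permission bit an operation needs within one rwx triplet of a Unix mode.
OP_BITS = {"read": 4, "write": 2, "execute": 1}


@dataclass(frozen=True)
class File:
    path: str
    owner_uid: int
    mode: int       # Unix permission bits, e.g. 0o644
    te_type: str    # Type Enforcement type assigned to the resource


def _freeze(table):
    """Wrap the policy so nothing can modify it after loading: the TE table is
    meant to be a static data file, not something root can edit at run time."""
    return MappingProxyType({
        domain: MappingProxyType({t: frozenset(ops) for t, ops in types.items()})
        for domain, types in table.items()
    })


# domain -> type -> allowed operations (constructed policy)
TE_POLICY = _freeze({
    "WebServer_d": {"WebContent_t": {"read"}, "Config_t": {"read"}, "Log_t": {"write"}},
    "Login_d":     {"Shadow_t": {"read"}, "Config_t": {"read"}, "Log_t": {"write"}},
    "Passwd_d":    {"Shadow_t": {"read", "write"}, "Config_t": {"read"}},
})


def dac_allows(uid, op, f):
    """Ordinary Unix check: root passes unconditionally; other uids use the
    owner or 'other' bits (group bits omitted to keep the model short)."""
    if uid == 0:
        return True
    bits = (f.mode >> 6) if uid == f.owner_uid else f.mode
    return bool(bits & 0o7 & OP_BITS[op])


def te_allows(domain, op, f):
    """Type Enforcement check: the (domain, type) pair must list the operation."""
    return op in TE_POLICY.get(domain, {}).get(f.te_type, frozenset())


def access(uid, domain, op, f):
    """Decide an access request. Returns (allowed, reason). DAC is consulted
    first, then TE; root passes DAC but is still bound by the TE table."""
    if op not in OP_BITS:
        raise ValueError(f"unknown operation {op!r}")
    if not dac_allows(uid, op, f):
        return False, "denied by Unix permissions"
    if not te_allows(domain, op, f):
        return False, "denied by Type Enforcement"
    return True, "allowed"


def policy_is_immutable():
    """The 'real issue' in the thread: a policy that can be edited during normal
    operation can be edited by an attacker. True if a run-time grant fails."""
    try:
        TE_POLICY["WebServer_d"]["Shadow_t"] = frozenset({"read"})
    except TypeError:
        return True
    return False


# Constructed sample resources.
SHADOW = File("/etc/shadow", owner_uid=0, mode=0o400, te_type="Shadow_t")
INDEX = File("/var/www/index.html", owner_uid=0, mode=0o644, te_type="WebContent_t")

if __name__ == "__main__":
    for uid, domain, op, f in [
        (0, "WebServer_d", "read", SHADOW),    # root, but in the wrong domain
        (0, "Login_d", "read", SHADOW),        # root in the login domain
        (1001, "Login_d", "read", SHADOW),     # right domain, DAC blocks it
        (1001, "WebServer_d", "read", INDEX),
    ]:
        print(f"uid {uid:>4} in {domain:<12} {op:<5} {f.path:<20} ->",
              access(uid, domain, op, f)[1])
    print("policy immutable at run time:", policy_is_immutable())
```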
From firewalls-owner Mon Nov 6 12:53:25 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id MAA20117 for firewalls-outgoing; Mon, 6 Nov 1995 12:34:33 -0800 (PST)
Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id MAA20098 for ; Mon, 6 Nov 1995 12:34:17 -0800 (PST)
Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id PAA23292; Mon, 6 Nov 1995 15:08:21 -0600
Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id PAA23288; Mon, 6 Nov 1995 15:08:21 -0600
Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id OAA19637; Mon, 6 Nov 1995 14:33:50 -0600 (CST)
Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id OAA24039; Mon, 6 Nov 1995 14:33:49 -0600
Date: Mon, 6 Nov 1995 14:33:49 -0600
From: Rick Smith
Message-Id: <199511062033.OAA24039@shade.sctc.com>
To: firewalls@greatcircle.com
Cc: smith@sctc.com, shaver@neon.ingenia.com
Subject: Re: What about the next 20 Java-like applications? ( was Re: Java)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mike Shaver writes:
>As per the Java documentation, applets do not (under the default
>configuration) have any (direct) access to the filesystem. ...etc.

Note the dirty word: DEFAULT. The whole problem is that they have a bunch of different configuration settings. When you read about "really kool stuff" in Java, it usually turns out that none of it works when you're in the DEFAULT mode.

Now you've placed policy enforcement in the hands of the most vulnerable people: untrained workstation users who might not know what the security implications of Default/UnDefault HotJava really are.

Rick.
smith@sctc.com          secure computing corporation

From firewalls-owner Mon Nov 6 13:23:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id NAA21254 for firewalls-outgoing; Mon, 6 Nov 1995 13:16:01 -0800 (PST)
Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id NAA21237 for ; Mon, 6 Nov 1995 13:15:34 -0800 (PST)
Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id PAA24600; Mon, 6 Nov 1995 15:49:54 -0600
Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id PAA24596; Mon, 6 Nov 1995 15:49:53 -0600
Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id PAA20265; Mon, 6 Nov 1995 15:15:21 -0600 (CST)
Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id PAA25628; Mon, 6 Nov 1995 15:15:20 -0600
Date: Mon, 6 Nov 1995 15:15:20 -0600
From: Rick Smith
Message-Id: <199511062115.PAA25628@shade.sctc.com>
To: firewalls@greatcircle.com
Cc: smith@sctc.com, mjr@iwi.com
Subject: Firewall Sales Tactics
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

"Marcus J. Ranum" wrote:

> Don't dignify such scummy sales practices by even deigning
>to respond to them. I've run into about a dozen situations in the
>last year where sales reptiles have claimed that their competitors'
>products have been compromised. Whether it's true or not (and I
>doubt it usually is) there is only one correct response, and that
>is to look the sales rep in the eye and tell it something like:
> "Thank you for your time, but by telling me unsubstantiated
>stories about how bad your competition's product is, you are doing
>nothing more than putting the entire market area where you work
>(firewalls) in doubt. Your business practices are something we
>have to take into account when we purchase a product, and you've
>just shown that you'll stop at nothing to make a sale. Good day."
>Show them the door.

Thank you, Marcus, for starting this thread. It led to lots of discussion among sales people and engineers around here. Our VP of Sales has just passed the word (for those unsure) that sales people are not to talk directly about competitors or disparage competing products. Anything less skates too close to the edge of unethical behavior.

I think it's interesting that IBM long held such a policy, according to ex-IBMers around here. I grew up loathing OS/JCL, punched cards, and mainframe mentality. I'm charmed to finally figure out what they were doing right.

Rick.
smith@sctc.com          secure computing corporation

From firewalls-owner Mon Nov 6 13:55:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id NAA21811 for firewalls-outgoing; Mon, 6 Nov 1995 13:24:38 -0800 (PST)
Received: from gauntlet-1.trusted.com ([204.254.155.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id NAA21803 for ; Mon, 6 Nov 1995 13:24:31 -0800 (PST)
Received: by gauntlet-1.trusted.com; id QAA07788; Mon, 6 Nov 1995 16:26:57 -0500
Received: from unknown(10.0.1.126) by gauntlet-1.trusted.com via smap (g3.0.3) id xma007784; Mon, 6 Nov 95 16:26:40 -0500
Received: from vanidor.trusted.com by hilo.trusted.com with SMTP (1.37.109.4/16.2) id AA01619; Mon, 6 Nov 95 16:24:27 -0500
Message-Id: <9511062124.AA01619@hilo.trusted.com>
X-Sender: avolio@hilo.trusted.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 06 Nov 1995 16:24:20 -0500
To: "Moubray, Steve" , "'firewalls@greatcircle.com'"
From: Frederick M Avolio
Subject: Re: WWW & Proxy Servers
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 07:19 PM 11/5/95 -0600, Moubray, Steve wrote:
>I recently dealt with this and found out that only ANS supported such a
>system (at least they were the only ones to respond to my v-mail, e-mail and
>letters).

Yes, they support it with reusable passwords.

Fred

From firewalls-owner Mon Nov 6 14:24:19 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id LAA19296 for firewalls-outgoing; Mon, 6 Nov 1995 11:46:46 -0800 (PST)
Received: from sunthing.sjsinc.com (sunthing.sjsinc.com [140.174.165.1]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id LAA19287 for ; Mon, 6 Nov 1995 11:46:38 -0800 (PST)
Received: by sunthing.sjsinc.com Mailer: sendmail (8.6.12/8.6.9) Protocol: Id: LAA04561; Mon, 6 Nov 1995 11:46:23 -0800
Date: Mon, 6 Nov 1995 11:46:23 -0800
From: sjs@sunthing.sjsinc.com (Stefan Jon Silverman)
Message-Id: <199511061946.LAA04561@sjsinc.com>
To: firewalls@greatcircle.com
Subject: Re: Anecdotes or Firewall/NetSec Jokes
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Folks:

> > > I'll be speaking at a number of seminars in the next three weeks,
> > > and I think it would be nice to have some intelligent humorous
> > > jokes or anecdotes to start my talks off.

The attached is more attuned to Unix sys/net-admins rather than purely firewall maintainers, BUT, since several of us double up on jobs, or have to prove to our clients that we are indeed super-natural, I submit the following from alt.folklore.computers a couple of months ago ....and don't forget to sacrifice a goat today...

Regards, b c++'ing u, %-)

sjs
-------------------------------------------------------------------------------
Stefan Jon Silverman - President                    SJS Associates, N.A., Inc.
                                                    572 Chestnut Street
Distributed Systems Architecture & Implementation   San Francisco, Ca. 94133
Phone: 415 989 2741   Fax: 415 989 7250
E-mail: sjs@sjsinc.com   Cell: 415 519 3494
-------------------------------------------------------------------------------
Weebles wobble, but they don't fall down!!!
-------------------------------------------------------------------------------

----- Begin Included Message -----

Subject: The Dark Rituals of Unix
Date: Wed, 13 Sep 1995 12:46:41 GMT
From: ogre@netcom.com (Mr. Ogre)
Organization: ftp://ftp.netcom.com/pub/og/ogre/home.html
Newsgroups: alt.religion.kibology, alt.folklore.computers, alt.irc, alt.religion.emacs

Recently I've been spending some of my valuable free time hanging out on IRC, mostly on #unix, the channel where crusty old fart^H^H^H^HUnix gurus /kick people for asking questions. Note I didn't say "stupid questions" or "questions unrelated to Unix" I just said questions.

Anyway, I, as a good samaritan, occasionally try to answer a question. Now what really bugs me is that people never take me seriously. Animal sacrifice is no joking matter, if I tell you you need to sacrifice a goat with a vorpal blade on an altar of granite in order to untar your file, I mean it. The man page for tar even says so. The reason most people don't realize this is that the man page is purposefully confusing in order to keep the unskilled practitioners from hurting themselves.

Furthermore, the number of cats present in your household is an important factor in determining the exact ritual for virtually every Unix command. When I ask you to supply this information, I am not being frivolous or misleading. To answer your question about what program you use to rename a file, I desperately need to know the strength of the feline aura in your vicinity.

In the future, please realize that I know more than you, and that all my questions are relative to your problem, whether or not it seems that way to you.

Joe AKA MrOgre, often found on #unix in the dark hours when the mana runs hot through the circuits of Unix boxen.
----- End Included Message -----

From firewalls-owner Mon Nov 6 15:18:29 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id OAA25961 for firewalls-outgoing; Mon, 6 Nov 1995 14:49:02 -0800 (PST)
Received: from dns.sprintcorp.com (dns.sprintcorp.com [144.230.1.35]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id JAA16350 for ; Mon, 6 Nov 1995 09:56:54 -0800 (PST)
Received: from qm.sprintcorp.com by dns.sprintcorp.com (5.4R3.10/200.2.1.5) id AA27541; Mon, 6 Nov 1995 11:57:58 -0600
Message-Id:
Date: 6 Nov 1995 12:00:11 -0500
From: "Ken Melrose"
Subject: HELP ! Advice Needed.
To: "firewalls-digest@GreatCircle.CO"
Cc: "Ken Melrose"
X-Mailer: Mail*Link SMTP-QM 3.0.2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Subject:                                        Time: 11:29 AM
OFFICE MEMO    HELP ! Advice Needed.            Date: 11/6/95

PROBLEM: I need to establish a "temporary" Firewall/Gateway using the workstation mentioned below in order to connect three internal networks. Two of these networks use "Private Address Space" allocated from the NIC, and the other uses "Legal Address Space" allocated from the NIC.

Currently I have the following workstation:

   Sun SPARC 2
   Solaris 1.1.1/SunOS 4.1.3 U1
   64 Meg RAM
   340 Meg Hard Drive
   Ethernet Interface Card
   3 1/2 Floppy Disk Drive

The first Network serves the business community (mail, applications, etc.) in addition to connecting to the Internet.

The second Network serves internal management and control systems and is completely internal with no external connections (outside world).

The third Network serves internal labs and is completely internal with no external connections (outside world).

1) How can I best utilize the workstation above to establish the appropriate Firewall/Gateway?

2) What are the steps to actually go about doing this?
   - configuration of workstation
   - configuration of routers
   - deleting of specific workstation software
   - etc.

I would appreciate any help/input anyone can provide. I don't have much time to accomplish this task (about 2 weeks). Again this is just for "temporary" use only.

Thanks,
Ken

From firewalls-owner Mon Nov 6 15:54:34 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id PAA26990 for firewalls-outgoing; Mon, 6 Nov 1995 15:25:14 -0800 (PST)
Received: from icicle (icicle.winternet.com [198.174.169.5]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id PAA26983 for ; Mon, 6 Nov 1995 15:25:10 -0800 (PST)
Received: from parka (dufresne@parka.winternet.com [198.174.169.9]) by icicle (8.6.12/8.6.12) with ESMTP id RAA14761 for ; Mon, 6 Nov 1995 17:25:19 -0600
Received: (from dufresne@localhost) by parka (8.6.12/8.6.12) id RAA24696; Mon, 6 Nov 1995 17:25:18 -0600
Posted-Date: Mon, 6 Nov 1995 17:25:18 -0600
Date: Mon, 6 Nov 1995 17:25:17 -0600 (CST)
From: Ron DuFresne
To: firewalls@GreatCircle.COM
Subject: fairly recent web server compromise...
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Peoples,

Wasn't but a couple of months ago that a major Hollywood motion pictures firm's web server was compromised and files served up by it were altered. I think it was something like www.umga.com or some such thing, was in retaliation for the pending release of the movie hackers...

Anyway, does anyone have info regarding such tid-bits as:

   OS of this box
   WWW server SW that was in use
   various other goodies?

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
From firewalls-owner Mon Nov 6 16:42:07 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id PAA27114 for firewalls-outgoing; Mon, 6 Nov 1995 15:29:48 -0800 (PST)
Received: from dns.sprintcorp.com (dns.sprintcorp.com [144.230.1.35]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id PAA27105 for ; Mon, 6 Nov 1995 15:29:44 -0800 (PST)
Received: from qm.sprintcorp.com by dns.sprintcorp.com (5.4R3.10/200.2.1.5) id AA01695; Mon, 6 Nov 1995 17:30:24 -0600
Message-Id:
Date: 6 Nov 1995 17:30:35 -0500
From: "Ken Melrose"
Subject: FWD>HELP ! Advice Needed.
To: "firewalls-digest@GreatCircle.CO"
Cc: "Ken Melrose"
X-Mailer: Mail*Link SMTP-QM 3.0.2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Subject:                                        Time: 11:29 AM
OFFICE MEMO    FWD>HELP ! Advice Needed.        Date: 11/6/95

PROBLEM: I need to establish a "temporary" Firewall/Gateway using the workstation mentioned below in order to connect three internal networks. Two of these networks use "Private Address Space" allocated from the NIC, and the other uses "Legal Address Space" allocated from the NIC.

Currently I have the following workstation:

   Sun SPARC 2
   Solaris 1.1.1/SunOS 4.1.3 U1
   64 Meg RAM
   340 Meg Hard Drive
   Ethernet Interface Card
   3 1/2 Floppy Disk Drive

The first Network serves the business community (mail, applications, etc.) in addition to connecting to the Internet.

The second Network serves internal management and control systems and is completely internal with no external connections (outside world).

The third Network serves internal labs and is completely internal with no external connections (outside world).

1) How can I best utilize the workstation above to establish the appropriate Firewall/Gateway?

2) What are the steps to actually go about doing this?
   - configuration of workstation
   - configuration of routers
   - deleting of specific workstation software
   - etc.

I would appreciate any help/input anyone can provide. I don't have much time to accomplish this task (about 2 weeks). Again this is just for "temporary" use only.

Thanks,
Ken

From firewalls-owner Mon Nov 6 19:29:16 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id TAA02290 for firewalls-outgoing; Mon, 6 Nov 1995 19:00:03 -0800 (PST)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id SAA02257 for ; Mon, 6 Nov 1995 18:59:56 -0800 (PST)
Received: from pm3-07.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA07320; Mon, 6 Nov 95 19:59:22 -0500
Date: Mon, 6 Nov 95 19:59:22 -0500
Message-Id: <9511070059.AA07320@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.com
From: frankw@in.net (Frank Willoughby)
Subject: Re: Firewall Sales Tactics
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>"Marcus J. Ranum" wrote:
>
>> Don't dignify such scummy sales practices by even deigning
>>to respond to them. I've run into about a dozen situations in the
>>last year where sales reptiles have claimed that their competitors'
>>products have been compromised. Whether it's true or not (and I
>>doubt it usually is) there is only one correct response, and that
>>is to look the sales rep in the eye and tell it something like:
>> "Thank you for your time, but by telling me unsubstantiated
>>stories about how bad your competition's product is, you are doing
>>nothing more than putting the entire market area where you work
>>(firewalls) in doubt. Your business practices are something we
>>have to take into account when we purchase a product, and you've
>>just shown that you'll stop at nothing to make a sale. Good day."
>>Show them the door.
>
>Thank you, Marcus, for starting this thread. It led to lots of
>discussion among sales people and engineers around here. Our VP of
>Sales has just passed the word (for those unsure) that sales people
>are not to talk directly about competitors or disparage competing
>products. Anything less skates too close to the edge of unethical
>behavior.
>

Speaking of ethical behaviour, I take it then that the infamous "Challenge" has been dropped and replaced by a true contest where people are challenged to go _thru_ the firewall to a system on the inside (which mirrors a real-world environment), and that the nonexistent (if it isn't being shipped, it is nonexistent) "content filtering" has been retracted/recalled from brochures, web pages, etc.

>I think it's interesting that IBM long held such a policy, according
>to ex-IBMers around here. I grew up loathing OS/JCL, punched cards,
>and mainframe mentality. I'm charmed to finally figure out what they
>were doing right.

I share your love of Big Blue. 8^) One must admit however, that their sales force must be pretty awesome to keep selling the mainframes like they have/are - in spite of the advances in technology and the money they are asking. BTW, their crypto people aren't too shabby either.

Best Regards,

Frank

>
>Rick.
>smith@sctc.com          secure computing corporation
>
>
>

From firewalls-owner Mon Nov 6 19:53:00 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id TAA02643 for firewalls-outgoing; Mon, 6 Nov 1995 19:22:24 -0800 (PST)
Received: from the-link.com (master.the-link.com [204.221.32.253]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id TAA02636 for ; Mon, 6 Nov 1995 19:22:20 -0800 (PST)
Received: (from endrizzi@localhost) by the-link.com (8.6.9/8.6.9) id QAA03075; Mon, 6 Nov 1995 16:31:32 -0500
Date: Mon, 6 Nov 1995 16:31:31 +0000
From: "Michael J. Endrizzi"
Subject: Facts on Break-Ins
To: firewalls@GreatCircle.COM
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm looking for research on computer security violations. Any data is great but more specifically:

1) Ratio of internal (e.g. employee) attacks vs external attacks
2) Ratio of dial-in vs. firewall attacks

I am familiar with the latest Sept 95 CSI report.

thanks,
dreez

-----------------------------------------------
Michael J. Endrizzi/InterSec Communications Inc.
7020 145th Street West, Apple Valley, MN 55124
mje@the-link.com   612-432-0509/1107
Internet and Computer Security Consulting

From firewalls-owner Tue Nov 7 09:38:36 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA28626 for firewalls-outgoing; Tue, 7 Nov 1995 08:32:07 -0800 (PST)
Received: from ncar.UCAR.EDU (ncar.ucar.edu [192.52.106.6]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id IAA28610 for ; Tue, 7 Nov 1995 08:32:03 -0800 (PST)
Message-Id: <199511071631.JAA00560@ncar.ucar.EDU>
Received: by ncar.ucar.EDU (NCAR Local/ NCAR Central Post Office 03/11/93) id JAA00560; Tue, 7 Nov 1995 09:31:49 -0700 (MST)
Subject: Re: Info about Secure Net and Secure ID
To: vin@shore.net (Vin McLellan)
Date: Tue, 7 Nov 95 9:31:49 MST
Cc: einar.landre@sdata.no, firewalls@GreatCircle.COM, sdi@shore.net
In-Reply-To: ; from "Vin McLellan" at Nov 7, 95 2:48 am
From: woods@ncar.ucar.edu (Greg Woods)
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> The DPI token is called a "SecureNet Key" and is generally
> supported by DPI's Defender software.
> The SDI token, called a SecurID, is supported by SDI's ACE access
> control software. Contact info follows:

You can also use the SecureNet Key with the TIS toolkit, without any additional software.
To use SecurID, with or without TIS, you *must* buy and license the ACE software (and they charge through the nose for it).

The users who have helped us with testing tend to prefer the SecurID because it is somewhat less awkward to use (SecurID just gives you a password that changes with time, for SecureNet you have to enter a PIN and a challenge into the token which then computes the proper response to the challenge). SecurID also has partnerships with several vendors (cisco, annex/xylogics) so that their cards can be used with these vendors' devices without modification to vendor software (I'm working on modifying the Annex "erpcd" code to work with the SecureNet Key; anybody done this already?)

--Greg

From firewalls-owner Tue Nov 7 10:27:23 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA05013 for firewalls-outgoing; Tue, 7 Nov 1995 09:11:09 -0800 (PST)
Received: from relay5.UU.NET (relay5.UU.NET [192.48.96.15]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id JAA05007 for ; Tue, 7 Nov 1995 09:11:01 -0800 (PST)
Received: from uucp6.UU.NET by relay5.UU.NET with SMTP id QQzovs16143; Tue, 7 Nov 1995 12:11:06 -0500 (EST)
Received: from vanguard.UUCP by uucp6.UU.NET with UUCP/RMAIL ; Tue, 7 Nov 1995 12:11:06 -0500
Received: by vanguard.hmp.com (UUPC/extended 1.12b); Tue, 07 Nov 1995 09:16:10 MST
Date: Tue, 07 Nov 1995 09:16:09 MST
From: "Scott Deshaies"
Message-ID: <309f864a.vanguard@vanguard.hmp.com>
Organization: High Mountain Press, Inc.
To: "Firewalls Mailing List"
Subject: Weird Netscape Navigator functions?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all-

In two different trade magazines recently, I've read a few things about Netscape's Navigator that made me go "Hmm?".
The first was the CEO of Netscape saying something to the effect that "..we know how many people are using our browsers because every time you access a site, a message is sent to one of our servers telling us what version you have, if it's a trial beta or registered, etc". I haven't had a chance to run a packet trace on it yet, but does anyone know if this is true?

Next, there is a company that is now marketing a program that goes beyond recording hits on a Web page from just counting IP addresses. It apparently uses "Netscape function calls" to obtain user info, even if that user is behind a firewall or a proxy. My guess is that it could pull your e-mail address from the Mail: setup fields, but what else could it possibly do? (OK, sure, there are many things that it *could* do, but what does it currently offer up as free info to anyone who asks the right question?)

Just another paranoid firewall admin...

--
>> Scott R. Deshaies  <>  High Mountain Press, Inc.                     <<
>> MIS Manager        <>  2530 Camino Entrada * Santa Fe, NM 87505      <<
>> sdeshaies@hmp.com  <>  Direct:505/474-5103   http://www.hmp.com      <<

From firewalls-owner Tue Nov 7 10:27:22 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA27493 for firewalls-outgoing; Tue, 7 Nov 1995 08:27:21 -0800 (PST)
Received: from zeus.lyceum.com (zeus.lyceum.com [205.142.28.7]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id IAA27428 for ; Tue, 7 Nov 1995 08:27:02 -0800 (PST)
Received: (from jhoward@localhost) by zeus.lyceum.com (8.6.12/8.6.12) id LAA25218; Tue, 7 Nov 1995 11:23:53 -0500
From: jim howard
Message-Id: <199511071623.LAA25218@zeus.lyceum.com>
Subject: Re: Generic Proxy
To: mikew@smartpt.demon.co.uk
Date: Tue, 7 Nov 1995 11:23:53 -0500 (EST)
Cc: firewalls@greatcircle.com, fwtk-users@tis.com
Reply-To: firewalls@greatcircle.com, fwtk-users@tis.com
In-Reply-To: <199511071454.JAA17593@zeus.lyceum.com> from "lcrawley@lyceum.com>" at Nov 7, 95 09:54:26 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Does anybody know of a generic tcp/udp proxy which does not suffer
> from the limitations of the likes of plug-gw (no slight intended),
> i.e. will support one-to-many connections to the same destination
> port?

I have built from the TIS plug-gw, a "multiplug" that listens on a single port number and a single ip address. (tcp only) The key is that it runs stand-alone and not from inetd. By using multiple instances of this "multiplug" I can listen on the same port in much the same way as a virtual WWW server, and perform a different task based on which address I'm listening for.

I'm sure there are probably better ways of doing this, like a stand-alone process listening on the generic (0.0.0.0) address that extracts the connection information from the socket, but I didn't have a lot of time to put research into it. The code is very rough, about a day's work for an emergency "plug". If there is enough interest, I can clean it up and send it back over to TIS (after all, it was their code I built it from.)

Jim Howard
Network Engineer
Lyceum Internet

From firewalls-owner Tue Nov 7 10:52:55 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA11951 for firewalls-outgoing; Tue, 7 Nov 1995 09:59:00 -0800 (PST)
Received: from future.dreamscape.com (future.dreamscape.com [206.64.128.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id JAA11916 for ; Tue, 7 Nov 1995 09:58:52 -0800 (PST)
Received: from future.dreamscape.com (matkoski@future.dreamscape.com [206.64.128.3]) by future.dreamscape.com (8.6.12/8.6.12) with SMTP id MAA27823 for ; Tue, 7 Nov 1995 12:44:32 -0500
Date: Tue, 7 Nov 1995 12:44:32 -0500 (EST)
From: Steve Matkoski
To: Firewalls@GreatCircle.COM
Subject: connecting several networks to firewall.
In-Reply-To: <199511061941.LAA19174@miles.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I am going to be using the IBM NetSP firewall for connecting several IP networks to our corporate backbone. I wanted to know the best way to implement this.

I want to use a multi-port router with several serial lines and one ethernet port. The ethernet would connect directly to one port of the firewall. The other port of the firewall would connect to the internal network.

How do I connect all the serial lines to the router without having them talk to each other? If I use static routes and eliminate any dynamic updates would this do the job? Or do I have to set up filtering between ports too?

Any help appreciated!

-steve.
matkoski@dreamscape.com

From firewalls-owner Tue Nov 7 11:28:48 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id FAA07019 for firewalls-outgoing; Tue, 7 Nov 1995 05:50:15 -0800 (PST)
Received: from mail1.digital.com (mail1.digital.com [204.123.2.50]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id FAA07014 for ; Tue, 7 Nov 1995 05:50:11 -0800 (PST)
Received: from ilosrv.ilo.dec.com by mail1.digital.com; (5.65 EXP 4/12/95 for V3.2/1.0/WV) id AA13226; Tue, 7 Nov 1995 05:41:56 -0800
Received: from ilofrs.ilo.dec.com by ilosrv.ilo.dec.com; (5.65/1.1.8.2/12Nov94-8.2MPM) id AA07130; Tue, 7 Nov 1995 13:40:53 GMT
Received: by fwsrtr.fws.ilo.dec.com; (5.65/1.3/10May95) id AA12056; Tue, 7 Nov 1995 13:42:27 GMT
Received: from localhost by philby.fws.ilo.dec.com; (5.65/1.1.8.2/31Aug95-8.2MPM) id AA02540; Tue, 7 Nov 1995 13:39:37 GMT
Message-Id: <9511071339.AA02540@philby.fws.ilo.dec.com>
To: "Michael J. Endrizzi"
Cc: firewalls@greatcircle.com, fod@fws.ilo.dec.com
Subject: Re: Facts on Break-Ins
In-Reply-To: Your message of "Mon, 06 Nov 1995 16:31:31 GMT."
X-Mailer: exmh version 1.4.1 7/21/94
Date: Tue, 07 Nov 1995 13:39:27 +0000
From: "Frank O'Dwyer"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I'm looking for research on computer security
> violations. Any data is great but more specifically:
>
> 1) Ratio of internal (e.g. employee) attacks vs external attacks
> 2) Ratio of dial-in vs. firewall attacks
>
> I am familiar with the latest Sept 95 CSI report.

I think the British DTI did a report some time back which covers some of the aspects you mention, if that's any help. I saw it a couple of years ago, but it may have been updated since. As I recall, the greatest risks were from much more low-tech things such as fire, power surges, user error, and so on.

Cheers,
Frank O'Dwyer

From firewalls-owner Tue Nov 7 11:28:49 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA12227 for firewalls-outgoing; Tue, 7 Nov 1995 09:59:58 -0800 (PST)
Received: from switchblade.iwi.com (switchblade.iwi.com [137.39.156.214]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id JAA12204 for ; Tue, 7 Nov 1995 09:59:51 -0800 (PST)
Received: (from mjr@localhost) by switchblade.iwi.com (8.6.9/8.6.9) id NAA16076 for firewalls@greatcircle.com; Tue, 7 Nov 1995 13:00:15 -0500
From: "Marcus J. Ranum"
Message-Id: <199511071800.NAA16076@switchblade.iwi.com>
Subject: MORE about one-time-pads :)
To: firewalls@greatcircle.com
Date: Tue, 7 Nov 1995 13:00:14 -0500 (EST)
Reply-To: mjr@iwi.com
Organization: Information Warehouse! Inc, Baltimore, MD
URL: mjr's web page
Phone: 410-889-8569
Coredump: Infocalypse Now!!!
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I was just stumbling around on the 'web and it turns out the NSA home page has a lot of interesting information about one of the more famous one-time-pad cracking incidents, which was codenamed VENONA.
The VENONA documents were extremely interesting material, and are an example of what can happen if you screw up your use of OTPs. :)

http://www.nsa.gov:8080/docs/venona/venona.html

mjr.

From firewalls-owner Tue Nov 7 12:03:08 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id KAA15449 for firewalls-outgoing; Tue, 7 Nov 1995 10:11:51 -0800 (PST)
Received: from Disclosure.COM (di2.disclosure.com [205.156.194.11]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id KAA15417 for ; Tue, 7 Nov 1995 10:11:44 -0800 (PST)
Received: by Disclosure.COM (4.1/SMI-4.1) id AA15806; Tue, 7 Nov 95 13:14:48 EST
Date: Tue, 7 Nov 1995 13:14:47 -0500 (EST)
From: Scott Barman
To: firewalls@greatcircle.com
Subject: Changing shared libraries and how is ld.so finding real libraries?
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Gee... this started out as a question and, after some investigation, has evolved into "what the heck is it doing?"

Let's start with the original question: Now that the advisory is out regarding telnet and resetting the LD_LIBRARY_PATH environment variable I have a question: Is it possible for someone who has acquired unauthorized access to a system using an ordinary userid to upload their own copy of libc.so.*, change LD_LIBRARY_PATH (or LD_RUN_PATH) so that /bin/login dynamically links with their hacked version rather than the one in /usr/lib?

I decided to do some investigating. Under Solaris 2.4 on a SPARC 1000E, I set up a "simulated" environment by creating some empty files that had the names of libraries under /tmp and tried to run the login program. The following is what I did:

    cd /usr/lib
    foreach i (lib*.so*)
        echo -n > /tmp/$i
    end
    cd security        <--- hmmm this was an interesting find!
    foreach i (*)
        echo -n > /tmp/$i
    end
    setenv LD_LIBRARY_PATH /tmp
    setenv LD_RUN_PATH /tmp
    /usr/bin/login

The login program seemed to work fine. It prompted me for my userid and password... no problems. In fact, any setuid or setgid program (ps and mail, for example) ran with no problems. Others, such as ls and who, came back with errors that they didn't like my "new" libraries, giving me a message like:

    ld.so.1: who: fatal: /tmp/libc.so.1: unknown file type

This is what I expected. But why are the setuid/setgid programs finding the right libraries? What is Solaris doing to get around the settings of these environment variables?

Interestingly, I found /usr/lib/security (with lsof) with one library and a symbolic link to it. /usr/lib/security/unix_scheme.so.1 seems to contain the "guts" to login, passwd, etc. (assumption based on an examination of the output from nm and strings). But even with my stubs in /tmp, login ran with no problems.

Can anyone enlighten me as to what is happening?

TIA
scott barman
--
scott barman            DISCLAIMER: I speak to anyone who will listen,
scott@disclosure.com    and I speak only for myself.
barman@ix.netcom.com

"I don't know if security explains why the Win95 support Web servers run BSDI 2.0--an Intel-based Unix--rather than Windows NT, which Microsoft insists is the ideal Web software solution. Does Redmond know something we don't know?" -Robert X. Cringely, INFOWORLD, 9/11/95

From firewalls-owner Tue Nov 7 12:24:33 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id KAA20671 for firewalls-outgoing; Tue, 7 Nov 1995 10:48:55 -0800 (PST)
Received: from delfin.com (delfin.com [192.129.85.1]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id KAA20666 for ; Tue, 7 Nov 1995 10:48:51 -0800 (PST)
Received: from delfinsd.delfinsd.delfin.com ([192.187.198.1]) by delfin.com (4.1/SMI-4.1 - 6/21/93 ) id AA28187; Tue, 7 Nov 95 10:48:18 PST
Received: from felixpc (felixpc.delfinsd.delfin.com) by delfinsd.delfinsd.delfin.com (4.1/SMI-4.1) id AA10310; Tue, 7 Nov 95 10:50:44 PST
Message-Id: <9511071850.AA10310@delfinsd.delfinsd.delfin.com>
X-Sender: felix@delfinsd-gw
X-Mailer: Windows Eudora Version 2.1.1
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 07 Nov 1995 10:48:55 -0800
To: Ron DuFresne
From: Robin Felix
Subject: Re: fairly recent web server compromise...
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 05:25 PM 11/6/95 -0600, Ron DuFresne wrote:
>Wasn't but a couple of months ago that a major Hollywood motion pictures
>firm's web server was compromised and files served up by it were
>altered. I think it was something like www.umga.com or some such thing,
>was in retaliation for the pending release of the movie hackers...

As I recall, the problem was not in the www server but in the globally-mountable disk drive on which the actual "Hackers" web page was resident. Someone just mounted it remotely and altered the page. There is some suspicion that this "insecurity" was intentionally left available to encourage this, as the hack itself was subsequently used as PR for the movie.
--
Robin Felix; felix@delfin.com; felix@nosc.mil
619-291-2194(work), 619-291-5852(fax), 619-991-5081(alt)
http://www.delfinsd.delfin.com/

From firewalls-owner Tue Nov 7 12:43:58 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id EAA26781 for firewalls-outgoing; Tue, 7 Nov 1995 04:08:33 -0800 (PST)
Received: from relay1.pipex.net (relay1.pipex.net [158.43.128.6]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id EAA26773 for ; Tue, 7 Nov 1995 04:08:28 -0800 (PST)
Received: from smtpgty.saicuk.co.uk by flow.pipex.net with SMTP (PP); Tue, 7 Nov 1995 12:08:18 +0000
Received: by smtpgty.saicuk.co.uk with Microsoft Mail id <309F4BB1@smtpgty.saicuk.co.uk>; Tue, 07 Nov 95 12:06:09 GMT
From: "Johnson-Bryden, Ian"
To: "'firewalls@greatcircle.com'"
Subject: Re: Anecdotes or Firewall/NetSec Jokes
Date: Tue, 07 Nov 95 12:00:00 GMT
Message-ID: <309F4BB1@smtpgty.saicuk.co.uk>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>From: firewalls-owner
>To: firewalls
>Subject: Re: Anecdotes or Firewall/NetSec Jokes
>Date: Monday, November 06, 1995 11:37AM

In message <9511051641.AA01999@sonic.nmti.com.nmti.com> Peter da Silva writes:
>> > > I'll be speaking at a number of seminars in the next three weeks,
>> > > and I think it would be nice to have some intelligent humorous
>> > > jokes or anecdotes to start my talks off.
>>
>> How about Microsoft, they are the biggest joke going.
>>
>> Unfortunately this is sounding more and more like graveyard humor. They're
>> selling very effectively, no matter how awful their product is.

and Karen Goertzel wrote
>And McDonald's is never going to rate even 1 Michelin star, let alone five.
>Those of us who are more discerning in what we eat, and what software we buy,
>refuse to accept the lowest common denominator just because it's popular.

A joke appropriate to firewalls discussion could be:-

The Ark was built by unskilled amateurs,
The Titanic was built by skilled professionals!!!

A very good multi-purpose joke which you can use to illustrate any of the opposing points of view.

Ian J-B

From firewalls-owner Tue Nov 7 12:43:59 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id LAA22370 for firewalls-outgoing; Tue, 7 Nov 1995 11:58:30 -0800 (PST)
Received: from relay1.pipex.net (relay1.pipex.net [158.43.128.6]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id LAA22361 for ; Tue, 7 Nov 1995 11:58:26 -0800 (PST)
Received: from smtpgty.saicuk.co.uk by flow.pipex.net with SMTP (PP); Tue, 7 Nov 1995 19:58:10 +0000
Received: by smtpgty.saicuk.co.uk with Microsoft Mail id <309FB9EB@smtpgty.saicuk.co.uk>; Tue, 07 Nov 95 19:56:27 GMT
From: "Johnson-Bryden, Ian"
To: "'firewalls@greatcircle.com'"
Subject: Re: Facts on Break-Ins
Date: Tue, 07 Nov 95 18:55:00 GMT
Message-ID: <309FB9EB@smtpgty.saicuk.co.uk>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Frank is correct in saying British DTI produced a report, although the more accurate statement is that the IT Security section of DTI, which supplies half of the British reps for the British ITSEC team, commissioned someone to do a study and then published the result. I have a copy of the draft (of what I think is the document Frank refers to) but not a final released version, so DTI may not have credited the study team. From memory, National Physical Laboratory did that particular study on contract to DTI.

Different parts of DTI and CCTA carry out or commission studies into these issues, and many others, with great frequency and make the results available publicly, not always with the greatest accuracy.
For example, a recent CCTA study concluded that the Internet was populated with an undisciplined rabble and totally unsuited for any serious communications use, being unlikely to survive as an Information Byeway.

Ian J-B

----------
From: firewalls-owner
To: Michael J. Endrizzi
Cc: firewalls; fod
Subject: Re: Facts on Break-Ins
Date: Tuesday, November 07, 1995 1:39PM

> I'm looking for research on computer security
> violations. Any data is great but more specifically:
>
> 1) Ratio of internal (e.g. employee) attacks vs external attacks
> 2) Ratio of dial-in vs. firewall attacks
>
> I am familiar with the latest Sept 95 CSI report.

I think the British DTI did a report some time back which covers some of the aspects you mention, if that's any help. I saw it a couple of years ago, but it may have been updated since. As I recall, the greatest risks were from much more low-tech things such as fire, power surges, user error, and so on.

Cheers,
Frank O'Dwyer

From firewalls-owner Tue Nov 7 12:59:03 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id MAA23093 for firewalls-outgoing; Tue, 7 Nov 1995 12:36:48 -0800 (PST)
Received: from bastion.sware.com (bastion.sware.com [139.131.15.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id MAA23088 for ; Tue, 7 Nov 1995 12:36:45 -0800 (PST)
Received: from shlep.sware.com (shlep.sware.com [139.131.1.14]) by bastion.sware.com (8.6.5/8.6.5) with SMTP id PAA08306; Tue, 7 Nov 1995 15:36:39 -0500
Received: by shlep.sware.com (5.65/2.0) from guinan.sware.com id AA28653; Tue, 7 Nov 95 15:32:42 -0500
Received: by guinan.sware.com (AIX 3.2/UCB 5.64/2.1) from localhost id AA37378; Tue, 7 Nov 1995 15:32:27 -0500
Message-Id: <9511072032.AA37378@guinan.sware.com>
From: Shan Bell
X-Mailer: SecureMail [2.2]
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: Ooops.
To: firewalls@greatcircle.com, fwtk-users@tis.com
Date: Tue, 7 Nov 95 15:32:27 EST
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sorry about sending that response to the list. I didn't check the Reply-to address closely enough.

Shannon Bell
Email: shan.bell@sware.com - Voice: +1 404 321 6597 x163 - Fax: +1 404 315 0293
SecureWare, Inc. / 2957 Clairmont Rd Suite 200 / Atlanta GA 30329-1647
GCS -d+@ H>++ s+:- g+ p?>!p !au>* a- w+ v- C++$ U[BLUAVHSCX]++++$ P+ L+>+++ 3>+++ E- !N>N++ K W M+ V- -po+ Y+ t+>+(+++) 5+ j R(+) G'('') tv+ b+++ !D B-- e++ u** h--- f+ r+++ n-- y+++

From firewalls-owner Tue Nov 7 13:22:55 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id MAA22550 for firewalls-outgoing; Tue, 7 Nov 1995 12:02:49 -0800 (PST)
Received: from bastion.sware.com (bastion.sware.com [139.131.15.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id MAA22544 for ; Tue, 7 Nov 1995 12:02:46 -0800 (PST)
Received: from shlep.sware.com (shlep.sware.com [139.131.1.14]) by bastion.sware.com (8.6.5/8.6.5) with SMTP id PAA08052; Tue, 7 Nov 1995 15:02:39 -0500
Received: by shlep.sware.com (5.65/2.0) from guinan.sware.com id AA28014; Tue, 7 Nov 95 14:58:42 -0500
Received: by guinan.sware.com (AIX 3.2/UCB 5.64/2.1) from localhost id AA35897; Tue, 7 Nov 1995 14:58:27 -0500
Message-Id: <9511071958.AA35897@guinan.sware.com>
From: Shan Bell
X-Mailer: SecureMail [2.2]
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: firewalls@GreatCircle.COM, fwtk-users@tis.com
Subject: Re: Generic Proxy
In-Reply-To: Your message of Tue, 7 Nov 1995 11:23:53 -0500 (EST). <199511071623.LAA25218@zeus.lyceum.com>
Date: Tue, 7 Nov 95 14:58:27 EST
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

jim howard writes:
> > Does anybody know of a generic tcp/udp proxy which does not suffer
> > from the limitations of the likes of plug-gw (no slight intended),
> > i.e. will support one-to-many connections to the same destination
> > port?
>
> I have built from the TIS plug-gw, a "multiplug" that
> listens on a single port number and a single ip address. (tcp only)
> The key is that it runs stand-alone and not from inetd.
>
> By using multiple instances of this "multiplug" I can
> listen on the same port in much the same way as a virtual WWW server,
> and perform a different task based on which address I'm listening for.
>
> I'm sure there are probably better ways of doing this,
> like a stand-alone process listening on the generic (0.0.0.0) address
> that extracts the connection information from the socket,
> but I didn't have a lot of time to put research into it.
>
> The code is very rough, about a day's work for an emergency "plug".
> If there is enough interest, I can clean it up and send it back over
> to TIS (after all, it was their code I built it from.)
>
> Jim Howard
> Network Engineer
> Lyceum Internet

I would very much like to see this, if you don't mind... can you send me your code?

Shannon Bell
Email: shan.bell@sware.com - Voice: +1 404 321 6597 x163 - Fax: +1 404 315 0293
SecureWare, Inc. / 2957 Clairmont Rd Suite 200 / Atlanta GA 30329-1647
GCS -d+@ H>++ s+:- g+ p?>!p !au>* a- w+ v- C++$ U[BLUAVHSCX]++++$ P+ L+>+++ 3>+++ E- !N>N++ K W M+ V- -po+ Y+ t+>+(+++) 5+ j R(+) G'('') tv+ b+++ !D B-- e++ u** h--- f+ r+++ n-- y+++

From firewalls-owner Tue Nov 7 13:52:51 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id CAA19966 for firewalls-outgoing; Tue, 7 Nov 1995 02:47:37 -0800 (PST)
Received: from TIS.COM (neptune.tis.com [192.94.214.96]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id CAA19961 for ; Tue, 7 Nov 1995 02:47:33 -0800 (PST)
Received: from relay.tis.com by neptune.TIS.COM id aa27191; 7 Nov 95 5:43 EST
Received: from gauntlet.demon.co.uk(158.152.143.226) by relay.tis.com via smap (g3.0.1) id xma017137; Tue, 7 Nov 95 05:18:02 -0500
Received: from gauntlet.demon.co.uk by gauntlet.demon.co.uk with SMTP id AA815740528 ; Tue, 07 Nov 95 10:35:28 gmt
Received: by gauntlet.demon.co.uk with Microsoft Mail id <01BAACFC.C1055C40@gauntlet.demon.co.uk>; Tue, 7 Nov 1995 10:35:27 -0500
Message-ID: <01BAACFC.C1055C40@gauntlet.demon.co.uk>
From: "Jeffrey R. Jones"
To: "'Firewalls@greatcircle.com'"
Subject: RE: Exporting nonUS DES
Date: Tue, 7 Nov 1995 10:35:25 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="---- =_NextPart_000_01BAACFC.C10E8400"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The answer is that where it was developed has no relevancy. Once it is imported into the US, then US export laws apply for re-exporting it. So, 40-bit DES could be provided, larger-key DES could be provided to some government customers and Banks, and (presumably) 64-bit DES with key escrow could be provided to countries having appropriate agreements with the US.

(1) Is it possible for a large US company to export products using DES data encryption?
I mean even if they get a "non-USA DES" can they export products including this?

(2) Is anyone familiar with the modem in question (2864I), and know if it really provides DES data encryption?

(3) Where should I have posted this?

Thanks in advance, for any pointers!,

Martin Fredriksson
Systems Integration and Security
Ericsson Microwave Systems AB, Molndal, Sweden

From firewalls-owner Tue Nov 7 13:52:52 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id CAA19810 for firewalls-outgoing; Tue, 7 Nov 1995 02:32:43 -0800 (PST)
Received: from TIS.COM (neptune.tis.com [192.94.214.96]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id CAA19805 for ; Tue, 7 Nov 1995 02:32:39 -0800 (PST)
Received: from relay.tis.com by neptune.TIS.COM id aa27004; 7 Nov 95 5:29 EST
Received: from gauntlet.demon.co.uk(158.152.143.226) by relay.tis.com via smap (g3.0.1) id xma017073; Tue, 7 Nov 95 05:07:34 -0500
Received: from gauntlet.demon.co.uk by gauntlet.demon.co.uk with SMTP id AA815739854 ; Tue, 07 Nov 95 10:24:14 gmt
Received: by gauntlet.demon.co.uk with Microsoft Mail id <01BAACFB.2F323BE0@gauntlet.demon.co.uk>; Tue, 7 Nov 1995 10:24:13 -0500
Message-ID: <01BAACFB.2F323BE0@gauntlet.demon.co.uk>
From: "Jeffrey R. Jones"
To: "'Firewalls@greatcircle.com'"
Subject: Re: Generic Proxy
Date: Tue, 7 Nov 1995 10:24:11 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mike,

The plug-gw suffers this problem because the proxy can't determine which destination of several to actually connect to.

Anyway, the plug-gw in the TIS Gauntlet Internet Firewall can do one to many with the plug-gw because with transparency, the destination can be pulled from the packet.

If you really want to roll your own, I suggest you might want to contact jsanchez@gmv.es and ask for his Linux transparency mods for the fwtk.

Best Regards,
Jeff Jones
- - - - - - - - - - - - -
Jeffrey R. Jones                          JJones@tis.com
Firewalls and Network Security, Europe    JJones@gauntlet.demon.co.uk
Trusted Information Systems (UK) Ltd      phone: +44 1734 304 413
Commerce Park, Brunel Road                fax:   +44 1734 304 412
Theale, Berkshire RG7 4AB United Kingdom
- - - - - - - - - - - - - - - - - - - - - - - - - -
PGP Key fingerprint = C5 EF 8F 3F D5 ED 1C 61 09 63 90 3C 3B F2 46 2E
- - - - - - - - - - - - - - - - - - - - - - - - - -

From: Mike Williams
Date: Mon, 06 Nov 1995 18:34:36 GMT
Subject: Generic Proxy

I can't believe this hasn't been discussed before but as I'm relatively new to the list please forgive my ignorance.

Does anybody know of a generic tcp/udp proxy which does not suffer from the limitations of the likes of plug-gw (no slight intended), i.e. will support one-to-many connections to the same destination port?

Is the answer to this client code that always connects to the proxy but furnishes it with a name and destination port number of the ultimate destination? Does a, dare I suggest, standard exist for such communication?

Grateful for any feedback,

Mike.
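An added illustration (mine, not code from TIS, from Gauntlet, or from anyone on the list) of the "client names the destination" approach Mike asks about: the SOCKS4 CONNECT exchange, in which the client sends the proxy the destination address and port up front, so one listening port can relay to many destinations. The wire format follows the SOCKS4 protocol description (version byte 4, command 1, two-byte port, four-byte IPv4 address, NUL-terminated user id; reply version 0 with code 90 or 91). The ALLOWED table and the TEST-NET addresses are assumptions made for the example, not anyone's real configuration.

```python
# SOCKS4 CONNECT: client side builds the request, proxy side parses it,
# applies a destination policy and answers. Wire format per the SOCKS4
# protocol description; the ALLOWED table and the 192.0.2.0/24 addresses
# are assumptions made for this example (TEST-NET-1, not real hosts).
import ipaddress
import struct
from typing import NamedTuple

SOCKS_VERSION = 4
CD_CONNECT = 1
REPLY_GRANTED = 90      # "request granted"
REPLY_REJECTED = 91     # "request rejected or failed"


class ConnectRequest(NamedTuple):
    host: str    # dotted-quad destination
    port: int    # destination TCP port
    userid: str  # client-supplied and unauthenticated


def build_connect_request(host: str, port: int, userid: str) -> bytes:
    """Client: VN=4, CD=1, DSTPORT (2 bytes, network order), DSTIP (4 bytes), USERID, NUL."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    if "\x00" in userid:
        raise ValueError("userid must not contain NUL")
    return (struct.pack("!BBH", SOCKS_VERSION, CD_CONNECT, port)
            + ipaddress.IPv4Address(host).packed
            + userid.encode("ascii") + b"\x00")


def parse_connect_request(data: bytes) -> ConnectRequest:
    """Proxy: decode a request, raising ValueError on anything malformed."""
    if len(data) < 9:                      # 8 fixed bytes plus at least the NUL
        raise ValueError("truncated SOCKS4 request")
    vn, cd, port = struct.unpack("!BBH", data[:4])
    if vn != SOCKS_VERSION:
        raise ValueError("unsupported SOCKS version %d" % vn)
    if cd != CD_CONNECT:
        raise ValueError("unsupported command %d" % cd)
    host = str(ipaddress.IPv4Address(data[4:8]))
    nul = data.find(b"\x00", 8)
    if nul < 0:
        raise ValueError("userid not NUL-terminated")
    userid = data[8:nul].decode("ascii", errors="replace")
    return ConnectRequest(host, port, userid)


def build_reply(granted: bool, host: str = "0.0.0.0", port: int = 0) -> bytes:
    """Proxy: VN=0, CD=90 or 91, then the (largely ignored) port and address."""
    code = REPLY_GRANTED if granted else REPLY_REJECTED
    return struct.pack("!BBH", 0, code, port) + ipaddress.IPv4Address(host).packed


def parse_reply(data: bytes) -> bool:
    """Client: True when the proxy granted the CONNECT."""
    if len(data) < 8 or data[0] != 0:
        raise ValueError("malformed SOCKS4 reply")
    return data[1] == REPLY_GRANTED


# Assumed policy: (destination network, port) pairs this proxy will relay to.
ALLOWED = [
    (ipaddress.ip_network("192.0.2.0/24"), 25),    # SMTP to the DMZ mail host
    (ipaddress.ip_network("192.0.2.0/24"), 119),   # NNTP to the DMZ news host
]


def policy_allows(req: ConnectRequest) -> bool:
    """The proxy's own decision; the client's userid plays no part in it."""
    dst = ipaddress.IPv4Address(req.host)
    return any(dst in net and req.port == port for net, port in ALLOWED)


def proxy_handle(raw: bytes) -> bytes:
    """One request in, one reply out; malformed input is refused, not raised."""
    try:
        req = parse_connect_request(raw)
    except ValueError:
        return build_reply(False)
    return build_reply(policy_allows(req), req.host, req.port)


def exchange(host: str, port: int, userid: str) -> bool:
    """Both sides in one call: did the proxy agree to relay to host:port?"""
    return parse_reply(proxy_handle(build_connect_request(host, port, userid)))


if __name__ == "__main__":
    for dest in (("192.0.2.10", 25), ("192.0.2.10", 23), ("198.51.100.7", 25)):
        print(dest, "granted" if exchange(dest[0], dest[1], "mike") else "rejected")
```

Two things worth noting from the code: the userid in a SOCKS4 request is whatever the client chooses to put there, so it is not authentication, and the only thing that restricts where the proxy will connect is the proxy's own policy table; and a malformed request is answered with a 91 reply rather than allowed to raise, so a bad client cannot take the listener down.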
From firewalls-owner Tue Nov 7 13:52:53 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id CAA19947 for firewalls-outgoing; Tue, 7 Nov 1995 02:46:53 -0800 (PST)
Received: from nt.neurotec.de (nt.neurotec.de [194.120.241.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id CAA19942 for ; Tue, 7 Nov 1995 02:46:41 -0800 (PST)
Received: from nt.neurotec.de (194.120.241.3) by nt.neurotec.de id ; Tue, 07 Nov 1995 11:41:52 +0100
Message-ID: <309F37ED.572F@neurotec.de>
Date: Tue, 07 Nov 1995 11:41:49 +0100
From: Jan Schubert
X-Mailer: Mozilla 2.0b1J (Windows; I; 32bit)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: Q: FTP-GW Port restricting
References: <199510240506.WAA05678@miles.greatcircle.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello FireAlls ;-),

has anyone experience with restricting the ports for data connections using the FTP-GW included in the TIS FWTK? I would like to use a specific port or port range so that I can filter the connections. I use the TIS FWTK 1.3 and Linux 1.2.8.

Or, how is it possible to filter these data connections in the Linux kernel?

Can anyone help?

Thanx a lot,
Jan
--
Ing. Jan Schubert         e-Mail: jan@neurotec.de
NEUROTEC                  WWW   : http://www.inf-gr.htw-zittau.de/~longint
Ehlersstr. 15             Tel.  : +49 7541 3012 156
D-88046 Friedrichshafen   FAX   : +49 7541 33013

From firewalls-owner Tue Nov 7 13:52:54 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id BAA12070 for firewalls-outgoing; Tue, 7 Nov 1995 01:11:57 -0800 (PST)
Received: from bastion1.bazis.nl (bastion1.bazis.nl [130.78.143.1]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id BAA12064 for ; Tue, 7 Nov 1995 01:11:53 -0800 (PST)
Received: from bazu05.bazis.nl by bastion1.bazis.nl id aa04438; 7 Nov 95 10:12 WET
From: Rene Doove
To: Firewalls@greatcircle.com, mikew@smartpt.demon.co.uk
Subject: RE: Generic Proxy
X-Mailer: ScoMail 1.0
Date: Tue, 7 Nov 1995 10:11:41 +0100 (WET)
Message-ID: <9511071011.aa07064@bazu05.bazis.nl>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mike says:
>> Does anybody know of a generic tcp/udp proxy which does not suffer
>> from the limitations of the likes of plug-gw (no slight intended),
>> i.e. will support one-to-many connections to the same destination
>> port?

Yep, its name is SOCKS. You can get more info at the following site:

http://www.socks.nec.com

greetings,
                                  (o o)
---------------------------oOO--(_)--OOo---------------------------------
Rene Doove, HISCOM, Systems Administration dept., Schipholweg 97, Postbus 901, 2300 AX Leiden, The Netherlands
071 5256830 (office), 071 5256862 (secretary), 071 219856 (FAX)
-------------------------------------------------------------------------

From firewalls-owner Tue Nov 7 13:52:56 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id XAA07932 for firewalls-outgoing; Mon, 6 Nov 1995 23:20:30 -0800 (PST)
Received: from capx.co.gva.es (cap.cap.gva.es [193.144.104.4]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id XAA07921 for ; Mon, 6 Nov 1995 23:20:23 -0800 (PST)
Message-Id: <199511070720.XAA07921@miles.greatcircle.com>
Received: from pc9.cap.gva.es by capx.co.gva.es with SMTP (1.38.193.5/16.2) id AA26990; Tue, 7 Nov 1995 08:17:54 +0100
Date: Tue, 7 Nov 1995 08:17:54 +0100
X-Sender: alfon@capx.co.gva.es
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: alfon@gva.es (Alfonso Jimenez)
Subject: proxy's questions
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is my first posting to this list and maybe it's not an appropriate question for this list, but I'll try.

I've been hearing a lot about proxy servers and clients recently, but I have some questions about it:

- How can I manage to configure a UNIX server to work as a real proxy server? Must I get any additional software?
- What must I do on the clients (PCs) to make them work as proxy clients (not only for web, but also for telnet, ftp, ...)?
- What is the relationship between proxy servers and firewalls?

Thank you very much in advance.

================================================
Alfonso Jimenez Cantos - Systems Analyst.
Tlf: 96 - 38 63 906    Fax: 96 - 38 66 303
Ministry of Public Administration - Generalitat Valenciana -
================================================

From firewalls-owner Tue Nov 7 13:52:57 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id WAA07231 for firewalls-outgoing; Mon, 6 Nov 1995 22:43:13 -0800 (PST)
Received: from northshore.ecosoft.com (northshore.ecosoft.com [192.233.85.129]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id WAA07226 for ; Mon, 6 Nov 1995 22:43:10 -0800 (PST)
Received: from [198.115.177.203] (slip-3-26.shore.net) by northshore.ecosoft.com with SMTP id AA26757 (5.67a/IDA-1.5 for ); Tue, 7 Nov 1995 01:43:00 -0500
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 7 Nov 1995 02:48:24 -0500
To: einar.landre@sdata.no
From: vin@shore.net (Vin McLellan)
Subject: Info about Secure Net and Secure ID
Cc: firewalls@greatcircle.com, sdi@shore.net
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Einar Landre queried the List:

> Digital Pathways with Secure Net
> Security Dynamics with Secure ID
>Can somebody tell me where to find information about the two ??

Both DPI and SDI market one-time password ID tokens. The DPI token is called a "SecureNet Key" and is generally supported by DPI's Defender software. The SDI token, called a SecurID, is supported by SDI's ACE access control software.

Contact info follows:

_Digital Pathways_
URL:
Suite 700
201 Ravendale Drive
Mountain View, CA 94043-5216 USA
TEL: 415-964-0707
FAX: 415-961-7487

Digital Pathways lists offices or reps in both the UK and Belgium.

DPI/Europe Sales Contact:
Antwerpsesteen w124/B25 Belgium
Bernard@digpath.com
TEL: 32.3.870.4625
FAX: 32.3.870.4651

==== ==== ====

_Security Dynamics Inc._
URL:
One Alewife Center
Cambridge, Ma. 02150-2312 USA
Tel. (617) 547-7820 or 1 (800) SECURID
Fax. (617) 354-8836
E-mail:

Security Dynamics lists six SDI offices overseas and 21 international distributors.

SDI/Norway Contact:
Ericsson Computer Products
Nebruveien 75, Nebru
P.O. Box 34
N-1361 Billingstad
Attn: Lars H. Nordin
Tel 47 66 84 16 50
Fax 47 66 84 16 51

I don't think either company has formally announced their web sites. Neither may be ready for prime time, but both are accessible and offer useful and interesting information.

Suerte,
_vbm

Vin McLellan  +The Privacy Guild+  53 Nichols St., Chelsea, Ma., USA  Tel: (617) 884-5548
<*><*><*><*><*><*><*><*><*>

From firewalls-owner Tue Nov 7 13:52:55 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id NAA23959 for firewalls-outgoing; Tue, 7 Nov 1995 13:24:22 -0800 (PST)
Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id NAA23954 for ; Tue, 7 Nov 1995 13:24:16 -0800 (PST)
Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.7.1/8.7.1) with UUCP id PAA19613 for GreatCircle.COM!firewalls; Tue, 7 Nov 1995 15:12:38 -0600 (CST)
Received: by ris1.nmti.com (smail2.5) id AA11401; 7 Nov 95 15:29:11 CST (Tue)
Received: by sonic.nmti.com; id AA14847; Tue, 7 Nov 1995 14:58:26 -0600
From: peter@nmti.com (Peter da Silva)
Message-Id: <9511072058.AA14847@sonic.nmti.com.nmti.com>
Subject: Re: Weird Netscape Navigator functions?
To: sdeshaies@pioneer.hmp.com (Scott Deshaies)
Date: Tue, 7 Nov 1995 14:58:26 -0600 (CST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <309f864a.vanguard@vanguard.hmp.com> from "Scott Deshaies" at Nov 7, 95 09:16:09 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> The first was the CEO of Netscape saying something to the effect that
> "..we know how many people are using our browsers because every time
> you access a site, a message is sent to one of our servers telling us
> what version you have, if it's a trial beta or registered, etc".

Not through my firewall they're not. My proxy only speaks HTTP and logs everything, and there's no way for netscape to find my firewall address.
I suspect the guy meant "every time you access our site"... see below:

> Next, there is a company that is now marketing a program that goes
> beyond recording hits on a Web page from just counting IP addresses.
> It apparently uses "Netscape function calls" to obtain user info,
> even if that user is behind a firewall or a proxy.

Netscape puts a lot of stuff in the headers it sends out.

From firewalls-owner Tue Nov 7 14:52:56 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id NAA24773 for firewalls-outgoing; Tue, 7 Nov 1995 13:53:15 -0800 (PST)
Received: from vulcan.iss.bnr.com (vulcan.iss.bnr.com [139.51.128.1]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id NAA24760 for ; Tue, 7 Nov 1995 13:53:02 -0800 (PST)
From: Mark_W_Loveless@smtp.bnr.com
Received: from smtp.bnr.com by vulcan.iss.bnr.com (4.1/BNR/v1.0/910819) id AA28865; Tue, 7 Nov 95 15:53:04 CST
Received: from cc:Mail by smtp.bnr.com id AA815787920; Tue, 07 Nov 95 13:09:12 CST
Date: Tue, 07 Nov 95 13:09:12 CST
Message-Id: <9510078157.AA815787920@smtp.bnr.com>
To: firewalls@GreatCircle.COM
Subject: Re: fairly recent web server compromise...
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Not much to say except you could mount the filesystem containing the Web page in question from any PC on the planet. An interesting "coincidence" that a Hollywood advertisement for a movie about hackers got so much free press from the compromise...

Since the "firewall" amounted to a firecurb you could call this off-topic ;-)

______________________________ Reply Separator _________________________________
Subject: fairly recent web server compromise...
Author: Ron DuFresne at internet
Date: 11/7/95 9:24 AM

Peoples,

Wasn't but a couple of months ago that a major Hollywood motion pictures firm's web server was compromised and files served up by it were altered. I think it was something like www.umga.com or some such thing, was in retaliation for the pending release of the movie hackers...

Anyway, does anyone have info regarding such tid-bits as:

OS of this box
WWW server SW that was in use
various other goodies?

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.

From firewalls-owner Tue Nov 7 15:00:59 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id NAA24137 for firewalls-outgoing; Tue, 7 Nov 1995 13:31:00 -0800 (PST)
Received: from NS1.stl.net (stl.net [199.217.196.1]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id NAA24132 for ; Tue, 7 Nov 1995 13:30:56 -0800 (PST)
Received: (from jym@localhost) by NS1.stl.net (8.6.11/8.6.9) id QAA12554; Tue, 7 Nov 1995 16:27:48 -0600
Date: Tue, 7 Nov 1995 16:27:48 -0600 (CST)
From: Jym Barnes
To: Scott Deshaies
cc: Firewalls Mailing List
Subject: Re: Weird Netscape Navigator functions?
In-Reply-To: <309f864a.vanguard@vanguard.hmp.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 7 Nov 1995, Scott Deshaies wrote:

> Hi all-
>
> In two different trade magazines recently, I've read a few things about
> Netscape's Navigator that made me go "Hmm?".
>
> The first was the CEO of Netscape saying something to the effect that
> "..we know how many people are using our browsers because every time
> you access a site, a message is sent to one of our servers telling us
> what version you have, if it's a trial beta or registered, etc".
> I haven't had a chance to run a packet trace on it yet, but does anyone
> know if this is true?
> Any web site can keep track of what type of browser visits their site by simply logging the HTTP_USER_AGENT field. This is not specific to Netscape and is quite valuable to Webmasters as they have a way to serve the proper HTML depending on what type of browser the user is using. Netscape can put whatever they want in this field when they ship the browser. The field usually contains the browser type and version. This field will also pass through most proxies and usually contains both what proxy was used and the original value. Since most people do not change their home from http://home.netscape.com Netscape has a great way to keep track of what versions of their browsers are being used. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Jym Barnes STL.NET Email: jym@stl.net St. Louis MO We are here.. Phone: (314) 939-6450 You should be too ! Online Advertising | Homepage Construction | Internet Consulting =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= > > -- > >> Scott R. Deshaies <> High Mountain Press, Inc. << > >> MIS Manager <> 2530 Camino Entrada * Santa Fe, NM 87505 << > >> sdeshaies@hmp.com <> Direct:505/474-5103 http://www.hmp.com << > From firewalls-owner Tue Nov 7 15:43:27 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id OAA26405 for firewalls-outgoing; Tue, 7 Nov 1995 14:55:50 -0800 (PST) Received: from sigma.ifpan.edu.pl (sigma.ifpan.edu.pl [148.81.44.1]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id OAA26400 for ; Tue, 7 Nov 1995 14:55:43 -0800 (PST) Received: by sigma.ifpan.edu.pl (4.1/1.100) id AA01251; Tue, 7 Nov 95 23:51:36 +0100 From: kwojci@sigma.ifpan.edu.pl (K. 
Wojcicki) Message-Id: <9511072251.AA01251@sigma.ifpan.edu.pl> Subject: IP over X25 To: firewalls@greatcircle.com Date: Tue, 7 Nov 1995 23:51:34 +0100 (MET) X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am new to the list so please forgive me any misbehaviour. Is it possible to filter IP packets comming from X25 or ISDN link on input side of router (say Cisco) counting on the NTN of the other side router? I mean, I would like some kind of dynamic filtering to be sure that guy at NTN 1000 is sending only frames with source address 1.2.3.4 while guy at NTN 2000 can send only frames with source address 5.6.7.8 and 9.10.11.12. Using simple ip_to_X25 access restriction is not enough, since it applies only to link establishment phase. Thanks to all who have a while to glance at above Andrzej Zagrodzinski Network Planning Mgr. From firewalls-owner Tue Nov 7 16:37:07 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id OAA25878 for firewalls-outgoing; Tue, 7 Nov 1995 14:33:52 -0800 (PST) Received: from echonyc.com (echonyc.com [198.67.15.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id OAA25873 for ; Tue, 7 Nov 1995 14:33:48 -0800 (PST) Received: (from jna@localhost) by echonyc.com (8.6.12/echo-relay) id RAA06602; Tue, 7 Nov 1995 17:32:22 -0500 Date: Tue, 7 Nov 1995 17:32:22 -0500 (EST) From: John Adams To: Ron DuFresne cc: firewalls@GreatCircle.COM Subject: Re: fairly recent web server compromise... In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 6 Nov 1995, Ron DuFresne wrote: > > Peoples, > > Wasn't but a couple of months ago that a major Hollywood motion pictures > firm's web server was compromised and files served up by it were > altered. 
> I think it was something like www.umga.com or some such thing,
> was in retaliation for the pending release of the movie Hackers...

It's highly debatable if the machine was really compromised, or if it was a publicity stunt on the part of MGM/UA.

> Anyway, does anyone have info regarding such tid-bits as:
>
> OS of this box

FreeBSD, and rumor has it that if it was really compromised, not saying it was, but they came in via a hole in an old copy of sendmail.

> WWW server SW that was in use

NCSA

John Adams                         jna@echonyc.com
EchoNYC Systems Administrator      (212) 292-0900

From firewalls-owner Tue Nov 7 16:52:55 1995
From: jon@nytimes.com (Jon E. Price)
Date: Tue, 7 Nov 1995 19:49:46 -0500
To: firewalls@greatcircle.com
Cc: dgbrown@nytimes.com, gordy@nytimes.com, stan@nytimes.com, theresa@nytimes.com
Subject: gated and bgp4 secure?

We now have two connections to the Internet. The routers connecting the t1 lines to our bastion host are running the bgp4 protocol. So that our bastion host utilizes the two connections to their fullest, we are considering running the gated protocol on the bastion host. (We currently use a static route to one of the routers)

Does running gated on the bastion host compromise security of our internet firewall in any way?

Is any security dependent on the o.s being used?

Thanks,
Jon

---------------------------------------------------------------
Jon E. Price
Systems Analyst
Publishing Systems
The New York Times
---------------------------------------------------------------

From firewalls-owner Tue Nov 7 17:21:38 1995
From: "Thomas V. Myers"
Date: Tue, 7 Nov 1995 18:15:01 -0500 (EST)
To: peter@nmti.com (Peter da Silva)
Cc: firewalls@greatcircle.com
Subject: Re: Weird Netscape Navigator functions?
In-Reply-To: <9511072058.AA14847@sonic.nmti.com.nmti.com> from "Peter da Silva" at Nov 7, 95 02:58:26 pm

>> The first was the CEO of Netscape saying something to the effect that
>> "..we know how many people are using our browsers because every time
>> you access a site, a message is sent to one of our servers telling us
>> what version you have, if it's a trial beta or registered, etc".
>
> Not through my firewall they're not. My proxy only speaks HTTP and logs
> everything, and there's no way for netscape to find my firewall address.
>
> I suspect the guy meant "every time you access our site"... see below:

I think they mean any site that's running NetScape HTTP servers. Many of them now have cute little messages that tell the user they're running obsolete software and offer a link to NetScape's home page so they can get an upgrade.

As you say, NetScape goes significantly beyond the HTML specifications with respect to what information the browsers provide to the server. My NCSA HTTPd server ignores the excess, at least as far as I can tell using CGI. It also isn't getting any information about the machine where I'm running the browser, just the name and address of the proxy machine.

Cheers,
Tom
--
Tom Myers, Network Manager; IC Design Center, P.O. Box 9005, M/S D18
Delco Electronics Corporation, Kokomo IN, 46904-9005
E-Mail: tvmyers@icdc.delcoelect.com    Voice: (317) 451-3051

From firewalls-owner Tue Nov 7 17:32:46 1995
From: stuart@cs.adelaide.edu.au (Stuart Beck)
Date: Wed, 8 Nov 1995 10:05:09 +1030
To: firewalls@GreatCircle.COM
Subject: Re: Changing shared libraries and how is ld.so finding real libraries?

Scott Barman checked some things out ..

>
> I decided to do some investigating. Under Solaris 2.4 on a SPARC 1000E,
> I set up a "simulated" environment by creating some empty files that had
> the name of libraries under /tmp and tried to run the login program.
> The following is what I did:
>
>     cd /usr/lib
>     foreach i (lib*.so*)
>     echo -n > /tmp/$i
>     end
>     cd security          <--- hmmm this was an interesting find!
>     foreach i (*)
>     echo -n > /tmp/$i
>     end
>     setenv LD_LIBRARY_PATH /tmp
>     setenv LD_RUN_PATH /tmp
>     /usr/bin/login
>
> The login program seemed to work fine. It prompted me for my userid and
> password... no problems. In fact, any setuid or setgid program (ps
> and mail, for example) ran with no problems. Others, such as ls and
> who, came back with errors that they didn't like my "new" libraries,
> giving me a message like:
>
>     ld.so.1: who: fatal: /tmp/libc.so.1: unknown file type
>
> This is what I expected.
> But why are the setuid/setgid finding the
> right libraries? What is Solaris doing to get around the settings of
> these environment variables?
>
> Interestingly, I found /usr/lib/security (with lsof) with one library
> and a symbolic link to it. /usr/lib/security/unix_scheme.so.1 seems
> to contain the "guts" to login, passwd, etc. (assumption based on an
> examination of the output from nm and strings). But even with my stubs
> in /tmp, login ran with no problems.
>
> Can anyone enlighten me as to what is happening?
>

Whilst checking some things of my own, totally unrelated to this question, I found ...

... Setuid programs do not use the LD_LIBRARY_PATH environment variable, that would make them a target for hackers......

[info came from sun-managers: SUMMARY: X11R5 xterm and solaris 2.2, from a Q as to why setuid xterm didn't work while non setuid did]

Hope this is useful.

SAb.

From firewalls-owner Tue Nov 7 18:05:26 1995
From: firewalls@count01.mry.scruznet.com
Date: Tue, 07 Nov 1995 07:00:29 -0800
To: Jim McBride
cc: Mark, Edward Maillet, firewalls@GreatCircle.COM, firewalls@count01.mry.scruznet.com
Subject: Re: Spoofing ISDN
In-reply-to: Your message of "Mon, 06 Nov 1995 08:44:30 CST."

before you accuse someone of being full of shit you might want to check your facts more carefully

CLID is implemented under CLASS programming on the #5ess...

Switch reprogramming and the relatively trivial masquerading of Caller-ID (really trivial with switch access) or the more fascinating subject of spoofing ANI or AMA has been a salient feature of MANY security attacks in Silicon Valley... and Austin and New York etc ad nauseam

These attacks are NOT mentioned in CUD or the Washington Post... you would have to be an insider to the industry to know how prevalent this is...

but for the totally clueless... Kevin Mitnick's adventures involved LOTS of switch reprogramming... for other reasons...

cheers
kelly

From firewalls-owner Tue Nov 7 18:12:53 1995
From: ronaldp@hybrid.com (Ronald Przybylski)
Date: Tue, 7 Nov 95 17:30:59 PST
To: firewalls@GreatCircle.COM

--
INTERNET VIA CABLE TV        Hybrid Networks, Inc.
The Ronix Connection         Network Operations
http://www.hybrid.com        10201 Bubb Road
ftp://ftp.hybrid.com         Cupertino, CA 95014

From firewalls-owner Tue Nov 7 18:22:55 1995
From: chris sieber
Date: Tue, 7 Nov 1995 18:38:43 -0700 (MST)
To: firewalls@greatcircle.com
Subject: security policy

Greetings:

A while back (within the last month), someone briefly mentioned a URL that contained security policy documents for several universities. In my absentmindedness, I deleted the message. If anyone knows of that site, could they please e-mail it to me directly?

Thanks a lot,
Chris Sieber

From firewalls-owner Tue Nov 7 19:22:55 1995
From: jgs@aads.net (John G. Scudder)
Date: Tue, 7 Nov 1995 21:47:36 -0500
To: David R Conrad
Cc: mulligan@incog.com, firewalls@GreatCircle.COM
Subject: Re: Man in the Middle Attacks (Over rated?)

At 3:36 PM 11/4/95, David R Conrad wrote:
> P.S. I believe the NSFNet routers were general purpose Unix machines
> (IBM RS6000s) with high speed serial interfaces.

Correct. Each serial interface has its own forwarder and sends packets directly across the uChannel to the egress interface. The CPU doesn't see the packets. There's no publicly documented interface to the serial interface, and certainly no /dev/nit. As a result, it would be no easier to sniff packets on an NSFNET router than on your favorite router vendor's (non-workstation based) router.

--John

From firewalls-owner Tue Nov 7 19:51:16 1995
From: FEH Systems Philadelphia
Date: Tue, 7 Nov 1995 21:52:12 -0500 (EST)
To: John Adams
cc: Ron DuFresne, firewalls@GreatCircle.COM
Subject: Re: fairly recent web server compromise...

The Fact Is, John, The "Hackers" website was compromised and it was done by an elite group of fellas known as the PLA. You can amuse yourself with how the account was breached, it could have just been a weak password. BUT I HEAR they used the old httpd exploit.
--
MORPH                              Federal Electronic
morph_1@netaxs.com                 Hardware Commission
Security and System Manager        -------------------
FEH Systems Inc. [Philadelphia]    [215] 271-0006 ext 69

On Tue, 7 Nov 1995, John Adams wrote:

> On Mon, 6 Nov 1995, Ron DuFresne wrote:
>
> >
> > Peoples,
> >
> > Wasn't but a couple of months ago that a major Hollywood motion pictures
> > firm's web server was compromised and files served up by it were
> > altered. I think it was something like www.umga.com or some such thing,
> > was in retaliation for the pending release of the movie Hackers...
>
> It's highly debatable if the machine was really compromised, or if it was
> a publicity stunt on the part of MGM/UA.
>
> > Anyway, does anyone have info regarding such tid-bits as:
> >
> > OS of this box
>
> FreeBSD, and rumor has it that if it was really compromised, not saying
> it was, but they came in via a hole in an old copy of sendmail.
>
> > WWW server SW that was in use
>
> NCSA
>
> John Adams                         jna@echonyc.com
> EchoNYC Systems Administrator      (212) 292-0900
>
>

From firewalls-owner Tue Nov 7 19:52:55 1995
From: FEH Systems Philadelphia
Date: Tue, 7 Nov 1995 21:54:47 -0500 (EST)
To: firewalls@count01.mry.scruznet.com
cc: Jim McBride, Mark, Edward Maillet, firewalls@GreatCircle.COM, firewalls@count01.mry.scruznet.com
Subject: Re: Spoofing ISDN

W0W! Kevin Mitnick Reprogrammed Switches!#@? I heard he had a portable phone that he had opened up and modified so that he could make free ld calls.

--
MORPH                              Federal Electronic
morph_1@netaxs.com                 Hardware Commission
Security and System Manager        -------------------
FEH Systems Inc. [Philadelphia]    [215] 271-0006 ext 69

On Tue, 7 Nov 1995 firewalls@count01.mry.scruznet.com wrote:

>
>
> before you accuse someone of being full of shit you might want to check your
> facts more carefully
> CLID is implemented under CLASS programming on the #5ess...
>
> Switch reprogramming and the relatively trivial masquerading of Caller-ID
> (really trivial with switch access) or the more fascinating
> subject of spoofing ANI or AMA has been a salient feature of MANY security
> attacks in Silicon Valley... and Austin and New York etc ad nauseam
> These attacks are NOT mentioned in CUD or the Washington Post...
> you would have to be an insider to the industry to know
> how prevalent this is...
>
> but for the totally clueless... Kevin Mitnick's adventures involved
> LOTS of switch reprogramming... for other reasons...
>
> cheers
> kelly
>

From firewalls-owner Tue Nov 7 22:22:55 1995
From: Brain21
Date: Wed, 8 Nov 1995 00:52:00 -0500 (EST)
To: John Adams
cc: Ron DuFresne, firewalls@GreatCircle.COM
Subject: Re: fairly recent web server compromise...

On Tue, 7 Nov 1995, John Adams wrote:

>
> It's highly debatable if the machine was really compromised, or if it was
> a publicity stunt on the part of MGM/UA.

I don't think that it was a publicity stunt. The rumors going around were that ILF (Internet Liberation Front) did it. I seriously doubt that anyone at MGM/UA has ever heard enough about ILF to start rumors about them. They would prolly not be wise to do so anyway.

> FreeBSD, and rumor has it that if it was really compromised, not saying
> it was, but they came in via a hole in an old copy of sendmail.
>

Did anyone check to see what version of sendmail they were running? There are plenty of holes on NCSA's httpd too. Anyone know what version they were running, or if the place was even firewalled off?

Brain21

From firewalls-owner Tue Nov 7 22:52:55 1995
From: firewalls@count01.mry.scruznet.com
Date: Tue, 07 Nov 1995 06:52:26 -0800
To: Jim McBride
cc: Mark, Edward Maillet, firewalls@GreatCircle.COM, firewalls@count01.mry.scruznet.com
Subject: Re: Spoofing ISDN
In-reply-to: Your message of "Mon, 06 Nov 1995 08:44:30 CST."

I have been using it for secure customer access and firewall maintenance for 3 months now...
works mostly ok BUT breaks because of temporary resource shortages under SUN 4.1.3

I tried Ctcp but was totally unsuccessful

From firewalls-owner Wed Nov 8 00:22:55 1995
From: Mark
Date: Wed, 8 Nov 1995 18:25:40 +1000 (EET)
To: morph_1@netaxs.com (FEH Systems Philadelphia)
Cc: firewalls@count01.mry.scruznet.com, jim@basic.net, mark@lochard.com.au, maillet@doc.cs.usm.maine.edu, firewalls@GreatCircle.COM, ex-gavin@lochard.com.au
Subject: Re: Spoofing ISDN
In-Reply-To: from "FEH Systems Philadelphia" at Nov 7, 95 09:54:47 pm

> W0W! Kevin Mitnick Reprogrammed Switches!#@? I heard he had a portable
> phone that he had opened up and modified so that he could make free ld
> calls.

He reprogrammed a switch in Raleigh NC to show his calls as coming from another carrier. This slowed Shimomura down a little as they figured out that the switch was breached. Then Shimomura and a techie from the telco went cruising in a van and, using a directional scanner, [illegally] monitored the cell frequencies and found the dwelling Mitnick was residing in. There are a number of articles on this topic in the NYT giving a general sequence of events.

Mitnick also reprogrammed the ESNs of cell phones to steal 1000's of hours of air time. What makes sense (to me) is him setting an ESN to a unique value and having the cell switch do his mind games with that particular ESN. Whether this is the case one would have to ask Kevin. From all accounts I hear he isn't talking :). Smart boy.

>> Switch reprogramming and the relatively trivial masquerading of Caller-ID
>> (really trivial with switch access) or the more fascinating
>> subject of spoofing ANI or AMA has been a salient feature of MANY security
>> attacks in Silicon Valley... and Austin and New York etc ad nauseam
>> These attacks are NOT mentioned in CUD or the Washington Post...
>> you would have to be an insider to the industry to know
>> how prevalent this is...

Being full of shit, I wouldn't know this or associate with telco employees that have had to track down such incidents :)

FW Relevance: Trusting a connection based solely on "I am from node 12345" is similar to trusting a TCP connection based on the IP number. It may stop the average "Jim" Schmoe, but some day someone with the know how and time will do your sorry butt.

Cheers,
Mark
mark@lochard.com.au

From firewalls-owner Wed Nov 8 02:52:55 1995
From: frankw@in.net (Frank Willoughby)
Date: Wed, 8 Nov 95 05:32:34 -0500
To: firewalls@GreatCircle.com
Subject: Re: Man in the Middle Attacks (Over rated?)

Four of the many risks at trade shows are:

Video cameras which are used to record the user logging in to their system. The tape is later played back in slow motion to obtain the password.

Sniffers are used by hackers (and some unethical competitors) to sniff the network to obtain competitive info and to cause problems during demos. (Denial of service attacks generally have a negative impact on sales). 8^(

Sabotage by a competitor or malicious persons. A pair of wire cutters or even a small pin through a coax cable will cause an immediate denial of service.

Theft of Equipment. Anything which isn't nailed down will suddenly sprout legs and walk away. Many of your better trade shows will post guards to help prevent thefts/sabotage

Best Regards,

Frank
http://www.fortified.com/fortified

> Has anyone heard of "Man in the middle attacks" at trade shows? I would
> think that they would be the best place to do that. I am always amazed
> that people login and read their mail over the Internet at shows like
> InterOP. Think of all the sniffers that must be there! I have seen
> reports that sniffing of regular voice conversations (i.e.
> eavesdropping) is a problem at such trade shows, but haven't heard any
> confirmed reports about data sniffing.
> --
> Jeff Sedayao
> Intel Corporation
> sedayao@argus.intel.com
>
>
>

From firewalls-owner Wed Nov 8 03:24:32 1995
From: David R Conrad
Date: Wed, 08 Nov 1995 20:07:11 +0900
To: jgs@aads.net (John G. Scudder)
cc: David R Conrad, mulligan@incog.com, firewalls@GreatCircle.COM, davidc@ns.iij.ad.jp
Subject: Re: Man in the Middle Attacks (Over rated?)
In-reply-to: Your message of "Tue, 07 Nov 1995 21:47:36 EST."

John,

Right -- didn't mean to imply the NSFNet routers were susceptible to the same sort of attack as putting a network management station or service machine (or similar) on a transit wire. For the record, ANS/NSFNet was not one of the ISPs I heard about getting compromised (not that that means anything :-))...

Regards,
-drc

> At 3:36 PM 11/4/95, David R Conrad wrote:
> > P.S. I believe the NSFNet routers were general purpose Unix machines
> > (IBM RS6000s) with high speed serial interfaces.
>
> Correct. Each serial interface has its own forwarder and sends packets
> directly across the uChannel to the egress interface. The CPU doesn't see
> the packets. There's no publicly documented interface to the serial
> interface, and certainly no /dev/nit. As a result, it would be no easier
> to sniff packets on an NSFNET router than on your favorite router vendor's
> (non-workstation based) router.
> >--John > > From firewalls-owner Wed Nov 8 03:52:55 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id DAA21150 for firewalls-outgoing; Wed, 8 Nov 1995 03:39:12 -0800 (PST) Received: from lint.cisco.com (lint.cisco.com [171.68.235.77]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id DAA21145 for ; Wed, 8 Nov 1995 03:39:03 -0800 (PST) Received: from pferguso-pc.cisco.com (sl-chanty-03.cisco.com [171.69.126.157]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id DAA21098; Wed, 8 Nov 1995 03:38:58 -0800 Date: Wed, 8 Nov 1995 03:38:58 -0800 Message-Id: <199511081138.DAA21098@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: jon@nytimes.com (Jon E. Price) From: Paul Ferguson Subject: Re: gated and bgp4 secure? Cc: firewalls@GreatCircle.COM, dgbrown@nytimes.com, gordy@nytimes.com, stan@nytimes.com, theresa@nytimes.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >From the 'For What Its Worth Department' - I would venture to say that this is less an issue of the related operating system of the device and more an issue of route acceptance policy and the underlying methods of doing so. :-) Blindly accepting dynamic routing information from upstream sources can be a dangerous thing. That is one of the reasons why we (cisco Systems) now have the abilitity to use an MD5 hashing authentication on BGP and OSPF routing peer/neighbor sources. - paul At 07:49 PM 11/7/95 -0500, Jon E. Price wrote: > >We now have two connections to the Internet. The routers connecting the t1 >lines to our bastion host are running the bgp4 protocol. So that our bastion >host utilizes the two connections to their fullest, we are considering >running the gated protocol on the bastion host. 
>(We currently use a static route to one of the routers) > >Does running gated on the bastion host compromise security of our internet >firewall in any way? > >Is any security dependent on the o.s being used? > >Thanks, >Jon > >--------------------------------------------------------------- >Jon E. Price >Systems Analyst >Publishing Systems >The New York Times >--------------------------------------------------------------- > -- Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:.. e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Wed Nov 8 04:22:55 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id EAA21755 for firewalls-outgoing; Wed, 8 Nov 1995 04:08:11 -0800 (PST) Received: from mail2.digital.com (mail2.digital.com [204.123.2.56]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id EAA21750 for ; Wed, 8 Nov 1995 04:08:08 -0800 (PST) Received: from ilosrv.ilo.dec.com by mail2.digital.com; (5.65 EXP 4/12/95 for V3.2/1.0/WV) id AA01924; Wed, 8 Nov 1995 03:53:57 -0800 Received: from ilofrs.ilo.dec.com by ilosrv.ilo.dec.com; (5.65/1.1.8.2/12Nov94-8.2MPM) id AA13693; Wed, 8 Nov 1995 11:53:40 GMT Received: by fwsrtr.fws.ilo.dec.com; (5.65/1.3/10May95) id AA01996; Wed, 8 Nov 1995 11:55:15 GMT Received: from localhost by philby.fws.ilo.dec.com; (5.65/1.1.8.2/31Aug95-8.2MPM) id AA03645; Wed, 8 Nov 1995 11:52:25 GMT Message-Id: <9511081152.AA03645@philby.fws.ilo.dec.com> To: "Johnson-Bryden, Ian" Cc: fod@fws.ilo.dec.com, firewalls@greatcircle.com Subject: Re: Facts on Break-Ins In-Reply-To: Your message of "Tue, 07 Nov 1995 18:55:00 GMT." 
<309FB9EB@smtpgty.saicuk.co.uk> X-Mailer: exmh version 1.4.1 7/21/94 Date: Wed, 08 Nov 1995 11:52:06 +0000 From: "Frank O'Dwyer" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Frank is correct in saying British DTI produced a report, although the more > accurate statement is that the IT Security section of DTI, which supplies > half of the British reps for the British ITSEC team, commissioned someone to > do a study and then published the result. I have a copy of the draft (of > what I think is the document Frank refers to) but not a final released > version so DTI may not have credited the study team. From memory National > Physical Laboratory did that particular study on contract to DTI. The one I saw wasn't a draft, but a finished publication. It was quite some time back, though. Perhaps they have updated it? Anyhow, I guess the reason I liked the study is that it supports my own belief that security risks should be broadly ranked as follows:
- boring stuff (no backup, user error, incorrect data entry, fire, power surges, etc.)
- insiders working within their assigned privileges
- insiders breaking out of their assigned privileges
- outsiders 'cracking' systems via dialup, internet, and so forth.
In that order - with the first two being by far the most important, and the Mitnicks of this world trailing a very poor fourth. In short, anyone who has a firewall but not an offsite backup is seriously out of touch with reality. > Different parts of DTI and CCTA carry out or commission studies into these > issues, and many others, with great frequency and make the results available > publicly, not always with the greatest accuracy. For example a recent CCTA > study concluded that the Internet was populated with an undisciplined rabble > and totally unsuited for any serious communications use, being unlikely to > survive as an Information Byeway. Yes, but do you have any examples of an _inaccurate_ study they did? :-) Cheers, Frank O'Dwyer. 
From firewalls-owner Wed Nov 8 08:14:35 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id HAA24628 for firewalls-outgoing; Wed, 8 Nov 1995 07:26:40 -0800 (PST) Received: from mail2.digital.com (mail2.digital.com [204.123.2.56]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id HAA24600 for ; Wed, 8 Nov 1995 07:26:32 -0800 (PST) Received: from ilosrv.ilo.dec.com by mail2.digital.com; (5.65 EXP 4/12/95 for V3.2/1.0/WV) id AA14053; Wed, 8 Nov 1995 06:56:34 -0800 Received: from ilofrs.ilo.dec.com by ilosrv.ilo.dec.com; (5.65/1.1.8.2/12Nov94-8.2MPM) id AA15274; Wed, 8 Nov 1995 14:55:22 GMT Received: by fwsrtr.fws.ilo.dec.com; (5.65/1.3/10May95) id AA03980; Wed, 8 Nov 1995 14:56:57 GMT Received: from localhost by philby.fws.ilo.dec.com; (5.65/1.1.8.2/31Aug95-8.2MPM) id AA03860; Wed, 8 Nov 1995 14:54:06 GMT Message-Id: <9511081454.AA03860@philby.fws.ilo.dec.com> To: Scott Barman Cc: firewalls@greatcircle.com, fod@fws.ilo.dec.com Subject: Re: Changing shared libraries and how is ld.so finding real libraries? In-Reply-To: Your message of "Tue, 07 Nov 1995 13:14:47 EST." X-Mailer: exmh version 1.4.1 7/21/94 Date: Wed, 08 Nov 1995 14:53:57 +0000 From: "Frank O'Dwyer" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > This is what I expected. But why are the setuid/setgid finding the > right libraries? What is Solaris doing to get around the settings of > these environment variables? Some Unices constrain setuid/setgid programs to load shared libs from the standard directories only, for (you guessed it) "security reasons". I don't know if Solaris does, however. It's generally also possible to specify a library search path at link time (via LD_RUN_PATH, I think), so that the binary 'knows where to look' independently of the environment settings. 
In my experience, these mechanisms are usually poorly documented, and the best thing to do is to experiment in order to determine the effect of the various environment variables, and what precedence they have and so forth. It's also about the best way to understand what's going on. Lastly, another peculiarity with shared libs is that individual functions are generally not bound until they are used. In principle, you could have a daemon which ran for a year, then called its 'year_end' routine only to find that the latest and greatest lib no longer contained that routine. From memory, there is (in SVR4 anyhow) a variable called LD_BIND_NOW which if you set it to 1 will have the binary bind everything when it starts. If anything's missing from the libs you'll then find it out right away. Hope this is of some help, Cheers, Frank O'Dwyer. From firewalls-owner Wed Nov 8 08:44:53 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA26376 for firewalls-outgoing; Wed, 8 Nov 1995 08:21:00 -0800 (PST) Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id IAA26371 for ; Wed, 8 Nov 1995 08:20:52 -0800 (PST) Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.7.1/8.7.1) with UUCP id KAA25269 for GreatCircle.COM!firewalls; Wed, 8 Nov 1995 10:12:55 -0600 (CST) Received: by ris1.nmti.com (smail2.5) id AA01123; 8 Nov 95 10:42:50 CST (Wed) Received: by sonic.nmti.com; id AA05562; Wed, 8 Nov 1995 10:12:12 -0600 From: peter@nmti.com (Peter da Silva) Message-Id: <9511081612.AA05562@sonic.nmti.com.nmti.com> Subject: Re: fairly recent web server compromise... 
To: brain21@montag33.residence.gatech.edu (Brain21) Date: Wed, 8 Nov 1995 10:12:12 -0600 (CST) Cc: jna@echonyc.com, dufresne@winternet.com, firewalls@GreatCircle.COM In-Reply-To: from "Brain21" at Nov 8, 95 00:52:00 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > It's highly debatable if the machine was really compromised, or if it was > > a publicity stunt on the part of MGM/UMA. > I don't think that it was a publicity stunt. The rumors going around > were that ILF (Internet Liberation Front) did it. I seriously doubt that > anyone at MGM/UA has ever heard enough about ILF to start rumors about > them. They would prolly not be wise to do so anyway. Nah, what they apparently did was deliberately leave a hole and hope some crackers snuck in. They lucked out. From firewalls-owner Wed Nov 8 08:46:12 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA26350 for firewalls-outgoing; Wed, 8 Nov 1995 08:13:13 -0800 (PST) Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id IAA26345 for ; Wed, 8 Nov 1995 08:12:58 -0800 (PST) Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id KAA17446; Wed, 8 Nov 1995 10:48:13 -0600 Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id KAA17433; Wed, 8 Nov 1995 10:47:52 -0600 Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id KAA19383; Wed, 8 Nov 1995 10:12:28 -0600 (CST) Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id KAA13050; Wed, 8 Nov 1995 10:12:27 -0600 Date: Wed, 8 Nov 1995 10:12:27 -0600 From: Rick Smith Message-Id: <199511081612.KAA13050@shade.sctc.com> To: firewalls@greatcircle.com Cc: smith@sctc.com, mjc@quark.foobar.co.uk Subject: Re: Tightening up SunOS 5.4 (was Re: Hardened 
OS) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk "Martin Cooper" writes: >I thought Rick had posted to the list saying that having no root >entry for uid 0 would cause problems with booting into single >user mode, but perhaps it was someone else. The explanation took a wrong turn, then. Yes, there is an entry for UID 0 and a user called "root." It's just that the behavior of this "root" user is still constrained by Type Enforcement rules. In particular, nobody, not even root, can install executables or change Type Enforcement rules when the system is in normal operation. We designed the system so we could easily port network server software and run it securely. That requires an execution context that pretty much looks and acts like root (UID 0, etc), while being constrained by enforcing "least privilege" on its behavior. Rick. smith@sctc.com From firewalls-owner Wed Nov 8 08:48:13 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA26226 for firewalls-outgoing; Wed, 8 Nov 1995 08:05:37 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id IAA26203 for ; Wed, 8 Nov 1995 08:05:30 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950602) id IAA03492; Wed, 8 Nov 1995 08:05:29 -0800 Received: from kgbvax.network.com(129.191.202.58) by mycroft via smap (V1.3mjr) id sma003476; Wed Nov 8 08:04:32 1995 Received: (from ted@localhost) by kgbvax.network.com (8.6.9/8.6.9) id KAA00198; Wed, 8 Nov 1995 10:01:03 -0500 Date: Wed, 8 Nov 1995 10:01:03 -0500 From: Ted Doty Message-Id: <199511081501.KAA00198@kgbvax.network.com> To: pferguso@cisco.com, jon@nytimes.com Subject: Re: gated and bgp4 secure? 
In-Reply-To: Mail from 'Paul Ferguson ' dated: Wed, 8 Nov 1995 03:38:58 -0800 Cc: firewalls@greatcircle.com, dgbrown@nytimes.com, gordy@nytimes.com, stan@nytimes.com, theresa@nytimes.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Paul Ferguson wrote: > From the 'For What It's Worth Department' - > > I would venture to say that this is less an issue of the related > operating system of the device and more an issue of route acceptance > policy and the underlying methods of doing so. :-) > > Blindly accepting dynamic routing information from upstream sources > can be a dangerous thing. Agreed. However, routing protocols are only a single instance of traffic that requires authentication. That's why everyone should Run Not Walk to their router/workstation vendor and ask about their plans for RFC 1826 (The IP Authentication Header). Note that there will be some people who want to run Virtual Private Networks across an internet, and want to hide routing information (as opposed to simply authenticating it). These folks will want to ask their vendor about RFC 1827 (IP Encapsulating Security Payload). Note that encapsulating routing information should be done with care, lest you introduce routing loops and hopelessly wedge your net. ;-) -- - Ted -------------------------------------------------------------------------- Ted Doty, Network Systems Corporation | phone: +1 301 596-2270 8965 Guilford Road, Suite 250 | fax: +1 410 381-3320 Columbia, MD, 21046 USA | voice mail: (800) 233-1485 -------------------------------------------------------------------------- The opinion expressed in this message is fictitious. Any resemblance to real opinions, living or dead, is purely coincidental. 
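Added example, not code from either message in this thread. Paul Ferguson's point above is that the danger in running a routing daemon on the bastion host lies in route acceptance policy and peer authentication rather than in the operating system, and Ted Doty's reply is that whatever the router is told needs authenticating. The toy update acceptor below shows both controls on one message: it checks a keyed MD5 digest and a sequence number before it will look at the announcement at all, then runs each announced prefix through an acceptance policy (no default route, no bogon space, no echo of our own prefixes, nothing more specific than a configured length, nothing outside the ranges this peer is registered for, and a prefix-count limit). The message layout, the key-id/sequence fields, the policy rules and every prefix and secret are assumptions for illustration; none of this is the wire format of BGP-4, OSPF or RFC 1826.

```python
"""Added example, not code from the list thread: a toy 'route update
acceptor' doing the two things Paul Ferguson and Ted Doty call for
before a bastion host trusts a routing peer: (1) authenticate the
peer, (2) apply a route acceptance policy.  The message layout, the
key-id/sequence fields, the policy rules and every prefix below are
assumptions for illustration, not the BGP-4, OSPF or RFC 1826 formats.
"""
import hashlib
import hmac
import ipaddress
import struct

# Constructed shared secrets, looked up by the key id carried in a message.
KEYS = {1: b"peer-shared-secret"}

# Classic bogons: address space no upstream should ever announce to us.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def keyed_md5(payload: bytes, key: bytes) -> bytes:
    """MD5 over the message with the shared key appended: the shape of the
    era's routing-protocol authentication.  New designs should use an HMAC."""
    return hashlib.md5(payload + key).digest()


def build_update(key_id: int, seq: int, prefixes, key: bytes) -> bytes:
    """Sender: header(key_id, seq, count) + 5-byte prefixes + 16-byte digest."""
    body = struct.pack("!HIH", key_id, seq, len(prefixes))
    for p in prefixes:
        net = ipaddress.ip_network(p)
        body += net.network_address.packed + struct.pack("!B", net.prefixlen)
    return body + keyed_md5(body, key)


def parse_update(msg: bytes):
    """Receiver: split off the digest, decode raw (addr, plen) pairs untrusted."""
    body, digest = msg[:-16], msg[-16:]
    key_id, seq, count = struct.unpack("!HIH", body[:8])
    raw = [(body[8 + 5 * i:12 + 5 * i], body[12 + 5 * i]) for i in range(count)]
    return key_id, seq, raw, body, digest


class AcceptancePolicy:
    """What this peer may tell us, and what we never accept from anyone."""

    def __init__(self, expected, own, max_prefixlen=24, max_prefixes=50):
        self.expected = [ipaddress.ip_network(n) for n in expected]
        self.own = [ipaddress.ip_network(n) for n in own]
        self.max_prefixlen = max_prefixlen
        self.max_prefixes = max_prefixes

    def reason_to_reject(self, addr: bytes, plen: int):
        """None if the prefix is acceptable, otherwise a short reason."""
        try:
            net = ipaddress.ip_network(f"{ipaddress.ip_address(addr)}/{plen}")
        except ValueError:
            return "malformed prefix (host bits set or bad length)"
        if net.prefixlen == 0:
            return "default route from a peer"
        if any(net.overlaps(b) for b in BOGONS):
            return "bogon space"
        if any(net.overlaps(o) for o in self.own):
            return "our own address space announced back to us"
        if net.prefixlen > self.max_prefixlen:
            return "more specific than /%d" % self.max_prefixlen
        if not any(net.subnet_of(e) for e in self.expected):
            return "outside the prefixes this peer is registered for"
        return None


def accept_update(msg: bytes, policy: AcceptancePolicy, state: dict):
    """Authenticate first, then filter.  Returns (accepted, rejected); raises
    ValueError on digest, replay or count failure, installing nothing."""
    key_id, seq, raw, body, digest = parse_update(msg)
    key = KEYS.get(key_id)
    if key is None:
        raise ValueError("unknown key id %d" % key_id)
    if not hmac.compare_digest(keyed_md5(body, key), digest):
        raise ValueError("digest mismatch: update is not from the keyed peer")
    if seq <= state.get("last_seq", -1):
        raise ValueError("sequence %d not newer than last seen: replay?" % seq)
    state["last_seq"] = seq
    if len(raw) > policy.max_prefixes:
        raise ValueError("%d prefixes exceeds limit %d" % (len(raw), policy.max_prefixes))
    accepted, rejected = [], []
    for addr, plen in raw:
        text = "%s/%d" % (ipaddress.ip_address(addr), plen)
        why = policy.reason_to_reject(addr, plen)
        if why:
            rejected.append((text, why))
        else:
            accepted.append(text)
    return accepted, rejected


if __name__ == "__main__":
    policy = AcceptancePolicy(["198.51.100.0/24", "203.0.113.0/24"], ["192.0.2.0/24"])
    msg = build_update(1, 7, ["198.51.100.0/24", "203.0.113.128/25", "10.0.0.0/8",
                              "192.0.2.0/24", "0.0.0.0/0"], KEYS[1])
    print(accept_update(msg, policy, {}))
    try:
        accept_update(build_update(1, 8, ["198.51.100.0/24"], b"wrong-key"), policy, {})
    except ValueError as err:
        print("rejected:", err)
```

The order matters: the digest and sequence checks run before any prefix is parsed, so a forged or replayed update never reaches the policy, and a policy failure on one prefix rejects only that prefix rather than the whole session. The "hash(message || key)" construction is kept because it is what the MD5 options of that generation do; the point of the example is the layering, not a recommendation of that digest.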
From firewalls-owner Wed Nov 8 09:43:27 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA26757 for firewalls-outgoing; Wed, 8 Nov 1995 08:29:34 -0800 (PST) Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id IAA26752 for ; Wed, 8 Nov 1995 08:29:30 -0800 (PST) Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id LAA17915; Wed, 8 Nov 1995 11:05:36 -0600 Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id LAA17911; Wed, 8 Nov 1995 11:05:35 -0600 Received: from mario.sctc.com (mario.sctc.com [172.17.192.177]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id KAA19770; Wed, 8 Nov 1995 10:30:11 -0600 (CST) Received: (from dowd@localhost) by mario.sctc.com (8.6.12/8.6.9) id KAA03177; Wed, 8 Nov 1995 10:30:08 -0600 Date: Wed, 8 Nov 1995 10:30:06 -0600 (CST) From: Alan Dowd To: chris sieber cc: firewalls@GreatCircle.COM Subject: Re: security policy In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Greetings, Chris! On Tue, 7 Nov 1995, chris sieber wrote: > A while back( within the last month), someone briefly mentioned a URL > that contained security policy documents for several universities. In my > absentmindedness, I deleted the message. if anyone knows of that site, could > they please e-mail it to me directly? Try the subdirectories under ftp://coast.cs.purdue.edu/pub/doc/policy . 
Regards, Alan Dowd dowd@sctc.com secure computing corporation From firewalls-owner Wed Nov 8 09:48:44 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA26898 for firewalls-outgoing; Wed, 8 Nov 1995 08:46:49 -0800 (PST) Received: from uu5.psi.com (uu5.psi.com [38.145.226.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id IAA26893 for ; Wed, 8 Nov 1995 08:46:45 -0800 (PST) Received: by uu5.psi.com (5.65b/4.0.071791-PSI/PSINet) via UUCP; id AA02022 for ; Wed, 8 Nov 95 11:23:57 -0500 Date: Wed, 8 Nov 95 11:19:04 EST From: hhs@teleoscom.com (Chip Sharp X-6424) Received: by teleoscom.com (4.1/3.2.083191-Teleos Communications Inc.) id AA26943; Wed, 8 Nov 95 11:19:04 EST Message-Id: <9511081619.AA26943@teleoscom.com> To: Firewalls@GreatCircle.COM In-Reply-To: firewalls-digest-owner@GreatCircle.COM's message of Mon, 6 Nov 1995 11:41:17 -0800 (PST) <199511061941.LAA19174@miles.greatcircle.com> Subject: Re: Spoofing ISDN Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >From: Jim McBride : .... >Again, per my previous post, I would like somebody to explain to me >how you think you can forge a clid even with switch access, if you can >prove me wrong, great...but I don't think you can. The signaling network ISDN uses is a network of computers. Computers can be hacked, especially by insiders. The security of the system is only as good as its weakest link. Hacking telephone network computers is an interesting topic. If a malicious telephone employee has inside access to the computer system and has the knowledge (it is available), that person could possibly fake out the CLID. I personally don't think it is probable, but if enough money is at stake, it will be done. An employee could configure the switch to not validate the CLID on an inside port (e.g., test port), then generate calls with a fake CLID to the destination. 
If a local telco employee knew that a certain number of lines were connected to a call center, that employee could probably monitor those lines and pull off whatever traffic was going over the lines (depending on the internal security of the CO). ======================================================================= Hascall H. ("Chip") Sharp Teleos Communications, Inc. Sr. Systems Engineer 2 Meridian Road Eatontown, NJ 07724 USA voice: +1 908 544 6424 fax: +1 908 544 9890 email: hhs@teleoscom.com web: http://www.teleoscom.com/ ======================================================================== From firewalls-owner Wed Nov 8 10:00:30 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA27622 for firewalls-outgoing; Wed, 8 Nov 1995 09:27:46 -0800 (PST) Received: from incog.com (ns.incog.com [199.190.177.251]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id JAA27617 for ; Wed, 8 Nov 1995 09:27:43 -0800 (PST) From: mulligan@future.incog.com Received: from coslabs.incog.com by incog.com (SMI-8.6/94082501) id JAA02974; Wed, 8 Nov 1995 09:26:32 -0800 Received: from future.incog.com by coslabs.incog.com (5.x/SMI-SVR4) id AA01136; Wed, 8 Nov 1995 10:27:37 -0700 Received: from future (localhost) by future.incog.com (5.x/SMI-SVR4) id AA00614; Wed, 8 Nov 1995 10:27:37 -0700 Message-Id: <9511081727.AA00614@future.incog.com> To: "Scott Deshaies" Cc: "Firewalls Mailing List" Subject: Re: Weird Netscape Navigator functions? Reply-To: mulligan@incog.com In-Reply-To: Your message of "Tue, 07 Nov 1995 09:16:09 MST." 
<309f864a.vanguard@vanguard.hmp.com> Date: Wed, 08 Nov 1995 10:27:36 -0700 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Nov 7 Scott Deshaies was purported to have written: > The first was the CEO of Netscape saying something to the effect that > "..we know how many people are using our browsers because every time > you access a site, a message is set to one of our servers telling us > what version you have, if it's a trial beta or registered, etc". > I havent had a chance to run a packet trace on it yet, but does anyone > know if this is true? I have run packet traces on my connections and haven't yet seen any of these "messages", but I certainly may have missed it! A packet is not sent at the start of every connection. It may be sent at some random time after the initiation of a connection or only once per day. geoff From firewalls-owner Wed Nov 8 10:28:46 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id KAA28747 for firewalls-outgoing; Wed, 8 Nov 1995 10:20:33 -0800 (PST) Received: from count01.mry.scruznet.com (count01.mry.scruznet.com [204.147.227.65]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id KAA28740 for ; Wed, 8 Nov 1995 10:20:29 -0800 (PST) From: firewalls@security-gw.mry.scruznet.com Received: from security-gw.mry.scruznet.com (security-gw [192.187.227.222]) by count01.mry.scruznet.com (8.7.1/8.7.1) with ESMTP id KAA01802; Wed, 8 Nov 1995 10:10:35 -0800 (PST) Received: from security-gw.mry.scruznet.com (localhost [127.0.0.1]) by security-gw.mry.scruznet.com (8.7.1/8.7.1) with ESMTP id KAA02183; Wed, 8 Nov 1995 10:13:14 -0800 (PST) Message-Id: <199511081813.KAA02183@security-gw.mry.scruznet.com> To: FEH Systems Philadelphia cc: firewalls@count01.mry.scruznet.com, Jim McBride , Mark , Edward Maillet , firewalls@GreatCircle.COM, firewalls@count01.mry.scruznet.com Subject: Re: Spoofing ISDN In-reply-to: Your message of "Tue, 07 Nov 1995 21:54:47 EST." 
Date: Wed, 08 Nov 1995 10:13:14 -0800 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk From firewalls-owner Wed Nov 8 10:30:07 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA27315 for firewalls-outgoing; Wed, 8 Nov 1995 09:09:25 -0800 (PST) Received: from imonics.com (netadmin.imonics.com [192.154.44.24]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id JAA27310 for ; Wed, 8 Nov 1995 09:09:21 -0800 (PST) Received: from thyrsus.imonics.com (thyrsus.imonics.com [205.139.209.197]) by imonics.com (8.6.12/8.6.12) with SMTP id MAA18259; Wed, 8 Nov 1995 12:09:09 -0500 From: Stephen Schaefer - Network Computing Solutions Received: by thyrsus.imonics.com (5.x/SMI-SVR4) id AA01186; Wed, 8 Nov 1995 12:08:53 -0500 Date: Wed, 8 Nov 1995 12:08:53 -0500 Message-Id: <9511081708.AA01186@thyrsus.imonics.com> To: firewalls@greatcircle.com Reply-To: stephen@networks.com In-Reply-To: (message from FEH Systems Philadelphia on Tue, 7 Nov 1995 21:52:12 -0500 (EST)) Subject: Re: fairly recent web server compromise... Sender: firewalls-owner@GreatCircle.COM Precedence: bulk So far, I've seen on this list three theories on what the perpetrators call themselves (MGM/UA, ILF, PLA) and three theories on how they did it (world read/write-mountable file system, sendmail, httpd). If I were trying to get hard numbers for risk assessment, I'd be lost. Can anyone identify someone personally involved in the details of the incident, and produce a statement from them? Thanks, Stephen P. Schaefer stephen@networks.com My opinions are independent of those of my employer and my clients. 
From firewalls-owner Wed Nov 8 10:31:24 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA27764 for firewalls-outgoing; Wed, 8 Nov 1995 09:34:37 -0800 (PST) Received: from nova.ucd.ie (nova.ucd.ie [137.43.1.5]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id JAA27754 for ; Wed, 8 Nov 1995 09:34:33 -0800 (PST) Received: from yeats.ucd.ie by nova.ucd.ie id <25114-0@nova.ucd.ie>; Wed, 8 Nov 1995 17:34:29 +0000 Date: Wed, 8 Nov 1995 17:35:02 +0000 (GMT) From: Gerry Tierney X-Sender: gtierney@yeats To: FEH Systems Philadelphia cc: John Adams , Ron DuFresne , firewalls@GreatCircle.COM Subject: Re: fairly recent web server compromise... In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 7 Nov 1995, FEH Systems Philadelphia wrote: > > BUT I HEAR they used the old httpd exploit. > > -- > MORPH : .|.: Federal Electronic Sorry if I sound too ignorant, but just what is/was the old httpd exploit. I'm aware that there were problems with string overruns in older versions of the NCSA httpd but I thought that they had been solved. +---------------------------------+------------------------------------+ | Gerry Tierney, | You know there ain't no devil | | Computer Science Dept, | There's just God when he's drunk! | | University College Dublin. | ... 
Tom Waits | +---------------------------------+------------------------------------+ From firewalls-owner Wed Nov 8 10:32:39 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA27019 for firewalls-outgoing; Wed, 8 Nov 1995 08:54:54 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id IAA26988 for ; Wed, 8 Nov 1995 08:54:45 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950602) id IAA03459; Wed, 8 Nov 1995 08:03:27 -0800 Received: from uu5.psi.com(38.145.226.3) by mycroft via smap (V1.3mjr) id sma003455; Wed Nov 8 08:02:53 1995 Received: by uu5.psi.com (5.65b/4.0.071791-PSI/PSINet) via UUCP; id AA09978 for ; Wed, 8 Nov 95 10:44:30 -0500 Date: Wed, 8 Nov 95 10:38:32 EST From: hhs@teleoscom.com (Chip Sharp X-6424) Received: by teleoscom.com (4.1/3.2.083191-Teleos Communications Inc.) id AA25964; Wed, 8 Nov 95 10:38:32 EST Message-Id: <9511081538.AA25964@teleoscom.com> To: Firewalls@GreatCircle.COM In-Reply-To: Michael C. Berch's message of Sun, 5 Nov 1995 15:13:01 +0000 <199511052313.PAA17359@miles.greatcircle.com> Subject: Re: Spoofing ISDN Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >From: Edward Maillet > Some folks at work want to setup an ISDN dial-in connection relying >solely on the inbound caller ID as the security measure. Is it >possible to spoof the D channel to send fake info? I'm fairly certain >there is a way to do it. Can anyone point me to some references so I >can make a decent technical argument against this? Thanx. The Caller ID is delivered from the remote phone company over the telecom network (through computer-controlled switches) to your local phone company and then delivered to your equipment over the local loop. It is as secure as anything can be that goes over the phone network. 
If someone has compromised the security of the phone companies' computer, then they can inject whatever Calling Line ID they want to into the call. At least one CO switch validates the incoming Calling Line ID for calls coming into the network. One other problem is that Caller ID is not ubiquitous, so you will have to have a policy for endpoints that can't send it. ======================================================================= Hascall H. ("Chip") Sharp Teleos Communications, Inc. Sr. Systems Engineer 2 Meridian Road Eatontown, NJ 07724 USA voice: +1 908 544 6424 fax: +1 908 544 9890 email: hhs@teleoscom.com web: http://www.teleoscom.com/ ======================================================================== From firewalls-owner Wed Nov 8 11:59:14 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id LAA00153 for firewalls-outgoing; Wed, 8 Nov 1995 11:48:03 -0800 (PST) Received: from services ([168.166.0.67]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id LAA00148 for ; Wed, 8 Nov 1995 11:47:56 -0800 (PST) Received: from services by services (SMI-8.6/SMI-SVR4) id NAA10660; Wed, 8 Nov 1995 13:49:58 -0600 Date: Wed, 8 Nov 1995 13:49:56 -0600 (CST) From: "Frank K. Senter" X-Sender: fsenter@services To: Steve Matkoski cc: Firewalls@GreatCircle.COM Subject: Re: connecting several networks to firewall. In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Build filters on each serial interface of the router so that only outbound packets originating from your corporate backbone are permitted. (Or permit only inbound packets destined to your corporate backbone). If I understood correctly, you are only building connectivity from corporate backbone to each remote site, not trying to provide firewalling between the remote sites. Frank Senter Senior Information Specialist Missouri Highway and Transportation Department P.O. 
Box 270 Jefferson City MO 65102 On Tue, 7 Nov 1995, Steve Matkoski wrote: > Hi, I am going to be using the IBM NetSP firewall for connecting several > IP networks to our corporate backbone. I wanted to know the best way > to implement this? I want to use a multi-port router with several > serial line and one ethernet port. The ethernet would connect directly to > one port of the firewall. The other port of the firewall would connect to > the internal network. How do I connect all the serial lines to the router > without having them talk to each other? If I use static routes and eliminate > any dynamic updates would this do the job? or do I have to set up > filtering between ports too? Any help appreciated! > > -steve. > matkoski@dreamscape.com > From firewalls-owner Wed Nov 8 13:52:55 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id NAA02355 for firewalls-outgoing; Wed, 8 Nov 1995 13:25:54 -0800 (PST) Received: from sampson.cbn.org (sampson.cbn.org [159.26.240.128]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id NAA02350 for ; Wed, 8 Nov 1995 13:25:51 -0800 (PST) Received: by sampson.cbn.org; id QAA11545; Wed, 8 Nov 1995 16:25:14 -0500 Received: from u6.cbn.org(159.26.64.16) by sampson.cbn.org via smap (g3.0.3) id xma011534; Wed, 8 Nov 95 16:24:48 -0500 Received: by u6 (SMI-8.6/SMI-SVR4) id QAA25272; Wed, 8 Nov 1995 16:26:25 -0500 Date: Wed, 8 Nov 1995 16:26:25 -0500 From: gbrown@cbn.org (Greg Brown) Message-Id: <199511082126.QAA25272@u6> To: firewalls@greatcircle.com Subject: fwtk smap & multiple domains X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk FR&C: Has anyone had to configure sendmail.cf for smap/fwtk to handle multiple domains? I am getting some occasionally bizarre behavior (not unusual for sendmail, I guess). Please respond directly. TIA. 
Cordially, ------------------------------------------------------------------- Greg Brown email: gbrown@cbn.org Unix Systems Administrator voice: +1 804 579 3285 Christian Broadcasting Network fax: +1 804 579 3019 977 Centerville Turnpike TELEX: 710 882 9356 CBN VABH Virginia Beach, VA 23463.0001 ------------------------------------------------------------------- Opinions are mine, wholly mine, and no one else's but mine, SHMG. ------------------------------------------------------------------- I am Pentium, a Borg. Division is futile. You will be approximated. You are doomed to repeat history regardless of what you remember. Nostradamus From firewalls-owner Wed Nov 8 14:45:11 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id OAA02791 for firewalls-outgoing; Wed, 8 Nov 1995 14:04:57 -0800 (PST) Received: from suned1.Nswses.Navy.Mil (suned1.nswses.navy.mil [137.24.30.40]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id OAA02786 for ; Wed, 8 Nov 1995 14:04:54 -0800 (PST) Received: from ed4a07a (ed4a07a.nswses.navy.mil) by suned1.Nswses.Navy.Mil (4.1/Nswses4.1.2_920723eb) id AA06575; Wed, 8 Nov 95 14:05:03 PST Date: Wed, 8 Nov 95 14:05:03 PST Message-Id: <9511082205.AA06575@suned1.Nswses.Navy.Mil> X-Sender: lev@suned1.nswses.navy.mil Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@GreatCircle.com From: lev@suned1.Nswses.Navy.Mil (Lloyd Vancil) Subject: Re: Weird Netscape Navigator functions? X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Did it occur to anyone that what may have been said was that "When you connect on one of our sites a message about who what where when and HOW" is collected? Sounds like logging to me. Netscape has the ability (I understand) to report the type of and rev number for the browser. 
>> Nov 7 Scott Deshaies was purported to have written: >> The first was the CEO of Netscape saying something to the effect that >> "..we know how many people are using our browsers because every time >> you access a site, a message is set to one of our servers telling us >> what version you have, if it's a trial beta or registered, etc". >> I havent had a chance to run a packet trace on it yet, but does anyone >> know if this is true? > >I have run packet traces on my connections and haven't yet seen any of >these "messages", but I certainly may have missed it! A packet is not >sent at the start of every connection. It may be sent at some random >time after the initiation of a connection or only once per day. > > geoff > > +-----------------------------------------------------------------+ |lev@suned1.nswses.navy.mil or lev@phantom.com or LEVANCIL@aol.com| +-----------------------------------------------------------------+ | THE ABOVE IS MY PERSONAL OPINION. I DO NOT SPEAK FOR PHD NSWC | +-----------------------------------------------------------------+ From firewalls-owner Wed Nov 8 14:52:55 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id OAA02856 for firewalls-outgoing; Wed, 8 Nov 1995 14:10:49 -0800 (PST) Received: from bogon.tach.net (Bogon.Tach.Net [199.0.8.5]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id OAA02844 for ; Wed, 8 Nov 1995 14:10:46 -0800 (PST) Received: from spam.blenke.com (iblenke@PPP-5.Dialup.Bayanet.Com [163.125.35.205]) by bogon.tach.net (8.6.10/8.6.11) with ESMTP id RAA14535; Wed, 8 Nov 1995 17:10:56 -0500 Received: (from iblenke@localhost) by spam.blenke.com (8.6.11/8.6.11) id QAA00901; Mon, 6 Nov 1995 16:24:57 -0500 Date: Mon, 6 Nov 1995 16:24:55 -0500 (EST) From: "Ian C. Blenke" To: stephen@networks.com cc: firewalls@GreatCircle.COM Subject: Re: fairly recent web server compromise... 
In-Reply-To: <9511081708.AA01186@thyrsus.imonics.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I cannot believe this has continued on for as long as it has. Let's stop this before someone suggests that Mitnick did it.. ;)

On Wed, 8 Nov 1995, Stephen Schaefer - Network Computing Solutions wrote:
> ...
> (can) anyone identify someone personally involved in the details of the
> incident, and produce a statement from them? Thanks,

The hack in question was of the site hosting pages for "Hackers" the movie. The modifications took place during DEFCON III, you may read more about it via:

http://www.defcon.org/

The original "Hackers" page is located:

http://www.mgmua.com/hackers/

A quick mirror of the hacked page can be found on aleph1's site:

http://www.underground.org/misc/hackers/

By *ALL* knowledgeable reports, the gaping security hole was a world read/write NFS export (either administered by a total fool, or a media attempt to lure the inevitable).

- Ian Blenke

From firewalls-owner Wed Nov 8 15:25:23 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id PAA03835 for firewalls-outgoing; Wed, 8 Nov 1995 15:09:26 -0800 (PST)
Received: from ncelec.com ([199.238.59.23]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id PAA03830 for ; Wed, 8 Nov 1995 15:09:23 -0800 (PST)
Received: from mike_pc by ncelec.com (5.4R3.10/200.2.1.5) id AA27527; Wed, 8 Nov 1995 15:06:26 -0800
Date: Wed, 8 Nov 1995 15:06:26 -0800
Message-Id: <9511082306.AA27527@ncelec.com>
X-Sender: mculver@ncelec.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: Mike Culver
Subject: Restricting URL's
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Think I hit on such a simple way to restrict URL's that we all looked right past it!
Yes, I see all the "buts" associated with this approach, but after all it's free, simple, and will trip up the average attempt.

I'm assuming that most users use DNS with name resolution, instead of IP addresses.

To deny resolution to sex.com, simply add an entry to named.boot for bogusns. This directive will tell your DNS that the name server for sex.com is bogus, and your DNS will never ask sex.com's DNS anything.

From firewalls-owner Wed Nov 8 15:52:56 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id PAA03682 for firewalls-outgoing; Wed, 8 Nov 1995 15:00:59 -0800 (PST)
Received: from montag33.residence.gatech.edu (montag33.residence.gatech.edu [199.77.171.12]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id PAA03673 for ; Wed, 8 Nov 1995 15:00:55 -0800 (PST)
Received: (from brain21@localhost) by montag33.residence.gatech.edu (8.6.12/8.6.9) id SAA29193; Wed, 8 Nov 1995 18:00:12 -0500
Date: Wed, 8 Nov 1995 18:00:09 -0500 (EST)
From: Brain21
To: FEH Systems Philadelphia
cc: firewalls@GreatCircle.COM
Subject: Re: fairly recent web server compromise...
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 7 Nov 1995, FEH Systems Philadelphia wrote:
>
> The Fact Is, John, The "Hackers" website was compromised and it was done
> by an elite group of fellas known as the PLA. You can amuse yourself with
> how the account was breached, it could have just been a weak password.
>
> BUT I HEAR they used the old httpd exploit.
>

As stated in my earlier post, it was the ILF (probably a guy known as "wing" I think). Anyway, that's what I know. I *thought* that they might have used an httpd hole.
brain21

From firewalls-owner Wed Nov 8 16:24:41 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id PAA04137 for firewalls-outgoing; Wed, 8 Nov 1995 15:30:45 -0800 (PST)
Received: from yarrina.connect.com.au (yarrina.connect.com.au [192.189.54.17]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id PAA04132 for ; Wed, 8 Nov 1995 15:30:41 -0800 (PST)
Received: (from root@localhost) by yarrina.connect.com.au with UUCP id KAA08026 (8.6.12/IDA-1.6); Thu, 9 Nov 1995 10:29:14 +1100
Received: by junkers.lochard.com.au id AA44111 (5.65c/IDA-1.5); Thu, 9 Nov 1995 00:11:14 GMT
From: Mark
Message-Id: <199511090011.AA44111@junkers.lochard.com.au>
Subject: Re: fairly recent web server compromise...
To: stephen@networks.com
Date: Thu, 9 Nov 1995 10:11:14 +1000 (EET)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9511081708.AA01186@thyrsus.imonics.com> from "Stephen Schaefer - Network Computing Solutions" at Nov 8, 95 12:08:53 pm
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>So far, I've seen on this list three theories on what the perpetrators
>call themselves (MGM/UA, ILF, PLA) and three theories on how they did

My understanding is MGM/UA still have root access to the files. Panic! :)

>it (world read/write-mountable file system, sendmail, httpd). If I
>were trying to get hard numbers for risk assessment, I'd be lost. Can
>anyone identify someone personally involved in the details of the
>incident, and produce a statement from them? Thanks,

Who cares.
Mark

From firewalls-owner Wed Nov 8 16:53:01 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id QAA05912 for firewalls-outgoing; Wed, 8 Nov 1995 16:38:57 -0800 (PST)
Received: from iiu.my (its.iiu.my [161.142.64.1]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id QAA05907 for ; Wed, 8 Nov 1995 16:38:53 -0800 (PST)
Received: by its.iiu.my (5.x/SMI-SVR4) id AA21022; Thu, 9 Nov 1995 08:30:00 +0800
Date: Thu, 9 Nov 1995 08:30:00 +0800 (MYT)
From: Arman Ali Anwar
X-Sender: aanwar@its
To: firewalls@GreatCircle.COM
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greeting ...

I'm considering running Kerberos on our local net .. We have a variety of systems running : Win NT, Win 95, OSF, LINUX. What is the current position of the export licence for Kerberos ..!! As far as I know foreign users have to get something called eBones and integrate a cryptography scheme into it and ... . I tried it once without much success .. :-)

I would be grateful if somebody could weigh the pains and gains in running a Kerberos and/or eBones system and or possibly a third equivalent S/key ????

Thanks in advance,
Arman.
From firewalls-owner Wed Nov 8 17:22:56 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id QAA05328 for firewalls-outgoing; Wed, 8 Nov 1995 16:09:54 -0800 (PST)
Received: from salsa.gv.ssi1.com (salsa.gv.ssi1.com [146.252.44.194]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id QAA05323 for ; Wed, 8 Nov 1995 16:09:50 -0800 (PST)
Received: (from gdonl@localhost) by salsa.gv.ssi1.com (8.7.1/8.7) id QAA07714; Wed, 8 Nov 1995 16:09:53 -0800 (PST)
Message-Id: <199511090009.QAA07714@salsa.gv.ssi1.com>
From: gdonl@gv.ssi1.com (Don Lewis)
Date: Wed, 8 Nov 1995 16:09:53 -0800
In-Reply-To: Mike Culver "Restricting URL's" (Nov 8, 3:06pm)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Mike Culver , firewalls@GreatCircle.COM
Subject: Re: Restricting URL's
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Nov 8, 3:06pm, Mike Culver wrote:
} Subject: Restricting URL's
} Think I hit on such a simple way to restrict URL's that we all looked right
} past it! Yes, I see all the "buts" associated with this approach, but after
} all it's free, simple, and will trip up the average attempt.
}
} I'm assuming that most users use DNS with name resolution, instead of IP
} addresses.

security through obscurity

} To deny resolution to sex.com, simply add an entry to named.boot for
} bogusns. This directive will tell your DNS that the name server for sex.com
} is bogus, and your DNS will never ask sex.com's DNS anything.

This won't work so well if the name server in question is ns.uu.net or some other server that serves a lot of zones that you probably still want to access.
--- Truck

From firewalls-owner Wed Nov 8 19:22:56 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id SAA10010 for firewalls-outgoing; Wed, 8 Nov 1995 18:55:01 -0800 (PST)
Received: from fastlane.net (fastlane.net [204.251.16.10]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id SAA10005 for ; Wed, 8 Nov 1995 18:54:56 -0800 (PST)
Received: from dal41.fastlane.net (dal41.fastlane.net [204.251.16.141]) by fastlane.net (8.6.8/8.6.6) with SMTP id UAA12727 for ; Wed, 8 Nov 1995 20:53:56 -0600
Message-Id: <199511090253.UAA12727@fastlane.net>
X-Sender: hbarnett@mail.fastlane.net
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 08 Nov 1995 22:05:06 -0500
To: firewalls@GreatCircle.COM
From: hbarnett@fastlane.net (Howard Barnett)
Subject: Encrypted Sessions
X-Mailer:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have a client who has a requirement to install a software encryption scheme over several operating systems and several platforms. The product must be exportable (from the U.S.). Does anyone know of such a product or any product that may come close.

Thanks.
Howard Barnett
hbarnett@fastlane.net
voice/fax (214) 612-8638
______ ______ ____/_ _\__/_ _\____ / \_\__/_/ \_\__/_/ \ \______/ |______| \______/ / /\ \ \__\/__/ Fax

From firewalls-owner Wed Nov 8 22:22:55 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id VAA16703 for firewalls-outgoing; Wed, 8 Nov 1995 21:35:46 -0800 (PST)
Received: from mail06.mail.aol.com (mail06.mail.aol.com [152.163.172.108]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id VAA16688 for ; Wed, 8 Nov 1995 21:35:40 -0800 (PST)
From: RMckay3967@aol.com
Received: by mail06.mail.aol.com (8.6.12/8.6.12) id AAA21641 for firewalls@greatcircle.com; Thu, 9 Nov 1995 00:35:54 -0500
Date: Thu, 9 Nov 1995 00:35:54 -0500
Message-ID: <951109003553_101910357@mail06.mail.aol.com>
To: firewalls@greatcircle.com
Subject: Re: Budget Time / Firewall Scare/ Looking for Numbers
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Can anyone tell me where I can download a copy of the NetWork-1 Executive Briefing on Internet Threats, Security and the Need for Firewalls? I'm doing a research paper on computer security in the non-government market place and any other information (documents, internet locations, home pages) along this line of thought would be greatly appreciated.

Thanks for the help.
From firewalls-owner Wed Nov 8 22:52:55 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id WAA20014 for firewalls-outgoing; Wed, 8 Nov 1995 22:39:23 -0800 (PST)
Received: from fountain.village.org (fountain.village.org [198.137.146.37]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id WAA20009 for ; Wed, 8 Nov 1995 22:39:11 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by fountain.village.org (8.6.11/8.6.6) with SMTP id XAA11022 for ; Wed, 8 Nov 1995 23:39:19 -0700
Message-Id: <199511090639.XAA11022@fountain.village.org>
To: firewalls@greatcircle.com
Subject: rfc-1597 addresses and transparent proxies
Date: Wed, 08 Nov 1995 23:39:19 -0700
From: Dieter Dworkin Muller
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I would like to use an rfc-1597 (reserved private) network internally, with only my intended-to-be-externally-visible hosts using addresses not on the private network. However, my user community needs to be able to do things like ftp and telnet from their desks.

Ideally, I want a proxy server that handles all dns queries for external names by allocating a temporary address from the internal network, configuring a virtual interface to that address, and returning the synthetic address to the requestor. Then, the internal host connects to this virtual interface, and a proxy starts up that connects to the real host out on the Internet.

Obviously, this requires some fancy footwork on the part of the DNS server running on the proxy host, as well as some intelligence on the part of the proxy servers. The latter is relatively easy -- just have the DNS server provide the correct name for a reverse lookup, and then query an external server for the real address (other possibilities exist, that's just the easiest to describe).
The problem I have is the dynamic allocation of addresses, remembering what ones have been allocated, playing with virtual interfaces, and all the cruft that's going to have to go with it.

Conceptually, I know exactly what I want. I even know that it's been done. What I don't know is if there's a version of all this available without spending $10,000 to get it. I want to keep my network as secure as possible, but we're not exactly an organization flush with money (we're all-volunteer, no funding other than what people feel like donating).

I've tried searching through the archives, because I know this has been discussed before, but I can't find it.

Suggestions?

Dworkin

From firewalls-owner Thu Nov 9 00:22:56 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id XAA22545 for firewalls-outgoing; Wed, 8 Nov 1995 23:56:36 -0800 (PST)
Received: from westie.gi.net (ns1.gi.net [198.247.250.16]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id XAA22538 for ; Wed, 8 Nov 1995 23:56:33 -0800 (PST)
Received: from gaijin.mid.net (gaijin.gi.net [198.247.250.28]) by westie.gi.net (8.7.1/8.7.1) with ESMTP id BAA17487; Thu, 9 Nov 1995 01:56:46 -0600 (CST)
From: Alan Hannan
Received: by gaijin.mid.net (8.7.1) id BAA02068; Thu, 9 Nov 1995 01:56:47 -0600 (CST)
Message-Id: <199511090756.BAA02068@gaijin.mid.net>
Subject: Re: security policy
To: sieber@colorado.edu (chris sieber)
Date: Thu, 9 Nov 1995 01:56:46 -0600 (CST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "chris sieber" at Nov 7, 95 06:38:43 pm
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

] A while back( within the last month), someone briefly mentioned a URL
] that contained security policy documents for several universities. In my
] absentmindedness, I deleted the message.
] if anyone knows of that site, could
] they please e-mail it to me directly?

Bookmarks are wonderful:

http://musie.phlab.missouri.edu/Policy/copies/tamu-collection1.html

I post publicly because this one is mainly related to academic policies. Does anyone have a site consisting of one or more corporate network security policies? I would be interested in this for several folks at my talks who have been developing such.

-alan

From firewalls-owner Thu Nov 9 00:52:56 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id AAA23992 for firewalls-outgoing; Thu, 9 Nov 1995 00:39:17 -0800 (PST)
Received: from funet.fi (funet.fi [130.230.1.1]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id AAA23987 for ; Thu, 9 Nov 1995 00:39:13 -0800 (PST)
Received: from relevantum.fi (actually user nobody@relevantum.fi) by funet.fi with SMTP (PP); Thu, 9 Nov 1995 10:39:13 +0200
Received: by relevantum.fi (4.1/SMI-4.1-MHS-7.0) id AA04263; Thu, 9 Nov 95 10:39:03 +0200
Date: Thu, 9 Nov 1995 10:39:02 +0200 (EET)
From: Keinanen Vesa
To: Dieter Dworkin Muller
Cc: firewalls@greatcircle.com
Subject: Re: rfc-1597 addresses and transparent proxies
In-Reply-To: <199511090639.XAA11022@fountain.village.org>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You can have outbound connectivity from your RFC1597 network, it can be transparent to users, it costs about 5000$ and doesn't require that fancy DNS spoofing you describe. Any Firewall with transparent proxies will work for you.

> external names by allocating a temporary address from the internal
> network, configuring a virtual interface to that address, and
> returning the synthetic address to the requestor. Then, the internal

It sounds to me that you want to allocate virtual addresses to EXTERNAL hosts. That's not necessary. DNS can return real addresses for external hosts.
IP packets to those hosts are routed to firewall, which automatically starts proxy for each connection. Firewall automatically hides internal addresses. All connections look like they come from Firewall host. Firewall just allocates different TCP port number for each connection, and that port is active just as long TCP connection is active.

VK
--
Vesa Keinanen        Nasilinnankatu 24 D, 33210 Tampere, Finland
Relevantum Oy        Phone +358 31 2147200, Fax +358 31 2147402

From firewalls-owner Thu Nov 9 01:02:40 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id XAA22433 for firewalls-outgoing; Wed, 8 Nov 1995 23:53:56 -0800 (PST)
Received: from westie.gi.net (westie.gi.net [198.247.250.16]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id XAA22426 for ; Wed, 8 Nov 1995 23:53:53 -0800 (PST)
Received: from gaijin.mid.net (gaijin.gi.net [198.247.250.28]) by westie.gi.net (8.7.1/8.7.1) with ESMTP id BAA17476; Thu, 9 Nov 1995 01:54:00 -0600 (CST)
From: Alan Hannan
Received: by gaijin.mid.net (8.7.1) id BAA02049; Thu, 9 Nov 1995 01:53:59 -0600 (CST)
Message-Id: <199511090753.BAA02049@gaijin.mid.net>
Subject: Re: rfc-1597 addresses and transparent proxies
To: dworkin@village.org (Dieter Dworkin Muller)
Date: Thu, 9 Nov 1995 01:53:58 -0600 (CST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199511090639.XAA11022@fountain.village.org> from "Dieter Dworkin Muller" at Nov 8, 95 11:39:19 pm
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

......... Dieter Dworkin Muller is rumored to have said:
]
] I would like to use an rfc-1597 (reserved private) network internally,
] with only my intended-to-be-externally-visible hosts using addresses
] not on the private network. However, my user community needs to be
] able to do things like ftp and telnet from their desks.

Use the existing terribly useful FWTK from tis.
Your goofy users will go to the app-gw which will originate packets to the world w/ originating addresses of a single legal ip address.

|                                                                    |
Goofy_User ----10.1.1/24----[ App Proxy GW ] --real.ip.net/24-- Internet
|                                                                    |

] Ideally, I want a proxy server that handles all dns queries for
] external names by allocating a temporary address from the internal
] network, configuring a virtual interface to that address, and
] returning the synthetic address to the requestor. Then, the internal
] host connects to this virtual interface, and a proxy starts up that
] connects to the real host out on the Internet.

Yeah, pretty nifty, eh? Called transparent application proxies. Ranum wrote some really cool ones, and you can buy commercial firewalls that employ variants of them for 5-100K. Whether the application is to protect an internal network or gain legitimate traffic w/ illegal/1597 addresses, the principle here is the same.

] Obviously, this requires some fancy footwork on the part of the DNS
] server running on the proxy host, as well as some intelligence on the
] part of the proxy servers. The latter is relatively easy -- just have
] the DNS server provide the correct name for a reverse lookup, and then
] query an external server for the real address (other possibilities
] exist, that's just the easiest to describe).

This doesn't begin to deal w/ issues like DNS caching, and all sorts of other problems. Lots of hard work for my feeble skills.

] Suggestions?

W/out money or work your users don't get transparency. I saw rumours on this list about Linux having some kernel mods allowing one to do this, but anything I haven't done myself w/ Linux I consider a rumour :) However, go to the archives and look for that thread.

As well, imho if you don't have cash, the transparency is not all that likely. Email will be transparent at the user level. Telnet/ftp will require they use the fw as a gateway, netscape/http clients can be modified in configs to use a firewall.
This should be 'good enough'.

-alan

From firewalls-owner Thu Nov 9 02:23:13 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id CAA26826 for firewalls-outgoing; Thu, 9 Nov 1995 02:08:16 -0800 (PST)
Received: from mail1.digital.com (mail1.digital.com [204.123.2.50]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id CAA26817 for ; Thu, 9 Nov 1995 02:08:07 -0800 (PST)
Received: from ilosrv.ilo.dec.com by mail1.digital.com; (5.65 EXP 4/12/95 for V3.2/1.0/WV) id AA20399; Thu, 9 Nov 1995 02:01:15 -0800
Received: from ilofrs.ilo.dec.com by ilosrv.ilo.dec.com; (5.65/1.1.8.2/12Nov94-8.2MPM) id AA19272; Thu, 9 Nov 1995 10:01:07 GMT
Received: by fwsrtr.fws.ilo.dec.com; (5.65/1.3/10May95) id AA12178; Thu, 9 Nov 1995 10:02:43 GMT
Received: from karpov.fws.ilo.dec.com by hubba.fws.ilo.dec.com; (5.65/1.1.8.2/21Aug95-8.2MPM) id AA11129; Thu, 9 Nov 1995 10:01:52 GMT
Organization: Digital Firewall Engineering
Received: by karpov.fws.ilo.dec.com; (5.65v3.2/1.1.8.2/18Aug95-0213PM) id AA29062; Thu, 9 Nov 1995 10:02:04 GMT
From: Dermot Tynan
Message-Id: <9511091002.AA29062@karpov.fws.ilo.dec.com>
Subject: Re: fairly recent web server compromise...
To: stephen@networks.com
Date: Thu, 9 Nov 1995 10:02:03 +0000 (GMT)
Cc: firewalls@greatcircle.com
In-Reply-To: <9511081708.AA01186@thyrsus.imonics.com> from "Stephen Schaefer - Network Computing Solutions" at Nov 8, 95 12:08:53 pm
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Stephen Schaefer - Network Computing Solutions wrote:
>
> So far, I've seen on this list three theories on what the perpetrators
> call themselves (MGM/UA, ILF, PLA)

Hmmm. I'm way off subject here, but MGM/UA is the abbreviation for the amalgamated production studio "Metro-Goldwyn-Mayer/United Artists".
- Der
--
Dermot Tynan                      +353 91 754608
dtynan@ilo.dec.com                DTN: 822-4608
Digital Equipment International BV, Galway, Ireland

From firewalls-owner Thu Nov 9 02:59:59 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id CAA27144 for firewalls-outgoing; Thu, 9 Nov 1995 02:14:15 -0800 (PST)
Received: from relay1.pipex.net (relay1.pipex.net [158.43.128.6]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id CAA27129 for ; Thu, 9 Nov 1995 02:14:05 -0800 (PST)
Received: from smtpgty.saicuk.co.uk by flow.pipex.net with SMTP (PP); Thu, 9 Nov 1995 10:14:10 +0000
Received: by smtpgty.saicuk.co.uk with Microsoft Mail id <30A1D3FF@smtpgty.saicuk.co.uk>; Thu, 09 Nov 95 10:12:15 GMT
From: "Johnson-Bryden, Ian"
To: "'firewalls@greatcircle.com'"
Subject: Re: security policy
Date: Thu, 09 Nov 95 09:39:00 GMT
Message-ID: <30A1D3FF@smtpgty.saicuk.co.uk>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If someone has produced a real risk/security policy it should not be released to anyone other than authorised users for obvious reasons. If it is similar to a 'Corporate Mission Statement' it won't be worth much. If it is a fully detailed document which someone has unwisely made public, it should only be meaningful to the owner because of those unique elements to that enterprise, other than it shows how one outfit approached the issues.

There are now a range of books which cover risk/security policy generation in varying detail and from different perspectives.

Ian J-B

----------
From: firewalls-owner
To: sieber
Cc: firewalls
Subject: Re: security policy
Date: Thursday, November 09, 1995 1:56AM

] A while back( within the last month), someone briefly mentioned a URL
] that contained security policy documents for several universities. In my
] absentmindedness, I deleted the message. if anyone knows of that site, could
] they please e-mail it to me directly?
Bookmarks are wonderful:

http://musie.phlab.missouri.edu/Policy/copies/tamu-collection1.html

I post publicly because this one is mainly related to academic policies. Does anyone have a site consisting of one or more corporate network security policies? I would be interested in this for several folks at my talks who have been developing such.

-alan

From firewalls-owner Thu Nov 9 03:18:46 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id CAA27033 for firewalls-outgoing; Thu, 9 Nov 1995 02:11:49 -0800 (PST)
Received: from mail1.digital.com (mail1.digital.com [204.123.2.50]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id CAA27019 for ; Thu, 9 Nov 1995 02:11:39 -0800 (PST)
Received: from ilosrv.ilo.dec.com by mail1.digital.com; (5.65 EXP 4/12/95 for V3.2/1.0/WV) id AA17266; Thu, 9 Nov 1995 02:05:04 -0800
Received: from ilofrs.ilo.dec.com by ilosrv.ilo.dec.com; (5.65/1.1.8.2/12Nov94-8.2MPM) id AA19299; Thu, 9 Nov 1995 10:04:59 GMT
Received: by fwsrtr.fws.ilo.dec.com; (5.65/1.3/10May95) id AA12221; Thu, 9 Nov 1995 10:06:35 GMT
Received: from karpov.fws.ilo.dec.com by hubba.fws.ilo.dec.com; (5.65/1.1.8.2/21Aug95-8.2MPM) id AA11141; Thu, 9 Nov 1995 10:05:44 GMT
Organization: Digital Firewall Engineering
Received: by karpov.fws.ilo.dec.com; (5.65v3.2/1.1.8.2/18Aug95-0213PM) id AA29219; Thu, 9 Nov 1995 10:05:55 GMT
From: Dermot Tynan
Message-Id: <9511091005.AA29219@karpov.fws.ilo.dec.com>
Subject: Re: Restricting URL's
To: mculver@ncelec.com (Mike Culver)
Date: Thu, 9 Nov 1995 10:05:55 +0000 (GMT)
Cc: firewalls@greatcircle.com
In-Reply-To: <9511082306.AA27527@ncelec.com> from "Mike Culver" at Nov 8, 95 03:06:26 pm
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mike Culver wrote:
>
> To deny resolution to sex.com, simply add an entry to named.boot for
> bogusns. This directive will tell your DNS that the name server for sex.com
> is bogus, and your DNS will never ask sex.com's DNS anything.
Nice idea, but... Most of these one-host-wonder sites actually use their ISP as a name server. Disallowing the ISPs name server is a bit drastic. Look at playboy.com for example...

- Der

prompt% whois playboy.com
Playboy Enterprises (PLAYBOY-DOM)
   680 N. Lake Shore Drive
   Chicago, IL 60611

   Domain Name: PLAYBOY.COM

   Administrative Contact, Technical Contact, Zone Contact:
      Norton, Steve  (SN9)  steve@INTERACCESS.COM
      (708) 498-3842

   Record last updated on 14-Feb-94.
   Record created on 14-Feb-94.

   Domain servers in listed order:

   MAILHOST.INTERACCESS.COM     198.80.0.6
   BACKUP.INTERACCESS.COM       198.80.0.11

--
Dermot Tynan                      +353 91 754608
dtynan@ilo.dec.com                DTN: 822-4608
Digital Equipment International BV, Galway, Ireland

From firewalls-owner Thu Nov 9 04:53:20 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id EAA08861 for firewalls-outgoing; Thu, 9 Nov 1995 04:24:02 -0800 (PST)
Received: from pina1.telecom.at (pina1.telecom.at [194.37.252.41]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id EAA08839 for ; Thu, 9 Nov 1995 04:23:46 -0800 (PST)
Received: from pina2.telecom.at (pina2.telecom.at [194.37.252.42]) by pina1.telecom.at (8.6.10/8.6.6) with ESMTP id NAA34020 for ; Thu, 9 Nov 1995 13:14:03 +0100
Received: (from ilias@localhost) by pina2.telecom.at (8.6.10/8.6.6) id NAA23492 for firewalls@GreatCircle.COM; Thu, 9 Nov 1995 13:18:54 +0100
From: Ilias Liakopoulos
Message-Id: <199511091218.NAA23492@pina2.telecom.at>
Subject: tacacs config question
To: firewalls@GreatCircle.COM
Date: Thu, 9 Nov 1995 13:18:54 +0100 (MEZ)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all!

does anybody know if it's possible to configure tacacs in a way, that if a dial-in user of a CS-2511 tries to connect a second time, he gets something like "connection refused" or "already connected", if he has an active connection on another port?
thank you all for your suggestions,
iLiAS
--
----------------------------------------------------------------------
Ilias Liakopoulos     | Email: ilias@telecom.at
Spardat AG & Co KG    | Tel: 0043/1/74045-4762  Fax -5704
Geiselbergstr. 21-25  | WWW: http://pina2.telecom.at/~lia
1110-Vienna           | nic-hdl: IL7-RIPE
Austria               |
Europe                |
----------------------------------------------------------------------

From firewalls-owner Thu Nov 9 05:23:13 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id EAA09880 for firewalls-outgoing; Thu, 9 Nov 1995 04:58:30 -0800 (PST)
Received: from SINGER.ASRI.EDU (SINGER.ASRI.EDU [192.5.7.1]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id EAA09875 for ; Thu, 9 Nov 1995 04:58:27 -0800 (PST)
From: HALE@asri.edu
Received: from asri.edu by asri.edu (PMDF V4.3-10 #5687) id <01HXFKEJKD4C00E9TX@asri.edu>; Thu, 09 Nov 1995 07:58:37 -0500 (EST)
Date: Thu, 09 Nov 1995 07:58:36 -0500 (EST)
To: firewall mailserver
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Content-transfer-encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am interested if anyone has developed a vision statement for the security function?
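The hiding transparent proxy that Vesa Keinanen and Alan Hannan describe in the rfc-1597 thread above (internal hosts connect to real external addresses, the firewall intercepts each TCP connection, re-originates it from its single legal address and allocates one port per connection, released when the connection ends) is modelled below as a small translation table. This is an added example, not code from the list, FWTK or any product mentioned; the firewall address 198.51.100.1, the 10.1.1.0/24 inside network and the tiny port pool are constructed values.

```python
"""Model of a hiding (address-translating) transparent proxy's per-connection state.

Added example with constructed addresses; the pool is deliberately tiny so the
exhaustion case (no free port left) is easy to reach in a test.
"""
import ipaddress
from collections import deque

FIREWALL_EXTERNAL_IP = "198.51.100.1"     # assumed: the firewall's single legal address
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]   # RFC 1597 ranges


def is_private(ip):
    """True if `ip` lies in one of the RFC 1597 reserved private networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


class HidingProxyTable:
    """Tracks which firewall port stands in for which inside (host, port)."""

    def __init__(self, first_port=40000, last_port=40003):
        self.free_ports = deque(range(first_port, last_port + 1))
        self.outbound = {}   # (src_ip, src_port, dst_ip, dst_port) -> fw_port
        self.inbound = {}    # (fw_port, dst_ip, dst_port) -> (src_ip, src_port)

    def open_connection(self, src_ip, src_port, dst_ip, dst_port):
        """Called on the first packet of an outbound TCP connection.

        Returns the (address, port) the proxy uses toward the outside world, or
        None when the connection is not inside->outside or no port is free.
        """
        if not is_private(src_ip) or is_private(dst_ip):
            return None                      # nothing to hide for this direction
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.outbound:             # retransmitted SYN: reuse the mapping
            return (FIREWALL_EXTERNAL_IP, self.outbound[key])
        if not self.free_ports:
            return None                      # pool exhausted: fail, never share a port
        fw_port = self.free_ports.popleft()
        self.outbound[key] = fw_port
        self.inbound[(fw_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (FIREWALL_EXTERNAL_IP, fw_port)

    def translate_reply(self, dst_ip, dst_port, fw_port):
        """Map a packet arriving from outside back to (src_ip, src_port).

        Unsolicited packets have no mapping and yield None, which is why every
        connection appears to originate at the firewall and nothing inside is reachable.
        """
        return self.inbound.get((fw_port, dst_ip, dst_port))

    def close_connection(self, src_ip, src_port, dst_ip, dst_port):
        """Release the firewall port once the TCP connection has ended."""
        fw_port = self.outbound.pop((src_ip, src_port, dst_ip, dst_port), None)
        if fw_port is None:
            return False
        del self.inbound[(fw_port, dst_ip, dst_port)]
        self.free_ports.append(fw_port)
        return True

    def active_connections(self):
        return len(self.outbound)


if __name__ == "__main__":
    table = HidingProxyTable()
    print(table.open_connection("10.1.1.5", 1025, "203.0.113.80", 80))
    print(table.translate_reply("203.0.113.80", 80, 40000))
```

The model keeps the point of the thread visible: the inside address never leaves the firewall, the reverse mapping exists only for connections the inside opened, and the number of simultaneous outbound connections is bounded by the port pool, so a real implementation needs an idle timeout to reclaim ports from connections that never closed cleanly.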
From firewalls-owner Thu Nov 9 06:53:13 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id GAA11927 for firewalls-outgoing; Thu, 9 Nov 1995 06:22:46 -0800 (PST)
Received: from fountain.village.org (fountain.village.org [198.137.146.37]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id GAA11922 for ; Thu, 9 Nov 1995 06:22:24 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by fountain.village.org (8.6.11/8.6.6) with SMTP id HAA11951 for ; Thu, 9 Nov 1995 07:22:17 -0700
Message-Id: <199511091422.HAA11951@fountain.village.org>
To: Firewalls@greatcircle.com
Subject: clarification on rfc-1597 addresses and transparent proxies
In-reply-to: Your message of Thu, 09 Nov 1995 02:27:37 PST
Date: Thu, 09 Nov 1995 07:22:16 -0700
From: Dieter Dworkin Muller
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I wrote:
: However, my user community needs to be
: able to do things like ftp and telnet from their desks.

In writing that, I left out the important bits, aka the implementation requirements:

- I'm not allowed to modify what software they run
- it has to be completely transparent
- isolate us from having to change network addresses

Partly, it's a political restriction (``I won't change how I do things, therefore anything you do has to work with my existing tools without me seeing any difference''), and partly practical (I don't want to deal with trying to create proxy-aware dos, windows, nt, and os/2 applications for the non-standard things being done on our net).

The address change requirement is because we are currently in the `swamp', as it is referred to by various major ISPs. They're threatening to stop routing single networks in that range, so we're looking at having to renumber soon. We'd rather do it once (to an ISP-provided net number), and not have to worry about it again if we ever change ISPs.
Changing to an internal rfc-1597 network and an external-only ISP-provided network should give us the desired isolation -- no one internal will have to do anything if/when we change to a different ISP and ISP-provided network number.

These restrictions are why I am looking at the (admittedly non-trivial) concept of virtual addresses and weird DNS.

On to the replies I've gotten so far:

Keinanen Vesa wrote:
:
: You can have outbound connectivity from your RFC1597
: network, it can be transparent to users, it costs about
: 5000$ and doesn't require that fancy DNS spoofing you

We're having trouble coming up with the couple hundred bucks needed to fix our somewhat flaky ftp/http server. Five thousand is completely infeasible.

: > external names by allocating a temporary address from the internal
: > network, configuring a virtual interface to that address, and
: > returning the synthetic address to the requestor. Then, the internal
:
: It sounds to me that you want to allocate virtual addresses to
: EXTERNAL hosts. That's not necessary. DNS can return real addresses
: for external hosts. IP packets to those hosts are routed to
: firewall, which automatically starts proxy for each connection.

This is sloppy wording on my part. I should have said ``...handles all dns queries from internal systems for external names by...''. Certainly, there's no need to do anything special about externally-generated queries, other than make sure they get replied to with externally-visible addresses. That's a standard split-DNS thing.

Alan Hannan wrote:
: Use the existing terribly useful FWTK from tis. Your goofy users
: will go to the app-gw which will originate packets to the world w/
: originating addresses of a single legal ip address.

I looked at the fwtk before sending my message. It requires either changing my users' habits, or their software. Neither one is a practical option.

: ] part of the proxy servers.
The latter is relatively easy -- just have : ] the DNS server provide the correct name for a reverse lookup, and then : ] query an external server for the real address (other possibilities : ] exist, that's just the easiest to describe). : : This doesn't begin to deal w/ issues like DNS caching, and all : sorts of other problems. Lots of hard work for my feeble skills. My ``solution'' to that is to only have one DNS server for the network. Daemons I can control, to some extent. Just not applications.... : W/out money or work your users don't get transparency. I saw Quite true. I'm very willing to do the work (I've set up several firewalls of various models in the past, including the one we're using now). I just don't want to do work I don't have to -- I'd rather spend the time installing something known to be right, instead of writing it myself and getting it wrong the first few times. : the user level. Telnet/ftp will require they use the fw as a This is completely unacceptable to my users, unless it can be completely hidden from them. : gateway, netscape/http clients can be modified in configs to use a We're already doing this part. It was a major battle, and there are users that still won't do it. It's partly why I'm convinced that anything that requires the users to do something different is doomed to failure. 
Dworkin

From firewalls-owner Thu Nov 9 07:23:13 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id HAA13638 for firewalls-outgoing; Thu, 9 Nov 1995 07:20:10 -0800 (PST)
Received: from gatekeeper.mpsisys.com (ppp.mpsisys.com [198.65.132.134]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id HAA13633 for ; Thu, 9 Nov 1995 07:20:06 -0800 (PST)
Received: (from smap@localhost) by gatekeeper.mpsisys.com (8.6.10/8.6.10) id JAA28781 for ; Thu, 9 Nov 1995 09:20:18 -0600
Received: from mpsi.mpsisys.com(139.45.3.26) by gatekeeper.mpsisys.com via smap (V1.3) id sma028779; Thu Nov 9 09:20:16 1995
Received: from omni.mpsisys.com by mpsi.mpsisys.com (AIX 3.2/UCB 5.64/4.03) id AA14559; Thu, 9 Nov 1995 09:20:14 -0600
Received: by omni.mpsisys.com (AIX 4.1/UCB 5.64/4.03) id AA23042; Thu, 9 Nov 1995 09:20:00 -0600
Date: Thu, 9 Nov 1995 09:20:00 -0600
From: ralph@omni.mpsisys.com (Ralph Mitchell)
Message-Id: <9511091520.AA23042@omni.mpsisys.com>
To: firewalls@GreatCircle.COM
Subject: Re: Restricting URL's
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Md5: DFWxHe1smjmGdgDYaIW5/A==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Mike Culver wrote:
> >
> > To deny resolution to sex.com, simply add an entry to named.boot for
> > bogusns. This directive will tell your DNS that the name server for sex.com
> > is bogus, and your DNS will never ask sex.com's DNS anything.
>
> Nice idea, but... Most of these one-host-wonder sites actually
> use their ISP as a name server. Disallowing the ISP's name server
> is a bit drastic. Look at playboy.com for example...

Then how about putting an entry in my internal DNS that points sex.com to
either a non-existent internal address or to something like a PC running
Linux+httpd with a single web page that says "Gotcha !"?? The outside
world can't see my internal DNS, so I won't be polluting anyone else's DNS...
Of course the user could telnet to rs.internic.net and use whois to establish the actual IP address... Ralph Mitchell From firewalls-owner Thu Nov 9 07:53:13 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id HAA14064 for firewalls-outgoing; Thu, 9 Nov 1995 07:49:05 -0800 (PST) Received: from erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id HAA14059 for ; Thu, 9 Nov 1995 07:49:01 -0800 (PST) Received: from eredns.erenj.com(159.70.1.252) by ereapp.erenj.com via smap (V1.3) id sma020964; Thu Nov 9 10:48:31 1995 Posted-Date: Thu, 9 Nov 1995 10:48:29 -0500 From: "Bryan D. Boyle" Message-Id: <9511091048.ZM12232@maverick.erenj.com> Date: Thu, 9 Nov 1995 10:48:28 -0500 In-Reply-To: ralph@omni.mpsisys.com (Ralph Mitchell) "Re: Restricting URL's" (Nov 9, 9:20am) References: <9511091520.AA23042@omni.mpsisys.com> X-Phone: (908) 730-3338 X-Saying: Strange problems call for strange solutions. X-Face: "Pd&4kXWsi"3Hc_Y~I-ts24DN$w~Hh)&L-P9DZvE"~_~m),~Y&N_]TUIM*4.r@z$SxVL]}v=+IP>Fuq{zx%{KKj"Kys1Q5{|m*l}:[T;N:/=@5[xOIpR$%skp$f0#6^j\1+ -?l%Yk/+S8Y!3J@{~!Ao4-COV:Ft}{]oZ&1=!@<>UIh2s X-Mailer: Z-Mail (3.2.1 10apr95) To: ralph@omni.mpsisys.com (Ralph Mitchell) Subject: Re: Restricting URL's Cc: firewalls@GreatCircle.COM Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Nov 9, 9:20am, Ralph Mitchell wrote: > > is a bit drastic. Look at playboy.com for example... > > Then how about putting an entry in my internal DNS that points sex.com to > either a non-existent internal address or to something like a PC running > Linux+httpd with a single web page that says "Gotcha !" ?? The outside > world can't see my internal DNS so I won't be polluting anyone elses DNS... > > Of course the user could telnet to rs.internic.net and use whois to establish > the actual IP address... 
Of course, if you are running a cern or netscape proxy (the same person had input into the design and coding of both, btw...) server on the inside of the wall, it is possible to map urls that point to pages like http://sexstuff.com/testosterone/fotos.html to some page on your own server without having to futz around with dns records, ip addresses, or even the firewall configuration itself. The url never gets thru the wall. Judicious use of proxy servers provides a number of advantages with little administrative overhead: 1) single point of contact for all the browsers, and caching of outside pages inside the DMZ for better response. 2) reduction of overall line loading, since you have queued requests to the outside world from ONE machine rather than n-1 machines to the internet router. 3) tighter control of security, since you can now limit the machines that talk to the firewall, and force the applications to stay inside the screen. There is also security on the inside proxy, so you can control who even has access to the information. 4) Better logging and audit control. 5) Single point of control from inside to outside. Absolute forbidding of people getting to non-acceptable pages and absolute protection against this behavior? That is a good theoretical exercise, but, in practice, has a real low return for a high level of work. For garden variety stuff, you can stop 99.9% of the users from ever seeing this through elegant internal web support design and controls. the other .1% is going to give you trouble no matter what. And that .1% is going to take up 99% of your administrivia time. Of course, you can disconnect from the net. Then you can be SURE that no one is using the full-period line to get to forbidden sites. Of course, make sure you have a modem policy also, to prevent that way to the world. Just my .02 -- Bryan D. 
Boyle | EMAIL: bdboyle@erenj.com 908-730-3338 | PAGE: bboyle@apt1.pagemart.com #include | http://www.access.digex.net/~bdboyle/index.html "It seems that 'national security' is the root password to the Constitution. As with any dishonest superuser, the best countermeasure is strong encryption." -Phil Karn From firewalls-owner Thu Nov 9 08:23:13 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA14384 for firewalls-outgoing; Thu, 9 Nov 1995 08:00:39 -0800 (PST) Received: from rs6000.owensboro.k12.ky.us ([170.182.245.74]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id IAA14378 for ; Thu, 9 Nov 1995 08:00:35 -0800 (PST) Received: from MSMAIL by rs6000.owensboro.k12.ky.us (AIX 3.2/UCB 5.64/4.03) id AA17861; Thu, 9 Nov 1995 09:55:57 -0600 Received: by msmail.owensboro.k12.ky.us with Microsoft Mail id <30A24204@msmail.owensboro.k12.ky.us>; Thu, 09 Nov 95 10:01:40 PST From: "Wilburn,Ted-Dept of Technology" To: "'Firewalls'" Subject: FW: Firewall Software Date: Thu, 09 Nov 95 09:59:00 PST Message-Id: <30A24204@msmail.owensboro.k12.ky.us> X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk A request from a colleague, Thanks Ted Wilburn, twilburn@msmail.owensboro.k12.ky.us. Forwarded message begin: ---------- From: owner-kydtc[SMTP:owner-kydtc@UKCC.UKY.EDU] Sent: Thursday, November 09, 1995 10:14 AM To: Multiple recipients of list KYDTC Subject: Firewall Software Pendleton County has a wide area network installed and is now in the process of getting acceptable use policies signed by students and parents. I am experiencing a good deal of pressure to install a firewall to prevent access to some of the "bad stuff." Is anyone out there successfully using firewall software and how is it setup. 
Thanks
lsutton@pendleton.k12.ky.us

From firewalls-owner Thu Nov 9 08:53:13 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA14745 for firewalls-outgoing; Thu, 9 Nov 1995 08:20:57 -0800 (PST)
Received: from imonics.com (netadmin.imonics.com [192.154.44.24]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id IAA14738 for ; Thu, 9 Nov 1995 08:20:53 -0800 (PST)
Received: from thyrsus.imonics.com (thyrsus.imonics.com [205.139.209.197]) by imonics.com (8.6.12/8.6.12) with SMTP id LAA11644; Thu, 9 Nov 1995 11:21:03 -0500
From: Stephen Schaefer - Network Computing Solutions
Received: by thyrsus.imonics.com (5.x/SMI-SVR4) id AA03101; Thu, 9 Nov 1995 11:20:53 -0500
Date: Thu, 9 Nov 1995 11:20:53 -0500
Message-Id: <9511091620.AA03101@thyrsus.imonics.com>
To: IJB@saicuk.co.uk
Reply-To: stephen@networks.com
Cc: firewalls@GreatCircle.COM
In-Reply-To: <30A1D3FF@smtpgty.saicuk.co.uk> (IJB@saicuk.co.uk)
Subject: Re: security policy
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Please don't misinterpret me, I am genuinely in search of a practical,
reasonable opinion: how does one distinguish security through obscurity from
``real'' security? Should one apply that standard to a corporate security
policy? Why or why not?

- Stephen
stephen@networks.com

From: "Johnson-Bryden, Ian"
Date: Thu, 09 Nov 95 09:39:00 GMT
X-Mailer: Microsoft Mail V3.0
Sender: owner-gateway-firewalls@imonics.com
Precedence: bulk

If someone has produced a real risk/security policy it should not be
released to anyone other than authorised users for obvious reasons. If it is
similar to a 'Corporate Mission Statement' it won't be worth much. If it is a
fully detailed document which someone has unwisely made public, it should
only be meaningful to the owner because of those unique elements to that
enterprise, other than it shows how one outfit approached the issues.
There are now a range of books which cover risk/security policy generation in varying detail and from different perspectives. Ian J-B From firewalls-owner Thu Nov 9 09:26:24 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA16127 for firewalls-outgoing; Thu, 9 Nov 1995 09:18:11 -0800 (PST) Received: from devel.dejong.com (devel.dejong.com [198.235.24.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id JAA16122 for ; Thu, 9 Nov 1995 09:18:05 -0800 (PST) From: Chris Tyler To: Firewalls@GreatCircle.COM Date: Thu, 9 Nov 1995 12:18 EST Subject: Re: tool for IP-source-routed packets Content-Type: text/plain Message-ID: <30a237e10.557@devel.dejong.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk BTW, the @host1@host2@host3:dest syntax appears to work with the telnet distributed with UnixWare, which is SVR4.2MP; thus other SysV Unixes may now also have this functionality. As with the BSD versions, it's not in the man pages. Chris Tyler Chris@DeJong.Com CTyler@Oxford.Net Systems Development Manager, Wm. De Jong Enterprises Inc. 
+1-519-424-9007 / fax +1-519-424-2399 From firewalls-owner Thu Nov 9 10:23:16 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA16028 for firewalls-outgoing; Thu, 9 Nov 1995 09:12:24 -0800 (PST) Received: from little-miami.iac.net (little-miami.iac.net [198.180.60.135]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id JAA16017 for ; Thu, 9 Nov 1995 09:11:58 -0800 (PST) From: cjolley@iac.net Received: from 199.6.47.253 by little-miami.iac.net with SMTP id MAA16064; Thu, 9 Nov 1995 12:10:46 -0500 Message-Id: <199511091710.MAA16064@little-miami.iac.net> MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit Date: Thu, 09 Nov 95 12:11:54 -0500 Subject: Internic Port Scanning To: firewalls@greatcircle.com X-Mailer: SPRY Mail Version: 04.00.06.17 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Recently one of my co-workers sent an e-mail to hostmaster@internic.net. The message was not delivered immediately and is still waiting at the firewall for retry (i.e. every four hours for 5 days). However very shortly after the attempt to send this message, our firewall began seeing attempts to connect to high _TCP_ (not UDP) port numbers. The IP address appears to be that of the InterNic. Does anyone know what's going on? Is this the InterNic trying to validate the e-mail as coming from my site or might this be someone spoofing the InterNic address while trying to do some port scanning? 
**** cjolley@iac.net ****
All opinions are my own and not necessarily those of my employer ****

From firewalls-owner Thu Nov 9 10:46:55 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA16034 for firewalls-outgoing; Thu, 9 Nov 1995 09:12:27 -0800 (PST)
Received: from montag33.residence.gatech.edu (montag33.residence.gatech.edu [199.77.171.12]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id JAA16022 for ; Thu, 9 Nov 1995 09:12:22 -0800 (PST)
Received: (from brain21@localhost) by montag33.residence.gatech.edu (8.6.12/8.6.9) id MAA31362; Thu, 9 Nov 1995 12:11:47 -0500
Date: Thu, 9 Nov 1995 12:11:47 -0500 (EST)
From: Brain21
To: Firewalls@GreatCircle.COM
Subject: CID spoofing
In-Reply-To: <9511081538.AA25964@teleoscom.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > >From: Edward Maillet
> >
> > Some folks at work want to setup an ISDN dial-in connection relying
> >solely on the inbound caller ID as the security measure. Is it
> >possible to spoof the D channel to send fake info? I'm fairly certain
> >there is a way to do it. Can anyone point me to some references so I
> >can make a decent technical argument against this? Thanx.
>

Your call coming into work is not a direct call. It goes to your CO, which
makes the connection. A true connection is NOT established until the other
end picks up (a rise in voltage over the lines, I believe). CID is sent to
the receiving party FROM THE CO, at approx. 400ms after the first ring.

In order for someone to hack the CID, they must first hack the CO, and then
get access to that *specific* part of the system, and really know what they
are doing. CID is pretty safe against all but the most sophisticated
attackers.

You might want to inquire if ANI is available as an alternative to CID. It
is more reliable, and there are no "private number" or "out of area" type
messages over ANI. It sends no matter what. I don't know if this service is
available to the general public though.

brain21 (no .sig)

From firewalls-owner Thu Nov 9 10:48:47 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA14552 for firewalls-outgoing; Thu, 9 Nov 1995 08:08:48 -0800 (PST)
Received: from smtpgate.saa-cons.co.uk (haddock.demon.co.uk [158.152.16.191]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id IAA14545 for ; Thu, 9 Nov 1995 08:08:41 -0800 (PST)
Received: from haddock.saa-cons.co.uk by smtpgate.saa-cons.co.uk with SMTP (5.65/1.3-eef) id AA06307; Thu, 9 Nov 95 16:07:59 GMT
Received: by haddock.saa-cons.co.uk (AIX 3.2/UCB 5.64/5.00) id AA19316; Thu, 9 Nov 1995 16:09:37 GMT
Date: Thu, 9 Nov 1995 16:09:37 +0000 (GMT)
From: Dave Roberts
To: Firewalls Mailing List
Subject: Re: Restricting URL's
In-Reply-To: <9511091520.AA23042@omni.mpsisys.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 9 Nov 1995, Ralph Mitchell wrote:

> Then how about putting an entry in my internal DNS that points sex.com to
> either a non-existent internal address or to something like a PC running
> Linux+httpd with a single web page that says "Gotcha !" ?? The outside
> world can't see my internal DNS so I won't be polluting anyone else's DNS...

I missed the original, so I could be off on a completely different tangent.
Are you applying this to all client applications on your site, and are
therefore looking to prevent all connections to a given site? In which case,
can you not alter the packet filter rules (providing you have a filter)?

And if you're just talking about WWW, then how about altering the source code
to filter out URLs that contain keywords that you put in a lookup table. You
could filter by protocol, hostname or pathname. OK, extra code = extra
possibility of bugs, but it seems straightforward enough to me (although I've
never tried it :-).
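[Editor's added example, not code from Dave, Ralph, Bryan or any proxy product discussed in this thread.] The lookup-table filter Dave sketches above, keyed by protocol, hostname or pathname, is only as good as the canonical form it matches against: a raw substring search on the request line is defeated by upper-case hostnames, a trailing dot, a `user@` prefix, an explicit port, or a percent-encoded path. The block below normalises the URL first, then applies the table. It also handles the evasion Ralph raised, a user who looks the site up with whois and requests it by IP address: no name-based rule can match that, so the example refuses IP-literal hosts outright. The policy table, the sample requests and the decision to fail closed on unparseable input are all constructed for this example.

```python
"""Proxy-side URL filter keyed by protocol, hostname or pathname.

Added example for the 'Restricting URL's' thread; not code from any poster
or from the CERN/Netscape proxies. The policy table and sample URLs are
constructed for illustration. Standard library only (Python 3).
"""
import ipaddress
from urllib.parse import unquote, urlsplit

# Constructed policy table. "host" matches the name and any subdomain,
# "path" matches a prefix of the decoded, lower-cased path, "proto" matches
# the URL scheme. A plain substring search on the raw request line would
# miss every spelling that normalise() below folds together.
BLOCKLIST = [
    ("host", "sex.com"),
    ("path", "/testosterone/"),
    ("proto", "ftp"),
]

# Ralph's bypass: whois the name, then ask for http://<address>/ instead.
# Name rules cannot see that, so refuse IP-literal hosts outright.
BLOCK_IP_LITERALS = True


def normalise(url):
    """Return (scheme, host, path) in canonical form; ValueError if unparseable.

    Lower-cases scheme and host, drops userinfo, port and a trailing dot,
    percent-decodes the path twice (so %2574 -> %74 -> t) and collapses
    repeated slashes. Each of these is a way to spell the same resource
    differently from the way it is written in the table.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")   # urlsplit already lower-cases it
    if not scheme or not host:
        raise ValueError("unparseable URL: %r" % url)
    path = unquote(unquote(parts.path or "/")).lower()
    while "//" in path:
        path = path.replace("//", "/")
    return scheme, host, path


def is_ip_literal(host):
    """True for IPv4 or IPv6 literals (urlsplit strips the [] from IPv6)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(url, blocklist=BLOCKLIST):
    """Return (allowed, reason). Anything that cannot be parsed is refused."""
    try:
        scheme, host, path = normalise(url)
    except ValueError as exc:
        return False, str(exc)
    if BLOCK_IP_LITERALS and is_ip_literal(host):
        return False, "IP-literal host %s: name rules cannot match it" % host
    for kind, value in blocklist:
        if kind == "proto" and scheme == value:
            return False, "protocol %s is blocked" % scheme
        if kind == "host" and (host == value or host.endswith("." + value)):
            return False, "host %s matches %s" % (host, value)
        if kind == "path" and path.startswith(value):
            return False, "path %s matches %s" % (path, value)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests, as a proxy log would show them.
    for sample in [
        "http://www.SEX.com/",
        "http://user@sex.com.:8080/x",
        "http://sexstuff.com/testosterone/fotos.html",
        "http://example.com/%2574estosterone/pics.html",
        "ftp://ftp.example.com/pub/",
        "http://10.1.2.3/",
        "http://notsex.com/",
        "http://www.example.com/pub/",
    ]:
        print("%-48s %s" % (sample, classify(sample)))
```

The suffix test `host.endswith("." + value)` is deliberate: matching on `"sex.com" in host` would also block `notsex.com`, which is the kind of false positive that makes users route around the proxy. The IP-literal refusal is blunt, and an organisation that needs to reach some services by address would replace it with an allowlist of known addresses; what it should not do is drop the check, because the whole of the name-based table is void without it.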
--
Dave Roberts, Unix Systems Administrator, SAA Consultants Ltd, Plymouth, UK.
"smap has the advantage [over bare sendmail] that it was written by someone
who is almost certifiably paranoid" - Brent Chapman, London, 19 Oct 95.

From firewalls-owner Thu Nov 9 10:53:13 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA15887 for firewalls-outgoing; Thu, 9 Nov 1995 09:01:04 -0800 (PST)
Received: from gatekeeper.hcc.com (GATEKEEPER.HCC.COM [148.163.104.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id JAA15882 for ; Thu, 9 Nov 1995 09:01:01 -0800 (PST)
Received: by gatekeeper.hcc.com (5.65/jj-092193); id AA10191; Thu, 9 Nov 1995 12:01:05 -0500
Received: by mailgate.bridgewater.ne.hcc.com (5.65/ejc-092393< Who Loves Class M Planets>); id AA15136; Thu, 9 Nov 1995 12:01:04 -0500
Received: from localhost (localhost [127.0.0.1]) by gumby.bridgewater.ne.hcc.com (8.6.10/8.6.10) with SMTP id MAA00983; Thu, 9 Nov 1995 12:01:03 -0500
From: "Edward J.M. Carley Jr."
Message-Id: <199511091701.MAA00983@gumby.bridgewater.ne.hcc.com>
X-Authentication-Warning: gumby.bridgewater.ne.hcc.com: Host localhost didn't use HELO protocol
To: ralph@omni.mpsisys.com (Ralph Mitchell)
Cc: firewalls@GreatCircle.COM, ejc@gumby.bridgewater.ne.hcc.com
Subject: Re: Restricting URL's
In-Reply-To: Your message of "Thu, 09 Nov 95 09:20:00 CST." <9511091520.AA23042@omni.mpsisys.com>
Date: Thu, 09 Nov 95 12:00:57 -0500
X-Mts: smtp
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Folks,

Two things come to mind. Depending upon your net configuration, you could
configure your access point with a static route that puts whatever.com's IP
network address on your side of the net. Users would simply time out trying
to reach them. Important safety tip: remember not to propagate this
misinformation.

Also, most of the httpd implementations I've seen (I note the use of URL)
have a feature to map, pass or redirect access attempts.
This could be useful if you are using proxy access to the net.

Am I close, comments??

cheers
ejc

////////////////////////////////////////////////////////////////////////
// Ed Carley                                                          //
// ejc@hcc.com || ejc@gumby.bridgewater.ne.hcc.com                    //
// Work (908)231-2525  Home (908)969-8688                             //
////////////////////////////////////////////////////////////////////////

From firewalls-owner Thu Nov 9 11:53:13 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA14754 for firewalls-outgoing; Thu, 9 Nov 1995 08:21:15 -0800 (PST)
Received: from roble.com (roble.com [204.188.93.50]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id IAA14748 for ; Thu, 9 Nov 1995 08:21:10 -0800 (PST)
Received: by roble.com (4.1/SMI-4.1/roble) id AA26606; Thu, 9 Nov 95 08:21:24 PST
Date: Thu, 9 Nov 1995 08:16:38 -0800 (PST)
From: Roger Marquis
Subject: FireWall-1 licensing
To: Firewalls@GreatCircle.COM
In-Reply-To: <199511072344.PAA27954@miles.greatcircle.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

A word of warning regarding FireWall-1. First let me say that this is a
great product, easy to install and very effective for packet filtering and
authentication. I've recommended and installed it at many sites. It has one
potentially serious flaw, however: the licensing.

FireWall-1 ships with a demo license that expires after 30 days. If you
install this product at a client site, be sure the administrator follows up
and gets the permanent license as soon as possible. If you're supporting the
product directly, consider not installing the demo license at all.

The problem is that the demo license will expire without warning, exposing
the internal network. This has happened to me twice now. There is no way to
verify whether the installed license is a demo or permanent. There is also
no way to verify that a permanent license was (properly) installed.
The real problem is Sun Licensing. The software they use to generate licenses (from serial number + hostid) is very buggy, crashes often, takes hours or days to generate a license, and may forget your license request altogether. If you call or email for a license don't expect to be emailed / faxed back on the first try regardless of what the operator says. I can recommend this software almost without reservation. Just be sure to get the permanent license _before_ doing the installation, and save the "fw putlic" command line in a safe place. Roger Marquis Sr. Systems Analyst, Roble Systems (marquis@roble.com, 415-494-9250) From firewalls-owner Thu Nov 9 12:23:13 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA14918 for firewalls-outgoing; Thu, 9 Nov 1995 08:30:15 -0800 (PST) Received: from count01.mry.scruznet.com (count01.mry.scruznet.com [204.147.227.65]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id IAA14913 for ; Thu, 9 Nov 1995 08:30:11 -0800 (PST) From: firewalls@security-gw.mry.scruznet.com Received: from security-gw.mry.scruznet.com (security-gw [192.187.227.222]) by count01.mry.scruznet.com (8.7.1/8.7.1) with ESMTP id IAA04033; Thu, 9 Nov 1995 08:20:32 -0800 (PST) Received: from security-gw.mry.scruznet.com (localhost [127.0.0.1]) by security-gw.mry.scruznet.com (8.7.1/8.7.1) with ESMTP id IAA04732; Thu, 9 Nov 1995 08:23:13 -0800 (PST) Message-Id: <199511091623.IAA04732@security-gw.mry.scruznet.com> To: Scott Barman cc: firewalls@GreatCircle.COM, firewalls@count01.mry.scruznet.com Subject: Re: Changing shared libraries and how is ld.so finding real libraries? In-reply-to: Your message of "Tue, 07 Nov 1995 13:14:47 EST." 
Date: Thu, 09 Nov 1995 08:23:12 -0800
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On November 7 Scott Barman asked about LD_LIBRARY_PATH and other LD paths and
linkage options affecting access to shared libraries (Message inbox:287)

From: Scott Barman
To: firewalls@GreatCircle.COM
Subject: Changing shared libraries and how is ld.so finding real libraries?

>
>Gee... this started out as a question and, after some investigation, has
>evolved into "what the heck is it doing?" Let's start with the original
>question:
>
> Now that the advisory is out regarding telnet and resetting
> the LD_LIBRARY_PATH environment variable I have a question:
>
> Is it possible for someone who has acquired unauthorized
> access to a system using an ordinary userid to upload in their
> own copy of libc.so.*, change LD_LIBRARY_PATH (or LD_RUN_PATH)
> so that /bin/login dynamically links with their hacked version
> rather than the one in /usr/lib?
>
>I decided to do some investigating. Under Solaris 2.4 on a SPARC 1000E,
>I set up a "simulated" environment by creating some empty files that had
>the name of libraries under /tmp and tried to run the login program.
>The following is what I did:
>
>	cd /usr/lib
>	foreach i (lib*.so*)
>		echo -n > /tmp/$i
>	end
>	cd security		<--- hmmm this was an interesting find!
>	foreach i (*)
>		echo -n > /tmp/$i
>	end
>	setenv LD_LIBRARY_PATH /tmp
>	setenv LD_RUN_PATH /tmp
>	/usr/bin/login
>
>The login program seemed to work fine. It prompted me for my userid and
>password... no problems. In fact, any setuid or setgid program (ps
>and mail, for example) ran with no problems. Others, such as ls and
>examination of the output from nm and strings). But even with my stubs
>Can anyone enlighten me as to what is happening?
>
>TIA
>
>scott barman
>--
>scott barman            DISCLAIMER: I speak to anyone who will listen,
>scott@disclosure.com                and I speak only for myself.
>barman@ix.netcom.com

I suspect what's going on here is that either LD_PRELOAD_PATH is in use OR,
what's possibly closer to the truth, that CERTAIN programs in SUNOS and
Solaris are linked statically to assist in recovering AFTER a disaster
involving shared libraries. Usually, while working around at the different
OS vendors, I found them to follow this policy. I know SUN did at one time,
and according to one of the founders of Microport (business associate) this
was also done (with the originals of Microport Unix). I haven't verified ANY
other OS that uses shared libs for this property, so I don't know if it
holds true.

I suggest you look mostly at the programs in /usr/sbin (Standalone
BINaries?? :) and run truss against them to verify WHICH libs are REALLY
being accessed; truss will tell you that. You can also tag EVERY OS access
with truss.. have FUN

kelly

p.s. Round about Solaris Version 2, Solaris programs involving the network
lost the ability to ever be linked statically again because of the getxx
routines. I worked with several SUN customers on the issue AND found the BUG
ids that had been filed by a then-current coworker and friend while he was
working client-side Kerberos checkout for SUN. While I DON'T agree with the
reasons (sensitive binaries should ALWAYS be linked statically, particularly
when the code handles information that has been classified), I do recall
that SOME binaries had at one point, before being found and fixed, some
hardcoded internal paths.
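[Editor's added example, not code from Scott, Kelly or Sun.] Scott's experiment can be answered by reading the binary instead of running it against stub libraries. The block below is a minimal ELF64 reader that reports whether a program is dynamically linked (it carries a PT_INTERP segment naming a runtime linker), which libraries it DT_NEEDs, and what DT_RPATH/DT_RUNPATH search path is built into it. The security assumption behind the audit is mine rather than the thread's: on Linux with glibc, ld.so runs set-user-ID and set-group-ID programs in secure-execution mode, where LD_LIBRARY_PATH is ignored and LD_PRELOAD is restricted, which is the behaviour Scott observed for login, ps and mail; a DT_RPATH that points at a user-writable directory is still honoured, and that is the finding worth looking for. I assume Solaris' ld.so.1 trusted-directory rule for secure applications has the same effect, but have not verified it on 2.4. The test image is constructed in memory (a synthetic ELF that cannot execute), and `/tmp` standing in for a user-writable directory is an assumption of the example.

```python
"""Static audit of an ELF64 binary: static or dynamic, DT_NEEDED, RPATH/RUNPATH.

Added example for this thread; not code from any poster or vendor. Standard
library only. Assumption (mine, not the thread's): glibc's ld.so ignores
LD_LIBRARY_PATH and restricts LD_PRELOAD for set-user-ID programs, but a
DT_RPATH/DT_RUNPATH built into the binary is still searched. For a setuid
binary the question is therefore "does its built-in search path contain a
directory I can write to", not "can I point LD_LIBRARY_PATH at /tmp".
"""
import struct

PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
DT_NULL, DT_NEEDED, DT_STRTAB, DT_RPATH, DT_RUNPATH = 0, 1, 5, 15, 29
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"   # little-endian ELF64

def _phdrs(data):
    """Yield (p_type, p_offset, p_vaddr, p_filesz) for every program header."""
    ident, *f = struct.unpack_from(EHDR, data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_phoff, e_phentsize, e_phnum = f[4], f[8], f[9]
    for i in range(e_phnum):
        p_type, _, p_off, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            PHDR, data, e_phoff + i * e_phentsize)
        yield p_type, p_off, p_vaddr, p_filesz

def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode()

def parse_elf(data):
    """Return {'dynamic': bool, 'needed': [lib, ...], 'rpath': [dir, ...]}."""
    info, loads, dyn = {"dynamic": False, "needed": [], "rpath": []}, [], None
    for p_type, off, vaddr, size in _phdrs(data):
        if p_type == PT_LOAD:
            loads.append((off, vaddr, size))
        elif p_type == PT_INTERP:
            info["dynamic"] = True          # the image asks for a runtime linker
        elif p_type == PT_DYNAMIC:
            dyn = (off, size)
    if dyn is None:
        return info                         # static: no library search at all
    entries = []
    for pos in range(dyn[0], dyn[0] + dyn[1], 16):
        tag, val = struct.unpack_from(DYN, data, pos)
        if tag == DT_NULL:
            break
        entries.append((tag, val))
    # DT_STRTAB holds a virtual address; map it to a file offset via PT_LOAD.
    sv = next(v for t, v in entries if t == DT_STRTAB)
    strtab = next(sv - vaddr + off for off, vaddr, size in loads
                  if vaddr <= sv < vaddr + size)
    for tag, val in entries:
        if tag == DT_NEEDED:
            info["needed"].append(_cstr(data, strtab + val))
        elif tag in (DT_RPATH, DT_RUNPATH):
            info["rpath"].extend(_cstr(data, strtab + val).split(":"))
    return info

def audit(data, setuid, writable_dirs):
    """Findings for one binary. writable_dirs: dirs an ordinary user can write."""
    info = parse_elf(data)
    if not info["dynamic"]:
        return ["static: immune to library substitution"]
    findings = []
    if setuid:
        findings.append("setuid and dynamic: ld.so ignores LD_LIBRARY_PATH here, "
                        "so only the built-in search path matters")
    for d in info["rpath"]:
        if d == "" or d in writable_dirs:   # an empty element means the cwd
            findings.append("search path %r is user-writable%s"
                            % (d or ".", " (root compromise)" if setuid else ""))
    return findings

def build_test_elf(needed, rpath, static=False):
    """Constructed ELF64 image (not a runnable program) with PT_LOAD, PT_INTERP
    and PT_DYNAMIC segments, so the parser can be exercised offline."""
    offs, strtab = {}, b"\0"
    for s in needed + [rpath]:
        offs[s] = len(strtab)
        strtab += s.encode() + b"\0"
    phnum, dyn_off = 3, 64 + 56 * 3
    entries = [(DT_NEEDED, offs[n]) for n in needed] + [(DT_RPATH, offs[rpath]), (DT_NULL, 0)]
    str_off = dyn_off + 16 * (len(entries) + 1)     # +1 for the DT_STRTAB entry
    entries.insert(0, (DT_STRTAB, str_off))         # vaddr == file offset here
    dyn = b"".join(struct.pack(DYN, t, v) for t, v in entries)
    total = str_off + len(strtab)
    ehdr = struct.pack(EHDR, b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                       2, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    phdrs = struct.pack(PHDR, PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)
    if static:
        phdrs += b"\0" * (56 * 2)                   # two PT_NULL entries
    else:
        phdrs += struct.pack(PHDR, PT_INTERP, 4, 0, 0, 0, 0, 0, 1)
        phdrs += struct.pack(PHDR, PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                             len(dyn), len(dyn), 8)
    return ehdr + phdrs + dyn + strtab

if __name__ == "__main__":
    login = build_test_elf(["libc.so.1", "libnsl.so.1"], "/usr/lib:/tmp")
    print(parse_elf(login))
    print(audit(login, setuid=True, writable_dirs={"/tmp"}))
    print(audit(build_test_elf([], "", static=True), setuid=True, writable_dirs={"/tmp"}))
```

To run this against a real system, replace `build_test_elf` with `open(path, "rb").read()` over the output of a `find / -perm -4000` walk and derive `writable_dirs` from `os.access(d, os.W_OK)` as an unprivileged user; the parser itself is the same. Kelly's suggestion of `truss` is the dynamic counterpart: it shows which libraries actually get opened at run time, whereas this reads what the binary asks for.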
From firewalls-owner Thu Nov 9 12:24:20 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA14447 for firewalls-outgoing; Thu, 9 Nov 1995 08:05:15 -0800 (PST)
Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id IAA14438 for ; Thu, 9 Nov 1995 08:05:10 -0800 (PST)
Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id KAA16255; Thu, 9 Nov 1995 10:41:46 -0600
Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id KAA16248; Thu, 9 Nov 1995 10:41:45 -0600
Received: from mario.sctc.com (mario.sctc.com [172.17.192.177]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id KAA06757; Thu, 9 Nov 1995 10:05:52 -0600 (CST)
Received: (from dowd@localhost) by mario.sctc.com (8.6.12/8.6.9) id KAA00314; Thu, 9 Nov 1995 10:05:50 -0600
Date: Thu, 9 Nov 1995 10:05:49 -0600 (CST)
From: Alan Dowd
To: "Johnson-Bryden, Ian"
cc: "'firewalls@greatcircle.com'"
Subject: Re: security policy
In-Reply-To: <30A1D3FF@smtpgty.saicuk.co.uk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings, All!

This topic came up last August, with much the same response that Mr.
Johnson-Bryden produced:

On Thu, 9 Nov 1995, Johnson-Bryden, Ian wrote:
> If someone has produced a real risk/security policy it should not be
> released to anyone other than authorised users for obvious reasons. If it is
> similar to a 'Corporate Mission Statement' it won't be worth much. If it is a
> fully detailed document which someone has unwisely made public, it should
> only be meaningful to the owner because of those unique elements to that
> enterprise, other than it shows how one outfit approached the issues. There
> are now a range of books which cover risk/security policy generation in
> varying detail and from different perspectives.
> Ian J-B > ---------- Aside from the fact that an enormous number of security policies and internet usage guidelines are freely available on the net, there is a fundamental breakdown of communication here. Warren S. Moore, CISSP, produced a good set of definitions of terms and I quote his message to provide that information once again. BTW, IMHO the policy must be a public document. Regards, Al Dowd dowd@sctc.com secure computing corporation begin quoted material <*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*> From: warren.moore@cbis.com Warren Moore 10 Aug 95 8:10:51 EDT List: firewalls-owner@greatcircle.com Message-Id: 9508101515.AA4890@notes John Cougar writes: >give away a copy of an organisations Security Policy?!? Not only must >you be kidding, but also: fat chance. That'd be as negligent as giving >away company trade secrets! I may have missed something here, and certainly not to start a war, but that's wrong. Copies of real, in-use, corporate security policies are available from many different sources--starting with the Computer Security Institute's old "Computer Security Handbook," and the MIS Training Institute's "Information Security Resource Manual." (IBM, First American National Bank, yadatayada). In some cases they're slightly sanitized, but the base document is there. And, there's really no reason not to provide samples (if management approves), simply because a true Corporate Security Policy statement isn't going to say very much anyway -- it should be nothing more than a short statement of what your corporate entity's leaders expect. Perhaps it's splitting hairs, but many people don't understand (and often confuse) the base meanings of the words "Policy," "Standards," "Guidelines," and "Procedures." If you use the definitions below, there's no reason not to let people know your policy, but quite a few to guard your standards, guidelines, and procedures closely. 
Policy: A statement of *what* management expects; not how those expectations will be met. Standard(s): The criteria against which results are to be judged. Guideline(s): Items that *should* be considered when a particular subject is studied and analyzed. Guidelines are not always an exhaustive list, nor are they always applicable to all things in all cases. Procedure(s): A detailed step-by-step description of *how* a job is done, defining *who* does *what*. Procedures are written to support policy, meet standards, use guidelines when necessary, and *show the way to do something.* Warren S. Moore, CISSP Information Security Specialist Cincinnati Bell Information Systems Inc. My Opinions Are Mine Only -- Who Else Would Claim Them? <*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*> end quoted material I don't claim them, but I sure do quote them. {ad} ;-) From firewalls-owner Thu Nov 9 12:25:13 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA15394 for firewalls-outgoing; Thu, 9 Nov 1995 08:39:47 -0800 (PST) Received: from tigger.dir.texas.gov (tigger.dir.STATE.TX.US [141.198.192.97]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id IAA15389 for ; Thu, 9 Nov 1995 08:39:43 -0800 (PST) Received: from DIR-Message_Server by tigger.dir.texas.gov with Novell_GroupWise; Thu, 09 Nov 1995 10:44:41 -0600 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Thu, 09 Nov 1995 10:39:52 -0600 From: William Tompkins To: sieber@colorado.edu, alan@gi.net Cc: firewalls@GreatCircle.COM Subject: Re: security policy -Reply Sender: firewalls-owner@GreatCircle.COM Precedence: bulk These two URLs may provide some useable information to assist in setting up a security policy. these documents are the [1] rules and [2] guidelines for all Texas state agencies and universities. 
gopher://phoenix.stac.dir.texas.gov:70/00/rules/instr/security/tac
gopher://phoenix.stac.dir.texas.gov:70/00/rules/instr/security/irpolicy

You can get to these through our web page: http://www.dir.texas.gov/ My agency is responsible for information resources oversight to all agencies and universities in the state. Feel free to give me a call if I can be of any further assistance.

William Tompkins Texas Dept. of Information Resources (512) 475-3335 --------------------------------------------------------

>>> Alan Hannan 11/09/95 01:56am >>>
] A while back (within the last month), someone briefly mentioned a URL ] that contained security policy documents for several universities. In my ] absentmindedness, I deleted the message. If anyone knows of that site, could ] they please e-mail it to me directly?

Bookmarks are wonderful: http://musie.phlab.missouri.edu/Policy/copies/tamu-collection1.html

I post publicly because this one is mainly related to academic policies. Does anyone have a site consisting of one or more corporate network security policies? I would be interested in this for several folks at my talks who have been developing such.
-alan

From firewalls-owner Thu Nov 9 12:31:26 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA15674 for firewalls-outgoing; Thu, 9 Nov 1995 08:51:13 -0800 (PST) Received: from charles.polymer.uakron.edu (charles.polymer.uakron.edu [130.101.8.8]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id IAA15669 for ; Thu, 9 Nov 1995 08:51:01 -0800 (PST) Received: from iris.polymer.uakron.edu by charles.polymer.uakron.edu (950511.SGI.8.6.12.PATCH526/Polymer/CPC(1.34-main)) id QAA18242; Thu, 9 Nov 1995 16:52:39 GMT Received: by iris.polymer.uakron.edu (950511.SGI.8.6.12.PATCH526/Polymer/CPC(940406.SGI)) id LAA15553; Thu, 9 Nov 1995 11:52:04 -0500 Date: Thu, 9 Nov 1995 11:52:01 -0500 (EST) From: Chris Cole To: Lloyd Vancil cc: firewalls@GreatCircle.com Subject: Re: Weird Netscape Navigator functions? In-Reply-To: <9511082205.AA06575@suned1.Nswses.Navy.Mil> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>>> The first was the CEO of Netscape saying something to the effect that >>> "..we know how many people are using our browsers because every time >>> you access a site, a message is set to one of our servers telling us >>> what version you have, if it's a trial beta or registered, etc". >>> I haven't had a chance to run a packet trace on it yet, but does anyone >>> know if this is true?

Not totally true. By default, the 'N' build of the Netscape Navigator connects to netscape's homepage on the net. Likewise, the 'S' build of the navigator defaults to Silicon Graphics' Homepage, etc.
When the Netscape navigator connects to an http host, the client initiates the connection with something similar to the following ASCII text:

GET / HTTP/1.0
Connection: Keep-Alive
User-Agent: Mozilla/2.0b2N (X11; I; Solaris 5.4 sun4m)
Host: www.toyota.com:80
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*

This text is read by the WWW server being connected to, and the only thing usually logged and kept is the 'User-Agent:' line. The next transaction is the HTML ASCII which is sent to the client... (index.html - from the 'GET /'). If the default homepage of the Netscape navigator is changed by either a command line option or a shell script to start it up, Netscape's homepage won't be obtaining any of this information. Only the site that your browser initially connects to will receive this information.

>> I have run packet traces on my connections and haven't yet seen any of >> these "messages", but I certainly may have missed it! A packet is not >> sent at the start of every connection. It may be sent at some random >> time after the initiation of a connection or only once per day.

I haven't yet run a long-term snoop to see if indeed there are some 'random' connections to netscape. I hope not! My experience agrees with yours: When snooping all packets on our subnet, NO packets go to netscape's site. The only packets I see are those for the intended web host. I started up netscape saying: netscape http://www.toyota.com whilst snooping our segment, I DID see the text I stated above which went straight to www.toyota.com. Nothing went to Netscape.

> Did it occur to anyone that what may have been said was that "When you > connect on one of our sites a message about who what where when and HOW" is > collected? Sounds like logging to me. Netscape has the ability (i > understand) to report the type of and rev number for the browser.

Type and rev, yes. Remote site, yes. Who, NO.
The machine type is obtained from the 'User-Agent' line which tells the platform the navigator was built for. -Chris +-->>> Chris Cole <<<----+----------------------------------------------------+ |/voice: (216) 972-6104 \| eMail: chris@polymer.uakron.edu /=/| |\ fax: (216) 972-5396 /| http: www.polymer.uakron.edu/users/chris \=\| | \/\/\/\/\/\/\/\/\/\/\/ | ftp: ftp.polymer.uakron.edu/users/chris /=/| | Experience is something you don't get until just after you need it. \=\| +------------------------+----------------------------------<<>>--+ From firewalls-owner Thu Nov 9 12:53:13 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id LAA19010 for firewalls-outgoing; Thu, 9 Nov 1995 11:03:25 -0800 (PST) Received: from beldar.fshops.sfsu.edu ([130.212.46.10]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id LAA18998 for ; Thu, 9 Nov 1995 11:03:20 -0800 (PST) Received: from [130.212.46.5] (mis1.fshops.sfsu.edu [130.212.46.5]) by beldar.fshops.sfsu.edu (8.7.1/8.6.9) with SMTP id MAA13742 for ; Thu, 9 Nov 1995 12:22:05 -0800 Date: Thu, 9 Nov 1995 12:22:05 -0800 X-Sender: sansom@beldar.fshops.sfsu.edu Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: sansom@fshops.sfsu.edu (Rob Sansom) Subject: POP Access Thru router Sender: firewalls-owner@GreatCircle.COM Precedence: bulk There are some at my organization (upper management) who believe that there is little danger in allowing access to POP accounts on my Unix host thru our router. My attitude is that the fewer types of connections that I allow through the router to our internal hosts the better, and a good solution to allowing access to POP accounts from the outside would be to set up terminal server/modem access with SLIP/PPP functionality so that people can dial in and download their mail via Eudora or whatever, over a SLIP connection. 
In light of the recent syslog(3)/Telnet problems, it scares the hell out of me to allow this type of connection. Besides sending passwords in the clear over unsecured nets, I don't want to find out the hard way that there is some bug in my POP server, or function call that it uses. Am I being overly cautious (loaded question)? Thanks in advance, __________________________________________________________________ Rob Sansom Tech. Resources Mrg. Franciscan Shops Inc. (The Bookstore) San Francisco State University (415) 338-1538 __________________________________________________________________ From firewalls-owner Thu Nov 9 12:56:29 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id KAA18859 for firewalls-outgoing; Thu, 9 Nov 1995 10:59:41 -0800 (PST) Received: from virginia.edu (uvaarpa.Virginia.EDU [128.143.2.7]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id KAA18854 for ; Thu, 9 Nov 1995 10:59:34 -0800 (PST) Received: from fulton.seas.virginia.edu by uvaarpa.virginia.edu id aa15746; 9 Nov 95 13:59 EST Received: (from zjk2h@localhost) by fulton.seas.Virginia.EDU (8.7.1/8.6.6) id NAA205613 for firewalls@greatcircle.com; Thu, 9 Nov 1995 13:59:43 -0500 Date: Thu, 9 Nov 1995 13:59:43 -0500 From: boz boze ghandi Message-Id: <199511091859.NAA205613@fulton.seas.Virginia.EDU> X-Mailer: Mail User's Shell (7.2.5 10/14/92) To: firewalls@greatcircle.com Subject: Re: Restricting URLs Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Nov 9, 9:20, Ralph Mitchell wrote: > Subject: Re: Restricting URL's > > Mike Culver wrote: > > > > > > To deny resolution to sex.com, simply add an entry to named.boot for > > > bogusns. This directive will tell your DNS that the name server for sex.com > > > is bogus, and your DNS will never ask sex.com's DNS anything. > > > > Nice idea, but... Most of these one-host-wonder sites actually > > use their ISP as a name server. Disallowing the ISPs name server > > is a bit drastic. 
Look at playboy.com for example... > > Then how about putting an entry in my internal DNS that points sex.com to > either a non-existent internal address or to something like a PC running > Linux+httpd with a single web page that says "Gotcha !" ?? The outside > world can't see my internal DNS so I won't be polluting anyone elses DNS... > > Of course the user could telnet to rs.internic.net and use whois to establish > the actual IP address... > > Ralph Mitchell > -- End of excerpt from Ralph Mitchell

Even simpler. A user could simply use nslookup, providing any non-internal DNS server. If resolution failed for me personally, regardless of DNS failure or specific resolution denial, that would be my first reaction. Why not filter out the IP of specific sites on the external routers? (I am relatively new to networking hardware and am unsure of the feasibility of this.)

-zach kelly

From firewalls-owner Thu Nov 9 13:53:13 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id MAA21717 for firewalls-outgoing; Thu, 9 Nov 1995 12:52:49 -0800 (PST) Received: from usia.gov (XGATE.USIA.GOV [198.67.64.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id MAA21711 for ; Thu, 9 Nov 1995 12:52:43 -0800 (PST) Received: from NetWare MHS (SMF70) by usia.gov via Connect2-SMTP 4.00; Thu, 9 Nov 95 15:52:28 -0500 Message-ID: <9069A2300136C8D1@usia.gov> Date: Thu, 9 Nov 95 15:50:19 -0500 From: "Lehrer, Neil" Organization: USIA To: firewalls@greatcircle.com Subject: windows ftp client and challenge/response firewall X-mailer: Connect2-SMTP 4.00 MHS to SMTP Gateway Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi, anybody have any ideas about how to answer a challenge (digital pathways, sdk, skey, etc.) from a firewall using a GUI Windows FTP client? If possible can you cc my email address? Thanks. Regards +++++++++++++++++++++++++++++++++++++++ + Neil Lehrer + U.S.
Information Agency + Networks and Systems Support Division + + voice 202 619-0903 + fax 202 619-3883 + internet nlehrer@usia.gov + + "oh what a tangled net we weave + when we seek to retrieve." + +++++++++++++++++++++++++++++++++++++++

From firewalls-owner Thu Nov 9 14:04:21 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id LAA19312 for firewalls-outgoing; Thu, 9 Nov 1995 11:18:09 -0800 (PST) Received: from cnj.digex.net (cnj.digex.net [199.34.50.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id LAA19307 for ; Thu, 9 Nov 1995 11:18:05 -0800 (PST) Received: (from grina@localhost) by cnj.digex.net (8.6.12/8.6.12) id OAA00637 ; for ; Thu, 9 Nov 1995 14:18:20 -0500 Date: Thu, 9 Nov 1995 14:18:20 -0500 From: Peter Grina Message-Id: <199511091918.OAA00637@cnj.digex.net> To: ralph@omni.mpsisys.com Subject: Re: Restricting URL's Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

You're not cutting off access to sex.com by messing with the name sex.com in your DNS files. Every browser I've used supports URLs with the IP address, so http://169.69.69.69 will still get you to sex.com's WWW pages.

Regards, Pete Grina

p.s. with my luck, I've probably just exposed the Pope's linux box as 169.69.69.69.
From firewalls-owner Thu Nov 9 14:53:13 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id KAA18485 for firewalls-outgoing; Thu, 9 Nov 1995 10:44:23 -0800 (PST) Received: from ncelec.com ([199.238.59.23]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id KAA18480 for ; Thu, 9 Nov 1995 10:44:20 -0800 (PST) Received: from mike_pc by ncelec.com (5.4R3.10/200.2.1.5) id AA16923; Thu, 9 Nov 1995 10:41:24 -0800 Date: Thu, 9 Nov 1995 10:41:24 -0800 Message-Id: <9511091841.AA16923@ncelec.com> X-Sender: mculver@ncelec.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: Mike Culver Subject: Re: Restricting URL's Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

OK, so lots of people don't like the idea about using bogusns to restrict URL's. But no one else has put a more workable solution on the table. LET'S NOT MAKE THIS INTO A NOISE THREAD! Take the idea for what you think it's worth/not worth, but don't beat it to death on the list. And no, I'm not being defensive. But this list has too much noise without me starting more.

Original Message from Mike Culver:
>> > >> > To deny resolution to sex.com, simply add an entry to named.boot for >> > bogusns. This directive will tell your DNS that the name server for sex.com >> > is bogus, and your DNS will never ask sex.com's DNS anything.
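The three approaches argued over in this Restricting URL's thread (an internal DNS that refuses the name, Mike Culver's bogusns entry, and Zach Kelly's router filter) differ in exactly what they check, which is why Peter Grina's IP-literal URL gets past the first two. The following is an added example, not code from the thread or from any BIND or router vendor: the zone names, the resolver table, the name-server assignments and the address 169.69.69.70 are constructed for the demonstration, and 169.69.69.69 is reused only as the placeholder literal from Peter Grina's message.

```python
"""Added example, not code from the firewalls list: three ways of 'blocking
a site' from the Restricting URL's thread, and what each actually checks.
Everything below is constructed: the zones, the resolver table, the name
server assignments and 169.69.69.70.  169.69.69.69 is reused only as the
placeholder literal from Peter Grina's message."""
import ipaddress
from urllib.parse import urlsplit

# What the outside world's DNS answers (constructed).
EXTERNAL_A = {
    "www.blocked.example": "169.69.69.69",
    "www.allowed.example": "169.69.69.70",     # same ISP, innocent customer
    "www.elsewhere.example": "198.51.100.7",
}
# Authoritative name server per zone (constructed): both small sites let
# their ISP host their DNS, the case Ralph Mitchell raises.
AUTHORITATIVE_NS = {
    "blocked.example": "ns.isp.example",
    "allowed.example": "ns.isp.example",
    "elsewhere.example": "ns.elsewhere.example",
}

BLOCKED_ZONES = {"blocked.example"}                       # internal-DNS approach
BLOCKED_NS = {"ns.isp.example"}                           # bogusns approach
BLOCKED_ADDRS = {ipaddress.ip_address("169.69.69.69")}    # router-filter approach


def zone_of(host):
    """'www.blocked.example' -> 'blocked.example' (two-label zones assumed)."""
    return ".".join(host.split(".")[-2:])


def literal_address(host):
    """The address if the URL host is an IP literal, else None.  A literal is
    used as-is by the browser; no resolver, internal or external, is asked."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def target_address(url):
    """Address the browser will actually open a TCP connection to."""
    host = urlsplit(url).hostname
    addr = literal_address(host)
    if addr is None and host in EXTERNAL_A:
        addr = ipaddress.ip_address(EXTERNAL_A[host])
    return addr


def allowed_by_internal_dns(url):
    """Ralph Mitchell's variant: the internal DNS will not resolve the zone.
    Only name lookups are affected."""
    host = urlsplit(url).hostname
    if literal_address(host) is not None:
        return True                     # the internal DNS is never asked
    return zone_of(host) not in BLOCKED_ZONES


def allowed_by_bogusns(url):
    """Mike Culver's variant: the zone's name server is declared bogus, so
    every zone that server is authoritative for stops resolving."""
    host = urlsplit(url).hostname
    if literal_address(host) is not None:
        return True
    return AUTHORITATIVE_NS.get(zone_of(host)) not in BLOCKED_NS


def allowed_by_router_filter(url):
    """Zach Kelly's variant: drop packets to the address on the external
    router.  Independent of how the URL was written; unresolvable = deny."""
    addr = target_address(url)
    return addr is not None and addr not in BLOCKED_ADDRS


if __name__ == "__main__":
    print(f"{'url':32} internal-dns bogusns router")
    for url in ("http://www.blocked.example/", "http://169.69.69.69/",
                "http://www.allowed.example/", "http://www.elsewhere.example/"):
        print(f"{url:32} {allowed_by_internal_dns(url)!s:12} "
              f"{allowed_by_bogusns(url)!s:8} {allowed_by_router_filter(url)}")
```

Running it prints one verdict per filter for each URL: both name-based filters pass http://169.69.69.69/, the bogusns filter also loses www.allowed.example because it shares the ISP's name server, and only the address filter catches the literal. The address filter has its own collateral damage: several sites can sit behind one address, and a site can change address whenever it likes, so the blocklist needs maintenance that a name does not.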
From firewalls-owner Thu Nov 9 15:39:33 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id PAA25991 for firewalls-outgoing; Thu, 9 Nov 1995 15:04:11 -0800 (PST) Received: from nda.nda.com (fw1.NDA.COM [204.57.47.254]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id PAA25979 for ; Thu, 9 Nov 1995 15:04:07 -0800 (PST) Received: (kovar@localhost) by nda.nda.com (8.7.1/8.6.4) id SAA24881; Thu, 9 Nov 1995 18:04:07 -0500 (EST) From: David Kovar Message-Id: <199511092304.SAA24881@nda.nda.com> Subject: Re: FireWall-1 licensing To: marquis@roble.com (Roger Marquis) Date: Thu, 9 Nov 1995 18:04:06 -0500 (EST) Cc: Firewalls@GreatCircle.COM In-Reply-To: from "Roger Marquis" at Nov 9, 95 08:16:38 am X-Mailer: ELM [version 2.4 PL20] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > The problem is that the demo license will expire without warning, > exposing the internal network. This has happened to me twice now. > There is no way to verify whether the installed license is a demo or > permanent. There is also no way to verify that a permanent license was > (properly) installed. The real problem is Sun Licensing. The software 'fw printlic' will tell you what licenses you have installed and running. 
-David

From firewalls-owner Thu Nov 9 15:48:48 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id OAA23939 for firewalls-outgoing; Thu, 9 Nov 1995 14:19:48 -0800 (PST) Received: from igate1.hac.com (igate1.HAC.COM [192.48.33.10]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id OAA23934 for ; Thu, 9 Nov 1995 14:19:45 -0800 (PST) Received: from pizza.pizza.hac.com ([147.19.105.118]) by igate1.hac.com (4.1/SMI-4.1) id AA23267; Thu, 9 Nov 95 14:17:46 PST Received: from [147.19.1.99] (tomn.HAC.COM [147.19.1.99]) by pizza.pizza.hac.com (8.6.12/8.6.12) with SMTP id OAA11155; Thu, 9 Nov 1995 14:17:12 -0800 Message-Id: <199511092217.OAA11155@pizza.pizza.hac.com> X-Sender: tnaka@sed.hac.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 9 Nov 1995 14:20:05 -0800 To: firewalls@greatcircle.com From: nakamura@sed.hac.com (Tom Nakamura) Subject: Re: Weird Netscape Navigator functions? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>In two different trade magazines recently, I've read a few things about >Netscape's Navigator that made me go "Hmm?". > >The first was the CEO of Netscape saying something to the effect that >"..we know how many people are using our browsers because every time >you access a site, a message is set to one of our servers telling us >what version you have, if it's a trial beta or registered, etc". >I haven't had a chance to run a packet trace on it yet, but does anyone >know if this is true? >

An easy way to view one aspect of what a browser transmits is to connect to the BrowserWatch site (URL http://www.ski.mskcc.org/browserwatch/). If you connect via a proxy server it will also indicate what additional information the server transmits. Since I use both Netscape and Mosaic I use neither "bookmarks" nor "hotlists". Instead I maintain a local html file of "hotmarks" which I use as my homepage. Nothing should be transmitted until I explicitly connect outside my own machine.
Tom Nakamura

From firewalls-owner Thu Nov 9 16:01:30 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id NAA22558 for firewalls-outgoing; Thu, 9 Nov 1995 13:27:10 -0800 (PST) Received: from gauntlet-1.trusted.com ([204.254.155.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id NAA22546 for ; Thu, 9 Nov 1995 13:27:03 -0800 (PST) Received: by gauntlet-1.trusted.com; id QAA22687; Thu, 9 Nov 1995 16:29:46 -0500 Received: from hilo.trusted.com(10.0.1.126) by gauntlet-1.trusted.com via smap (g3.0.3) id xma022683; Thu, 9 Nov 95 16:29:33 -0500 Received: from vanidor.trusted.com by hilo.trusted.com with SMTP (1.37.109.4/16.2) id AA26735; Thu, 9 Nov 95 16:26:59 -0500 Message-Id: <9511092126.AA26735@hilo.trusted.com> X-Sender: avolio@hilo.trusted.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 09 Nov 1995 16:26:53 -0500 To: Rob Sansom , firewalls@greatcircle.com From: Frederick M Avolio Subject: Re: POP Access Thru router Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

You are not being overly cautious, of course.

1. Passwords used are the same as to user accounts.
2. Mail can be stolen (this is not considered important or a concern???).

I don't advocate using filtering routers anyway, but even with a firewall the password issue is the same. You'd certainly want to use a POP3 proxy and use APOP for authentication.

Fred

At 12:22 PM 11/9/95 -0800, Rob Sansom wrote: >There are some at my organization (upper management) who believe that there >is little danger in allowing access to POP accounts on my Unix host thru >our router.
My attitude is that the fewer types of connections that I >allow through the router to our internal hosts the better, and a good >solution to allowing access to POP accounts from the outside would be to >set up terminal server/modem >access with SLIP/PPP functionality so that people can dial in and download >their mail via Eudora or whatever, over a SLIP connection. In light of the >recent syslog(3)/Telnet problems, it scares the hell out of me to allow >this type of connection. Besides sending passwords in the clear over >unsecured nets, I don't want to find out the hard way that there is some >bug in my POP server, or function call that it uses. Am I being overly >cautious (loaded question)? > >Thanks in advance, > >__________________________________________________________________ >Rob Sansom >Tech. Resources Mrg. >Franciscan Shops Inc. (The Bookstore) >San Francisco State University >(415) 338-1538 >__________________________________________________________________ > > > From firewalls-owner Thu Nov 9 16:21:07 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id PAA28229 for firewalls-outgoing; Thu, 9 Nov 1995 15:50:46 -0800 (PST) Received: from lint.cisco.com (lint.cisco.com [171.68.235.77]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id PAA28224 for ; Thu, 9 Nov 1995 15:50:41 -0800 (PST) Received: from pferguso-pc.cisco.com (sl-charm-01.cisco.com [171.69.126.139]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id PAA21070; Thu, 9 Nov 1995 15:50:01 -0800 Message-Id: <199511092350.PAA21070@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 09 Nov 1995 18:52:09 -0500 To: sansom@fshops.sfsu.edu (Rob Sansom) From: Paul Ferguson Subject: Re: POP Access Thru router Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 12:22 PM 11/9/95 -0800, Rob Sansom wrote: 
>There are some at my organization (upper management) who believe that there >is little danger in allowing access to POP accounts on my Unix host thru >our router. My attitude is that the fewer types of connections that I >allow through the router to our internal hosts the better, and a good >solution to allowing access to POP accounts from the outside would be to >set up terminal server/modem >access with SLIP/PPP functionality so that people can dial in and download >their mail via Eudora or whatever, over a SLIP connection. In light of the >recent syslog(3)/Telnet problems, it scares the hell out of me to allow >this type of connection. Besides sending passwords in the clear over >unsecured nets, I don't want to find out the hard way that there is some >bug in my POP server, or function call that it uses. Am I being overly >cautious (loaded question)? > No, not really. These are certainly valid concerns. It would, however, be (almost) harmless if the remote users were dialing into your internal network directly via a terminal server behind your firewall. Of course, you would be well advised to use a reliable authentication mechanism to allow the PPP/SLIP logins. If this (loaded question) were POP traffic traversing your firewall from external networks, then it would be extremely foolish. ;-) - paul -- Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:.. 
e-mail: pferguso@cisco.com c i s c o S y s t e m s

From firewalls-owner Thu Nov 9 16:23:13 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id PAA28437 for firewalls-outgoing; Thu, 9 Nov 1995 15:56:36 -0800 (PST) Received: from actcom.co.il (actcom.co.il [192.114.47.1]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id PAA28416 for ; Thu, 9 Nov 1995 15:55:35 -0800 (PST) Received: by actcom.co.il (8.6.12/actcom-0.1) id BAA27089; Fri, 10 Nov 1995 01:17:34 +0200 (rfc931-sender: guyd@localhost) Date: Fri, 10 Nov 1995 01:17:33 +0200 (EET) From: Daniel Guy To: firewalls@greatcircle.com Subject: Re: I got an intruder In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Thu, 9 Nov 1995, Daniel Guy wrote: > [SNIP] > > Prosecute, prosecute, prosecute - but of course you may have to get > > the laws changed to make intrusion an illegal act first of all. And > > if the intruder is from across the pond (either way) you've got an > > International incident to deal with. CERT (the Computer Emergency > > Response Team) can be of assistance (esp. if the intruder you > > detected happens to part of a larger organized attack). The FBI is > > the agency in the USA which is the contact for InterPol, if you have > > an international incident.. > > > > > I suggest to find the place where the intruder work, ask the > > > company *nicely* to fire the guy, then kill his dog and burn the house :) > > > > I'd also suggest they sever all his computer accounts, and Internet > > access. Of course, he/she can go down the street to any ISP (Internet > > Service Provider) and continue his/her games and tricks.
> > I think we're getting a little rash here, a lot of cracker activity comes > from bogus or hijacked accounts, prosecuting away without running a full > investigation first would be foolish and could get a decent user behind > bars, in addition, before you run to prosecute a teenager, think if he'd > really done some damage.. flame-bait but it's been too long since my last flame ;) > is it worth > putting a 17-year-old kid away for 5yrs if all he did was being curious > without causing any damage? > Again, determining who the attacker *really* is is hell on a university > or an ISP site where the users allow themselves poor passwords, sharing > accounts etc., use caution before naming the culprit > > > Getting cooperation from the other guy's employer is a whole different matter. > > Maybe, he's being paid to examine your work. Then what? > > > > The best offense is a good defense - keep them out in the first > > place, and hide (encrypt) business mission critical information. > No, if you have really important things keep them off the internet, > encryption can be broken, it is sufficient if a cracker hears of a bug > before you do to get all your machines compromised > __ > St.
Viper the one who doesn't sleep O:-) > **guyd@actcom.co.il** > > > > > > From firewalls-owner Thu Nov 9 16:50:43 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id PAA26390 for firewalls-outgoing; Thu, 9 Nov 1995 15:14:59 -0800 (PST) Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id PAA26385 for ; Thu, 9 Nov 1995 15:14:56 -0800 (PST) Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.7.1/8.7.1) with UUCP id RAA12163 for GreatCircle.COM!Firewalls; Thu, 9 Nov 1995 17:10:53 -0600 (CST) Received: by ris1.nmti.com (smail2.5) id AA27920; 9 Nov 95 17:18:23 CST (Thu) Received: by sonic.nmti.com; id AA04904; Thu, 9 Nov 1995 16:47:46 -0600 From: peter@nmti.com (Peter da Silva) Message-Id: <9511092247.AA04904@sonic.nmti.com.nmti.com> Subject: Re: FireWall-1 licensing To: marquis@roble.com (Roger Marquis) Date: Thu, 9 Nov 1995 16:47:45 -0600 (CST) Cc: Firewalls@GreatCircle.COM In-Reply-To: from "Roger Marquis" at Nov 9, 95 08:16:38 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk My emphasis added: > The problem is that the demo license will expire without warning, > EXPOSING THE INTERNAL NETWORK. That's enough for me to consider FW-1 unacceptable. If the license manager fucks up, you're open to the world. A firewall should fail in the *closed* position. 
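Peter da Silva's rule just above, that a firewall must fail closed, is easy to state and easy to get wrong in code. The following added example (not FireWall-1 code, and not from the thread) models the failure Roger Marquis describes: the rule base is only available while a license check passes. One design forwards traffic when the rule base cannot be loaded; the other treats a missing rule base as an empty one, which under first-match-then-deny evaluation means nothing passes. The rule syntax, the license check, the addresses and the sample packets are all constructed.

```python
"""Added example, not from the thread and not FireWall-1 code: a toy packet
filter whose rule base is only available while a license check passes,
written once fail-open and once fail-closed.  Rule syntax, the license
check, addresses and sample packets are all constructed."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None          # None matches any port

    def matches(self, p: Packet) -> bool:
        return (p.src in self.src and p.dst in self.dst
                and (self.dport is None or self.dport == p.dport))


class LicenseExpired(Exception):
    pass


def load_rulebase(license_valid: bool):
    """Stand-in for a licensed policy loader: with the license lapsed the
    rule base is simply not available (constructed behaviour, modelled on
    the failure the thread describes, not on how any product does it)."""
    if not license_valid:
        raise LicenseExpired("demo license has expired")
    net = ipaddress.ip_network
    internal, anywhere = net("10.0.0.0/8"), net("0.0.0.0/0")   # constructed
    return [
        Rule(ALLOW, internal, anywhere, 80),             # inside may browse
        Rule(ALLOW, anywhere, net("10.0.0.25/32"), 25),  # inbound SMTP to relay only
        # no final rule: evaluate() supplies the implicit deny
    ]


def evaluate(rules, p: Packet) -> str:
    """First match wins; falling off the end is a deny (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return DENY


class FailOpenFirewall:
    """The behaviour the thread complains about: no rule base, no filtering."""
    def __init__(self, license_valid: bool):
        try:
            self.rules = load_rulebase(license_valid)
        except LicenseExpired:
            self.rules = None              # filter module never engaged

    def decide(self, p: Packet) -> str:
        if self.rules is None:
            return ALLOW                   # traffic is forwarded unfiltered
        return evaluate(self.rules, p)


class FailClosedFirewall:
    """Peter da Silva's requirement: no rule base means nothing passes."""
    def __init__(self, license_valid: bool):
        try:
            self.rules = load_rulebase(license_valid)
        except LicenseExpired:
            self.rules = []                # empty rule base => implicit deny

    def decide(self, p: Packet) -> str:
        return evaluate(self.rules, p)


def packet(src: str, dst: str, dport: int) -> Packet:
    return Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)


if __name__ == "__main__":
    probe = packet("203.0.113.9", "10.0.0.5", 23)   # outside -> inside telnet
    for licensed in (True, False):
        print(f"license_valid={licensed}: fail-open "
              f"{FailOpenFirewall(licensed).decide(probe)}, fail-closed "
              f"{FailClosedFirewall(licensed).decide(probe)}")
```

With a valid license both designs give identical answers; the difference only shows up at the moment the license lapses, which is exactly when nobody is watching. The same shape applies to any enforcement component that can fail to initialise, such as a proxy that cannot read its ACL or a filter module that fails to load: decide at design time that the no-policy state equals deny, and exercise that path in testing, because it is the one path a 30-day demo never runs.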
From firewalls-owner Thu Nov 9 16:53:13 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id OAA25585 for firewalls-outgoing; Thu, 9 Nov 1995 14:55:34 -0800 (PST) Received: from avalon.newsedge.com ([199.183.183.202]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id OAA25580 for ; Thu, 9 Nov 1995 14:55:28 -0800 (PST) Date: Thu, 9 Nov 95 17:52:21 EST Message-Id: <9511091752.AA17400@avalon.newsedge.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii From: "chris brenton" Reply-To: X-Sender: To: firewalls@greatcircle.com Subject: FireWall-1 licensing X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Original-From: Roger Marquis Original-Date: Thu, 9 Nov 1995 08:16:38 -0800 (PST)
>A word of warning regarding FireWall-1. First let me say that this is >a great product, easy to install and very effective for packet >filtering and authentication. I've recommended and installed it at >many sites. It has one potentially serious flaw however, the >licensing. > >FireWall-1 ships with a demo license that expires after 30 days. If >you install this product at a client site be sure the administrator >follows-up and gets the permanent license as soon as possible. If >you're supporting the product directly consider not installing the demo >license at all.

The other bug I've seen with this is that it may check both internal and _external_ hosts for license compliance. If the number of external sites visited exceeds your user license the software hangs and starts generating tons of mail to root (once a minute if memory serves) claiming you have violated the licence agreement.
From firewalls-owner Thu Nov 9 17:09:27 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id NAA22531 for firewalls-outgoing; Thu, 9 Nov 1995 13:25:56 -0800 (PST) Received: from Fe3.rust.net (Fe3.rust.net [204.157.12.254]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id NAA22526 for ; Thu, 9 Nov 1995 13:25:52 -0800 (PST) Received: from dtw-21.rust.net by Fe3.rust.net via SMTP (940816.SGI.8.6.9/940406.SGI.AUTO) id QAA00325; Thu, 9 Nov 1995 16:25:54 -0800 Date: Thu, 9 Nov 1995 16:25:54 -0800 Message-Id: <199511100025.QAA00325@Fe3.rust.net> X-Sender: janken@rust.net X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: stephen@networks.com From: janken@rust.net (Kenneth J. Stephens) Subject: Re: security policy Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Security through Obscurity (StO) Examples:
1. Security controls are to allow access (by default) and deny access by specific rule
2. Hide data and access "in plain sight."
3. Generally viewed as "simple to manage" or "the easy way out."

"Real" Security Examples:
1. Security controls are to deny access (by default) and allow access by specific rule
2. Hide data and access to the best of your ability.
3. Generally be willing to "bust your butt" to keep the bad guys out.

Given the above, would you want your corporate security policy in the hands of the bad guys? Which examples best describe your security policy?

The only limiting factors are (in order):
a. Your backing from management.
b. Your budget.
c. Your skill level
d. Your available time and staff

Note: Strong support for item (a) can generally fix items (b,c,d) and lack of support for items (a) and (b) usually is the reason item (d) suffers.

My $.02.
Ken I think you said: >Please don't misinterpret me, I am genuinely in search of a practical, >reasonable opinion: how does one distinguish security through >obscurity from ``real'' security? Should one apply that standard to a >corporate security policy? Why or why not? > > - Stephen > stephen@networks.com > > From: "Johnson-Bryden, Ian" > Date: Thu, 09 Nov 95 09:39:00 GMT > X-Mailer: Microsoft Mail V3.0 > Sender: owner-gateway-firewalls@imonics.com > Precedence: bulk > > > If someone has produced a real risk/security policy it should not be > released to anyone other than authorised users for obvious reasons. If it is > similar to a 'Corporate Mission Statement' it wont be worth much. If it is a > fully detailed document which someone has unwisely made public, it should > only be meaningful to the owner because of those unique elements to that > enterprise, other than it shows how one outfit approached the issues. There > are now a range of books which cover risk/security policy generation in > varying detail and from different perspectives. > Ian J-B > > [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][] [] [] [] Ken Stephens Senior Capacity Planner/Data Security Officer [] [] email: Ken_Stephens@miconsulting.com Voice (313) 876-5081 [] [] Michigan Employment Security Commission (MESC) Fax (313) 876-6827 [] [] 7th Fl. I.S. [] [] 7310 Woodward Ave [] [] Detroit, MI 48202 [] [] [] [] Millennium Consulting Your Security Policy is only [] [] 28234 Diesing Dr. as strong as your organization's [] [] Madison Heights, MI 48071 commitment to it. 
[] [] [] [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][] From firewalls-owner Thu Nov 9 17:23:13 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA01971 for firewalls-outgoing; Thu, 9 Nov 1995 17:16:27 -0800 (PST) Received: from roble.com (roble.com [204.188.93.50]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id RAA01966 for ; Thu, 9 Nov 1995 17:16:24 -0800 (PST) Received: by roble.com (4.1/SMI-4.1/roble) id AA27840; Thu, 9 Nov 95 17:16:34 PST Date: Thu, 9 Nov 1995 17:10:58 -0800 (PST) From: Roger Marquis Subject: Re: FireWall-1 licensing To: Adam Horwitz Cc: firewalls@greatcircle.com In-Reply-To: <199511092341.RAA04489@vger.tripcom.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 9 Nov 1995, Adam Horwitz wrote: > I don't know about how Sun generates the licenses or what difficulty > they may have in doing so. But regarding being able to determine > what license is installed, the command > > fw printlic Thanks for the tip. I wonder why this isn't in the documentation, or the output of 'fw -help'? Roger Marquis Roger Marquis Sr. 
Systems Analyst, Roble Systems (marquis@roble.com, 415-494-9250)

From firewalls-owner Thu Nov 9 17:28:04 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id PAA27939 for firewalls-outgoing; Thu, 9 Nov 1995 15:42:59 -0800 (PST)
Received: from mickey.ovid.com (mickey.ovid.com [198.242.51.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id PAA27914 for ; Thu, 9 Nov 1995 15:42:52 -0800 (PST)
Received: by mickey.ovid.com (AIX 3.2/UCB 5.64/4.03) id AA11482; Thu, 9 Nov 1995 16:42:32 -0700
Date: Thu, 9 Nov 1995 16:42:31 -0700 (MST)
From: Adam Prato
To: Rob Sansom
Cc: firewalls@greatcircle.com
Subject: Re: POP Access Thru router
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 9 Nov 1995, Rob Sansom wrote:
> Subject: POP Access Thru router
>
> There are some at my organization (upper management) who believe that there
> is little danger in allowing access to POP accounts on my Unix host thru
> our router. My attitude is that the fewer types of connections that I
> allow through the router to our internal hosts the better, and a good
...
> bug in my POP server, or function call that it uses. Am I being overly
> cautious (loaded question)?
>

It's as dangerous as any other service you provide through the router. Some
more dangerous than others. All can be used without danger if sufficient
logging and accounting exists.

As far as the dangers in allowing pop3, popcrack.c is probably the most
danger you'll experience. It allows for repetitive attempts at passwords
from a dictionary. It runs as fast as the network link between the
attacking computer and the remote host. It uses plain text from a
dictionary, no encryption needed since the POP protocol is plain text,
thus it runs pretty fast.
Adam

From firewalls-owner Thu Nov 9 17:53:13 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA02186 for firewalls-outgoing; Thu, 9 Nov 1995 17:21:51 -0800 (PST)
Received: from avalon.immortal.net.au ([203.11.105.37]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id RAA02179 for ; Thu, 9 Nov 1995 17:21:33 -0800 (PST)
Received: (from mcleod@localhost) by avalon.immortal.net.au (8.6.11/8.6.9) id LAA00292; Fri, 10 Nov 1995 11:19:02 +1000
Date: Fri, 10 Nov 1995 11:19:01 +1000 (EST)
From: Shaw Innes
X-Sender: mcleod@avalon.immortal.net.au
To: cjolley@iac.net
cc: firewalls@GreatCircle.COM
Subject: Re: Internic Port Scanning
In-Reply-To: <199511091710.MAA16064@little-miami.iac.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 9 Nov 1995 cjolley@iac.net wrote:
> Recently one of my co-workers sent an e-mail to hostmaster@internic.net.
> The message was not delivered immediately and is still waiting at the
> firewall for retry (i.e. every four hours for 5 days). However very
> shortly after the attempt to send this message, our firewall began
> seeing attempts to connect to high _TCP_ (not UDP) port numbers. The
> IP address appears to be that of the InterNic. Does anyone know what's
> going on? Is this the InterNic trying to validate the e-mail as coming
> from my site or might this be someone spoofing the InterNic address
> while trying to do some port scanning?

I have heard similar reports from several Australian ISPs. I do not know
whether this is a legitimate exercise or not though, but I've heard of it
four times, once near the beginning of '95 and then another twice
throughout the year.

Hope that helped a little, and I'd be interested to know if this is a
legitimate probing.
Regards,
Shaw

+----------------------------------------+-----------------------+
| Shaw Innes                             | mcleod@odyssey.com.au |
| IRC: McLeod  Phone: (07) 3353 0540     | mcleod@healey.com.au  |
| WWW: http://www.odyssey.com.au/mcleod  | mcleod@cynergy.com.au |
+----------------------------------------+-----------------------+

From firewalls-owner Thu Nov 9 18:23:13 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA01086 for firewalls-outgoing; Thu, 9 Nov 1995 17:01:44 -0800 (PST)
Received: from randomc.randomc.com (ra1.randomc.com [205.160.16.20]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id RAA01079 for ; Thu, 9 Nov 1995 17:01:37 -0800 (PST)
Received: (llama@localhost) by randomc.randomc.com (8.6.10/8.6.10) id UAA18111; Thu, 9 Nov 1995 20:01:47 -0500
From: Jonny Llama
Message-Id: <199511100101.UAA18111@randomc.randomc.com>
Subject: Re: Spoofing ISDN
To: morph_1@netaxs.com (FEH Systems Philadelphia)
Date: Thu, 9 Nov 1995 20:01:46 -0500 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: from "FEH Systems Philadelphia" at Nov 7, 95 09:54:47 pm
X-Info: finger llama@randomc.com | pgp -fka +force
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>
> W0W! Kevin Mitnick Reprogrammed Switches!#@? I heard he had a portable
> phone that he had opened up and modified so that he could make free ld
> calls.
>
> --
> MORPH : .|.: Federal Electronic

Uhh. Hmm. This is almost off topic, if you were a bed wetting liberal, to
end it, yes Mitnick did reprogram the switch so that he could hide in
between it when using his cloned phone, but what it led up to was him being
caught by simple triangulation. I guess that's what happens when you sit on
an illegal phone for days at a time harassing people who really don't like
you. Such is life, followups should be in email.
> >
> > before you accuse someone of being full of shit you might want to check your
> > facts more carefully
> > CLID is implemented under CLASS programming on the #5ess...
> >
> > Switch reprogramming and the relatively trivial masquerading of Caller-iD
> > (really trivial with switch access) or the more fascinating
> > subject of spoofing ANI or AMA has been a salient feature of MANY security
> > Attacks in Silicon Valley... and austin and new york etc ad nauseam
> > These attacks are NOT mentioned in CUD or the Washington post...
> > you would have to be an insider to the industry to know
> > how prevalent this is...
> >
> > cheers
> > kelly

From firewalls-owner Thu Nov 9 18:41:42 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id NAA22314 for firewalls-outgoing; Thu, 9 Nov 1995 13:15:34 -0800 (PST)
Received: from cliff.bms.com (cliff.bms.com [140.176.1.102]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id NAA22309 for ; Thu, 9 Nov 1995 13:15:30 -0800 (PST)
Received: from optical.bms.com (optical.bms.com) by cliff.bms.com (PMDF V5.0-5 #9246) id <01HXG1R26GQO0011DS@cliff.bms.com>; Thu, 09 Nov 1995 16:15:51 -0500 (EST)
Received: from zymurgy (zymurgy.bms.com [140.176.2.78]) by optical.bms.com (8.6.12/8.6.10) with SMTP id QAA18533; Thu, 09 Nov 1995 16:15:31 -0500
Received: by zymurgy (5.x/client-1.3) id AA01429; Thu, 09 Nov 1995 16:15:29 -0500
Date: Thu, 09 Nov 1995 16:15:29 -0500
From: "James P. Anderson III"
Subject: Re: FireWall-1 licensing
To: Roger Marquis
Cc: Firewalls@GreatCircle.com
Message-id: <9511092115.AA01429@zymurgy>
Content-transfer-encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

>>>>> "Roger" == Roger Marquis writes:

Roger> A word of warning regarding FireWall-1. First let me say that this is
Roger> a great product, easy to install and very effective for packet
Roger> filtering and authentication.
Roger> I've recommended and installed it at
Roger> many sites. It has one potentially serious flaw however, the
Roger> licensing.

Roger> FireWall-1 ships with a demo license that expires after 30 days. If
Roger> you install this product at a client site be sure the administrator
Roger> follows up and gets the permanent license as soon as possible. If
Roger> you're supporting the product directly consider not installing the demo
Roger> license at all.

Roger> The problem is that the demo license will expire without warning,
Roger> exposing the internal network. This has happened to me twice now.

Roger> There is no way to verify whether the installed license is a demo or
Roger> permanent. There is also no way to verify that a permanent license was
Roger> (properly) installed. The real problem is Sun Licensing. The software

Try fw printlic. i.e:

    gateway / 2 # fw printlic
    Type          Expiration    Features
    ID-824162af   Never         pfm control - -

-or-

    gateway / 2 # fw printlic
    Type          Expiration    Features
    Eval          31Aug95       pfm control routers will

It will tell you when it thinks it will expire. Sixty days would be nice to
have for evaluation purposes given the amount of time it takes sometimes to
get a permanent key. I also agree that the demo should failsafe and down
the external interface.

Roger> they use to generate licenses (from serial number + hostid) is very
Roger> buggy, crashes often, takes hours or days to generate a license, and
Roger> may forget your license request altogether. If you call or email for a
Roger> license don't expect to be emailed / faxed back on the first try
Roger> regardless of what the operator says.

Roger> I can recommend this software almost without reservation. Just be sure
Roger> to get the permanent license _before_ doing the installation, and save
Roger> the "fw putlic" command line in a safe place.

Roger> Roger Marquis
Roger> Sr.
Roger> Systems Analyst, Roble Systems
Roger> (marquis@roble.com, 415-494-9250)

Once you have the key, though, the software is very nice to work with.

Jay Anderson
- --
- ------------------------------------------------------
James P. Anderson III                     anderson@optical.bms.com
Senior Network Engineer                   N3JMC
Bristol-Myers Squibb Pharmaceutical Research Institute
Princeton, NJ 08543                       Work: (609)-252-6039

-----BEGIN PGP SIGNATURE-----
Version: 2.7.1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQCVAwUBMKJvY7Vlh7g6Vkn9AQHoxQP/ffaFEWjBXixH7XRReep66Po/7KX6oFY2
tjZYHEvaoT99c1s6wjsHcLd3JsE8aPyPSK4Tyk3GU1K9yxb4cI5ZYRktccU9phVB
uCESwkkBR8O+8c8SFN8kvBw/5eOvI1f/hB9CiSwESI3DIflnKvXkLza8SVDiT07x
PFeOYNjacbQ=
=0JaA
-----END PGP SIGNATURE-----

From firewalls-owner Thu Nov 9 18:42:59 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id PAA27770 for firewalls-outgoing; Thu, 9 Nov 1995 15:41:17 -0800 (PST)
Received: from vger.tripcom.com (vger.tripcom.com [198.5.220.33]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id PAA27765 for ; Thu, 9 Nov 1995 15:41:13 -0800 (PST)
Received: (from adam@localhost) by vger.tripcom.com id RAA04489; Thu, 9 Nov 1995 17:41:26 -0600
From: Adam Horwitz
Message-Id: <199511092341.RAA04489@vger.tripcom.com>
Subject: Re: FireWall-1 licensing
To: firewalls@greatcircle.com
Date: Thu, 9 Nov 1995 17:41:25 -0600 (CST)
Cc: marquis@roble.com (Roger Marquis)
In-Reply-To: from "Roger Marquis" at Nov 9, 95 08:16:38 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> There is no way to verify whether the installed license is a demo or
> permanent. There is also no way to verify that a permanent license was
> (properly) installed. The real problem is Sun Licensing. The software
> they use to generate licenses (from serial number + hostid) is very
> buggy, crashes often, takes hours or days to generate a license, and
> may forget your license request altogether.
> If you call or email for a
> license don't expect to be emailed / faxed back on the first try
> regardless of what the operator says.

I don't know about how Sun generates the licenses or what difficulty
they may have in doing so. But regarding being able to determine
what license is installed, the command

    fw printlic

which works on non-Sun supplied copies of FireWall-1 (i.e. from a VAR
such as myself) will display the expiration date and type of license.
If it says 'eval' it is a temporary, evaluation license, due to expire
on the date shown. A permanent license will show it is permanent and
never expires. I would assume the same command will work on your system.

I believe this is checked when the software is started up and when you
install the policy filter, in which case you're notified if it is no
longer valid. (Of course if you boot the system you will likely not see
the message.) So theoretically if the system is never booted it will
continue to work until you install a new policy. Of course, you may be
in violation of the license agreement if it is beyond the validity date
and you're still using it. (I'll leave this for the lawyers to figure out.)

As a VAR for the product it is my responsibility to ensure that the
permanent license is installed before the evaluation license expires.
If I were to be negligent in doing so I would be sued out of business.

I hope this information is of some use to you.

--
Adam Horwitz                         (708) 778-9531
Tripcom Systems Inc.
adam@tripcom.com

From firewalls-owner Thu Nov 9 18:53:13 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id QAA28848 for firewalls-outgoing; Thu, 9 Nov 1995 16:03:50 -0800 (PST)
Received: from lint.cisco.com (lint.cisco.com [171.68.235.77]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id QAA28843 for ; Thu, 9 Nov 1995 16:03:46 -0800 (PST)
Received: from pferguso-pc.cisco.com (sl-charm-01.cisco.com [171.69.126.139]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id QAA25814; Thu, 9 Nov 1995 16:03:31 -0800
Message-Id: <199511100003.QAA25814@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 09 Nov 1995 19:05:33 -0500
To: "Wilburn,Ted-Dept of Technology"
From: Paul Ferguson
Subject: Re: FW: Firewall Software
Cc: "'Firewalls'"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Your e-mail is probably being ignored because of its general nature. :-)

Literally thousands of networks have deployed various types of 'firewalls,'
and literally thousands more are in the process of doing so. There are too
many methods, philosophies, security strategies and products to respond to
'how it is set up.'

Suggested reading on the Web would be the Firewall's Frequently Asked
Questions file;

http://www.iwi.com/pubs/faq.htm

- paul

At 09:59 AM 11/9/95 PST, Wilburn,Ted-Dept of Technology wrote:
>
>A request from a colleague, Thanks
>Ted Wilburn, twilburn@msmail.owensboro.k12.ky.us.
>
>Forwarded message begin:
>
> ----------
>From: owner-kydtc[SMTP:owner-kydtc@UKCC.UKY.EDU]
>Sent: Thursday, November 09, 1995 10:14 AM
>To: Multiple recipients of list KYDTC
>Subject: Firewall Software
>
>Pendleton County has a wide area network installed and is now in the
>process
>of getting acceptable use policies signed by students and parents.
>I am
>experiencing a good deal of pressure to install a firewall to prevent
>access
>to some of the "bad stuff." Is anyone out there successfully using
>firewall
>software and how is it set up. Thanks
>
>lsutton@pendleton.k12.ky.us
>
>

--
Paul Ferguson                          ||        ||
Consulting Engineering                 ||        ||
Reston, Virginia USA                  ||||      ||||
tel: +1.703.716.9538              ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com          c i s c o S y s t e m s

From firewalls-owner Thu Nov 9 18:53:58 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id PAA26334 for firewalls-outgoing; Thu, 9 Nov 1995 15:12:37 -0800 (PST)
Received: from ns2.eds.com (ns2.eds.com [199.228.142.78]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id PAA26322 for ; Thu, 9 Nov 1995 15:12:33 -0800 (PST)
Received: by ns2.eds.com (hello) id SAA06890; Thu, 9 Nov 1995 18:12:09 -0500
Received: by nnsp.eds.com (hello) id SAA05586; Thu, 9 Nov 1995 18:11:28 -0500
Received: from oscar.lab.nz.eds.com (oscar.lab.nz.eds.com [134.251.24.1]) by gonzo.lab.nz.eds.com (8.6.12/8.6.12) with ESMTP id MAA01326; Fri, 10 Nov 1995 12:15:38 +1300
Received: (tim@localhost) by oscar.lab.nz.eds.com (8.6.12/8.6.12) id MAA05475; Fri, 10 Nov 1995 12:10:59 +1300
Date: Fri, 10 Nov 1995 12:10:57 +1300 (NZDT)
From: Tim Frost
Reply-To: Tim Frost
To: "Frank O'Dwyer"
cc: Scott Barman , firewalls@GreatCircle.COM
Subject: Re: Changing shared libraries and how is ld.so finding real libraries?
In-Reply-To: <9511081454.AA03860@philby.fws.ilo.dec.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 8 Nov 1995, Frank O'Dwyer wrote:
>
> > This is what I expected. But why are the setuid/setgid finding the
> > right libraries? What is Solaris doing to get around the settings of
> > these environment variables?
>
> Some Unices constrain setuid/setgid programs to load shared libs from
> the standard directories only, for (you guessed it) "security reasons".
> I don't know if Solaris does, however. It's generally also possible
> to specify a library search path at link time (via LD_RUN_PATH, I think),
> so that the binary 'knows where to look' independently of the
> environment settings.
>
> In my experience, these mechanisms are usually poorly documented,
> and the best thing to do is to experiment in order to determine
> the effect of the various environment variables, and what precedence
> they have and so forth. It's also about the best way to understand
> what's going on.

SVR4, Linux and Solaris (at least - I don't have a BSD-based platform to
check) all allow you to determine what libraries are loaded, by using the
command ldd. I haven't tried to check the behaviour of the SVR4 system
with LD_LOAD_PATH, etc set, but the default libraries for login & the X
server are shown by:

    # ldd /bin/login
    dynamic linker: /bin/login: file loaded: /usr/lib/libcrypt.so
    dynamic linker: /bin/login: file loaded: /usr/lib/libiaf.so
    dynamic linker: /bin/login: file loaded: /usr/lib/libc.so.1
    #
    /home/tim-> ldd /usr/X/bin/X
    dynamic linker: /usr/X/bin/X: file loaded: /usr/X/lib/libfont.so
    dynamic linker: /usr/X/bin/X: file loaded: /usr/X/lib/libX11.so.1
    dynamic linker: /usr/X/bin/X: file loaded: /usr/lib/libnsl.so
    dynamic linker: /usr/X/bin/X: file loaded: /usr/lib/libc.so.1
    dynamic linker: /usr/X/bin/X: file loaded: /usr/X/lib/libXIM.so.1
    /home/tim->

The man page for ldd points out the one caveat: ldd does not identify
libraries accessed using the dlopen() function.

>
> Lastly, another peculiarity with shared libs is that individual
> functions are generally not bound until they are used. In principle,
> you could have a daemon which ran for a year, then called its
> 'year_end' routine only to find that the latest and greatest lib no longer
> contained that routine. From memory, there is (in SVR4 anyhow) a
> variable called LD_BIND_NOW which if you set it to 1 will have the
> binary bind everything when it starts.
> If anything's missing
> from the libs you'll then find it out right away.

If you have ldd, you can detect this problem with the -r option to ldd,
which checks references to data and functions.

>
> Hope this is of some help,
>
> Cheers,
> Frank O'Dwyer.
>

Hope this is useful too.

Tim

Tim Frost, Systems Engineer (Unix)    Email: Tim.Frost@nz.eds.com
EDS (NZ) Ltd,                         or   : Tim.Frost@eds.co.nz
P.O. Box 3055,                        Voice: +64 4 495-0400 or +64 4 495-0504
Wellington, New Zealand.              Fax:   +64 4 474-5130

From firewalls-owner Thu Nov 9 19:05:17 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id PAA27213 for firewalls-outgoing; Thu, 9 Nov 1995 15:34:14 -0800 (PST)
Received: from magneto.bosch.com (magneto.bosch.com [198.111.120.52]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id PAA27203 for ; Thu, 9 Nov 1995 15:34:09 -0800 (PST)
Received: by magneto.bosch.com; id SAA10269; Thu, 9 Nov 1995 18:30:14 -0500
Received: from cyber.rbus(198.168.2.2) by magneto via smap (V1.3) id sma010267; Thu Nov 9 18:29:52 1995
Received: by inet.rbus; id SAA20321; Thu, 9 Nov 1995 18:32:29 -0500
Received: from mail(172.16.1.21) by inet.rbus via smap (V1.3) id sma020317; Thu Nov 9 18:32:24 1995
Received: by mail.fh.rbus; id SAA28092; Thu, 9 Nov 1995 18:31:04 -0500
Date: Thu, 9 Nov 1995 18:31:04 -0500
Message-Id: <199511092331.SAA28092@mail.fh.rbus>
X-Sender: cwerner@fh.rbus
X-Mailer: Windows Eudora Version 2.1.1
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.com
From: "Christopher L. Werner"
Subject: Re: POP Access Thru router
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 12:22 PM 11/9/95 -0800, Rob Sansom wrote:
>There are some at my organization (upper management) who believe that there
>is little danger in allowing access to POP accounts on my Unix host thru
>our router.
>My attitude is that the fewer types of connections that I
>allow through the router to our internal hosts the better, and a good
>solution to allowing access to POP accounts from the outside would be to
>set up terminal server/modem
>access with SLIP/PPP functionality so that people can dial in and download
>their mail via Eudora or whatever, over a SLIP connection.

Without strong authentication even on private dial-up lines (like one-time
passwords) your accounts may still be compromised. Part of the problem is
the lack of logging/audit trail on direct dial-up. If someone scanning phone
numbers looking for modems does succeed, will you have a record for the
authorities if he never logs into the mail server? If the authentication
occurs on the Internet side of the firewall and port 110 is plugged through
to the mail server (several products force it to go to only one destination)
you have logged the connection on the PPP server, the firewall and
eventually the APOP supported POP server.

>In light of the
>recent syslog(3)/Telnet problems, it scares the hell out of me to allow
>this type of connection. Besides sending passwords in the clear over
>unsecured nets, I don't want to find out the hard way that there is some
>bug in my POP server, or function call that it uses. Am I being overly
>cautious (loaded question)?

The newest version of qpopper from Qualcomm 2.1.4 now supports APOP which
encrypts the users password on the client, passes it to the server, and it
is decrypted on your side of the firewall.

Has anyone managed to use s/key with Eudora/APOP?

--------------------------------------------------------------------
Opinions expressed are mine and not those of my employer.
--------------------------------------------------------------------
Christopher L. Werner               Robert Bosch Corporation
System Engineer                     38000 Hills Tech Dr.
(810)553-1389                       Farmington Hills, MI 48331-3417

From firewalls-owner Thu Nov 9 19:23:13 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA02670 for firewalls-outgoing; Thu, 9 Nov 1995 17:36:03 -0800 (PST)
Received: from whirlwind.momentum.com.au (whirlwind.momentum.com.au [203.2.238.131]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id RAA02656 for ; Thu, 9 Nov 1995 17:35:52 -0800 (PST)
Received: (from uucp@localhost) by whirlwind.momentum.com.au (8.6.12/8.6.12) id JAA00051 for ; Fri, 10 Nov 1995 09:35:24 +0800
Received: from aristoi.momentum.com.au(203.2.238.138) by whirlwind via smap (V1.3mjr) id sma000046; Fri Nov 10 09:35:04 1995
X-Sender: todd@mailhost.momentum.com.au
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 10 Nov 1995 09:35:35 +0800
To: Firewalls@GreatCircle.COM
From: todd@momentum.com.au (Todd Hooper)
Subject: Re: FireWall-1 licensing
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Our experience with Firewall-1 licensing has been more positive.

For a start, are you talking about SunSoft Firewall-1 as opposed to
Checkpoint Firewall-1? The licensing process is slightly different -
obviously you send the license request to Sun rather than Checkpoint if you
are running the SunSoft version. In our case, the majority of our experience
is with the SunSoft version, although we have worked on sites which use the
Checkpoint version.

>FireWall-1 ships with a demo license that expires after 30 days.

This isn't our experience. We have always had to apply to our local Sun
office for a demo license. Nobody here can recall ever seeing a demo license
in the Firewall-1 box. Also, all of the demo licenses we have seen expire on
a given date e.g. end of October, end of November. We have never seen one
which lasts for 30 days from the point of installation.

>The problem is that the demo license will expire without warning,
>exposing the internal network.

Not automatically.
In our experience, when the license expires you cannot alter the rule set
but the firewall continues to operate. From memory, one other restriction is
if you shut the firewall down when the demo license has expired you cannot
restart it.

The only reason we were exposed to this is when we received a wrong shipment
of Firewall-1 on one occasion which had the wrong license papers in it, and
hence we had to wait some weeks for a replacement to come from the US. In
the meantime we used a demo license. Also, we have set up a couple of eval
firewalls where the demo license facility was useful.

>There is no way to verify whether the installed license is a demo or
>permanent.

Try fw putlic -check-only to get info regarding the type of license, expiry
dates (if a demo) and the feature set.

> The real problem is Sun Licensing. The software
>they use to generate licenses (from serial number + hostid) is very
>buggy, crashes often, takes hours or days to generate a license, and
>may forget your license request altogether. If you call or email for a
>license don't expect to be emailed / faxed back on the first try
>regardless of what the operator says.

We have always had a response within 24 - 48 hours. Calls from here in
Australia go via SunSoft in the US, so I presume it is the same process that
you would have used.

>Just be sure to get the permanent license _before_ doing the installation,
>and save the "fw putlic" command line in a safe place.

I agree with your suggestion that using a demo license on a 'live' project
is probably a bad idea. Even a 72 hour delay waiting for the real license is
a small consideration in a firewall project that will probably take weeks.

Whilst I don't particularly like complex licensing schemes, this has been
one of the less painful ones I have encountered. We've had more trouble
getting a serial number for FrameMaker (an off the shelf DTP package) than
for Firewall-1.
Regards,
Todd

--
Todd Hooper                  Internet : todd@momentum.com.au
Momentum Pty Ltd             Phone    : 09 483 2649
Western Australia            Fax      : 09 380 4371

From firewalls-owner Thu Nov 9 19:53:13 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA02918 for firewalls-outgoing; Thu, 9 Nov 1995 17:41:34 -0800 (PST)
Received: from vger.tripcom.com (vger.tripcom.com [198.5.220.33]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id RAA02910 for ; Thu, 9 Nov 1995 17:41:30 -0800 (PST)
Received: (from adam@localhost) by vger.tripcom.com id TAA08606; Thu, 9 Nov 1995 19:41:39 -0600
From: Adam Horwitz
Message-Id: <199511100141.TAA08606@vger.tripcom.com>
Subject: Re: FireWall-1 licensing
To: marquis@roble.com (Roger Marquis)
Date: Thu, 9 Nov 1995 19:41:37 -0600 (CST)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Roger Marquis" at Nov 9, 95 05:10:58 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > fw printlic
>
> Thanks for the tip. I wonder why this isn't in the documentation, or the
> output of 'fw -help'?

fw -help is not a valid command (again on the original product; I don't
know if Sun has changed this). fw any-invalid-command displays a summary
of commands. There isn't much room available on the display; another line
will push the entered command off the screen so possibly it was omitted
for space reasons.

I'm pretty sure this has always been shown in the man page (man fw). It is
in the current one. It is listed in the current documentation.

--
Adam Horwitz                         (708) 778-9531
Tripcom Systems Inc.
adam@tripcom.com

From firewalls-owner Thu Nov 9 20:23:13 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id SAA03698 for firewalls-outgoing; Thu, 9 Nov 1995 18:01:10 -0800 (PST)
Received: from nda.nda.com (fw1.NDA.COM [204.57.47.254]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id SAA03693 for ; Thu, 9 Nov 1995 18:01:07 -0800 (PST)
Received: (kovar@localhost) by nda.nda.com (8.7.1/8.6.4) id VAA29882; Thu, 9 Nov 1995 21:01:15 -0500 (EST)
From: David Kovar
Message-Id: <199511100201.VAA29882@nda.nda.com>
Subject: Re: FireWall-1 licensing
To: peter@nmti.com (Peter da Silva)
Date: Thu, 9 Nov 1995 21:01:14 -0500 (EST)
Cc: marquis@roble.com, Firewalls@GreatCircle.COM
In-Reply-To: <9511092247.AA04904@sonic.nmti.com.nmti.com> from "Peter da Silva" at Nov 9, 95 04:47:45 pm
X-Mailer: ELM [version 2.4 PL20]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> My emphasis added:
>
> > The problem is that the demo license will expire without warning,
> > EXPOSING THE INTERNAL NETWORK.
>
> That's enough for me to consider FW-1 unacceptable. If the license
> manager fucks up, you're open to the world. A firewall should fail
> in the *closed* position.

My experience has been that FW-1 will keep on running on the expired
license with no problems. When you reboot the machine, or restart FW-1,
you will *then* be told that your license has expired and the FW-1 will
fail "safe" and not let anything through.

I would go test this to be sure, but I don't want to screw around with a
production system. Please test this before you assume it to be true.
-David

From firewalls-owner Thu Nov 9 20:26:02 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id SAA05064 for firewalls-outgoing; Thu, 9 Nov 1995 18:24:27 -0800 (PST)
Received: from uxadbsrv.asiandevbank.org (uxadbsrv.asiandevbank.org [202.0.28.68]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id SAA05022 for ; Thu, 9 Nov 1995 18:24:05 -0800 (PST)
Received: from mail.asiandevbank.org ([202.0.28.77]) by uxadbsrv.asiandevbank.org (4.1/060295.01-eef) id AA07426; Fri, 10 Nov 95 10:28:33 HKT
Received: from cc:Mail by mail.asiandevbank.org id AA816027744; Fri, 10 Nov 95 10:03:37 MNL
Date: Fri, 10 Nov 95 10:03:37 MNL
From: "Jorge P. Alcances"
Message-Id: <9510108160.AA816027744@mail.asiandevbank.org>
To: firewalls@greatcircle.com
Subject: Firewall-1
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I'm now experiencing a problem in using Firewall-1. It seems to get
saturated at a certain point, after adding a number of objects and rules.
The problem appears during filter installation (after adding the objects or
rules). It suddenly "core dumps", and the filters are not updated.

I'm using Firewall-1 ver 1.0.7c running on SunOS with an Internet gateway
license.

Any idea out there?
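The FireWall-1 licensing thread above says the product gives no warning before a demo license lapses, and several posters point at `fw printlic` as the way to see the license type and expiry. As an added example (not FireWall-1's, Sun's or any poster's code), here is a small Python checker that parses `fw printlic` output in the tabular form quoted in the thread and decides whether the box is running only on an Eval license that is about to expire, so a cron job can raise an alert in time. The column layout and the expiry tokens ("Never", "31Aug95") are assumed from the quoted output; the sample outputs are constructed.

```python
"""Warn before a FireWall-1 evaluation license lapses (constructed example).

Parses the tabular output that `fw printlic` is reported to print in the
thread above (header "Type Expiration Features", one row per license) and
decides whether the box is running only on an Eval license that is about to
expire, so an administrator is told in advance rather than finding out when
the firewall is restarted. Column layout and expiry tokens ("Never",
"31Aug95") are assumed from the quoted output; the samples are constructed.
"""
from datetime import datetime

# Constructed from the two outputs quoted in the thread.
SAMPLE_PERMANENT = """\
Type         Expiration   Features
ID-824162af  Never        pfm control - -
"""

SAMPLE_EVAL = """\
Type         Expiration   Features
Eval         31Aug95      pfm control routers
"""


def parse_expiry(token):
    """Turn an expiry token into a date; None means the license never expires."""
    if token.lower() == "never":
        return None
    return datetime.strptime(token, "%d%b%y").date()


def parse_printlic(text):
    """Return (type, expiry_date_or_None, features) for each license row."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] == "Type":
            continue  # blank line or the column header
        rows.append((fields[0], parse_expiry(fields[1]), fields[2:]))
    return rows


def license_status(text, today):
    """Summarise the installed licenses as seen on `today` (a 'DDMonYY' string).

    Returns {"permanent": bool, "eval_days_left": int | None}; the day count
    is negative once an evaluation license has already lapsed.
    """
    today_date = parse_expiry(today)
    permanent = False
    eval_days_left = None
    for _lic_type, expiry, _features in parse_printlic(text):
        if expiry is None:
            permanent = True
            continue
        days = (expiry - today_date).days
        if eval_days_left is None or days < eval_days_left:
            eval_days_left = days  # report the soonest expiry
    return {"permanent": permanent, "eval_days_left": eval_days_left}


def should_alert(status, warn_days=14):
    """True when no permanent license is installed and the eval one is lapsing.

    No license rows at all is also alert-worthy: an unlicensed firewall is
    exactly the state the thread describes as failing open on restart.
    """
    if status["permanent"]:
        return False
    if status["eval_days_left"] is None:
        return True
    return status["eval_days_left"] <= warn_days


if __name__ == "__main__":
    # In production feed in the captured output of `fw printlic`, e.g.
    # subprocess.run(["fw", "printlic"], capture_output=True, text=True).stdout
    for label, sample in (("permanent", SAMPLE_PERMANENT), ("eval", SAMPLE_EVAL)):
        status = license_status(sample, "20Aug95")
        print(label, status, "ALERT" if should_alert(status) else "ok")
```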
From firewalls-owner Thu Nov 9 20:41:22 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id SAA04829 for firewalls-outgoing; Thu, 9 Nov 1995 18:20:02 -0800 (PST)
Received: from nda.nda.com (fw1.NDA.COM [204.57.47.254]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id SAA04824 for ; Thu, 9 Nov 1995 18:19:59 -0800 (PST)
Received: (kovar@localhost) by nda.nda.com (8.7.1/8.6.4) id VAA00825; Thu, 9 Nov 1995 21:20:10 -0500 (EST)
From: David Kovar
Message-Id: <199511100220.VAA00825@nda.nda.com>
Subject: Re: FireWall-1 licensing
To: marquis@roble.com (Roger Marquis)
Date: Thu, 9 Nov 1995 21:20:09 -0500 (EST)
Cc: peter@nmti.com, Firewalls@GreatCircle.COM
In-Reply-To: from "Roger Marquis" at Nov 9, 95 06:10:52 pm
X-Mailer: ELM [version 2.4 PL20]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > My experience has been that FW-1 will keep on running on the
> > expired license with no problems. When you reboot the machine,
> > or restart FW-1, you will *then* be told that your license has expired
> > and the FW-1 will fail "safe" and not let anything through.
>
> This has not been my experience, at least not in versions 1.0.8 or 1.2.1.
>
> > I would go test this to be sure, but I don't want to screw around
> > with a production system.
>
> No assumptions necessary, this is how it has failed i.e., open.

Definitely NOT good. There was a problem with earlier versions of FW-1
failing open under different circumstances that Checkpoint corrected. I
guess they missed this issue. Damn.
-David

From firewalls-owner Thu Nov 9 20:49:48 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id SAA04668 for firewalls-outgoing; Thu, 9 Nov 1995 18:15:53 -0800 (PST)
Received: from roble.com (roble.com [204.188.93.50]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id SAA04663 for ; Thu, 9 Nov 1995 18:15:50 -0800 (PST)
Received: by roble.com (4.1/SMI-4.1/roble) id AA28068; Thu, 9 Nov 95 18:15:58 PST
Date: Thu, 9 Nov 1995 18:10:52 -0800 (PST)
From: Roger Marquis
Subject: Re: FireWall-1 licensing
To: David Kovar
Cc: Peter da Silva , Firewalls@GreatCircle.COM
In-Reply-To: <199511100201.VAA29882@nda.nda.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 9 Nov 1995, David Kovar wrote:
> > > The problem is that the demo license will expire without warning,
> > > EXPOSING THE INTERNAL NETWORK.
> >
> > That's enough for me to consider FW-1 unacceptable. If the license
> > manager fucks up, you're open to the world. A firewall should fail
> > in the *closed* position.
>
> My experience has been that FW-1 will keep on running on the
> expired license with no problems. When you reboot the machine,
> or restart FW-1, you will *then* be told that your license has expired
> and the FW-1 will fail "safe" and not let anything through.

This has not been my experience, at least not in versions 1.0.8 or 1.2.1.

> I would go test this to be sure, but I don't want to screw around
> with a production system.

No assumptions necessary, this is how it has failed i.e., open.

Roger Marquis

Roger Marquis Sr.
Systems Analyst, Roble Systems (marquis@roble.com, 415-494-9250)

From firewalls-owner Thu Nov 9 20:53:13 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id SAA05347 for firewalls-outgoing; Thu, 9 Nov 1995 18:30:55 -0800 (PST)
Received: from osa.osa.com.au (osa.osa.com.au [203.6.130.129]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id SAA05342 for ; Thu, 9 Nov 1995 18:30:46 -0800 (PST)
Received: from redgum.osa.com.au ([15.16.33.1]) by osa.osa.com.au (8.6.12/8.6.9) with ESMTP id NAA14202 for ; Fri, 10 Nov 1995 13:30:52 +1100
Received: from aurora.osa.com.au (aurora.osa.com.au [15.16.33.8]) by redgum.osa.com.au (8.6.9/8.6.9) with ESMTP id NAA09272 for ; Fri, 10 Nov 1995 13:29:54 +1100
Received: (from tma@localhost) by aurora.osa.com.au (8.6.9/8.6.9) id NAA08313 for firewalls@GreatCircle.COM; Fri, 10 Nov 1995 13:30:47 +1100
From: Tim Adam
Message-Id: <199511100230.NAA08313@aurora.osa.com.au>
Subject: Re: Weird Netscape Navigator functions?
To: firewalls@GreatCircle.COM
Date: Fri, 10 Nov 95 12:30:45 EST
In-Reply-To: ; from "Chris Cole" at Nov 9, 95 11:52 am
Organization: Open Software Associates
X-Mailer: ELM [version 2.2 PL8]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Chris Cole writes:
>
> >>> The first was the CEO of Netscape saying something to the effect that
> >>> "..we know how many people are using our browsers because every time
> >>> you access a site, a message is sent to one of our servers telling us
> >>> what version you have, if it's a trial beta or registered, etc".
> >>> I haven't had a chance to run a packet trace on it yet, but does anyone
> >>> know if this is true?
>
> Not totally true. By default, the 'N' build of the Netscape Navigator
> connects to netscape's homepage on the net. Likewise, the 'S' build of
> the navigator defaults to Silicon Graphics' Homepage, etc.
> When the
> Netscape navigator connects to an http host, the client initiates the
> connection with something similar to the following ascii text:
>
> GET / HTTP/1.0
> Connection: Keep-Alive
> User-Agent: Mozilla/2.0b2N (X11; I; Solaris 5.4 sun4m)
> Host: www.toyota.com:80
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
>
> ...
>
> My experience agrees with yours: When snooping all packets on our
> subnet, NO packets go to netscape's site. The only packets I see are
> those for the intended web host.
>
> ...
>
> > Did it occur to anyone that what may have been said was that "When you
> > connect on one of our sites a message about who what where when and HOW" is
> > collected? Sounds like logging to me. Netscape has the ability (i
> > understand) to report the type of and rev number for the browser.
>
> Type and rev, yes. Remote site, yes. Who, NO. The machine type is
> obtained from the 'User-Agent' line which tells the platform the navigator
> was built for.

The following is (almost) my .netscape-cookies file for 1.1N and the same got moved to .netscape/cookies when I moved to 2.0. Contrary to its advice I have edited it here to shorten the lines.

# Netscape HTTP Cookie File
# http://www.netscape.com/newsref/std/cookie_spec.html
# This is a generated file! Do not edit.

.mcom.com TRUE / FALSE 946648799 NETSCAPE_ID c65ffb1e,c6582c0b
.netscape.com TRUE / FALSE 946648799 NETSCAPE_ID c65ffb1e,c655a0cf

This causes an extra header to be sent by the Navigator when it connects to one of their sites, containing the NETSCAPE_ID at the end. My guess is that when you connect to *.netscape.com without a NETSCAPE_ID set, i.e. the first time for each user, they allocate you a cookie by sending back the Set-Cookie: header, causing your Navigator to save the value given in your local cookies file. Note that the cookie spec is wrong wrt. date formats.
This way they could easily count roughly how many unique users they have, with the ID preserved on upgrade so they don't count you multiple times. Again, this is just my speculation.

Tim.
--
Tim Adam tma@osa.com.au http://www.osa.com.au/
Open Software Associates Melbourne, Australia

From firewalls-owner Thu Nov 9 22:54:57 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id WAA15217 for firewalls-outgoing; Thu, 9 Nov 1995 22:25:06 -0800 (PST)
Received: from nda.nda.com (fw1.NDA.COM [204.57.47.254]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id WAA15212 for ; Thu, 9 Nov 1995 22:25:03 -0800 (PST)
Received: (kovar@localhost) by nda.nda.com (8.7.1/8.6.4) id BAA06745; Fri, 10 Nov 1995 01:22:10 -0500 (EST)
From: David Kovar
Message-Id: <199511100622.BAA06745@nda.nda.com>
Subject: Re: Firewall-1
To: jalcances@mail.asiandevbank.org (Jorge P. Alcances)
Date: Fri, 10 Nov 1995 01:22:09 -0500 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9510108160.AA816027744@mail.asiandevbank.org> from "Jorge P. Alcances" at Nov 10, 95 10:03:37 am
X-Mailer: ELM [version 2.4 PL20]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Hi,
> I'm now experiencing a problem in using Firewall-1. It seems to get
> saturated at a certain point, after adding a number of objects and
> rules. The problem appears during filter installation (after adding the
> objects or rules). It suddenly "core dumps", and the filters are not
> updated. I'm using Firewall-1 ver 1.0.7c running on SunOS with an Internet
> gateway license.
> Any idea out there?

Upgrade to 1.2.1B. There are a number of reasons for doing this, including several bug fixes for various causes of core dumps.
-David

From firewalls-owner Fri Nov 10 03:23:14 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id CAA20038 for firewalls-outgoing; Fri, 10 Nov 1995 02:54:16 -0800 (PST)
Received: from bnn.com (centurina.bnn.com [202.42.221.8]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id CAA20033 for ; Fri, 10 Nov 1995 02:54:07 -0800 (PST)
Received: from hobbits.brel.com.sg (hobbits [202.42.221.61]) by bnn.com (8.6.12/8.6.12) with SMTP id SAA27465 for ; Fri, 10 Nov 1995 18:55:52 +0800
Date: Fri, 10 Nov 95 18:42:26 PST
From: Calvin Ng
Subject: Re: Weird Netscape Navigator functions?
To: Firewalls@GreatCircle.COM
X-PRIORITY: 3 (Normal)
X-Mailer: Chameleon V1.53, TCP/IP for Windows, NetManage Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>------------------------------
>
>Not totally true. By default, the 'N' build of the Netscape Navigator
>connects to netscape's homepage on the net. Likewise, the 'S' build of
>the navigator defaults to Silicon Graphics' Homepage, etc. When the
>Netscape navigator connects to an http host, the client initiates the
>connection with something similar to the following ascii text:
>
>GET / HTTP/1.0
>Connection: Keep-Alive
>User-Agent: Mozilla/2.0b2N (X11; I; Solaris 5.4 sun4m)
>Host: www.toyota.com:80
>Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
>
>This text is read by the WWW server being connected to, and the only thing
>usually logged and kept is the 'User-Agent:' line. The next transaction
>is the html ascii which is sent to the client...
>(index.html - from the 'GET /').
>
>If the default homepage of the Netscape navigator is changed by either a
>command line option or a shell script to start it up, Netscape's homepage
>won't be obtaining any of this information. Only the site that your
>browser initially connects to will receive this information.
>
>>> I have run packet traces on my connections and haven't yet seen any of
>>> these "messages", but I certainly may have missed it! A packet is not
>>> sent at the start of every connection. It may be sent at some random
>>> time after the initiation of a connection or only once per day.
>
>I haven't yet run a long-term snoop to see if indeed there are some
>'random' connections to netscape. I hope not!
>

Did anyone consider the possibility of the installation process sending a message to Netscape?!! I think it makes some sense, either this or the first time the station is connected to the net. Then it will just send once and stop.

>My experience agrees with yours: When snooping all packets on our
>subnet, NO packets go to netscape's site. The only packets I see are
>those for the intended web host.

I started up netscape saying:

>
>Type and rev, yes. Remote site, yes. Who, NO. The machine type is
>obtained from the 'User-Agent' line which tells the platform the navigator
>was built for.
>

From firewalls-owner Fri Nov 10 03:53:14 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id DAA20428 for firewalls-outgoing; Fri, 10 Nov 1995 03:30:15 -0800 (PST)
Received: from neptune.ivic.qc.ca (ivic.qc.ca [204.101.85.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id DAA20416 for ; Fri, 10 Nov 1995 03:30:10 -0800 (PST)
Received: (from martin@localhost) by neptune.ivic.qc.ca (8.6.11/8.6.11) id GAA23446; Fri, 10 Nov 1995 06:37:11 -0500
Date: Fri, 10 Nov 1995 06:37:11 -0500
From: Martin Rosa
Message-Id: <199511101137.GAA23446@neptune.ivic.qc.ca>
To: firewalls@GreatCircle.COM, ilias.liakopoulos@telecom.at
Subject: Re: tacacs config question
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> if he has an active connection on an other port, he gets something like
> "connection refused" or "already connected"

Check for the "numlogin" keyword in your config file.
Here is a short example:

USER ALL HOST ALL ALL numlogin 1

That means that for all users from any host on any request, they can be logged in only once.

Martin Rosa
Internet Victoriaville
Phone: (819) 751-8888

From firewalls-owner Fri Nov 10 04:23:14 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id DAA20235 for firewalls-outgoing; Fri, 10 Nov 1995 03:07:19 -0800 (PST)
Received: from lvlmail (lvlmail.wipsys.soft.net [164.164.22.22]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id DAA20230 for ; Fri, 10 Nov 1995 03:07:12 -0800 (PST)
Received: by lvlmail (5.x/SMI-SVR4) id AA09298; Fri, 10 Nov 1995 16:43:14 -0500
From: atul@lvlmail.wipsys.soft.net (Atul.Acharya)
Message-Id: <9511102143.AA09298@lvlmail>
Subject: winWORD 6 macro: pointers needed.
To: firewalls@greatcircle.com
Date: Fri, 10 Nov 1995 16:43:11 -0500 (GMT)
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Would appreciate if somebody could point me to the mail archive or discussions on the MSWord 6.0 macro bomb. Does the existence of AAAZOA and AAAZFS indicate some nasty stuff lying around? My knowledge of Word6 and macros is close to NULL.

Thanks,
-a
--
-------------------------------------------------------------------
Atul Acharya, Office: +91 (80) 221 0818
Wipro Systems Ltd, Ext 106
40/1A, Lavelle Road +91 (80) 227 0036
Bangalore - 560 001 India
Internet: atul@wipsys.soft.net
-------------------------------------------------------------------
All things being equal, fat people use more soap.
From firewalls-owner Fri Nov 10 04:30:46 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id DAA20305 for firewalls-outgoing; Fri, 10 Nov 1995 03:19:39 -0800 (PST)
Received: from lint.cisco.com (lint.cisco.com [171.68.235.77]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id DAA20299 for ; Fri, 10 Nov 1995 03:19:36 -0800 (PST)
Received: from pferguso-pc.cisco.com (sl-chanty-09.cisco.com [171.69.126.163]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id DAA09327; Fri, 10 Nov 1995 03:18:21 -0800
Message-Id: <199511101118.DAA09327@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 10 Nov 1995 06:20:28 -0500
To: Dieter Dworkin Muller
From: Paul Ferguson
Subject: Re: clarification on rfc-1597 addresses and transparent proxies
Cc: Firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Apologies if this has already been suggested, but have you taken a look at http://www.translation.com?

- paul

At 07:22 AM 11/9/95 -0700, Dieter Dworkin Muller wrote:
>
>I wrote:
>: However, my user community needs to be
>: able to do things like ftp and telnet from their desks.
>
>In writing that, I left out the important bits, aka the implementation
>requirements:
>
>- I'm not allowed to modify what software they run
>- it has to be completely transparent
>- isolate us from having to change network addresses
>
>Partly, it's a political restriction (``I won't change how I do
>things, therefore anything you do has to work with my existing tools
>without me seeing any difference''), and partly practical (I don't
>want to deal with trying to create proxy-aware dos, windows, nt, and
>os/2 applications for the non-standard things being done on our net).
>
>The address change requirement is because we are currently in the
>`swamp', as it is referred to by various major ISPs.
>They're
>threatening to stop routing single networks in that range, so we're
>looking at having to renumber soon. We'd rather do it once (to an
>ISP-provided net number), and not have to worry about it again if we
>ever change ISPs. Changing to an internal rfc-1597 network and an
>external-only ISP-provided network should give us the desired
>isolation -- no one internal will have to do anything if/when we
>change to a different ISP and ISP-provided network number.
>
>These restrictions are why I am looking at the (admittedly
>non-trivial) concept of virtual addresses and weird DNS.
>

--
Paul Ferguson
Consulting Engineering
Reston, Virginia USA
tel: +1.703.716.9538
e-mail: pferguso@cisco.com
cisco Systems

From firewalls-owner Fri Nov 10 04:32:06 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id DAA20766 for firewalls-outgoing; Fri, 10 Nov 1995 03:47:17 -0800 (PST)
Received: from lint.cisco.com (lint.cisco.com [171.68.235.77]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id DAA20761 for ; Fri, 10 Nov 1995 03:47:09 -0800 (PST)
Received: from pferguso-pc.cisco.com (sl-chanty-09.cisco.com [171.69.126.163]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id DAA11457; Fri, 10 Nov 1995 03:41:25 -0800
Message-Id: <199511101141.DAA11457@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 10 Nov 1995 06:43:26 -0500
To: Ilias Liakopoulos
From: Paul Ferguson
Subject: Re: tacacs config question
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Yes, this is possible in the configuration of TACACS+.
- paul

At 01:18 PM 11/9/95 +0100, Ilias Liakopoulos wrote:
>
>does anybody know if it's possible to configure
>tacacs in a way, that if a dial-in user of an
>CS-2511 tries to connect a second time, he gets
>something like "connection refused" or "already
>connected", if he has an active connection on an
>other port?
>
>thank you all for your suggestions,
>
>iLiAS
>--
>----------------------------------------------------------------------
>Ilias Liakopoulos | Email: ilias@telecom.at
>Spardat AG & Co KG | Tel: 0043/1/74045-4762 Fax -5704
>Geiselbergstr. 21-25 | WWW: http://pina2.telecom.at/~lia
>1110-Vienna | nic-hdl: IL7-RIPE
>Austria |
>Europe |
>----------------------------------------------------------------------
>
>

--
Paul Ferguson
Consulting Engineering
Reston, Virginia USA
tel: +1.703.716.9538
e-mail: pferguso@cisco.com
cisco Systems

From firewalls-owner Fri Nov 10 05:23:14 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id EAA22632 for firewalls-outgoing; Fri, 10 Nov 1995 04:51:09 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id EAA22627 for ; Fri, 10 Nov 1995 04:51:07 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950602) id EAA10884; Fri, 10 Nov 1995 04:51:06 -0800
Received: from sentinet.demon.co.uk(158.152.140.128) by mycroft via smap (V1.3mjr) id sma010881; Fri Nov 10 04:50:44 1995
Received: (from smap@localhost) by bastion.sentinet.demon.co.uk (8.6.12/8.6.12) id MAA06757 for ; Fri, 10 Nov 1995 12:41:07 GMT
Received: from server.sentinet.demon.co.uk(192.168.1.100) by bastion.sentinet.demon.co.uk via smap (V1.3) id sma006755; Fri Nov 10 12:41:05 1995
Received: from server.sentinet.demon.co.uk (lyndond@[127.0.0.1]) by server.sentinet.demon.co.uk (8.6.12/8.6.12) with ESMTP id MAA14470 for ; Fri, 10 Nov 1995 12:41:02 GMT
Message-Id:
<199511101241.MAA14470@server.sentinet.demon.co.uk>
To: firewalls@greatcircle.com
Subject: web cache and dial up connections
Date: Fri, 10 Nov 1995 12:39:45 +0000
From: Lyndon David
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I have set up the CERN httpd with caching and proxying because I want to minimise the traffic over a dialup line. When I set this up I thought that it would stop the line being brought up every time someone accessed a document that was already in the cache. This is not so, I find. When you access something that is in the cache the server goes and contacts the host it was pulled from to ask if the document has changed :( and hence the dialup line is pulled up. Anyone know how I can get around this so that it does not check? I would be happy to rely on the cache expiry times set in the config file so that you would only see the change after the cache had expired in a day or so.

Any thoughts would be appreciated.

Thanks
Lyndon

PS sorry, not directly a firewalls question

From firewalls-owner Fri Nov 10 05:53:14 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id FAA22909 for firewalls-outgoing; Fri, 10 Nov 1995 05:00:25 -0800 (PST)
Received: from cbisgate.cbis.com (cbisgate.cbis.com [155.90.248.205]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id EAA22835 for ; Fri, 10 Nov 1995 04:59:56 -0800 (PST)
Received: from notes by cbisgate.cbis.com (5.x/SMI-SVR4) id AA14322; Fri, 10 Nov 1995 07:59:52 -0500
Received: by notes (IBM OS/2 SENDMAIL VERSION 1.3.2)/1.0) id AA1563; Fri, 10 Nov 95 08:01:55 -0800
Message-Id: <9511101601.AA1563@notes>
Received: from CBIS with "Lotus Notes Mail Gateway for SMTP" id A755F28E46410C928525627000465038; Fri, 10 Nov 95 08:01:55
To: firewalls-digest
From: Warren Moore
Date: 10 Nov 95 7:57:13 EDT
Subject: Re: Restricting URL's
X-Importance: High
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 9 Nov
1995, my mailer thought that Bryan D. Boyle wrote:
>Of course, if you are running a cern or netscape proxy (the same person
>had input into the design and coding of both, btw...) server on the inside
>of the wall, it is possible to map urls that point to pages like
>http://sexstuff.com/testosterone/fotos.html to some page on your
>own server without having to futz around with dns records, ip addresses,
>or even the firewall configuration itself. The url never gets thru
>the wall.

I still like the idea someone posted awhile back, that you simply set up an internal Home Page that everyone in the company can see, and through your logging of external access, put a "TOP TEN USERS" list up...along with where they're going most of the time. I know that I wouldn't want my VP noticing that I'd had 236 accesses against http://sexstuff.com/nasty.nastier.nastiest/crotch.html, during working hours yet! While this may be equivalent to the Puritan's stocks, there is something to be said for public embarrassment.

Warren S. Moore, CISSP
Information Security Specialist
Cincinnati Bell Information Systems Inc.
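Warren's "TOP TEN USERS" page needs a summary of the proxy's access log. What follows is an added example, not code from the post or from any proxy vendor: it parses constructed log lines in the common log format that CERN httpd (and most proxies since) write, credits each request to the proxy's authenticated user where there is one and to the client host otherwise, and produces a ranked list with each user's most-visited site. The users, hosts and URLs in the sample are placeholders; malformed lines are skipped rather than guessed at.

```python
"""Summarise a proxy access log into a "top users" table.

Added example, not code from the list post.  The log lines below are
constructed in NCSA/CERN common log format: client host, ident, auth
user, timestamp, request line, status, bytes.  Because the requests went
through a proxy, the request line carries the full URL, which is what
lets us say where each user is going.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample log (hosts, users and URLs are placeholders).
SAMPLE_LOG = """\
pc42.corp.example - - [10/Nov/1995:09:01:12 -0500] "GET http://www.example.com/index.html HTTP/1.0" 200 1043
pc42.corp.example - - [10/Nov/1995:09:01:14 -0500] "GET http://www.example.com/pics/logo.gif HTTP/1.0" 200 8821
pc17.corp.example - jdoe [10/Nov/1995:09:03:40 -0500] "GET http://news.example.org/ HTTP/1.0" 200 5120
pc42.corp.example - - [10/Nov/1995:09:05:02 -0500] "GET http://games.example.net/arcade.html HTTP/1.0" 200 2210
pc42.corp.example - - [10/Nov/1995:09:05:09 -0500] "GET http://games.example.net/level2.html HTTP/1.0" 200 2311
pc17.corp.example - jdoe [10/Nov/1995:09:06:00 -0500] "GET http://news.example.org/story1.html HTTP/1.0" 304 0
pc09.corp.example - - [10/Nov/1995:09:07:33 -0500] "GET http://www.example.com/ HTTP/1.0" 200 1043
this line is garbage and must be skipped
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_log(text):
    """Yield (user, destination_host, status) per well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Prefer the proxy's authenticated user; fall back to the client host.
        who = m['user'] if m['user'] != '-' else m['client']
        host = urlsplit(m['url']).hostname or '?'
        yield who, host, int(m['status'])


def top_users(text, n=10):
    """Return [(user, request_count, most_visited_host), ...], busiest first."""
    per_user = Counter()
    per_user_host = defaultdict(Counter)
    for who, host, _status in parse_log(text):
        per_user[who] += 1
        per_user_host[who][host] += 1
    return [(who, cnt, per_user_host[who].most_common(1)[0][0])
            for who, cnt in per_user.most_common(n)]


def render(rows):
    """Plain-text table suitable for dropping onto an internal home page."""
    lines = ["TOP USERS (external web requests via proxy)"]
    for rank, (who, cnt, host) in enumerate(rows, 1):
        lines.append(f"{rank:2d}. {who:<22} {cnt:4d} requests, mostly {host}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(top_users(SAMPLE_LOG)))
```

Counting by authenticated user rather than by client host is what makes the list attributable to a person; on a proxy that does not authenticate, the client host column is all you have, and shared machines will blur the picture.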
From firewalls-owner Fri Nov 10 06:23:14 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id FAA23570 for firewalls-outgoing; Fri, 10 Nov 1995 05:23:56 -0800 (PST)
Received: from maildrop.micrognosis.com (supernova.micrognosis.com [192.233.13.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id FAA23558 for ; Fri, 10 Nov 1995 05:23:49 -0800 (PST)
Received: by maildrop.micrognosis.com (4.1/SMI-4.1) id AA05670; Fri, 10 Nov 95 08:24:01 EST
Received: from singhi.corp.micrognosis.com(193.32.166.28) by supernova.micrognosis.com via smap (V1.3) id sma005664; Fri Nov 10 08:23:55 1995
Received: from becks (becks.corp.micrognosis.com) by corp.micrognosis.com (4.1/1.0-integ.cf) id AA17005; Fri, 10 Nov 95 08:27:17 EST
Date: Fri, 10 Nov 1995 08:27:16 -0500 (EST)
From: Adam Jack
X-Sender: ajack@becks
To: Calvin Ng
Cc: Firewalls@greatcircle.com
Subject: Re: Weird Netscape Navigator functions?
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Peeps,

I missed much of this thread - but catching up I haven't seen a mention to Netscape 'Cookies'.

http://www.netscape.com/newsref/std/cookie_spec.html

This is a mechanism by which information can be passed back and forward by the client & the server using yet another Netscape extension. The default cookies file on Unix is ~/.netscape/cookies and looks like:

.netscape.com TRUE / FALSE 946702799 NETSCAPE_ID c65ffb1e,c64f06cd
.mcom.com TRUE / FALSE 946702799 NETSCAPE_ID c65ffb1e,c67a9432

This means that when the browser is going to either of those locations it transfers the specific installation NETSCAPE_ID back to their server along with all the other browser information.
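Tim Adam's and Adam Jack's posts both quote the Navigator's cookies file and reason about when the NETSCAPE_ID goes back to the server. The following is an added example, not code from either post or from Netscape: it parses that file format (domain, domain flag, path, secure flag, expiry as Unix time, name, value, tab-separated in the real file) and applies the matching rules of the cookie spec they cite, so an administrator can check from a saved cookies file exactly which cookies a given request would carry. The sample file and its NETSCAPE_ID values are constructed placeholders, and the clock value passed as `now` is an assumed November 1995 timestamp.

```python
"""Which cookies will the Navigator send for a given URL?

Added example, not part of the list posts or of Netscape's code.  Matching
rules follow the Netscape cookie spec: the request host must tail-match
the cookie's domain (or equal it exactly for host-only cookies), the
request path must start with the cookie's path, the cookie must not have
expired, and a "secure" cookie is sent only over https.
"""
from urllib.parse import urlsplit

# Constructed sample of a ~/.netscape/cookies file (IDs are placeholders).
SAMPLE_COOKIE_FILE = """\
# Netscape HTTP Cookie File
# http://www.netscape.com/newsref/std/cookie_spec.html
# This is a generated file!  Do not edit.

.netscape.com\tTRUE\t/\tFALSE\t946702799\tNETSCAPE_ID\tdeadbeef,00000001
.mcom.com\tTRUE\t/\tFALSE\t946702799\tNETSCAPE_ID\tdeadbeef,00000002
www.example.com\tFALSE\t/private\tTRUE\t946702799\tSESSION\tabc123
www.example.com\tFALSE\t/\tFALSE\t100\tOLD\tgone
"""


def parse_cookie_file(text):
    """Return a list of cookie dicts; comments, blank and malformed lines are skipped."""
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        # The real file is tab-separated; posts quoting it often collapse tabs to spaces.
        fields = line.split('\t') if '\t' in line else line.split()
        if len(fields) != 7:
            continue
        domain, domain_flag, path, secure, expires, name, value = fields
        cookies.append({
            'domain': domain.lower(),
            'host_only': domain_flag.upper() == 'FALSE',
            'path': path,
            'secure': secure.upper() == 'TRUE',
            'expires': int(expires),
            'name': name,
            'value': value,
        })
    return cookies


def domain_matches(host, cookie):
    """Tail-match for domain cookies, exact match for host-only cookies."""
    host = host.lower()
    d = cookie['domain']
    if cookie['host_only'] or not d.startswith('.'):
        return host == d.lstrip('.')
    # ".netscape.com" matches "home.netscape.com" and "netscape.com" itself.
    return host.endswith(d) or host == d[1:]


def cookies_for(url, cookies, now):
    """Cookies (in file order) the browser would attach to a request for url."""
    parts = urlsplit(url)
    host = parts.hostname or ''
    path = parts.path or '/'
    sent = []
    for c in cookies:
        if c['expires'] <= now:
            continue                      # expired: never sent
        if c['secure'] and parts.scheme != 'https':
            continue                      # secure cookie over plain http: withheld
        if not domain_matches(host, c):
            continue
        if not path.startswith(c['path']):
            continue
        sent.append(c)
    return sent


def cookie_header(url, cookies, now):
    """The Cookie: header value the request would carry, or '' if none."""
    return '; '.join(f"{c['name']}={c['value']}"
                     for c in cookies_for(url, cookies, now))


if __name__ == '__main__':
    jar = parse_cookie_file(SAMPLE_COOKIE_FILE)
    for u in ('http://home.netscape.com/', 'http://www.toyota.com/',
              'http://www.example.com/private/x', 'https://www.example.com/private/x'):
        print(f"{u:40} -> {cookie_header(u, jar, now=816_000_000)!r}")
```

Run against a user's real cookies file, this answers the thread's question directly: the NETSCAPE_ID cookie matches only hosts under the two Netscape domains, so a request to any other site carries no such identifier, while an ordinary packet trace of a session to netscape.com would show it in the Cookie: header.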
Adam
--
+1-203-730-5437 | http://www.micrognosis.com/~ajack/index.html

From firewalls-owner Fri Nov 10 06:53:14 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id GAA25214 for firewalls-outgoing; Fri, 10 Nov 1995 06:29:08 -0800 (PST)
Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id GAA25209 for ; Fri, 10 Nov 1995 06:29:04 -0800 (PST)
Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id JAA29478; Fri, 10 Nov 1995 09:06:02 -0600
Received: from sphinx.sctc.com ([172.17.192.3]) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id JAA29474; Fri, 10 Nov 1995 09:06:02 -0600
Received: from mario.sctc.com (mario.sctc.com [172.17.192.177]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id IAA21259; Fri, 10 Nov 1995 08:29:42 -0600 (CST)
Received: (from dowd@localhost) by mario.sctc.com (8.6.12/8.6.9) id IAA00617; Fri, 10 Nov 1995 08:29:38 -0600
Date: Fri, 10 Nov 1995 08:29:37 -0600 (CST)
From: Alan Dowd
To: Paul Ferguson
cc: "Wilburn,Ted-Dept of Technology" , "'Firewalls'"
Subject: Re: FW: Firewall Software
In-Reply-To: <199511100003.QAA25814@lint.cisco.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 9 Nov 1995, Paul Ferguson wrote:
> Your e-mail is probably being ignored because of its general nature. :-)

It only reached me this morning, but I _was_ ignoring it for a very different reason. Your suggestion to read the FAQ is a good one, however. Keep on reading to find out why I wasn't going to respond.

[...snip...]

> At 09:59 AM 11/9/95 PST, Wilburn,Ted-Dept of Technology wrote:
> >
> >A request from a colleague, Thanks
> >Ted Wilburn, twilburn@msmail.owensboro.k12.ky.us.
> >
> >Forwarded message begin:
> >
> > ----------
> >From: owner-kydtc[SMTP:owner-kydtc@UKCC.UKY.EDU]
> >Sent: Thursday, November 09, 1995 10:14 AM
> >To: Multiple recipients of list KYDTC
> >Subject: Firewall Software
> >
> >Pendleton County has a wide area network installed and is now in the process
> >of getting acceptable use policies signed by students and parents.

Good idea. Plenty of examples around - check the COAST archives at http://www.cs.purdue.edu/coast/coast.html .

> >I am experiencing a good deal of pressure to install a firewall to
> >prevent access to some of the "bad stuff."
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Here's why I was ignoring it. This is and has been an ongoing discussion here; consider the current thread on hiding "bad" sites. It just isn't feasible for someone to build a filter set that will _prevent_ access to the "bad stuff." Firewalls aren't intended to provide censorship, they're intended to protect internal resources from outside attack. Anyway, unless Pendleton County's WAN is connected to the Internet, the only "bad stuff" on the WAN is going to be what the County officials choose to put there.

> >Is anyone out there successfully using firewall software and how is it
> >setup.
> >
> >Thanks
> >
> >lsutton@pendleton.k12.ky.us

Regards,
Al Dowd, speaking only for himself

From firewalls-owner Fri Nov 10 07:23:14 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id GAA25787 for firewalls-outgoing; Fri, 10 Nov 1995 06:46:10 -0800 (PST)
Received: from wabash.iac.net (wabash.iac.net [198.180.60.138]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id GAA25772 for ; Fri, 10 Nov 1995 06:45:53 -0800 (PST)
Received: by wabash.iac.net id JAA29216; Fri, 10 Nov 1995 09:44:37 -0500
Date: Fri, 10 Nov 1995 09:44:35 -0500 (EST)
From: Carl Jolley
To: Don Lewis
cc: Mike Culver , firewalls@GreatCircle.COM
Subject: Re: Restricting URL's
In-Reply-To: <199511090009.QAA07714@salsa.gv.ssi1.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 8 Nov 1995, Don Lewis wrote:
> On Nov 8, 3:06pm, Mike Culver wrote:
> } Subject: Restricting URL's
> } Think I hit on such a simple way to restrict URL's that we all looked right
> } past it! Yes, I see all the "buts" associated with this approach, but after
> } all it's free, simple, and will trip up the average attempt.
> }
> } I'm assuming that most users use DNS with name resolution, instead of IP
> } addresses.
>
> security through obscurity
>
> } To deny resolution to sex.com, simply add an entry to named.boot for
> } bogusns. This directive will tell your DNS that the name server for sex.com
> } is bogus, and your DNS will never ask sex.com's DNS anything.
>
> This won't work so well if the name server in question is ns.uu.net or
> some other server that serves a lot of zones that you probably still
> want to access.
>
> --- Truck
>

You are correct based on your "if". Wouldn't this approach work if the site in question had an internal DNS server with forwarding to an external server (so-called split DNS) for any unresolved names?
The internal name server would resolve internal names as necessary and "handle" any external names that were to be restricted.

**** cjolley@iac.net **** All opinions are my own and not necessarily those of my employer ****

From firewalls-owner Fri Nov 10 07:57:35 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id HAA26747 for firewalls-outgoing; Fri, 10 Nov 1995 07:25:28 -0800 (PST)
Received: from wabash.iac.net (wabash.iac.net [198.180.60.138]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id HAA26742 for ; Fri, 10 Nov 1995 07:25:24 -0800 (PST)
Received: by wabash.iac.net id KAA29458; Fri, 10 Nov 1995 10:24:47 -0500
Date: Fri, 10 Nov 1995 10:24:46 -0500 (EST)
From: Carl Jolley
To: boz boze ghandi
cc: firewalls@GreatCircle.COM
Subject: Re: Restricting URLs
In-Reply-To: <199511091859.NAA205613@fulton.seas.Virginia.EDU>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 9 Nov 1995, boz boze ghandi wrote:
> On Nov 9, 9:20, Ralph Mitchell wrote:
> > Subject: Re: Restricting URL's
> > > Mike Culver wrote:
> > > >
> > > > To deny resolution to sex.com, simply add an entry to named.boot for
> > > > bogusns. This directive will tell your DNS that the name server for sex.com
> > > > is bogus, and your DNS will never ask sex.com's DNS anything.
> > >
> > > Nice idea, but... Most of these one-host-wonder sites actually
> > > use their ISP as a name server. Disallowing the ISPs name server
> > > is a bit drastic. Look at playboy.com for example...
> >
> > Then how about putting an entry in my internal DNS that points sex.com to
> > either a non-existent internal address or to something like a PC running
> > Linux+httpd with a single web page that says "Gotcha !" ?? The outside
> > world can't see my internal DNS so I won't be polluting anyone else's DNS...
> >
> > Of course the user could telnet to rs.internic.net and use whois to establish
> > the actual IP address...
> >
> > Ralph Mitchell
> > -- End of excerpt from Ralph Mitchell
>
> even simpler. a user could simply use nslookup providing any dns server
> non-internal. if resolution failed for me personally, regardless of dns
> failure or specific resolution denial, that would be my first reaction.
>
> why not filter out the ip of specific sites on the external routers? (i
> am relatively new to networking hardware and am unsure of the feasibility
> of this)
>
> -zach kelly

This should work, in theory. It does have some problems. One, IP addresses may change while the name might not. This would tend to require a lot of maintenance work trying to keep up with IP addresses either changed or new. A more robust solution (IMHO) would be to have a list of banned names and have an automated method of generating (and regularly re-generating) the list of corresponding IP addresses for use as a part of a screening router's configuration. This approach would have troubles with IP addresses which corresponded to a site that you wanted to ban but which was not registered in any DNS server.

Also this (by itself) wouldn't prevent use of whois or other similar tools to find out the IP address for registered domains but it would prevent connections to the corresponding hosts. With a little bit of work, it would seem possible to intercept and redirect whois calls which referenced banned domains. This probably would not accomplish much since it would still be possible to use another system to do the whois or to request the IP address via e-mail. Of course, it _might_ be effective in avoiding future attempts to get to a banned site by the simple fact that such attempts would be logged and reported for administrative action.
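Carl's "banned names, re-resolved regularly" proposal, as an added example that is not the poster's own tool: the script below takes a list of banned names, resolves each one, emits Cisco IOS extended-ACL deny lines for a screening router, and reports which addresses appeared or disappeared since the previous run, which is the maintenance problem he raises. So that it runs offline, the resolver is passed in as a function and the default is a constructed lookup table standing in for DNS; the addresses are RFC 5737 documentation ranges, the names are placeholders, and the ACL number 101 is an assumption. His other caveat, a banned site with no DNS record, is handled by flagging the name instead of silently producing nothing.

```python
"""Regenerate a screening-router deny list from a list of banned names.

Added example (not from the list post).  The resolver is injectable so
the script runs offline; FAKE_DNS is a constructed stand-in for real DNS
answers.  Output uses Cisco IOS extended-ACL syntax, applied outbound on
the external interface so internal hosts cannot reach the listed addresses.
"""

# Constructed stand-in for DNS answers.  A real run would pass a function
# wrapping socket.gethostbyname_ex() or a proper resolver library instead.
FAKE_DNS = {
    'banned-one.example': ['192.0.2.10'],
    'banned-two.example': ['198.51.100.7', '198.51.100.8'],
    # 'unregistered.example' is deliberately absent: no DNS record exists.
}


def fake_resolver(name):
    """Return the address list for name, or [] when it does not resolve."""
    return FAKE_DNS.get(name, [])


def resolve_banned(names, resolver=fake_resolver):
    """Map each banned name to its sorted address list; unresolvable -> []."""
    return {name: sorted(resolver(name)) for name in names}


def acl_lines(name_to_addrs, acl_number=101):
    """Cisco extended-ACL deny lines, one per address, then the closing permit."""
    lines = []
    for name in sorted(name_to_addrs):
        for addr in name_to_addrs[name]:
            lines.append(f"access-list {acl_number} deny ip any host {addr}")
        if not name_to_addrs[name]:
            # Carl's caveat: a name with no DNS record yields nothing to block,
            # so say so in the config rather than dropping it silently.
            lines.append(f"! {name}: no address found, not blocked")
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


def changes_since(previous, current):
    """(added, removed) address lists between two resolve_banned() results."""
    prev = {a for addrs in previous.values() for a in addrs}
    cur = {a for addrs in current.values() for a in addrs}
    return sorted(cur - prev), sorted(prev - cur)


if __name__ == '__main__':
    banned = ['banned-one.example', 'banned-two.example', 'unregistered.example']
    today = resolve_banned(banned)
    print('\n'.join(acl_lines(today)))
    # Simulate tomorrow's run after banned-one.example moved to a new address.
    moved = dict(FAKE_DNS, **{'banned-one.example': ['192.0.2.99']})
    tomorrow = resolve_banned(banned, lambda n: moved.get(n, []))
    added, removed = changes_since(today, tomorrow)
    print(f"added: {added}  removed: {removed}")
```

The change report is the part worth keeping in production: pushing a regenerated ACL blindly means a banned name that moves onto a shared hosting address takes every other site on that address with it, so a human should see what was added before the router does.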
**** cjolley@iac.net **** All opinions are my own and not necessarily those of my employer ****

From firewalls-owner Fri Nov 10 08:23:14 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id HAA27146 for firewalls-outgoing; Fri, 10 Nov 1995 07:43:05 -0800 (PST)
Received: from individual.com (woolf.individual.com [192.88.202.12]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id HAA27139 for ; Fri, 10 Nov 1995 07:43:02 -0800 (PST)
Received: by individual.com (5.65c/Spike-2.1) id AA25701; Fri, 10 Nov 1995 10:39:49 -0500
From: bheiser@individual.com (Bill Heiser)
Message-Id: <199511101539.AA25701@individual.com>
Subject: Re: FireWall-1 licensing
To: adam@tripcom.com (Adam Horwitz)
Date: Fri, 10 Nov 1995 10:39:49 -0500 (EST)
Cc: marquis@roble.com, firewalls@greatcircle.com
In-Reply-To: <199511100141.TAA08606@vger.tripcom.com> from "Adam Horwitz" at Nov 9, 95 07:41:37 pm
X-Organization: Individual, Inc., Network Services
X-Mailer: ELM [version 2.4 PL21]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Adam Horwitz wrote this:
>
> fw -help is not a valid command (again on the original product; I
> don't know if Sun has changed this). fw any-invalid-command displays

Is Sun actually developing and maintaining the Firewall-1 code, or are they just reselling it? Has Sun purchased Checkpoint Software?
--
Bill Heiser
Individual, Inc., Network Services, office: bheiser@individual.com http://www.newspage.com/
home: bill@bh.org http://www.bh.org/

From firewalls-owner Fri Nov 10 08:34:17 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id HAA27020 for firewalls-outgoing; Fri, 10 Nov 1995 07:35:45 -0800 (PST)
Received: from europe.std.com (europe.std.com [192.74.137.10]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id HAA27015 for ; Fri, 10 Nov 1995 07:35:39 -0800 (PST)
Received: from world.std.com by europe.std.com (8.6.12/Spike-8-1.0) id KAA05660; Fri, 10 Nov 1995 10:35:55 -0500
Received: by world.std.com (5.65c/Spike-2.0) id AA29654; Fri, 10 Nov 1995 10:35:49 -0500
From: heiser@world.std.com (Bill Heiser)
Message-Id: <199511101535.AA29654@world.std.com>
Subject: Web server / SecurID
To: firewalls@greatcircle.com
Date: Fri, 10 Nov 1995 10:35:48 -0500 (EST)
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I was asked if it's possible to use SecurID to control access to a web server ... i.e. to provide very limited access to the information presented on a server.

In a way I think this doesn't make sense because by its very nature a web server isn't secure anyway. It'd be like putting a deadbolt on the front door but leaving the windows unlocked.

On the other hand, if the server is behind a firewall which provides very limited access, .... maybe it would be useful..

What do you think? And what do you think about the actual implementation? Is it doable?
Thanks in advance,
Bill

--
Bill Heiser heiser@world.std.com

From firewalls-owner Fri Nov 10 09:03:26 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id HAA26906 for firewalls-outgoing; Fri, 10 Nov 1995 07:31:29 -0800 (PST)
Received: from gauntlet-1.trusted.com ([204.254.155.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id HAA26901 for ; Fri, 10 Nov 1995 07:31:26 -0800 (PST)
Received: by gauntlet-1.trusted.com; id KAA26138; Fri, 10 Nov 1995 10:34:16 -0500
Received: from hilo.trusted.com(10.0.1.126) by gauntlet-1.trusted.com via smap (g3.0.3) id xma026134; Fri, 10 Nov 95 10:33:47 -0500
Received: from vanidor.trusted.com by hilo.trusted.com with SMTP (1.37.109.4/16.2) id AA01867; Fri, 10 Nov 95 10:31:08 -0500
Message-Id: <9511101531.AA01867@hilo.trusted.com>
X-Sender: avolio@hilo.trusted.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 10 Nov 1995 10:31:03 -0500
To: "Christopher L. Werner" , firewalls@greatcircle.com
From: Frederick M Avolio
Subject: Re: POP Access Thru router
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 06:31 PM 11/9/95 -0500, Christopher L. Werner wrote:
>
>The newest version of qpopper from Qualcomm 2.1.4 now supports APOP which
>encrypts the users password on the client, passes it to the server, and
>it is decrypted on your side of the firewall.

No, it uses MD5 and some random data to get MD5 hashed with your password. The random data and the MD5 hash are sent over the link. The password -- encrypted or otherwise -- is never sent.
F

From firewalls-owner Fri Nov 10 09:16:22 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id HAA27261 for firewalls-outgoing; Fri, 10 Nov 1995 07:47:49 -0800 (PST)
Received: from individual.com (woolf.individual.com [192.88.202.12]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id HAA27256 for ; Fri, 10 Nov 1995 07:47:44 -0800 (PST)
Received: by individual.com (5.65c/Spike-2.1) id AA26186; Fri, 10 Nov 1995 10:44:18 -0500
From: bheiser@individual.com (Bill Heiser)
Message-Id: <199511101544.AA26186@individual.com>
Subject: Re: FireWall-1 licensing
To: chris.brenton@newsedge.com
Date: Fri, 10 Nov 1995 10:44:18 -0500 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: <9511091752.AA17400@avalon.newsedge.com> from "chris brenton" at Nov 9, 95 05:52:21 pm
X-Organization: Individual, Inc., Network Services
X-Mailer: ELM [version 2.4 PL21]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

chris brenton wrote this:
>
>
>The other bug I've seen with this is that it may check both internal and
>_external_ hosts for license compliance. If the number of external sites visited
>exceeds your user license the software hangs and starts generating tons of mail
>to root (once a minute if memory serves) claiming you have violated the licence
>agreement.

How does this number-of-hosts licensing work? Is it a certain number of hosts per time period? The number of simultaneous connections?

i.e. if I have 100 hosts at site Xyz, but I only care about allowing 50 of them to simultaneously access the Internet, can I get by with just a 50-user license? Or (in the extreme case) if I want to pipe everything through an internal "bastion host" of sorts, can I get by with just 1 license?
--
Bill Heiser
Individual, Inc., Network Services, office: bheiser@individual.com http://www.newspage.com/
home: bill@bh.org http://www.bh.org/

From firewalls-owner Fri Nov 10 09:28:03 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA28184 for firewalls-outgoing; Fri, 10 Nov 1995 08:25:29 -0800 (PST)
Received: from tera.bctel.net (tera.bctel.net [204.174.66.253]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id IAA28179 for ; Fri, 10 Nov 1995 08:25:26 -0800 (PST)
Received: (from nobody@localhost) by tera.bctel.net (8.7.1/8.7.1) id IAA15853; Fri, 10 Nov 1995 08:24:53 -0800 (PST)
X-Authentication-Warning: tera.bctel.net: nobody set sender to using -f
Received: from mocha.bctel.net(204.174.66.5) by tera via smap (V1.3) id sma015851; Fri Nov 10 08:24:43 1995
Received: (from murrell@localhost) by mocha.bctel.net (8.7.1/8.7.1) id IAA01667; Fri, 10 Nov 1995 08:21:20 -0800 (PST)
Date: Fri, 10 Nov 1995 08:21:20 -0800 (PST)
From: Brian Murrell
Message-Id: <199511101621.IAA01667@mocha.bctel.net>
To: firewalls@GreatCircle.COM, jalcances@mail.asiandevbank.org
Subject: Re: Firewall-1
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-MD5: 9lqnQNMC0gJimU2PgTd6+Q==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Hi,
> I'm now experiencing a problem in using Firewall-1. It seems to get
> saturated at a certain point, after adding a number of objects and
> rules. The problem appears during filter installation (after adding the
> objects or rules). It suddenly "core dumps", and the filters are not
> updated. I'm using Firewall-1 ver 1.0.7c running on SunOS with an Internet
> gateway license.
> Any idea out there?

If you get an "arglist too long" error in the filter installation window, it's a known bug. We chased Sun for a couple of weeks on this one and were not able to get a satisfactory fix for the problem.
We resigned to only have x number of rules and wait for licenses for our 1.2 release. Not really a satisfactory way to do it, but you can only burn so much time trying to chase down a bug fix.

b.
--
Brian J. Murrell                 murrell@bctel.net
BCTel Advanced Communications    brian@ilinx.com
Vancouver, B.C.                  brian@wimsey.com
604 454 5261

From firewalls-owner Fri Nov 10 10:02:07 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id HAA27253 for firewalls-outgoing; Fri, 10 Nov 1995 07:47:29 -0800 (PST)
Received: from intex.intex.net (intex.intex.net [204.255.96.10]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id HAA27248 for ; Fri, 10 Nov 1995 07:47:26 -0800 (PST)
Received: from dialupb56.intex.net (dialupb56.intex.net [204.255.103.56]) by intex.intex.net (8.6.12/4.1.4) with SMTP id JAA19190; Fri, 10 Nov 1995 09:47:33 -0600
Message-Id: <199511101547.JAA19190@intex.intex.net>
X-Sender: lpierce@intex.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 10 Nov 1995 09:54:17 -0600
To: "Wilburn,Ted-Dept of Technology" , "'Firewalls'"
From: lpierce@intex.net (S. Lane Pierce)
Subject: Re: FW: Firewall Software
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:59 AM 11/9/95 PST, Wilburn,Ted-Dept of Technology wrote:
>
>A request from a colleague, Thanks
>Ted Wilburn, twilburn@msmail.owensboro.k12.ky.us.
>
>Forwarded message begin:
>
> ----------
>From: owner-kydtc[SMTP:owner-kydtc@UKCC.UKY.EDU]
>Sent: Thursday, November 09, 1995 10:14 AM
>To: Multiple recipients of list KYDTC
>Subject: Firewall Software
>
>Pendleton County has a wide area network installed and is now in the
>process of getting acceptable use policies signed by students and parents.
>I am experiencing a good deal of pressure to install a firewall to prevent
>access to some of the "bad stuff." Is anyone out there successfully using
>firewall software and how is it setup.
Thanks

Advise your friend that identifying "bad stuff" on his wan is *very* general and there is no real way to respond to this question. If however the county is providing Internet access to the public school system, there must be some serious thought involved. Lots of liability here. There is so much "bad stuff" out there that is quickly accessed by *any* child. Everything from child porno to bomb making. IMHO the net (in general) should be rated A for Adult use only.

A firewall is most often used to protect the "inside" from the "outside". Although it is possible to use a firewall to restrict access to an external system, it would be easy to circumnavigate.

S. Lane Pierce
lpierce@intex.net

From firewalls-owner Fri Nov 10 10:39:46 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA29081 for firewalls-outgoing; Fri, 10 Nov 1995 08:56:13 -0800 (PST)
Received: from fionn.lbl.gov (fionn.lbl.gov [128.3.128.60]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id IAA29076 for ; Fri, 10 Nov 1995 08:56:08 -0800 (PST)
Received: (mike@localhost) by fionn.lbl.gov (8.6.11/8.6.5) id IAA13266; Fri, 10 Nov 1995 08:56:20 -0800
Message-Id: <199511101656.IAA13266@fionn.lbl.gov>
From: mike@fionn.lbl.gov (Michael Helm)
Date: Fri, 10 Nov 1995 08:56:20 PST
In-Reply-To: "Christopher L. Werner" "Re: POP Access Thru router" (Nov 9, 6:31pm)
Reply-To: mike@fionn.lbl.gov
X-Mailer: Mail User's Shell (7.2.3 5/22/91)
To: "Christopher L. Werner"
Subject: Re: POP Access Thru router
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Where can information on APOP be found?
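[Editor's added example, not part of any message in this thread and not qpopper's code.] APOP as Fred Avolio describes it a few messages up, and as specified in RFC 1939, the POP3 standard that answers Michael Helm's question: the server greeting carries a per-connection timestamp, the client answers with MD5(timestamp || shared secret), and the server recomputes the digest from its own copy of the secret, so only the timestamp and the digest cross the wire. The hostname, user and secret below are the ones in the RFC's own worked example; the one-attempt-per-timestamp bookkeeping is this example's addition.

```python
"""APOP (RFC 1939) challenge-response: client digest and server verification."""
import hashlib
import hmac
import re
from typing import Dict, Set, Tuple

TIMESTAMP_RE = re.compile(r"<[^<>]+@[^<>]+>")


def apop_digest(timestamp: str, secret: str) -> str:
    """Client side: MD5 over the timestamp exactly as received (angle brackets
    included) immediately followed by the shared secret, as 32 lowercase hex digits."""
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()


def extract_timestamp(greeting: str) -> str:
    """The <pid.clock@host> token inside a '+OK ... <...>' greeting line."""
    m = TIMESTAMP_RE.search(greeting)
    if m is None:
        raise ValueError("greeting offers no APOP timestamp")
    return m.group(0)


class ApopServer:
    """Server side.  The trade-off: APOP needs the shared secret in clear on the
    server, because the digest cannot be derived from a one-way hashed password."""

    def __init__(self, secrets_by_user: Dict[str, str], hostname: str) -> None:
        self._secrets = secrets_by_user
        self._hostname = hostname
        self._outstanding: Set[str] = set()   # timestamps issued and not yet used

    def greet(self, pid: int, clock: int) -> str:
        """pid and clock must make the timestamp unique per connection; a repeated
        timestamp would let a captured digest be replayed."""
        ts = f"<{pid}.{clock}@{self._hostname}>"
        self._outstanding.add(ts)
        return f"+OK POP3 server ready {ts}"

    def handle_apop(self, timestamp: str, line: str) -> str:
        """Verify an 'APOP name digest' line against the timestamp this connection got."""
        parts = line.split()
        if len(parts) != 3 or parts[0] != "APOP":
            return "-ERR syntax: APOP name digest"
        _, user, digest = parts
        if timestamp not in self._outstanding:         # one attempt per timestamp
            return "-ERR timestamp not issued or already used"
        self._outstanding.discard(timestamp)
        secret = self._secrets.get(user)
        if secret is None:
            return "-ERR permission denied"
        if not hmac.compare_digest(apop_digest(timestamp, secret), digest.lower()):
            return "-ERR permission denied"
        return "+OK maildrop locked and ready"


def apop_exchange(server: ApopServer, user: str, secret: str,
                  pid: int, clock: int) -> Tuple[str, str, str]:
    """One full exchange: (server greeting, client line, server reply)."""
    greeting = server.greet(pid, clock)
    ts = extract_timestamp(greeting)
    client_line = f"APOP {user} {apop_digest(ts, secret)}"
    return greeting, client_line, server.handle_apop(ts, client_line)


if __name__ == "__main__":
    # Values from the worked example in RFC 1939; the shared secret is "tanstaaf".
    srv = ApopServer({"mrose": "tanstaaf"}, "dbc.mtview.ca.us")
    for step in apop_exchange(srv, "mrose", "tanstaaf", 1896, 697170952):
        print(step)
```

Note that a passive listener still gets a digest it can test candidate passwords against offline, which is why the secret must be strong even though it is never transmitted.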
From firewalls-owner Fri Nov 10 11:01:36 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA00398 for firewalls-outgoing; Fri, 10 Nov 1995 09:41:14 -0800 (PST)
Received: from hosaka.smallworks.com (hosaka.SmallWorks.COM [192.207.126.1]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id JAA00393 for ; Fri, 10 Nov 1995 09:41:10 -0800 (PST)
From: jim@SmallWorks.COM
Received: from butthead.SmallWorks.COM by hosaka.smallworks.com (5.x/SMI-SVR4) id AA18675; Fri, 10 Nov 1995 11:41:25 -0600
Received: by butthead.SmallWorks.COM (4.1/SPARCbook_POP1.3) id AA09431; Fri, 10 Nov 95 11:41:31 CST
Date: Fri, 10 Nov 95 11:41:31 CST
Message-Id: <9511101741.AA09431@butthead.SmallWorks.COM>
To: bheiser@individual.com, chris.brenton@newsedge.com
Subject: Re: FireWall-1 licensing
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My understanding of the FW-1 license is that it's based on the *size* of the network behind FW-1. This is regardless of whether those hosts use the FW-1 facilities or not. The theory is that all the hosts behind the firewall are receiving at least the service of being protected by the firewall.

Not all firewalls are licensed or priced this way.

Jim Thompson -- Engineer        Smallworks Inc.
jim@smallworks.com              Austin Tx. 78731
NetGate(tm)                     512 338 0619 phone
The Hottest Firewall in Town!
                                512 338 0625 fax

From firewalls-owner Fri Nov 10 11:23:15 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA29802 for firewalls-outgoing; Fri, 10 Nov 1995 09:20:15 -0800 (PST)
Received: from spchp46.BBN.COM (SPCHP46.BBN.COM [128.89.4.149]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id JAA29790 for ; Fri, 10 Nov 1995 09:20:11 -0800 (PST)
Received: by spchp46.BBN.COM (1.37.109.16/16.2) id AA054474143; Fri, 10 Nov 1995 12:22:23 -0500
Date: Fri, 10 Nov 1995 12:22:22 -0500 (EST)
From: Christopher Osborn
To: Bill Heiser
Cc: firewalls@greatcircle.com
Subject: Re: Web server / SecurID
In-Reply-To: <199511101535.AA29654@world.std.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 10 Nov 1995, Bill Heiser wrote:
>
> I was asked if it's possible to use SecurID to control access
> to a web server ... i.e. to provide very limited access to
> the information presented on a server.

I have not done it with SecurID but did rig up an SKEY version for the WWW. It requires that each user have an skey calculator (available for every OS I have encountered). I created a CGI script for this purpose. Just accessed SKEY KEYS file and the other required files via perl and the command line.

> In a way I think this doesn't make sense because by its very nature
> a web server isn't secure anyway. It'd be like putting a deadbolt on
> the front door but leaving the windows unlocked.

That depends on how your WWW server is configured. With authentication and encryption so easily available on the WWW you could make the argument either way.

> On the other hand, if the server is behind a firewall which provides
> very limited access, .... maybe it would be useful..

I would just put it on a screened subnet. Behind the firewall==(usually) BAD

> What do you think? And what do you think about the actual implementation?
> Is it doable?

Yes.
> Thanks in advance,
> --
> Bill Heiser heiser@world.std.com

+======================================================================+
Christopher Osborn                cosborn@bbn.com
WWW/BBS Site Engineer             EMail ^^ for Public Key
BBN, INC.                         http://www.bbndomain.com/
BBN Domain Corporation
My opinions may or may not reflect the views of my employer.

From firewalls-owner Fri Nov 10 11:53:09 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA29202 for firewalls-outgoing; Fri, 10 Nov 1995 09:00:26 -0800 (PST)
Received: from gatekeeper.nytimes.com (gatekeeper.nytimes.com [199.181.175.201]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id JAA29197 for ; Fri, 10 Nov 1995 09:00:22 -0800 (PST)
Received: from mailgate.nytimes.com by gatekeeper.nytimes.com; (5.65/1.1.8.2/30Mar95-0352PM) id AA25429; Fri, 10 Nov 1995 12:04:28 -0500
Received: from [170.149.163.227] by mailgate.nytimes.com; (5.65/1.1.8.2/25Jul94-1134AM) id AA06546; Fri, 10 Nov 1995 12:02:23 -0500
Message-Id: <30A3855D.4E9AB931@nytimes.com>
Date: Fri, 10 Nov 1995 12:01:17 -0500
From: Josh Hartmann
Organization: The New York Times
X-Mailer: Mozilla 2.0b2 (X11; I; Linux 1.2.13 i586)
Mime-Version: 1.0
To: Bill Heiser
Cc: firewalls@GreatCircle.COM
Subject: Re: Web server / SecurID
References: <199511101535.AA29654@world.std.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Yes it's doable. You need to require Netscape or MS Internet Explorer (or other SSL-enabled browser) everywhere, but that's probably OK for an internal network. You need a CGI login process which accepts the securid code as input, authenticates it, and sets the Mozilla 'cookie' to allow access to the rest of the site. If the authentication fails, no cookie. :)

Netscape or OpenMarket could clearly help build this system. If this is truly valuable information you need to protect, you would need one of their secure servers.
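[Editor's added example, not part of Josh Hartmann's message above nor Christopher Osborn's, and not either's code.] The CGI login both of them describe, worked through: the user submits a one-time password, the server verifies it against its stored chain state, and only a successful check produces a session cookie. The one-time password is an S/KEY-style hash chain using the MD5 folding of RFC 2289 (the later generalisation of S/KEY) rather than S/KEY's original MD4; the cookie is an HMAC-signed expiring token; users, seeds, passphrases and the server key are all constructed.

```python
"""One-time-password login (RFC 2289 MD5 chain) that issues a signed session cookie."""
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple


def fold(data: bytes) -> bytes:
    """One chain step: MD5, then fold the 16-byte digest to 8 bytes by XOR."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp(seed: str, passphrase: str, n: int) -> bytes:
    """The n-th one-time password: fold(seed+passphrase), then fold n more times.
    Seeing otp(n) reveals nothing useful about otp(n-1), the one sent next."""
    value = fold((seed + passphrase).encode("ascii"))
    for _ in range(n):
        value = fold(value)
    return value


class OtpStore:
    """Server state per user: (sequence, last accepted password).  A replayed
    password fails because the stored value has already moved down the chain."""

    def __init__(self) -> None:
        self._state: Dict[str, Tuple[int, bytes]] = {}

    def enrol(self, user: str, seed: str, passphrase: str, n: int = 99) -> None:
        self._state[user] = (n, otp(seed, passphrase, n))

    def next_sequence(self, user: str) -> int:
        """Challenge value; the client must answer with otp(sequence - 1)."""
        return self._state[user][0]

    def verify(self, user: str, candidate: bytes) -> bool:
        if user not in self._state:
            return False
        seq, last = self._state[user]
        if seq == 0 or not hmac.compare_digest(fold(candidate), last):
            return False
        self._state[user] = (seq - 1, candidate)   # advance the chain
        return True


class SessionCookies:
    """Signed, expiring cookies; the signing key never leaves the server."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def _tag(self, payload: str) -> str:
        return hmac.new(self._key, payload.encode("ascii"), hashlib.sha256).hexdigest()

    def issue(self, user: str, ttl: int, now: Optional[float] = None) -> str:
        expiry = int((time.time() if now is None else now) + ttl)
        payload = f"{user}:{expiry}"
        return f"{payload}:{self._tag(payload)}"

    def user_for(self, cookie: str, now: Optional[float] = None) -> Optional[str]:
        """The user a cookie proves, or None if forged, altered or expired."""
        try:
            user, expiry, tag = cookie.rsplit(":", 2)
        except ValueError:
            return None
        if not hmac.compare_digest(self._tag(f"{user}:{expiry}"), tag):
            return None
        if int(expiry) <= (time.time() if now is None else now):
            return None
        return user


def cgi_login(store: OtpStore, cookies: SessionCookies, user: str,
              response_hex: str, now: Optional[float] = None) -> str:
    """The CGI script's output: a Set-Cookie header only when the OTP verifies."""
    try:
        candidate = bytes.fromhex(response_hex)
    except ValueError:
        candidate = b""
    if store.verify(user, candidate):
        cookie = cookies.issue(user, 3600, now)
        return f"Content-Type: text/plain\r\nSet-Cookie: session={cookie}; Path=/\r\n\r\nWelcome, {user}.\r\n"
    return "Content-Type: text/plain\r\n\r\nLogin failed.\r\n"


if __name__ == "__main__":
    store, cookies = OtpStore(), SessionCookies(b"constructed-server-key")
    store.enrol("alice", "sk1234", "correct horse", n=5)   # constructed user and seed
    answer = otp("sk1234", "correct horse", store.next_sequence("alice") - 1).hex()
    print(cgi_login(store, cookies, "alice", answer))       # sets a cookie
    print(cgi_login(store, cookies, "alice", answer))       # replay: no cookie
```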
-Josh

Bill Heiser wrote:
>
> I was asked if it's possible to use SecurID to control access
> to a web server ... i.e. to provide very limited access to
> the information presented on a server.
>
> In a way I think this doesn't make sense because by its very nature
> a web server isn't secure anyway. It'd be like putting a deadbolt on
> the front door but leaving the windows unlocked.
>
> On the other hand, if the server is behind a firewall which provides
> very limited access, .... maybe it would be useful..
>
> What do you think? And what do you think about the actual implementation?
> Is it doable?
>
> Thanks in advance,
> Bill
>
> --
> Bill Heiser heiser@world.std.com

--
_____________________________________________________________________
Josh Hartmann                          josh@the-tech.mit.edu
The New York Times                     josh@nytimes.com
Electronic Media Company               1120 Ave. of the Americas
212 597 8057                           New York, NY 10036
fax 212 597 8081
_____________________________________________________________________

From firewalls-owner Fri Nov 10 11:53:15 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA29950 for firewalls-outgoing; Fri, 10 Nov 1995 09:25:40 -0800 (PST)
Received: from gw1.att.com (gw1.att.com [192.20.239.133]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id JAA29943 for ; Fri, 10 Nov 1995 09:25:19 -0800 (PST)
Received: from vodka.sse.att.com (vodka.gc.att.com) by ig1.att.att.com id AA03407; Fri, 10 Nov 95 11:44:50 EST
Message-Id: <9511101644.AA03407@ig1.att.att.com>
From: mdr@vodka.sse.att.com
Subject: Re: Changing shared libraries and how is ld.so finding real libraries?
To: Scott@Disclosure.COM
Date: Fri, 10 Nov 1995 11:48:46 -0500 (EST)
Cc: firewalls@GreatCircle.COM, firewalls@count01.mry.scruznet.com, scott@Disclosure.COM
In-Reply-To: <199511091623.IAA04732@security-gw.mry.scruznet.com> from "firewalls@security-gw.mry.scruznet.com" at Nov 9, 95 08:23:12 am
X-Mailer: ELM [version 2.4 PL23-upenn2.7]
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

To: firewalls@GreatCircle.COM
Subject: Changing shared libraries and how is ld.so finding real libraries?

Scott,

Scott Barman wrote about LD_LIBRARY_PATH and LD_RUN_PATH seeming to be ineffectual on login, ps, ls and other commands.

>The login program seemed to work fine. It prompted me for my userid and
>password... no problems. In fact, any setuid or setgid program (ps
>and mail, for example) ran with no problems. Others, such as ls and
>examination of the output from nm and strings). But even with my stubs
>Can anyone enlighten me as to what is happening?

I believe that you are running into some special case handling for libc.so and libld.so. I traced thru some source and found that these two are always resolved to /usr/lib first. No matter what the documentation says. (This could be a SVR4'ism or a my source tree'ism) It's probably a boot-strap kind of thing for binaries that use shared libraries because libc.so or libld.so is necessary for all of the other shared lib stuff to work. Please don't move /usr/libc.so to some other directory to test that hypothesis, you'll be seriously hosed!

Try LD_LIBRARY_PATH in the environment on a binary that uses something other than or in addition to libc.so. Something like '/bin/ftp' will probably fail the way that you expect it to. On SVR4 you can set LD_TRACE_LOADED_OBJECTS in the env to see what gets loaded. The binary will load its shared libs, list them and then exit.
Thankfully 'unset' is a shell builtin, not a binary :)

It's remotely possible that your vendor actually set LD_RUN_PATH at compile time to make your system more secure. LD_RUN_PATH may be used by the linker to specify a library search path at compile time. This library path takes precedence over any paths in the environment. :) So if a vendor says something like "you'll have to choose between dynamic libs and security" it "'tain't necessarily so." The LD_RUN_PATH is stored in the a.out. Thus /usr/lib, /usr/ccs/lib, /usr/mytrustedlib etc can be given precedence over /home/hacker/lib without sacrificing the benefits of dynamic shared libraries. The down side is that you'll probably need administrative privileges on the host to add and use a shared library that comes with a standard name such as "libresolv.so.1". (which ain't such a bad idea :)

A final note, setuid files are subject to LD_LIBRARY_PATH deflection when called by the owner of the file. The test is like this:

    if( (getuid() == geteuid()) && (getgid() == getegid()) )
        acknowledge LD_LIBRARY_PATH

Thus setuid to root files that are dynamically linked are not immune from LD_LIBRARY_PATH attacks when called directly by a daemon that is running as both real and effective root.
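[Editor's added example, not part of Mark Riggins' message above and not his code.] The real-versus-effective id test he quotes, applied to the ids a process will have after exec'ing a given file, together with an audit of the LD_LIBRARY_PATH entries against the trusted directories his note names (/usr/mytrustedlib being his hypothetical one). It makes his closing point concrete: the same environment is harmless when an ordinary user starts a setuid-root program and a real risk when a root daemon does. The ids and environments in the run are constructed.

```python
"""Would ld.so honour LD_LIBRARY_PATH for this exec, and what is in it?"""
import os
from typing import Dict, List, Optional, Sequence, Tuple

TRUSTED_LIB_DIRS = ("/usr/lib", "/usr/ccs/lib", "/usr/mytrustedlib")   # from the note

Ids = Tuple[int, int, int, int]   # (real uid, effective uid, real gid, effective gid)


def ids_after_exec(caller: Ids, owner_uid: int, owner_gid: int,
                   setuid: bool, setgid: bool) -> Ids:
    """exec keeps the caller's real ids; an effective id changes only when the
    file carries the corresponding set-id bit."""
    ruid, euid, rgid, egid = caller
    return (ruid, owner_uid if setuid else euid, rgid, owner_gid if setgid else egid)


def loader_honors_env(ids: Ids) -> bool:
    """The test quoted in the note: the environment path counts only when real
    and effective ids agree.  A root daemon (0,0,0,0) exec'ing a setuid-root file
    still agrees, so the path is honoured there."""
    ruid, euid, rgid, egid = ids
    return ruid == euid and rgid == egid


def untrusted_entries(ld_library_path: str,
                      trusted: Sequence[str] = TRUSTED_LIB_DIRS) -> List[str]:
    """Entries outside the trusted directories.  An empty entry (leading, trailing
    or doubled colon) means the current directory and is flagged as <cwd>."""
    flagged: List[str] = []
    for entry in ld_library_path.split(":"):
        if entry == "" or not os.path.isabs(entry):
            flagged.append(entry or "<cwd>")
        elif not any(entry == t or entry.startswith(t.rstrip("/") + "/") for t in trusted):
            flagged.append(entry)
    return flagged


def deflection_risk(env: Dict[str, str], caller: Ids, owner_uid: int, owner_gid: int,
                    setuid: bool, setgid: bool) -> Optional[List[str]]:
    """None when the loader would ignore the environment for this exec; otherwise
    the untrusted entries that could supply a substitute library (an empty list
    means LD_LIBRARY_PATH is honoured but points only at trusted directories)."""
    if not loader_honors_env(ids_after_exec(caller, owner_uid, owner_gid, setuid, setgid)):
        return None
    return untrusted_entries(env.get("LD_LIBRARY_PATH", ""))


def audit_current_process(owner_uid: int = 0, owner_gid: int = 0,
                          setuid: bool = True, setgid: bool = False) -> Optional[List[str]]:
    """The same check for the process this runs in, against a setuid-root target."""
    me = (os.getuid(), os.geteuid(), os.getgid(), os.getegid())
    return deflection_risk(dict(os.environ), me, owner_uid, owner_gid, setuid, setgid)


if __name__ == "__main__":
    env = {"LD_LIBRARY_PATH": "/home/hacker/lib:/usr/lib:"}   # constructed environment
    print("user 1000 -> setuid root :", deflection_risk(env, (1000, 1000, 100, 100), 0, 0, True, False))
    print("root daemon -> setuid root:", deflection_risk(env, (0, 0, 0, 0), 0, 0, True, False))
    print("this process -> setuid root:", audit_current_process())
```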
Mark Riggins
Secure Systems Engineering
[AT&T|Bell] Labs

From firewalls-owner Fri Nov 10 12:23:15 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id LAA03246 for firewalls-outgoing; Fri, 10 Nov 1995 11:04:45 -0800 (PST)
Received: from bastion.sentinet.demon.co.uk (sentinet.demon.co.uk [158.152.140.128]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id LAA03214 for ; Fri, 10 Nov 1995 11:03:44 -0800 (PST)
Received: (from smap@localhost) by bastion.sentinet.demon.co.uk (8.6.12/8.6.12) id TAA07317 for ; Fri, 10 Nov 1995 19:02:17 GMT
Received: from server.sentinet.demon.co.uk(192.168.1.100) by bastion.sentinet.demon.co.uk via smap (V1.3) id sma007314; Fri Nov 10 19:02:13 1995
Received: from server.sentinet.demon.co.uk (lyndond@[127.0.0.1]) by server.sentinet.demon.co.uk (8.6.12/8.6.12) with ESMTP id TAA15483 for ; Fri, 10 Nov 1995 19:02:11 GMT
Message-Id: <199511101902.TAA15483@server.sentinet.demon.co.uk>
To: firewalls@greatcircle.com
Subject: Re: CERN proxy
Date: Fri, 10 Nov 1995 19:00:53 +0000
From: Lyndon David
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dear All,

Thanks for your replies about the CERN server checking if documents have been modified. After some more manual reading and poking about I have found that it was all my fault all the time and was working just fine.

The Netscape reload button does NOT have the same effect as requesting the URL again. Hitting the reload button not only causes netscape to reload the contents of its own cache but also causes your caching proxy server to reload as well.

You live and learn.
Thanks
Lyndon

From firewalls-owner Fri Nov 10 12:37:13 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id KAA03035 for firewalls-outgoing; Fri, 10 Nov 1995 10:58:13 -0800 (PST)
Received: from count01.mry.scruznet.com (count01.mry.scruznet.com [204.147.227.65]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id KAA03030 for ; Fri, 10 Nov 1995 10:58:09 -0800 (PST)
From: firewalls@count01.mry.scruznet.com
Received: from count01.mry.scruznet.com (localhost [127.0.0.1]) by count01.mry.scruznet.com (8.7.1/8.7.1) with ESMTP id KAA06376; Fri, 10 Nov 1995 10:48:16 -0800 (PST)
Message-Id: <199511101848.KAA06376@count01.mry.scruznet.com>
To: heiser@world.std.com (Bill Heiser)
cc: firewalls@GreatCircle.COM, firewalls@count01.mry.scruznet.com
Subject: Re: Web server / SecurID
In-reply-to: Your message of "Fri, 10 Nov 1995 10:35:48 EST." <199511101535.AA29654@world.std.com>
Date: Fri, 10 Nov 1995 10:48:14 -0800
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

BEGIN RANT

With the proper firewall the authentication access wouldn't seem to be an issue (many free and costed implementations will support this in firewall technology). Problem is the OLD unbounded buffer problems noted in many internet products today seem to be almost perennial; the OEMs and vendors have proven time and time again that "normal" developers, unless they are given PRECISE guidance about secure programming for libraries and applications as well as OS's, will fail time and time again to produce secure code.

What outlook does this hold? Well, if the app is insecure to this issue and it listens to a network port connected through a firewall to the outside it can still be successfully attacked (providing the firewall is of a packet filtering/simple application proxy and nonencrypted.) Active spoofing is there and it does work.

kelly

p.s.
I would be looking at web access via SKIP if I were to architect a secure access web server app (providing of course the security level of the information browsed justified it.) Otherwise the securid and other 1 time password schemes are simply no more than expensive toys; in the face of active spoofing you have to authenticate EVERY packet, there is NO solution acceptable short of this...

END RANT

From firewalls-owner Fri Nov 10 13:32:30 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id KAA02941 for firewalls-outgoing; Fri, 10 Nov 1995 10:53:19 -0800 (PST)
Received: from pegase.total.fr (pegase.total.fr [146.249.152.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id KAA02913 for ; Fri, 10 Nov 1995 10:53:03 -0800 (PST)
Received: from tidtest.total.fr by pegase.total.fr with SMTP (16.6/16.2) id AA12574; Fri, 10 Nov 95 19:47:01 +0100
Received: by tidtest.total.fr (4.1/SMI-4.1) id AA06608; Fri, 10 Nov 95 19:52:28 GMT
Message-Id: <9511101952.AA06608@tidtest.total.fr>
To: Tim Frost
Cc: "Frank O'Dwyer" , Scott Barman , firewalls@greatcircle.com
Subject: Re: Changing shared libraries and how is ld.so finding real libraries?
In-Reply-To: Your message of "Fri, 10 Nov 1995 12:10:57 +1300."
Date: Fri, 10 Nov 1995 19:52:27 +0000
From: Michel Lavondes
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In message , Tim Frost writes:
>
> [snip]
>
> SVR4, Linux and Solaris (at least - I don't have a BSD-based platform to
> check) all allow you to determine what libraries are loaded, by using the
> command ldd.

So does Sunos 4.1.4

>
> [snip]
>
> The man page for ldd points out the one caveat: ldd does not identify
> libraries accessed using the dlopen() function.
>

Doesn't say so on Sunos 4.1.4. OTOH, ldd /usr/bin/login mumbles something about /usr/lib/libdl.so.1.0. Don't know what's in there, though.
>
> [snip]
>
> If you have ldd, you can detect this problem with the -r option to ldd,
> which checks references to data and functions.
>

Not supported under Sunos 4.1.4 (actually, it has no options at all)

>
> [snip]
>

Just my 0.02

Michel Lavondes (lavondes@tidtest.total.fr)

#include
============================================================
= When Privacy Is Outlawed, Only Outlaws Will Have Privacy =
=    I Support the Phil Zimmermann Legal Defense Fund!     =
=   email: zldf@clark.net http://www.netresponse.com/zldf  =
============================================================
(with thanks to those who led me into it :-))

From firewalls-owner Fri Nov 10 13:42:29 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id LAA04072 for firewalls-outgoing; Fri, 10 Nov 1995 11:40:17 -0800 (PST)
Received: from vger.tripcom.com (vger.tripcom.com [198.5.220.33]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id LAA04067 for ; Fri, 10 Nov 1995 11:40:13 -0800 (PST)
Received: (from adam@localhost) by vger.tripcom.com id NAA16198; Fri, 10 Nov 1995 13:40:23 -0600
From: Adam Horwitz
Message-Id: <199511101940.NAA16198@vger.tripcom.com>
Subject: Re: FireWall-1 licensing
To: bheiser@individual.com (Bill Heiser)
Date: Fri, 10 Nov 1995 13:40:20 -0600 (CST)
Cc: firewalls@GreatCircle.COM (firewalls)
In-Reply-To: <199511101544.AA26186@individual.com> from "Bill Heiser" at Nov 10, 95 10:44:18 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> How does this number-of-hosts licensing work? Is it a certain number of
> hosts per time period? The number of simultaneous connections?
>
> i.e. if I have 100 hosts at site Xyz, but I only care about allowing
> 50 of them to simultaneously access the Internet, can I get by with
> just a 50-user license? Or (in the extreme case) if I want to pipe
> everything through an internal "bastion host" of sorts, can I get by
> with just 1 license?
You're looking at this backwards. FW-1 is a protection device. The licensing (at least from CheckPoint, I don't know about Sun) is based on the number of nodes it is protecting. So you can have one person who uses the Internet but if FW-1 wasn't there 1,000 hosts on your network would be accessible. Therefore, FW-1 is protecting 1,000 hosts.

The license is available in 50, 250, and unlimited-user versions, based on the number of nodes protected. There are some other issues related to control of CISCO and Wellfleet router ACLs, how many User Objects you can have if you're using the User Authentication (the numbers coincide with the license number), and whether or not you can run the control and filter modules on different workstations. These are issues that your supplier should be able to review with you.

--
Adam Horwitz              (708) 778-9531
Tripcom Systems Inc.      adam@tripcom.com

From firewalls-owner Fri Nov 10 13:53:15 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id MAA05536 for firewalls-outgoing; Fri, 10 Nov 1995 12:35:55 -0800 (PST)
Received: from westie.gi.net (westie.gi.net [198.247.250.16]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id MAA05531 for ; Fri, 10 Nov 1995 12:35:51 -0800 (PST)
Received: from gaijin.mid.net (gaijin.gi.net [198.247.250.28]) by westie.gi.net (8.7.1/8.7.1) with ESMTP id OAA11384; Fri, 10 Nov 1995 14:36:03 -0600 (CST)
From: Alan Hannan
Received: by gaijin.mid.net (8.7.1) id OAA07036; Fri, 10 Nov 1995 14:36:00 -0600 (CST)
Message-Id: <199511102036.OAA07036@gaijin.mid.net>
Subject: Re: Web server / SecurID
To: heiser@world.std.com (Bill Heiser)
Date: Fri, 10 Nov 1995 14:35:55 -0600 (CST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199511101535.AA29654@world.std.com> from "Bill Heiser" at Nov 10, 95 10:35:48 am
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk
'lo.

] I was asked if it's possible to use SecurID to control access
] to a web server ... i.e. to provide very limited access to
] the information presented on a server.

Yes it's possible.

] In a way I think this doesn't make sense because by its very nature
] a web server isn't secure anyway. It'd be like putting a deadbolt on
] the front door but leaving the windows unlocked.

Erm, why, because it's a web server? Make a secure web server, they do exist, if not just in my head.

] On the other hand, if the server is behind a firewall which provides
] very limited access, .... maybe it would be useful..

Then you're accepting the fact that the web server isn't sekoor, which is probably a good thing too, but not necessary. You COULD have a secure web server, but that's not your question....

] What do you think? And what do you think about the actual implementation?
] Is it doable?

I dunno, I do know that ncsa's httpd server has things like this:

    #
    # Options All
    # AllowOverride None
    # AuthUserFile /usr/local/etc/httpd.dir.CUSTOMER/conf/.htpasswd
    # AuthGroupFile /dev/null
    # AuthName By Secret Password Only!
    # AuthType Basic

Which would imply to me that 'AuthType Basic' could be changed to 'AuthType SNK' or 'AuthType SKey' somehow.....

Anyone know if work's being done w/ ncsa's server or another?
-alan

From firewalls-owner Fri Nov 10 14:20:42 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id MAA04811 for firewalls-outgoing; Fri, 10 Nov 1995 12:02:50 -0800 (PST)
Received: from lint.cisco.com (lint.cisco.com [171.68.235.77]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id MAA04806 for ; Fri, 10 Nov 1995 12:02:44 -0800 (PST)
Received: from pferguso-pc.cisco.com (sl-chanty-09.cisco.com [171.69.126.163]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id MAA14633; Fri, 10 Nov 1995 12:02:37 -0800
Message-Id: <199511102002.MAA14633@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 10 Nov 1995 15:04:39 -0500
To: firewalls@GreatCircle.com
From: Paul Ferguson
Subject: Correction
Cc: ilias@telecom.at
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It's been brought to my attention that this is currently not a supported feature in TACACS+. Mea culpa, and apologies for any confusion.

- paul

> Date: Fri, 10 Nov 1995 06:43:26 -0500
> From: Paul Ferguson
> Cc: firewalls@GreatCircle.COM
> Sender: firewalls-owner@GreatCircle.COM
>
> Yes, this is possible in the configuration of TACACS+.
>
> - paul
>
> At 01:18 PM 11/9/95 +0100, Ilias Liakopoulos wrote:
> >
> >does anybody know if it's possible to configure
> >tacacs in a way, that if a dial-in user of an
> >CS-2511 tries to connect a second time, he gets
> >something like "connection refused" or "already
> >connected", if he has an active connection on an
> >other port?
> >
> >thank you all for your suggestions,
> >
> >iLiAS
> >--
> >----------------------------------------------------------------------
> >Ilias Liakopoulos | Email: ilias@telecom.at
> >Spardat AG & Co KG | Tel: 0043/1/74045-4762 Fax -5704
> >Geiselbergstr. 21-25 | WWW: http://pina2.telecom.at/~lia
> >1110-Vienna | nic-hdl: IL7-RIPE
> >Austria |
> >Europe |
> >----------------------------------------------------------------------
>
>

--
Paul Ferguson
Consulting Engineering
Reston, Virginia USA
tel: +1.703.716.9538
e-mail: pferguso@cisco.com
cisco Systems

From firewalls-owner Fri Nov 10 14:53:15 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id MAA05760 for firewalls-outgoing; Fri, 10 Nov 1995 12:41:19 -0800 (PST)
Received: from chsun.eunet.ch (chsun.eunet.ch [146.228.10.15]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id MAA05754 for ; Fri, 10 Nov 1995 12:41:12 -0800 (PST)
Received: from mozart.UUCP by chsun.eunet.ch (8.6.10/1.34) id VAA20227; Fri, 10 Nov 1995 21:41:24 +0100
Received: from santana.ergon.ch by mozart.ergon.ch (4.1/ERGON) id AA09910; Fri, 10 Nov 95 21:17:54 +0100
Date: Fri, 10 Nov 95 21:17:53 +0100
From: sten@ergon.CH (Sten Gunterberg)
Message-Id: <9511102017.AA09910@mozart.ergon.ch>
To: firewalls@GreatCircle.COM
Subject: Firewall-1 logging capabilities
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Speaking of Firewall-1: I think someone mentioned that it's doing logging via syslog in the newest release. Is that true? What does it log? Can it provide bytes transferred and a duration for FTP and HTTP?
--Sten

From firewalls-owner Fri Nov 10 15:57:34 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id PAA10488 for firewalls-outgoing; Fri, 10 Nov 1995 15:30:49 -0800 (PST)
Received: from mailhost.Ipsilon.COM ([205.226.5.12]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id PAA10477 for ; Fri, 10 Nov 1995 15:30:46 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mailhost.Ipsilon.COM (8.6.11/8.6.10) with SMTP id OAA04636; Fri, 10 Nov 1995 14:54:21 -0800
Message-Id: <199511102254.OAA04636@mailhost.Ipsilon.COM>
X-Authentication-Warning: mailhost.Ipsilon.COM: Host localhost didn't use HELO protocol
X-Mailer: exmh version 1.6.4 10/10/95
To: Roger Marquis
cc: Firewalls@GreatCircle.COM
Subject: Re: FireWall-1 licensing
In-reply-to: Your message of "Thu, 09 Nov 1995 08:16:38 PST."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 10 Nov 1995 14:54:21 -0800
From: Craig Anderson
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> There is no way to verify whether the installed license is a demo or
> permanent. There is also no way to verify that a permanent license was
> (properly) installed. The real problem is Sun Licensing. The software

Yes there is: "fw printlic"

Craig

>
> Roger Marquis
> Sr. Systems Analyst, Roble Systems
> (marquis@roble.com, 415-494-9250)
>

From firewalls-owner Fri Nov 10 16:53:19 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id QAA15019 for firewalls-outgoing; Fri, 10 Nov 1995 16:50:09 -0800 (PST)
Received: from psyche.the-wire.com (psyche.the-wire.com [198.53.192.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id QAA14988 for ; Fri, 10 Nov 1995 16:50:00 -0800 (PST)
Received: from rcooper.the-wire.com (rcooper.the-wire.com [198.53.159.74]) by psyche.the-wire.com (8.6.10/8.6.9) with SMTP id TAA14863; Fri, 10 Nov 1995 19:49:51 -0500
Received: by rcooper.the-wire.com with Microsoft Mail id <01BAAFA5.AC223EA0@rcooper.the-wire.com>; Fri, 10 Nov 1995 19:49:39 -0500
Message-ID: <01BAAFA5.AC223EA0@rcooper.the-wire.com>
From: Russ Cooper
To: "'Firewalls'" , "'Process Maillist'" , "'Website List'"
Subject: Unwanted attachments from Exchange clients.
Date: Fri, 10 Nov 1995 19:49:38 -0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Folks,

Many of you have stated your disdain with unwanted attachments being sent to you by some individuals, usually people who are using some form of Microsoft Exchange client like the Windows '95 Inbox. As I was one of the culprits of this, I did some investigating to see if there was a way to prevent it. A very kind Exchange developer was helpful in clearing up the problem.

Here's how to avoid sending these unwanted attachments:

Every recipient in your TO: list has associated properties. One of these properties is "Always send to this recipient in Microsoft Exchange rich-text format". Whether you know it or not, this flag gets set sometimes, seemingly without your intention. In addition, if any one of a number of TO: or CC: recipients happen to have this flag set, then all of the recipients get the message sent in RTF.
When I checked the properties on the website-talk@ora.com entry in my Personal Address Book (PAB), I found that it was flagged to RTF, despite me never setting it this way. Anyway, if it is set to RTF, some people who cannot interpret RTF get the annoying attachments.

So, the answer to the problem is to:

a) check your existing entries in your PAB and disable any RTF flagged entries that should not be flagged (i.e. any mailing list addresses you send to)

b) when sending a reply, right click on each of the recipients and choose "Properties" to see if RTF has been enabled. If it has, and you don't want it to be, then just click the check-box to disable it.

I'm not sure if this is a "bug", or a "feature", and I'm also not sure if you have to keep doing this forever! I would, however, suggest that you do this for every mailing list address you send to, as they are the addresses that will generate the most grief for people.

I hope this helps resolve this problem for most, if not all, people.

Cheers,
Russ Cooper
Senior Internet Integration Engineer
SHL/Computer Innovations
RCooper@the-wire.com - Express@msn.com - 74323.364@compuserve.com

From firewalls-owner Fri Nov 10 18:53:15 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id SAA23708 for firewalls-outgoing; Fri, 10 Nov 1995 18:35:59 -0800 (PST)
Received: from salsa.gv.ssi1.com (salsa.gv.ssi1.com [146.252.44.194]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id SAA23699 for ; Fri, 10 Nov 1995 18:35:55 -0800 (PST)
Received: (from gdonl@localhost) by salsa.gv.ssi1.com (8.7.1/8.7) id SAA12195; Fri, 10 Nov 1995 18:35:14 -0800 (PST)
Message-Id: <199511110235.SAA12195@salsa.gv.ssi1.com>
From: gdonl@gv.ssi1.com (Don Lewis)
Date: Fri, 10 Nov 1995 18:35:14 -0800
In-Reply-To: mdr@vodka.sse.att.com "Re: Changing shared libraries and how is ld.so finding real libraries?" (Nov 10, 11:48am)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: mdr@vodka.sse.att.com, Scott@Disclosure.COM
Subject: Re: Changing shared libraries and how is ld.so finding real libraries?
Cc: firewalls@GreatCircle.COM, firewalls@count01.mry.scruznet.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Nov 10, 11:48am, mdr@vodka.sse.att.com wrote:
} Subject: Re: Changing shared libraries and how is ld.so finding real libra
} To: firewalls@GreatCircle.COM
} Thus setuid to root files that are dynamically linked are not immune from
} LD_LIBRARY_PATH attacks when called directly by a daemon that is
} running as both real and effective root.

True, but non-setuid executables can also be attacked the same way and can do just as much damage when they are run by root. I think things are safe if the following two rules are followed:

If uid != euid, sanitize your environment before exec()'ing anything or changing uid (setting euid back to uid should be safe).

If running as root (or anything else!), don't set your environment from an untrusted source. Telnetd should not set its environment from the network. Instead it should forward the new environment to login, and login should only set its environment *after* it has authenticated the user and switched to the user's uid.
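Don's two rules, worked through as an added example (editor's code, not from the post or from any of the systems it names): a C routine that rebuilds the environment from a short allow-list before a setuid or root program exec()s anything, so that loader variables such as LD_LIBRARY_PATH inherited from the caller cannot ride along into the child. The function names, the allow-list and the fixed PATH are assumptions made for this illustration.

```c
/* Added example, not from the list post: rebuild the environment from an
 * allow-list before a setuid or root program exec()s anything, so loader
 * variables such as LD_LIBRARY_PATH inherited from an untrusted caller
 * never reach the child. Function names and the allow-list are assumptions
 * made for this illustration. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Variables passed through, and only after their values are vetted. */
static const char *const allowed[] = { "TZ", "TERM", "LANG", NULL };

/* A value is acceptable if it is short, printable ASCII and free of '/',
 * so nothing downstream can treat it as a path. */
int value_ok(const char *v)
{
    size_t n = strlen(v);
    if (n == 0 || n > 255)
        return 0;
    for (; *v != '\0'; v++) {
        unsigned char c = (unsigned char)*v;
        if (c < 0x20 || c > 0x7e || c == '/')
            return 0;
    }
    return 1;
}

/* Look up NAME in a NULL-terminated "NAME=value" array; NULL if absent. */
const char *env_lookup(char *const *env, const char *name)
{
    size_t len = strlen(name);
    for (size_t i = 0; env != NULL && env[i] != NULL; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=')
            return env[i] + len + 1;
    return NULL;
}

size_t env_count(char *const *env)
{
    size_t n = 0;
    while (env != NULL && env[n] != NULL)
        n++;
    return n;
}

/* Build a fresh environment: a fixed PATH plus allow-listed, vetted
 * variables copied from ENVP. Everything else (LD_*, IFS, HOME, ...) is
 * dropped. Returns a malloc'd NULL-terminated array, or NULL on failure. */
char **sanitize_env(char *const *envp)
{
    size_t count = env_count(envp), n = 0;
    /* calloc keeps the array NULL-terminated while it is being filled. */
    char **out = calloc(count + 2, sizeof *out);
    if (out == NULL)
        return NULL;
    out[n++] = strdup("PATH=/usr/bin:/bin");
    for (size_t i = 0; i < count; i++) {
        const char *eq = strchr(envp[i], '=');
        if (eq == NULL)
            continue;
        size_t namelen = (size_t)(eq - envp[i]);
        for (const char *const *a = allowed; *a != NULL; a++) {
            if (strlen(*a) == namelen && memcmp(*a, envp[i], namelen) == 0
                && env_lookup(out, *a) == NULL   /* first occurrence wins */
                && value_ok(eq + 1)) {
                out[n++] = strdup(envp[i]);
                break;
            }
        }
    }
    return out;
}

void free_env(char **env)
{
    for (size_t i = 0; env != NULL && env[i] != NULL; i++)
        free(env[i]);
    free(env);
}

/* Rule 1 from the post: real uid != effective uid means an untrusted
 * caller supplied the environment. Rule 2: a root process should not
 * trust its environment either, so sanitize in that case as well. */
int should_sanitize(void)
{
    return getuid() != geteuid() || geteuid() == 0;
}

/* exec() PATHNAME, substituting a sanitized environment when the rules
 * apply. Returns -1 only if execve() itself failed. */
int exec_sanitized(const char *pathname, char *const argv[])
{
    char **env = should_sanitize() ? sanitize_env(environ) : environ;
    if (env == NULL)
        return -1;
    int rc = execve(pathname, argv, env);
    if (env != environ)
        free_env(env);
    return rc;
}
```

Calling exec_sanitized() in place of execve() from a setuid wrapper or a root daemon gives the child only the fixed PATH and whichever allow-listed variables passed the value check.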
--- Truck

From firewalls-owner Fri Nov 10 22:47:35 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id VAA03437 for firewalls-outgoing; Fri, 10 Nov 1995 21:26:25 -0800 (PST)
Received: from mailhost1.primenet.com (mailhost1.primenet.com [198.68.32.51]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id VAA03387; Fri, 10 Nov 1995 21:25:48 -0800 (PST)
Received: from usr5.primenet.com (root@usr5.primenet.com [198.68.32.15]) by mailhost1.primenet.com (8.7.1/8.7.1) with ESMTP id WAA27455; Fri, 10 Nov 1995 22:26:30 GMT
Received: (from peterqz@localhost) by usr5.primenet.com (8.7.1/8.7.1) id WAA18716; Fri, 10 Nov 1995 22:25:31 -0700 (MST)
Date: Fri, 10 Nov 1995 22:25:31 -0700 (MST)
From: Peter Quizert
Message-Id: <199511110525.WAA18716@usr5.primenet.com>
To: firewalls-digest@GreatCircle.COM, list-managers-digest@GreatCircle.COM, majordomo-users@GreatCircle.COM, phonestation-digest@GreatCircle.COM, sunflash-f-usa@FlashBack.COM, sunworld@FlashBack.COM, usa@FlashBack.COM
Subject: Are You Preapred?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The Problem:

Most companies require a pre-employment drug test. If you are seeking employment, on probation, or in the military, you will have to take a drug test.

Another Problem:

Eating the wrong breakfast, or using certain over-the-counter pain relievers will falsely identify you as a drug user.

The Real Problem:

Public and private employers spend 1.2 billion dollars each year (1992 figures) on drug tests that are unreliable and inaccurate. Even hard working employees that do not use drugs are at risk.

The Solution:
================================

Know the Facts.

Know what foods and over the counter medicines are routinely mistaken for common illegal drugs. Simply eating a poppy seed bagel before a drug test can identify you as an opiate user. Know how long different illicit drugs can be detected in your system. Marijuana can be detected for more than a month if nothing is done to conceal its use.

Know the different types of drug tests, especially the ones you are likely to face. GC/MS tests are almost impossible to beat, but are seldom used. The more common EMIT test is much easier to fool -- if you know how.

Be Prepared!

Know when the test is coming. Do not use illicit drugs, or ingest cross-reactive substances before the test. Clean your system of drug metabolites and cross-reactive substances. Drink plenty of water and urinate as often as possible before the test. Do NOT give them your first urine of the day!

Use Clean 'n Clear.

Clean 'n Clear is a three phase system designed to Clean out your body, so you will give Clear urine and Clear the test.

The unique Clean 'n Clear Package includes:

1. Simple step-by-step instructions
2. All natural blood purifiers
3. All natural urine flow stimulators
4. Coloring vitamins to put 'yellow' back in your clear urine
5. Information you need about drug testing
6. A guarantee!

This is not a simplistic "tea" or golden seal approach to the problem! This amazing three phase system is guaranteed! And not just guaranteed ... We are so sure our unique three phase system will work for you that we are including a DOUBLE YOUR MONEY BACK GUARANTEE!!!

Everyone has a friend who needs this information!

===================================================================
--------------------------------
P R I N T and S A V E ! !
--------------------------------

Be prepared. Stop worrying now! You will pass. We guarantee it!!

Order your guaranteed Clean 'n Clear package now by sending $19.95 along with your name and address to:

Clean 'n Clear
2809 East Hamilton Av #121B
Eau Claire, WI 54701

Most companies require pre-employment drug screens. You may only have a few days notice of a drug test. Be Prepared. Order Now!
===================================================================

Sorry, Clean 'n Clear is not legal in Texas, and will NOT be mailed to Texas addresses.

Distributor inquiries welcome.

From firewalls-owner Fri Nov 10 23:14:47 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id WAA04968 for firewalls-outgoing; Fri, 10 Nov 1995 22:04:03 -0800 (PST)
Received: from mailhost1.primenet.com (mailhost1.primenet.com [198.68.32.51]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id WAA04772; Fri, 10 Nov 1995 22:02:10 -0800 (PST)
Received: from usr5.primenet.com (root@usr5.primenet.com [198.68.32.15]) by mailhost1.primenet.com (8.7.1/8.7.1) with ESMTP id XAA01866; Fri, 10 Nov 1995 23:03:15 GMT
Received: (from peterqz@localhost) by usr5.primenet.com (8.7.1/8.7.1) id XAA27947; Fri, 10 Nov 1995 23:02:17 -0700 (MST)
Date: Fri, 10 Nov 1995 23:02:17 -0700 (MST)
From: Peter Quizert
Message-Id: <199511110602.XAA27947@usr5.primenet.com>
To: firewalls-digest@GreatCircle.COM, list-managers-digest@GreatCircle.COM, majordomo-users@GreatCircle.COM, phonestation-digest@GreatCircle.COM, sunflash-f-usa@FlashBack.COM, sunworld@FlashBack.COM, usa@FlashBack.COM
Subject: Are You Preapred?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From firewalls-owner Fri Nov 10 23:20:16 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id WAA07398 for firewalls-outgoing; Fri, 10 Nov 1995 22:44:03 -0800 (PST)
Received: from salsa.gv.ssi1.com (salsa.gv.ssi1.com [146.252.44.194]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id WAA07393 for ; Fri, 10 Nov 1995 22:44:00 -0800 (PST)
Received: (from gdonl@localhost) by salsa.gv.ssi1.com (8.7.1/8.7) id WAA12496; Fri, 10 Nov 1995 22:42:55 -0800 (PST)
Message-Id: <199511110642.WAA12496@salsa.gv.ssi1.com>
From: gdonl@gv.ssi1.com (Don Lewis)
Date: Fri, 10 Nov 1995 22:42:54 -0800
In-Reply-To: Carl Jolley "Re: Restricting URL's" (Nov 10, 9:44am)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Carl Jolley , Don Lewis
Subject: Re: Restricting URL's
Cc: Mike Culver , firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Nov 10, 9:44am, Carl Jolley wrote:
} Subject: Re: Restricting URL's
} On Wed, 8 Nov 1995, Don Lewis wrote:
}
} > On Nov 8, 3:06pm, Mike Culver wrote:
} > } Subject: Restricting URL's
} > } To deny resolution to sex.com, simply add an entry to named.boot for
} > } bogusns. This directive will tell your DNS that the name server for sex.com
} > } is bogus, and your DNS will never ask sex.com's DNS anything.
} >
} > This won't work so well if the name server in question is ns.uu.net or
} > some other server that serves a lot of zones that you probably still
} > want to access.
}
} You are correct based on your "if". Wouldn't this approach work if the
} site in question had an internal DNS server with forwarding to an
} external server (so-called split DNS) for any unresolved names?
} The internal name server would resolve internal names as necessary and
} "handle" any external names that were to be restricted.

That's not my point at all. If sex.com uses some popular name server, one that is used by thousands of other zones, then by declaring this server as bogus, you may also be denying yourself access to ibm.com, whitehouse.gov, or whatever.

In order to implement this, you could use the configuration that you mention, but you also have to use a packet filter to block DNS traffic between the inside and outside (other than the requests that are being forwarded under your explicit control) so that J. Random User inside doesn't just point nslookup, host, or dig at some unfiltered external server to look up the address to use instead of the host name in the URL (or they could just point /etc/resolv.conf at cache00.ns.uu.net). Even if you manage to block DNS lookups on the inside, there are ways for the users to find out the IP addresses you don't want them to know. People can be resourceful when they're after the naughty bits ;-)

--- Truck

From firewalls-owner Fri Nov 10 23:53:15 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id XAA09162 for firewalls-outgoing; Fri, 10 Nov 1995 23:16:45 -0800 (PST)
Received: from software.net (www2.software.net [204.69.144.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id XAA09143; Fri, 10 Nov 1995 23:16:36 -0800 (PST)
Received: (jpp@localhost) by software.net (8.7.1/3.2W4) id XAA31467; Fri, 10 Nov 1995 23:16:52 -0800
Date: Fri, 10 Nov 1995 23:16:52 +0000
From: John Pettitt
Subject: Re: Are You Preapred?
cc: firewalls@GreatCircle.COM, wvfc-members@GreatCircle.COM
In-Reply-To: <199511110602.XAA27939@usr5.primenet.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 10 Nov 1995, Peter Quizert wrote:

... a spam

Which I received twice on the wvfc list and no doubt will see in firewalls digest ... Arrrgggh. Time for a moderator ?

From firewalls-owner Sat Nov 11 00:05:39 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id XAA08526 for firewalls-outgoing; Fri, 10 Nov 1995 23:04:20 -0800 (PST)
Received: from netcom18.netcom.com (netcom18.netcom.com [192.100.81.131]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id XAA08511; Fri, 10 Nov 1995 23:04:05 -0800 (PST)
Received: by netcom18.netcom.com (8.6.12/Netcom) id XAA25789; Fri, 10 Nov 1995 23:02:53 -0800
From: jadestar@netcom.com (JaDe)
Message-Id: <199511110702.XAA25789@netcom18.netcom.com>
Subject: Re: Are You Preapred?
To: peterqz@primenet.com (Peter Quizert)
Date: Fri, 10 Nov 1995 23:02:51 -0800 (PST)
Cc: firewalls-digest@GreatCircle.COM, list-managers-digest@GreatCircle.COM, majordomo-users@GreatCircle.COM, phonestation-digest@GreatCircle.COM, sunflash-f-usa@FlashBack.COM, sunworld@FlashBack.COM, usa@FlashBack.COM
In-Reply-To: <199511110525.WAA18716@usr5.primenet.com> from "Peter Quizert" at Nov 10, 95 10:25:31 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>
>
> The Problem:
>
> Most companies require a pre-employment drug test.
> If you are seeking employment, on probation, or in
> the military, you will have to take a drug test.

I've already bounced copies of two of these to my postmaster, and the postmaster at Primenet. I've also called the InterNIC administrative contact at Primenet (which is where this appears to be coming from).

So, just this once, could we skip the secondary and tertiary waves of "I hate spammers" posts? (I realize that this won't be the last we hear about this -- but let's please keep the rest off the mailing lists themselves).
From firewalls-owner Sat Nov 11 00:24:09 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id WAA04773 for firewalls-outgoing; Fri, 10 Nov 1995 22:02:10 -0800 (PST)
Received: from mailhost1.primenet.com (mailhost1.primenet.com [198.68.32.51]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id WAA04758; Fri, 10 Nov 1995 22:01:58 -0800 (PST)
Received: from usr5.primenet.com (root@usr5.primenet.com [198.68.32.15]) by mailhost1.primenet.com (8.7.1/8.7.1) with ESMTP id XAA01862; Fri, 10 Nov 1995 23:03:14 GMT
Received: (from peterqz@localhost) by usr5.primenet.com (8.7.1/8.7.1) id XAA27939; Fri, 10 Nov 1995 23:02:15 -0700 (MST)
Date: Fri, 10 Nov 1995 23:02:15 -0700 (MST)
From: Peter Quizert
Message-Id: <199511110602.XAA27939@usr5.primenet.com>
To: bounces@GreatCircle.COM, firewalls-standards@GreatCircle.COM, firewalls@GreatCircle.COM, list-managers@GreatCircle.COM, majordomo-docs@GreatCircle.COM, majordomo-workers@GreatCircle.COM, wvfc-members@GreatCircle.COM
Subject: Are You Preapred?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From firewalls-owner Sat Nov 11 00:58:44 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id VAA03386 for firewalls-outgoing; Fri, 10 Nov 1995 21:25:46 -0800 (PST)
Received: from mailhost1.primenet.com (mailhost1.primenet.com [198.68.32.51]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id VAA03362; Fri, 10 Nov 1995 21:25:28 -0800 (PST)
Received: from usr5.primenet.com (root@usr5.primenet.com [198.68.32.15]) by mailhost1.primenet.com (8.7.1/8.7.1) with ESMTP id WAA27447; Fri, 10 Nov 1995 22:26:27 GMT
Received: (from peterqz@localhost) by usr5.primenet.com (8.7.1/8.7.1) id WAA18702; Fri, 10 Nov 1995 22:25:29 -0700 (MST)
Date: Fri, 10 Nov 1995 22:25:29 -0700 (MST)
From: Peter Quizert
Message-Id: <199511110525.WAA18702@usr5.primenet.com>
To: bounces@GreatCircle.COM, firewalls-standards@GreatCircle.COM, firewalls@GreatCircle.COM, list-managers@GreatCircle.COM, majordomo-docs@GreatCircle.COM, majordomo-workers@GreatCircle.COM, wvfc-members@GreatCircle.COM
Subject: Are You Preapred?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From firewalls-owner Sat Nov 11 02:53:15 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id CAA17014 for firewalls-outgoing; Sat, 11 Nov 1995 02:35:39 -0800 (PST)
Received: from maas2.phm.GOV.AU (maas2.phm.GOV.AU [202.12.107.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id CAA17009 for ; Sat, 11 Nov 1995 02:35:35 -0800 (PST)
Received: (from george@localhost) by maas2.phm.GOV.AU (8.6.12/8.6.12) id VAA27958 for firewalls@greatcircle.com; Sat, 11 Nov 1995 21:10:42 -0500
Date: Sat, 11 Nov 1995 21:10:42 -0500
From: george rossi
Message-Id: <199511120210.VAA27958@maas2.phm.GOV.AU>
Subject: Re: FireWall-1 licensing
Apparently-To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>How does this number-of-hosts licensing work? Is it a certain number of
>hosts per time period? The number of simultaneous connections?

I believe (I haven't been able to pin down a definitive reply) that the license count relates to the number of IP addresses that will use the firewall either as a defence, or as an access point to external sites. It follows that a site with a class "C" address, with more than 50 assigned addresses, will require a 250 node license.
From firewalls-owner Sat Nov 11 06:23:15 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id FAA19485 for firewalls-outgoing; Sat, 11 Nov 1995 05:57:40 -0800 (PST)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id FAA19480 for ; Sat, 11 Nov 1995 05:57:37 -0800 (PST)
Received: from pm1-04.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA09151; Sat, 11 Nov 95 08:57:10 -0500
Date: Sat, 11 Nov 95 08:57:10 -0500
Message-Id: <9511111357.AA09151@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.com
From: frankw@in.net (Frank Willoughby)
Subject: Re: Web server / SecurID
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>I was asked if it's possible to use SecurID to control access
>to a web server ... i.e. to provide very limited access to
>the information presented on a server.
>

Yes it is possible.

Will the Web Server have access to the Internet? (Some companies use a Web Server as a means of distributing internal information). The Internet poses a particularly high security risk. Relying on authentication tools (only) for protection is asking for trouble. The use of SecurID, Skey, etc. for dialup lines may be OK in some situations, but I wouldn't recommend it for access from the Internet as they can be pretty easily bypassed.

If you are going to use this to restrict internal users (only) from using the web server (which has no Internet access) to provide regular info updates to the users, then this might be deemed an acceptable risk. Of course, the above also depends on the type and value of the info you are trying to protect.

>In a way I think this doesn't make sense because by its very nature
>a web server isn't secure anyway. It'd be like putting a deadbolt on
>the front door but leaving the windows unlocked.
>
>On the other hand, if the server is behind a firewall which provides
>very limited access, .... maybe it would be useful..

Putting the server behind your firewall (ie - on your internal network) would put your lan/wan at risk. I would recommend putting the server in front between the router (on the Internet side) and the firewall or (preferably) ensure that the firewall is an applications gateway and has the ability to subnet and then put the server on the subnet.

>
>What do you think? And what do you think about the actual implementation?
>Is it doable?

Doable, sure. Whether you want to or not really depends on the problem you are trying to solve & the type, value & sensitivity of the info you are trying to protect.

>
>Thanks in advance,
>Bill
>
>
>--
> Bill Heiser heiser@world.std.com
>
>
>

Best Regards,

Frank
http://www.fortified.com/fortified

From firewalls-owner Sat Nov 11 11:54:37 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id LAA26188 for firewalls-outgoing; Sat, 11 Nov 1995 11:39:45 -0800 (PST)
Received: from wattres.Watt.COM (wattres.watt.com [204.182.1.133]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id LAA26178; Sat, 11 Nov 1995 11:39:37 -0800 (PST)
Received: by wattres.Watt.COM id AA13060 (5.65c/IDA-1.4.4); Sat, 11 Nov 1995 11:39:49 -0800
Message-Id: <199511111939.AA13060@wattres.Watt.COM>
From: steve@Watt.COM (Steve Watt -- KD6GGD)
Date: Sat, 11 Nov 1995 11:39:48 -0800
Reply-To: steve@Watt.COM (Steve Watt -- KD6GGD)
X-Callsign: KD6GGD
X-Mailer: Mail User's Shell (7.2.3 5/22/91)
To: wvfc-members@greatcircle.com, firewalls@greatcircle.com, auto-faq-users@oasis.novia.net
Subject: Re: Recent Primenet spam
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Amazing! I sent a complaint to postmaster@primenet.com (as well as the person who sent the spam), and got the following reply. Thanks, Primenet!
Apologies to all on the three mailing lists that I'm sending this to; since we all had to suffer with the spam, I thought everyone would like to know the (very positive!) results.

--- Forwarded mail from "James J. Lippard"

Received: from mailhost1.primenet.com by wattres.Watt.COM with SMTP id AA12380 (5.65c/IDA-1.4.4 for ); Sat, 11 Nov 1995 09:32:28 -0800
Received: from usr4.primenet.com (root@usr4.primenet.com [198.68.32.14]) by mailhost1.primenet.com (8.7.1/8.7.1) with ESMTP id DAA18826 for ; Sat, 11 Nov 1995 03:32:08 -0700 (MST)
Received: (from lippard2@localhost) by usr4.primenet.com (8.7.1/8.7.1) id KAA00572 for steve@Watt.COM; Sat, 11 Nov 1995 10:31:15 -0700 (MST)
Date: Sat, 11 Nov 1995 10:31:15 -0700 (MST)
From: "James J. Lippard"
Message-Id: <199511111731.KAA00572@usr4.primenet.com>
To: steve@Watt.COM
Subject: Recent Primenet spam

Greetings! You are receiving this automatic response because you have sent email to postmaster@primenet.com with a subject containing either the word "spam" or the phrase "ARE YOU PREPARED," and are almost certainly complaining about the massive email spam to mailing lists by Primenet user peterqz@primenet.com, Peter Quizert. Excuse me, I mean ex-Primenet user Peter Quizert. His account has been terminated and is being billed for the time required to respond to complaints. We apologize for the net abuse, which is a violation of our user agreement, the relevant section of which is appended below for your information.

If you would like to reply to this message for any reason, you do not need to worry about getting an autoresponse so long as the subject of your message contains "Recent Primenet spam."

Jim Lippard
Web Administrator, Postmaster, and Spam Canceller
Primenet Services for the Internet

21. The following violations of "netiquette" are grounds for immediate suspension of service pending investigation by PRIMENET and will result in termination of the account(s) the investigation determines to have originated or transmitted these types of traffic.

(a) Posting a single article or substantially similar articles to an excessive number of newsgroups (i.e., more than 20) or continued posting of articles which are off-topic (e.g., off-topic according to the newsgroup charter or the article provokes complaints from the regular readers of the newsgroup for being off-topic).

(b) Sending unsolicited mass emailings (i.e., to more than 25 users) which provoke complaints from the recipients.

(c) Engaging in either (a) or (b) from a provider other than PRIMENET and using an account on PRIMENET as a mail drop for responses.

(d) Continued harassment of other individuals on the Internet after being asked to stop by those individuals and by PRIMENET.

(e) Impersonating another user or otherwise falsifying one's user name in email, Usenet postings, on IRC, or with any other Internet service. (This does not preclude the use of nicknames in IRC or the use of anonymous remailer services.)

Users whose accounts are terminated for any of the above infractions are also responsible for the cost of labor to cleanup and respond to complaints incurred by PRIMENET.

--- End of forwarded message from "James J. Lippard"

--
Steve Watt KD6GGD PP-ASEL Packet: KD6GGD @ N0ARY.#NOCAL.CA.USA.NA
ICBM: 121W 56' 53.1" / 37N 20' 16.7" Internet: Home: {root,steve}@Watt.COM
"I am always ready to learn, although I don't always like being taught."
-- Winston Churchill

From firewalls-owner Sun Nov 12 10:34:42 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id KAA17347 for firewalls-outgoing; Sun, 12 Nov 1995 10:02:00 -0800 (PST)
Received: from neon.ingenia.com (neon.ingenia.com [205.207.219.29]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id KAA17342 for ; Sun, 12 Nov 1995 10:01:56 -0800 (PST)
Received: (from shaver@localhost) by neon.ingenia.com (8.6.12/8.6.9) id NAA04510; Sun, 12 Nov 1995 13:19:40 -0500
From: Mike Shaver
Message-Id: <199511121819.NAA04510@neon.ingenia.com>
Subject: Re: Web server / SecurID
To: alan@gi.net (Alan Hannan)
Date: Sun, 12 Nov 1995 13:19:40 -0500 (EST)
Cc: heiser@world.std.com, firewalls@GreatCircle.COM
In-Reply-To: <199511102036.OAA07036@gaijin.mid.net> from "Alan Hannan" at Nov 10, 95 02:35:55 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thus spake Alan Hannan:
> ] I was asked if it's possible to use SecurID to control access
> ] to a web server ... i.e. to provide very limited access to
> ] the information presented on a server.
>
> Yes it's possible.
>
> ] What do you think? And what do you think about the actual implementation?
> ] Is it doable?
>
> I dunno, I do know that ncsa's httpd server has things like this:
>
> # AuthType Basic
> # AuthName By Secret Password Only!
>
>
> Which would imply to me that 'AuthType Basic' could be changed to
> 'AuthType SNK' or 'AuthType SKey' somehow.....

Wouldn't you run into state problems?
The browser authenticates every time it fetches an object from the server, so you'd be forever typing in responses, no?

(You might be able to hack around it whereby the server "remembers" the last response given, and if the user gets it wrong, offers a new challenge. You'd lose that whole OTP thing, though. =) )

Mike

--
#> Mike Shaver (shaver@ingenia.com) Ingenia Communications Corporation <#
#> Technical specialist -- Head geek -- System exorcist <#
#> <#
#> "Have you considered a life? I hear they're quite affordable <#
#> these days." --- shields@tembel.org <#

From firewalls-owner Sun Nov 12 17:53:17 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA00795 for firewalls-outgoing; Sun, 12 Nov 1995 17:29:21 -0800 (PST)
Received: from Fe3.rust.net (Fe3.rust.net [204.157.12.254]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id RAA00790 for ; Sun, 12 Nov 1995 17:29:16 -0800 (PST)
Received: from mh-24.rust.net by Fe3.rust.net via SMTP (940816.SGI.8.6.9/940406.SGI.AUTO) id UAA29784; Sun, 12 Nov 1995 20:39:18 -0800
Date: Sun, 12 Nov 1995 20:39:18 -0800
Message-Id: <199511130439.UAA29784@Fe3.rust.net>
X-Sender: janken@rust.net
X-Mailer: Windows Eudora Version 1.4.3
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Alan Dowd
From: janken@rust.net (Millennium Consulting)
Subject: Re: security policy
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

While your definitions for "Policy," "Standards," "Guidelines," and "Procedures" may be accurate, in my Gov. organization the policies and procedures are both integrated into one document based on audit requirements. Public release of that document would be unacceptable.

Anyone who has ever taken an IBM RACF class can describe IBM's Security Policy. I don't think most would be as knowledgeable of IBM's Procedures even though they were taught the correct IBM defined RACF Security Structures.

Maybe others do not suffer the auditors I do.

Ken

I think you said:
>Greetings, All!
>
>This topic came up last August, with much the same response the Mr.
>Johnson-Bryden produced:
>
>On Thu, 9 Nov 1995, Johnson-Bryden, Ian wrote:
>> If someone has produced a real risk/security policy it should not be
>> released to anyone other than authorised users for obvious reasons. If it is
>> similar to a 'Corporate Mission Statement' it won't be worth much. If it is a
>> fully detailed document which someone has unwisely made public, it should
>> only be meaningful to the owner because of those unique elements to that
>> enterprise, other than it shows how one outfit approached the issues. There
>> are now a range of books which cover risk/security policy generation in
>> varying detail and from different perspectives.
>> Ian J-B
>> ----------
>
>Aside from the fact that an enormous number of security policies and internet
>usage guidelines are freely available on the net, there is a fundamental
>breakdown of communication here. Warren S. Moore, CISSP, produced a good set
>of definitions of terms and I quote his message to provide that
>information once again.
>
>BTW, IMHO the policy must be a public document.
>
>Regards,
> Al Dowd
> dowd@sctc.com secure computing corporation
>
>begin quoted material
><*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>
>
>From: warren.moore@cbis.com Warren Moore
>10 Aug 95 8:10:51 EDT
>List: firewalls-owner@greatcircle.com
>Message-Id: 9508101515.AA4890@notes
>
>John Cougar writes:
>
>>give away a copy of an organisations Security Policy?!? Not only must
>>you be kidding, but also: fat chance. That'd be as negligent as giving
>>away company trade secrets!
>
>I may have missed something here, and certainly not to start a war, but
>that's wrong. Copies of real, in-use, corporate security policies are
>available from many different sources--starting with the Computer Security
>Institute's old "Computer Security Handbook," and the MIS Training
>Institute's "Information Security Resource Manual." (IBM, First American
>National Bank, yadatayada). In some cases they're slightly sanitized, but the
>base document is there. And, there's really no reason not to provide samples
>(if management approves), simply because a true Corporate Security Policy
>statement isn't going to say very much anyway -- it should be nothing more
>than a short statement of what your corporate entity's leaders expect.
>
>Perhaps it's splitting hairs, but many people don't understand (and often
>confuse) the base meanings of the words "Policy," "Standards," "Guidelines,"
>and "Procedures." If you use the definitions below, there's no reason not to
>let people know your policy, but quite a few to guard your standards,
>guidelines, and procedures closely.
>
>Policy: A statement of *what* management expects; not how those expectations
>will be met.
>
>Standard(s): The criteria against which results are to be judged.
>
>Guideline(s): Items that *should* be considered when a particular subject is
>studied and analyzed. Guidelines are not always an exhaustive list, nor are
>they always applicable to all things in all cases.
>
>Procedure(s): A detailed step-by-step description of *how* a job is done,
>defining *who* does *what*. Procedures are written to support policy, meet
>standards, use guidelines when necessary, and *show the way to do something.*
>
>Warren S. Moore, CISSP
>Information Security Specialist
>
>Cincinnati Bell Information Systems Inc.
>
>My Opinions Are Mine Only -- Who Else Would Claim Them?
>
><*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>=<*>
>end quoted material
>
>I don't claim them, but I sure do quote them.
>{ad} ;-)
>
>

From firewalls-owner Sun Nov 12 22:23:17 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id WAA11843 for firewalls-outgoing; Sun, 12 Nov 1995 22:16:47 -0800 (PST)
Received: from westie.gi.net (westie.gi.net [198.247.250.16]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id WAA11838 for ; Sun, 12 Nov 1995 22:16:44 -0800 (PST)
Received: (from alan@localhost) by westie.gi.net (8.7.1/8.7.1) id AAA03444; Mon, 13 Nov 1995 00:13:11 -0600 (CST)
From: Alan Hannan
Message-Id: <199511130613.AAA03444@westie.gi.net>
Subject: Re: Web server / SecurID
To: shaver@neon.ingenia.com (Mike Shaver)
Date: Mon, 13 Nov 1995 00:13:10 -0600 (CST)
Cc: alan@gi.net, heiser@world.std.com, firewalls@GreatCircle.COM
In-Reply-To: <199511121819.NAA04510@neon.ingenia.com> from "Mike Shaver" at Nov 12, 95 01:19:40 pm
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I said the stuff w/ > :)

|I was asked if it's possible to use SecurID to control access
|to a web server ... i.e. to provide very limited access to
|the information presented on a server.
>
> Yes it's possible.
>
|What do you think? And what do you think about the actual implementation?
|Is it doable?
>
> I dunno, I do know that ncsa's httpd server has things like this:
>
> # AuthType Basic
> # AuthName By Secret Password Only!
>
>
> Which would imply to me that 'AuthType Basic' could be changed to
> 'AuthType SNK' or 'AuthType SKey' somehow.....

] Wouldn't you run into state problems?
] The browser authenticates every time it fetches an object from the
] server, so you'd be forever typing in responses, no?

No.

] (You might be able to hack around it whereby the server "remembers"
] the last response given, and if the user gets it wrong, offers a new
] challenge. You'd lose that whole OTP thing, though. =) )

It does 'remember' it, in some manner I've not taken the time to understand.

Regardless, you make a good point, that being that a one time password would be used to authenticate a hybrid 'session' which would really consist of 'N' TCP sessions (those being htgets).

The time has come that a standard is developed for stateful web connections. Is there any work being done in this or do I get to start another group?

From firewalls-owner Sun Nov 12 23:23:17 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id WAA14031 for firewalls-outgoing; Sun, 12 Nov 1995 22:57:24 -0800 (PST)
Received: from SanFrancisco01.POP.InterNex.Net (SanFrancisco01.POP.InterNex.Net [205.158.3.50]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id WAA14024 for ; Sun, 12 Nov 1995 22:57:21 -0800 (PST)
Received: from Anthros.Com ([205.158.235.130]) by SanFrancisco01.POP.InterNex.Net (post.office MTA v1.7 ID# 0-11028) with SMTP id AAA18771 for ; Sun, 12 Nov 1995 22:57:54 -0800
Received: from phoebe.Anthros.Com by Anthros.Com (5.0/SMI-SVR4) id AA07955; Sun, 12 Nov 1995 22:55:37 -0800
Received: by phoebe.Anthros.Com (5.x/SMI-SVR4) id AA03524; Sun, 12 Nov 1995 22:52:59 -0800
Date: Sun, 12 Nov 1995 22:52:59 -0800
From: daemeonr@Anthros.Com@Anthros.Com
Message-Id: <9511130652.AA03524@phoebe.Anthros.Com>
To: firewalls@GreatCircle.COM
Subject: Re: Web server / SecurID
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Re. the following, my reply is applicable ONLY to Netscape Commerce Server: you can use NSAPI to drive any challenge response mechanism. The problem is whether you have to run the requesting process as root or run suid to root. While it may be possible to run a shared library suid, I can't get it to work, and I certainly don't intend to run the whole !@#$ server as root!
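The state problem Mike and Alan are arguing about above (an OTP would otherwise be demanded for every object fetch), shown as an added example that is not code from any poster, from NCSA httpd or from Netscape Commerce Server: the server verifies one S/Key-style one-time password, burns it, and hands back a session token that covers the 'N' fetches that follow. The SHA-256 hash chain (real S/Key uses MD4), the 600-second session lifetime and the sample seed are my own assumptions.

```python
"""S/Key-style OTP login for a web server, verified once per session.

Added example for the thread above (not any poster's code).  Assumptions:
a SHA-256 hash chain stands in for S/Key's MD4 chain, and the session
cookie is a random token with a fixed lifetime.
"""
from typing import Dict, Optional, Tuple
import hashlib
import hmac
import secrets


def skey_chain(seed: bytes, n: int) -> bytes:
    """Return h^n(seed): the seed hashed n times (n = 0 returns the seed)."""
    value = seed
    for _ in range(n):
        value = hashlib.sha256(value).digest()
    return value


class OtpWebAuth:
    """Server side of the scheme.

    For each user the server keeps only the last accepted chain value h^k.
    A login must present h^(k-1); it is accepted when hashing it once gives
    the stored value, and the presented value then replaces it, so the same
    OTP can never be replayed.  Later object fetches carry a session token
    instead of a fresh OTP, which is what saves the user from retyping a
    response for every GET.
    """
    SESSION_TTL = 600.0  # seconds a session token stays valid (assumed)

    def __init__(self) -> None:
        self._last_otp: Dict[str, bytes] = {}
        self._sessions: Dict[str, Tuple[str, float]] = {}

    def enroll(self, user: str, seed: bytes, n: int) -> None:
        """Initialise the user with h^n(seed); the seed itself is not kept."""
        self._last_otp[user] = skey_chain(seed, n)

    def login(self, user: str, otp: bytes, now: float) -> Optional[str]:
        """Verify one OTP; on success burn it and return a session token."""
        stored = self._last_otp.get(user)
        if stored is None:
            return None
        # Constant-time compare of h(otp) against the stored h^k.
        if not hmac.compare_digest(hashlib.sha256(otp).digest(), stored):
            return None
        self._last_otp[user] = otp  # chain advances: this OTP is used up
        token = secrets.token_hex(16)
        self._sessions[token] = (user, now + self.SESSION_TTL)
        return token

    def fetch(self, token: str, now: float) -> Optional[str]:
        """Authorise an object fetch by session token; returns the user."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expiry = entry
        if now > expiry:
            del self._sessions[token]  # expired: the user must log in again
            return None
        return user


def demo() -> dict:
    """Login, five fetches, a replay, a wrong OTP, the next OTP, an expiry.

    The seed and the timestamps are constructed sample values."""
    server = OtpWebAuth()
    seed = b"constructed-example-seed"
    server.enroll("bill", seed, 100)  # server stores h^100
    t0 = 1_000_000.0
    token = server.login("bill", skey_chain(seed, 99), t0)  # client: h^99
    fetches = [server.fetch(token, t0 + i) for i in range(5)]
    replay = server.login("bill", skey_chain(seed, 99), t0 + 10)  # burned
    wrong = server.login("bill", skey_chain(seed, 100), t0 + 11)  # not h^98
    next_login = server.login("bill", skey_chain(seed, 98), t0 + 12)
    expired = server.fetch(token, t0 + OtpWebAuth.SESSION_TTL + 1)
    return {
        "login_ok": token is not None,
        "fetches": fetches,
        "replay_rejected": replay is None,
        "wrong_rejected": wrong is None,
        "next_login_ok": next_login is not None,
        "expired_rejected": expired is None,
    }


if __name__ == "__main__":
    print(demo())
```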
Daemeon Reiydelle

=> From firewalls-owner@GreatCircle.COM Sun Nov 12 21:59 PST 1995
=> From: Mike Shaver
=> Subject: Re: Web server / SecurID
=> To: alan@gi.net (Alan Hannan)
=> Date: Sun, 12 Nov 1995 13:19:40 -0500 (EST)
=> Cc: heiser@world.std.com, firewalls@GreatCircle.COM
=> Mime-Version: 1.0
=> Content-Transfer-Encoding: 7bit
=> Sender: firewalls-owner@GreatCircle.COM
=> Content-Type: text/plain; charset="US-ASCII"
=>
=> Thus spake Alan Hannan:
=> > ] I was asked if it's possible to use SecurID to control access
=> > ] to a web server ... i.e. to provide very limited access to
=> > ] the information presented on a server.
=> >
=> > Yes it's possible.
=> >
=> > ] What do you think? And what do you think about the actual implementation?
=> > ] Is it doable?
=> >
=> > I dunno, I do know that ncsa's httpd server has things like this:
=> >
=> > # AuthType Basic
=> > # AuthName By Secret Password Only!
=> >
=> >
=> > Which would imply to me that 'AuthType Basic' could be changed to
=> > 'AuthType SNK' or 'AuthType SKey' somehow.....
=>
=> Wouldn't you run into state problems?
=> The browser authenticates every time it fetches an object from the
=> server, so you'd be forever typing in responses, no?
=>
=> (You might be able to hack around it whereby the server "remembers"
=> the last response given, and if the user gets it wrong, offers a new
=> challenge. You'd lose that whole OTP thing, though. =) )
=>
=> Mike
=>
=> --
=> #> Mike Shaver (shaver@ingenia.com) Ingenia Communications Corporation <#
=> #> Technical specialist -- Head geek -- System exorcist <#
=> #> <#
=> #> "Have you considered a life? I hear they're quite affordable <#
=> #> these days." --- shields@tembel.org <#

From firewalls-owner Mon Nov 13 00:56:31 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id AAA17516 for firewalls-outgoing; Mon, 13 Nov 1995 00:02:19 -0800 (PST)
Received: from solair1.inter.NL.net (solair1.inter.NL.net [193.78.240.13]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id AAA17509 for ; Mon, 13 Nov 1995 00:02:15 -0800 (PST)
Received: from asp97-24.Amsterdam.NL.net by solair1.inter.NL.net (5.65b/solair1.Inter.NL.net-1.31) id AA12058; Mon, 13 Nov 1995 09:02:29 +0100
Date: Mon, 13 Nov 1995 09:02:29 +0100
Message-Id: <9511130802.AA12058@solair1.inter.NL.net>
X-Sender: avos@solair1.inter.nl.net
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: avos@kpmg.nl (Arjan Vos)
Subject: management of multiple routers
X-Mailer:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

A client of mine has installed a firewall (screened subnet) which consists of a Cisco 7000 router and Suns. These are installed on the subnet. The subnet has its own addressing scheme and within the internal network they are using a private address scheme (192.168.x.x). The configuration works fine.

But, they want other subsidiaries also to be connected to the Internet. They want a Virtual Private Network (frame relay) to connect their several LANs, and through which management of the firewalls must take place. The VPN consists of a Cisco 2500 router: one serial interface for Frame Relay and to their internal network, and one Ethernet interface to the Internet. Security is implemented through use of access lists and filters. We tested the configuration, and it works great.

Now we've got everything working we need to set up a security plan for the configuration. General things like policies, threat analysis and measures have been set up, but they now want the management of routers to be written down. Does anybody have something we can use as a reference?
Can anybody provide me with some information about the way multiple routers can be managed from one single point? E.g. how Ciscoworks must be securely configured, how data can be collected for measurement purposes and problem analyses, etc. How must routers be remotely configured (telnet is good when a change must be made to one router, but we're talking here about twenty-something routers, so complex changes to all routers through telnet are not possible)?

Thanks,
Arjan Vos

From firewalls-owner Mon Nov 13 06:54:25 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id GAA05517 for firewalls-outgoing; Mon, 13 Nov 1995 06:40:52 -0800 (PST)
Received: from most.weird.com (mail.weird.com [204.92.254.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id GAA05512 for ; Mon, 13 Nov 1995 06:40:46 -0800 (PST)
Received: by mail.weird.com via sendmail with stdio id for firewalls@GreatCircle.COM; Mon, 13 Nov 95 09:40:48 -0500 (EST) (/\##/\ Smail3.1.30.13 #30.1 built 9-jul-95)
Message-Id:
Date: Mon, 13 Nov 95 09:40:48 -0500 (EST)
From: woods@most.weird.com (Greg A. Woods)
To: cjolley@iac.net
Cc: firewalls@GreatCircle.COM, postmaster@internic.net, andreas@planix.com
Subject: Re: Internic Port Scanning
In-Reply-To: cjolley@iac.net's message of "Thu, November 9, 1995 12:11:54 -0500" regarding "Internic Port Scanning" id <95Nov13.093053est.29441@seaport.seachange.com>
References: <95Nov13.093053est.29441@seaport.seachange.com>
Reply-To: woods@most.weird.com (Greg A. Woods)
X-Mailer: ViewMail (vm) Version 5.72 (beta) with GNU Emacs 19.28.1 (m68k-sun-sunos4.1.1_U1) of Thu Mar 9 1995 on most
Organization: Planix, Inc.; Toronto, Ontario; Canada
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[ On Thu, November 9, 1995 at 12:11:54 (-0500), cjolley@iac.net wrote: ]
> Subject: Internic Port Scanning
>
> Recently one of my co-workers sent an e-mail to hostmaster@internic.net.
> The message was not delivered immediately and is still waiting at the
> firewall for retry (i.e. every four hours for 5 days). However very
> shortly after the attempt to send this message, our firewall began
> seeing attempts to connect to high _TCP_ (not UDP) port numbers. The
> IP address appears to be that of the InterNic. Does anyone know what's
> going on? Is this the InterNic trying to validate the e-mail as coming
> from my site or might this be someone spoofing the InterNic address
> while trying to do some port scanning?

I wish I knew. I see the high-port connects too. I don't think it's port scanning, esp. not by a spoofer, as it is very very consistent and I've never seen a different high port number during or between conversations.

I suspect the Internic has installed some new software that tries a non-public authentication protocol but they've forgotten that the rest of us don't use this protocol.

I've three messages sitting in the queue for internic.net, the oldest being from Nov. 5. I can only send them very very small messages (i.e. a message that fits in a single packet seems to go, most of the time). I keep getting SMTP 499 read errors after the connection times out while there's still lots of data in the queue.

If anyone can grab their attention long enough to bring this problem to light and get it fixed, please do!

A tcpdump of a conversation with their mailer looks thusly:

20:30:19.414250 most.weird.com.2244 > ops.internic.net.smtp: S 1368064000:1368064000(0) win 4096 (ttl 60, id 42895)
20:30:19.654250 ops.internic.net.smtp > most.weird.com.2244: S 561408000:561408000(0) ack 1368064001 win 4096 (ttl 43, id 22783)
20:30:19.654251 most.weird.com.2244 > ops.internic.net.smtp: . ack 1 win 4096 (ttl 60, id 42898)
20:30:20.074250 ops.internic.net.smtp > most.weird.com.2244: P 1:103(102) ack 1 win 4096 (ttl 43, id 22795)
20:30:20.074251 most.weird.com.2244 > ops.internic.net.smtp: . ack 103 win 4096 (ttl 60, id 42905)
20:30:20.094250 most.weird.com.2244 > ops.internic.net.smtp: P 1:22(21) ack 103 win 4096 (ttl 60, id 42906)
20:30:20.434251 ops.internic.net.smtp > most.weird.com.2244: P 103:182(79) ack 22 win 4096 (ttl 43, id 22801)
20:30:20.474251 most.weird.com.2244 > ops.internic.net.smtp: . ack 182 win 4096 (ttl 60, id 42914)
20:30:20.494250 most.weird.com.2244 > ops.internic.net.smtp: P 22:55(33) ack 182 win 4096 (ttl 60, id 42915)
20:30:20.754254 ops.internic.net.smtp > most.weird.com.2244: . ack 55 win 4096 (ttl 43, id 22806)
20:30:20.934250 ops.internic.net.smtp > most.weird.com.2244: P 182:222(40) ack 55 win 4096 (ttl 43, id 22811)
20:30:21.074250 most.weird.com.2244 > ops.internic.net.smtp: . ack 222 win 4096 (ttl 60, id 42944)
20:30:21.194250 most.weird.com.2244 > ops.internic.net.smtp: P 55:90(35) ack 222 win 4096 (ttl 60, id 42945)
20:30:21.454250 ops.internic.net.smtp > most.weird.com.2244: P 222:240(18) ack 90 win 4096 (ttl 43, id 22819)
20:30:21.474250 most.weird.com.2244 > ops.internic.net.smtp: . ack 240 win 4096 (ttl 60, id 42948)
20:30:21.494250 most.weird.com.2244 > ops.internic.net.smtp: P 90:96(6) ack 240 win 4096 (ttl 60, id 42949)
20:30:21.854251 ops.internic.net.smtp > most.weird.com.2244: P 240:290(50) ack 96 win 4096 (ttl 43, id 22820)
20:30:21.874250 most.weird.com.2244 > ops.internic.net.smtp: . ack 290 win 4096 (ttl 60, id 42952)
20:30:22.674252 most.weird.com.2244 > ops.internic.net.smtp: P 96:562(466) ack 290 win 4096 (ttl 60, id 42955)
20:30:23.054253 ops.internic.net.14880 > most.weird.com.29797: R 0:0(0) ack 1 win 0 (ttl 44, id 0)
20:30:23.974250 most.weird.com.2244 > ops.internic.net.smtp: P 96:562(466) ack 290 win 4096 (ttl 60, id 42977)
20:30:24.414251 ops.internic.net.14880 > most.weird.com.29797: R 0:0(0) ack 1 win 0 (ttl 44, id 0)
20:30:26.974250 most.weird.com.2244 > ops.internic.net.smtp: P 96:562(466) ack 290 win 4096 (ttl 60, id 42980)
20:30:27.394250 ops.internic.net.14880 > most.weird.com.29797: R 0:0(0) ack 1 win 0 (ttl 44, id 0)
20:30:32.974250 most.weird.com.2244 > ops.internic.net.smtp: P 96:562(466) ack 290 win 4096 (ttl 60, id 42981)
20:30:33.394250 ops.internic.net.14880 > most.weird.com.29797: R 0:0(0) ack 1 win 0 (ttl 44, id 0)
20:30:44.976250 most.weird.com.2244 > ops.internic.net.smtp: P 96:562(466) ack 290 win 4096 (ttl 60, id 43011)
20:30:45.416250 ops.internic.net.14880 > most.weird.com.29797: R 0:0(0) ack 1 win 0 (ttl 44, id 0)
20:31:08.976250 most.weird.com.2244 > ops.internic.net.smtp: P 96:562(466) ack 290 win 4096 (ttl 60, id 43110)
20:31:09.356255 ops.internic.net.14880 > most.weird.com.29797: R 0:0(0) ack 1 win 0 (ttl 44, id 0)
20:31:56.980251 most.weird.com.2244 > ops.internic.net.smtp: P 96:562(466) ack 290 win 4096 (ttl 60, id 43312)
20:31:57.360250 ops.internic.net.14880 > most.weird.com.29797: R 0:0(0) ack 1 win 0 (ttl 44, id 0)
20:33:00.984251 most.weird.com.2244 > ops.internic.net.smtp: P 96:562(466) ack 290 win 4096 (ttl 60, id 43568)
20:33:01.384251 ops.internic.net.14880 > most.weird.com.29797: R 0:0(0) ack 1 win 0 (ttl 44, id 0)
20:34:04.988251 most.weird.com.2244 > ops.internic.net.smtp: P 96:562(466) ack 290 win 4096 (ttl 60, id 43883)
20:34:05.348250 ops.internic.net.14880 > most.weird.com.29797: R 0:0(0) ack 1 win 0 (ttl 44, id 0)
20:35:08.990250 most.weird.com.2244 > ops.internic.net.smtp: P 96:562(466) ack 290 win 4096 (ttl 60, id 44332)
20:35:09.330250 ops.internic.net.14880 > most.weird.com.29797: R 0:0(0) ack 1 win 0 (ttl 44, id 0)
20:36:12.974250 most.weird.com.2244 > ops.internic.net.smtp: P 96:562(466) ack 290 win 4096 (ttl 60, id 44843)
20:36:13.334250 ops.internic.net.14880 > most.weird.com.29797: R 0:0(0) ack 1 win 0 (ttl 44, id 0)
20:37:16.978250 most.weird.com.2244 > ops.internic.net.smtp: P 96:562(466) ack 290 win 4096 (ttl 60, id 45241)
20:37:17.378250 ops.internic.net.14880 > most.weird.com.29797: R 0:0(0) ack 1 win 0 (ttl 44, id 0)
20:38:20.982250 most.weird.com.2244 > ops.internic.net.smtp: P 96:562(466) ack 290 win 4096 (ttl 60, id 45565)
20:38:21.342251 ops.internic.net.14880 > most.weird.com.29797: R 0:0(0) ack 1 win 0 (ttl 44, id 0)
20:39:24.986256 most.weird.com.2244 > ops.internic.net.smtp: R 562:562(0) ack 290 win 4096 (ttl 60, id 46068)

--
Greg A. Woods +1 416 443-1734 VE3TCP robohack!woods
Planix, Inc. ; Secrets of the Weird

From firewalls-owner Mon Nov 13 07:42:41 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id GAA05878 for firewalls-outgoing; Mon, 13 Nov 1995 06:49:14 -0800 (PST)
Received: from nutpagw.nutec.tche.br ([200.248.249.99]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id GAA05871 for ; Mon, 13 Nov 1995 06:49:04 -0800 (PST)
Received: (from root@localhost) by nutpagw.nutec.tche.br (8.6.9/8.6.9) id NAA03559 for ; Mon, 13 Nov 1995 13:47:09 -0200
Received: from unknown(200.17.174.65) by nutpagw.nutec.tche.br via smap (V1.3) id sma003552; Mon Nov 13 13:46:42 1995
Received: from canario by nutecpa.nutec.tche.br id aa13104; 13 Nov 95 12:50 BRA
Received: from dodo by canario.canario.nutec.com.br id aa06433; 13 Nov 95 9:10 GMT
Comments: Authenticated sender is
From: Fernando da Silveira Montenegro
Organization: Nutec Informática S.A.
To: firewalls@greatcircle.com Date: Mon, 13 Nov 1995 07:10:13 -0300 Subject: Re: transparent proxies Reply-to: silveira@canario.nutec.tche.br X-mailer: Pegasus Mail for Windows (v2.10) Message-ID: <9511130910.aa06433@canario.canario.nutec.com.br> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi everybody! A few weeks ago there was a thread about transparent proxies, and nobody mentioned Socks. I wonder why not? If the Sockscap effort bears fruit, we would have a WINSOCK.DLL level mechanism, thus invisible to the applications that use it. Any thoughts? Fernando -- Fernando da Silveira Montenegro E-mail: silveira@nutec.com.br Nutec Informatica S.A. Phone.: +55-11-505-5728 Rua Florida, 1821/11th floor Fax...: +55-11-505-1918 Sao Paulo, SP BRAZIL 04565-001 From firewalls-owner Mon Nov 13 08:23:17 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA08884 for firewalls-outgoing; Mon, 13 Nov 1995 08:02:24 -0800 (PST) Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id IAA08878 for ; Mon, 13 Nov 1995 08:02:20 -0800 (PST) Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id KAA29723 for ; Mon, 13 Nov 1995 10:41:01 -0600 Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id KAA29717 for ; Mon, 13 Nov 1995 10:41:00 -0600 Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id KAA24161; Mon, 13 Nov 1995 10:03:08 -0600 (CST) Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id KAA04939; Mon, 13 Nov 1995 10:03:08 -0600 From: Rick Smith Message-Id: <199511131603.KAA04939@shade.sctc.com> Subject: Secure Computing Stock Offering To: firewalls@greatcircle.com Date: Mon, 13 Nov 1995 10:03:08 -0600 (CST) Cc: smith@sctc.com (Rick Smith) X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 

This isn't strictly on topic, but I suspected people might find it interesting. IMHO it would be inappropriate to start a thread on this.

Secure Computing Corporation is making an initial public offering of about 1.85 million shares of stock. The initial offering price hasn't been set yet but is supposed to be between $12 and $15. The stock is currently scheduled to start trading this Friday, subject to whatever controls such matters (i.e., if there's a crash between then and now they might delay it a bit). Underwriters are Piper-Jaffray and Robertson-Stephens.

If you want to see a prospectus, I'm told you can get them from your favorite broker. It goes into gory detail about risks, more risks, financials, and so on. I'm not going to comment on such things since the prospectus is the official, legal expression of such things and the SEC takes public statements Very Seriously.

Rick.
smith@sctc.com    secure computing corporation

From firewalls-owner Mon Nov 13 08:57:49 1995
Message-Id: <199511131537.IAA24253@fountain.village.org>
To: firewalls@greatcircle.com
Subject: (summary) rfc-1597 addresses and transparent proxies
Date: Mon, 13 Nov 1995 08:37:37 -0700
From: Dieter Dworkin Muller

The answers to my questions about transparent proxying fell into these categories:

- There's this wonderful commercial/shareware product that does exactly what you want.

  Some of these were quite attractive, particularly the shareware package for $50 which apparently runs standalone on a PC. It's available from ftp://ftp.coast.net/SimTel/msdos/network/iprv078.zip

  Most of these packages do address translation on the fly. Some have application-level proxies, most don't (the kernel does the protocol-level translation where needed). The basic gist is that everybody has complete, transparent Internet access.

- What you want to do is too complicated. Go with something simpler, like the FWTK (or SOCKS, or whatever) and teach your users or their applications how to use the firewall.

  As stated, this is not an option.

At this point, I'm going to roll my own (and put the results up for others to use). I'll probably start with BIND, and add in the additional bits that I need. I have no reason to believe this will ever become a stock part of BIND, so I will do my best to make it easy to add to new versions.
The actual proxies will be mostly based on the proxies we're using now (tcp-relay for telnet, ftp, and other relatively simple protocols, and the CERN caching server for http/gopher/wais). I don't like depending on the CERN server for security-type things, so I might just hack tcp-relay to do the actual proxy work, and have it go to the CERN server to handle caching. Kind of convoluted, but less ugly than trying to prove CERN code correct.

One additional feature of what I'm planning, that became a requirement once we thought of it, is that if someone *does* manage to break in, any outgoing connection they make A) has to be preceded by a DNS lookup, and B) can/will be logged (I plan on logging all connections). This should make tracking down crackers just a little bit easier. Once we thought of this, the idea of blind automatic translation became much less attractive.

Dworkin

From firewalls-owner Mon Nov 13 10:11:00 1995
Date: Mon, 13 Nov 1995 18:38:17 +0100
From: Laurent Balzinger - Centre Reseau Communication - Universite Louis Pasteur
Message-Id: <199511131738.SAA27673@crc.u-strasbg.fr>
To: firewalls@GreatCircle.COM
Subject: Firewalls and 802.10 switched network

I'm studying internal firewalls in a university network. I found some interest in using 802.10 switched technologies.
The major problem for me is to understand how I can:

+ share common resources between communities (VLANs) without having, for one server, a NIC/community?
+ manage a user who is part of more than one community?
+ keep filtering capacity onto protocol's services?

Thanks for any help.

Laurent.

From firewalls-owner Mon Nov 13 13:23:18 1995
From: Chris Tyler
To: firewalls@greatcircle.com
Date: Mon, 13 Nov 1995 15:47 EST
Subject: Microsoft's Latest
Message-ID: <30a7aed40.90d@devel.dejong.com>

At least the Java designers gave some thought to security...

From today's http://techweb.cmp.com/techweb/ia/dailies/daily.htm, Microsoft is releasing tools to permit OLE controls (OCX's) to be inserted into web documents downloaded with the M$ Internet Explorer.

Should keep life interesting.

Chris Tyler   Chris@DeJong.Com   CTyler@Oxford.Net
Systems Development Manager, Wm. De Jong Enterprises Inc.
+1-519-424-9007 / fax +1-519-424-2399

From firewalls-owner Mon Nov 13 13:53:18 1995
Date: Mon, 13 Nov 95 15:49 EST
From: "TMOONEY.UMI.COM"
To: firewalls@greatcircle.com
Subject: Vendor Product Access

A vendor of an on-line database asks that we open our firewall to their entire Class B address space for both UDP and TCP on ports 8000 thru 9120.

I have been asked to quantify the risks involved. My initial list includes:

Why do they need their entire Class B? This allows ANYONE in their domain access.

Why do they want 1120 ports of both UDP or TCP? This seems a little large to me.

Any words of wisdom from admins "who have been there" that I can use to bolster my initial "This is a BAD IDEA" reaction to upper management would be appreciated.
Thanks,
Tom Mooney
Senior UNIX System Administrator

From firewalls-owner Mon Nov 13 14:53:18 1995
Date: Mon, 13 Nov 95 15:50:00 EST
From: "Dave Druitt"
Message-Id: <9510138163.AA816306782@GWFX1.sysorex.com>
To: firewalls@GreatCircle.COM
Subject: More VIRUS WARNINGS!!

We've got a few more "unique" strains of viruses out here in California (don't worry, most require a warm, polluted, overpopulated climate to survive) -

San Andreas Virus - computer shakes violently for about 20-45 seconds. Occasional shaking occurs randomly for the next few months.

Zuma Beach Virus - "duuude" gets appended to all text files.

405 Virus - the hard drive slows to a crawl whenever user is in a hurry. No effect when time is of no consequence.

Smog Alert Virus - soundcard emits a choking sound and monitor becomes bloodshot.

King Virus - LAPD come by and beat the crap out of your computer.

Simpson Virus - your computer deletes a couple of files unexpectedly, dominates all net traffic for 14 months and then announces that it is searching for another virus.

NFL Virus - all data in LA is uploaded to other cities.

Beach Dwellers Virus - machine looks great but CPU doesn't work. Not to be confused with the...

Valley Girl Virus - machine has all the latest icons but CPU doesn't work. Also, computer wants to go to the mall, a lot.
Rodeo Drive Virus - Land lines no longer work. A cellular modem is now required. All peripherals need to be upgraded to most expensive models available.

Hipster Virus - all data transmitted via a pager.

Teenage Virus - machine spends enormous amounts of time on-line, wants to drive the car. Also note that machine becomes either inactive and quiet OR loud and disagreeable in presence of adults. (Warning - this virus not limited to SoCal!)

Be on the lookout,

Dave Druitt
Senior Systems Engineer
Unix Specialist
Sysorex Information Systems
(usual disclaimer)
_________________________________________
erotic: using a feather as a sex toy
kinky: using the whole duck!

From firewalls-owner Mon Nov 13 16:23:18 1995
From: Alan Hannan
Message-Id: <199511140014.SAA14053@westie.gi.net>
Subject: Re: Vendor Product Access
To: TMOONEY@umi.com (TMOONEY.UMI.COM)
Date: Mon, 13 Nov 1995 18:14:24 -0600 (CST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "TMOONEY.UMI.COM" at Nov 13, 95 03:49:00 pm

] A vendor of an on-line database asks that we open our firewall to their entire
] Class B address space for both UDP and TCP on ports 8000 thru 9120.
]
] I have been asked to quantify the risks involved. My initial list includes:
]
] Why do they need their entire Class B? This allows ANYONE in their domain
] access.
]
] Why do they want 1120 ports of both UDP or TCP?
] This seems a little large to
] me.
]
] Any words of wisdom from admins "who have been there" that I can use to
] bolster my initial "This is a BAD IDEA" reaction to upper management would be
] appreciated.

This is laughable. Tell them to get stuffed. It totally goes against most modern network security policy.

A/ they assume that all nodes on their network can be watched w/ enough assurance that you are secure?

B/ IMHO a proper on-line database would use one IP address, and one port, and most likely one protocol (ie TCP). I could maybe see using two or three of one of the above (*cough* dns), but 1120 + 2^16 + 2? I don't think so.

-alan

From firewalls-owner Mon Nov 13 16:53:18 1995
Message-Id: <199511132357.PAA04704@lint.cisco.com>
Date: Mon, 13 Nov 1995 18:59:20 -0500
To: "TMOONEY.UMI.COM"
From: Paul Ferguson
Subject: Re: Vendor Product Access
Cc: firewalls@GreatCircle.COM

At 03:49 PM 11/13/95 EST, TMOONEY.UMI.COM wrote:
>
>A vendor of an on-line database asks that we open our firewall to their entire
>Class B address space for both UDP and TCP on ports 8000 thru 9120.
>
>I have been asked to quantify the risks involved. My initial list includes:
>
>Why do they need their entire Class B? This allows ANYONE in their domain
>access.
>
>Why do they want 1120 ports of both UDP or TCP? This seems a little large to
>me.
>
>Any words of wisdom from admins "who have been there" that I can use to
>bolster my initial "This is a BAD IDEA" reaction to upper management would be
>appreciated.
>
>Thanks,
>Tom Mooney
>Senior UNIX System Administrator
>

Okay, "This is a Bad Idea."

The gaping hole approach to network security.

- paul

--
Paul Ferguson
Consulting Engineering
Reston, Virginia USA
tel: +1.703.716.9538
e-mail: pferguso@cisco.com
cisco Systems

From firewalls-owner Mon Nov 13 19:53:18 1995
Date: Mon, 13 Nov 95 22:36:58 -0500
Message-Id: <9511140336.AA22372@su1.in.net>
To: "TMOONEY.UMI.COM"
From: frankw@in.net (Frank Willoughby)
Subject: Re: Vendor Product Access
Cc: firewalls@GreatCircle.com

>
>
>A vendor of an on-line database asks that we open our firewall to their entire
>Class B address space for both UDP and TCP on ports 8000 thru 9120.
>
>I have been asked to quantify the risks involved. My initial list includes:
>
>Why do they need their entire Class B? This allows ANYONE in their domain
>access.
>
>Why do they want 1120 ports of both UDP or TCP? This seems a little large to
>me.
>
>Any words of wisdom from admins "who have been there" that I can use to
>bolster my initial "This is a BAD IDEA" reaction to upper management would be
>appreciated.
>
>Thanks,
>Tom Mooney
>Senior UNIX System Administrator
>

Tom,

Mildly putting it - "They are out of their minds" (although you may want to rephrase this to be somewhat more diplomatic). A connection between their database & your internal LAN/WAN through your firewall configured as you mentioned puts your internal LAN/WAN at a serious risk.

Assuming you have no other choice in the matter & your manager says make the connection or find another job, there are almost always alternatives to ugly situations:

1) Send a mail (cc: to yourself and at least one other trustworthy person) indicating the risks and your disapproval of the connection. Print out the mail, sign & date it, and mail it to your home address. Take the unopened envelope and file it away for safekeeping (you may need it if anything ever happens).

2) Find a way to minimize the risk (& hope for the best). There are a few ways of minimizing the risk, but the least risky one that comes to mind right now (10pm) is to have the connection tied to an isolated network segment (ie - isolated = not connected to any other networks, all network connections taped up, etc.) where the db info is accessed and transferred via sneakernet to your internal LAN/WAN. This segment can be protected by your outside router or a firewall with subnetting capability. (If you decide to go this route, make *Very* sure you are very careful about setting up your rules.) Triple-check your work and then have a second person confirm your configuration is correct.

If you want a long song & dance on the risks of what they are proposing, either grab a copy of Cheswick & Bellovin's wonderful book entitled "Firewalls & Internet Security" or send me a mail.
The above comes from my experience in a previous life as a National Information Security Operations Officer for a major high-tech company where I have had to handle similar problems as the one you posed. (Some were actually pretty bizarre, but that's another story...)

Best Regards,

Frank

PS - If you need any more help on this, drop me a line with your phone number & I will try to help you more.

Fortified Networks Inc.    http://www.fortified.com/fortified
Expert Management & Information Security Consulting
The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.

From firewalls-owner Tue Nov 14 05:23:18 1995
From: don.turner@lfs.loral.com
Message-Id: <9511141257.AA25420@inetgw.fsc.ibm.com>
Date: Tue, 14 Nov 95 07:56:13 EST
To: firewalls@greatcircle.com
Subject: NO SUBJECT

*** Reply to note of 11/14/95 01:59
From: Don Turner
Subject: NO SUBJECT

I cannot think of a reason for that range of ports unless they were doing X. It selects random port assignments, doesn't it?

I agree, it is a GAPING hole in your security that should definitely be avoided. No sense in making it easier for trouble to find you.

Don Turner
DekaTron Corp.
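Tom asked for a way to quantify the risk, and the replies above boil down to one server, one inside host, one protocol, one port. The following is an added example (not code from the list or from any firewall product) that counts the flows a proposed rule admits and lists the review findings; the vendor network, the inside network and the single port of the narrow alternative are constructed placeholders, since the thread does not name them.

```python
"""Quantify a proposed firewall opening, as Tom's message asks.

Added example, not code from the list or from any firewall product. The vendor
network, the internal destination and the single port in the narrow alternative
are constructed placeholders: the thread does not name them (and Ken's follow-up
explains why it should not).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One allow rule: which outside network may reach which inside hosts."""
    source: str            # outside network allowed in, CIDR
    destination: str       # inside hosts it may reach, CIDR
    protocols: frozenset   # subset of {"tcp", "udp"}
    first_port: int
    last_port: int

    def port_count(self) -> int:
        # Inclusive range: 8000 thru 9120 admits 1121 distinct ports.
        return self.last_port - self.first_port + 1


def exposure(rule: Rule) -> int:
    """Distinct (source host, destination host, protocol, port) tuples the rule admits.

    Each tuple is one flow the firewall would pass without inspection, so the
    ratio between two rules' counts says how much larger one hole is than the other.
    """
    src = ipaddress.ip_network(rule.source, strict=True)
    dst = ipaddress.ip_network(rule.destination, strict=True)
    return src.num_addresses * dst.num_addresses * len(rule.protocols) * rule.port_count()


def review(rule: Rule) -> list:
    """Findings to raise before the rule goes in; an empty list means none."""
    findings = []
    src = ipaddress.ip_network(rule.source, strict=True)
    dst = ipaddress.ip_network(rule.destination, strict=True)
    if src.num_addresses > 1:
        findings.append(f"source {src} admits {src.num_addresses} addresses: "
                        "ask for the address of the one server the service runs on")
    if dst.num_addresses > 1:
        findings.append(f"destination {dst} exposes {dst.num_addresses} inside hosts: "
                        "pin the rule to the host that actually talks to the database")
    if rule.port_count() > 1:
        findings.append(f"{rule.port_count()} ports: require written justification for each")
    if "udp" in rule.protocols:
        findings.append("UDP has no handshake, so the filter cannot tie a packet to a "
                        "session the inside opened: drop it unless the vendor shows a need")
    if len(rule.protocols) > 1:
        findings.append("one service normally needs one protocol: allow only the documented one")
    return findings


# The request as posted: a whole Class B, both protocols, ports 8000 thru 9120.
VENDOR_REQUEST = Rule("10.0.0.0/16", "172.16.0.0/16", frozenset({"tcp", "udp"}), 8000, 9120)
# What the replies recommend instead: one server, one inside host, one protocol, one port.
NARROW_ALTERNATIVE = Rule("10.0.5.7/32", "172.16.9.20/32", frozenset({"tcp"}), 8000, 8000)


def ratio(wide: Rule, narrow: Rule) -> int:
    """How many times larger the wide rule's hole is than the narrow one's."""
    return exposure(wide) // exposure(narrow)


if __name__ == "__main__":
    for name, rule in (("vendor request", VENDOR_REQUEST),
                       ("narrow alternative", NARROW_ALTERNATIVE)):
        print(f"{name}: {exposure(rule):,} admissible flows")
        for finding in review(rule):
            print("  -", finding)
    print(f"the request is {ratio(VENDOR_REQUEST, NARROW_ALTERNATIVE):,} times larger")
```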
From firewalls-owner Tue Nov 14 05:53:18 1995
Message-Id: <9511141252.AA00402@olivea.ATC.Olivetti.Com>
Date: Tue, 14 Nov 1995 05:49:22 -0800
To: firewalls@GreatCircle.COM
From: j.favia@olibari.ico.olivetti.com (Joseph Favia)
Subject: Security setup

Hello Everybody,

I have the following setup to handle and for which to provide a 'security solution'.

A WWW service is to be established on a UNIX server which will provide info to remote users. These users will mostly be dial-up (PPP) users. Basically we have no private network to protect (yet); we only have the Unix machine to protect.

The available data is classified as:
a.) data for general public
b.) restricted data

The restricted data is to be made available only to authorized users. The other data can be accessed by anyone. Therefore we need both authentication of user (client) and encryption to make the restricted data confidential.
Server authentication is desirable but not mandatory.

We may have some local users but that's not clear at the moment. At any rate, they will be handled as authorized users. We expect most of the users to be running a PC to contact the server.

It is probable that other services be supported in the future (FTP, TELNET, etc.). These will probably require other authentication mechanisms, best if the same. Usage of specific software at client sites is not much of a problem.

I have yet to hear about any product that supports client to server encryption. Maybe I've missed something somewhere.

I would appreciate any advice that people are willing to provide, including indications of products/freeware/shareware/etc. that would be useful.

Thanks in advance.

Joseph Favia Jr.
Laboratorio di Traffic Engineering
OLIVETTI Ricerca S.C.p.A.
Via Fanelli, 206/16
70124 BARI - Italy
Phone : +39 80 5093-247
FAX   : +39 80 5093-272
E-mail: j.favia@olibari.ico.olivetti.com

From firewalls-owner Tue Nov 14 07:02:59 1995
Date: Tue, 14 Nov 1995 09:48:10 -0800
Message-Id: <199511141748.JAA18869@Fe3.rust.net>
To: "TMOONEY.UMI.COM"
From: janken@rust.net (Kenneth J. Stephens)
Subject: Re: Vendor Product Access
Cc: firewalls@greatcircle.com

I hate to be a pain in the (insert lower body part) but you can't implement this addressing scheme now even if you wanted to. You have just told between 6000 and 15000 people that UMI.COM may open ports 8000 thru 9120 to an online database vendor's class C address for UDP and TCP. How long do you think it would take to crack the unknown online database vendor's identity and then their class C address.

Please folks let's be a little discreet about what gets posted here. The information is available to almost anyone via the mailing list, digest or archives.

Yes the idea of opening up this much of a hole in your firewall is dangerous. Make the vendor document/justify every single port address they need, IN WRITING. Get your management to sign your strongly worded damage/destruction disclaimer before you carry out their "ordered" destruction of your data security. File the disclaimer in your safe-deposit box for the inevitable day you will need it.

Ken

I think you said:
>
>
>A vendor of an on-line database asks that we open our firewall to their entire
>Class B address space for both UDP and TCP on ports 8000 thru 9120.
>
>I have been asked to quantify the risks involved. My initial list includes:
>
>Why do they need their entire Class B? This allows ANYONE in their domain
>access.
>
>Why do they want 1120 ports of both UDP or TCP? This seems a little large to
>me.
>
>Any words of wisdom from admins "who have been there" that I can use to
>bolster my initial "This is a BAD IDEA" reaction to upper management would be
>appreciated.
>
>Thanks,
>Tom Mooney
>Senior UNIX System Administrator
>

Ken Stephens
Senior Capacity Planner/Data Security Officer
email: Ken_Stephens@miconsulting.com             Voice (313) 876-5081
Michigan Employment Security Commission (MESC)    Fax (313) 876-6827
7th Fl. I.S.
7310 Woodward Ave
Detroit, MI 48202

Millennium Consulting          Your Security Policy is only
28234 Diesing Dr.              as strong as your organization's
Madison Heights, MI 48071      commitment to it.

From firewalls-owner Tue Nov 14 07:23:18 1995
From: SZAXAR@itco.msk.su
To: firewalls@greatcircle.com
Date: Tue, 14 Nov 1995 17:15:24 +0400
Subject:
Message-ID: <139D3E71AF4@pluto.itco.msk.su>

From firewalls-owner Tue Nov 14 08:32:06 1995
Message-Id: <199511141558.HAA09820@miles.greatcircle.com>
Date: Tue, 14 Nov 1995 10:56:44 -0500
From: gary flynn
To: firewalls@greatcircle.com
Subject: HPUX client program for OPIE/SKEY???

Anyone know of an hp/ux client program to use with a firewall using OPIE authentication? I'd prefer one that has a good user interface (i.e. an X product similar to the winkeys program for MS Windows) and one that works with MD5. I think I understand that S/key only supports MD4 so using an S/Key client would make me use MD4 on OPIE. But I'll take whatever I can get :-)

TIA,
Gary Flynn
James Madison University

From firewalls-owner Tue Nov 14 08:33:47 1995
Message-Id: <9511141544.AA10068@telxon.mis.telxon.com>
From: jwojn@telxon.mis.telxon.com (Wojno, Jim)
Date: Tue, 14 Nov 1995 11:04 EST
To: firewalls@greatcircle.com
Subject: RE: Vendor Product Access

How about a modem? This gives a single point of entry, while only allowing a single user access.
Jim Wojno
Systems Administrator
Telxon Corporation

_________________Begin included text______________________________
A vendor of an on-line database asks that we open our firewall to their entire Class B address space for both UDP and TCP on ports 8000 thru 9120.

I have been asked to quantify the risks involved. My initial list includes:

Why do they need their entire Class B? This allows ANYONE in their domain access.

Why do they want 1120 ports of both UDP or TCP? This seems a little large to me.

Any words of wisdom from admins "who have been there" that I can use to bolster my initial "This is a BAD IDEA" reaction to upper management would be appreciated.

Thanks,
Tom Mooney
Senior UNIX System Administrator
_________________End included text__________________________________

From firewalls-owner Tue Nov 14 09:13:15 1995
Date: Tue, 14 Nov 1995 11:30:48 -0500 (EST)
To: firewalls@greatcircle.com (Firewalls Mailing List)
Subject: Re: Vendor Product Access
From: "Mike O'Connor"
Reply-To: "Mike O'Connor"
Message-Id: <951114113048.mjo@dojo>

:I hate to be a pain in the (insert lower body part) but you can't implement
:this addressing scheme now even if you wanted to. You have just told
:between 6000 and 15000 people that UMI.COM may open ports 8000 thru 9120 to
:an online database vendor's class C address for UDP and TCP. How long do
:you think it would take to crack the unknown online database vendor's
:identity and then their class C address.
It depends on the nature of their link to their online database vendor, obviously. I employ firewall technologies for non-Internet private IP links, and umi.com may well do the same sort of thing.

--
Michael J. O'Connor
Internet: mjo@dojo.mi.org   InterNIC WHOIS: MJO   http://www.coast.net/~mjo
"Existence is not only temporary, it's pointless!" -Calvin

From firewalls-owner Tue Nov 14 09:24:26 1995
From: "Anthony.W.Youngman"
To: _firewalls
Subject: Re: security policy
Date: Tue, 14 Nov 95 16:04:00 GMT
Message-ID: <30A8C009@london.ecaltd.com>

My mailer says Ken said

[definition of "security through obscurity" deleted]

In order to break into a system, a hacker needs to know the following:

(1) What protocols, encryption methods, operating systems etc are being used. (The burglary analogy is "where is the entrance")

(2) What are the keys, passwords, etc to get in (the burglary analogy is "how do I break the window or force the door").

IMHO, anything relying on (1) is security through obscurity, anything relying on (2) is "real" security. And as most attacks appear to be inside jobs, any administrator expecting obscurity to provide a decent defence lives in cloud cuckoo land. By all means try and hide everything you can from a potential attacker, but it's safest to assume the only thing he lacks is the key to the lock.
If they won't tell you why it IS secure, then it probably isn't. Our banks are wonderful at "we can't tell you how we keep our data secure. It's part of our security". Pretty useless against an inside job.

From firewalls-owner Tue Nov 14 11:23:20 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id LAA15395 for firewalls-outgoing; Tue, 14 Nov 1995 11:17:02 -0800 (PST)
Received: from kandiyohi.westlan.com (mail1.westpub.com [163.231.238.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id LAA15390 for ; Tue, 14 Nov 1995 11:16:59 -0800 (PST)
From: jwilde@westmail.com
Received: by kandiyohi.westlan.com (AIX 3.2/UCB 5.64/4.03) id AB07548; Tue, 14 Nov 1995 13:03:16 -0600
Received: by westlan.com via smwrap Version 2.1 id smwrapI3oB4o; Tue Nov 14 13:02:52 1995 id AA06416; Tue, 14 Nov 1995 13:14:51 -0600
Message-Id: <9511141914.AA06416@westlan.com>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Date: Tue, 14 Nov 95 13:16:38 -0600
Subject: NTP through a firewall
To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I was wondering if there would be any security concerns about using my firewall as an NTP Server for the rest of our network. I was thinking of opening a UDP port for NTP (network time protocol) and allowing only my time provider to talk to the firewall via NTP through a generalized proxy. My question is this: would this open a security hole? Wouldn't the NTP Server (our firewall) go out and get the time when it is specified? Any comments would be appreciated.
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
_/ Jeff Wilde              West Publishing                _/
_/ jwilde@westpub.com      Systems Engineer               _/
_/ Eagan, MN USA           Tech Support Communications    _/
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/

From firewalls-owner Tue Nov 14 11:58:39 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id LAA16724 for firewalls-outgoing; Tue, 14 Nov 1995 11:48:06 -0800 (PST)
Received: from hal.saic.com (HAL.SAIC.COM [149.8.83.18]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id LAA16718 for ; Tue, 14 Nov 1995 11:48:03 -0800 (PST)
Received: (from roberts@localhost) by hal.saic.com (8.6.10/8.6.9) id TAA19529; Tue, 14 Nov 1995 19:51:42 GMT
Date: Tue, 14 Nov 1995 14:51:42 -0500 (EST)
From: tom roberts
To: firewalls@greatcircle.com
Subject: Configuration
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have been trying to configure the TIS FWTK on a HP-UX 9.05 machine for about a week now. I have everything compiled and placed in the proper directories. When trying to use the services, I receive the following errors in the syslog:

    netacl [249] deny host=unknow service=in.telnetd
    tn-gw [272] deny host=unknown ues of gateway
    ftp-gw[297] deny host=unknown use of gateway
    netacl [293] deny host=unknown service=in.ftp

The following is the message received at the client end:

    ftp service not available: remote server has closed the connection (standard ftp port)
    500 unknown not authorized to use FTP proxy (FWTK port)

I have the authsrv set to run off port 180 and the tn-gw is set to use this for authentication. I am out of ideas on how to make this thing work. If anyone has any suggestions, I am all ears.....
thanks,
tpr

From firewalls-owner Tue Nov 14 12:00:04 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id LAA15234 for firewalls-outgoing; Tue, 14 Nov 1995 11:09:02 -0800 (PST)
Received: from uu11.psi.com (uu11.psi.com [38.8.24.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id LAA15223 for ; Tue, 14 Nov 1995 11:08:37 -0800 (PST)
Received: from gate.funb.com by uu11.psi.com (5.65b/4.0.940727-PSI/PSINet) via SMTP; id AA10515 for firewalls@GreatCircle.COM; Tue, 14 Nov 95 14:08:51 -0500
Received: by funb.com (4.1/SMI-4.1) id AA14930; Tue, 14 Nov 95 14:08:50 EST
Received: from cm_mailhost.capmark.funb.com by gate via SMTP (V1.3) id sma014921; Tue Nov 14 14:08:37 1995
Received: from funws302.capmark.funb.com (funws302 [168.175.7.54]) by cm_mailhost.capmark.funb.com (8.6.12/8.6.12) with ESMTP id OAA04099; Tue, 14 Nov 1995 14:08:28 -0500
From: "Mark Horn [ Net Ops ]"
Received: (mhorn@localhost) by funws302.capmark.funb.com (8.6.12/8.6.12) id OAA01760; Tue, 14 Nov 1995 14:08:25 -0500
Date: Tue, 14 Nov 1995 14:08:25 -0500
Message-Id: <9511141408.ZM1758@funws302>
In-Reply-To: "Anthony.W.Youngman" "Re: security policy" (Nov 14, 4:04pm)
References: <30A8C009@london.ecaltd.com>
X-Mailer: Z-Mail (3.2.1 10apr95)
To: firewalls@GreatCircle.COM, "Anthony.W.Youngman"
Subject: Re: security policy
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Nov 14, 4:04pm, Anthony.W.Youngman wrote:
>If they won't tell you why it IS secure, then it probably isn't. Our banks
>are wonderful at "we can't tell you how we keep our data secure. It's part
>of our security". Pretty useless against an inside job.

I like the way mjr describes the value of obscurity in his paper "Thinking About Firewalls".
He says:

"'Security through obscurity' is not sufficient in and of itself, but there is no question that an unusual configuration, or one that is hard to understand, is likely to give an attacker pause, or to make them more likely to reveal themselves in the process."

Note how he says "is not sufficient in and of itself". Certainly, if obscurity is your only security, you're in trouble. Nevertheless, just because I have a very strong lockable security box in my house, doesn't mean that I'm going to broadcast that fact on my front door. The point is that obscurity isn't necessarily bad unless it's the *only* thing that you're using to protect yourself.

$.02

--
Mark Horn                              mhorn@funb.com
"With all the great communications equipment we've got here you'd think
I could find out the score of the Green Bay Packer Game"
                       - Michael Douglas in "The American President"
Free Advice and Opinions -- Refunds Available

From firewalls-owner Tue Nov 14 12:01:30 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id LAA16038 for firewalls-outgoing; Tue, 14 Nov 1995 11:38:57 -0800 (PST)
Received: from erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id LAA16033 for ; Tue, 14 Nov 1995 11:38:54 -0800 (PST)
Received: from eredns.erenj.com(159.70.1.252) by ereapp.erenj.com via smap (V1.3) id sma015606; Tue Nov 14 14:38:51 1995
Posted-Date: Tue, 14 Nov 1995 14:38:48 -0500
From: "Bryan D. Boyle"
Message-Id: <9511141438.ZM17289@maverick.erenj.com>
Date: Tue, 14 Nov 1995 14:38:47 -0500
In-Reply-To: jwilde@westmail.com "NTP through a firewall" (Nov 14, 1:16pm)
References: <9511141914.AA06416@westlan.com>
X-Phone: (908) 730-3338
X-Saying: Strange problems call for strange solutions.
X-Face: "Pd&4kXWsi"3Hc_Y~I-ts24DN$w~Hh)&L-P9DZvE"~_~m),~Y&N_]TUIM*4.r@z$SxVL]}v=+IP>Fuq{zx%{KKj"Kys1Q5{|m*l}:[T;N:/=@5[xOIpR$%skp$f0#6^j\1+ -?l%Yk/+S8Y!3J@{~!Ao4-COV:Ft}{]oZ&1=!@<>UIh2s
X-Mailer: Z-Mail (3.2.1 10apr95)
To: jwilde@westmail.com
Subject: Re: NTP through a firewall
Cc: firewalls@greatcircle.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Nov 14, 1:16pm, jwilde@westmail.com wrote:
> Subject: NTP through a firewall
> I was wondering if there would be any security concerns about using my firewall
> as an NTP Server for the rest of our network. I was thinking of opening a UDP
> port for NTP (network time protocol) and allowing only my time provider to talk
> to the firewall via NTP through a generalized proxy. My question is this,
> would this open a security hole? Wouldn't the NTP Server (our firewall) go out
> and get the time when it is specified? Any comments would be appreciated.

having just done this, a couple of thoughts:

1) run 3 xntpd processes: one on an app proxy, that actually talks to the outside server, and one on the screen that uses the app proxy as its server.

2) run an xntpd on an internal machine that is peer with the xntp on the screen. inside, talk to the internal xntp server.

that way, you don't have to open up a hole, and the time is relatively synched (hey, within a couple ms of each other...ok?)

or, diagrammatically:

    inside xntpd <------> screen xntpd -------->app xntpd -------->internet
         ^
          \__peer__/
          |
    inside talks here

just my $.02. feel free to flame to /dev/null

--
Bryan D. Boyle   | EMAIL: bdboyle@erenj.com
908-730-3338     | PAGE: bboyle@apt1.pagemart.com
#include         | http://www.access.digex.net/~bdboyle/index.html
"It seems that 'national security' is the root password to the Constitution. As with any dishonest superuser, the best countermeasure is strong encryption."
                                                -Phil Karn

From firewalls-owner Tue Nov 14 14:23:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id OAA19636 for firewalls-outgoing; Tue, 14 Nov 1995 14:05:24 -0800 (PST)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id OAA19631 for ; Tue, 14 Nov 1995 14:05:21 -0800 (PST)
Received: from pm3-10.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA11807; Tue, 14 Nov 95 17:04:04 -0500
Date: Tue, 14 Nov 95 17:04:04 -0500
Message-Id: <9511142204.AA11807@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.com
From: frankw@in.net (Frank Willoughby)
Subject: Re: HPUX client program for OPIE/SKEY???
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Gary,

>
>Anyone know of an hp/ux client program to use with
>a firewall using OPIE authentication?
>
>I'd prefer one that has a good user interface (i.e.
>an X product similar to the winkeys program for MS
>Windows) and one that works with MD5. I think I
>understand that S/key only supports MD4 so using
>an S/Key client would make me use MD4 on OPIE.

I wouldn't touch any X product for use over the Internet for *anything* (much less a firewall) due to the ease at which the sessions can be taken over. Also, authentication that does not end up in an encrypted link between the user and the firewall is only giving you a false sense of security (as it too can be compromised fairly easily).

>
>But I'll take whatever I can get :-)
>
>TIA,
>
>Gary Flynn
>James Madison University
>
>
>

Best Regards,

Frank

Fortified Networks Inc.   http://www.fortified.com/fortified
Expert Management & Information Security Consulting
The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.
From firewalls-owner Tue Nov 14 14:53:20 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id OAA20144 for firewalls-outgoing; Tue, 14 Nov 1995 14:37:24 -0800 (PST)
Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id OAA20139 for ; Tue, 14 Nov 1995 14:37:20 -0800 (PST)
Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.6.10/8.6.10) id IAA10307; Wed, 15 Nov 1995 08:32:26 +1000
Received: from citecub.citec.qld.gov.au(131.242.4.98) by citecuh.citec.qld.gov.au via smap (V1.3) id /mail/incoming/sma010303; Wed Nov 15 08:32:00 1995
Received: by citecub.citec.qld.gov.au (5.0/SMI-SVR4) id AA18724; Wed, 15 Nov 1995 08:33:26 +1000
From: sgcccdc@citec.qld.gov.au (Colin Campbell)
Message-Id: <9511142233.AA18724@citecub.citec.qld.gov.au>
Subject: Re: NTP through a firewall
To: jwilde@westmail.com
Date: Wed, 15 Nov 1995 08:33:25 +1000 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: <9511141914.AA06416@westlan.com> from "jwilde@westmail.com" at Nov 14, 95 01:16:38 pm
X-Mailer: ELM [version 2.4 PL24 PGP3 *ALPHA*]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My mailer thinks jwilde@westmail.com said:
>
> I was wondering if there would be any security concerns about using my firewall
> as an NTP Server for the rest of our network. I was thinking of opening a UDP
> port for NTP (network time protocol) and allowing only my time provider to talk
> to the firewall via NTP through a generalized proxy. My question is this,
> would this open a security hole? Wouldn't the NTP Server (our firewall) go out
> and get the time when it is specified? Any comments would be appreciated.
>

The only problem with this is the fact that NTP is UDP-based which means anyone with the inclination can screw around with the time on your network merely by impersonating the host you look to for the correct time. Sure they can only make small and gradual adjustments but they can do it and you did ask.

I think NTP uses the same port at either end (like DNS server to server) so you do not need to allow "udp from host blah to host bastion where port > 1023" which can be dangerous and is generally frowned upon.

Colin

From firewalls-owner Tue Nov 14 15:29:00 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id OAA20222 for firewalls-outgoing; Tue, 14 Nov 1995 14:41:59 -0800 (PST)
Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id OAA20217 for ; Tue, 14 Nov 1995 14:41:51 -0800 (PST)
Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.6.10/8.6.10) id IAA10511; Wed, 15 Nov 1995 08:36:57 +1000
Received: from citecub.citec.qld.gov.au(131.242.4.98) by citecuh.citec.qld.gov.au via smap (V1.3) id /mail/incoming/sma010495; Wed Nov 15 08:36:31 1995
Received: by citecub.citec.qld.gov.au (5.0/SMI-SVR4) id AA19334; Wed, 15 Nov 1995 08:37:50 +1000
From: sgcccdc@citec.qld.gov.au (Colin Campbell)
Message-Id: <9511142237.AA19334@citecub.citec.qld.gov.au>
Subject: Re: Configuration
To: roberts@hal.saic.com (tom roberts)
Date: Wed, 15 Nov 1995 08:37:50 +1000 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: from "tom roberts" at Nov 14, 95 02:51:42 pm
X-Mailer: ELM [version 2.4 PL24 PGP3 *ALPHA*]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My mailer thinks tom roberts said:
>
>
> I have been trying to configure the TIS FWTK on a HP-UX 9.05 machine for
> about a week now. I have everything compiled and placed in the proper
> directories.
> When trying to use the services, I receive the following
> errors in the syslog:
>
> netacl [249] deny host=unknow service=in.telnetd
> tn-gw [272] deny host=unknown ues of gateway
> ftp-gw[297] deny host=unknown use of gateway
> netacl [293] deny host=unknown service=in.ftp
>

The answer is in these lines - you have "deny hosts unknown" in netperm-table. FWTK does a name lookup on the IP address of every connection. If it cannot turn the IP address into a name via DNS, the name comes back as "unknown" and therefore gets denied.

Thus you must configure every host requiring access into the DNS used by the bastion OR remove "deny hosts unknown" from netperm-table. The former requires work but it means you know who is using the system. The latter is the easy way out and reduces security.

Colin

From firewalls-owner Tue Nov 14 16:53:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id QAA23595 for firewalls-outgoing; Tue, 14 Nov 1995 16:46:32 -0800 (PST)
Received: from deserthosp.org ([192.251.121.175]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id QAA23590 for ; Tue, 14 Nov 1995 16:46:29 -0800 (PST)
From: CWSTAFFORD@deserthosp.org
Received: from WPDOMAIN-Message_Server by deserthosp.org with WordPerfect_Office; Tue, 14 Nov 1995 16:44:12 -0800
Message-Id:
X-Mailer: WordPerfect Office 4.0
Date: Tue, 14 Nov 1995 16:43:40 -0800
To: firewalls-digest@GreatCircle.COM
Subject: Firewalls-Digest V4 #640 -Reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am interested in obtaining a book titled "Firewalls and Internet Security" by Cheswick and Bellovin. Can someone recommend where I can obtain this book? Also, I am seeking recommendations for other Firewall material. Any recommendations would be appreciated.
-Chris

From firewalls-owner Tue Nov 14 17:23:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id QAA23259 for firewalls-outgoing; Tue, 14 Nov 1995 16:26:51 -0800 (PST)
Received: from miricle.its.unimelb.edu.au (miricle.its.unimelb.EDU.AU [128.250.20.187]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id QAA23254 for ; Tue, 14 Nov 1995 16:26:48 -0800 (PST)
Received: (from danny@localhost) by miricle.its.unimelb.edu.au (8.6.9/8.6.9) id LAA04431; Wed, 15 Nov 1995 11:27:14 +1100
Date: Wed, 15 Nov 1995 11:27:13 +1100 (EST)
From: "Daniel O'Callaghan"
Subject: Re: transparent proxies
To: Fernando da Silveira Montenegro
cc: firewalls@GreatCircle.COM
In-Reply-To: <9511130910.aa06433@canario.canario.nutec.com.br>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 13 Nov 1995, Fernando da Silveira Montenegro wrote:

> Hi everybody!
>
> A few weeks ago there was a thread about transparent proxies, and
> nobody mentioned Socks. I wonder why not? If the Sockscap effort
> bears fruit, we would have a WINSOCK.DLL level mechanism, thus
> invisible to the applications that use it.
>
> Any thoughts?

You mean like Trumpet Winsock (ftp://ftp.trumpet.com.au/)!!??
From firewalls-owner Tue Nov 14 17:31:59 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id QAA23420 for firewalls-outgoing; Tue, 14 Nov 1995 16:38:46 -0800 (PST)
Received: from tera.bctel.net (tera.bctel.net [204.174.66.253]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id QAA23415 for ; Tue, 14 Nov 1995 16:38:43 -0800 (PST)
Received: (from nobody@localhost) by tera.bctel.net (8.7.1/8.7.1) id QAA29607; Tue, 14 Nov 1995 16:38:54 -0800 (PST)
X-Authentication-Warning: tera.bctel.net: nobody set sender to using -f
Received: from mocha.bctel.net(204.174.66.5) by tera via smap (V1.3) id sma029605; Tue Nov 14 16:38:31 1995
Received: (from murrell@localhost) by mocha.bctel.net (8.7.1/8.7.1) id QAA07698; Tue, 14 Nov 1995 16:40:04 -0800 (PST)
Date: Tue, 14 Nov 1995 16:40:04 -0800 (PST)
From: Brian Murrell
Message-Id: <199511150040.QAA07698@mocha.bctel.net>
To: jwilde@westmail.com, sgcccdc@citec.qld.gov.au
Subject: Re: NTP through a firewall
Cc: firewalls@GreatCircle.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-MD5: oEn944CSvKlF+iiOC9FK+Q==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> The only problem with this is the fact that NTP is UDP-based which
> means anyone with the inclination can screw around with the time on
> your network merely by impersonating the host you look to for the
> correct time. Sure they can only make small and gradual adjustments
> but they can do it and you did ask.

From what I've heard, NTP has facilities to authenticate the NTP server.

b.

--
Brian J. Murrell                   murrell@bctel.net
BCTel Advanced Communications      brian@ilinx.com
Vancouver, B.C.
brian@wimsey.com                   604 454 5261

From firewalls-owner Tue Nov 14 17:53:20 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA24526 for firewalls-outgoing; Tue, 14 Nov 1995 17:24:33 -0800 (PST)
Received: from mda.ca (mdavcr.mda.ca [142.73.128.50]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id RAA24510 for ; Tue, 14 Nov 1995 17:24:26 -0800 (PST)
Received: from conan.mda.ca by mda.ca (4.1/SMI-4.1-DNI) id AA28760; Tue, 14 Nov 95 17:24:46 PST
Received: by conan.mda.ca via SMTP (931110.SGI/931108.SGI.ANONFTP) for @mailhost.mda.ca:firewalls@greatcircle.com id AA02405; Tue, 14 Nov 95 17:24:29 -0800
Message-Id: <9511150124.AA02405@conan.mda.ca>
X-Mailer: exmh version 1.6.4 10/10/95
To: firewalls@greatcircle.com
Cc: eo@mda.ca
Subject: Parsing CISCO router logs
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 14 Nov 1995 17:24:23 -0800
From: Ed Osterman
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

We have just installed a CISCO router and are using its logging capabilities to notify us via remote syslogging of attempts to use services and ports that are blocked. For example, at the end of each access list we explicitly deny all other port access and request that this be logged. (Note that IP addresses below are not relevant).

    access-list 100 permit icmp 000.000.000.000 255.255.255.255 x.x.x.x 000.000.255.255
    ! This allows logging of access violations
    access-list 100 deny ip 000.000.000.000 255.255.255.255 000.000.000.000 255.255.255.255 log

Our log file fills with lots of neat info, i.e.:

    Nov 14 17:12:06 nb0 5346: %SEC-6-IPACCESSLOGP: list 100 denied tcp x.x.x.x(23309) -> x.x.x.x(113), 1 packet

The question is: are there any scripts or programs that can parse this log file and produce some pretty statistics and/or sound alarms/mail when something is going wrong or there are too many attempts, etc.

Thanks,

--
Ed Osterman                 eo@mda.ca
I guess sometimes there just aren't enough stones to throw.
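Ed asks for something that parses the %SEC-6-IPACCESSLOGP lines his router syslogs and raises an alarm when one source keeps hitting blocked ports. The following is an added example, not from Ed's post or from any tool mentioned in the thread: it assumes the line layout he quoted (timestamp, router name, sequence number, then the ACL message) and runs over a constructed log extract using documentation-range addresses.

```python
"""Parse Cisco %SEC-6-IPACCESSLOGP syslog lines, summarise denied traffic per
source, and raise simple alarms (added example; the sample data is constructed)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Layout of the line quoted in the thread: "<timestamp> <router> <seq>: %SEC-6-IPACCESSLOGP:
# list <acl> <permitted|denied> <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)".
# Only the TCP/UDP variant with port numbers is handled; other message types are skipped.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \d+: "
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)


@dataclass
class AclEvent:
    ts: str
    acl: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    count: int


def parse_line(line: str) -> Optional[AclEvent]:
    """Return an AclEvent for an IPACCESSLOGP line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return AclEvent(g["ts"], g["acl"], g["action"], g["proto"], g["src"],
                    int(g["sport"]), g["dst"], int(g["dport"]), int(g["count"]))


def parse_log(text: str) -> List[AclEvent]:
    """Parse a whole syslog extract, silently dropping lines that are not ACL log entries."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def denied_by_source(events: List[AclEvent]) -> Tuple[Dict[str, int], Dict[str, Set[Tuple[str, int]]]]:
    """Total denied packets per source, and the distinct (proto, dport) pairs each source hit."""
    packets: Counter = Counter()
    ports: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for e in events:
        if e.action != "denied":
            continue  # permitted traffic may be logged too, but it is not an alarm signal
        packets[e.src] += e.count
        ports[e.src].add((e.proto, e.dport))
    return dict(packets), dict(ports)


def alarms(events: List[AclEvent], packet_threshold: int = 10, port_threshold: int = 3) -> List[str]:
    """Flag sources that hit many distinct blocked ports (sweep) or sent many denied packets (flood)."""
    packets, ports = denied_by_source(events)
    out = []
    for src in sorted(packets):
        if len(ports[src]) >= port_threshold:
            out.append(f"{src}: {len(ports[src])} distinct blocked ports (possible port sweep)")
        if packets[src] >= packet_threshold:
            out.append(f"{src}: {packets[src]} denied packets (possible flood)")
    return out


# Constructed sample extract (addresses are from the RFC documentation ranges, not real hosts).
SAMPLE_LOG = """\
Nov 14 17:12:06 nb0 5346: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.0.2.10(23309) -> 198.51.100.5(113), 1 packet
Nov 14 17:12:07 nb0 5347: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.0.2.10(23310) -> 198.51.100.5(23), 1 packet
Nov 14 17:12:08 nb0 5348: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.0.2.10(23311) -> 198.51.100.5(21), 1 packet
Nov 14 17:12:09 nb0 5349: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.0.2.10(23312) -> 198.51.100.5(79), 1 packet
Nov 14 17:13:40 nb0 5350: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.0.2.77(2049) -> 198.51.100.9(2049), 12 packets
Nov 14 17:14:02 nb0 5351: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 203.0.113.4(1040) -> 198.51.100.5(25), 1 packet
Nov 14 17:14:05 nb0 5352: %SYS-5-CONFIG_I: Configured from console by vty0
"""

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    pk, pt = denied_by_source(evs)
    for src in sorted(pk):
        print(f"{src:16} denied={pk[src]:4} ports={sorted(pt[src])}")
    for a in alarms(evs):
        print("ALARM", a)
```

Feeding the real syslog file through parse_log and piping the alarm strings to mail gives the "sound alarms/mail" behaviour asked for; the thresholds are tuning knobs, not recommendations.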
                                                -Forest Gump

From firewalls-owner Tue Nov 14 19:23:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id TAA26884 for firewalls-outgoing; Tue, 14 Nov 1995 19:13:24 -0800 (PST)
Received: from eden-valley (eden-valley.aaii.oz.AU [192.35.59.242]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id TAA26879 for ; Tue, 14 Nov 1995 19:13:16 -0800 (PST)
Received: from alamein (alamein.aaii.oz.AU) by eden-valley with SMTP (5.65c/SMI-4.0/AAII) id AA08609; Wed, 15 Nov 1995 14:13:24 +1100
Received: from localhost by alamein (8.6.8.1/8.6.6) with SMTP id OAA02758; Wed, 15 Nov 1995 14:13:23 +1100
Message-Id: <199511150313.OAA02758@alamein>
X-Authentication-Warning: alamein: anthony owned process doing -bs
X-Authentication-Warning: alamein: Host localhost didn't use HELO protocol
To: Ed Osterman
Cc: firewalls@greatcircle.com
From: anthony baxter
Reply-To: anthony.baxter@aaii.oz.au
Subject: Re: Parsing CISCO router logs
In-Reply-To: Message from Ed Osterman of 1995-Nov-14 17:24:23, <9511150124.AA02405@conan.mda.ca>
Date: Wed, 15 Nov 1995 14:13:16 +1100
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> [ need log parsing tools ]

Check out 'swatch', from sierra.stanford.edu:/pub

Anthony

From firewalls-owner Tue Nov 14 19:54:05 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id TAA26992 for firewalls-outgoing; Tue, 14 Nov 1995 19:27:59 -0800 (PST)
Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id TAA26987 for ; Tue, 14 Nov 1995 19:27:56 -0800 (PST)
Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.7.1/8.7.1) with UUCP id VAA24032 for GreatCircle.COM!firewalls; Tue, 14 Nov 1995 21:25:33 -0600 (CST)
Received: by ris1.nmti.com (smail2.5) id AA07180; 14 Nov 95 20:09:13 CST (Tue)
Received: by sonic.nmti.com; id AA00852; Tue, 14 Nov 1995 19:38:36 -0600
From: peter@nmti.com (Peter da Silva)
Message-Id:
<9511150138.AA00852@sonic.nmti.com.nmti.com>
Subject: Re: Configuration
To: sgcccdc@citec.qld.gov.au (Colin Campbell)
Date: Tue, 14 Nov 1995 19:38:35 -0600 (CST)
Cc: roberts@hal.saic.com, firewalls@GreatCircle.COM
In-Reply-To: <9511142237.AA19334@citecub.citec.qld.gov.au> from "Colin Campbell" at Nov 15, 95 08:37:50 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does turning off "deny hosts unknown" really reduce security that much?

You shouldn't have any rules that depend on DNS, right?

Right?

> Thus you must configure every host requiring access, into the DNS used by
> the bastion OR remove "deny hosts unknown" from netperm-table. The former
> requires work but it means you know who is using the system. The latter
> is the easy way out and reduces security.

From firewalls-owner Tue Nov 14 20:23:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id UAA28399 for firewalls-outgoing; Tue, 14 Nov 1995 20:15:34 -0800 (PST)
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id UAA28394 for ; Tue, 14 Nov 1995 20:15:31 -0800 (PST)
Received: from cixgate by relay2.UU.NET with SMTP id QQzpxg13638; Tue, 14 Nov 1995 23:14:55 -0500 (EST)
Received: from manzanita.DEV.3Com.COM.noname ([139.87.180.206]) by cixgate (4.1/SMI-4.1/3com-cixgate-GCA-931027-01) id AA15329; Tue, 14 Nov 95 08:39:37 PST
Received: by manzanita.DEV.3Com.COM.noname (4.1/SMI-4.1) id AA01934; Tue, 14 Nov 95 08:27:08 PST
Date: Tue, 14 Nov 95 08:27:08 PST
From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg)
Message-Id: <9511141627.AA01934@manzanita.DEV.3Com.COM.noname>
To: TMOONEY@umi.com
Subject: Re: Vendor Product Access
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It's a BAD idea.
What I'd recommend (based on experience) is to set up a separate access for vendors (Frame Relay, ISDN, whatever), and run them through a firewall (a filtering router will work in this case). Also, you need to get a LOT more specific about the specific types of traffic that you will allow through. Don't let the vendor bamboozle your management into believing that this type of wide open access is "necessary" to the proper operation of whatever service they are providing.

I will usually allow either a subnet of a vendor, or we assign an IP address that we specify for them to use by PPP or CSLIP which gives us more precise control over what they are doing, and where they can connect to within our network.

Good luck,

BobK

From firewalls-owner Tue Nov 14 20:53:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id UAA29853 for firewalls-outgoing; Tue, 14 Nov 1995 20:51:11 -0800 (PST)
Received: from nova.unix.portal.com (nova.unix.portal.com [156.151.1.101]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id UAA29845 for ; Tue, 14 Nov 1995 20:51:08 -0800 (PST)
Received: from jobe.shell.portal.com (jobe.shell.portal.com [156.151.3.4]) by nova.unix.portal.com (8.6.11/8.6.5) with ESMTP id UAA20616; Tue, 14 Nov 1995 20:50:13 -0800
Received: (zerucha@localhost) by jobe.shell.portal.com (8.6.11/8.6.5) id UAA28848; Tue, 14 Nov 1995 20:50:11 -0800
Date: Tue, 14 Nov 1995 20:50:10 -0800 (PST)
From: Thomas E Zerucha
To: Colin Campbell
cc: jwilde@westmail.com, firewalls@greatcircle.com
Subject: Re: NTP through a firewall
In-Reply-To: <9511142233.AA18724@citecub.citec.qld.gov.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It would depend on who initiated the connection, and if your firewall is flexible enough to only allow udp connections to the NTP port from inside, and have your firewall only go out.
It might be easier to get an accurate clock that would need setting less often, or get a WWV clock or GPS based clock and hook it to the serial port.

zerucha@shell.portal.com -or- 2015509 on MCI Mail
finger zerucha@jobe.portal.com for PGP key

From firewalls-owner Tue Nov 14 21:06:37 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id UAA28092 for firewalls-outgoing; Tue, 14 Nov 1995 20:02:59 -0800 (PST)
Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id UAA28083 for ; Tue, 14 Nov 1995 20:02:48 -0800 (PST)
Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.6.10/8.6.10) id NAA22519; Wed, 15 Nov 1995 13:57:48 +1000
Received: from citecub.citec.qld.gov.au(131.242.4.98) by citecuh.citec.qld.gov.au via smap (V1.3) id /mail/incoming/sma022512; Wed Nov 15 13:57:32 1995
Received: by citecub.citec.qld.gov.au (5.0/SMI-SVR4) id AA23633; Wed, 15 Nov 1995 13:58:46 +1000
From: sgcccdc@citec.qld.gov.au (Colin Campbell)
Message-Id: <9511150358.AA23633@citecub.citec.qld.gov.au>
Subject: Re: Configuration
To: peter@nmti.com (Peter da Silva)
Date: Wed, 15 Nov 1995 13:58:45 +1000 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9511150138.AA00852@sonic.nmti.com.nmti.com> from "Peter da Silva" at Nov 14, 95 07:38:35 pm
X-Mailer: ELM [version 2.4 PL24 PGP3 *ALPHA*]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My mailer thinks Peter da Silva said:
>
> Does turning off "deny hosts unknown" really reduce security that much?
>
> You shouldn't have any rules that depend on DNS, right?
>
> Right?

They do not depend on DNS - if DNS fails the host shows up as unknown and they don't get in. Right? I use IP addresses only in netperm-table.
If the reverse lookup fails either the host attempting access is not in DNS and therefore I do not want them using the service, or DNS failed and since I can't "verify" the IP address, access is again denied. Note that the lookups are performed on an internal DNS (unless someone has changed resolv.conf :-).

I also have one line in netperm-table per host so having the "unknown" line is overkill I guess. It does however, in a perverse kind of way, let me know if DNS is playing up - someone who used to be able to get out now can't -> DNS broken :-)

If you have a wildcard like "permit hosts *" then the "unknown" line adds security.

Am I talking rubbish?

Colin

From firewalls-owner Tue Nov 14 21:23:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id UAA29962 for firewalls-outgoing; Tue, 14 Nov 1995 20:53:16 -0800 (PST)
Received: from access.netaxs.com (access.netaxs.com [198.69.186.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id UAA29957 for ; Tue, 14 Nov 1995 20:53:13 -0800 (PST)
Received: from unix3.netaxs.com (morph_1@unix3.netaxs.com [198.69.186.5]) by access.netaxs.com (8.6.12/8.6.11) with ESMTP id WAA09646; Tue, 14 Nov 1995 22:51:00 -0500
Received: (morph_1@localhost) by unix3.netaxs.com (8.6.12/8.6.9) id WAA13124; Tue, 14 Nov 1995 22:50:54 -0500
Date: Tue, 14 Nov 1995 22:50:53 -0500 (EST)
From: FEH Systems Philadelphia
To: danny@miricle.its.unimelb.edu.au
cc: firewalls@GreatCircle.COM
Subject: Re: transparent proxies
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 15 Nov 1995, Daniel O'Callaghan wrote:

> > A few weeks ago there was a thread about transparent proxies, and
> > nobody mentioned Socks. I wonder why not? If the Sockscap effort
> > bears fruit, we would have a WINSOCK.DLL level mechanism, thus
> > invisible to the applications that use it.
> > Any thoughts?
> You mean like Trumpet Winsock (ftp://ftp.trumpet.com.au/)!!??

Windows doesn't have sockets.

--
Morph HeAd WeBMaStErUr, morph_1@netaxs.com
NoVeLL CeRTiFiEd TeXt FiLE DeleTeR

From firewalls-owner Tue Nov 14 22:23:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id WAA01659 for firewalls-outgoing; Tue, 14 Nov 1995 22:03:00 -0800 (PST)
Received: from gateway (gateway.realtime.co.za [196.7.2.6]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id WAA01653 for ; Tue, 14 Nov 1995 22:02:54 -0800 (PST)
Received: from real3.realtime.co.za by gateway (5.x/SMI-SVR4) id AA29349; Wed, 15 Nov 1995 08:02:14 -0200
Received: from REAL3/SpoolDir by real3.realtime.co.za (Mercury 1.13); Wed, 15 Nov 95 8:07:53 GMT+2
Received: from SpoolDir by REAL3 (Mercury 1.13); Wed, 15 Nov 95 8:07:29 GMT+2
From: "Gregg Williams"
Organization: Realtime
To: firewalls@GreatCircle.COM
Date: Wed, 15 Nov 1995 08:07:21 GMT+2
Subject: That's How Netscape does it!
X-Mailer: Pegasus Mail for Windows (v2.01)
Message-Id: <8CB850C4562@real3.realtime.co.za>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi All,

When your web browser connects to home.netscape.com, you actually get home1.netscape.com or home2.netscape.com or home3...

We would also like to load balance our web server like this and have one address that could connect a user to any of 5 different machines (least heavily loaded one, or some cyclic order). So I tried to find out how Netscape does it. -- They say it's hardwired into the browser. (home.netscape.com = homeN.netscape.com, where N = random number between 1 and 16)

Anyone know of a generic easy way to do this? I thought of two solutions, but I don't think they will work:

1. Add 5 aliases called "www" to point to the 5 different machines. e.g.
   www IN CNAME home1.domain.org
   www IN CNAME home2.domain.org
   www IN CNAME home3.domain.org
   www IN CNAME home4.domain.org
   www IN CNAME home5.domain.org

   I don't know if this will screw up DNS, or whether requests will be serviced in a cyclic order?

2. Filter the packets on the router: (bad load-balancing) e.g.

   Src = *.com   Dest = home1.domain.org
   Src = *.gov   Dest = home2.domain.org
   Src = *.mil   Dest = home3.domain.org
   Src = *.com   Dest = home4.domain.org
   Src = *.*     Dest = home5.domain.org

Any suggestions would be greatly appreciated.

Regards
Gregg

--------------------------
Gregg Williams
Support Engineer
http://www.realtime.co.za/
--------------------------

From firewalls-owner Tue Nov 14 22:53:18 1995
From: daemeonr@Anthros.Com@Anthros.Com
To: Firewalls@GreatCircle.COM
Date: Tue, 14 Nov 1995 22:47:21 -0800
Subject: Re: (summary) rfc-1597 addresses and transparent proxies
Message-Id: <9511150647.AA04696@phoebe.Anthros.Com>

Recently Dieter Dworkin Muller wrote:

=> At this point, I'm going to roll my own (and put the results up for
=> others to use). I'll probably start with BIND, and add in the
=> additional bits that I need.
=> I have no reason to believe this will
=> ever become a stock part of BIND, so I will do my best to make it easy
=> to add to new versions. The actual proxies will be mostly based on
=> the proxies we're using now (tcp-relay for telnet, ftp, and other
=> relatively simple protocols, and the CERN caching server for
=> http/gopher/wais).
=>
=> I don't like depending on the CERN server for security-type things, so
=> I might just hack tcp-relay to do the actual proxy work, and have it
=> go to the CERN server to handle caching. Kind of convoluted, but less
=> ugly than trying to prove CERN code correct.

I gather that there is a large user base at your installation to validate the quality of your code? Far larger no doubt than the user base that is constantly validating CERN? I believe that Bianca Troll might be able to direct you to a good recipe for humble pie (ask in the coffee shop).

=>
=> One additional feature of what I'm planning, that became a requirement
=> once we thought of it, is that if someone *does* manage to break in,
=> any outgoing connection they make A) has to be preceded by a DNS
=> lookup, and B) can/will be logged (I plan on logging all connections).
=> This should make tracking down crackers just a little bit easier.
=> Once we thought of this, the idea of blind automatic translation
=> became much less attractive.

telnet 123.123.123.123 ... oops, no DNS lookup!
=>
=> Dworkin
=>

From firewalls-owner Tue Nov 14 23:23:30 1995
From: daemeonr@Anthros.Com@Anthros.Com
To: Firewalls@GreatCircle.COM
Date: Tue, 14 Nov 1995 22:45:29 -0800
Subject: Re: Vendor Product Access
Message-Id: <9511150645.AA04688@phoebe.Anthros.Com>

Recently, TMOONEY@umi.com wrote:

=> From firewalls-owner@GreatCircle.COM Mon Nov 13 18:59 PST 1995
=> Date: Mon, 13 Nov 95 15:49 EST
=> From: "TMOONEY.UMI.COM"
=> To: firewalls@greatcircle.com
=> Subject: Vendor Product Access
=>
=> A vendor of an on-line database asks that we open our firewall to their entire
=> Class B address space for both UDP and TCP on ports 8000 thru 9120.

Bullshit, either they are running dynamically assigned IP addresses or they really don't want to be bothered figuring out who needs to get in.

=>
=> I have been asked to quantify the risks involved. My initial list includes:
=>
=> Why do they need their entire Class B? This allows ANYONE in their domain
=> access.

Do you care who on the vendor's staff accesses your system(s)?
Will the vendor commit to having DNS entries for every IP address (so you can at least validate the connecting machine)? I presume that the vendor wants their engineering or tech support staff to access your system? Must be a pretty small-time vendor if they don't have a bastion host, proxy, or equivalent to control access to your systems (if they did then they would only need to have your access list(s) permit that machine to get through). Seems to me that any vendor with this hokey a network is far too out of control to ever get access to your employer/client's system.

=>
=> Why do they want 1120 ports of both UDP or TCP? This seems a little large to
=> me.

My guess would be that they have some sort of automatic installation process that finds an available port in that range and uses it. I suggest that you find out what are the ports and ranges used (e.g. Informix does some *limited* dynamic allocation of ports, but you can control what gets used). My Internet access experience with Internet, Oracle, and Sybase has yet to require this sort of broad access. I have had occasion to modify access lists, but the vendor and application development team(s) have always been able to document their IP and port range requirements quite narrowly.

One point you didn't mention: how long do they want this fairly wide open access?

=>
=> Any words of wisdom from admins "who have been there" that I can use to
=> bolster my initial "This is a BAD IDEA" reaction to upper management would be
=> appreciated.

The risks as I see them are:

- unrestricted access to the Class B
  - any vendor employee can access your systems - Is this OK with your organization?
  - if an entire class B is allowed, then the risk of an IP spoof style attack is greater. Can you do reverse name lookup on all of the vendor's IP's? What does nslookup with q=any show?
- broad range of ports
  - no significant risk per se, they are unprivileged ports
- Vendor's blanket request suggests that the vendor does not perceive your organization's security requirements as being significant. Is this the case? Why does vendor require this relatively blanket access except to reduce the amount of work their support staff must do to determine your configuration?
- Is your organization such that it might be a target for hacking? If so, then your security policy should be (is?) one of "that which is not expressly permitted is denied".

=>

Flame on: This is a BAD IDEA, and your managers would do well to listen to your advice instead of some bullshit talking head of a marketing "nice hair". Flame off

=> Thanks,
=> Tom Mooney
=> Senior UNIX System Administrator

From firewalls-owner Wed Nov 15 02:28:53 1995
From: Paul Crossley
To: jwojn@telxon.mis.telxon.com, firewalls@greatcircle.com
Date: Wed, 15 Nov 1995 10:08:03 +0000 (GMT)
Subject: RE: Vendor Product Access
Message-ID: <9511151008.aa08809@gateway.toploguk.co.uk>

>> > A vendor of an on-line database asks that we open our firewall to their
>> entire
>> Class B address space for both UDP and TCP on ports 8000 thru 9120.
>>
>> I have been asked to quantify the risks involved. My initial list includes:
>>
>> Why do they need their entire Class B? This allows ANYONE in their domain
>> access.
>>
>> Why do they want 1120 ports of both UDP or TCP? This seems a little large to
>> me.
>
> How about a modem?
> This gives a single point of entry, while only allowing a
> single user access.
>

Not so, I have customers who give their entire network access to the internet over V34 modems - it may not give the best performance but it certainly gives multiple users access.

I tend to agree with all that's gone before - your database vendor is asking too much. Could you get them to access you via some form of proxy at their end?

-------------------------------------------------------------------------
Paul Crossley (paul@toploguk.co.uk)
Senior Consultant SCO ACE
TopLog Limited
TopLog House, Knaves Beech Business Centre, Loudwater, Bucks. HP10 9QY
Phone (01628) 819444  Fax (01628) 819356
-------------------------------------------------------------------------

From firewalls-owner Wed Nov 15 02:54:00 1995
From: Michel Lavondes
To: anthony.baxter@aaii.oz.au
Cc: Ed Osterman, firewalls@greatcircle.com
Date: Wed, 15 Nov 1995 11:32:46 +0000
Subject: Re: Parsing CISCO router logs
In-Reply-To: Your message of "Wed, 15 Nov 1995 14:13:16 +1100." <199511150313.OAA02758@alamein>
Message-Id: <9511151132.AA06281@tidtest.total.fr>

In message <199511150313.OAA02758@alamein>, anthony baxter writes:
>
> > [ need log parsing tools ]
>
> Check out 'swatch', from sierra.stanford.edu:/pub
>

Doesn't allow anon ftp, and ftp.stanford.edu doesn't have swatch. Anyone have a better idea?
:-) C&B has no source other than sierra.stanford.edu.

Michel Lavondes (lavondes@tidtest.total.fr)
#include
============================================================
= When Privacy Is Outlawed, Only Outlaws Will Have Privacy =
= I Support the Phil Zimmermann Legal Defense Fund!        =
= email: zldf@clark.net   http://www.netresponse.com/zldf  =
============================================================
(with thanks to those who led me into it :-))

From firewalls-owner Wed Nov 15 03:23:57 1995
From: Slava Kritov
To: Gregg Williams
cc: firewalls@GreatCircle.COM
Date: Wed, 15 Nov 1995 11:48:59 +0200 (EET)
Subject: Re: Thats How Netscape does it!
In-Reply-To: <8CB850C4562@real3.realtime.co.za>

Hi !

NCSA just did rotated DNS hack ... Since they've hardwired their address in Mosaic ...

Best
Slava

> Hi All,
>
> When your web browser connects to home.netscape.com, you actually
> get home1.netscape.com or home2.netscape.com or home3...
>
> We would also like to load balance our web server like this and
> have one address that could connect a user to any of 5 different
> machines (least heavily loaded one, or some cyclic order).
>
> So I tried to find out how Netscape does it. -- They say it's
> hardwired into the browser. (home.netscape.com = homeN.netscape.com,
> where N = random number between 1 and 16)
>
> Anyone know of a generic easy way to do this?
> I thought of two
> solutions, but I don't think they will work:
> 1. Add 5 aliases called "www" to point to the 5 different machines.
> e.g.
> www IN CNAME home1.domain.org
> www IN CNAME home2.domain.org
> www IN CNAME home3.domain.org
> www IN CNAME home4.domain.org
> www IN CNAME home5.domain.org
> I don't know if this will screw up DNS, or whether requests
> will be serviced in a cyclic order?
>
> 2. Filter the packets on the router: (bad load-balancing)
> e.g.
> Src = *.com   Dest = home1.domain.org
> Src = *.gov   Dest = home2.domain.org
> Src = *.mil   Dest = home3.domain.org
> Src = *.com   Dest = home4.domain.org
> Src = *.*     Dest = home5.domain.org
>
> Any suggestions would be greatly appreciated.
> Regards
> Gregg
> --------------------------
> Gregg Williams
> Support Engineer
> http://www.realtime.co.za/
> --------------------------
>

From firewalls-owner Wed Nov 15 03:53:58 1995
From: Gavin Aiken
To: firewalls@greatcircle.com
Date: Wed, 15 Nov 1995 11:48:51 +0000 (GMT)
Subject: firewall logging
Message-Id: <9511151148.AA18004@reednews.co.uk>

I am using the TIS firewall toolkit on a Solaris 2.4 operating system. The default logging configuration for the proxies sends all messages to my system log, /var/adm/messages, which is not where I want them.
I've tried to configure my proxies to log to /eg_pathname/firewall_log in the following way:

1) Edited firewall.h and changed the logging stuff to:

   #define LLEV LOG_DEBUG
   #define LFAC LOG_DAEMON

2) Edited my syslog.conf to contain the following line:

   daemon.debug	/eg_pathname/firewall_log

3) Recompiled all my toolkit components, re-installed them, and restarted syslogd.

Messages no longer appear in /var/adm/messages from my proxies; however they don't appear in /eg_pathname/firewall_log either!

Help!

From firewalls-owner Wed Nov 15 04:28:48 1995
From: Michel Lavondes
To: anthony.baxter@aaii.oz.au, Ed Osterman, firewalls@greatcircle.com
Date: Wed, 15 Nov 1995 13:22:50 +0000
Subject: Re: Parsing CISCO router logs
In-Reply-To: Your message of "Wed, 15 Nov 1995 11:32:46 GMT."
Message-Id: <9511151322.AA00405@tidtest.total.fr>

I write:
>
> In message <199511150313.OAA02758@alamein>, anthony baxter writes:
> >
> > > [ need log parsing tools ]
> >
> > Check out 'swatch', from sierra.stanford.edu:/pub
> >
>
> Doesn't allow anon ftp, and ftp.stanford.edu doesn't have
> swatch. Anyone has a better idea ? :-) C&B has no source
> other than sierra.stanford.edu.
FWIW, I've been given another source: ftp://ftp.inria.fr/system/secur/swatch-2.0.tar.gz

Michel Lavondes (lavondes@tidtest.total.fr)

From firewalls-owner Wed Nov 15 04:53:57 1995
From: Michel Lavondes
To: firewalls@greatcircle.com
Date: Wed, 15 Nov 1995 13:39:23 +0000
Subject: Another ftp site for swatch, thx to George Colt
Message-Id: <9511151339.AA00491@tidtest.total.fr>

ftp.isa.com:/pub/security

From firewalls-owner Wed Nov 15 05:30:42 1995
From: "Quentin Fennessy"
To: Gregg Williams
cc: firewalls@greatcircle.com
Date: Wed, 15 Nov 1995 07:19:25 -0600
Subject: Re: Thats How Netscape does it!
In-reply-to: Your message of "Wed, 15 Nov 1995 08:07:21 GMT." <8CB850C4562@real3.realtime.co.za>
Message-Id: <199511151319.HAA14807@thecount.eng.sematech.org>

Greg-

Modern versions (4.9.3bXX) of bind will do round-robin sharing of addresses. So you could have

    www     IN A    123.123.123.123
            IN A    123.123.123.124
            IN A    123.123.123.125
            IN A    123.123.123.126
            IN A    123.123.123.127

The named process on your nameserver will answer up the A records one after another.

Quentin

From firewalls-owner Wed Nov 15 05:53:57 1995
From: Gavin Aiken
To: firewalls@greatcircle.com
Date: Wed, 15 Nov 1995 13:53:26 +0000 (GMT)
Subject: Re: firewall logging
Message-Id: <9511151353.AA18562@reednews.co.uk>

Thanks to everyone who replied! I've found the problem - I had created the file for syslogd to log to, but I'd done it _after_ restarting the syslogd process! It's working now that I've restarted again.

Thanks again.
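Quentin's round-robin answer earlier in this thread, as an added example that is neither BIND code nor anything a poster wrote: it models a nameserver that returns the whole A RRset on every query, rotated one step each time, and also checks zone data for the problem with Gregg's first idea, since a CNAME must be the only record at its owner name. The zone fragments, names and addresses are constructed, and the parser handles only the minimal `owner IN type rdata` form used in the thread.

```python
# Added example, not from BIND or from any poster in this thread.  Models the
# round-robin behaviour Quentin describes and the CNAME-at-one-owner rule that
# rules out several "www IN CNAME ..." lines.  All zone data is constructed.

from collections import deque

# Constructed zone fragments in the same minimal format as the thread.
ZONE_ROUND_ROBIN = """\
www      IN  A      123.123.123.123
         IN  A      123.123.123.124
         IN  A      123.123.123.125
         IN  A      123.123.123.126
         IN  A      123.123.123.127
"""

ZONE_MULTI_CNAME = """\
www      IN  CNAME  home1.domain.org
www      IN  CNAME  home2.domain.org
www      IN  CNAME  home3.domain.org
"""


def parse_zone(text):
    """Return {owner: [(rrtype, rdata), ...]} from a minimal zone fragment.

    A line that begins with whitespace has no owner field and inherits the
    owner of the previous record, as in a real master file.
    """
    records = {}
    owner = None
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if line[0].isspace():
            if owner is None:
                raise ValueError("continuation line before any owner")
            fields = [owner] + fields
        if len(fields) != 4 or fields[1] != "IN":
            raise ValueError(f"unsupported record: {line!r}")
        owner, rrtype, rdata = fields[0], fields[2], fields[3]
        records.setdefault(owner, []).append((rrtype, rdata))
    return records


def validate(records):
    """Return the owners that break the CNAME rule.

    RFC 1034 allows a CNAME only when nothing else shares its owner name,
    which rules out both "five CNAMEs at www" and "a CNAME plus an A".
    """
    return [
        owner
        for owner, rrset in records.items()
        if any(rrtype == "CNAME" for rrtype, _ in rrset) and len(rrset) > 1
    ]


class RoundRobinServer:
    """Answers like a round-robin nameserver: the full RRset every time,
    rotated by one position per query so clients spread across hosts."""

    def __init__(self, records):
        if validate(records):
            raise ValueError("zone has CNAME conflicts")
        self.rrsets = {owner: deque(rrset) for owner, rrset in records.items()}

    def query(self, owner, rrtype="A"):
        rrset = self.rrsets[owner]
        answer = [rdata for t, rdata in rrset if t == rrtype]
        rrset.rotate(-1)  # next client sees the list shifted by one
        return answer


if __name__ == "__main__":
    server = RoundRobinServer(parse_zone(ZONE_ROUND_ROBIN))
    for _ in range(3):
        print(server.query("www"))
    print("CNAME conflicts:", validate(parse_zone(ZONE_MULTI_CNAME)))
```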
From firewalls-owner Wed Nov 15 07:37:15 1995
From: ralph@omni.mpsisys.com (Ralph Mitchell)
To: firewalls@GreatCircle.COM
Date: Wed, 15 Nov 1995 09:11:17 -0600
Subject: Re: NTP through a firewall
Message-Id: <9511151511.AA29488@omni.mpsisys.com>

> It might be easier to get an accurate clock that would need setting less
> often, or get a WWV clock or GPS based clock and hook it to the serial port.

If you don't require millisecond accuracy, set up xntp on a machine with a modem and have it dial the NIST Automated Computer Time Service (ACTS) once a week or once a day - depending on your clock accuracy. No holes in your firewall, and it is reasonably secure, unless someone subverts the phone system again...
Ralph Mitchell

From firewalls-owner Wed Nov 15 07:53:57 1995
From: Arley Carter
To: Quentin Fennessy
Cc: Gregg Williams, firewalls@GreatCircle.COM
Date: Wed, 15 Nov 1995 10:12:42 -0500 (EST)
Subject: Re: Thats How Netscape does it!
In-Reply-To: <199511151319.HAA14807@thecount.eng.sematech.org>

Will this version of bind work on hp 700 machines? To the best of my knowledge, it is not possible to make a hp machine running hpux 9.X or 10.X answer to multiple IP addresses without having a separate NIC card for each interface. It would be *great* to find a solution to this problem.

Regards:

-arc

Arley Carter
Tradewinds Technologies, Inc.
email: ac@hawk.twinds.com
www: http://www.twinds.com
"Trust me. This is a secure product. I'm from ."

On Wed, 15 Nov 1995, Quentin Fennessy wrote:

>
> Greg-
> Modern versions (4.9.3bXX) of bind will do round-robin sharing
> of addresses. So you could have
>
> www     IN A    123.123.123.123
>         IN A    123.123.123.124
>         IN A    123.123.123.125
>         IN A    123.123.123.126
>         IN A    123.123.123.127
>
> The named process on your nameserver will answer up the A records
> one after another.
>
> Quentin
>

From firewalls-owner Wed Nov 15 08:25:48 1995
From: Dana Nowell
To: firewalls-digest@GreatCircle.COM
Date: Wed, 15 Nov 1995 10:13:08 -0500
Subject: RE: Vendor Product Access
Message-Id: <199511151513.HAA17960@miles.greatcircle.com>

While you're at it, give them keys to all the doors and filing cabinets. This IS a joke, right? No, well I guess it didn't hurt to ask.

Well, I'd grant them all the access they want, right after they sign a contract granting your company N million/billion/gazillion dollars in punitive damages PLUS all actual damages incurred if they are in ANY WAY responsible for a security breach. Actually, I'm kidding, I'd really tell them to go fish, but it makes a good bargaining chip sometimes to get a more realistic request. Indemnity contracts of that type are rarely worth it in the 'real world'. Only the lawyers get the gazillion dollars in the end and the company still goes out of business.

"TMOONEY.UMI.COM" said:
>
>A vendor of an on-line database asks that we open our firewall to their entire
>Class B address space for both UDP and TCP on ports 8000 thru 9120.
>
>

Dana Nowell                       Voice (603) 595-7480 EXT 28
Cornerstone Software Inc.         FAX (603) 882-7313
Work: DanaNowell@corsof.com       Home: dnowell@mv.mv.com
Veni, Vidi, et in machina posui.  As usual, I speak only for myself.
From firewalls-owner Wed Nov 15 08:53:57 1995
From: "Quentin Fennessy"
To: Arley Carter
cc: Gregg Williams, firewalls@greatcircle.com
Date: Wed, 15 Nov 1995 10:03:34 -0600
Subject: Re: Thats How Netscape does it!
In-reply-to: Your message of "Wed, 15 Nov 1995 10:12:42 EST."
Message-Id: <199511151603.KAA16670@thecount.eng.sematech.org>

Arley-

The latest version of BIND builds on HP-UX9. I have not tried it on HP-UX10 but I will guess so.

My answer for Greg referred only to one _name_ expanding to multiple IP addresses -- not one machine answering for multiple IP addresses.

My only solution for your problem is to find an OS that supports what you are looking for, or to redefine your problem to something that can be solved on HP-UX.
Quentin

From firewalls-owner Wed Nov 15 09:07:03 1995
From: dscott@eng.dowjones.com (Dave Scott)
To: firewalls@greatcircle.com
Cc: dscott@eng.dowjones.com
Date: Wed, 15 Nov 95 10:24:34 EST
Subject: NFS Filtering Question
Message-Id: <9511151524.AA03748@dscott.eng.dowjones.com>

Hello all,

Quick question about filtering NFS... Notice I said "filtering" NFS (with a router) and not "firewalling" NFS.

I have 2 corporate networks (which are completely isolated from the Internet) and I'd like to leave them as 2 networks for the most part, but I've been told that we must be able to NFS mount machines from one net to the other.

I did some sniffing and found the usual ports used, that is 111 and 2049 (RPC and NFS). But I also found that there is some randomness to the port numbers used between machines, and they are below the superuser fence... For example, I saw port numbers like 522 and 935.

So the simple question is why? Would this be something specific to Wollongong maybe? Is there a range of ports I have to open, or would it be easier to deny specifics and allow all else?
Thanks,
Dave

From firewalls-owner Wed Nov 15 09:53:58 1995
From: peter@nmti.com (Peter da Silva)
To: firewalls@GreatCircle.COM
Date: Wed, 15 Nov 1995 11:16:01 -0600 (CST)
Subject: Smart hubs
Message-Id: <9511151716.AA03182@sonic.nmti.com.nmti.com>

What's a recommended "smart" hub for use in a "Lobby" or "DMZ"? It doesn't need to do any routing itself, just not route packets between the firewall and the routers to lobby machines.
From firewalls-owner Wed Nov 15 10:06:36 1995
From: Scott Barman
To: Peter da Silva
Cc: Colin Campbell, roberts@hal.saic.com, firewalls@GreatCircle.COM
Date: Wed, 15 Nov 1995 11:10:47 -0500 (EST)
Subject: Re: Configuration
In-Reply-To: <9511150138.AA00852@sonic.nmti.com.nmti.com>

Previously, someone else wrote (sorry, citation lost):

> > Thus you must configure every host requiring access, into the DNS used by
> > the bastion OR remove "deny hosts unknown" from netperm-table. The former
> > requires work but it means you know who is using the system. The latter
> > is the easy way out and reduces security.

Then, on Tue, 14 Nov 1995, Peter da Silva replied:

> Does turning off "deny hosts unknown" really reduce security that much?
>
> You shouldn't have any rules that depend on DNS, right?
>
> Right?

Well... maybe the original sender didn't say it exactly right. You do not *have* to deny rights to IP addresses you can't resolve. However, it does provide for a *little* extra measure of security knowing that someone, or some site, can be tracked down "just in case." This helps fight against IP spoofing, albeit it's not the best way (I did say "helps," folks, implying that there are other, and what I believe are better, methods to preventing IP spoofing, so no flames).

Check out places like ftp.uu.net and coast.cs.purdue.edu. They don't allow you into their archives if they cannot verify (reverse name map) your IP address.
I have no problems with this! scott barman -- scott barman DISCLAIMER: I speak to anyone who will listen, scott@disclosure.com and I speak only for myself. barman@ix.netcom.com "I don't know if security explains why the Win95 support Web servers run BSDI 2.0--an Intel-based Unix--rather than Windows NT, which Microsoft insists is the ideal Web software solution. Does Redmond know something we don't know?" -Robert X. Cringely, INFORWORLD, 9/11/95 From firewalls-owner Wed Nov 15 10:23:58 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA20294 for firewalls-outgoing; Wed, 15 Nov 1995 09:00:57 -0800 (PST) Received: from future.dreamscape.com (future.dreamscape.com [206.64.128.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id JAA20287 for ; Wed, 15 Nov 1995 09:00:53 -0800 (PST) Received: from future.dreamscape.com (matkoski@future.dreamscape.com [206.64.128.3]) by future.dreamscape.com (8.6.12/8.6.12) with SMTP id MAA24970 for ; Wed, 15 Nov 1995 12:00:08 -0500 Date: Wed, 15 Nov 1995 11:59:58 -0500 (EST) From: Steve Matkoski To: firewalls mailing-list Subject: setting up IBMs firewall. Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We are going to be using IBMs Internet Connection Secured Network Gateway as a firewall. I was wondering if anyone out there has ever configured this brand before and could help me with any gotchas. Thanks for any info given! -steve. 
matkoski@dreamscape.com

From firewalls-owner Wed Nov 15 10:32:38 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA21160 for firewalls-outgoing; Wed, 15 Nov 1995 09:12:53 -0800 (PST)
Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id JAA21155 for ; Wed, 15 Nov 1995 09:12:49 -0800 (PST)
Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.7.1/8.7.1) with UUCP id LAA16172 for GreatCircle.COM!firewalls; Wed, 15 Nov 1995 11:08:37 -0600 (CST)
Received: by ris1.nmti.com (smail2.5) id AA06666; 15 Nov 95 11:28:35 CST (Wed)
Received: by sonic.nmti.com; id AA28814; Wed, 15 Nov 1995 10:58:03 -0600
From: peter@nmti.com (Peter da Silva)
Message-Id: <9511151658.AA28814@sonic.nmti.com.nmti.com>
Subject: Re: Configuration
To: scott@Disclosure.COM (Scott Barman)
Date: Wed, 15 Nov 1995 10:58:02 -0600 (CST)
Cc: peter@nmti.com, sgcccdc@citec.qld.gov.au, roberts@hal.saic.com, firewalls@GreatCircle.COM
In-Reply-To: from "Scott Barman" at Nov 15, 95 11:10:47 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Check out places like ftp.uu.net and coast.cs.purdue.edu. They don't
> allow you into their archives if they cannot verify (reverse name map)
> your IP address.
>
> I have no problems with this!

I do. With CIDR routing, changing IP addresses is all too often necessary, and then you have to wait for everyone's caches to time out before you can actually *do* anything.
From firewalls-owner Wed Nov 15 10:54:40 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id HAA18647 for firewalls-outgoing; Wed, 15 Nov 1995 07:48:38 -0800 (PST)
Received: from tuna.wang.com (tuna.wang.com [150.124.136.4]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id HAA18642 for ; Wed, 15 Nov 1995 07:48:35 -0800 (PST)
Received: from mail.wangfed.com (ns.wangfed.com [159.94.10.19]) by tuna.wang.com (8.6.12/8.6.12tf1) with SMTP id KAA24667; Wed, 15 Nov 1995 10:48:58 -0500
Received: from [159.94.10.15] by mail.wangfed.com (1.37.109.4/A.09.00a) id AA15612; Wed, 15 Nov 95 10:41:40 -0600
Received: from [159.94.14.48] by hfsi (BULL 5.61++/B.O.S 02.01) id AA14666; Wed, 15 Nov 95 10:39:25 -0500
Date: Wed, 15 Nov 95 10:39:25 -0500
Message-Id: <9511151539.AA14666@hfsi>
From: "K Goertzel"
Reply-To: "K Goertzel"
To: firewalls@GreatCircle.COM, hbarnett@fastlane.net
Subject: Re: Encrypted Sessions
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In message <199511090253.UAA12727@fastlane.net> Howard Barnett writes:

> I have a client who has a requirement to install a software encryption
> scheme over several operating systems and several platforms. The product
> must be exportable (from the U.S.) Does anyone know of such a product or
> any product that may come close. Thanks.

and he later wrote to me:

> At this point I believe, Netware, Unix (unknown flavors), DOS, Windows
> (Several flavors. I would not be surprised to see something like VMS, but I
> don't know. Will try for more info.

So, after a quick review of all my info on software crypto products, I will suggest he look into the following. I don't vouch for any of them -- I'm only going by product literature and various buyer's guides -- but at least this is a place to start. I don't know whether any of the following are supported on Netware or NT -- they seem to be primarily desktop-based, not server-based.
I'm sure they don't handle VMS, but it's always worth giving them a call to find out how some of their customers might be handling a heterogeneous crypto requirement like yours (probably through hardware...sorry). Even if you do need to include VMS in your architecture, you might be able to get by using one of the following on the desktop systems, and another DES or RSA package (hardware or software) on VMS, NetWare, etc. If you configure your keys correctly, this should still work, particularly with the public key encryption. Key management might get a little tricky, but who ever said life was supposed to be easy? - AT&T's SecretAgent software does DES and RSA on DOS, Windows, Unix, and Macintosh. 1-800-203 5563 - ViaCrypt PGP is available for DOS, Windows, Macintosh, and UNIX. 602-944 0773 Depending on your requirement (and budget) you might also consider BSAFE from RSA Data Security, which is their toolkit for adding RSA or DES encryption to applications. This is a developer's toolkit, which would give you the widest scope for recompiling the crypto capability onto pretty much whatever operating system platform required it. 415-595 8782 info@rsa.com As you can see, the marketplace isn't exactly teeming with products that even come close to meeting your heterogeneous platform requirements. You will discover, if you hadn't already, that the vast majority of cross-platform crypto products are hardware or token+software based. If your requirement changes, and you're willing to consider such solutions, I will be happy to send you information our Trusted Interface Unit for encrypting LAN traffic. Karen Goertzel Manager, International Programmes Secure Systems and Services Operation Wang Federal, Inc. 7900 Westpark Drive - MS 700 McLean, Virginia 22102-4299 TEL: 703-827 3914 FAX: 703-827 3161 Internet: goertzek@wangfed.com +-----------------------------------------+ | Human history becomes more and more a | | race between education and catastrophe. | | - H.G. 
Wells |
+-----------------------------------------+

From firewalls-owner Wed Nov 15 10:58:05 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA20164 for firewalls-outgoing; Wed, 15 Nov 1995 08:58:25 -0800 (PST)
Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id IAA20159 for ; Wed, 15 Nov 1995 08:58:21 -0800 (PST)
Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.7.1/8.7.1) with UUCP id KAA13603 for GreatCircle.COM!firewalls; Wed, 15 Nov 1995 10:52:38 -0600 (CST)
Received: by ris1.nmti.com (smail2.5) id AA03416; 15 Nov 95 09:55:44 CST (Wed)
Received: by sonic.nmti.com; id AA19299; Wed, 15 Nov 1995 09:25:11 -0600
From: peter@nmti.com (Peter da Silva)
Message-Id: <9511151525.AA19299@sonic.nmti.com.nmti.com>
Subject: Re: Configuration
To: sgcccdc@citec.qld.gov.au (Colin Campbell)
Date: Wed, 15 Nov 1995 09:25:10 -0600 (CST)
Cc: peter@nmti.com, firewalls@GreatCircle.COM
In-Reply-To: <9511150358.AA23633@citecub.citec.qld.gov.au> from "Colin Campbell" at Nov 15, 95 01:58:45 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I use IP addresses only in netperm-table. If the reverse lookup fails
> either the host attempting access is not in DNS and therefore I do not
> want them using the service, or DNS failed and since I can't "verify"
> the IP address, access is again denied.

How does reverse lookup "verify" the IP address? All it verifies is that the IP address is known to DNS. It doesn't verify that someone's not using a source routing or IP spoofing attack on you.

> If you have a wildcard like "permit hosts *" then the "unknown" line
> adds security.

If "sites that have recently changed their IP address can't send you mail" adds security, I guess so. I still don't see the point of the "unknown" line... could someone explain (in short sentences)?
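An added illustration of the point argued in the three "Configuration" messages above (it is example code written for this archive, not TIS FWTK code, and it does not parse a real netperm-table). A bare reverse lookup, which is all the "deny hosts unknown" test asks for, only proves that somebody published a PTR record for the source address; whoever controls the in-addr.arpa zone for that address block can publish any name they like, including one in a domain they do not own. The usual tightening is forward-confirmed reverse DNS: resolve the PTR name back to addresses and require the original address to be among them. The zone data below is constructed for the example; `system_resolvers()` shows how the same check would be wired to the host's real stub resolver. Note what the check still cannot do, which is Peter's objection: it says nothing about whether the packet's source address is genuine, so a spoofed source that happens to have a clean PTR passes it, and it fails for exactly the stale-cache reasons he describes after a renumbering.

```python
"""Forward-confirmed reverse DNS (FCrDNS) as an access-control test.

Added example for the "deny hosts unknown" discussion; not TIS FWTK code.
All records below are constructed example data, not real DNS.
"""
import socket

# Constructed resolver answers (example data, not real records).
PTR_RECORDS = {
    "192.0.2.10": ["host10.example.net."],
    # The owner of the 2.0.192.in-addr.arpa zone can publish any name here,
    # including one in a domain they do not control.
    "192.0.2.11": ["trusted.example.org."],
    "198.51.100.5": [],  # no reverse mapping at all: the "unknown" case
}
A_RECORDS = {
    "host10.example.net.": ["192.0.2.10"],
    "trusted.example.org.": ["203.0.113.7"],  # the name's real address
}


def lookup_ptr(addr):
    """Reverse lookup against the constructed data."""
    return PTR_RECORDS.get(addr, [])


def lookup_a(name):
    """Forward lookup against the constructed data."""
    return A_RECORDS.get(name, [])


def fcrdns(addr, ptr=lookup_ptr, a=lookup_a):
    """Classify a source address.

    'confirmed': some PTR name resolves back to addr,
    'forged':    a PTR exists but none of its names resolves back to addr,
    'unknown':   no PTR at all (what netperm-table calls "unknown").
    """
    names = ptr(addr)
    if not names:
        return ("unknown", None)
    for name in names:
        if addr in a(name):
            return ("confirmed", name)
    return ("forged", names[0])


def decide(addr, deny_unknown=True, **resolvers):
    """Permit/deny for a 'permit hosts *' rule, with or without a
    'deny hosts unknown' line in front of it."""
    status, _name = fcrdns(addr, **resolvers)
    if status == "confirmed":
        return "permit"
    if status == "forged":
        return "deny"
    return "deny" if deny_unknown else "permit"


def system_resolvers():
    """Resolver pair backed by the host's real stub resolver (not used offline)."""
    def ptr(addr):
        try:
            host, aliases, _ = socket.gethostbyaddr(addr)
            return [h.rstrip(".") + "." for h in [host, *aliases]]
        except socket.herror:
            return []

    def a(name):
        try:
            return socket.gethostbyname_ex(name.rstrip("."))[2]
        except socket.gaierror:
            return []

    return {"ptr": ptr, "a": a}


if __name__ == "__main__":
    for addr in PTR_RECORDS:
        print(addr, fcrdns(addr), decide(addr), decide(addr, deny_unknown=False))
```

With the constructed data, 192.0.2.10 is confirmed, 192.0.2.11 is caught as a forged PTR (it claims a name whose A record points elsewhere), and 198.51.100.5 is the case the "unknown" line decides: denied with the line present, permitted without it. To run it against live DNS, call `decide(addr, **system_resolvers())`.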
From firewalls-owner Wed Nov 15 10:59:54 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA19286 for firewalls-outgoing; Wed, 15 Nov 1995 08:29:20 -0800 (PST) Received: from gater3.sematech.org (GATER3.SEMATECH.ORG [192.73.53.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id IAA19281 for ; Wed, 15 Nov 1995 08:29:17 -0800 (PST) Received: from thecount.eng.sematech.org by gater3.sematech.org (8.6.12/F-1.9) with ESMTP id KAA09470; Wed, 15 Nov 1995 10:29:27 -0600 Received: from localhost.eng.sematech.org by thecount.eng.sematech.org (8.6.12/I-1.8) with SMTP id KAA17095; Wed, 15 Nov 1995 10:29:26 -0600 Message-Id: <199511151629.KAA17095@thecount.eng.sematech.org> X-Authentication-Warning: thecount.eng.sematech.org: Host localhost.eng.sematech.org didn't use HELO protocol To: Wall_Dick/sra_hq1@cpo.stratus.com cc: firewalls@greatcircle.com Subject: Re: Thats How Netscape does it! In-reply-to: Your message of "Wed, 15 Nov 1995 10:46:14 EST." Date: Wed, 15 Nov 1995 10:29:23 -0600 From: "Quentin Fennessy" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The official source for information on BIND is at: http://info-sys.home.vix.com/isc/bind.html and you can grab beta code at: ftp://ftp.vix.com/pub/bind/testing/ I do not know where non-beta code is stashed but I recommend you try to stay up to date and use the beta versions. I am happily running Beta17 -- this is stable stuff. The latest seems to be Beta26. 
Quentin

From firewalls-owner Wed Nov 15 11:01:48 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA19118 for firewalls-outgoing; Wed, 15 Nov 1995 08:21:26 -0800 (PST)
Received: from eagle.twinds.com (eagle.twinds.com [206.27.30.1]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id IAA19113 for ; Wed, 15 Nov 1995 08:21:23 -0800 (PST)
Received: from hawk.twinds.com by eagle.twinds.com with SMTP (1.37.109.16/16.2) id AA129112431; Wed, 15 Nov 1995 11:20:31 -0500
Date: Wed, 15 Nov 1995 11:22:32 -0500 (EST)
From: Arley Carter
X-Sender: ac@hawk.twinds.com
To: Quentin Fennessy
Cc: Gregg Williams , firewalls@greatcircle.com
Subject: Re: Thats How Netscape does it!
In-Reply-To: <199511151603.KAA16670@thecount.eng.sematech.org>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I know. I guess I'll have to start buying Suns and support multiple platforms. Grumble, Grumble..... :-( . Any hp'ers out there listening to this? When will hp support this?

Regards:
-arc

Arley Carter
Tradewinds Technologies, Inc.
email: ac@hawk.twinds.com
www: http://www.twinds.com
"Trust me. This is a secure product. I'm from ."

On Wed, 15 Nov 1995, Quentin Fennessy wrote:

>
> Arley-
> The latest version of BIND builds on HP-UX9. I have not tried
> it on HP-UX10 but I will guess so.
>
> My answer for Greg referred only to one _name_ expanding to
> multiple IP addresses -- not one machine answering for multiple IP
> addresses. My only solution for your problem is to find an OS that
> supports what you are looking for, or to redefine your problem to
> something that can be solved on HP-UX.
> > Quentin > From firewalls-owner Wed Nov 15 11:04:30 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA19180 for firewalls-outgoing; Wed, 15 Nov 1995 08:24:50 -0800 (PST) Received: from Disclosure.COM (di2.disclosure.com [205.156.194.11]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id IAA19175 for ; Wed, 15 Nov 1995 08:24:47 -0800 (PST) Received: by Disclosure.COM (4.1/SMI-4.1) id AA08583; Wed, 15 Nov 95 11:28:29 EST Date: Wed, 15 Nov 1995 11:28:28 -0500 (EST) From: Scott Barman To: firewalls@greatcircle.com Subject: (fwd) Personal Firewall beta available Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In my "I really want to do nothing" few seconds (and that's all I get :-) I was reading the comp.security.firewalls newsgroup and found the following: From: dani@elementrix.co.il (Daniel Isarel) Newsgroups: comp.security.firewalls Subject: Personal Firewall beta available Date: 13 Nov 1995 14:42:25 GMT Organization: Elementrix.Technologies Ltd. Message-ID: <488du6$m6k_001@elementrix.co.il> Hi everybody, The beta release of Personal Firewall for Windows 3.1, WFWG 3.11 is available for download ftp://ftp.elementrix.co.il/pub/beta-test/pfw099.zip Your feedback will be greatly appreciated. Please send you comments to : support@elementrix.co.il Thank you Did anyone else see this? Has anyone tried downloading it to see what it is and how it works? scott barman -- scott barman DISCLAIMER: I speak to anyone who will listen, barman@ix.netcom.com and I speak only for myself. "I don't know if security explains why the Win95 support Web servers run BSDI 2.0--an Intel-based Unix--rather than Windows NT, which Microsoft insists is the ideal Web software solution. Does Redmond know something we don't know?" -Robert X. 
Cringely, INFORWORLD, 9/11/95 From firewalls-owner Wed Nov 15 11:07:04 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA19710 for firewalls-outgoing; Wed, 15 Nov 1995 08:41:34 -0800 (PST) Received: from neon.ingenia.com (neon.ingenia.com [205.207.219.29]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id IAA19705 for ; Wed, 15 Nov 1995 08:41:31 -0800 (PST) Received: (from shaver@localhost) by neon.ingenia.com (8.6.12/8.6.9) id MAA17463; Wed, 15 Nov 1995 12:01:18 -0500 From: Mike Shaver Message-Id: <199511151701.MAA17463@neon.ingenia.com> Subject: Re: transparent proxies To: morph_1@netaxs.com (FEH Systems Philadelphia) Date: Wed, 15 Nov 1995 12:01:18 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: from "FEH Systems Philadelphia" at Nov 14, 95 10:50:53 pm X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Thus spake FEH Systems Philadelphia: > On Wed, 15 Nov 1995, Daniel O'Callaghan wrote: > > > > A few weeks ago there was a thread about transparent proxies, and > > > nobody mentioned Socks. I wonder why not? If the Sockscap effort > > > bears fruit, we would have a WINSOCK.DLL level mechanism, thus > > > invisible to the applications that use it. > > > Any thoughts? That's not what is usually meant by transparent proxies... they're proxies that don't require any modification to the client, and this does, although not to the binary proper. > Windows doesn't have sockets. Sure, and neither does SVR4. But both have mechanisms for emulating the socket API and semantics via their native networking paradigm. Mike -- #> Mike Shaver (shaver@ingenia.com) Ingenia Communications Corporation <# #> UNIX medicine man -- dark magick, cheap! <# #> <# #> When the going gets tough, the tough give cryptic error messages. <# #> "We believe in rough consensus and running code." 
<# From firewalls-owner Wed Nov 15 11:08:49 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id KAA23810 for firewalls-outgoing; Wed, 15 Nov 1995 10:46:46 -0800 (PST) Received: from gate.personal-media.co.jp (gate.personal-media.co.jp [202.33.97.65]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id KAA23805 for ; Wed, 15 Nov 1995 10:46:41 -0800 (PST) Received: (from ishikawa@localhost) by gate.personal-media.co.jp (8.6.12+2.4W3/3.3W5-gate-mx) id DAA20569; Thu, 16 Nov 1995 03:49:49 +0900 Date: Thu, 16 Nov 1995 03:49:49 +0900 From: Chiaki Ishikawa Message-Id: <199511151849.DAA20569@gate.personal-media.co.jp> To: Firewalls@GreatCircle.COM In-reply-to: <199511150724.XAA04214@miles.greatcircle.com> (firewalls-digest-owner@uunet.uu.net) Subject: Re: Thats How Netscape does it! (Firewalls-Digest V4 #649) Reply-to: ishikawa@personal-media.co.jp Sender: firewalls-owner@GreatCircle.COM Precedence: bulk PMC e-mail id: 4113 >From: "Gregg Williams" >Date: Wed, 15 Nov 1995 08:07:21 GMT+2 >Subject: Thats How Netscape does it! > >Hi All, > >When your web browser connects to home.netscape.com, you actually >get home1.netscape.com or home2.netscape.com or home3... I was also intrigued to learn that netscape uses 5 or 6 ftp servers to load-balance the heavy access. Anyway, regarding the http access, my guess is as follows. Set up a machine as home.netscape.com. Now, prepare other machines as backup. When a user client accesses home.netscape.com's home page, issue a response saying that the server has moved at the HTTP level. There is this feature in HTTP spec for telling the client that the server has moved. This, as I understand, is handled more or less transparently by modern web clients. (Certainly by netscape's browser, I think.) Then, the browser automatically accesses the new host and obtains the home page from there. [Well, after writing up to this point. I wonder what happens if there is a cycle of reference. 
Can this be a cause of denial of service attack!?!?]

The front end machine is hit for every new client access, but this host tells the client that the server has moved to a new location, and the subsequent accesses from the same client will be done to one of the chosen hosts.

Here is the relevant excerpt from the HTTP spec.

=== quote ====
6.3.2 Redirection 3xx

This class of status codes indicates that further action needs to be taken by the client in order to fulfill the request. The action required can normally be carried out by the client without interaction with the user, but it is strongly recommended that this only takes place if the method used in the request is either GET or HEAD.

301 Moved Permanently

o Following: GET, HEAD, POST, PUT
o Required metainformation: URI-header, Location

The object requested has been assigned a new permanent URI, and any future references to this object must be done using the returned URI. Clients with link editing capabilities are encouraged to automatically relink references to the URI requested to the new reference returned by the server, where possible.

Note: It is possible for the server to send back this status code in response to a request using the PUT and POST methods. However, as this might change the conditions under which the request was issued, the user agent should not automatically redirect the request unless it can be confirmed by the user.
==== end quote =====

I haven't tried this, though. I will be delighted to see if this works for you.

--
Chiaki Ishikawa ishikawa@personal-media.co.jp
Personal Media Corp.
Shinagawa, Tokyo, Japan 141 From firewalls-owner Wed Nov 15 12:27:50 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id MAA27042 for firewalls-outgoing; Wed, 15 Nov 1995 12:07:49 -0800 (PST) Received: from bwh.harvard.edu (bwh.harvard.edu [134.174.81.34]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id MAA27037 for ; Wed, 15 Nov 1995 12:07:43 -0800 (PST) Received: (adam@localhost) by bwh.harvard.edu (8.6.9/8.6.9) id PAA15066; Wed, 15 Nov 1995 15:07:54 -0500 From: Adam Shostack Message-Id: <199511152007.PAA15066@bwh.harvard.edu> X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School Subject: Re: Smart hubs To: peter@nmti.com (Peter da Silva) Date: Wed, 15 Nov 1995 15:07:54 -0500 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: <9511151716.AA03182@sonic.nmti.com.nmti.com> from "Peter da Silva" at Nov 15, 95 11:16:01 am X-PGP: 0xE794DA91 FD3C3450FEB4A0B8 18F2E72CA82D29B8 X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk | What's a recommended "smart" hub for use in a "Lobby" or "DMZ". It doesn't need | to do any routing itself, just not route packets between the firewall and the | routers to lobby machines. If your regular vendor makes smart hubs, its probably a good idea to use them. Familiarity, support contracts, fewer gotchyas. Adam -- "It is seldom that liberty of any kind is lost all at once." 
-Hume From firewalls-owner Wed Nov 15 12:53:58 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id MAA28520 for firewalls-outgoing; Wed, 15 Nov 1995 12:51:37 -0800 (PST) Received: from access.netaxs.com (access.netaxs.com [198.69.186.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id MAA28507 for ; Wed, 15 Nov 1995 12:51:32 -0800 (PST) Received: from unix3.netaxs.com (morph_1@unix3.netaxs.com [198.69.186.5]) by access.netaxs.com (8.6.12/8.6.11) with ESMTP id PAA04201; Wed, 15 Nov 1995 15:51:55 -0500 Received: (morph_1@localhost) by unix3.netaxs.com (8.6.12/8.6.9) id PAA18375; Wed, 15 Nov 1995 15:51:51 -0500 Date: Wed, 15 Nov 1995 15:51:49 -0500 (EST) From: FEH Systems Philadelphia To: Mike Shaver cc: firewalls@greatcircle.com Subject: Re: transparent proxies In-Reply-To: <199511151701.MAA17463@neon.ingenia.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 15 Nov 1995, Mike Shaver wrote: > > Windows doesn't have sockets. > > Sure, and neither does SVR4. But both have mechanisms for emulating > the socket API and semantics via their native networking paradigm. > > Mike Well Mike, I personally feel that putting sockets on Windows violates the intentionality of the product; which was to bring America the first 7 meg solitaire game. Jimmy -- Morph Jimmy Hats esq. 
morph_1@netaxs.com Webmastur and text file deleter From firewalls-owner Wed Nov 15 13:07:02 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id MAA27069 for firewalls-outgoing; Wed, 15 Nov 1995 12:09:09 -0800 (PST) Received: from inet-gw-0.ey.ca (inet-gw-0.EY.CA [132.220.23.1]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id MAA27063 for ; Wed, 15 Nov 1995 12:09:03 -0800 (PST) Received: from sobeco.sobeco.com (server-001.EY.CA [132.220.12.5]) by inet-gw-0.ey.ca (8.6.11/8.6.10) with SMTP id PAA07308; Wed, 15 Nov 1995 15:09:14 -0500 Received: by sobeco.sobeco.com(5.65+/IDA-1.3.5) id AA21162; Wed, 15 Nov 95 15:08:47 -0500 From: "s.millions" Message-Id: <9511152008.AA21162@sobeco.sobeco.com> Subject: Re: Parsing CISCO router logs To: lavondes@tidtest.total.fr Date: Wed, 15 Nov 95 15:08:46 EST Cc: Firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk From: Michel Lavondes Date: Wed, 15 Nov 1995 11:32:46 +0000 Subject: Re: Parsing CISCO router logs Michel Lavondes writes: > In message <199511150313.OAA02758@alamein>, anthony baxter writes: > > Check out 'swatch', from sierra.stanford.edu:/pub > > Doesn't allow anon ftp, and ftp.stanford.edu doesn't have > swatch. Anyone has a better idea ? :-) C&B has no source > other than sierra.stanford.edu. Compliments of: http://www.alw.nih.gov/Security/prog-monitor.html s/sierra/ee/ or for those of you who prefer emacs to ed :-) ftp://ee.stanford.edu/pub/software -stacy -- "I will finish what I st..." 
stacy@ey.ca - Bart Simpson

From firewalls-owner Wed Nov 15 13:23:58 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id NAA29659 for firewalls-outgoing; Wed, 15 Nov 1995 13:18:41 -0800 (PST)
Received: from lokkur.dexter.mi.us (dexter-gw.dexter.msen.com [148.59.2.1]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id NAA29650 for ; Wed, 15 Nov 1995 13:18:33 -0800 (PST)
Received: (scs@localhost) by lokkur.dexter.mi.us (8.6.12/8.6.5) id QAA01083; Wed, 15 Nov 1995 16:16:38 -0500
To: firewalls@GreatCircle.COM
Path: lokkur.dexter.mi.us!not-for-mail
From: scs@lokkur.dexter.mi.us (Steve Simmons)
Newsgroups: local.firewalls
Subject: Raptor + Windows Netscape + FTP proxy working?
Date: 15 Nov 1995 16:16:37 -0500
Organization: Inland Sea
Lines: 10
Message-ID: <48dlbl$11o@lokkur.dexter.mi.us>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have been asked by a client who doesn't have net access yet if there is a known site which is using a Raptor firewall, Netscape on PCs, and the Raptor ftp proxy successfully. Raptor says this should work, but the client is looking for a 3rd-party confirmation. Many thanks.

--
` . . . I'm a sysadmin, with an admitted preference for things I can reboot over things I have to negotiate with . . .
' Mike Shaver (shaver@neon.ingenia.com)

From firewalls-owner Wed Nov 15 13:53:58 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id NAA29240 for firewalls-outgoing; Wed, 15 Nov 1995 13:07:13 -0800 (PST)
Received: from mail.redcrossdk.dk (mail.redcrossdk.dk [147.29.204.99]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id NAA29235 for ; Wed, 15 Nov 1995 13:07:08 -0800 (PST)
Received: from [147.29.204.2] by mail.redcrossdk.dk with SMTP (Apple Internet Mail Server 1.0); Wed, 15 Nov 1995 23:14:48 +0000
Message-Id: <6334c4af0002100434e7@[147.29.204.2]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Mailer: Eudora 2.0.1
X-Charset: US-DK
X-Char-Esc: 29
To: firewalls@GreatCircle.COM
From: Lars-Bertelsen@mail.redcrossdk.dk (Lars Bertelsen)
Subject: Firewall related FAQ's?
Date: Wed, 15 Nov 1995 23:14:48 +0000
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Would anyone know of any FAQ's or other general sources of firewall related info on the net? There are a lot of words and ideas that are taken for granted ("spoofing" might be a good example!); stuff that is supposed to be known to one and all. I think I'm not quite alone in feeling that I might want to bone up on some of these things in a slightly less intrusive way than asking a lot of basic questions on the list...
If I get any good pointers I'll summarize for the rest of us lurkers on the list :-)

lbe@login.dkuug.dk
Lars Bertelsen
Gartnervang 29
Roskilde, DK

From firewalls-owner Wed Nov 15 14:30:09 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id NAA01019 for firewalls-outgoing; Wed, 15 Nov 1995 13:55:44 -0800 (PST)
Received: from dns.eng.auburn.edu (dns.eng.auburn.edu [131.204.10.13]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id NAA00999 for ; Wed, 15 Nov 1995 13:55:37 -0800 (PST)
Received: from netman.eng.auburn.edu (20663@netman.eng.auburn.edu [131.204.12.24]) by dns.eng.auburn.edu (8.6.12/8.6.4) with ESMTP id PAA25130; Wed, 15 Nov 1995 15:55:53 -0600
From: Doug Hughes
Received: from localhost (doug@localhost) by netman.eng.auburn.edu (8.6.4/8.6.4) id PAA16719; Wed, 15 Nov 1995 15:55:50 -0600
Date: Wed, 15 Nov 1995 15:55:50 -0600
Subject: Re: Smart hubs
To: peter@nmti.com
Cc: firewalls@greatcircle.com
Message-Id:
In-Reply-To: <9511151716.AA03182@sonic.nmti.com.nmti.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Well, our HP's don't do exactly that, but they'll do the trick. They have an option that allows you to scramble packets not explicitly destined to the MAC address on that port. You can snoop all you want, but all you see is garbage. You need the management module installed for this one.
--
____________________________________________________________________________
Doug Hughes Engineering Network Services
System/Net Admin Auburn University
doug@eng.auburn.edu
Apple T-shirt on Win95 - "Been there, done that"

From firewalls-owner Wed Nov 15 14:31:28 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id NAA00986 for firewalls-outgoing; Wed, 15 Nov 1995 13:55:21 -0800 (PST)
Received: from pimaia2w.prodigy.com (pimaia2w.prodigy.com [192.207.105.46]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id NAA00981 for ; Wed, 15 Nov 1995 13:55:18 -0800 (PST)
Received: from mail.prodigy.com ([199.4.137.13]) by pimaia2w.prodigy.com (8.6.10/8.6.9) with SMTP id QAA16912 for ; Wed, 15 Nov 1995 16:31:01 -0500
Date: Wed, 15 Nov 1995 16:30:47 EST
From: HFDK41A@prodigy.com (MR. JOHN K MOLNAR)
X-Mailer: PRODIGY Services Company Internet mailer [PIM 3.2-319.50]
Message-Id: <013.04878174.HFDK41A@prodigy.com>
To: Firewalls@GreatCircle.Com
Subject: Firewalls - A Request
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi- I'm a newbie! Yep and I know nobody likes to hear from us new guys 'cause we just clutter up the ether with questions. But, we gotta start somewhere. Sorry!

Now, with that out of the way, I do have a serious question. I'm trying to set up a WEB site at my company and am really confused about what everyone's using for commercial web servers and firewalls. We are leaning, philosophically, towards putting the firewalls on an NT box and haven't made a firm decision on the server, but probably will go with a UNIX box (Netra or DEC). I would really like to hear from anybody who's been in this position and can help clear out the noise. Please let me know what you're using. It'll help me make my decision.

Also, please don't flame me for writing with a Prodigy address. I'm stuck with it until I get a site up and running.
Thanks in advance -John Molnar From firewalls-owner Wed Nov 15 14:32:52 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id NAA00104 for firewalls-outgoing; Wed, 15 Nov 1995 13:30:33 -0800 (PST) Received: from magneto.bosch.com (magneto.bosch.com [198.111.120.52]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id NAA29999 for ; Wed, 15 Nov 1995 13:30:29 -0800 (PST) Received: by magneto.bosch.com; id QAA25578; Wed, 15 Nov 1995 16:26:32 -0500 Received: from cyber.rbus(198.168.2.2) by magneto via smap (V1.3) id sma025576; Wed Nov 15 16:26:29 1995 Received: by inet.rbus; id QAA08887; Wed, 15 Nov 1995 16:29:12 -0500 Received: from mail(172.16.1.21) by inet.rbus via smap (V1.3) id sma008885; Wed Nov 15 16:29:01 1995 Received: by mail.fh.rbus; id QAA10274; Wed, 15 Nov 1995 16:27:39 -0500 Date: Wed, 15 Nov 1995 16:27:39 -0500 Message-Id: <199511152127.QAA10274@mail.fh.rbus> X-Sender: cwerner@fh.rbus X-Mailer: Windows Eudora Version 2.1.1 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@GreatCircle.com From: "Christopher L. Werner" Subject: "Information Security Policies Made Easy" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Since there has been a thread discussing Security Policies running for a while... Has anyone seen or worked with Charles Cresson Wood's book on Security Policies? He claims to have over 600 policies available on diskette or printed. Is the collection worthwhile? About what percent of the files are really applicable/usable? They list about 72 companies who have 'used' them but $495.00 is a bit much for a book. :( -------------------------------------------------------------------- Opinions expressed are mine and not those of my employer. -------------------------------------------------------------------- Christopher L. Werner Robert Bosch Corporation System Engineer 38000 Hills Tech Dr. 
(810)553-1389 Farmington Hills, MI 48331-3417

From firewalls-owner Wed Nov 15 14:34:22 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id NAA29975 for firewalls-outgoing; Wed, 15 Nov 1995 13:29:33 -0800 (PST)
Received: from bwh.harvard.edu (bwh.harvard.edu [134.174.81.34]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id NAA29970 for ; Wed, 15 Nov 1995 13:29:25 -0800 (PST)
Received: (adam@localhost) by bwh.harvard.edu (8.6.9/8.6.9) id QAA16190; Wed, 15 Nov 1995 16:29:36 -0500
From: Adam Shostack
Message-Id: <199511152129.QAA16190@bwh.harvard.edu>
X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School
Subject: Re: NTP through a firewall
To: sgcccdc@citec.qld.gov.au (Colin Campbell)
Date: Wed, 15 Nov 1995 16:29:35 -0500 (EST)
Cc: jwilde@westmail.com, firewalls@GreatCircle.COM
In-Reply-To: <9511142233.AA18724@citecub.citec.qld.gov.au> from "Colin Campbell" at Nov 15, 95 08:33:25 am
X-PGP: 0xE794DA91 FD3C3450FEB4A0B8 18F2E72CA82D29B8
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Colin wrote:
|
| > as an NTP Server for the rest of our network. I was thinking of opening a UDP
| > port for NTP (network time protocol) and allowing only my time provider to talk
| > to the firewall via NTP through a generalized proxy. My question is this,
|
| The only problem with this is the fact that NTP is UDP-based which
| means anyone with the inclination can screw around with the time on
| your network merely by impersonating the host you look to for the
| correct time. Sure they can only make small and gradual adjustments
| but they can do it and you did ask.

Doesn't NTP 3 allow for authentication of packets? (Manually shared key MD5 and DES.) That makes screwing with your time substantially harder. Or is there a problem with the implementation?
Adam
--
"It is seldom that liberty of any kind is lost all at once." -Hume

From firewalls-owner Wed Nov 15 14:35:44 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id OAA01351 for firewalls-outgoing; Wed, 15 Nov 1995 14:06:23 -0800 (PST)
Received: from devel.dejong.com (devel.dejong.com [198.235.24.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id OAA01346 for ; Wed, 15 Nov 1995 14:06:16 -0800 (PST)
From: Chris Tyler
To: Firewalls@GreatCircle.COM
Cc: "Gregg Williams"
Date: Wed, 15 Nov 1995 17:07 EST
Subject: Re: Thats How Netscape does it!
Content-Type: text/plain
Message-ID: <30aa648e0.1b41@devel.dejong.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Gregg Williams wrote:

> When your web browser connects to home.netscape.com, you actually
> get home1.netscape.com or home2.netscape.com or home3...

This can be done with URL redirects. Configure your master home page to be a CGI script that returns a redirect to the home page on the appropriate server. For example,

    http://www.company.com/ --> CGI script that returns a URL
                                redirect to one of www1.company.com,
                                www2.company.com, or www3.company.com

This script could return the URL randomly, or in rotary fashion (www1 the first time, www2 the second, etc), or it could be more intelligent and go out and see which server(s) had the lightest load. You could also make it check that the server was "up" and that it was not undergoing maintenance (e.g., page updating). One problem is that users will tend to hotlist or bookmark files on one specific server, so that eventually even a sequential or random URL redirection may not balance the load properly... thus it's best to check actual load. Round-robin DNS will solve this bookmark problem, but it won't detect when you take a server down and it won't always accurately balance the load.
Note also that in order to make the URL redirects work nicely, you'll need to configure your server so that the master homepage can be a CGI script without some awkward directory name in there (so the main URL is http://www.company.com/ instead of http://www.company.com/cgi-bin/homepage.html)... it might be easier to do that with (say) Apache or Spider rather than something like NCSA httpd.

(You must have a pretty big pipe... or a slow machine... if your server and not your pipe is your bottleneck!).

Chris Tyler   Chris@DeJong.Com   CTyler@Oxford.Net
Systems Development Manager, Wm. De Jong Enterprises Inc.
+1-519-424-9007 / fax +1-519-424-2399

From firewalls-owner Wed Nov 15 14:37:09 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id MAA28943 for firewalls-outgoing; Wed, 15 Nov 1995 12:59:44 -0800 (PST)
Received: from gatekeeper.mpsisys.com (ppp.mpsisys.com [198.65.132.134]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id MAA28931 for ; Wed, 15 Nov 1995 12:59:38 -0800 (PST)
Received: (from smap@localhost) by gatekeeper.mpsisys.com (8.6.10/8.6.10) id OAA29347 for ; Wed, 15 Nov 1995 14:13:59 -0600
Received: from mpsi.mpsisys.com(139.45.3.26) by gatekeeper.mpsisys.com via smap (V1.3) id sma029343; Wed Nov 15 14:13:49 1995
Received: from omni.mpsisys.com by mpsi.mpsisys.com (AIX 3.2/UCB 5.64/4.03) id AA05582; Wed, 15 Nov 1995 14:13:50 -0600
Received: by omni.mpsisys.com (AIX 4.1/UCB 5.64/4.03) id AA26880; Wed, 15 Nov 1995 14:13:36 -0600
Date: Wed, 15 Nov 1995 14:13:36 -0600
From: ralph@omni.mpsisys.com (Ralph Mitchell)
Message-Id: <9511152013.AA26880@omni.mpsisys.com>
To: firewalls@GreatCircle.COM
Subject: Re: NTP through a firewall
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Md5: mDW+o1c2IdTKJB75fqpjUw==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> On Nov 15, 9:11am, I wrote:
> > If you don't require millisecond accuracy, set up xntp on a machine with a
> > modem and have it dial the NIST Automated Computer Time Service (ACTS) once
> > a week or once a day - depending on your clock accuracy. No holes in your
> > firewall and is reasonably secure, unless someone subverts the phone system
> > again...
>

I've had several requests regarding this message, so I will summarize to the list... :-)

In xntp3.4m/doc (I know, there's a later release than this...) there is a file that is called acts.c. At the top it has this comment

    /*
     * refclock_acts - clock driver for the NIST Automated Computer Time
     *      Service aka Amalgamated Containerized Trash Service (ACTS)
     */

And a little lower down it expands on it:

    /*
     * This driver supports the NIST Automated Computer Time Service (ACTS).
     * It periodically dials a prespecified telephone number, receives the
     * NIST timecode data and calculates the local clock correction. It is
     * designed primarily for use as a backup when neither a radio clock nor
     * connectivity to Internet time servers is available. For the best
     * accuracy, the individual telephone line/modem delay needs to be
     * calibrated using outside sources.
     *
     * The ACTS is located at NIST Boulder, CO, telephone 303 494 4774.

I don't know how to configure this refclock, because I have never needed it, but there are some instructions further down the file. Read the file for more information.
Ralph Mitchell

From firewalls-owner Wed Nov 15 15:23:58 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id PAA03020 for firewalls-outgoing; Wed, 15 Nov 1995 15:07:04 -0800 (PST)
Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id PAA03015 for ; Wed, 15 Nov 1995 15:07:00 -0800 (PST)
Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.6.10/8.6.10) id JAA29025; Thu, 16 Nov 1995 09:02:08 +1000
Received: from citecub.citec.qld.gov.au(131.242.4.98) by citecuh.citec.qld.gov.au via smap (V1.3) id /mail/incoming/sma029016; Thu Nov 16 09:01:42 1995
Received: by citecub.citec.qld.gov.au (5.0/SMI-SVR4) id AA16558; Thu, 16 Nov 1995 09:02:58 +1000
From: sgcccdc@citec.qld.gov.au (Colin Campbell)
Message-Id: <9511152302.AA16558@citecub.citec.qld.gov.au>
Subject: Re: Configuration
To: peter@nmti.com (Peter da Silva)
Date: Thu, 16 Nov 1995 09:02:57 +1000 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9511151525.AA19299@sonic.nmti.com.nmti.com> from "Peter da Silva" at Nov 15, 95 09:25:10 am
X-Mailer: ELM [version 2.4 PL24 PGP3 *ALPHA*]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My mailer thinks Peter da Silva said:
>
> > I use IP addresses only in netperm-table. If the reverse lookup fails
> > either the host attempting access is not in DNS and therefore I do not
> > want them using the service, or DNS failed and since I can't "verify"
> > the IP address, access is again denied.
>
> How does reverse lookup "verify" the IP address. All it verifies is that
> the IP address is known to DNS. It doesn't verify that someone's not using
> a source routing or IP spoofing attack on you.
>
> > If you have a wildcard like "permit hosts *" then the "unknown" line
> > adds security.
>
> If "sites that have recently changed their IP address can't send you mail"
> adds security, I guess so. I still don't see the point of the "unknown"
> line... could someone explain (in short sentences)?
>

Here's how I use it.

1. No external hosts have access at all.

2. My netperm-table is used to control access to the proxy as follows:

   a) first line for a service is "deny host unknown"

   b) subsequent lines are one per host detailing where they can go, eg

      permit host 123.231.124.241 -dest !127.0.0.1 -dest *

Why do I do this?

   the deny line means only people I have entered into DNS have access
      security? maybe
      control? yes

   the deny line means not having to scan a long list to deny access

   if known by DNS, then scan long list (:-) to determine controls

This is not really practical for large sites and I am looking at going to subnets for the "permit" lines (permit hosts 123.231.*.*) because netperm-table is getting too long. We do not use DNS extensively so I can still use it to control access via the "unknown" option.

If you allow external hosts access to the proxy then really the whole netperm-table is pointless - you cannot guarantee anyone is who they say they are. You can only control access by hostname/ip address/subnet all of which can be faked out. If on the other hand the proxy only sees internal hosts, the "unknown" option allows the control I mentioned above. Yes you can impersonate a host but you cannot just grab any IP address and expect service. If you ain't DNS-ed you don't get service. Maybe not security, just control.

If you can smell something burning, it's just me thinking.
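The access check described above, written out as an added example for this archive (not FWTK's own netperm-table parser and not code from any poster): the proxy reverse-looks up the client, treats a failed lookup as "unknown", then walks the rule list in order, matching per-host and per-subnet source patterns and the ordered, negatable -dest list. Beyond what the post states, it also requires the forward (A) record for the PTR name to map back to the client address, so a client whose address owner controls the reverse zone cannot borrow a trusted name; that check is this example's addition, and, as the post itself notes, none of this defends against a spoofed source address. The resolver tables, hostnames and addresses are constructed.

```python
# Constructed resolver tables standing in for the PTR (reverse) and A (forward)
# zones the proxy host would query. All names and addresses are hypothetical.
PTR_RECORDS = {
    "123.231.124.241": "becks.example.com",
    "123.231.5.7": "alpha.example.com",
    "123.231.9.9": "liar.example.com",     # PTR exists, but the name does not map back
}
A_RECORDS = {
    "becks.example.com": "123.231.124.241",
    "alpha.example.com": "123.231.5.7",
    "liar.example.com": "10.0.0.1",
}

# Rule list in the spirit of the netperm-table lines above: (action, source
# pattern, destination patterns). First matching source line decides.
RULES = [
    ("deny", "unknown", []),
    ("permit", "123.231.124.241", ["!127.0.0.1", "*"]),
    ("permit", "123.231.*.*", ["!127.0.0.1", "!123.231.*.*", "*"]),
]


def resolve_source(ip):
    """Reverse-look up the client; None means 'unknown'. Also insists that the
    forward record agrees with the address (added hardening, not in the post)."""
    name = PTR_RECORDS.get(ip)
    if name is None or A_RECORDS.get(name) != ip:
        return None
    return name


def addr_matches(pattern, ip):
    """Octet-wise wildcard match, e.g. 123.231.*.* against 123.231.5.7."""
    if pattern == "*":
        return True
    p, a = pattern.split("."), ip.split(".")
    return len(p) == len(a) and all(x == "*" or x == y for x, y in zip(p, a))


def source_matches(pattern, ip, name):
    if pattern == "unknown":
        return name is None
    return addr_matches(pattern, ip) or (name is not None and pattern == name)


def dest_allowed(dest_patterns, dest):
    """Walk the -dest entries in order; a '!' entry denies, first match decides."""
    for entry in dest_patterns:
        negated = entry.startswith("!")
        pattern = entry[1:] if negated else entry
        if addr_matches(pattern, dest) or pattern == dest:
            return not negated
    return False


def check_access(src_ip, dest):
    """Return (decision, reason) for a proxy request from src_ip to dest."""
    name = resolve_source(src_ip)
    for action, src_pattern, dest_patterns in RULES:
        if not source_matches(src_pattern, src_ip, name):
            continue
        if action == "deny":
            return ("deny", "matched 'deny host %s'" % src_pattern)
        if dest_allowed(dest_patterns, dest):
            return ("permit", "host %s (%s) may reach %s" % (src_ip, name, dest))
        return ("deny", "destination %s not permitted for %s" % (dest, src_pattern))
    return ("deny", "no matching rule")


if __name__ == "__main__":
    for src, dst in [("123.231.124.241", "www.example.org"),
                     ("123.231.124.241", "127.0.0.1"),
                     ("123.231.5.7", "123.231.1.1"),
                     ("123.231.9.9", "www.example.org"),
                     ("203.0.113.5", "www.example.org")]:
        print(src, "->", dst, ":", check_access(src, dst))
```

The third rule shows the subnet form the post is moving towards, with the internal range itself excluded as a destination so the proxy cannot be used to bounce back into the inside. The 123.231.9.9 case is the one the added forward check catches: it has a PTR record, so the original "unknown" test alone would have let it fall through to the subnet rule.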
Colin

From firewalls-owner Wed Nov 15 15:55:33 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id OAA02426 for firewalls-outgoing; Wed, 15 Nov 1995 14:43:04 -0800 (PST)
Received: from tera.bctel.net (tera.bctel.net [204.174.66.253]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id OAA02420 for ; Wed, 15 Nov 1995 14:42:52 -0800 (PST)
Received: (from nobody@localhost) by tera.bctel.net (8.7.1/8.7.1) id OAA04128; Wed, 15 Nov 1995 14:42:50 -0800 (PST)
X-Authentication-Warning: tera.bctel.net: nobody set sender to using -f
Received: from mocha.bctel.net(204.174.66.5) by tera via smap (V1.3) id sma004126; Wed Nov 15 14:42:42 1995
Received: (from murrell@localhost) by mocha.bctel.net (8.7.1/8.7.1) id OAA12813; Wed, 15 Nov 1995 14:44:16 -0800 (PST)
Date: Wed, 15 Nov 1995 14:44:16 -0800 (PST)
From: Brian Murrell
Message-Id: <199511152244.OAA12813@mocha.bctel.net>
To: firewalls@GreatCircle.COM, GREGGW@real3.realtime.co.za
Subject: Re: Thats How Netscape does it!
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-MD5: bwbbnwcQqoPocLG+o5Ww5w==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> When your web browser connects to home.netscape.com, you actually
> get home1.netscape.com or home2.netscape.com or home3...
>
> Anyone know of generic easy way to do this? I thought of two
> solutions, but I dont think they will work:

Generic, easy?? Maybe not, but you could hack your DNS (i.e. BIND) to return a different address each time, maybe even sampling the load on the machines to be balanced.

b.

--
Brian J. Murrell                  murrell@bctel.net
BCTel Advanced Communications     brian@ilinx.com
Vancouver, B.C.
brian@wimsey.com   604 454 5261

From firewalls-owner Wed Nov 15 16:23:58 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id OAA02440 for firewalls-outgoing; Wed, 15 Nov 1995 14:44:11 -0800 (PST)
Received: from tera.bctel.net (tera.bctel.net [204.174.66.253]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id OAA02435 for ; Wed, 15 Nov 1995 14:44:07 -0800 (PST)
Received: (from nobody@localhost) by tera.bctel.net (8.7.1/8.7.1) id OAA04133; Wed, 15 Nov 1995 14:44:21 -0800 (PST)
X-Authentication-Warning: tera.bctel.net: nobody set sender to using -f
Received: from mocha.bctel.net(204.174.66.5) by tera via smap (V1.3) id sma004130; Wed Nov 15 14:44:07 1995
Received: (from murrell@localhost) by mocha.bctel.net (8.7.1/8.7.1) id OAA12816; Wed, 15 Nov 1995 14:45:40 -0800 (PST)
Date: Wed, 15 Nov 1995 14:45:40 -0800 (PST)
From: Brian Murrell
Message-Id: <199511152245.OAA12816@mocha.bctel.net>
To: GREGGW@real3.realtime.co.za, fennessq@thecount.eng.sematech.org
Subject: Re: Thats How Netscape does it!
Cc: firewalls@GreatCircle.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-MD5: g4734R/3Mu2eDk14gvDs9g==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Modern versions (4.9.3bXX) of bind will do round-robin sharing
> of addresses. So you could have
>
>     www     IN A    123.123.123.123
>             IN A    123.123.123.124
>             IN A    123.123.123.125
>             IN A    123.123.123.126
>             IN A    123.123.123.127
>
> The named process on your nameserver will answer up the A records
> one after another.

Cool. I didn't know this. This is essentially what I suggested a few minutes ago.

b.

--
Brian J. Murrell                  murrell@bctel.net
BCTel Advanced Communications     brian@ilinx.com
Vancouver, B.C.
brian@wimsey.com   604 454 5261

From firewalls-owner Wed Nov 15 18:23:58 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA07923 for firewalls-outgoing; Wed, 15 Nov 1995 17:57:54 -0800 (PST)
Received: from switchblade.iwi.com (switchblade.iwi.com [137.39.156.214]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id RAA07918 for ; Wed, 15 Nov 1995 17:57:50 -0800 (PST)
Received: (from mjr@localhost) by switchblade.iwi.com (8.6.9/8.6.9) id UAA08445 for firewalls@greatcircle.com; Wed, 15 Nov 1995 20:58:38 -0500
From: "Marcus J. Ranum"
Message-Id: <199511160158.UAA08445@switchblade.iwi.com>
Subject: Re: Thats How Netscape does it!
To: firewalls@greatcircle.com
Date: Wed, 15 Nov 1995 20:58:38 -0500 (EST)
Reply-To: mjr@iwi.com
Organization: Information Warehouse! Inc, Baltimore, MD
URL: mjr's web page
Phone: 410-889-8569
Coredump: Infocalypse Now!!!
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>We would also like to load balance our web server like this and
>have one address that could connect a user to any of 5 different
>machines (least heavily loaded one, or some cyclic order).

The usual way of doing this is to use a rotating DNS record, and have N machines, with N addresses in the DNS. Then you hack up some code (I have some that does this) which keeps the machines heartbeating to each other, and if one of the N is down, you have a backup machine quickly take its IP address *too* for a while. BSDI and most decent versions of UNIX let you have multiple IPs for a single interface.

The idea of trying to calculate which is least heavily loaded has relatively little merit, I expect. For a REALLY large installation, luck-of-the-draw is going to tend to produce a pretty smooth load level across all the systems.
If you are fielding 2,000 requests/minute, and have 10 machines, that's 200 requests/minute, and if you use luck-of-the-draw to let the load balance itself, one machine might have to handle 250 hits (which is actually a pretty large deviation - 10% off average). I wouldn't bother getting fancy until I had some hard numbers that indicated getting fancy would actually benefit you! Don't *assume* that a naive solution is inadequate: be a scientist and *test* it, or model it.

For some really *COOL* info on building monster web servers, I highly recommend a paper by Dan Mosedale, which was presented at LISA '95:

    http://home.netscape.com/people/dmose/paper.ps

mjr.

From firewalls-owner Wed Nov 15 21:33:39 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id VAA12235 for firewalls-outgoing; Wed, 15 Nov 1995 21:11:32 -0800 (PST)
Received: from mail.crl.com (mail.crl.com [165.113.1.22]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id VAA12228 for ; Wed, 15 Nov 1995 21:11:29 -0800 (PST)
Received: from crl.crl.com (crl.com) by mail.crl.com with SMTP id AA05541 (5.65c/IDA-1.5 for ); Wed, 15 Nov 1995 21:10:37 -0800
Received: by crl.crl.com id AA15785 (5.65c/IDA-1.5); Wed, 15 Nov 1995 20:58:04 -0800
Date: Wed, 15 Nov 1995 20:58:03 -0800 (PST)
From: Tim Keanini
To: Gregg Williams
Cc: firewalls@GreatCircle.COM
Subject: Re: Thats How Netscape does it!
In-Reply-To: <8CB850C4562@real3.realtime.co.za>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 15 Nov 1995, Gregg Williams wrote:

> 1. Add 5 aliases called "www" to point to the 5 different machines.
>    e.g.
>    www     IN CNAME        home1.domain.org
>    www     IN CNAME        home2.domain.org
>    www     IN CNAME        home3.domain.org
>    www     IN CNAME        home4.domain.org
>    www     IN CNAME        home5.domain.org

This works fine. but I would make sure it is

    www     IN CNAME        home1.domain.org.

That last period will get you all the time.
:-)

Also, please keep in mind that if you do this, and you have cgi-bin's, make darn sure that you are saving the "state" at the client because the next hit will go to the next machine in line. Make SURE you understand the security issues involved with cgi-bin scripting before you start getting clever with holding the "state" at the user's client.

-blast

From firewalls-owner Wed Nov 15 23:53:58 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id WAA14764 for firewalls-outgoing; Wed, 15 Nov 1995 22:53:18 -0800 (PST)
Received: from SanFrancisco01.POP.InterNex.Net (SanFrancisco01.POP.InterNex.Net [205.158.3.50]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id WAA14759 for ; Wed, 15 Nov 1995 22:53:15 -0800 (PST)
Received: from Anthros.Com ([205.158.235.130]) by SanFrancisco01.POP.InterNex.Net (post.office MTA v1.7 ID# 0-11028) with SMTP id AAA29969 for ; Wed, 15 Nov 1995 22:54:00 -0800
Received: from phoebe.Anthros.Com by Anthros.Com (5.0/SMI-SVR4) id AA10871; Wed, 15 Nov 1995 22:51:37 -0800
Received: by phoebe.Anthros.Com (5.x/SMI-SVR4) id AA05142; Wed, 15 Nov 1995 22:48:59 -0800
Date: Wed, 15 Nov 1995 22:48:59 -0800
From: daemeonr@Anthros.Com@Anthros.Com
Message-Id: <9511160648.AA05142@phoebe.Anthros.Com>
To: firewalls@greatcircle.com
Subject: Re: Thats How Netscape does it!
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Recently, Chris Tyler wrote:
=>
=> Gregg Williams wrote:
=>
=> > When your web browser connects to home.netscape.com, you actually
=> > get home1.netscape.com or home2.netscape.com or home3...
=>
=> This can be done with URL redirects. Configure your master home page to be a CGI
=> script that returns a redirect to the home page on the appropriate server.
=> For example,
=>
=>     http://www.company.com/ --> CGI script that returns a URL
=>                                 redirect to one of www1.company.com, www2.company.com,
=>                                 or www3.company.com
=>
=> This script could return the URL randomly, or in rotary fashion (www1 the first time,
=> www2 the second, etc), or it could be more intelligent and go out and see which
=> server(s) had the lightest load. You could also make it check that the server was
=> "up" and that it was not undergoing maintenance (e.g., page updating). One problem
=> is that users will tend to hotlist or bookmark files on one specific server, so that
=> eventually even a sequential or random URL redirection may not balance the load
=> properly... thus it's best to check actual load. Round-robin DNS will solve this
=> bookmark problem, but it won't detect when you take a server down and it won't
=> always accurately balance the load.

I have reservations about such a DNS solution, use of short time-to-live A records is considered bad because of the excessive network (DNS/ARP) overhead it adds.

On the other hand, it is a royal pain to parse vmstat/sar/etc. to figure out what the darned system load is. Even then, I haven't come up with a good way to make this data readily accessible to the server. Any suggestions?

=>
=> Note also that in order to make the URL redirects work nicely, you'll need to
=> configure your server so that the master homepage can be a CGI script without some
=> awkward directory name in there (so the main URL is http://www.company.com/
=> instead of http://www.company.com/cgi-bin/homepage.html)... it might be easier to do
=> that with (say) Apache or Spider rather than something like NCSA httpd.

You may also want to consider use of a default file to be served, make doc-root a cgi directory, and make the served file a cgi-bp. These options are available using Netscape's products, and I *thought* that similar functions were available with the current version of NCSA.
As a security measure, I have architected all of my client's systems such that doc-root is a cgi, and contains the default script. It makes use of wild-card certificates a viable solution (with multiple Secure Servers, e.g. www*.foo.com). I force ALL of the Web servers to load balance by forcing a URL redirect if there is another server *known* to have less utilization (set the utilization deltas low so you don't end up pinging). This dynamic load balancing becomes very important if you are using e.g. a Commerce server to serve up files (i.e. where the Web server is sort of a fancy SSL-ftp server).

I am currently working on a client's solution where EVERY page is CGI'ed, and every cgi program will load balance (wild-card'ed Certificates are used). This is complicated by the fact that most of the server instances will be enqueued on a reply from mainframe (CICS in this case) systems.

=>
=> (You must have a pretty big pipe... or a slow machine... if your server and not your
=> pipe is your bottleneck!).

Or some pretty serial cgi's.

=>
=> Chris Tyler   Chris@DeJong.Com   CTyler@Oxford.Net
=> Systems Development Manager, Wm. De Jong Enterprises Inc.
=> +1-519-424-9007 / fax +1-519-424-2399
=>

From firewalls-owner Thu Nov 16 00:10:01 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id XAA15277 for firewalls-outgoing; Wed, 15 Nov 1995 23:05:14 -0800 (PST)
Received: from fountain.village.org (fountain.village.org [198.137.146.37]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id XAA15272 for ; Wed, 15 Nov 1995 23:05:07 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by fountain.village.org (8.6.11/8.6.6) with SMTP id AAA04067 for ; Thu, 16 Nov 1995 00:05:29 -0700
Message-Id: <199511160705.AAA04067@fountain.village.org>
To: Firewalls@greatcircle.com
Subject: Re: (summary) rfc-1597 addresses and transparent proxies
In-reply-to: Your message of Tue, 14 Nov 1995 23:24:57 PST
Date: Thu, 16 Nov 1995 00:05:28 -0700
From: Dieter Dworkin Muller
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

daemeonr@Anthros.Com@Anthros.Com wrote:
:
: Recently Dieter Dworkin Muller wrote:
:
: => I don't like depending on the CERN server for security-type things, so
: => I might just hack tcp-relay to do the actual proxy work, and have it
: => go to the CERN server to handle caching. Kind of convoluted, but less
: => ugly than trying to prove CERN code correct.
:
: I gather that there is a large user base at your installation to validate
: the quality of your code? Far larger no doubt than the user base that is
: constantly validating CERN? I believe that Bianca Troll might be able to
: direct you to a good recipe for humble pie (ask in the coffee shop).

In general, my approach in security-related areas is very similar to that which is often espoused here: make it as simple as possible, but no simpler. None of the HTTP servers available today qualifies as simple. Adding in proxy support adds complexity.
Therefore, I prefer to separate the two functions -- run the big, full-featured server in a context where it doesn't matter if it's vulnerable, and have the small, easily-verified security-enhancing proxy servers running where security does matter.

I have seen people with very solid credentials in paranoid coding make mistakes. Nobody is immune to them. If I can't read and understand the entire program in a reasonable amount of time (nebulously defined, but certainly in less than eight hours), it's going to be very hard for me to feel completely secure using it. Even if I *can* understand the code, I probably still won't trust it completely. Features can interact, either within a program, or between programs, in such a way that a vulnerability is produced. There are many well-known instances of such combinations happening.

For that matter, just because somebody says something is secure is no reason for me to believe it. If there are a lot of people saying something is secure, it might bias me towards a similar conclusion, but I won't believe it without first checking it myself. I trust no one, including myself. I especially don't trust people I don't know.

My original comments, and those above, apply equally well to any of the other HTTP servers (actually, any other software in general) that are out there. I mentioned the CERN server in particular, because it's the one I'm running (chroot'd, as a non-privileged user, in a directory tree where nothing is writable except by root).

: => One additional feature of what I'm planning, that became a requirement
: => once we thought of it, is that if someone *does* manage to break in,
: => any outgoing connection they make A) has to be preceded by a DNS
: => lookup, and B) can/will be logged (I plan on logging all connections).
: => This should make tracking down crackers just a little bit easier.
: => Once we thought of this, the idea of blind automatic translation
: => became much less attractive.
:
: telnet 123.123.123.123 ... oops, no DNS lookup! And no connection.

You need to read my message in the context of the entire discussion. The scenario is an rfc-1597 network, with application-level proxies on a multi-homed bastion host. No packets may go directly from internal systems to the outside world. Getting out involves:

. the client does a DNS lookup for the outside host name
. the DNS server allocates an unused rfc-1597 address for that name
. configure a virtual interface on the bastion host to respond to the newly-allocated address
. record the (name, address) pair in the in-addr.arpa domain
. return the false address to the client
. the client sends to the rfc-1597 address it was provided (UDP send, TCP connect)
. the proxy application notes what address was used for its end of the transmission
. the proxy does a reverse lookup on the address, which tells it what name was originally requested
. the proxy then queries a DNS server that is not on the bastion (or at least isn't the same one that responds to queries from the rfc-1597 side) for the real address of the named host
. the proxy then sends/connects to the real host
. the proxy proceeds to relay data between the rfc-1597 host and the external host
. after the virtual interface has been idle for a sufficient period of time, the interface is turned off and the address returned to the unused pool

So, a telnet 123.123.123.123 would not work, as packets from an rfc-1597 host are blocked from leaving the local network (even if I didn't do it in my packet filters, my ISP does it, and so do most of the others). Since there's been no DNS lookup, there's no virtual interface setup to proxy some internal rfc-1597 address for transmissions to 123.123.123.123.

I'm quite willing to believe there's a loophole in the above design, but it's not quite as trivial as what you imply.
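The address-allocating DNS front end and proxy in the steps above, modelled as an added example for this archive (not the poster's own code, which he describes only in outline): an internal lookup takes an address from the private pool and records the reverse mapping; a connect to a pool address is reverse-mapped to the requested name, resolved through the outside-facing resolver, logged and relayed; a connect to an address no lookup produced is dropped because no virtual interface answers there; idle mappings are reaped back into the pool. The pool range, the external resolver table and the client address are constructed, and the "relay" is represented by returning the real target address rather than opening a socket.

```python
import ipaddress


class TranslatingGateway:
    """Simulates the bastion's DNS front end and proxy from the steps listed above."""

    def __init__(self, pool_cidr, external_resolver, idle_timeout=300):
        # Private (RFC 1597) addresses handed out in place of real outside addresses.
        self.free = [str(a) for a in ipaddress.ip_network(pool_cidr).hosts()]
        self.by_name = {}          # outside name -> private address currently mapped to it
        self.by_addr = {}          # private address -> {"name": ..., "last_used": ...}
        self.external_resolver = external_resolver   # callable(name) -> real address or None
        self.idle_timeout = idle_timeout
        self.log = []              # one entry per outgoing connection attempt

    def internal_lookup(self, name, now):
        """Answer an internal client's query: allocate a pool address, record the
        reverse (in-addr.arpa) mapping, and return the private address, not the real one."""
        addr = self.by_name.get(name)
        if addr is None:
            if not self.free:
                raise RuntimeError("address pool exhausted")
            addr = self.free.pop(0)                  # bringing up the virtual interface
            self.by_name[name] = addr
            self.by_addr[addr] = {"name": name, "last_used": now}
        self.by_addr[addr]["last_used"] = now
        return addr

    def connect(self, client_ip, dest_addr, port, now):
        """Proxy side: a packet arrived for dest_addr. Reverse-map it to the name the
        client asked for, resolve that name externally, log, and return the real target."""
        entry = self.by_addr.get(dest_addr)
        if entry is None:
            # No virtual interface answers here, so the packet is simply dropped.
            self.log.append({"client": client_ip, "dest": dest_addr, "port": port,
                             "result": "dropped: no DNS lookup preceded this address"})
            return None
        name = entry["name"]                         # the reverse lookup
        real = self.external_resolver(name)          # query the outside-facing resolver
        entry["last_used"] = now
        self.log.append({"client": client_ip, "dest": dest_addr, "port": port,
                         "name": name, "real": real,
                         "result": "relayed" if real else "unresolvable"})
        return real

    def reap(self, now):
        """Return idle addresses to the pool; later connects to them are dropped again."""
        expired = [a for a, e in self.by_addr.items()
                   if now - e["last_used"] >= self.idle_timeout]
        for addr in expired:
            entry = self.by_addr.pop(addr)
            del self.by_name[entry["name"]]
            self.free.append(addr)
        return expired


if __name__ == "__main__":
    # Constructed outside zone, as the resolver off the bastion would see it.
    outside = {"www.example.org": "192.0.2.10"}.get
    gw = TranslatingGateway("10.200.0.0/29", outside, idle_timeout=60)
    print(gw.connect("192.168.1.5", "10.200.0.1", 23, now=0))        # None: no lookup yet
    fake = gw.internal_lookup("www.example.org", now=0)
    print(fake, gw.connect("192.168.1.5", fake, 80, now=2))          # 10.200.0.1 192.0.2.10
    print(gw.reap(now=100), gw.connect("192.168.1.5", fake, 80, now=101))
    for entry in gw.log:
        print(entry)
```

Every relayed connection in the log carries the name that was asked for, which is the audit trail the design is after. One sizing consequence worth noting: each distinct outside name holds a pool address until the idle timeout expires, so the pool has to be dimensioned against the number of names the inside resolves within that window, and the exhausted-pool branch above is reachable by any inside host that simply resolves enough names.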
Dworkin

From firewalls-owner Thu Nov 16 00:23:58 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id XAA17957 for firewalls-outgoing; Wed, 15 Nov 1995 23:56:07 -0800 (PST)
Received: from archimedes.vislab.navy.mil (archimedes.chinalake.navy.mil [129.131.31.8]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id XAA17946 for ; Wed, 15 Nov 1995 23:56:03 -0800 (PST)
Received: from archimedes.vislab.navy.mil (parcival.vislab.navy.mil [129.131.31.12]) by archimedes.vislab.navy.mil (current-1701B/current-CL-CL) with ESMTP id XAA19109; Wed, 15 Nov 1995 23:57:30 -0800
Posted-Date: Wed, 15 Nov 1995 23:57:30 -0800
Message-Id: <199511160757.XAA19109@archimedes.vislab.navy.mil>
To: mjr@iwi.com
cc: firewalls@greatcircle.com, bens@archimedes.vislab.navy.mil
Subject: Re: Thats How Netscape does it!
In-reply-to: Your message of "Wed, 15 Nov 1995 20:58:38 EST." <199511160158.UAA08445@switchblade.iwi.com>
Date: Wed, 15 Nov 1995 23:57:21 -0800
From: Benjamin Allan Smith
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Marcus Ranum wrote in response to someone:

> >We would also like to load balance our web server like this and
> >have one address that could connect a user to any of 5 different
> >machines (least heavily loaded one, or some cyclic order).
>
> The usual way of doing this is to use a rotating D