From firewalls-owner Wed Nov 1 03:22:57 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id DAA26881 for firewalls-outgoing; Wed, 1 Nov 1995 03:16:32 -0800 (PST)
Received: from maildrop.micrognosis.com (supernova.micrognosis.com [192.233.13.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id DAA26874 for ; Wed, 1 Nov 1995 03:16:27 -0800 (PST)
Received: by maildrop.micrognosis.com (4.1/SMI-4.1) id AA18184; Wed, 1 Nov 95 06:16:28 EST
Received: from singhi.corp.micrognosis.com(193.32.166.28) by supernova.micrognosis.com via smap (V1.3) id sma018177; Wed Nov 1 06:16:10 1995
Received: from becks (becks.corp.micrognosis.com) by corp.micrognosis.com (4.1/1.0-integ.cf) id AA24465; Wed, 1 Nov 95 06:18:53 EST
Date: Wed, 1 Nov 1995 06:18:51 -0500 (EST)
From: Adam Jack
X-Sender: ajack@becks
To: Mike Shaver
Cc: hal@netmarket.com, mam@ssds.com, scott@disclosure.com, mjr@iwi.com, firewalls@greatcircle.com
Subject: Re: What about the next 20 Java-like applications? ( was Re: Java):
In-Reply-To: <199511010517.AAA05319@neon.ingenia.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 1 Nov 1995, Mike Shaver wrote :

> > HotJava can be hard-coded-configured shut by an Admin (though this sucks)
> > and you can filter out http://*.class to keep it out.
>
> The issue Hal raised (you're right, it's an old one) is of untrusted
> versions of software coming in. You can't solve that without
> eliminating execution permissions on anywhere that they have write
> access. Possible for some user communities, not at all for others.
>

Fine - then it isn't a Java issue - and the risk is contained by only allowing write to a directory decided by the firewall manager. If there is no possibility to do this - then write is disallowed. (For what it is worth, and I only browsed the documentation, there isn't any mechanism in Java to set file permissions.)
>
> > I really hoped, given the experience on this list, that a better informed
> > discussion might occur. Unfortunately there doesn't appear to be anybody,
> > with experience, spending any real time analyzing it.
>
> Analyzing what?
> It's not a finished system yet, and Sun isn't releasing the source to
> the pre-beta JDK stuff, so it's hard for anyone outside Sun to do any
> serious analysis of what _is_ there.
>

There is plenty of stuff to get started on. Their white papers cover most of the issues I've seen raised here. If it is the interpreter you want to review - and not the 'applets & Java language' (which have been discussed so far) - then I must agree with you. This discussion started w/ the threats of applets - not the threats of overwriting interpreter stacks.

However - this is consistent w/ my mumbled point. This thing is out (and prolific) and it needs to be dealt w/ with reasoning. Agreed - Sun did a dirty by piggybacking HTTP - but any marketing savvy organisation would do that. Things, like Java, can gain more momentum long before they have been analyzed by the field. (I guess sendmail is an example ;-)

> > What I don't hear from this list are criteria for quantifying
> > risk.
>
> I think quantification of risk is a slippery slope, but that's
> personal opinion. (Leads towards pigeonholing problems/solutions in
> potentially inappropriate ways, IMVHO.)
>

An excellent point - and one I'd say I was too inexperienced to counter. All I am saying is that there needs to be a way to let firewall managers deal with the hordes of new applications on more than a Yes/No Safe/Dodgy basis - w/o months of personal analysis. Compared to the known holes of NFS - HotJava might be considered safe. Compared to Word Macros in e-mail - safe. Compared to FTP - unsafe. But where in that range does it sit?

> > Or proposals for rapid response certification bodies.
> >
> I'm unfamiliar with the term (been away from firewalls@greatcircle for
> a while, if that's a good excuse), but I think the current system of
> incremental, earned trust is a good one. If Ed deHart says "X is a
> hole. Y fixes it." then I'm likely to believe him, etc. Sure, it
> creates potential for abuse (imagine the horror if Eric Allman went
> bad!), but that's the nature of trust.
>

I made the term up on the spot - so no surprises. My point was that these individuals were already occupied and unlikely to be in a position to trust N new technologies per day. Incremental earning of trust is OK when technologies grow incrementally ... like Netscape ;-) ?

Adam
--
+1-203-730-5437 | http://www.micrognosis.com/~ajack/index.html

From firewalls-owner Wed Nov 1 03:53:10 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id DAA27216 for firewalls-outgoing; Wed, 1 Nov 1995 03:48:23 -0800 (PST)
Received: from neon.ingenia.com (neon.ingenia.com [134.117.55.86]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id DAA27209 for ; Wed, 1 Nov 1995 03:48:13 -0800 (PST)
Received: (from shaver@localhost) by neon.ingenia.com (8.6.12/8.6.9) id GAA06724; Wed, 1 Nov 1995 06:52:16 -0500
From: Mike Shaver
Message-Id: <199511011152.GAA06724@neon.ingenia.com>
Subject: Re: What about the next 20 Java-like applications? ( was Re: Java):
To: ajack@corp.micrognosis.com (Adam Jack)
Date: Wed, 1 Nov 1995 06:52:16 -0500 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Adam Jack" at Nov 1, 95 06:18:51 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Adam Jack mumbled something vague about:
> On Wed, 1 Nov 1995, Mike Shaver wrote :
> Fine - then it isn't a Java issue - and the risk is contained by only
> allowing write to a directory decided by the firewall manager.
> If there
> is no possibility to do this - then write is disallowed.

Under HotJava/Netscape, only applets loaded from the "local" filesystem can access the filesystem. Network-loaded ones can't do jack, which is, IMHO, the way to do things.

> (For what it is
> worth, and I only browsed the documentation, there isn't any mechanism in
> Java to set file permissions.)

I think you're right. It might be available through some mucking with the file I/O classes, but I don't recall seeing a way.

> However - this is consistent w/ my mumbled point. This thing is out
> (and prolific) and it needs to be dealt w/ with reasoning. Agreed
> - Sun did a dirty by piggybacking HTTP - but any marketing savvy
> organisation would do that. Things, like Java, can gain more
> momentum long before they have been analyzed by the field. (I
> guess sendmail is an example ;-)

Sun didn't really pick HTTP... you can (and I have) used FTP to load applets on a web page. Or gopher. Or.... HTTP is used in most cases because that's the most common way of transporting HTML, in which is embedded the magic tag that makes it all work.

Sun provided HotJava as a means of demonstrating the features of its new toy, java. These features included architecture-neutral bytecode, secure execution of potentially untrusted code, and dynamic loading, among others. HotJava doesn't define the limits of java any more than Netscape defines the limits of HTML. It uses the technology, but if people have a problem with executable content, they shouldn't confuse it with having a problem with java.

I'm confident enough in Sun's implementation of java and the security mechanisms that I let my users run HotJava inside our 'wall. In fact, I'm encouraging them to develop applications with java instead of CGI, since it requires no access to servers, etc., and IMHO the applets operate in a more secure context. YMMV, of course.
My confidence in the implementation comes from the reputation of Sun as a corporation and from my own perusal of the source.

> Compared to the known holes of NFS - HotJava might be considered
> safe. Compared to Word Macros in e-mail - safe. Compared to FTP
> - unsafe. But where in that range does it sit?

Depends on how secure you're making the other protocols at your site. NFS over encrypted IP might be more secure than HotJava. A mis-configured ftpd could be thousands of times worse than HotJava. I figure I'm a lot more likely to be burned by a sendmail hole or a library bug or bad IP fragment handling or whatever than I am by a malicious applet, so I'm not losing anything by allowing HotJava to run (with the appropriate security modes) internally.

And then we're back to the policy issue... personally, I'd rather have a user load an applet from the network and have it run with the restrictions than FTP it and run it without them.

> I made the term up on the spot - so no surprises. My point was that these
> individuals were already occupied and unlikely to be in a position to
> trust N new technologies per day. Incremental earning of trust is OK
> when technologies grow incrementally ... like Netscape ;-) ?

But if people aren't going to trust Sun, Netscape, etc., who's to say that they'll trust the One True Certification Authority? _That_ trust has to be built incrementally...

Mike
--
#> Mike Shaver (shaver@ingenia.com) Ingenia Communications Corporation <#
#> UNIX medicine man -- dark magick, cheap! <#
#> <#
#> When the going gets tough, the tough give cryptic error messages. <#
#> "We believe in rough consensus and running code."
<#

From firewalls-owner Wed Nov 1 05:52:57 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id FAA29209 for firewalls-outgoing; Wed, 1 Nov 1995 05:37:36 -0800 (PST)
Received: from gauntlet-1.trusted.com (gauntlet-1.trusted.com [192.94.214.88]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id FAA29201 for ; Wed, 1 Nov 1995 05:37:33 -0800 (PST)
Received: by gauntlet-1.trusted.com; id IAA20267; Wed, 1 Nov 1995 08:39:29 -0500
Message-Id: <199511011339.IAA20267@gauntlet-1.trusted.com>
Received: from vanidor.tis.com(192.94.214.98) by gauntlet-1.trusted.com via smap (g3.0.3) id xmah20224; Wed, 1 Nov 95 08:38:57 -0500
X-Sender: avolio@gauntlet-1.trusted.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 01 Nov 1995 09:30:56 -0500
To: Benoit Dicaire , Firewalls@greatcircle.com
From: Frederick M Avolio
Subject: Re: TIS implementation question
Cc: Mike.Jones@aule-tek.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:20 AM 10/31/95 -0500, Benoit Dicaire wrote:
>Mike Jones wrote :
>
>>I'm trying to make an estimate of how long it would take to have a
>>reasonably competent engineer get and set up the TIS toolkit on a SunOS
>>4.1.4 system. I'd appreciate it if anyone who has done this could give
>>me a ballpark figure.
>
>Okay, let's define some stuff first :
>
>Reasonably competent engineer : someone who knows *well* the platform
>he wants to use for the firewall. Good knowledge of TCP/IP, read Cheswick &
>Bellovin book and read the list for more than two months.
>
>Setup a firewall (technical side) : install the core module of TIS and several
>modules from public domain. Write scripts to automate things, parse logs, etc ...

You left out modifying the operating system source code or configuring routers to take care of the things that the FWTK proxies do not.
From firewalls-owner Wed Nov 1 06:23:16 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id FAA29189 for firewalls-outgoing; Wed, 1 Nov 1995 05:33:41 -0800 (PST)
Received: from interlock.reston.ans.net (interlock.reston.ans.net [192.77.167.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id FAA29182 for ; Wed, 1 Nov 1995 05:33:36 -0800 (PST)
Received: by interlock.reston.ans.net id AA14000 (InterLock SMTP Gateway 3.0 for firewalls@greatcircle.com); Wed, 1 Nov 1995 08:32:51 -0500
Message-Id: <199511011332.AA14000@interlock.reston.ans.net>
Received: by interlock.reston.ans.net (Internal Mail Agent-1); Wed, 1 Nov 1995 08:32:51 -0500
Date: Wed, 1 Nov 1995 08:32:50 +0500
From: sangster@reston.ans.net (Paul Sangster)
To: switzel@gwdg.de, firewalls@greatcircle.com
Reply-To: sangster@reston.ans.net
Subject: Re: tunneling using ssl ???
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In article <9510241511.AA01010@gwdu03.gwdg.de.ans-relay>, you write:
|> Is it possible to set up a gateway/firewall for tunneling replacing
|> the swIPe protocol by SSL? Should I do it? (It's just an idea, not
|> a project!)

FYI, SSL is a much higher layered protocol than swIPe. swIPe is intended for packet level encryption, so everything from TCP (or UDP) on up is protected. SSL is intended for just protecting application layer data.

Is there a reason you think that SSL will be more appropriate for your environment? If you're safely running swIPe right now, why mess with a good thing (except maybe to play catchup with IETF IPSEC protocols)?

Paul

|>
|> Stefan Witzel email: switzel@gwdg.de
|> Universitaet Goettingen / Stabsstelle DV fon: +49 551 394160
|> Gosslerstrasse 5/7 fax: +49 551 399612
|> 37073 Goettingen, Germany ----------------------
|>
____________________________________________________________________________
Paul Sangster ANS Senior Software Engineer 1875 Campus Commons Dr.
sangster@reston.ans.net Suite 220, Reston VA 22091 (703) 758-7706
____________________________________________________________________________

From firewalls-owner Wed Nov 1 06:32:49 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id FAA29327 for firewalls-outgoing; Wed, 1 Nov 1995 05:46:02 -0800 (PST)
Received: from balder.ssds.com (balder.ssds.com [204.131.72.62]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id FAA29320 for ; Wed, 1 Nov 1995 05:45:59 -0800 (PST)
Received: (from mail@localhost) by balder.ssds.com (8.6.9/8.6.9.SSDSnet-hub) id GAA25637; Wed, 1 Nov 1995 06:45:57 -0700
Received: from denver(134.127.16.1) by balder via smap (V1.3) id sma025635; Wed Nov 1 06:45:37 1995
Received: from baltimore.ssds.com (baltimore.ssds.com [134.127.34.1]) by denver.ssds.com (8.6.9/8.6.9.SSDSnet-hub) with ESMTP id GAA28202; Wed, 1 Nov 1995 06:45:35 -0700
Received: (from mam@localhost) by baltimore.ssds.com (8.6.9/8.6.9.SSDSnet-site) id IAA05137; Wed, 1 Nov 1995 08:45:33 -0500
Date: Wed, 1 Nov 1995 08:45:33 -0500 (EST)
From: Mike Malik -- Dover DE
X-Sender: mam@baltimore
To: Hal Pomeranz
cc: Mike Shaver , firewalls@GreatCircle.COM
Subject: Re: Java
In-Reply-To: <199511010241.VAA22828@tannis.netmarket.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> I'm very worried about Java, but all I hear are reassurances about
> memory protection and default security levels. I, for one, am not
> reassured.
>
> Hal Pomeranz
> <<< In no way speaking for my employer >>>
>
>

This is the point I was trying to get at. I mean how many times have the Vendors told us "trust us its secure" or "trust us they can't use that hole on our software" and how many times do we have to be bitten by the "string too long" hole before we learn.

Mike

( ( | ( Mike Malik (mam@ssds.com)
) ) (| ), inc.
9841 Broken Land Parkway,Suite 100 business driven
Columbia, MD 21046 technology solutions
410-381-4313 FAX: 410-381-2170
"as always my rants and raves are my own !"

From firewalls-owner Wed Nov 1 06:57:35 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id FAA29318 for firewalls-outgoing; Wed, 1 Nov 1995 05:45:27 -0800 (PST)
Received: from gatekeeper.ddp.state.me.us (gatekeeper.ddp.state.me.us [141.114.130.70]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id FAA29311 for ; Wed, 1 Nov 1995 05:45:23 -0800 (PST)
Received: from localhost by gatekeeper.ddp.state.me.us (8.6.5/1.37) id IAA26762; Wed, 1 Nov 1995 08:38:35 -0500
Date: Wed, 1 Nov 1995 08:38:34 -0500 (EST)
From: David Miller
Subject: Re: tool for IP-source-routed packets
To: Ken Hardy
cc: bret@real.com, firewalls@greatcircle.com
In-Reply-To: <199510311556.AA28131@ignatz.bridge.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 31 Oct 1995, Ken Hardy wrote:

> Per bret@real.com (Bret McDanel):
>
> >> This comes up from time to time. The BSD telnet will do it, meaning that
> >> you can get it from any of the BSD source archives. You're already using
> >> it with your FreeBSD, NetBSD, &c. (Don't know about Linux.)
> >>
> >> The trick is that it's not documented in the man page. The syntax is
> >> discernible from the source. It's something like "telnet @hop1@hop2:dest".
>
> >All failed because it tried to do a dns lookup on @hop1:dest (yes I used
> >real machine names :)
>
> Because those are not using the BSD telnet, I'd guess; wouldn't expect
> it of any except perhaps Linux. And/or the syntax is not exactly what
> I wrote (as I implied was possible.)

Your syntax worked on my bsdi system. So did @host1@host2@dest. Note the final '@' rather than ':'. Perhaps that would confuse some telnets?
>
> Using the proper telnet, how can I use tcpdump or etherfind or snoop to
> determine whether it's actually source routing?? I'm not seeing what I
> expect to see (and suspect my expectations).

Look at the packets coming from the source. They should have TCP option 137 set for loose source routing and the hops specified in the @hop1@hop2 should be in the header as well.

--- David Miller
----------------------------------------------------------------------------
It's *amazing* what one can accomplish when one doesn't know what one can't do!

From firewalls-owner Wed Nov 1 07:17:19 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id FAA29006 for firewalls-outgoing; Wed, 1 Nov 1995 05:27:59 -0800 (PST)
Received: from interlock.reston.ans.net (interlock.reston.ans.net [192.77.167.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id FAA28998 for ; Wed, 1 Nov 1995 05:27:54 -0800 (PST)
Received: by interlock.reston.ans.net id AA13962 (InterLock SMTP Gateway 3.0 for firewalls@greatcircle.com); Wed, 1 Nov 1995 08:26:57 -0500
Message-Id: <199511011326.AA13962@interlock.reston.ans.net>
Received: by interlock.reston.ans.net (Internal Mail Agent-1); Wed, 1 Nov 1995 08:26:57 -0500
Date: Wed, 1 Nov 1995 08:26:55 +0500
From: sangster@reston.ans.net (Paul Sangster)
To: jna@echonyc.com (jna, who else?), firewalls@greatcircle.com
Reply-To: sangster@reston.ans.net
Subject: Re: A note on java...
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In article , you write:
|> >On Oct 24, 10:45am, Scott Barman wrote:
|> >>
|> >> Since RealAudio refuses to let people see the protocols and analyze the
|>
|> I don't see their reasoning... Anyone can run a sniffer on their network
|> and analyze the protocol. Since when can another company make looking at
|> your OWN NETWORK illegal?
|>

It's not always that simple to reverse engineer the context of the bits that you see on the sniffer.
Even when possible (like for RealAudio) you have to understand how the different connections interrelate. Fortunately, this won't be necessary because the RealAudio folks have decided to work with firewall vendors and are scheduled to present their new proxyable protocol at the NCSA Firewall Vendors meeting later this week. I have a copy of their spec (marked confidential), so they are trying to open up enough that this issue can be addressed. They deserve a lot of credit for the change of position, even though it took some prodding from firewall vendors (like us.)

Paul
____________________________________________________________________________
Paul Sangster ANS Senior Software Engineer 1875 Campus Commons Dr.
sangster@reston.ans.net Suite 220, Reston VA 22091 (703) 758-7706
____________________________________________________________________________

From firewalls-owner Wed Nov 1 07:22:56 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id GAA01389 for firewalls-outgoing; Wed, 1 Nov 1995 06:52:58 -0800 (PST)
Received: from tuna.wang.com (tuna.wang.com [150.124.136.4]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id GAA01364 for ; Wed, 1 Nov 1995 06:52:52 -0800 (PST)
Received: from mail.wangfed.com (ns.wangfed.com [159.94.10.19]) by tuna.wang.com (8.6.12/8.6.12tf1) with SMTP id JAA21649 for ; Wed, 1 Nov 1995 09:52:53 -0500
Received: from [159.94.10.15] by mail.wangfed.com (1.37.109.4/A.09.00a) id AA13532; Wed, 1 Nov 95 09:45:52 -0600
Received: from [159.94.14.48] by hfsi (BULL 5.61++/B.O.S 02.01) id AA07741; Wed, 1 Nov 95 09:43:32 -0500
Date: Wed, 1 Nov 95 09:43:32 -0500
Message-Id: <9511011443.AA07741@hfsi>
From: "K Goertzel"
Reply-To: "K Goertzel"
To: Firewalls@GreatCircle.COM
Subject: Anyone know about this URL?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have been trying, without success ("Connection Refused") to access a set of URLs that begin:

http://ibd.ar.com/lists/comp/firewalls/*

Does anyone know about these URLs? Do you know of some reason why my connection would continually be refused? Has the URL moved, without leaving a forwarding address?

Any help would be appreciated, as the set of URLs I'm trying to reach contains a discussion of implementing firewalls on multilevel secure hosts, a topic in which I'm extremely interested.

Karen Goertzel
goertzek@wangfed.com

From firewalls-owner Wed Nov 1 07:53:42 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id GAA00651 for firewalls-outgoing; Wed, 1 Nov 1995 06:47:27 -0800 (PST)
Received: from hosaka.smallworks.com (hosaka.SmallWorks.COM [192.207.126.1]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id GAA00644 for ; Wed, 1 Nov 1995 06:47:22 -0800 (PST)
Received: from steve.smallworks.com by hosaka.smallworks.com (5.x/SMI-SVR4) id AA17040; Wed, 1 Nov 1995 08:47:22 -0600
Date: Wed, 1 Nov 1995 08:47:22 -0600
Message-Id: <9511011447.AA17040@hosaka.smallworks.com>
X-Sender: steve@smallworks.com
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls
From: jim (Jim Thompson) (by way of Steve Bagwell )
Subject: soon to be available
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We failed to mention that 1st qtr. 96 we will be offering an interview type GUI as an optional item. Please call ph512-338-0619 or email if you have further questions. (Steve is the sales guy, Jim is our principal engineer; please contact either one of us for help)

Steve Bagwell

>
>
>Now that I've determined that buying a firewall may just be the way to go, I'd
>like all those firewall product representatives out there reading the list to
>duke it out and see which one will fit our needs.
>So, I've made up a little
>survey which you representatives can fill out (or others, if you feel a need to
>advocate a particular solution) I will summarize on a web page for others
>reference purposes.
>
>==BEGIN==

Product Name: NetGate
Informational URL: http://www.smallworks.com
Pricing URL: http://www.smallworks.com:80/netgate/price.html
Pricing Info: Binary distribution: $2500 US, Source distribution: $5000 US
Features: low cost packet filter
Standard Services (proxies, standalone): SmallWorks' NetGate firewall security software is a rule-based packet filtering and routing package for administering TCP/IP networks. NetGate performs filtering, logging and forwarding on networks or subnetworks of TCP/IP based computers. In addition to allowing configuration and management of the packet forwarding via a rules database, NetGate can filter datagrams on source or destination and provide statistics and audit information to help protect your network gateway from hostile attacks.
Degree of User Configuration allowed (eg, can I add new services easily): yes
Management Methods (gui, command line, etc): Config file.
Comments:

>==END==
>
>
>Thanks!
>
>
>--
>- Matthew E Cable / Systems Administrator / Internet Technologies Group, Inc.
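An added example, not code from NetGate, BSD telnet or any poster on this thread; it serves two passages above: David Miller's reply on checking captured packets for the source-route option, and the NetGate description of a rule-based filter that matches datagrams on source or destination. Per RFC 791 the source-route options are IP header options (not TCP options): type 131 is loose source and record route (LSRR) and type 137 is strict source and record route (SSRR); BSD telnet's @hop syntax requests loose source routing unless told otherwise. The parser below walks the IPv4 option list, reports any LSRR/SSRR option with its pointer and hop list, and runs an ordered rule set whose first rule drops anything source-routed. The packet bytes, addresses, rule set and the `build_packet`/`lsrr_option` helpers are constructed for this example.

```python
"""IPv4 option walker plus a small ordered packet-filter rule set.

Added example for this thread; not code from NetGate, BSD telnet or any
list member. Option type numbers are from RFC 791. All packets, addresses
and rules below are constructed for the example.
"""
import ipaddress
import struct

EOL, NOP = 0, 1
LSRR = 131   # loose source and record route (RFC 791, type 0x83)
SSRR = 137   # strict source and record route (RFC 791, type 0x89)


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed header and return fields plus [(option_type, data), ...]."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    vihl, _tos, _tlen, _id, _frag, _ttl, proto, _cksum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad version or IHL")
    options, opts, i = [], pkt[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:
            break
        if kind == NOP:            # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        options.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "options": options}


def source_route_hops(hdr: dict):
    """Return (option_type, pointer, [hop, ...]) for the first LSRR/SSRR option, else None."""
    for kind, data in hdr["options"]:
        if kind in (LSRR, SSRR) and data:
            pointer, route = data[0], data[1:]   # pointer is relative to option start; minimum 4
            hops = [str(ipaddress.IPv4Address(route[j:j + 4]))
                    for j in range(0, len(route) // 4 * 4, 4)]
            return kind, pointer, hops
    return None


# Ordered rules (constructed); first match wins, anything unmatched is dropped.
# "source_routed": True restricts a rule to packets carrying LSRR/SSRR.
RULES = [
    {"src": "0.0.0.0/0", "dst": "0.0.0.0/0", "source_routed": True, "action": "drop"},
    {"src": "192.0.2.0/24", "dst": "198.51.100.0/24", "action": "allow"},
]


def filter_packet(pkt: bytes, rules=RULES):
    """Return (action, rule_index); rule_index is -1 for the default deny."""
    hdr = parse_ipv4(pkt)
    routed = source_route_hops(hdr) is not None
    src, dst = ipaddress.IPv4Address(hdr["src"]), ipaddress.IPv4Address(hdr["dst"])
    for n, rule in enumerate(rules):
        want = rule.get("source_routed")
        if want is not None and want != routed:
            continue
        if src in ipaddress.IPv4Network(rule["src"]) and dst in ipaddress.IPv4Network(rule["dst"]):
            return rule["action"], n
    return "drop", -1


def lsrr_option(hops, strict=False) -> bytes:
    """Build a source-route option: type, length, pointer (4 = first hop), then the hops."""
    route = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return bytes([SSRR if strict else LSRR, 3 + len(route), 4]) + route


def build_packet(src, dst, options=b"", proto=6) -> bytes:
    """Constructed IPv4 header (checksum left zero) with options padded to 32 bits."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    head = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 1, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return head + options


# Constructed sample packets: one plain, one carrying a two-hop LSRR option.
PLAIN = build_packet("192.0.2.10", "198.51.100.5")
ROUTED = build_packet("192.0.2.10", "198.51.100.5",
                      lsrr_option(["203.0.113.1", "203.0.113.2"]))

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("routed", ROUTED)):
        print(name, source_route_hops(parse_ipv4(pkt)), filter_packet(pkt))
```

Run against bytes captured with tcpdump or snoop, the hop list from `source_route_hops` is what should match the hosts given in the `@hop1@hop2@dest` argument; the `source_routed` rule placed first means a source-routed packet is dropped even when its addresses would otherwise be allowed.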
From firewalls-owner Wed Nov 1 08:24:39 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id GAA29734 for firewalls-outgoing; Wed, 1 Nov 1995 06:15:41 -0800 (PST)
Received: from interlock.reston.ans.net (interlock.reston.ans.net [192.77.167.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id GAA29718 for ; Wed, 1 Nov 1995 06:15:23 -0800 (PST)
Received: by interlock.reston.ans.net id AA14252 (InterLock SMTP Gateway 3.0 for firewalls@greatcircle.com); Wed, 1 Nov 1995 09:14:46 -0500
Message-Id: <199511011414.AA14252@interlock.reston.ans.net>
Received: by interlock.reston.ans.net (Internal Mail Agent-1); Wed, 1 Nov 1995 09:14:46 -0500
Date: Wed, 1 Nov 1995 09:14:41 +0500
From: sangster@reston.ans.net (Paul Sangster)
To: lresch@relay.nswc.navy.mil, firewalls@greatcircle.com
Reply-To: sangster@reston.ans.net
Subject: Re: PC vs Workstation Firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In article <9510261248.AA05515@oanews.ans-relay>, you write:
|>
|> I have been reading discussions on the pros & cons of using a
|> PC vs a 'real' workstation for the firewall. My long-winded
|> question is Should I even consider using a PC for a firewall
|> system (in particular with Gauntlet) or will it get bogged down?
|> My plans are to have a Cisco - Gauntlet - Cisco config protecting
|> my internal network and use the Gauntlet as a proxy server (for
|> the internal users to have Telnet, FTP, and maybe web browsing) and
|> to let in mail to my SMTP gateway inside.

Larry,

The answer to your question is a resounding "it depends on your traffic mix, distribution and load". Answering these types of performance-related issues is difficult for anyone without knowing (at least) how much e-mail and HTTP transactions will occur at peak load, how often large data files will be ftp'ed, and are you talking about hundreds of concurrent telnet session during all this other stuff.
From my experience, the protocols that will most quickly kill a box are those that require lots of processes to handle the load, due to the load of process creates/deletes and context switches required. Then heavy loads of big file transfers and encryption will stress your CPU and networking code (got enough mbuf space for the interfaces?). As you can tell there's lots of issues here.

|>
|> Thanks for any/all advice.
|>

My advice (since you asked ;-)) is why plan for today's load when you know that tomorrow's will be much greater (particularly web use). Smaller machines (like PCs and low-end workstations) can become overwhelmed by very heavy web use, or very heavy mail use particularly if other protocols are also being stressed. Bottom line is you need to understand and quantify your traffic needs for tomorrow (peak time) and let that dictate the decision.

Paul

|> <>----------------------------------------------------<>
|> <> Larry Resch <>
|> <> lresch@relay.nswc.navy.mil <>
|> <> <>
|> <> My thoughts are mine alone, and do not necessarily <>
|> <> reflect the thoughts of those for whom I work. <>
|> <>----------------------------------------------------<>
--
____________________________________________________________________________
Paul Sangster ANS Senior Software Engineer 1875 Campus Commons Dr.
sangster@reston.ans.net Suite 220, Reston VA 22091 (703) 758-7706
____________________________________________________________________________

From firewalls-owner Wed Nov 1 08:48:47 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id GAA00364 for firewalls-outgoing; Wed, 1 Nov 1995 06:40:06 -0800 (PST)
Received: from gmap-gw.leeds.ac.uk (gmap15.leeds.ac.uk [129.11.84.200]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id GAA00348 for ; Wed, 1 Nov 1995 06:39:55 -0800 (PST)
Received: from gmap3 (gmap-mailhub.leeds.ac.uk [129.11.200.3]) by gmap-gw.leeds.ac.uk (8.6.12/8.6.9) with ESMTP id OAA22968 for ; Wed, 1 Nov 1995 14:15:15 GMT
Received: from gmap.leeds.ac.uk (dannyc@gmap124 [129.11.200.124]) by gmap3 (8.6.12/8.6.9) with SMTP id MAA08854 for ; Wed, 1 Nov 1995 12:03:17 GMT
From: Danny Cox
Date: Wed, 1 Nov 1995 11:57:54 GMT
Message-Id: <938.9511011157@gmap.leeds.ac.uk>
X-Planation: X-Faces images can be viewed with the XFaces program
To: firewalls@greatcircle.com
Subject: screened host/subnet fws
X-Sun-Charset: US-ASCII
X-Face: (:_YnQcTM$q\Nl0.mYy:C'Y|(;&7.2m~Rc%xt; Wed, 1 Nov 1995 07:59:39 -0800 (PST)

Received: by gateway.damark.com; id JAA00726; Wed, 1 Nov 1995 09:33:50 -0600
Received: from unknown(172.31.254.231) by gateway.damark.com via smap (g3.0.1) id sme000724; Wed, 1 Nov 95 09:33:33 -0600
Received: by damark.com (5.65/1.2-eef) id AA18505; Wed, 1 Nov 95 09:32:08 -0600
Message-Id: <9511011532.AA18505@damark.com>
From: "william.wells"
To: FIREWALLS
Subject: Re: Java
Date: Wed, 01 Nov 95 09:34:00 CST
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

To what Mike Shaver and Hal Pomeranz say, I add at the end:
----------------------------------------------------------------------------
--
Hal Pomeranz mumbled something vague about:
> } 1) An applet running under the default security mode has _no_ access
> } to the filesystem, read, write or other.
>
> This is the crux of the issue.
> Given the lack of a centralized
> security configuration file for Java run-time binaries, security
> policy discretion is left to each and every individual in your
> organization-- this can only lead (at least in some instances) to bad
> security policy decisions.

...

If you're trying to prevent _malicious_ users from mangling your network resources, then the solution to the "java problem" is a bonus for solving the original problem: malicious people shouldn't have access to sensitive resources.

...

User: "I need to give this applet access to the filesystem."
You: "Why?"
User: "It needs to write a high-score file."
You: "Let me see the source." || "Run it as this unprivileged user." || "It shouldn't have to touch our filesystems." || ...

...

It sounds like you're worried about your users intentionally perforating your security mechanisms, in which case it's not java you have to fear...

--- My comments follow

My concern isn't UNIX users but the PC users. Since there are no security mechanisms on a PC, there isn't anything to prevent access to files; including scripts which run every time a PC boots. You say the default mode is "no access", is that true on a PC?

So the applet runs and twiddles files on a PC, is that a problem? In some cases 'no'. But in others, because of the server data that person legitimately has access to, 'yes'. I can have policies against bringing in diskettes from home and people pretty much understand the rationale behind them. It's harder to have a policy that says that you can't browse any URL which runs applets; especially since I'm not sure that one can tell the URL has applets.

I have hundreds of PCs running which have been tightened to the point that our resident hackers have extreme problems accessing anything other than selected canned Windows applications (yes, you can achieve that but it takes work).
The thought of some application which appears to be benign having the capability of diddling with any file unexpectedly (or even under explicit user control as in a "Save as" menu) bugs me immensely. I manage those hundreds of PCs remotely through PC scripts and applications and I'm very aware of how easy it is to hijack a PC through script modification. Since I've been able to easily lock down a PC running Windows (not 95) so that it functions more as a dedicated entry terminal with great graphics, I feel it would be only slightly more complicated to hijack a PC running Windows with a 'spy' program to report information somewhat invisibly and restart the program when Windows starts up again.

I'm less concerned about someone writing an applet to bash a PC than I am with someone writing an applet to gather information and mail the results back or change the .INI files to start a 'spy' program next time (I wouldn't be concerned about someone discovering my changes: how many users look at or understand their .INI files?).

These concerns aren't limited to Java; from the writings about Java though, it seems like Java may be the golden apple which can't be refused by my users.

After hearing all of the discussions for some months about Java, it seems like the basic concern is that Java appears to allow someone outside your organization to 'execute' a foreign program on internal systems and, worse, may provide a means for that program to affect the behavior of the internal systems beyond the scope of a "normal" program. From a non-user's perspective, Java appears to be a 'blessed' virus.

William Wells
Manager, Technical Support
Damark International, Inc

The opinions are mine and, having not knowingly run any Java program, may not be based in reality.
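William Wells's worry above is a program that edits the .INI files so a 'spy' program restarts with Windows. The check an administrator of many locked-down Windows 3.x PCs would want is a baseline comparison of exactly those startup hooks; the example below is added here and is not code from any poster. It relies on two facts about Windows 3.x: the `load=` and `run=` keys in the `[windows]` section of WIN.INI name programs started when Windows starts, and `shell=` in the `[boot]` section of SYSTEM.INI names the shell. The INI contents, the baseline and the `spy.exe` path are constructed for the example; the function takes the concatenated text of both files.

```python
"""Baseline check for Windows 3.x startup hooks in WIN.INI and SYSTEM.INI.

Added example for this thread, not code from any poster. WIN.INI [windows]
load= and run= list programs started with Windows; SYSTEM.INI [boot] shell=
names the shell. The INI texts and baseline below are constructed.
"""
import re

# (section, key) pairs that start a program when Windows starts.
STARTUP_KEYS = (("windows", "load"), ("windows", "run"), ("boot", "shell"))


def parse_ini(text: str) -> dict:
    """Return {(section, key): value}; section and key lower-cased, last value wins."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" in line and section is not None:
            key, value = line.split("=", 1)
            entries[(section, key.strip().lower())] = value.strip()
    return entries


def startup_programs(entries: dict) -> dict:
    """Map each startup hook to the list of programs it launches."""
    found = {}
    for section, key in STARTUP_KEYS:
        value = entries.get((section, key), "")
        # load= and run= hold a space/comma separated list; shell= holds one program.
        found[(section, key)] = [p for p in re.split(r"[\s,]+", value) if p]
    return found


def diff_startup(baseline_text: str, current_text: str) -> list:
    """Return [(section, key, program)] for hooks present now but absent from the baseline."""
    base = startup_programs(parse_ini(baseline_text))
    cur = startup_programs(parse_ini(current_text))
    added = []
    for section, key in STARTUP_KEYS:
        known = {p.lower() for p in base[(section, key)]}
        for prog in cur[(section, key)]:
            if prog.lower() not in known:
                added.append((section, key, prog))
    return added


# Constructed baseline: WIN.INI and SYSTEM.INI concatenated, as shipped to the PCs.
BASELINE = r"""
; WIN.INI
[windows]
load=
run=
[Desktop]
Wallpaper=(None)
; SYSTEM.INI
[boot]
shell=progman.exe
"""

# Constructed: the same PC after an unwanted edit that adds a startup program.
TAMPERED = r"""
; WIN.INI
[windows]
load=c:\windows\spy.exe
run=
[Desktop]
Wallpaper=(None)
; SYSTEM.INI
[boot]
shell=progman.exe
"""

if __name__ == "__main__":
    for section, key, prog in diff_startup(BASELINE, TAMPERED):
        print(f"unexpected startup program: [{section}] {key}={prog}")
```

The comparison is case-insensitive because DOS paths are, and it reports only additions: a program removed from `load=` is an operational problem, not the hijack the post describes.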
From firewalls-owner Wed Nov 1 09:23:56 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA05544 for firewalls-outgoing; Wed, 1 Nov 1995 08:46:07 -0800 (PST)
Received: from wsj2 (wsj2.wsj.dowjones.com [143.131.186.5]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id IAA05522 for ; Wed, 1 Nov 1995 08:45:58 -0800 (PST)
Received: by wsj2 (5.0/SMI-SVR4) id AA19345; Wed, 1 Nov 1995 11:32:17 -0500
>Received: from dscott.eng.dowjones.com by eng.dowjones.com (5.x/SMI-SVR4) id AA11475; Wed, 1 Nov 1995 11:49:32 -0500
Received: from dowjone by wsj2.wsj.dowjones.com; Wed, 1 Nov 1995 11:32 EST
Received: from dscott.eng.dowjones.com by eng.dowjones.com (5.x/SMI-SVR4) id AA11475; Wed, 1 Nov 1995 11:49:32 -0500
Received: by dscott.eng.dowjones.com (4.1/SMI-4.1) id AA05625; Wed, 1 Nov 95 11:44:11 EST
Date: Wed, 1 Nov 95 11:44:11 EST
From: dscott@eng.dowjones.com (Dave Scott)
Message-Id: <9511011644.AA05625@dscott.eng.dowjones.com>
To: firewalls@greatcircle.com
Subject: Exporting a Gauntlet Firewall
Cc: dscott@eng.dowjones.com
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all,

I need to have a Gauntlet in Europe... I can buy it through a German
reseller (for a lot more money) and get full maintenance & support, etc. Or
I can buy it here, configure and test it here, etc. and ship it out to
Europe - but I won't get the support.

It would be good to buy it here in the U.S. so I can configure and test it
in the lab - the support issue will be handled by management.

I'd like to know whether, other than having no encryption capabilities,
there are any other gotchas I have to worry about for the PC version of the
Gauntlet? Anything involving DES for Unix passwords?

Thanks for any info,

Dave Scott

From firewalls-owner Wed Nov 1 10:20:30 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA05486 for firewalls-outgoing; Wed, 1 Nov 1995 08:45:06 -0800 (PST)
Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id IAA05465 for ; Wed, 1 Nov 1995 08:44:47 -0800 (PST)
Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id LAA14890; Wed, 1 Nov 1995 11:17:05 -0600
Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id LAA14886; Wed, 1 Nov 1995 11:17:04 -0600
Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id KAA00827; Wed, 1 Nov 1995 10:45:04 -0600 (CST)
Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id KAA29804; Wed, 1 Nov 1995 10:45:04 -0600
From: Rick Smith
Message-Id: <199511011645.KAA29804@shade.sctc.com>
Subject: Re: Email and FTP virus protection
To: njb@knoware.nl (Niels Bjergstrom)
Date: Wed, 1 Nov 1995 10:45:04 -0600 (CST)
Cc: smith@sctc.com, firewalls@greatcircle.com
In-Reply-To: <199511010103.CAA29095@utrecht.knoware.nl> from "Niels Bjergstrom" at Nov 1, 95 02:03:23 am
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I wrote:
> >Behavior blocking is a wonderful concept. I've seen the technique
> >succeed (it's the essence of type enforcement) and I've seen it fail
> >on workstations where the behavioral profile poorly matched the
> >application.

Niels responded:
> I don't think that is a fault inherent to the technique. There are, however,
> many ways to define the behavioural profile, and a number of
> economy/security trade-offs are as usual involved.
> On small networks it is quite cheap and manageable to define general rules
> combined with workstation-specific rules for software behaviour. We are in
> the side of intrusion detection concerned with detecting attacks on known
> weak spots.

Type Enforcement takes the opposite tack. Instead of saying "Restrict
behavior V because it is used by attack W," it says "Restrict behavior V
because program X doesn't need it." In other words, use the concept of
least privilege to prevent _and_ detect whole classes of attacks. The other
approach is reactive, and that leaves openings for future attacks. Type
Enforcement blocks attacks proactively and detects behavior marked as
aberrant. So even if you didn't fully block the attack, you at least get a
real time warning.

Traditionally we've deployed Type Enforcement as a form of mandatory access
control, and I'm not entirely sure how good of a countermeasure it is on a
platform without a protected kernel (MSDOS, Mac). Perhaps it's better than
nothing. Clearly, checksum and virus signature based countermeasures have
similar vulnerabilities since they aren't protected from integrity attacks
either.

Rick.
smith@sctc.com          secure computing corporation

From firewalls-owner Wed Nov 1 10:33:05 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA05254 for firewalls-outgoing; Wed, 1 Nov 1995 08:37:37 -0800 (PST)
Received: from Disclosure.COM ([205.156.194.11]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id IAA05242 for ; Wed, 1 Nov 1995 08:37:33 -0800 (PST)
Received: by Disclosure.COM (4.1/SMI-4.1) id AA29911; Wed, 1 Nov 95 11:39:32 EST
Date: Wed, 1 Nov 1995 11:39:32 -0500 (EST)
From: Scott Barman
To: Jonny Llama
Cc: firewalls@greatcircle.com
Subject: Re: Attacks on ports 1392 and 1395?
In-Reply-To: <199511010122.UAA08159@randomc.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

There was a discussion at one time as to when to report problems to CERT
and when to wait. I am bringing this up because this was a case of when to
wait and check things out before running.

A few days ago I wrote:
> > Why would anyone want to attack a system on ports 1392 and 1395? And I
> > am not talking about a port scan either. There were repeated attempts
> > on these ports (especially 1392) and I am wondering what they're for?

This was triggered when we received a note from CERT saying that our
bastion host was trying to access someone on ports 1392 and 1395. Of course
we took this seriously. The administrator and I combed the system looking
for any evidence of a problem. We plugged a few holes but did not notice
anything major. Then again a good hacker may know how to cover his/her
tracks. I looked up the two ports in RFC 1700 and posted my message to the
list, hoping to figure out what someone could have been trying. I got the
following response.

Then, on Tue, 31 Oct 1995, Jonny Llama wrote:
> Is pcnfs run on any of your machines? looks like an older, more obscure
> attempt at exploiting the bugs in it.

I would like to thank Mr. Llama, the only person to respond. However, we
are not running NFS or PC-NFS, nor are we running any RPC-based services on
the machine.

Upon further review by the people who made the inquiry and CERT, it was
discovered that the probes were not break-in attempts but an attempt by our
ftp server to respond to a PORT/RETR combo. It was the ftp client that
assigned ports 1392 and 1395 for the transfer. When our server went to
connect, the requests were blocked at their router, which set off that
site's security alarms. Later in the day, we received a note from CERT
informing us it was a false alarm and of the router configuration problem.
The note told us about the router misconfiguration and the author was very
apologetic for the trouble this might have caused.

MORAL OF THE STORY: Please check your configuration and what your people
are doing first before giving us, and anyone else, a heart attack! We had
visions of the system being used as a haven for hackers! :-)

scott barman
--
scott barman              DISCLAIMER: I speak to anyone who will listen,
scott@disclosure.com      and I speak only for myself.
barman@ix.netcom.com

"I don't know if security explains why the Win95 support Web servers run
BSDI 2.0--an Intel-based Unix--rather than Windows NT, which Microsoft
insists is the ideal Web software solution. Does Redmond know something we
don't know?"
-Robert X. Cringely, INFOWORLD, 9/11/95

From firewalls-owner Wed Nov 1 10:46:45 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id KAA08391 for firewalls-outgoing; Wed, 1 Nov 1995 10:18:17 -0800 (PST)
Received: from uu2.psi.com (uu2.psi.com [128.145.228.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id KAA08378 for ; Wed, 1 Nov 1995 10:18:11 -0800 (PST)
Received: by uu2.psi.com (5.65b/4.0.940727-PSI/PSINet) via UUCP; id AA09165 for ; Wed, 1 Nov 95 13:03:51 -0500
Received: from samadams.aule-tek.com (samadams.ARPA) by aule-tek.com (4.1/3.2.083191-Aule-Tek Inc.) id AA04347; Wed, 1 Nov 95 12:42:24 EST
Received: by samadams.aule-tek.com (5.x/SMI-SVR4) id AA05343; Wed, 1 Nov 1995 12:37:36 -0500
Date: Wed, 1 Nov 1995 12:37:36 -0500
From: Mike.Jones@aule-tek.com (Mike Jonesa)
Message-Id: <9511011737.AA05343@samadams.aule-tek.com>
To: lresch@relay.nswc.navy.mil, firewalls@greatcircle.com, sangster@reston.ans.net
Subject: Re: PC vs Workstation Firewall
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

lresch@relay.nswc.navy.mil writes...
> In article <9510261248.AA05515@oanews.ans-relay>, you write:
> |> I have been reading discussions on the pros & cons of using a
> |> PC vs a 'real' workstation for the firewall. My long-winded
> |> question is Should I even consider using a PC for a firewall
> |> system (in particular with Gauntlet) or will it get bogged down?
> |> My plans are to have a Cisco - Gauntlet - Cisco config protecting
> |> my internal network and use the Gauntlet as a proxy server (for
> |> the internal users to have Telnet, FTP, and maybe web browsing) and
> |> to let in mail to my SMTP gateway inside.
>
> The answer to your question is a resounding "it depends on your
> traffic mix, distribution and load". Answering these types of performance
> related issues is difficult for anyone without knowing (at least) how much
> e-mail and HTTP transactions will occur at peak load, how often large data
> files will be ftp'ed, and are you talking about hundreds of concurrent
> telnet sessions during all this other stuff.

Actually, I think there's another issue to consider. If you get, for
example, a firewall that runs on a Sun, you can purchase maintenance for
it. That means that if you lose a disk at 2am in a snowstorm in the middle
of January, the *Sun* guy gets to come out and replace the disk within 4
hours. Sure beats playing with PC hardware for my dollar. The same is true
of HP, SGI, IBM, etc., of course.

Mike Jones | jonesmd@aule-tek.com
I've been trying for some time to develop a lifestyle that doesn't require
my presence.
- Garry Trudeau

From firewalls-owner Wed Nov 1 10:53:47 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA07381 for firewalls-outgoing; Wed, 1 Nov 1995 09:49:39 -0800 (PST)
Received: from mlfire.ml.com (mlfire.ml.com [192.246.100.1]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id JAA07374 for ; Wed, 1 Nov 1995 09:49:35 -0800 (PST)
From: John_Reinke_at_NYTRP@pcmailgw.ml.com
Received: from commpost.ml.com ([146.125.4.24]) by mlfire.ml.com (8.6.12/8.6.12) with ESMTP id MAA14780 for ; Wed, 1 Nov 1995 12:49:37 -0500
Received: from pcmailgw.ml.com (unixccgw3.pcmailgw.ml.com [146.125.77.72]) by commpost.ml.com (8.6.12/8.6.12) with SMTP id MAA10914 for ; Wed, 1 Nov 1995 12:50:01 -0500
Received: from cc:Mail by pcmailgw.ml.com id AA815258525; Wed, 01 Nov 95 08:22:17 est
Date: Wed, 01 Nov 95 08:22:17 est
Encoding: 28 Text
Message-Id: <9510018152.AA815258525@pcmailgw.ml.com>
To: firewalls@greatcircle.com
Subject: Risk metric
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Author: Adam Jack at UNIXGTWY
>Date: 11/1/95 9:04 AM
> safe. Compared to Work Macros in e-mail - safe. Compared to FTP
> - unsafe. But where in that range does it sit?
>> Or proposals for rapid response certification bodies.
> I made the term up on the spot - so no surprises. My point was that these
> individuals were already occupied and unlikely to be in a position to

Adam makes an interesting case for a risk metric. Different industries may
wish to be at different points on the risk reward curve. If the metric was
probability of a loss greater than $100,000, then I could see brokerages
taking more risk than a bank.

The difficulty is assessing the a priori probabilities. Opponents of any
expenditure for security usually argue from "posterior" statistics (i.e.,
it hasn't happened; therefore it can't happen).
When the breach occurs, as it always does sooner or later (usually sooner
rather than later), the security officer is taken to task for not
presenting forceful enough arguments. So once again, you are damned if you
fight hard with the label "doesn't understand" and damned again when the
loss occurs with "unable to express the arguments for the position".

Perhaps risk metrics are a valid way to express it. What would be the
appropriate measurement applying this concept to firewalls? Mean time to
failure, estimated dollars lost, ...?

From firewalls-owner Wed Nov 1 10:56:02 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA06402 for firewalls-outgoing; Wed, 1 Nov 1995 09:15:21 -0800 (PST)
Received: from ace.cisco.com (ace.cisco.com [171.68.225.137]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id JAA06395 for ; Wed, 1 Nov 1995 09:15:16 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by ace.cisco.com (8.6.11/CA/950118) with SMTP id JAA16663; Wed, 1 Nov 1995 09:14:37 -0800
Message-Id: <199511011714.JAA16663@ace.cisco.com>
X-Authentication-Warning: ace.cisco.com: Host localhost didn't use HELO protocol
To: Hal Pomeranz
cc: Mike Shaver , mam@ssds.com (Mike Malik -- Dover DE), firewalls@greatcircle.com
Subject: Re: Java
In-reply-to: Your message of "Tue, 31 Oct 1995 21:41:24 EST." <199511010241.VAA22828@tannis.netmarket.com>
Zippy-Sez: I hope I bought the right relish... zzzzzzzzz...
Date: Wed, 01 Nov 1995 09:14:36 -0800
From: John Stewart
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-> How is this any different from the way life is today? After all,
-> there's plenty of source code out there that your users could compile
-> that is damaging from a security perspective. However, by
-> constructing my firewall properly, I can provide a safe "sandbox"
-> environment for users who unintentionally open security holes on their
-> machine, and guard and monitor against malicious internal users.

I don't know that I agree with you on this, given that many "properly
constructed firewalls" are port filtering. Just because you only let port
25 connect to this machine doesn't mean that machine is allowing SMTP only
on that port. Anyway...

-> The difference with Java, I think, is that Java isn't "interesting" to
-> most users unless it's used in the context of interacting with groups
-> outside of your organization-- so I can't build a wall around it.
-> Furthermore, Java applets "piggyback" themselves on protocols
-> (e.g. HTTP) which users demand as part of doing their day-to-day jobs
-> and which are easy for novice users to deal with-- so it's difficult
-> to keep the stuff from getting in. Add to this the fact that it's just
-> too damn easy to think of social engineering scenarios which would
-> encourage users to reduce security restrictions on the Java run-time
-> ("Gosh, my Java Monopoly(tm) applet requires filesystem access to
-> write to a high score file and network access to play against
-> other users").

I agree that this Java jumping on top of an existing HTTP is what causes
all the shudders in the security community, and I share them. I disagree
that the only reason for Java is so that groups can interact. This still
can be a 1-1 relationship that is profitable. Sadly tho, for the 1-1
relationship to hold true, the 1-many is potentially opened up. For
instance, if I wanted to run an applet to your browser which opened up the
configuration files from a router and told me perhaps what was wrong, that
would be great! However, in doing so, the applet needs filesystem access,
and that is terrible. There appear to be no controls in that regard.

-> I'm very worried about Java, but all I hear are reassurances about
-> memory protection and default security levels. I, for one, am not
-> reassured.

My concern is that given the already open communications paths for an HTTP
session, the quote "man in the middle" idea becomes a whole new problem.
Before "secure" communications, the amount of data to be learned from the
client was still minimal -- without say, asking the user in a form what the
root password was to their machine :) -- but you certainly couldn't "learn"
very much about their machine. When "secure" communications came along,
more sensitive data was passed, but it was rarely about the client, but
rather about credit information. Here comes Java; now, an applet can learn,
and tell, about the client machine and more. Where does this get stopped?
Did I miss something? What happens when Microsoft runs a software license
checker as an applet, and sends the entire configuration back to their
server?

My views are my own.
--john

From firewalls-owner Wed Nov 1 11:36:41 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id KAA09467 for firewalls-outgoing; Wed, 1 Nov 1995 10:50:50 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id KAA09458 for ; Wed, 1 Nov 1995 10:50:47 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950602) id KAA09590; Wed, 1 Nov 1995 10:50:46 -0800
From: cjolley@iac.net
Received: from little-miami.iac.net(198.180.60.135) by mycroft via smap (V1.3mjr) id sma009585; Wed Nov 1 10:49:45 1995
Received: from 199.6.47.253 by little-miami.iac.net with SMTP id NAA21726; Wed, 1 Nov 1995 13:44:25 -0500
Message-Id: <199511011844.NAA21726@little-miami.iac.net>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Date: Wed, 01 Nov 95 13:45:28 -0500
Subject: Re: screened host/subnet fws
To: Danny Cox , firewalls@GreatCircle.COM
In-Reply-To: <938.9511011157@gmap.leeds.ac.uk>
X-Mailer: SPRY Mail Version: 04.00.06.17
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I may have my definitions confused but we have a screening router between
our bastion host (with two NIC cards) and the Internet.
OTOH, I believe one could do it with just one NIC card.

On Wed, 1 Nov 1995, Danny Cox wrote:
>
>I suspect this may be a dumb question but bear with me. Given a screened host or
>screened subnet firewall, my understanding is that the bastion only has one
>ethernet card. If I'm running proxies upon it, then don't I need two IP addresses?
>
>Is it easy to set two IP addresses on one ethernet card - as I assume this is what's
>necessary ?
>
>Thanks all,
>Danny
>
>.
>

From firewalls-owner Wed Nov 1 11:59:12 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id LAA10134 for firewalls-outgoing; Wed, 1 Nov 1995 11:18:07 -0800 (PST)
Received: from aspensys (aspensys.aspensys.com [198.77.70.104]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id LAA10104 for ; Wed, 1 Nov 1995 11:17:51 -0800 (PST)
Received: from smtpinet.aspensys.com (smtpgate.aspensys.com) by aspensys (5.0/SMI-SVR4) id AA27797; Wed, 1 Nov 1995 14:13:03 +0500
Received: from ccMail by smtpinet.aspensys.com (SMTPLINK V2.10.08) id AA815268159; Wed, 01 Nov 95 14:16:34 EST
Date: Wed, 01 Nov 95 14:16:34 EST
From: "Jim Meritt"
Message-Id: <9510018152.AA815268159@smtpinet.aspensys.com>
To: firewalls@GreatCircle.COM
Subject: Network Security '95
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In DC 13-18 November. Anyone have information on attendance costs/where it
will be/how to pay/...?

ibid the 2-day course on Unix security cost ~$495.00

Jim Meritt
Aspen Systems Corporation

From firewalls-owner Wed Nov 1 12:00:41 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id LAA09867 for firewalls-outgoing; Wed, 1 Nov 1995 11:07:39 -0800 (PST)
Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id LAA09860 for ; Wed, 1 Nov 1995 11:07:36 -0800 (PST)
Received: from usia.gov by relay3.UU.NET with SMTP id QQznzw16068; Wed, 1 Nov 1995 14:06:25 -0500 (EST)
Received: from NetWare MHS (SMF70) by usia.gov via Connect2-SMTP 4.00; Wed, 1 Nov 95 14:05:09 -0500
Message-ID: <4AC097300136C8D1@usia.gov>
Date: Wed, 1 Nov 95 14:01:20 -0500
From: "Lehrer, Neil"
Organization: USIA
To: firewalls@greatcircle.com
Cc: dtoler@usia.gov, fjohnson@usia.gov, e._allen_brown@bops.voa.gov
Subject: request for info
X-mailer: Connect2-SMTP 4.00 MHS to SMTP Gateway
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

hi,

we are evaluating firewalls. firewall-1, borderware, gauntlet, and
smartwall. all in the intel versions because we are an intel shop. I would
like any comments you would care to make about these products. I am
interested in performance, ease of use, reliability, security,
documentation.

our internet connection is through a T-1 to sprint. we have lots of smtp in
and out, http out, telnet and ftp out, and ftp in, oracle client/server to
come. our routers are cisco.

also: can these products handle the load from a t-1 if hosted on a high
performance intel platform? what do you think of the trend of putting all
the services on the same box, for example, proxies, internal and external
dns, etc? any comments about their address translation facilities and the
oracle secure sqlnet to firewall announcement?

thanks very much. if you can cc my email address I would appreciate it.

Regards
+++++++++++++++++++++++++++++++++++++++
+ Neil Lehrer
+ U.S. Information Agency
+ Networks and Systems Support Division
+
+ voice 202 619-0903
+ fax 202 619-3883
+ internet nlehrer@usia.gov
+
+ "oh what a tangled net we weave
+  when we seek to retrieve."
+
+++++++++++++++++++++++++++++++++++++++

From firewalls-owner Wed Nov 1 12:01:58 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id KAA09519 for firewalls-outgoing; Wed, 1 Nov 1995 10:54:10 -0800 (PST)
Received: from cseic.saic.com (CSEIC.SAIC.COM [139.121.32.135]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id KAA09512 for ; Wed, 1 Nov 1995 10:54:05 -0800 (PST)
Received: from [139.121.32.149] by cseic.saic.com (4.1/1.34) id AA20606; Wed, 1 Nov 95 13:48:38 EST
Message-Id: <9511011848.AA20606@cseic.saic.com>
X-Sender: steveg@cseic.saic.com
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 01 Nov 1995 15:00:53 -0500
To: Danny Cox
From: "Stephen H. Goldstein"
Subject: Re: screened host/subnet fws
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:57 AM 11/1/95 GMT, Danny Cox wrote:
>
>I suspect this may be a dumb question but bear with me. Given a screened host or
>screened subnet firewall, my understanding is that the bastion only has one
>ethernet card. If I'm running proxies upon it, then don't I need two IP addresses?
>
>Is it easy to set two IP addresses on one ethernet card - as I assume this is what's
>necessary ?
>
>Thanks all,
>Danny
>

With a screened subnet, you only need one adapter and address:


  +--------+   +----------+    +---------+    +----------+    +---------+
  | Inside |---| Filter 1 |----| Bastion |----| Filter 2 |----| Outside |
  +--------+   +----------+    +---------+    +----------+    +---------+

Filter 1 is set up to only allow connections between "inside" hosts and the
bastion. Filter 2 is set up to only allow connections between the bastion
and "outside" hosts.
Thus the combination of Filter 1 and Filter 2 prevents direct
inside-outside communication, forcing everything to go through the bastion.

Caveat: This is not necessarily an endorsement of this configuration, just
confirmation that dual adapters and IP addresses for the bastion aren't a
technical must for it to work. Some firewall implementations use dual IP
stacks, one per interface, to further enforce separation of inside and
outside data. Based on your needs, this may or may not be overkill. Your
mileage may vary. Coupon may not be photocopied.

---
Stephen Goldstein          steveg@cseic.saic.com
My first computer: A 24K Atari 800, Rev. A ROMS, November 1980
Disclaimer: That's not what I said.

From firewalls-owner Wed Nov 1 13:41:26 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id MAA10861 for firewalls-outgoing; Wed, 1 Nov 1995 12:15:11 -0800 (PST)
Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.70.210]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id MAA10854 for ; Wed, 1 Nov 1995 12:15:07 -0800 (PST)
Message-Id: <199511012015.MAA10854@miles.greatcircle.com>
Received: by habanero.jmu.edu (1.37.109.16/16.2) id AA104214903; Wed, 1 Nov 1995 14:41:43 -0500
Date: Wed, 1 Nov 1995 14:41:43 -0500
From: gary flynn
To: firewalls@greatcircle.com
Subject: skey/opie/NRL/logdamon or what on fwtk/hpux???
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm trying to compile skey on hpux for incorporation into the TIS fwtk.

The version of skey that is at thumper.bellcore under skey appears to
support only BSD systems. The NRL version at thumper doesn't have any
hpux/sysv parameters. Opie 2.x at NRL has the hpux/sysv parameters but all
the system calls have been renamed from skeyXXXX to opieXXXX which fwtk
won't understand. I'm told that skey1.1b has a sysv parameter on the
Makefile but I don't know where to get it.

I was hoping for a version of skey that would work on hpux and with fwtk
without a lot of modifications. Is there such a beast?

Thank you for any assistance.

Gary Flynn
James Madison University

From firewalls-owner Wed Nov 1 13:53:19 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id NAA11425 for firewalls-outgoing; Wed, 1 Nov 1995 13:07:25 -0800 (PST)
Received: from tuna.wang.com (tuna.wang.com [150.124.136.4]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id NAA11417 for ; Wed, 1 Nov 1995 13:07:22 -0800 (PST)
Received: from mail.wangfed.com (ns.wangfed.com [159.94.10.19]) by tuna.wang.com (8.6.12/8.6.12tf1) with SMTP id QAA07876 for ; Wed, 1 Nov 1995 16:07:22 -0500
Received: from [159.94.10.15] by mail.wangfed.com (1.37.109.4/A.09.00a) id AA17604; Wed, 1 Nov 95 16:00:17 -0600
Received: from [159.94.14.48] by hfsi (BULL 5.61++/B.O.S 02.01) id AA09510; Wed, 1 Nov 95 15:57:56 -0500
Date: Wed, 1 Nov 95 15:57:56 -0500
Message-Id: <9511012057.AA09510@hfsi>
From: "K Goertzel"
Reply-To: "K Goertzel"
To: Firewalls@GreatCircle.COM
Subject: idb.ar.com...the mystery continues
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

For those that are wondering, several listers have tried the same URL I
did, with the following variety of results:

User #1: "I get a 'server not responding' when I try this."

User #2: "I tried accessing http://idb.ar.com and got 'Remote server down
or not responding.'"

User #3: "When I tried it, I too did not get connected, but the error
message was 'server timed out'."

I'm going to continue trying to sort this out, but if there is anyone who
can enlighten us on who idb.ar.com is, and how one might contact them, I'd
really appreciate it.
Karen Goertzel
goertzek@wangfed.com

From firewalls-owner Wed Nov 1 15:09:30 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id OAA12729 for firewalls-outgoing; Wed, 1 Nov 1995 14:31:21 -0800 (PST)
Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id OAA12722 for ; Wed, 1 Nov 1995 14:31:16 -0800 (PST)
Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.6.10/8.6.10) id IAA24597; Thu, 2 Nov 1995 08:26:04 +1000
Received: from citecub.citec.qld.gov.au(131.242.4.98) by citecuh.citec.qld.gov.au via smap (V1.3) id /mail/incoming/sma024592; Thu Nov 2 08:25:56 1995
Received: by citecub.citec.qld.gov.au (5.0/SMI-SVR4) id AA13330; Thu, 2 Nov 1995 08:28:45 +1000
From: sgcccdc@citec.qld.gov.au (Colin Campbell)
Message-Id: <9511012228.AA13330@citecub.citec.qld.gov.au>
Subject: Re: screened host/subnet fws
To: dannyc@gmap.leeds.ac.uk (Danny Cox)
Date: Thu, 2 Nov 95 8:28:45 EST
Cc: firewalls@greatcircle.com
In-Reply-To: <938.9511011157@gmap.leeds.ac.uk>; from "Danny Cox" at Nov 1, 95 11:57 am
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

My mailer thinks Danny Cox said:
>
>
> I suspect this may be a dumb question but bear with me. Given a screened host or
> screened subnet firewall, my understanding is that the bastion only has one
> ethernet card. If I'm running proxies upon it, then don't I need two IP addresses?
>

Correct, you do not need two addresses. The firewall I manage is configured
the same as what you describe.

            "outside"
                |
                |
              router
                |
                |
      ------------------------
          |            |
          |            |
       bastion       router
                       |
                       |
                    "inside"

As I said, there is no need for two addresses. You configure the routers'
filters to force all traffic through the bastion. This however only
provides a logical path through the bastion. My personal preference is to
force a physical path as well by dual-homing the bastion, as shown below.
As well as the router filters, I would consider putting filters on the
bastion - if a packet gets rejected by the bastion you know there is
something wrong on one of the routers.

            "outside"
                |
                |
              router
                |
                |
      ------------------------  "outside" lan
                |
                |
             bastion
                |
                |
      ------------------------  "inside" lan
                |
                |
              router
                |
                |
            "inside"

A lot of people will call this "belt and braces" but it also allows you to
put public servers on the "outside" lan which IMHO you cannot do safely in
the first configuration.

> Is it easy to set two IP addresses on one ethernet card - as I assume this is what's
> necessary ?
>

It isn't necessary but can be done - I know how on BSDI and Solaris.

Colin

From firewalls-owner Wed Nov 1 16:34:26 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id PAA14607 for firewalls-outgoing; Wed, 1 Nov 1995 15:56:37 -0800 (PST)
Received: from strydr.strydr.com (strydr.strydr.com [199.217.201.1]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id PAA14600 for ; Wed, 1 Nov 1995 15:56:34 -0800 (PST)
Received: (from ds3721@localhost) by strydr.strydr.com (8.6.12/8.6.11) id RAA16480 for firewalls@greatcircle.com; Wed, 1 Nov 1995 17:56:33 -0600
From: David Schnardthorst
Message-Id: <199511012356.RAA16480@strydr.strydr.com>
Subject: Internet Security W3 Directory
To: firewalls@greatcircle.com
Date: Wed, 1 Nov 1995 17:56:32 -0600 (CST)
Organization: Stryder Communications, Inc.
Address: 869 St. Francois, Florissant, Mo. 63031
Telephone: (314)838-6839
Fax: (314)838-8527
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Do you have a URL relating to internet security? If it is information on
products, RFC's, or general information, please add it to our W3 directory,

http://www.strydr.com/cgi-bin/www_sites

This information is public information for members of the internet
community.

Thanks for your help

============================================================================
David Schnardthorst, Systems/Network Eng.   * Phone: (314)838-6839
Stryder Communications, Inc.                * Fax: (314)838-8527
869 St. Francois                            * E-Mail: ds3721@strydr.com
Florissant, MO 63031                        * URL: http://www.strydr.com
============================================================================

From firewalls-owner Wed Nov 1 16:53:36 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id QAA16438 for firewalls-outgoing; Wed, 1 Nov 1995 16:49:17 -0800 (PST)
Received: from acsweb (acsweb.acs.usm.maine.edu [130.111.128.23]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id QAA16430 for ; Wed, 1 Nov 1995 16:49:14 -0800 (PST)
Received: from doc.cs.usm.maine.edu by acsweb (5.x/SMI-SVR4) id AA13512; Wed, 1 Nov 1995 19:49:20 -0500
Received: by doc.cs.usm.maine.edu; (5.65/1.1.8.2/04Oct95-1047AM) id AA25854; Wed, 1 Nov 1995 19:49:09 -0500
From: Edward Maillet
Message-Id: <9511020049.AA25854@doc.cs.usm.maine.edu>
Subject: Spoofing ISDN
To: firewalls@greatcircle.com
Date: Wed, 1 Nov 1995 19:49:09 -0500 (EST)
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hey All,

Some folks at work want to set up an ISDN dial-in connection relying solely
on the inbound caller ID as the security measure. Is it possible to spoof
the D channel to send fake info? I'm fairly certain there is a way to do
it. Can anyone point me to some references so I can make a decent technical
argument against this?

Thanx.
-----
Ed Maillet
maillet@cs.usm.maine.edu

From firewalls-owner Wed Nov 1 17:20:22 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id QAA14802 for firewalls-outgoing; Wed, 1 Nov 1995 16:01:22 -0800 (PST)
Received: from gw1.octel.com (gw1.octel.com [148.147.1.12]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id QAA14787 for ; Wed, 1 Nov 1995 16:01:16 -0800 (PST)
Received: (from daemon@localhost) by gw1.octel.com (8.6.10/8.6.10) id QAA06642; Wed, 1 Nov 1995 16:01:16 -0800
Received: from curly.eng.octel.com(148.147.200.26) by gw1.octel.com via smap (V1.3) id sma006621; Wed Nov 1 16:01:05 1995
Received: from laura.eng.octel.com (laura.eng.octel.com [148.147.206.4]) by curly.eng.octel.com (8.6.12/8.6.12) with ESMTP id QAA10877; Wed, 1 Nov 1995 16:01:04 -0800
Received: (from hbo@localhost) by laura.eng.octel.com (8.6.12/8.6.12) id QAA16168; Wed, 1 Nov 1995 16:01:04 -0800
Date: Wed, 1 Nov 1995 16:01:04 -0800
Message-Id: <199511020001.QAA16168@laura.eng.octel.com>
From: Howard B Owen
To: nlehrer@usia.gov
CC: firewalls@GreatCircle.COM
In-reply-to: <4AC097300136C8D1@usia.gov> (nlehrer@usia.gov)
Subject: Re: request for info
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

/sys/admin has a web page devoted to commercial firewalls. It's a good starting point:

http://www.sysadmin.com

--
Howard Owen              hbo@octel.com                    Octel Communications Corporation
1024/DC671C31 =          Internet Guy/Webmaster           1001 Murphy Ranch Rd.
37 A0 46 EE BE           408-324-6576 Voice and FAX       Milpitas CA 95035-7912
95 DB 92 E8 39           I am not a pay TV service!
http://www.egbok.com/hbo.html                             80 89 A9 F9 3D FB

From firewalls-owner Wed Nov 1 17:54:05 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA19645 for firewalls-outgoing; Wed, 1 Nov 1995 17:45:29 -0800 (PST)
Received: from colt.milepost.com (colt.milepost.com [164.57.50.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id RAA19637 for ; Wed, 1 Nov 1995 17:45:19 -0800 (PST)
Received: (from phil@localhost) by colt.milepost.com (8.6.12/8.6.9) id TAA05185; Wed, 1 Nov 1995 19:44:49 -0600
From: Phil Howard
Message-Id: <199511020144.TAA05185@colt.milepost.com>
Subject: Re: screened host/subnet fws
To: steveg@cseic.saic.com (Stephen H. Goldstein)
Date: Wed, 1 Nov 1995 19:44:49 -0600 (CST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9511011848.AA20606@cseic.saic.com> from "Stephen H. Goldstein" at Nov 1, 95 03:00:53 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Stephen H. Goldstein writes:

> With a screened subnet, you only need one adapter and address:
>
>
>   +--------+   +----------+    +---------+    +----------+    +---------+
>   | Inside |---| Filter 1 |----| Bastion |----| Filter 2 |----| Outside |
>   +--------+   +----------+    +---------+    +----------+    +---------+
>
> Filter 1 is set up to only allow connections between "inside" hosts and the
> bastion. Filter 2 is set up to only allow connections between the bastion
> and "outside" hosts. Thus the combination of Filter 1 and Filter 2
> prevents direct inside-outside communication, forcing everything to
> go through the bastion.
>
> Caveat: This is not necessarily an endorsement of this configuration, just
> confirmation that dual adapters and IP addresses for the bastion aren't
> a technical must for it to work. Some firewall implementations use
> dual IP stacks, one per interface to further enforce separation of
> inside and outside data.
> Based on your needs, this may or may not be
> overkill. Your mileage may vary. Coupon may not be photocopied.

This kind of configuration also makes the packet filter rule sets in each of the filter routers a lot simpler and easier to code. This is especially so if the filter "language" is limited to "linear match and commit" logic. By "linear match and commit" I refer to rules where if the test does have a positive match, you are committed to either deny the packet or accept the packet without applying any other tests. It's like programming without any "if" statements, loops, or function calls.

From firewalls-owner Wed Nov 1 18:45:38 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA20407 for firewalls-outgoing; Wed, 1 Nov 1995 17:59:11 -0800 (PST)
Received: from yarrina.connect.com.au (yarrina.connect.com.au [192.189.54.17]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id RAA20399 for ; Wed, 1 Nov 1995 17:59:03 -0800 (PST)
Received: (from root@localhost) by yarrina.connect.com.au with UUCP id MAA22978 (8.6.12/IDA-1.6); Thu, 2 Nov 1995 12:57:30 +1100
Received: by junkers.lochard.com.au id AA20822 (5.65c/IDA-1.5); Thu, 2 Nov 1995 02:52:54 GMT
From: Mark
Message-Id: <199511020252.AA20822@junkers.lochard.com.au>
Subject: Re: Tightening up SunOS 5.4 (was Re: Hardened OS)
To: cmcurtin@gatekeeper.cb.att.com (C Matthew Curtin)
Date: Thu, 2 Nov 1995 12:52:53 +1000 (EET)
Cc: Eric_Sheppard.BCI@bbs.bellsouth.com, firewalls@GreatCircle.COM
In-Reply-To: <9510312244.ZM5480@gatekeeper> from "C Matthew Curtin" at Oct 31, 95 10:44:52 pm
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Since you've already blown away everything that isn't directly needed
>by your system or the applications you run to support necessary services,
>things like tar, ar, cc, cpio, etc. are gone. If someone does break in,
>make it impossible for them to bring in archives and build binaries.
>Do
>you really need to have an ftp command on the system? I even removed vi :-)

Unfortunately this won't work. Unless you remove shells as well from the machine people can still import binaries. I had a friend once in a chroot'd guest environment with reasonably low quotas and they still managed to import a binary and "talk" to the sendmail daemon on the machine. It was a cute trick and more of a proof of concept but it was enough to show me you can't really stop someone on a standard unix model.

If anyone got on a firewall setup like this it is simple to compile a binary offsite to suit the architecture, static if necessary, and import it, run it and then have that binary act as a personal ftp/shell/port login process.

Have a nice day

Mark
mark@lochard.com.au

From firewalls-owner Wed Nov 1 18:47:45 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA17766 for firewalls-outgoing; Wed, 1 Nov 1995 17:10:21 -0800 (PST)
Received: from bast.livingston.com (bast.livingston.com [149.198.247.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id RAA17752 for ; Wed, 1 Nov 1995 17:10:17 -0800 (PST)
Received: from server.livingston.com (server.livingston.com [149.198.1.70]) by bast.livingston.com (8.7.1/8.6.9) with ESMTP id RAA17007 for ; Wed, 1 Nov 1995 17:13:01 -0800 (PST)
Received: (from cdr@localhost) by server.livingston.com (8.7.1/8.6.9) id RAA04275; Wed, 1 Nov 1995 17:08:28 -0800 (PST)
Date: Wed, 1 Nov 1995 17:08:28 -0800 (PST)
From: Carl Rigney
Message-Id: <199511020108.RAA04275@server.livingston.com>
To: firewalls@livingston.com
Subject: Firewall Discussion at PC Week
Cc: portmaster-users@livingston.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

PC Week is hosting a Discussion on "Protecting the company LAN from Internet intruders" at

Protecting the company LAN from Internet intruders

ISS, Checkpoint & Livingston are on hand to answer questions, so feel free to drop by on the web and join in.
--
Carl Rigney
cdr@livingston.com

From firewalls-owner Wed Nov 1 18:57:21 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA17597 for firewalls-outgoing; Wed, 1 Nov 1995 17:07:43 -0800 (PST)
Received: from acsweb (acsweb.acs.usm.maine.edu [130.111.128.23]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id RAA17584 for ; Wed, 1 Nov 1995 17:07:39 -0800 (PST)
Received: from doc.cs.usm.maine.edu by acsweb (5.x/SMI-SVR4) id AA13701; Wed, 1 Nov 1995 20:07:44 -0500
Received: by doc.cs.usm.maine.edu; (5.65/1.1.8.2/04Oct95-1047AM) id AA25053; Wed, 1 Nov 1995 20:07:39 -0500
From: Edward Maillet
Message-Id: <9511020107.AA25053@doc.cs.usm.maine.edu>
Subject: A defense against sniffing attacks for mere mortals
To: firewalls@greatcircle.com
Date: Wed, 1 Nov 1995 20:07:38 -0500 (EST)
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hey All,

Sorry to step on the toes of you S/Key, Kerberos, it's-only-safe-if-it's-encrypted types but it seems that there are other ways of defeating packet sniffers. Both active and passive.

Under certain network topologies, sniffing can be rendered useless without encryption. Consider an ethernet that contains an ethernet switch and some 10Base-T hubs. The switch itself can prevent connections from being sniffed or hijacked simply because packets don't get transmitted down that particular segment. If your hubs are somewhat decent, they'll have an option that "scrambles" data not destined for that port. So even that segment is protected from everything except blind guessing. (Which may get lucky for the truly paranoid.)

I realize that this is a rather specific topology but it is an interesting and rather simple solution.

Flame away!
-----
Ed Maillet
maillet@cs.usm.maine.edu

From firewalls-owner Wed Nov 1 19:00:56 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA20121 for firewalls-outgoing; Wed, 1 Nov 1995 17:53:24 -0800 (PST)
Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id RAA19999 for ; Wed, 1 Nov 1995 17:52:35 -0800 (PST)
Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.6.10/8.6.10) id LAA02321; Thu, 2 Nov 1995 11:47:07 +1000
Received: from citecub.citec.qld.gov.au(131.242.4.98) by citecuh.citec.qld.gov.au via smap (V1.3) id /mail/incoming/sma002313; Thu Nov 2 11:46:55 1995
Received: by citecub.citec.qld.gov.au (5.0/SMI-SVR4) id AA08615; Thu, 2 Nov 1995 11:49:33 +1000
From: sgcccdc@citec.qld.gov.au (Colin Campbell)
Message-Id: <9511020149.AA08615@citecub.citec.qld.gov.au>
Subject: Re: screened host/subnet fws
To: steveg@cseic.saic.com (Stephen H. Goldstein)
Date: Thu, 2 Nov 95 11:49:32 EST
Cc: firewalls@greatcircle.com
In-Reply-To: <9511011848.AA20606@cseic.saic.com>; from "Stephen H. Goldstein" at Nov 1, 95 3:00 pm
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My mailer thinks Stephen H. Goldstein said:
>
> At 11:57 AM 11/1/95 GMT, Danny Cox wrote:
> >
> >I suspect this may be a dumb question but bear with me. Given a screened host or
> >screened subnet firewall, my understanding is that the bastion only has one
> >ethernet card. If I'm running proxies upon it, then don't I need two IP addresses?
> >
> >Is it easy to set two IP addresses on one ethernet card - as I assume this is what's
> >necessary ?
> >
> >Thanks all,
> >Danny
> >
> With a screened subnet, you only need one adapter and address:
>

Then why did you show one with TWO interfaces? There are a lot of newbies on this list (who probably shouldn't be attempting to build firewalls without a lot of study first) who on seeing "pictures" like this and then an explanation that seemingly contradicts it, will only be more confused.

>
>   +--------+   +----------+    +---------+    +----------+    +---------+
>   | Inside |---| Filter 1 |----| Bastion |----| Filter 2 |----| Outside |
>   +--------+   +----------+    +---------+    +----------+    +---------+
>
[chomp]

IMHO, what you should have drawn, was:

   +--------+   +----------+          +----------+    +---------+
   | Inside |---| Filter 1 |----------| Filter 2 |----| Outside |
   +--------+   +----------+    |     +----------+    +---------+
                                |
                           +---------+
                           | Bastion |
                           +---------+

Colin

From firewalls-owner Wed Nov 1 19:31:46 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id SAA23085 for firewalls-outgoing; Wed, 1 Nov 1995 18:59:29 -0800 (PST)
Received: from london.micrognosis.com (midas.london.micrognosis.com [193.114.123.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id SAA23078 for ; Wed, 1 Nov 1995 18:59:24 -0800 (PST)
Received: by london.micrognosis.com (4.1/NAR-Gateway) id AA09937; Thu, 2 Nov 95 02:59:24 GMT
Received: from zeus.london.micrognosis.com(192.83.165.17) by midas via smap (V1.0mjr) id sma009935; Thu Nov 2 02:59:22 1995
Received: by zeus.london.micrognosis.com (4.1/SMI-4.1) id AA07723; Thu, 2 Nov 95 02:59:15 GMT
From: nreadwin@london.micrognosis.com (Neil Readwin)
Message-Id: <9511020259.AA07723@zeus.london.micrognosis.com>
Subject: Re: What about the next 20 Java-like applications? ( was Re: Java)
To: ajack@corp.micrognosis.com (Adam Jack)
Date: Thu, 2 Nov 1995 02:59:14 +0000 (GMT)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Adam Jack" at Nov 1, 95 00:00:10 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[ Even the author considers this post mind-numbingly tedious.
  firewalls types not interested in risk analysis should bail here. ]

Adam Jack writes:
> What I don't hear from this list are criteria for quantifying risk.

Well, it's a very hard problem and very few of us know much about it. To do risk analysis properly you need to be some mutant hybrid of accountant and computer wizard. 20/20 foresight helps too. It doesn't get much coverage on the list because accountancy is boring :-)

> What I find depressing is the apparent - "it's unknown - be scared"
> mentality. Surely - with an internet as diverse and rapidly
> changing as today's - it is one that is outdated.

OK, imagine we have some new service on the Internet. Ideally we would list the potential threats related to that service and calculate the likelihood of them materializing and the associated cost. We must also look at the benefit of enabling that service (ie the cost of denying it).

Now, we must have some default decision on whether the service should be enabled before the risk analysis is done. You seem to be arguing the default should be yes. It seems to me that there is a cost to doing the risk analysis and also some cost to disallowing the feature until it is given the OK. There is also the potential cost that we might incur from an un-analyzed service or feature (which we know to be unknown since by definition we have not determined it).

If the cost of disallowing the service is smaller than the cost of doing the analysis then it should be disabled. If the cost of disallowing the service is greater than the cost of doing the analysis plus the (unknown) cost of enabling the service then we should enable it. Of course we never know how big the unknown is :-) That is, giving a service the benefit of the doubt is sometimes clearly wrong and never clearly right.

On the other hand, you could argue that the cost of disabling services unnecessarily is so large (or rather will be because of the high utility of future developments on the Internet) that the unknown risk associated with them cannot be large enough to justify disabling them by default. That is, enabling them until the analysis is done is critical to the health of your business. Depending on your business and what the future developments are you might be right. What works for a 2 man software company might not work for a multi-billion dollar financial services company or a nuclear power station.

Neil (whose risk-analysis of HTTP was basically "I've got a VP screaming for it and TIS have a proxy, so it can't be all bad - I'll do it!")

--
nreadwin@micrognosis.co.uk                   Phone: +1 908 855 1221 x519
Anything is a cause for sorrow that my mind or body has made

From firewalls-owner Wed Nov 1 19:38:47 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA18240 for firewalls-outgoing; Wed, 1 Nov 1995 17:18:39 -0800 (PST)
Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id RAA18233 for ; Wed, 1 Nov 1995 17:18:30 -0800 (PST)
Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id TAA27214; Wed, 1 Nov 1995 19:50:10 -0600
Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id TAA27210; Wed, 1 Nov 1995 19:50:07 -0600
Received: from hector.sctc.com (hector.sctc.com [172.17.192.85]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id TAA12309; Wed, 1 Nov 1995 19:17:57 -0600 (CST)
Received: (from stockwel@localhost) by hector.sctc.com (8.6.12/8.6.9) id TAA06918; Wed, 1 Nov 1995 19:17:54 -0600
Date: Wed, 1 Nov 1995 19:17:54 -0600
From: Ted Stockwell
Message-Id: <199511020117.TAA06918@hector.sctc.com>
To: Mike.Jones@aule-tek.com
CC: lresch@relay.nswc.navy.mil, sangster@reston.ans.net,
    firewalls@GreatCircle.COM
Subject: Re: PC vs Workstation Firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Date: Wed, 1 Nov 1995 12:37:36
> From: Mike.Jones@aule-tek.com (Mike Jonesa)
> [text deleted]
>
> Actually, I think there's another issue to consider. If you get, for
> example, a firewall that runs on a Sun, you can purchase maintenance
> for it. That means that if you lose a disk at 2am in a snowstorm in the
> middle of January, the *Sun* guy gets to come out and replace the disk
> within 4 hours. Sure beats playing with PC hardware for my dollar. The
> same is true of HP, SGI, IBM, etc., of course.
>
> Mike Jones | jonesmd@aule-tek.com

You can get 7 x 24 support for PC hardware. Workstations do not present an advantage here. PC's may have a cost advantage if you want a hot-swap.

--
Ted Stockwell, stockwel@sctc.com, Sidewinder

From firewalls-owner Wed Nov 1 19:50:32 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA18871 for firewalls-outgoing; Wed, 1 Nov 1995 17:27:56 -0800 (PST)
Received: from colt.milepost.com (colt.milepost.com [164.57.50.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id RAA18853 for ; Wed, 1 Nov 1995 17:27:50 -0800 (PST)
Received: (from phil@localhost) by colt.milepost.com (8.6.12/8.6.9) id TAA05078; Wed, 1 Nov 1995 19:27:17 -0600
From: Phil Howard
Message-Id: <199511020127.TAA05078@colt.milepost.com>
Subject: Re: Firewall Survey
To: mec@itg.net (Matthew Cable)
Date: Wed, 1 Nov 1995 19:27:16 -0600 (CST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9510311859.ZM1140@squiggy.itg.net> from "Matthew Cable" at Oct 31, 95 06:59:14 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Matthew Cable writes...

> ==BEGIN==
> =Product Name:
>
> =Informational URL:
>
> =Pricing URL:
>
> =Pricing Info:
>
> =Features:
>
> =Standard Services (proxies, standalone):
>
> =Degree of User Configuration allowed (eg, can I add new services easily):
>
> =Management Methods (gui, command line, etc):
>
> =Comments:
>
> ==END==

I definitely want to see a full list of what services application level firewall proxies are able to support, and how sophisticated they can do it. For example, FTP. Can I let anyone in my organization go ftp anything from any site that passes a rule check, using their regular ftp client?

Also when listing management methods, please be sure to list all the choices. Some of us prefer editing files so we can see the overall logic that has been configured and can easily do things like rearrange the order of things... stuff not easy, if even possible, with GUI.

Also, can configurations be saved as a file or package of files, for the purpose of backup? Suppose the hardware goes belly up, and new hardware and software is now in place. Can you get the original configuration back on the machine and on the air in 5 minutes?
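The screened-subnet layout Stephen Goldstein described and Colin Campbell redrew earlier in this thread, driven by the "linear match and commit" filter logic Phil Howard described, as an added worked example (this is not code from any poster or product): a first-match rule evaluator for Filter 1 and Filter 2, a path model that reports which router commits to dropping a packet, and a check for rules that an earlier rule shadows. The address ranges, rule lists and the `forward`/`shadowed` helpers are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    """One line of a router filter list: a test plus the action it commits to."""
    action: str           # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    why: str = ""

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.src and dst in self.dst


def decide(rules: List[Rule], src: str, dst: str) -> Tuple[str, Optional[Rule]]:
    """Linear match and commit: walk the list once, and the first rule whose
    test matches decides the packet; no later rule is consulted.  A packet
    that matches nothing falls through to the implicit default deny."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d):
            return rule.action, rule
    return "deny", None


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule already
    covers every packet they would match.  With no branching, rule order is
    the only control structure, so this is the classic mistake to check for."""
    dead = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst):
                dead.append(i)
                break
    return dead


# Constructed address plan (not from the thread): the inside LAN, the screened
# subnet between the two filter routers, and the single-homed bastion on it.
INSIDE = ip_network("10.1.0.0/16")
SCREENED = ip_network("192.0.2.0/24")
BASTION = ip_network("192.0.2.10/32")

# Filter 1 sits between Inside and the screened subnet: inside <-> bastion only.
FILTER1 = [
    Rule("permit", INSIDE, BASTION, "inside hosts may reach the bastion"),
    Rule("permit", BASTION, INSIDE, "bastion may answer inside hosts"),
    Rule("deny", ANY, ANY, "everything else, including inside -> outside"),
]

# Filter 2 sits between the screened subnet and Outside: bastion <-> outside
# only.  The denies are listed first: in a first-match list the only way to
# carve an exception out of a broad permit is to put the exception above it.
FILTER2 = [
    Rule("deny", INSIDE, ANY, "an inside source address should never reach here"),
    Rule("deny", ANY, INSIDE, "nothing from outside goes to inside directly"),
    Rule("permit", BASTION, ANY, "bastion to the Internet"),
    Rule("permit", ANY, BASTION, "Internet to the bastion"),
    Rule("deny", ANY, ANY, "default"),
]

# Crossing 0 is Filter 1 (between segments 0 and 1); crossing 1 is Filter 2.
FILTERS = [("Filter 1", FILTER1), ("Filter 2", FILTER2)]


def segment(addr: IPv4Address) -> int:
    """0 = inside LAN, 1 = screened subnet, 2 = outside (everything else)."""
    if addr in INSIDE:
        return 0
    if addr in SCREENED:
        return 1
    return 2


def forward(src: str, dst: str) -> Tuple[str, str]:
    """Push a packet through every filter router on its path, in the order it
    would physically meet them.  Returns ("permit", "delivered") or
    ("deny", name of the filter that committed to dropping it)."""
    a, b = segment(ip_address(src)), segment(ip_address(dst))
    crossings = range(a, b) if a < b else range(a - 1, b - 1, -1)
    for k in crossings:
        name, rules = FILTERS[k]
        verdict, _ = decide(rules, src, dst)
        if verdict == "deny":
            return "deny", name
    return "permit", "delivered"


if __name__ == "__main__":
    for s, d in [("10.1.2.3", "192.0.2.10"), ("10.1.2.3", "198.51.100.7"),
                 ("198.51.100.7", "10.1.2.3"), ("192.0.2.10", "198.51.100.7")]:
        print(s, "->", d, forward(s, d))
    print("shadowed rules in Filter 2:", shadowed(FILTER2))
```

An inside host is stopped at Filter 1 before it ever reaches Filter 2, and a packet carrying an inside source address that somehow arrives at Filter 2 is still dropped there, which is the "belt and braces" Colin mentioned.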
From firewalls-owner Wed Nov 1 19:53:09 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA18946 for firewalls-outgoing; Wed, 1 Nov 1995 17:29:22 -0800 (PST)
Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id RAA18922 for ; Wed, 1 Nov 1995 17:29:05 -0800 (PST)
Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id SAA25924 for ; Wed, 1 Nov 1995 18:31:32 -0600
Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id SAA25552; Wed, 1 Nov 1995 18:09:39 -0600
Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id RAA08756; Wed, 1 Nov 1995 17:37:29 -0600 (CST)
Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id RAA19827; Wed, 1 Nov 1995 17:37:30 -0600
Date: Wed, 1 Nov 1995 17:37:30 -0600
From: Rick Smith
Message-Id: <199511012337.RAA19827@shade.sctc.com>
To: firewalls@greatcircle.com
Cc: smith@sctc.com, cmcurtin@gatekeeper.cb.att.com
Subject: Re: Tightening up SunOS 5.4 (was Re: Hardened OS)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

"C Matthew Curtin" suggests:

>Basically, I define:
> * What services we need
> * What applications we use to support those services
> * What system commands/drivers/etc are needed to support those apps
>And blew away everything else.

>If your only user is root, there is no point in having setuid on things like
>ps, since anyone non-root trying to run that is obviously someone who broke
>in, right? I removed all of the setuid/setgid bits, made them only runnable
>by root.

>Since you've already blown away everything that isn't directly needed
>by your system or the applications you run to support necessary services,
>things like tar, ar, cc, cpio, etc. are gone. If someone does break in,
>make it impossible for them to bring in archives and build binaries...

Of course, RTM didn't use a C compiler to exploit the old fingerd buffer overrun vulnerability, just the fact that fingerd was running as root on most systems.

Doesn't this cast some doubt on the notion of eliminating every user but root? Or did we skip a step here?

Rick.
smith@sctc.com          secure computing corporation

From firewalls-owner Wed Nov 1 20:31:49 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA19306 for firewalls-outgoing; Wed, 1 Nov 1995 17:38:12 -0800 (PST)
Received: from acsweb (acsweb.acs.usm.maine.edu [130.111.128.23]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id RAA19292 for ; Wed, 1 Nov 1995 17:38:07 -0800 (PST)
Received: from doc.cs.usm.maine.edu by acsweb (5.x/SMI-SVR4) id AA13880; Wed, 1 Nov 1995 20:38:14 -0500
Received: by doc.cs.usm.maine.edu; (5.65/1.1.8.2/04Oct95-1047AM) id AA25452; Wed, 1 Nov 1995 20:38:08 -0500
From: Edward Maillet
Message-Id: <9511020138.AA25452@doc.cs.usm.maine.edu>
Subject: Man in the Middle Attacks (Over rated?)
To: firewalls@greatcircle.com
Date: Wed, 1 Nov 1995 20:38:07 -0500 (EST)
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hey All,

Wouldn't it be more accurate to say that Man in the Middle attacks are really Man at the End attacks? I've been reading the IP-Watch Web Page about hijacking TCP connections and active packet sniffing. The "threat to the whole Internet" seems a bit exaggerated for the average Joe. (http://www.EnGarde.com/software/ipwatcher)

TCP connections flying over Internet today from say A.com to B.com aren't likely to be crossing over a network controlled by evil.com. What is the REAL potential of someone being able to nail an A.com to B.com connection without being inside A.com or B.com?

Most companies connect to the 'net using a commercial Internet provider. Let's say MCI.
I know for a fact MCI routes data internally along its DS3 back bone as much as it can so if you and I both use MCI we never leave MCI land. What is the real potential of someone tapping, hacking or sniffing one of MCI's links? Sure the possibility exists but so does the possibility I put a bomb in your car while you were reading this.

The real potential threat seems to be from the inside of B.com or A.com where direct access to the network is MUCH easier to obtain. Or even worse is evil.com directly attacking A.com or B.com like the Tsutomu Shimomura attack last year.

Is the real potential threat the Man at the End rather than the Man that may be in the Middle? Particularly my end. My company seems to not view it this way so internal security is much looser than our outbound connections.

As a side thought, anyone got any numbers of how many hacks come from inside versus outside?

Flame Away!

-----
Ed Maillet
maillet@cs.usm.maine.edu

From firewalls-owner Wed Nov 1 20:36:36 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA18638 for firewalls-outgoing; Wed, 1 Nov 1995 17:24:35 -0800 (PST)
Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id RAA18628 for ; Wed, 1 Nov 1995 17:24:22 -0800 (PST)
Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id TAA27270; Wed, 1 Nov 1995 19:55:50 -0600
Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id TAA27266; Wed, 1 Nov 1995 19:55:50 -0600
Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id TAA12384; Wed, 1 Nov 1995 19:23:39 -0600 (CST)
Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id TAA23834; Wed, 1 Nov 1995 19:23:38 -0600
Date: Wed, 1 Nov 1995 19:23:38 -0600
From: Rick Smith
Message-Id: <199511020123.TAA23834@shade.sctc.com>
To:
    firewalls@greatcircle.com
Cc: smith@sctc.com, ajack@corp.micrognosis.com
Subject: Re: What about the next 20 Java-like applications? ( was Re: Java)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Adam Jack writes a manifesto:

> Sun aren't complete cretins. They have a tonne of experience of break-
> ins (through their own software on their machines ;-). HotJava can deal
> with the threats that any non-firewall-professionals - can dream up -
> and most that this list has raised.

Perhaps I'm sounding like a broken record, but you've got to plan for tomorrow's threats, not yesterday's. The "firewall professional's" threats of today are the bread and butter of tomorrow's attackers. Or maybe I got that reversed.. :->

For the (broken) record, I think the Java developers did a fine job of dealing with early '80s style security issues. But they didn't get a handle on the desktop security issues early enough in the HotJava design. It's a tough problem and they don't really have many models to follow, so I'm not surprised they're having trouble. At least the Java folks could follow the instruction set and pcode security traditions.

>> I'm very worried about Java, but all I hear are reassurances about
>> memory protection and default security levels. I, for one, am not
>> reassured.
>
> This is the statement that has been getting to me more and more
> through this Java thread. (Scott Barman irritated me to silence!)
> Reassurance isn't a right! ...

Competent firewall and security vendors do NOT subscribe to this mindset. If a customer is concerned enough about security to seek a quality product, they have every right to (re)assurance that the protections they expect are in place. They deserve to know what security measures are effective and deployed. They deserve evidence.

> I really hoped, given the experience on this list, that a better informed
> discussion might occur. Unfortunately there doesn't appear to be anybody,
> with experience, spending any real time analyzing it. ...

As you've probably figured out, this is expensive and time consuming work. We do it for our own products. I admit it depresses me to have the same, tired security questions go unanswered, and that I do not have the time myself to try things out. On the other hand, it shouldn't be so much to ask other vendors to do their own job, too. It makes our life easier, and lets us help our customers better.

I had a hard time quantifying risks for customers intending to use Netscape until the appropriate group of hackers did the costly research Netscape didn't do. My hat's off to them. I hope those guys will tackle HotJava now, unless Sun and/or Netscape pumps in the resources to do it. Somehow I doubt they will -- security doesn't appear to have much of a priority in their institutional cultures. But it's nice that they're getting efficient at fixing their security bugs after they occur. Reactive security, anyway.

> What I find depressing is the apparent - "it's unknown - be scared"
> mentality. ...
> Surely - with an internet as diverse and rapidly changing as today's - it is
> one that is outdated. It is too obvious. (Fascist 'old' Admin vs Coool $tuff)
> It is an expression of discomfort - not an approach to solve the problems.

It really is sensible to be cautious when handling a live wire of unknown voltage. Things were much easier back in the Good Old Days when we just used the 'Net for R&D and transcontinental Adventure games. Things get a bit squirrely when you use it to run a business, and your livelihood depends on correct results whose integrity you can depend on. The raw, theoretical risk of running arbitrary, possibly hostile code in numerous workstations... well, the mind boggles.

> Applications on the Internet are racing ahead. Despite the common sense
> demand for security - pressure for functionality is higher.

It depends on who you talk to. Our customers want both, but they recognize there is a tradeoff. How many will put their back office operations at risk just for "coool stuff" on desktops?? Not many.

> Java is just
> one of many emerging 'technologies' that will strain current firewall
> models. Firewall technology needs to evolve with the technological 'advances'
> (- and so do individuals.)

Evolving attack methodologies also strain current firewall models, even without throwing HotJava into the picture. Sites concerned about security want finer grained awareness of what crosses their boundary. It's not clear how we meet their needs and also pass applets. Magic doesn't exist, and firewalls can't perform mathematical miracles.

> What I don't hear from this list are criteria for quantifying risk.

If our customers are going to run Java/HotJava, they want it on every desk, not just those belonging to a couple of R&D propellerheads with some blue-sky proprietary data on their filesystems. The CEO and the Director of Mergers and Acquisitions and the Custodian of Insider Information will all want the spiffy stuff, too. It is not clear that spiffy stuff will run on a HotJava system configured to run securely.

>.. How are firewalls going to deal with the next 20 Java's?

The same way this one is dealt with: a refusal to throw caution to the wind simply because it's Kool Stuff.

I hate long postings.

Rick.
smith@sctc.com          secure computing corporation

From firewalls-owner Wed Nov 1 20:52:25 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id QAA16206 for firewalls-outgoing; Wed, 1 Nov 1995 16:43:48 -0800 (PST)
Received: from aurora.intel.com (aurora.intel.com [143.183.152.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id QAA16197 for ; Wed, 1 Nov 1995 16:43:40 -0800 (PST)
Received: from argus.intel.com by aurora.intel.com (5.65/10.0i); Wed, 1 Nov 95 16:42:08 -0800
Received: by argus.intel.com (5.65/10.0i); Wed, 1 Nov 95 16:40:22 -0800
From: sedayao@argus.intel.com (Jeffrey C. Sedayao)
Message-Id: <9511020040.AA22823@argus.intel.com>
Subject: Re: idb.ar.com...the mystery continues
To: goertzek@wangfed.com
Date: Wed, 1 Nov 95 16:40:21 PST
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <9511012057.AA09510@hfsi> from "K Goertzel" at Nov 1, 95 03:57:56 pm
X-Mailer: ELM [version 2.4dev PL66]
Mime-Version: 1.0
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[stuff deleted]

> I'm going to continue trying to sort this out, but if there is anyone who can
> enlighten us on who ibd.ar.com is, and how one might contact them, I'd really
> appreciate it.

The Internic says:

[xterm] InterNIC > whois ar.com
Connecting to the rs Database . . . . . .
Connected to the rs Database
Rick Wesson (AR3-DOM)
   1278 Sandia Dr.
   Sunnyvale, CA 94089

   Domain Name: AR.COM

   Administrative Contact:
      Wesson, Rick  (RW56)  wessorh@AR.COM
      (408) 749-1175
   Technical Contact, Zone Contact:
      InterNex Information Services  (INEX-NOC)  noc@internex.net
      408-496-5466 voice 408-496-5485 fax

   Record last updated on 25-Jul-95.
   Record created on 11-Feb-94.

   Domain servers in listed order:

idb.ar.com doesn't respond to pings, telnet idb.ar.com 80 fails, so it looks like the system is dead.

A better question - is there really a subject for firewalls? I don't think so.
> Karen Goertzel
> goertzek@wangfed.com

--
Jeff Sedayao
Intel Corporation
sedayao@argus.intel.com

From firewalls-owner Wed Nov 1 20:53:01 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id UAA28484 for firewalls-outgoing; Wed, 1 Nov 1995 20:35:34 -0800 (PST)
Received: from london.micrognosis.com (midas.london.micrognosis.com [193.114.123.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id UAA28470 for ; Wed, 1 Nov 1995 20:35:28 -0800 (PST)
Received: by london.micrognosis.com (4.1/NAR-Gateway) id AA10197; Thu, 2 Nov 95 04:35:27 GMT
Received: from zeus.london.micrognosis.com(192.83.165.17) by midas via smap (V1.0mjr) id sma010194; Thu Nov 2 04:34:49 1995
Received: by zeus.london.micrognosis.com (4.1/SMI-4.1) id AA08312; Thu, 2 Nov 95 04:34:45 GMT
From: nreadwin@london.micrognosis.com (Neil Readwin)
Message-Id: <9511020434.AA08312@zeus.london.micrognosis.com>
Subject: Re: Tightening up SunOS 5.4 (was Re: Hardened OS)
To: smith@sctc.com (Rick Smith)
Date: Thu, 2 Nov 1995 04:34:45 +0000 (GMT)
Cc: firewalls@greatcircle.com
In-Reply-To: <199511012337.RAA19827@shade.sctc.com> from "Rick Smith" at Nov 1, 95 05:37:30 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Rick Smith writes:
> Of course, RTM didn't use a C compiler to exploit the old fingerd
> buffer overrun vulnerability, just the fact that fingerd was running
> as root on most systems.

Ahem ... RTM did use a C compiler (to compile the grappling hook that
pulled over the rest of the worm) and it didn't require root (since the
worm made no efforts to exploit the fact that it was privileged and if
fingerd had been running as another user the worm would still have worked).

That said, I agree that if your firewall platform is a typical "Almost C2"
Unix then there is no point in stripping it down - if the bad guys can get
a login or just execute a shell script then you are toast. Neil.
--
nreadwin@micrognosis.co.uk        Phone: +1 908 855 1221 x519
Anything is a cause for sorrow that my mind or body has made

From firewalls-owner Wed Nov 1 21:06:51 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id TAA25942 for firewalls-outgoing; Wed, 1 Nov 1995 19:52:24 -0800 (PST)
Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id TAA25927 for ; Wed, 1 Nov 1995 19:52:14 -0800 (PST)
Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.6.10/8.6.10) id NAA07276; Thu, 2 Nov 1995 13:47:09 +1000
Received: from citecub.citec.qld.gov.au(131.242.4.98) by citecuh.citec.qld.gov.au via smap (V1.3) id /mail/incoming/sma007269; Thu Nov 2 13:46:47 1995
Received: by citecub.citec.qld.gov.au (5.0/SMI-SVR4) id AA23456; Thu, 2 Nov 1995 13:49:33 +1000
From: sgcccdc@citec.qld.gov.au (Colin Campbell)
Message-Id: <9511020349.AA23456@citecub.citec.qld.gov.au>
Subject: Re: PC vs Workstation Firewall
To: Mike.Jones@aule-tek.com (Mike Jonesa)
Date: Thu, 2 Nov 95 13:49:31 EST
Cc: firewalls@greatcircle.com
In-Reply-To: <9511011737.AA05343@samadams.aule-tek.com>; from "Mike Jonesa" at Nov 1, 95 12:37 pm
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My mailer thinks Mike Jonesa said:
> [chomp]
>
> Actually, I think there's another issue to consider. If you get, for
> example, a firewall that runs on a Sun, you can purchase maintenance
> for it. That means that if you lose a disk at 2am in a snowstorm in the
> middle of January, the *Sun* guy gets to come out and replace the disk
> within 4 hours. Sure beats playing with PC hardware for my dollar. The
> same is true of HP, SGI, IBM, etc., of course.
>

Actually, the amount you pay in maintenance could probably be put into
buying spares for everything. This would alleviate the Sun Engineer from
having to come out - only you would need to go out.
After all you were there to let him into the building and onto the bastion,
weren't you? :-)

Colin

From firewalls-owner Wed Nov 1 21:23:14 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id VAA00551 for firewalls-outgoing; Wed, 1 Nov 1995 21:09:28 -0800 (PST)
Received: from sunthing.sjsinc.com (sunthing.sjsinc.com [140.174.165.1]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id VAA00543 for ; Wed, 1 Nov 1995 21:09:23 -0800 (PST)
Received: by sunthing.sjsinc.com Mailer: sendmail (8.6.12/8.6.9) Protocol: Id: VAA17081; Wed, 1 Nov 1995 21:06:35 -0800
Date: Wed, 1 Nov 1995 21:06:35 -0800
From: sjs@sunthing.sjsinc.com (Stefan Jon Silverman)
Message-Id: <199511020506.VAA17081@sjsinc.com>
To: goertzek@wangfed.com
Subject: Re: idb.ar.com...the mystery continues
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Karen:
>
> For those that are wondering, several listers have tried the same URL I did,
> with the following variety of results:
>
>
> User #1: "I get a 'server not responding' when I try this."
>
> User #2: "I tried accessing http://idb.ar.com and got 'Remote server down or
> not responding.'"
>
> User #3: "When I tried it, I too did not get connected, but the error message
> was 'server timed out'."
>
> I'm going to continue trying to sort this out, but if there is anyone who can
> enlighten us on who ibd.ar.com is, and how one might contact them, I'd really
> appreciate it.
>

My suspicion is that all three error messages above are in fact the same
message, just different text based on OS and application.
I hate sending people traceroutes, but, the one below shows that all
connectivity to the desired host is blocking at some intermediate point; to
wit:

(ttyp2@sunthing) sjs> traceroute ibd.ar.com
traceroute to ibd.ar.com (199.2.25.111), 30 hops max, 40 byte packets
 1  tlgrouter.tlg.org (140.174.122.3)  176 ms  163 ms  175 ms
 2  gw2-sf-tlg.tlg.net (140.174.122.17)  173 ms  165 ms  175 ms
 3  border-sf-tlg.tlg.net (140.174.125.5)  176 ms  167 ms  170 ms
 4  border1-serial3-0.SanFrancisco.mci.net (204.70.32.45)  266 ms  170 ms  206 ms
 5  core-fddi-0.SanFrancisco.mci.net (204.70.2.161)  191 ms  167 ms  188 ms
 6  borderx2-fddi0-0.SanFrancisco.mci.net (204.70.3.164)  158 ms  160 ms  175 ms
 7  fix-west-nap.SanFrancisco.mci.net (204.70.158.118)  176 ms  162 ms  173 ms
 8  * 198.32.136.38 (198.32.136.38)  183 ms  167 ms
 9  205.158.0.5 (205.158.0.5)  172 ms  168 ms  176 ms
10  * * *

Both of their ISP's nameservers at internex.net seem to be alive and can
resolve on a zone transfer. I can't get to their internal nameserver, but
this might be connectivity or it might be security.

I think that either their connection to their ISP is down or they have a
piece of dead equipment in the path.

Hope this helps...

Regards,

b c++'ing u, %-)

sjs

PS: I am my own employer, therefore: "all opinions are twice spoken for;"
and they do, in fact, scare the hell out of said employer!!!

-------------------------------------------------------------------------------
Stefan Jon Silverman - President                   SJS Associates, N.A., Inc.
572 Chestnut Street           Distributed Systems Architecture & Implementation
San Francisco, Ca. 94133
Phone: 415 989 2741           Fax: 415 989 7250
E-mail: sjs@sjsinc.com        Cell: 415 519 3494
-------------------------------------------------------------------------------
Weebles wobble, but they don't fall down!!!
-------------------------------------------------------------------------------

From firewalls-owner Wed Nov 1 21:52:50 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id VAA01416 for firewalls-outgoing; Wed, 1 Nov 1995 21:31:35 -0800 (PST)
Received: from yarrina.connect.com.au (yarrina.connect.com.au [192.189.54.17]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id VAA01401 for ; Wed, 1 Nov 1995 21:31:26 -0800 (PST)
Received: from suburbia.net (suburbia.apana.org.au [192.188.107.90]) by yarrina.connect.com.au with ESMTP id QAA19539 (8.6.12/IDA-1.6); Thu, 2 Nov 1995 16:30:25 +1100
Received: (proff@localhost) by suburbia.net (8.6.12/Proff-950810) id QAA20256; Thu, 2 Nov 1995 16:21:57 +1100
From: Julian Assange
Message-Id: <199511020521.QAA20256@suburbia.net>
Subject: Re: Tightening up SunOS 5.4 (was Re: Hardened OS)
To: mark@lochard.com.au (Mark)
Date: Thu, 2 Nov 1995 16:21:50 +1100 (EST)
In-Reply-To: <199511020252.AA20822@junkers.lochard.com.au> from "Mark" at Nov 2, 95 12:52:53 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> If anyone got on a firewall setup like this it is simple to compile a binary
> offsite to suit the architecture, static if necessary, and import it, run it
> and then have that binary act as a personal ftp/shell/port login process.
>
> Have a nice day
> Mark
> mark@lochard.com.au

I modified our kernel to do trust circles (mainly mods to exec.c) quite some
time ago. To put it simply, only non group and world writable binaries owned
by "trusted" users (root, etc) in trusted user owned directories can be
executed. This goes for #! expansion as well. If however a user is in the
"exec" group then they can execute their own binaries. Bypassing this system
requires the privileges of the trusted user or root.
Using a flaw to create, or finding a group or world writeable file owned by a
trusted user and placing your code into it will not work, unless you can
turn off the group/world write permission afterwards. Attempted trust
violations are klogged. Every time the latest IFS (etc) style "execute my
code now", kernel call bug or race condition is found, I amuse myself by
watching the frustration of people trying to exploit it.

The reason the directory in which the trusted binary lays must also be
trusted is that one can do things like:

        $ cd /tmp
        $ ln /sbin/reboot usr
        $ export IFS=/
        $ neil+karl_food -y

--
+----------------------------------+-----------------------------------------+
|Julian Assange                    | "if you think the United States has     |
|FAX: +61-3-9819-9066              | has stood still, who built the largest  |
|EMAIL: proff@suburbia.net         | shopping centre in the world?" - Nixon  |
+----------------------------------+-----------------------------------------+

From firewalls-owner Wed Nov 1 22:23:20 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id VAA01256 for firewalls-outgoing; Wed, 1 Nov 1995 21:26:47 -0800 (PST)
Received: from delta.eecs.nwu.edu (delta.eecs.nwu.edu [129.105.5.103]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id VAA01249 for ; Wed, 1 Nov 1995 21:26:43 -0800 (PST)
Received: by delta.eecs.nwu.edu (8.6.12/8.6.12) id XAA07034; Wed, 1 Nov 1995 23:26:40 -0600
Date: Wed, 1 Nov 1995 23:26:40 -0600
From: Robert Bonomi
Message-Id: <199511020526.XAA07034@delta.eecs.nwu.edu>
To: cmcurtin@gatekeeper.cb.att.com, mark@lochard.com.au
Subject: Re: Tightening up SunOS 5.4 (was Re: Hardened OS)
Cc: Eric_Sheppard.BCI@bbs.bellsouth.com, firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

+ From: Mark
+ Subject: Re: Tightening up SunOS 5.4 (was Re: Hardened OS)
+ Status: R
+ >Since you've already blown away everything that isn't directly needed
+ >by your system or the applications you run to support
+ >necessary services,
+ >things like tar, ar, cc, cpio, etc. are gone. If someone does break in,
+ >make it impossible for them to bring in archives and build binaries. Do
+ >you really need to have an ftp command on the system? I even removed vi :-)
+
+ Unfortunately this won't work. Unless you remove shells as well from the
+ machine people can still import binaries.

To quote from Porgy & Bess... "It ain't necessarily so"

+ I had a friend once in a chroot'd
+ guest environment with reasonably low quotas and they still managed to import
+ a binary and "talk" to the sendmail daemon on the machine. It was a cute
+ trick and more of a proof of concept but it was enough to show me you can't
+ really stop someone on a standard unix model.

All it takes to prevent this is a) proper filesystem layout (executables and
'valuable' config data being *absolutely* segregated from 'user-writable'
files), and b) the right features in the O/S (e.g. a 'noexec' and/or 'nosuid'
option for mount(1)).

+ If anyone got on a firewall setup like this it is simple to compile a binary
+ offsite to suit the architecture, static if necessary, and import it, run it
+ and then have that binary act as a personal ftp/shell/port login process.

You can't do it on -my- firewall machine. Any writable media is mounted with
specialty options, as discussed above: 'nodev' -- won't honor device special
files on that filesystem; 'noexec' -- _can't_ run an executable from that
filesystem, and 'nosuid' -- won't honor 'set uid' bit on any file on that
filesystem. To plug the final possibility, the 'mount' command disappears
early on, when the system is coming up -- this prevents *anybody* from doing
an 'update' mount, to change the filesystem permissions. All executables and
configuration files (*including* /etc/passwd, even :) live on media that is
_hardware_ write-protected.

I can't prove there *aren't* any holes in my set-up, naturally.
:) I *do* know that what anybody _can_ do, after they get in, is _very_
limited, and that a simple press of the 'reset' button will put them right
back to square one. This is comforting.

From firewalls-owner Wed Nov 1 22:26:03 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id UAA28330 for firewalls-outgoing; Wed, 1 Nov 1995 20:32:59 -0800 (PST)
Received: from gatekeeper.glaxo.com (gatekeeper.glaxo.com [192.58.204.201]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id UAA28323 for ; Wed, 1 Nov 1995 20:32:56 -0800 (PST)
Received: by gatekeeper.glaxo.com (5.65/fma-120691); id AA25777; Wed, 1 Nov 95 23:30:23 -0500
Received: from ussun2f.glaxo.com by ussun1d.glaxo.com (5.x/SMI-SVR4) id AA21760; Wed, 1 Nov 1995 23:31:11 -0500
Received: by ussun2f.glaxo.com (5.x/SMI-SVR4) id AA01934; Wed, 1 Nov 1995 23:35:52 -0500
Reply-To: ggh14854@ussun2f.glaxo.com (Gary Hull)
Date: Wed, 1 Nov 1995 23:35:51 -0500 (EST)
From: Gary Hull
To: K Goertzel
Cc: Firewalls@GreatCircle.COM
Subject: Re: idb.ar.com...the mystery continues
In-Reply-To: <9511012057.AA09510@hfsi>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 1 Nov 1995, K Goertzel wrote:

> For those that are wondering, several listers have tried the same URL I did,
> with the following variety of results:
>
>
> User #1: "I get a 'server not responding' when I try this."
>
> User #2: "I tried accessing http://idb.ar.com and got 'Remote server down or
> not responding.'"
>
> User #3: "When I tried it, I too did not get connected, but the error message
> was 'server timed out'."
>
> I'm going to continue trying to sort this out, but if there is anyone who can
> enlighten us on who ibd.ar.com is, and how one might contact them, I'd really
> appreciate it.
>
> Karen Goertzel
> goertzek@wangfed.com
>
>

Folks -

Regarding ibd.ar.com, the following is what I can glean from nslookup and
dig:

From dig:

ar.com.                 86400   NS      nic2.internex.net.
;; ADDITIONAL RECORDS:
nic1.internex.net.      86400   A       199.2.14.10
nic2.internex.net.      86400   A       129.65.240.240

nslookup says:

> whois ar.com
Name:    ar.com
Address:  199.2.25.111

and

> whois ibd.ar.com
Non-authoritative answer:
Name:    ibd.ar.com
Address:  199.2.25.111

|/
---o0o-@@-o0o---------
Gary G. Hull - Technical Consultant
Howard Systems International - Glaxo Wellcome Inc.
Five Moore Drive - Raleigh, North Carolina 27709
Tel : (919) 941-4867 - Fax : (919) 248-2831
email: ggh14854@ussun2f.glaxo.com

From firewalls-owner Wed Nov 1 22:57:45 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id UAA29642 for firewalls-outgoing; Wed, 1 Nov 1995 20:55:52 -0800 (PST)
Received: from lehman.Lehman.COM (Lehman.COM [192.147.66.1]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id UAA29627 for ; Wed, 1 Nov 1995 20:55:44 -0800 (PST)
From: carson@lehman.com
Received: (from smap@localhost) by lehman.Lehman.COM (8.6.12/8.6.12) id XAA16592; Wed, 1 Nov 1995 23:55:37 -0500
Received: from relay.mail.lehman.com(192.9.140.112) by lehman via smap (V1.3) id tmp016585; Wed Nov 1 23:55:05 1995
Received: from kublai.lehman.com by relay.lehman.com (4.1/LB-0.6) id AA24709; Wed, 1 Nov 95 23:54:59 EST
Received: from dragon.lehman.com by kublai.lehman.com (4.1/Lehman Bros. V1.6) id AA03685; Wed, 1 Nov 95 23:54:57 EST
Received: by dragon.lehman.com (5.0/Lehman Bros.
 V1.5) id AA28920; Wed, 1 Nov 1995 23:54:56 -0500
Date: Wed, 1 Nov 1995 23:54:56 -0500
Message-Id: <9511020454.AA28920@dragon.lehman.com>
To: Mark
Cc: cmcurtin@gatekeeper.cb.att.com (C Matthew Curtin), Eric_Sheppard.BCI@bbs.bellsouth.com, firewalls@GreatCircle.COM
Subject: Re: Tightening up SunOS 5.4 (was Re: Hardened OS)
In-Reply-To: <199511020252.AA20822@junkers.lochard.com.au>
References: <9510312244.ZM5480@gatekeeper> <199511020252.AA20822@junkers.lochard.com.au>
Reply-To: carson@lehman.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>>>> "Mark" == Mark writes:

Mark> Unfortunately this won't work. Unless you remove shells as well from
Mark> the machine people can still import binaries. I had a friend once in a
Mark> chroot'd guest environment with reasonably low quotas and they still
Mark> managed to import a binary and "talk" to the sendmail daemon on the
Mark> machine. It was a cute trick and more of a proof of concept but it was
Mark> enough to show me you can't really stop someone on a standard unix
Mark> model.

Mark> If anyone got on a firewall setup like this it is simple to compile a
Mark> binary offsite to suit the architecture, static if necessary, and
Mark> import it, run it and then have that binary act as a personal
Mark> ftp/shell/port login process.

One of my ex-employers got around that by setting the global umask to 133.
If you don't give them any way to change the umask or the mode of the file,
it's very difficult to execute an unknown binary.
--
Carson Gaspar -- carson@cs.columbia.edu carson@lehman.com
http://www.cs.columbia.edu/~carson/home.html

From firewalls-owner Wed Nov 1 23:02:35 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id UAA27865 for firewalls-outgoing; Wed, 1 Nov 1995 20:26:18 -0800 (PST)
Received: from access1.digex.net (access1.digex.net [205.197.245.192]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id UAA27849 for ; Wed, 1 Nov 1995 20:26:13 -0800 (PST)
From: sharborth@hai-net.com
Received: from houston_cc_smtp.hai-net.com (houston_cc_smtp.hai-net.com [204.91.94.67]) by access1.digex.net (8.6.12/8.6.12) with SMTP id XAA04147 ; for ; Wed, 1 Nov 1995 23:26:15 -0500
Received: from cc:Mail by houston_cc_smtp.hai-net.com id AA815297259; Wed, 01 Nov 95 23:20:20 EST
Date: Wed, 01 Nov 95 23:20:20 EST
Message-Id: <9510018152.AA815297259@houston_cc_smtp.hai-net.com>
To: Firewalls@GreatCircle.COM, "K Goertzel"
Subject: Re: idb.ar.com...the mystery continues
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Seems to me perhaps you should try a whois or DNS look-up if you haven't
already.

______________________________ Reply Separator _________________________________
Subject: idb.ar.com...the mystery continues
Author:  "K Goertzel" at internet
Date:    01-11-95 15:57

For those that are wondering, several listers have tried the same URL I did,
with the following variety of results:

User #1: "I get a 'server not responding' when I try this."

User #2: "I tried accessing http://idb.ar.com and got 'Remote server down or
not responding.'"

User #3: "When I tried it, I too did not get connected, but the error message
was 'server timed out'."

I'm going to continue trying to sort this out, but if there is anyone who can
enlighten us on who ibd.ar.com is, and how one might contact them, I'd really
appreciate it.
Karen Goertzel
goertzek@wangfed.com

From firewalls-owner Wed Nov 1 23:23:40 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id WAA03590 for firewalls-outgoing; Wed, 1 Nov 1995 22:52:57 -0800 (PST)
Received: from hermes.intel.com (hermes.intel.com [143.183.152.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id WAA03582 for ; Wed, 1 Nov 1995 22:52:54 -0800 (PST)
Received: from argus.intel.com by hermes.intel.com (5.65/10.0i); Wed, 1 Nov 95 22:52:56 -0800
Received: by argus.intel.com (5.65/10.0i); Wed, 1 Nov 95 22:52:54 -0800
From: sedayao@argus.intel.com (Jeffrey C. Sedayao)
Message-Id: <9511020652.AA24440@argus.intel.com>
Subject: Re: Man in the Middle Attacks (Over rated?)
To: maillet@doc.cs.usm.maine.edu (Edward Maillet)
Date: Wed, 1 Nov 95 22:52:54 PST
Cc: firewalls@greatcircle.com
In-Reply-To: <9511020138.AA25452@doc.cs.usm.maine.edu> from "Edward Maillet" at Nov 1, 95 08:38:07 pm
X-Mailer: ELM [version 2.4dev PL66]
Mime-Version: 1.0
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Hey All,
> Wouldn't it be more accurate to say that Man in the Middle attacks are really
> Man at the End attacks?

No.

> I've been reading the IP-Watch Web Page about hijacking TCP connections and
> active packet sniffing. The "threat to the whole Internet" seems a bit
> exaggerated for the average Joe.

I would disagree.

> (http://www.EnGarde.com/software/ipwatcher)
> TCP connections flying over Internet today from say A.com to B.com aren't
> likely to be crossing over a network controlled by evil.com. What is the
> REAL potential of someone being able to nail a A.com to B.com connection
> without being inside A.com or B.com? Most companies connect to the 'net
> using a commercial Internet provider. Let's say MCI. I know for a fact MCI
> routes data internally along its DS3 back bone as much as it can so if
> you and I both use MCI we never leave MCI land.
> What is the real potential
> of someone tapping, hacking or sniffing one of MCI's links? Sure the
> possibility exists but so does the possibility I put a bomb in your car
> while you were reading this.

There can definitely be risk. First, not every person or company connects to
the Internet with a dedicated line. Many people and companies dial up into a
terminal server or some other kind of remote access device. Put a network
sniffer on the terminal server segment and the man in the middle scenario is
definitely there. I believe that this situation happened to BARRnet (please
correct me if I am wrong). There are also situations where an organization's
mail connectivity to the Internet is via UUCP. Penetrate the UUCP/Internet
gateway host, and then you have a man in the middle scenario again. Also, an
Internet Provider may have a network monitor host on the backbone segment of
their POP. A packet sniffer there could see a lot of things.

Second, how can you always trust the phone company carrying the traffic?
There are some governments with monopoly PTTs that are known to spy on
foreign commercial organizations in order to gain advantage for their
domestic companies.

Third, sometimes what looks like a.com or b.com really isn't. This scenario
happens when an organization is not diligent about deleting accounts of
people that leave. I have seen situations where someone thought that they
were sending mail only to internal people, but the mail message went out on
the Internet because someone left a .forward in an account that should have
been deleted. I remember someone sending a note about highly confidential
and proprietary technology to an internal mailing list, and then getting a
message from someone at a University saying, "That's cool. Can you send me
more info?"

> The real potential threat seems to be from the inside of B.com or A.com where
> direct access to the network is MUCH more easy to obtain.
> Or even worse is
> evil.com directly attacking A.com or B.com like the Tsutomu Shimomura attack
> last year.
> Is the real potential threat the Man at the End rather than the Man that
> maybe in the Middle? Particularly my end.

I would say that both Middle and End are real threats.

> My company seems to not view it this way so internal security is much
> looser than our outbound connections.

As secure network perimeters in organizations become more and more porous,
this will have to change. I believe that we will see a future with multiple
perimeters and firewalls within a single organization.

> As a side thought, anyone got any numbers of how many hacks come from inside
> versus outside?

It's probably pretty substantial. Inside hacks definitely do happen.

> Flame Away!
> ----- Ed Maillet
> maillet@cs.usm.maine.edu

--
Jeff Sedayao
Intel Corporation
sedayao@argus.intel.com

From firewalls-owner Thu Nov 2 02:23:21 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id CAA10498 for firewalls-outgoing; Thu, 2 Nov 1995 02:15:02 -0800 (PST)
Received: from basic.net (basic.net [205.242.92.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id CAA10491 for ; Thu, 2 Nov 1995 02:14:51 -0800 (PST)
Received: by basic.net (SMI-8.6/BN-1.20) id EAA08661; Thu, 2 Nov 1995 04:12:02 -0600
Date: Thu, 2 Nov 1995 04:12:02 -0600 (CST)
From: Jim McBride
To: Edward Maillet
cc: firewalls@GreatCircle.COM
Subject: Re: Spoofing ISDN
In-Reply-To: <9511020049.AA25854@doc.cs.usm.maine.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 1 Nov 1995, Edward Maillet wrote:

> Hey All,
> Some folks at work want to setup an ISDN dial-in connection relying
> solely on the inbound caller ID as the security measure. Is it possible
> to spoof the D channel to send fake info? I'm fairly certain there is
> a way to do it.
> Can anyone point me to some references so I can make a
> decent technical argument against this?
> Thanx.
>
> ----- Ed Maillet
> maillet@cs.usm.maine.edu
>
>

Well since neither the caller id info nor the CLID are generated by any on
premise equipment -- the only thing you would have to worry about is someone
playing switch pranks...and even then I don't think you could ''spoof'' a
circuit since a bri's cid is its ''phone number'' which is the broadcast
ascii string. And I don't believe the switch will pass clid packets straight
through anyway, even if you did come up with some way to generate them on
premise.

So -- my answer would be no, not by any technical means that I can think of.

Jim McBride
jim@basic.net

From firewalls-owner Thu Nov 2 03:23:08 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id DAA12122 for firewalls-outgoing; Thu, 2 Nov 1995 03:18:21 -0800 (PST)
Received: from relay1.pipex.net (relay1.pipex.net [158.43.128.6]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id DAA12114 for ; Thu, 2 Nov 1995 03:18:15 -0800 (PST)
Received: from smtpgty.saicuk.co.uk by flow.pipex.net with SMTP (PP); Thu, 2 Nov 1995 11:16:42 +0000
Received: by smtpgty.saicuk.co.uk with Microsoft Mail id <3098A844@smtpgty.saicuk.co.uk>; Thu, 02 Nov 95 11:15:16 GMT
From: "Johnson-Bryden, Ian"
To: "'firewalls@greatcircle.com'"
Subject: Re: PC vs Workstation Firewall
Date: Thu, 02 Nov 95 11:14:00 GMT
Message-ID: <3098A844@smtpgty.saicuk.co.uk>
Encoding: 44 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

There is another issue. Intel/Intel clone based products come in all shapes
and sizes but mostly are designed for minimum buy price and maximum volume
sale. That means they tend to do a lot of 'value engineering' which for some
vendors means "if the customers won't notice how about taking this
functionality out and not telling them".
Even the best vendors aren't that good at advising of planned changes to
design. All of this can be a real problem for any secure or mission critical
system like a firewall and can cause a lot of grief for the PBC (poor bloody
customer).

Folk like Sun tend to be much better at telling folk about planned changes
and documenting what they have done. They aren't perfect but they are
usually better. Some Intel vendors would say that's just because they don't
shift much tin, but if they offer a better product/service, who cares what
the reason is. Anyway lower volume sales can be explained in many ways. It
can simply be that there are fewer wise buyers out there and lots of people
who don't know any better than to buy cheapest product.

Ian J-B
 ----------
From: firewalls-owner
To: Mike.Jones
Cc: firewalls
Subject: Re: PC vs Workstation Firewall
Date: Thursday, November 02, 1995 1:49PM

My mailer thinks Mike Jonesa said:
> [chomp]
>
> Actually, I think there's another issue to consider. If you get, for
> example, a firewall that runs on a Sun, you can purchase maintenance
> for it. That means that if you lose a disk at 2am in a snowstorm in the
> middle of January, the *Sun* guy gets to come out and replace the disk
> within 4 hours. Sure beats playing with PC hardware for my dollar. The
> same is true of HP, SGI, IBM, etc., of course.
>

Actually, the amount you pay in maintenance could probably be put into
buying spares for everything. This would alleviate the Sun Engineer from
having to come out - only you would need to go out.

After all you were there to let him into the building and onto the bastion,
weren't you?
:-)

Colin

From firewalls-owner Thu Nov 2 05:22:53 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id EAA15113 for firewalls-outgoing; Thu, 2 Nov 1995 04:54:09 -0800 (PST)
Received: from gauntlet-1.trusted.com (gauntlet-1.trusted.com [192.94.214.88]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id EAA15104 for ; Thu, 2 Nov 1995 04:54:06 -0800 (PST)
Received: by gauntlet-1.trusted.com; id HAA24658; Thu, 2 Nov 1995 07:56:09 -0500
Message-Id: <199511021256.HAA24658@gauntlet-1.trusted.com>
Received: from vanidor.tis.com(192.94.214.98) by gauntlet-1.trusted.com via smap (g3.0.3) id xmai24621; Thu, 2 Nov 95 07:55:59 -0500
X-Sender: avolio@gauntlet-1.trusted.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 02 Nov 1995 08:47:53 -0500
To: Dave Scott , firewalls@greatcircle.com
From: Frederick M Avolio
Subject: Re: Exporting a Gauntlet Firewall
Cc: dscott@eng.dowjones.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Questions like this really should just go to TIS, no? Yes, you can buy from
us here or a reseller. I bet we can work something out with one of our
German resellers to allow you to get the machine here and play with it and
ship it to Germany and get support from them. Should be easy. We'd sell you
the exportable version.

Fred

At 11:44 AM 11/1/95 EST, Dave Scott wrote:
>
>Hi all, I need to have a Gauntlet in Europe...
>
>I can buy it through a German reseller (for a lot
>more money) and get full maintenance & support, etc.
>
>Or I can buy it here, configure and test it here, etc.
>and ship it out to Europe - but I won't get the support.
>
>It would be good to buy it here in the U.S. so I can
>configure and test it in the lab - the support issue
>will be handled by management. I'd like to know if,
>other than having no encryption capabilities, are there
>any other gotchas I have to worry about for the PC version
>of the Gauntlet ?
>Anything involving DES for Unix passwords ?
>
>Thanks for any info,
>Dave Scott
>
>

From firewalls-owner Thu Nov 2 05:53:16 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id FAA15974 for firewalls-outgoing; Thu, 2 Nov 1995 05:49:40 -0800 (PST)
Received: from relay.puug.pt (relay.puug.pt [193.126.4.65]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id FAA15967 for ; Thu, 2 Nov 1995 05:49:35 -0800 (PST)
Received: from q950.bvl.pt by relay.puug.pt with UUCP id AA11023 (5.67a/IDA-1.5 for firewalls@GreatCircle.COM); Thu, 2 Nov 1995 14:49:06 +0100
Received: from q950 (q950.bvl.pt) by jessica.bvl.pt with SMTP id AA15031 (5.65c/IDA-1.4.4); Thu, 2 Nov 1995 14:40:45 GMT
Message-Id: <199511021440.AA15031@jessica.bvl.pt>
Date: 2 Nov 1995 14:37:48 +0000
From: "Antonio Vasconcelos"
Subject: RE: Spoofing ISDN
To: "Edward Maillet" , "Jim McBride"
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>And I don't believe the switch will pass clid packets straight through
>anyway, even if you did come up with some way to generate them on premise.
>
>So -- my answer would be no, not by any technical means that I can think of.

Short of taking over the phone switch, of course...

From firewalls-owner Thu Nov 2 06:24:07 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id FAA16178 for firewalls-outgoing; Thu, 2 Nov 1995 05:57:19 -0800 (PST)
Received: from hp01.vak12ed.edu (hp01.vak12ed.edu [141.104.150.251]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id FAA16171 for ; Thu, 2 Nov 1995 05:57:14 -0800 (PST)
Message-Id: <199511021357.FAA16171@miles.greatcircle.com>
Received: by hp01.vak12ed.edu (1.38.193.5/16.2) id AA11677; Thu, 2 Nov 1995 08:56:11 -0500
From: "W.C.
Epperson" Subject: Re: PC vs Workstation Firewall To: stockwel@sctc.com (Ted Stockwell) Date: Thu, 2 Nov 95 8:56:11 EST Cc: firewalls@greatcircle.com In-Reply-To: <199511020117.TAA06918@hector.sctc.com>; from "Ted Stockwell" at Nov 1, 95 7:17 pm Mailer: Elm [revision: 70.85.2.1] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ted Stockwell, stockwel@sctc.com, Sidewinder wrote: > You can get 7 x 24 support for PC hardware. Workstations do not > present an advantage here. PC's may have a cost advantage if you want > a hot-swap. > I believe that workstations on which the hardware and operating software are produced/controlled by the primary manufacturer tend to offer better integration of the components. Because of that better integration, the manufacturer typically can offer integrated hardware/software support. With an an integrated support contract, I can say "Hardware/software/smoftware: component isolation and integration not my problem. They're all [HP|IBM|DEC] components: fix it." Although this costs you some flexibility in the marketplace, the flexibility I've gotten from PC hardware running Unix-named-after-California-city has generally been used for bending over. Your mileage may vary. My opinions, but you can help yourself: I got plenty. -- W.C. Epperson "I have great faith in fools. Senior SE Self-confidence, my friends call it." Information Security Officer --Edgar Allan Poe-- DBA Emeritus Curmudgeon-for-Life Virginia Dept. of Education epperson@pen.k12.va.us From firewalls-owner Thu Nov 2 06:53:58 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id GAA16372 for firewalls-outgoing; Thu, 2 Nov 1995 06:03:00 -0800 (PST) Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id GAA16365 for ; Thu, 2 Nov 1995 06:02:56 -0800 (PST) Date: Thu, 2 Nov 1995 9:02:58 -0500 (EST) From: "A. Padgett Peterson, P.E. 
Information Security" To: firewalls@greatcircle.com Message-Id: <951102090258.20200396@hobbes.orl.mmc.com> Subject: Firewall discussion at PC Week Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >PC Week is hosting a Discussion on "Protecting the company LAN from Internet >intruders" at > Protecting the company LAN from Internet intruders And if you can make sense out of that address, you probably do not need any more help 8*). P.fla From firewalls-owner Thu Nov 2 07:26:31 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id GAA16801 for firewalls-outgoing; Thu, 2 Nov 1995 06:18:03 -0800 (PST) Received: from kgbvax.network.com (kgbvax.network.com [129.191.202.58]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id GAA16778 for ; Thu, 2 Nov 1995 06:17:57 -0800 (PST) Received: (from ted@localhost) by kgbvax.network.com (8.6.9/8.6.9) id IAA28060; Thu, 2 Nov 1995 08:14:41 -0500 Date: Thu, 2 Nov 1995 08:14:41 -0500 From: Ted Doty Message-Id: <199511021314.IAA28060@kgbvax.network.com> To: maillet@doc.cs.usm.maine.edu, firewalls@greatcircle.com Subject: Re: Man in the Middle Attacks (Over rated?) In-Reply-To: Mail from 'Edward Maillet ' dated: Wed, 1 Nov 1995 20:38:07 -0500 (EST) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Edward Maillet wrote: > > Wouldn't it be more accurate to say that Man in the Middle attacks are really > Man at the End attacks? [snip] > TCP connections flying over Internet today from say A.com to B.com aren't > likely to be crossing over a network controlled by evil.com. What is the > REAL potential of someone being able to nail a A.com to B.com connection > without being inside A.com or B.com? Most companies connect to the 'net > using a commercial Intner provider. Let's say MCI. I know for a fact MCI > routes data internally along its DS3 back bone as much as it can so if > you and I both use MCI we never leave MCI land. 
> What is the real potential
> of someone tapping, hacking or sniffing one of MCI's links? Sure the
> possibility exists but so does the possibility I put a bomb in your car
> while you were reading this.

There is a long history of folks penetrating the public switched phone network for either recreation or profit. The example that I think is funniest was when (on June 13, 1989) callers to the Palm Beach (Florida) Probation office found themselves connected to a phone sex number in New York. I'm sure that The Authorities at the telephone company do not share my amusement.

As you point out, so what? Well, there are two forces driving the phone companies towards a much more open architecture for data networks. The first is the realization that they are losing out on an enormous opportunity to sell data service (to PSI, UUnet, and company, but also to Wiltel and others). Much of this is because their service offerings are much less flexible than that of their competition's. There is a feeling at many of the phone companies that new technologies would allow customers to connect in and provision a higher quality (and more expensive) service, as needed, and this would be a major competitive edge that the phone companies could use to get in the game.

The second is the "Equal Access" laws. Basically these are a holdover from the days when The Powers That Be in Washington decreed that my mom and dad (in Orono, Maine) should get the same service as I get here in the Washington DC area, although it costs much less for a phone company to provide it to me. As it turns out, many of the technologies that would allow customers to provision their own service also help out here.

Never mind when the NSFnet routing nodes were subverted (January 1994?), and sniffer programs installed.

[snip]

> As a side thought, anyone got any numbers of how many hacks come from inside
> versus outside?

Haven't seen any numbers, but (as the police say) the insiders have the opportunity, motive, and means. They also know where the Good Stuff is. This is an extremely ugly topic, but there it is. I'd be *very* surprised if there were more than 25% external jobs, but that's a guess.

(and you thought that YOU were flame bait, Ed!)

-- 
- Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation   | phone: +1 301 596-2270
8965 Guilford Road, Suite 250           | fax:   +1 410 381-3320
Columbia, MD, 21046 USA                 | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to real opinions, living or dead, is purely coincidental.

From firewalls-owner Thu Nov 2 08:50:12 1995
Date: Thu, 02 Nov 1995 09:29:28 -0600
From: lpierce@intex.net (S. Lane Pierce)
To: firewalls@greatcircle.com
Subject: URL for netcat?
Message-Id: <199511021523.JAA09853@intex.intex.net>

Would a kind soul post the URL for netcat for me. I have lost that message. Thanks in advance.

S. Lane Pierce
lpierce@intex.net

From firewalls-owner Thu Nov 2 08:56:28 1995
Date: Thu, 2 Nov 95 10:12:19 -0500
From: "K Goertzel"
To: firewalls@GreatCircle.COM
Subject: Re: Exporting a Gauntlet Firewall
Message-Id: <9511021512.AA13335@hfsi>

In message <199511021256.HAA24658@gauntlet-1.trusted.com> Frederick M Avolio writes:

> Questions like this really should just go to TIS, no?
>
> Yes, you can buy from us here or a reseller.
>
> I bet we can work something out with one of our German resellers to allow
> you to get the machine here and play with it and ship it to Germany and get
> support from them. Should be easy.
>
> We'd sell you the exportable version.

I was under the impression that TIS now has an office in the UK. Would this not be a more logical place for Dave Scott to go, given the version sold by the UK would (presumably) already be "exportable", along with the lack of tariffs within the EC?

Karen Goertzel
Manager, International Programmes
Secure Systems and Services Operation
Wang Federal, Inc.
goertzek@wangfed.com

From firewalls-owner Thu Nov 2 08:58:01 1995
Date: Thu, 02 Nov 1995 11:41:14 -0500
From: "Stephen H. Goldstein"
To: sgcccdc@citec.qld.gov.au (Colin Campbell)
Cc: firewalls@greatcircle.com
Subject: Re: screened host/subnet fws
Message-Id: <9511021528.AA21560@cseic.saic.com>

At 11:49 AM 11/2/95 EST, Colin Campbell wrote:
> Then why did you show one with TWO interfaces? There are a lot of newbies
> on this list (who probably shouldn't be attempting building firewalls
> without a lot of study first) who on seeing "pictures" like this and
> then an explanation that seemingly contradicts it, will only be more
> confused.
>>
>> +--------+   +----------+    +---------+    +----------+    +---------+
>> | Inside |---| Filter 1 |----| Bastion |----| Filter 2 |----| Outside |
>> +--------+   +----------+    +---------+    +----------+    +---------+
>>
> [chomp]
>
> IMHO, what you should have drawn, was:
>
>
>   +--------+   +----------+     +----------+    +---------+
>   | Inside |---| Filter 1 |-----| Filter 2 |----| Outside |
>   +--------+   +----------+  |  +----------+    +---------+
>                              |
>                         +---------+
>                         | Bastion |
>                         +---------+

You're right, but I had a hard enough time as it was getting the dashes and plus signs to line up. :-)

To anyone who's confused by this, think of my picture as the "logical" flow of data, and Colin's as the physical, and I think it'll be clearer.
---
Stephen Goldstein    steveg@cseic.saic.com
My first computer: A 24K Atari 800, Rev. A ROMS, November 1980
Disclaimer: That's not what I said.

From firewalls-owner Thu Nov 2 09:43:10 1995
Date: Thu, 2 Nov 1995 09:27:45 -0600 (CST)
From: Sten Drescher
To: Edward Maillet
Cc: firewalls@GreatCircle.COM
Subject: Re: Man in the Middle Attacks (Over rated?)
Message-Id: <199511021527.JAA04881@galil.austnsc.tandem.com.>
In-reply-to: Edward Maillet's message of Wed, 1 Nov 1995 20:38:07 -0500 (EST)
References: <9511020138.AA25452@doc.cs.usm.maine.edu>

Edward Maillet said:

EM> Hey All, Wouldn't it be more accurate to say that Man in the Middle
EM> attacks are really Man at the End attacks?

EM> I've been reading the IP-Watch Web Page about hijacking TCP
EM> connections and active packet sniffing. The "threat to the whole
EM> Internet" seems a bit exaggerated for the average Joe.
EM> (http://www.EnGarde.com/software/ipwatcher) TCP connections flying
EM> over Internet today from say A.com to B.com aren't likely to be
EM> crossing over a network controlled by evil.com. What is the REAL
EM> potential of someone being able to nail a A.com to B.com connection
EM> without being inside A.com or B.com? Most companies connect to the
EM> 'net using a commercial Internet provider. Let's say MCI. I know for a
EM> fact MCI routes data internally along its DS3 backbone as much as
EM> it can so if you and I both use MCI we never leave MCI land. What is
EM> the real potential of someone tapping, hacking or sniffing one of
EM> MCI's links? Sure the possibility exists but so does the possibility
EM> I put a bomb in your car while you were reading this. The real
EM> potential threat seems to be from the inside of B.com or A.com where
EM> direct access to the network is MUCH more easy to obtain. Or even
EM> worse is evil.com directly attacking A.com or B.com like the Tsutomu
EM> Shimomura attack last year. Is the real potential threat the Man at
EM> the End rather than the Man that may be in the Middle? Particularly
EM> my end. My company seems to not view it this way so internal
EM> security is much looser than our outbound connections.

EM> As a side thought, anyone got any numbers of how many hacks come
EM> from inside versus outside?

I can't give any specific percentages, but, yes, more security problems occur from disgruntled/larcenous current and former employees than from outside sources, whether you are talking about computer cracks or bank losses. But unless every single one of your systems talks directly to MCIinternet, you are vulnerable to MitM attacks within your organization. Then you have MitM attacks within MCIinternet by their employees (note: I'm not saying that MCIinternet is hiring more dishonest employees than anyone else. I'm just saying that they're probably not hiring _less_ than anyone else, either). Then, unless every single one of the systems at the other organization is connected to MCIinternet, you have MitM attacks there.

The real danger with the internal MitM attacks is that they are probably more likely to go unnoticed for prolonged periods, because the perpetrator is 'supposed' to be there, just like a bank manager siphoning off a small fraction of deposits periodically is going to be more likely to go unnoticed than someone walking into the lobby with a ski mask and an Uzi. But that bank manager (if he's good enough of an accountant to cook the books well enough to get past auditors) is likely to be able to do much more damage.

Sten
-- 
#include                         /* Sten Drescher */
To get my PGP public key, send me email with your public key and
Subject: PGP key exchange
Key fingerprint = 90 5F 1D FD A6 7C 84 5E A9 D3 90 16 B2 44 C4 F3

From firewalls-owner Thu Nov 2 09:55:54 1995
Date: Thu, 2 Nov 1995 11:11:22 -0600 (CST)
From: Mike Neuman
Reply-To: mcn@EnGarde.com
To: maillet@doc.cs.usm.maine.edu, firewalls@greatcircle.com
Subject: Re: Man in the Middle Attacks (Over rated?)
Message-Id: <199511021711.LAA05223@guardian.EnGarde.com>

In article <9511020138.AA25452@doc.cs.usm.maine.edu> you write:
> I've been reading the IP-Watch Web Page about hijacking TCP connections and
> active packet sniffing. The "threat to the whole Internet" seems a bit
> exaggerated for the average Joe.
> (http://www.EnGarde.com/software/ipwatcher)

I don't think the statement is exaggerated (of course, I wrote it) :-)

I won't repeat the statements of some of the other people who have replied to your message, but I will make one other point. I find it fascinating how many people are trying to discount the threat as being irrelevant. Myself (with IP-Watcher, sequence number prediction, and other tools), Laurent Joncheray (with his hijacking tool), Steve Bellovin (with his description of the sequence number attack more than 6 years ago), Jim Alves-Foss (with SNIF), and the people at Berkeley with the Netscape hack have all shown the following INESCAPABLE FACTS:

1) IP can be monitored
2) TCP connections can be hijacked (REGARDLESS of where the attacker is)
3) UDP pseudo-connections can have data inserted midstream.
4) IP Source addresses are meaningless

This means:

1) You can't trust the source of any packet, regardless of whether it's in the middle of a connection.
2) You can't trust that a packet sent by you will arrive at the destination.
3) You can't trust that your traffic won't be seen by a third party.

Any solution other than full encryption, or at least packet-level authentication (i.e. IPv6), is merely delaying the inevitable.

-Mike
mcn@EnGarde.com
http://www.engarde.com

From firewalls-owner Thu Nov 2 10:23:32 1995
Date: Thu, 2 Nov 1995 08:52:26 -0800
From: sjs@sunthing.sjsinc.com (Stefan Jon Silverman)
To: colt@isavax.isa.com
Cc: firewalls@greatcircle.com
Subject: Re: idb.ar.com...the mystery continues
Message-Id: <199511021652.IAA18898@sjsinc.com>

George:

> > >From the keyboard of Stefan Jon Silverman:

Should have further read:

>>>From the keyboard of goertzek@wangfed.com

If you had followed the brackets, you would have discovered that I was trying to answer her post... In the future can you be a little more careful about attribution of quoted material before you post to the list. I don't mind being challenged on incorrect information, or even flamed for stupidity, but misquoted and made to appear a simpleton for not knowing about basic network utilities...ahem...this I take objection to...

You also, in your snipping of text, might in the future leave some of the original text from each progressive indent so that other readers can figure out the authorship chain...

> > > I'm going to continue trying to sort this out, but if there is anyone who can
> > > enlighten us on who ibd.ar.com is, and how one might contact them, I'd really
> > > appreciate it.
>
> Whois is a wonderful service... :-)
>

I know, how do you think I found out who the offending site's nameservers are so that I could investigate their pointers to that site.
Regards,

b c++'ing u, %-)

sjs

PS: I am my own employer, therefore: "all opinions are twice spoken for;" and they do, in fact, scare the hell out of said employer!!!

-------------------------------------------------------------------------------
Stefan Jon Silverman - President
SJS Associates, N.A., Inc.
572 Chestnut Street
Distributed Systems Architecture & Implementation
San Francisco, Ca. 94133
Phone: 415 989 2741   Fax: 415 989 7250
E-mail: sjs@sjsinc.com   Cell: 415 519 3494
-------------------------------------------------------------------------------
Weebles wobble, but they don't fall down!!!
-------------------------------------------------------------------------------

From firewalls-owner Thu Nov 2 10:47:40 1995
Date: Thu, 2 Nov 1995 17:43:35 +0000 (GMT)
From: Dave Roberts
To: Firewalls Mailing List
Subject: Proxy FTP - Client issues

I'm wondering what kind of changes are required to FTP clients to allow them to use a proxy on a bastion. Brent and Elizabeth's book states that it can sometimes be overcome by the user being trained and responding to the login prompt with something like "anonymous@ftp.domain.co.uk". TIS's fwtk ftp seems to be compiled with various options, open up a connection to the bastion, and offer it the command "PASSERVE actual.host.com".

I appreciate that this is limited research but this suggests a lack of standard between different proxy servers. Is this actually true?

What if I wanted to write a new FTP client (perhaps I'm really bored with lots of time)? Obviously I want to be firewall conscious and friendly, but would I be able to provide a client that would work with all servers, or would I have to start providing command line options (ftp -p [fwtk | borderware | nt :-)] ) to cope with it all?

TIA - Dave

From firewalls-owner Thu Nov 2 11:41:33 1995
Date: 2 Nov 1995 17:52:18 GMT
From: jsanchez@gmv.es (Julio Sanchez)
Organization: GMV, SA., Tres Cantos, Spain
Subject: Re: International Encryption Protocols
Message-Id: <47b0gi$6g4@melmac.gmv.es>
References: <199510112230.SAA16369@thor.cs.umass.edu>

Futplex (futplex@pseudonym.com) wrote:
: As far as CoCom was concerned, you could generally sell crypto from Britain
: to most of the net. This is a far cry from the position of the U.S. ITAR,
: which prohibits the export of strong confidentiality-protecting crypto to the
: U.K., for example.
:
: Most of the other CoCom signatories do _not_ enforce export controls similar
: to the U.S. ones.

We had our lawyers look into this. Essentially we could export to most places without even asking first. For some countries, things were more difficult. I don't have their report at hand.

Julio
-- 
Julio Sanchez, SGI Soluciones Globales Internet    Tel/Fax: 91/804 14 05
WWW: http://www.esegi.es   jsanchez@esegi.es   jsanchez@gmv.es
PGP Key fingerprint = E5 29 93 6F 41 4E 00 E2 90 11 A1 8C 72 D0 DE 71

From firewalls-owner Thu Nov 2 11:51:44 1995
Date: Thu, 2 Nov 1995 10:33:21 -0800 (PST)
From: Bob Lanning
To: ggh14854@ussun2f.glaxo.com
Cc: goertzek@wangfed.com, Firewalls@GreatCircle.COM
Subject: Re: idb.ar.com...the mystery continues
Message-Id: <199511021833.KAA17111@tidbit.fhda.edu.>
In-Reply-To: from "Gary Hull" at Nov 1, 95 11:35:51 pm

---- As written by Gary Hull:
>
> On Wed, 1 Nov 1995, K Goertzel wrote:
>
> > For those that are wondering, several listers have tried the same URL I did,
> > with the following variety of results:
> >
> >
> > User #1: "I get a 'server not responding' when I try this."
[SNIP]
> > Karen Goertzel
> > goertzek@wangfed.com
>
> Folks - Regarding ibd.ar.com, the following is what I can glean from
> nslookup and dig:
> ar.com.   86400   NS   nic2.internex.net.
> [SNIP]
>
>            |/
>   ---o0o-@@-o0o---------
>
> Gary G. Hull - Technical Consultant
> Howard Systems International - Glaxo Wellcome Inc.
> Five Moore Drive - Raleigh, North Carolina 27709
> Tel : (919) 941-4867 - Fax : (919) 248-2831
> email: ggh14854@ussun2f.glaxo.com
>

Some info about ar.com:

% whois ar.com
[rs.internic.net]
Rick Wesson (AR3-DOM)
   1278 Sandia Dr.
   Sunnyvale, CA 94089

   Domain Name: AR.COM

   Administrative Contact:
      Wesson, Rick  (RW56)  wessorh@AR.COM
      (408) 749-1175
   Technical Contact, Zone Contact:
      InterNex Information Services  (INEX-NOC)  noc@internex.net
      408-496-5466 voice
      408-496-5485 fax

   Record last updated on 25-Jul-95.
   Record created on 11-Feb-94.

   Domain servers in listed order:

   NIC1.INTERNEX.NET            199.2.14.10
   NIC2.INTERNEX.NET            129.65.240.240

The InterNIC Registration Services Host contains ONLY Internet Information
(Networks, ASN's, Domains, and POC's).
Please use the whois server at nic.ddn.mil for MILNET Information.

-- 
Robert Hajime Lanning                              "It's the FROSTING!"
The opinions expressed here are not mine, nor are they anyone else's.
lanning@tidbit.fhda.edu  <--for fun && for profit-->  lanning@cup.hp.com

From firewalls-owner Thu Nov 2 11:54:54 1995
Date: Thu, 2 Nov 95 13:13:16 -0500
From: "K Goertzel"
To: firewalls@GreatCircle.COM
Subject: It's working now
Message-Id: <9511021813.AA14242@hfsi>

Just a note to everyone, the ibd.ar.com/lists/comp/firewalls/ URL is working now. Surprise, surprise -- it seems to be the archive for *this* mailing list.

Now my only complaint is that the list of links is so long, my Netscape keeps running out of memory before it can list them all.

Karen Goertzel
Manager, International Programmes
Secure Systems and Services Operation
Wang Federal, Inc.
From firewalls-owner Thu Nov 2 12:40:03 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id KAA23898 for firewalls-outgoing; Thu, 2 Nov 1995 10:59:32 -0800 (PST) Received: from neon.ingenia.com (neon.ingenia.com [134.117.55.86]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id KAA23891 for ; Thu, 2 Nov 1995 10:59:28 -0800 (PST) Received: (from shaver@localhost) by neon.ingenia.com (8.6.12/8.6.9) id OAA14050; Thu, 2 Nov 1995 14:04:28 -0500 From: Mike Shaver Message-Id: <199511021904.OAA14050@neon.ingenia.com> Subject: Re: Java To: william.wells@damark.com (william.wells) Date: Thu, 2 Nov 1995 14:04:28 -0500 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: <9511011532.AA18505@damark.com> from "william.wells" at Nov 1, 95 09:34:00 am X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk william.wells mumbled something vague about: > My concern isn't UNIX users but the PC users. Since there is no security > mechanisms on a PC, there isn't anything to prevent access to files; > including scripts which run every time a PC boots. You say the default mode > is "no access", is that true on a PC? Yes. > Its harder to have a policy that says that you can't browse any URL > which run applets; especially since I'm not sure that one can tell the URL > has applets. You can't tell which pages will have applets, but you _can_ mandate that the users only use non-Java(tm)-aware browsers. (Yes, Netscape is releasing such beasts.) > These concerns aren't limited to Java; from the writings about > Java though, it seems like Java may be the golden apple which can't be > refused by my users. Java-aware browsers are just another application. If you've got the place locked down so that they can't load their own applications, then don't allow Java-aware ones as part of the standard package. 
If they complain _and_ you feel the need to placate them, provide a few isolated machines that will run a 'J' version of Netscape, and don't allow those machines to access the internal networked resources, etc. > After hearing all of the discussions for some months about Java, it seems > like the basic concern is that Java appears to allow someone outside your > organization to 'execute' a foreign program on internal systems and, worse, > may provide a means for that program to affect the behavior of the internal > systems beyond the scope of a "normal" program. From a non-users > perspective, Java appears to be a 'blessed' virus. Think of an applet as a script executed by the browser, and you're closer to the truth. If you run a safe-perl script with all file access disabled, then they can't muck with the filesystem. If you do it with file access wide open, you're asking for trouble. Same deal with Java-aware browsers. Mike -- #> Mike Shaver (shaver@ingenia.com) Ingenia Communications Corporation <# #> Technical Specialist -- will tame sendmail(8) for food <# #> <# #> "You are a very perverse individual, and I think I'd like to get to <# #> know you better." --- eric@reference.com <# From firewalls-owner Thu Nov 2 12:55:07 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id MAA26682 for firewalls-outgoing; Thu, 2 Nov 1995 12:24:36 -0800 (PST) Received: from hernsvr.med.osd.mil (hernsvr.med.osd.mil [161.14.8.101]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id MAA26662 for ; Thu, 2 Nov 1995 12:24:26 -0800 (PST) Received: from ae938.med.osd.mil by hernsvr.med.osd.mil with SMTP (5.65/25-eef) id AA29216; Thu, 2 Nov 95 15:24:11 -0500 From: "John P. 
  Morton"
Message-Id: <9511021520.ZM16023@unknown.zmail.host>
Date: Thu, 2 Nov 1995 15:20:30 -0500
To: firewalls@greatcircle.com
Subject: Firewall Study

Hello all,

I am a novice to the internet firewall concepts; however, I am involved in a graduate project attempting to quantify or measure the effectiveness of an internet firewall. My research must support that internet firewalls are effective against hackers. From your experience(s) when making firewall configurations, what criteria do you analyze within the enterprise and organization to determine the cost-effective firewall configuration? Are there other factors I should consider in attempting to measure firewalls to secure corporate data? Please advise with any information.

Thank You
-- 
----------------------------------------------------------------------
John P. Morton              Internet : jmorton@hernsvr.med.osd.mil
EDS-D/SIDDOMS               Phone    : (703)-733-3529
13600 EDS DR.               Fax      : (703)-742-2479
MAIL STOP: A4S-D12
Herndon, VA 22071
----------------------------------------------------------------------

From firewalls-owner Thu Nov 2 13:54:36 1995
Reply-To: ggh14854@ussun2f.glaxo.com (Gary Hull)
Date: Thu, 2 Nov 1995 16:50:45 -0500 (EST)
From: Gary Hull
To: Firewalls@GreatCircle.COM
Cc: goertzek@wangfed.com
Subject: Re: idb.ar.com...the mystery continues
In-Reply-To: <199511021833.KAA17111@tidbit.fhda.edu.>

On Thu, 2 Nov 1995, Bob Lanning wrote:

> ---- As written by Gary Hull:
> >
> > On Wed, 1 Nov 1995, K Goertzel wrote:
> >
> > > For those that are wondering, several listers have tried the same URL I did,
> > > with the following variety of results:
> > >
> > > User #1: "I get
> > > a 'server not responding' when I try this."
> [SNIP]

Mighty large SNIP there, Bob...

> > > Karen Goertzel
> > > goertzek@wangfed.com
> >
> > Folks - Regarding ibd.ar.com, the following is what I can glean from
> > nslookup and dig:
> > ar.com. 86400 NS nic2.internex.net.
> >
> [SNIP]

Bob, again another large SNIP...glad you know how to use telnet and whois though.

> Some info about ar.com:
> % whois ar.com
> [rs.internic.net]
> Rick Wesson (AR3-DOM)
> 1278 Sandia Dr.
> Sunnyvale, CA 94089
>
> Domain Name: AR.COM
>
> Administrative Contact:
> Wesson, Rick (RW56) wessorh@AR.COM
> (408) 749-1175
> Technical Contact, Zone Contact:
> InterNex Information Services (INEX-NOC) noc@internex.net
> 408-496-5466 voice 408-496-5485 fax
>
> Record last updated on 25-Jul-95.
> Record created on 11-Feb-94.
>
> Domain servers in listed order:
>
> NIC1.INTERNEX.NET 199.2.14.10
> NIC2.INTERNEX.NET 129.65.240.240
>
> The InterNIC Registration Services Host contains ONLY Internet Information
> (Networks, ASN's, Domains, and POC's).
> Please use the whois server at nic.ddn.mil for MILNET Information.
>
> -- 
> Robert Hajime Lanning "It's the FROSTING!"
> The opinions expressed here are not mine, nor are they anyone else's.
> lanning@tidbit.fhda.edu <--for fun && for profit--> lanning@cup.hp.com

From firewalls-owner Thu Nov 2 14:23:22 1995
Date: Thu, 2 Nov 1995 16:01:06 -0600 (CST)
From: "Frank K.
  Senter"
To: firewalls@greatcircle.com
Subject: Sales Opportunity for FW Vendors

The State of Missouri has issued IFB B600265, requesting bids for a firewall contract. For (a little) more info, reference http://www.state.mo.us/oa/purch/purch.htm. Direct enquiries to Laurie Borchelt, ph. 314.751.1702.

Frank Senter
Senior Information Specialist
Missouri Highway and Transportation Department

From firewalls-owner Thu Nov 2 14:26:05 1995
From: Adam Shostack
X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School
Message-Id: <199511021951.OAA03674@cushing.bwh.harvard.edu>
Subject: Re: skey/opie/NRL/logdamon or what on fwtk/hpux???
To: gary@habanero.jmu.edu (gary flynn)
Date: Thu, 2 Nov 1995 14:51:40 -0500 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199511012015.MAA10854@miles.greatcircle.com> from "gary flynn" at Nov 1, 95 02:41:43 pm
X-PGP: 0xE794DA91 FD3C3450FEB4A0B8 18F2E72CA82D29B8

Gary Flynn wrote:

| I'm trying to compile skey on hpux for incorporation
| into the TIS fwtk.
| The version of skey that is at
| thumper.bellcore under skey appears to support only BSD systems.
|
| I'm told that skey1.1b has a sysv parameter on the Makefile
| but I don't know where to get it.
|
| I was hoping for a version of skey that would work on hpux and
| with fwtk without a lot of modifications.

I've used the logdaemon S/key stuff with FWTK recently. Should work fine.

ftp.win.tue.nl:/pub/security

Adam
-- 
"It is seldom that liberty of any kind is lost all at once." -Hume

From firewalls-owner Thu Nov 2 14:46:14 1995
Date: Thu, 2 Nov 1995 15:38:15 -0500 (EST)
From: John Adams
To: Edward Maillet
cc: firewalls@GreatCircle.COM
Subject: Re: A defense against sniffing attacks for mere mortals
In-Reply-To: <9511020107.AA25053@doc.cs.usm.maine.edu>

On Wed, 1 Nov 1995, Edward Maillet wrote:

> Flame away!
> ----- Ed Maillet
> maillet@cs.usm.maine.edu

Okay, I will! :)

> Hey All,
> Sorry to step on the toes of you S/Key, Kerberos, it's-only-safe-if-it's-encrypted
> types but it seems that there are other ways of defeating packet sniffers.
> Both active and passive.
> Under certain network topologies, sniffing can be rendered useless without
> encryption. Consider an ethernet that contains an ethernet switch and some
> 10Base-T hubs.

Yes, you're describing 'Intelligent Hubs' available from HP and other vendors.
They work well, but what happens when that data flows up to your WAN, or the company backbone, and someone sniffs there? I think what we were trying to prevent was attacks upon data crossing the internet.

> I realize that this is a rather specific topology but it is an interesting
> and rather simple solution.

Your solution is a good one, but doesn't cover all the bases.

John Adams jna@echonyc.com
EchoNYC Systems Administrator (212) 292-0900

From firewalls-owner Thu Nov 2 14:55:03 1995
From: Adam Shostack
X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School
Message-Id: <199511021949.OAA03631@cushing.bwh.harvard.edu>
Subject: Re: A defense against sniffing attacks for mere mortals
To: maillet@doc.cs.usm.maine.edu (Edward Maillet)
Date: Thu, 2 Nov 1995 14:49:02 -0500 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9511020107.AA25053@doc.cs.usm.maine.edu> from "Edward Maillet" at Nov 1, 95 08:07:38 pm
X-PGP: 0xE794DA91 FD3C3450FEB4A0B8 18F2E72CA82D29B8

| Sorry to step on the toes of you S/Key,
| Kerberos, it's-only-safe-if-it's-encrypted types but it seems that there
| are other ways of defeating packet sniffers. Both active and passive.

(Use ethernet bridges/switches)

| I realize that this is a rather specific topology but it is an interesting
| and rather simple solution.

What happens when I sniff your internet connection instead of your LAN? Bridges protect your students from each other; they don't protect them when they telnet in over Thanksgiving break. Kerberos, S/Key, ssh, deslogin, and the like protect you from sniffing every time they are used.

Adam
-- 
"It is seldom that liberty of any kind is lost all at once." -Hume

From firewalls-owner Thu Nov 2 16:34:36 1995
Date: Thu, 2 Nov 95 15:17:53 PST
From: jimk@cmos.supertex.com (Jim Kendall)
Message-Id: <9511022317.AA02772@cmos.supertex.com>
To: firewalls@GreatCircle.COM
Subject: LINUX firewall

I'm a new guy to this list and would be interested in talking to anyone utilizing a LINUX box as a firewall running ipfwadm. I need to talk about my filter setup and make sure that I'm squeezing all of the security out of it that's possible. I've inherited this setup and am wondering if it's any good.
Also, I may replace it with a Sun Sparc2 and need pointers to decent firewall software that doesn't cost 82 grillion bucks (a.k.a. Sun).

Any help will be appreciated.......

Cheers!

Jim Kendall
jimk@supertex.com
(408) 745-1923 x 281

From firewalls-owner Thu Nov 2 16:40:06 1995
From: "Johnson-Bryden, Ian"
To: "'firewalls@greatcircle.com'"
Subject: In search of an OS for firewalling
Date: Tue, 31 Oct 95 14:05:00 GMT
Message-ID: <30962D87@smtpgty.saicuk.co.uk>

I have watched with fascination the flow of postings on the subjects of NT, hardened OS and related subjects. I have only been in the business 30 odd years, so there is much I still don't know and much more, probably, than I have time to learn.

One thing I did learn very early on is that there is no such thing as total elimination of risk. Therefore, risk management is a process of trade-offs to achieve an acceptable level of risk reduction. That also implies 'affordable', but there are so many ways of measuring 'affordable'. From watching postings here and on other groups, 'affordable' seems to mean low visibility cost at time of acquisition. For example, I have seen firewall systems where very little software was purchased and special cables were built in the MIS department, so that the visible cost of the firewall was only a few $K.
That looks pretty cheap until you cost up all the labour and 'diverted' hardware it took to painfully build the firewall and all the labour it then takes to keep it running. When you start pulling those costs into the equation you can very rapidly find that it would have cost less to hire the greediest (well, maybe that's a rash statement) consultants, buy commercial firewalling products, or even use a set of TCSEC/ITSEC certified products.

The other aspect is the cost to the corporation of having a large part of its MIS department playing firewalls for months. OK, it may be that the department is grossly over-staffed with over-qualified engineers and scientists and this has had no impact at all on the rest of MIS operations, but if you disclose the location of this facility your Human Resources department will get buried under applications for jobs. OK, it's also possible that your scientists and engineers know far more about security and risk containment than any vendor will ever know, but that's pretty unlikely also, or you would have been out there selling those skills at a good profit and out-'Bill'ing 'Bill'.

As I am old enough to remember (well, on a good day when senility is less pronounced) the days before packaged software and clone hardware, I have heard most of these arguments before. There were computer scientists and professionals who tried to make the case for proprietary product and those who believed that only they had the skill to produce a reliable product with the aid of source code. Of course most of us ignored them and went out to buy ever cheaper packages anyway.

In terms of risk management, it raises some interesting debating points. The general wisdom still applies to information systems as with anything else: "you don't get something for nothing", or "you get what you pay for". In this world, nothing which is within the wit of man to invent cannot be made cheaper and nastier by another man, and the undiscerning are his natural prey.
However, if we were still faced with proprietary mainframe prices and the astronomical cost of maintaining custom engineered software, the computer would not be the ubiquitous tool which it is today. Therefore, there are those who will argue that the risks associated with operating badly designed, poorly engineered systems, using largely unskilled operators and minimum levels of maintenance, are more than balanced by the enormous savings which result from computerisation. Of course no one ever really tries to find out exactly what those 'enormous savings' are. The simple yardstick is often firing x number of people to justify the cost of the system and then making those who remain work to succeed in the new environment.

If you take that line of reasoning, as some senior managers do, you can argue that there is absolutely no justification for implementing a firewall, or any other form of risk management technology. What happens is that the firewall is taken as a panacea at lowest price. To borrow something someone commented to me recently, firewalls and security are like dieting and exercise. You know you are eating too much and not taking enough exercise, and you also know that the answer is to eat wisely and take regular exercise, but there are these slimming pills on the market. Working out a diet and exercise chart takes skill and time. Keeping to the chart instructions is a bore. Buying the slimming pills is easy and looks cheap.

'Bill' has got where he is today largely because he produced products which were well marketed (or over-sold - depends on your viewpoint) to people who did not really know what they were buying but had access to those cash levels. One thing I see frequently in risk analysis is an MIS department trying to use 'security' as a way of regaining control over the computing assets in their organisation, because today the unskilled users in concert hold more processing, storage and communications power than the MIS department does.
I don't think that anyone can fairly claim any one product is 'all good' or 'all bad'. Millions of people have recently found out that Microsoft is more interested in selling Windows95 than in the customers who have now crippled their old PCs and have to buy new hardware or go back to Windows 3.x. What surprises me is that they are surprised by that discovery, but then 30 years of risk management can make one cynical. Right now NT doesn't have enough track record for that sort of discovery, but one day it will.

Also being old enough to remember not only the pre-'Bill' days, but also the pre-UNIX days, I remember how some respected computer scientists said that UNIX was total crap. Back then they had a point: the OS had several *VERY* unlovely features (which have mostly been removed 20 odd years on) and there was little choice of hardware. What was available was pretty puny, which explains why RDBMS coming from a proprietary background tends to be much fatter than products like Informix which had to live with the UNIX hosts of the early 80s.

I think what UNIX brought was a flexible market. If you want to buy pre-packaged, it's there. If you buy HP (or any other type) hardware today and want to change to something else tomorrow you have that choice, and even the toughest re-porting is not that much hassle. If you are a control freak or have a massive ego, you can always have source. OTOH, the option to buy source reduces risk, even if you don't buy it right now. You may take the view that the folk who built the OS and ported it onto the hardware knew what they were doing (probably a lot better than you) and you paid for their time anyway. However, the fact that you can always buy source later puts a pressure on that vendor to make sure they do a good job, and if at any time in the future you have reason to doubt that, you can always go back to source.
A proprietary vendor (and that includes 'Bill') does not have that pressure, and when things go wrong he can point the finger at another vendor or at the user. Perish the thought that 'Bill' would ever do anything like that. There are anti-'Bill' folk around (hard though it may be to believe), but one should not forget the story reported a while back. It seems that some VARs in Europe who received early copies of Windows 95 also got a virus they didn't want. According to the report, Microsoft immediately leapt to their assistance by identifying a Microsoft sub-contractor as the guilty person and stating quite clearly that he would never produce media for Microsoft again - could you ask for more from a supplier? Now if a small vendor provided product with virus included, he would cause his customers a lot of inconvenience in taking him through the courts for the loss he caused, and some would say that he would be justly put out of business. Dealing with a 'Bill' is so much easier because you know you can't afford to take him through the courts, so you just write it off to experience and trust him not to let it happen again (maybe).

Although I think the potential availability of source code is important, I don't agree that it has to be the sole deciding factor, or that it should be used necessarily. If you are taking a trusted operating system which has been developed through extensive testing by a reputable company working government contracts, and then been evaluated by a third party, the resulting product will be very good but not perfect. However, the people who built it have considerable skills and many thousands of hours have gone into the development. The chances of a sysad finding a real fault in the code are relatively remote unless he can devote a few lifetimes to pulling it apart. When that type of product is available as source code, the cost of source is naturally fairly high.
The question therefore is: "is the cost of buying source justified by forecast benefits?"

What I see is a lot of people trying to teach themselves security and hardened OS. Re-inventing the wheel has always been a popular human activity, so maybe this is just a natural thing. OTOH there are people out there and products which have been around a while and work pretty well, and as has been pointed out, users don't normally expect to buy source from people like Cisco.

I noticed one posting recently, from someone working for an automobile manufacturer, where the individual was clearly stating that he and his employers knew far more than any lesser mortal and would only ever buy product which they could strip down and rebuild correctly. The same company was also advertising how their expertise in vehicle design was beyond equal (and NO, 'Bill' has not moved into car manufacture). One wonders what their reaction would be to customers who would only buy their vehicles if every piece of development information was included in the sale - probably similar to the reaction of the same auto manufacturer in the early 80s when they tried beating a supplier up to give them US domestic market prices in every country. The demand went when the supplier said OK, you give me that deal on all the vehicles I buy from you and you can have the deal on what you buy from me. Yes - you guessed it - the auto manufacturer got more bucks from that supplier than the supplier would ever get back.
Ian J-B

From firewalls-owner Thu Nov 2 16:53:23 1995
Date: Fri, 3 Nov 1995 01:07:15 +0100
From: Wolfram Schmidt
Message-Id: <199511030007.BAA01626@bugfix.ikos2.iao.fhg.de>
To: firewalls@GreatCircle.COM
Subject: Re: Tightening up SunOS 5.4 (was Re: Hardened OS)

] Unfortunately this won't work. Unless you remove shells as well from the
] machine people can still import binaries. I had a friend once in a chroot'd
] guest environment with reasonably low quotas and they still managed to import
] a binary and "talk" to the sendmail daemon on the machine. It was a cute
] trick and more of a proof of concept but it was enough to show me you can't
] really stop someone on a standard unix model.
]
] If anyone got on a firewall setup like this it is simple to compile a binary
] offsite to suit the architecture, static if necessary, and import it, run it
] and then have that binary act as a personal ftp/shell/port login process.

We patched the exec stub of libc.so in the chroot environment to prevent people from importing binaries. The replacement only allows exec of files in certain directory trees. It also checks for xxx/../yyy tricks. LD_* environment variables are removed. All static binaries have been removed from the guest environment.
-Wolfram

From firewalls-owner Thu Nov 2 17:40:22 1995
From: "Matthew Cable"
Message-Id: <9511021858.ZM13344@squiggy.itg.net>
Date: Thu, 2 Nov 1995 18:58:01 -0500
X-Zippy: TONY RANDALL! Is YOUR life a PATIO of FUN??
To: Firewalls
Subject: Opinions?

We're working on a major network overhaul in anticipation of future demands... Our current setup is quite simple, and serves only as a temporary setup until the new layout is hashed out. To get a little perspective on what we're trying to do, let me tell you a bit about the company. It's an ISP of sorts, but we deal solely with corporate customers or bulk buyers. As a result, our security policy has to be loose enough to allow them to do the things clients want to do, while at the same time protecting our office from being overrun with little kneebiters...
Here's a peek at the current setup:

current
=======
                                            +----------+     +---------+
                                        +---|portmaster| +---|mail/news|
                                        |   +----------+ |   +---------+
+--------+    +----------+              |                |     +------+
|internet|-T1-|cisco 2501|--inside net--+----------------+-----|office|
+--------+    +----------+              |                      +------+
                                        |   +-------+
                                        +---|webhost|
                                            +-------+

Cisco currently filters out all incoming traffic but http to webhost, smtp and nntp to mail/news, ssh to webhost, dns datagrams to webhost and mail/news host, and ports over 1024. Obviously this is a problem, as a large network space is wide open.

Our planned network would look something like the following...

planned
=======
                        +-------------------+
                    +---|co-located machines|
+----+              |   +-------------------+
|isdn|--------------+   +----------+         +---------+
+----+              +---|portmaster|     +---|news/mail|
                    |   +----------+     |   +---------+
+--------+    +-----+----+               |  +--------+  +-----+             +------+
|internet|-T1-|cisco 7000|--outside net--+--|firewall|--|cisco|--inside--+--|office|
+--------+    +-----+----+                  +--------+  +-----+          |  +------+
                    |   +-------+                                        |   +------------+
                    +---|webhost|                                        +---|leased lines|
                        +-------+                                            +------------+

In the planned network, the cisco 7000 filters out all unnecessary incoming traffic to the outside net. Filters for leased lines and isdn will be handled on an individual basis. Co-located machines are web servers, ftp servers, etc. that clients have paid to locate on our network.

The firewall will run http, smtp, nntp, and pop proxies (at least) which will retrieve things from the appropriate host on the inside net. An important requirement of the firewall is that we be able to easily add proxies as needed for other services. In addition, adding virtual interfaces to the external firewall interface would be very useful, as we serve several domains on our internal network. Ideally nothing would actually be hosted on the firewall. Internal and external dns servers will also be run on the firewall.
The cisco on the other side of the firewall would simply filter out all traffic not coming from the firewall.

I'm looking for any critiques/suggestions you all might have as to what sort of firewall product/machine we should look into, and how feasible/secure the above setup is.

Thanks!
-- 
- Matthew E Cable / Systems Administrator / Internet Technologies Group, Inc. / Cambridge, MA / http://www.itg.net/~mec

From firewalls-owner Thu Nov 2 17:51:58 1995
Date: 31 Oct 1995 10:43:12 U
From: "Yalda Mirzai"
Subject: Vendors wanting access thru
To: "GreatCircle"

Mike Papais asked that I compile the responses to my question below and send it to everyone. So here goes...

************************************************************
MY QUESTION WAS:
************************************************************

On Wed, 25 Oct 1995, Yalda Mirzai wrote:

> We have been receiving many requests from our system administrators to
> allow "vendors" access to our internal network via the firewall for "technical
> support" or "troubleshooting" purposes.
>
> Any philosophical thoughts regarding this issue in general?
>
> Specifically, we use a Gauntlet Box.
> We would like feedback if possible.
>
> Regards...

************************************************************
THE RESPONSES WERE :
************************************************************

My old company had a few such requests. The answer was "no". What we did was allow a few vendors dial in access to only the machine(s) that we allowed them on. With some kind of password protected Network Terminal Server in between your computer and the phone line, this, as insecure as it is, is far more secure than allowing them to come in over the Internet, IMHO. Besides, the telephone bills will dissuade them from coming in any more than is necessary (presuming it's long distance).

Lastly, many rack mounted modems have a "busy" switch to give out a busy signal; you leave the modem they use in the "busy" position unless you are having them dial in. This will keep out the curious who dial every number in the area code looking for modems (let's face it, today they are probably pinging IP addresses, not dialing telephones). Another option is to leave the modem unplugged when not in use, or turn the power off, etc. If you trust your system administrators to faithfully shut it down when not in use, you can even put the modem somewhere that they have access to so that they don't have to bug you to flip the busy switch for them.

Garry
Garry.Garrett@abii.com
______________________

My personal recommendation for your situation is to have a modem connected to a terminal server, where the modem connection is disconnected when there is no reason for the connection, IF YOU WANT TO ALLOW FOR ANY VENDOR ACCESS. Unfortunately, difficult maintenance is a part of security, because maintenance people usually require superuser privileges. I would strongly recommend that your admins be forced to live with the situation, but that is solely from a security perspective. Allowing the modem connection facilitates a somewhat secure connection, that is easily monitored.
However, it can be social engineered to give a hacker access. Perhaps an alternative is to have you be the person that monitors the connection, but that would cause you a lot of work.

Talk to you later,
Ira
______________________

Non-authoritative response:

How much do you trust your vendors and technical support people? Do they have the same understanding of your security policy as your employees? Do you run the same background checks on vendors and support people as you do on your own employees? Do your vendors and technical support people have the same loyalty to your company as your employees do?

Is your internal security (security on individual network nodes) tight enough to deny access to unauthorized users on each and _every_ node on your network? Are you sure, especially for machines which have entries in other machines' .rhosts or hosts.equiv files?

Once you have answered the above (obvious?) questions, put a value on the data and resources exposed on your internal network. Then, ask yourself if the value of the data and resources is higher than the cost of _not_ letting vendors and technical support people through your firewall and onto your internal network.

Personally, my employer has flatly stated that there will be no intentional access to our internal network through our firewall. All access to internal systems must be through a dialup using one-time access tokens.

dharris@kcp.com
Delmer D. Harris
______________________

How you handle this _type_ of request should be something covered by your security policy. If it isn't, it needs to be added. That being said, there may be case-by-case exceptions. One approach to vendors that want to provide information/files electronically is to have them provide access to THEIR servers and the appropriate people at your site can do an inside initiated telnet or FTP to them.

I would really hesitate to provide your SecureId card to anyone that your organization does not have "administrative control" over, i.e.
you can't fire a vendor since they are not your employee.

**** cjolley@iac.net
______________________

Hi, without knowing more about your specific situation I would think the answer is no. If in fact they are troubleshooting they would be moving info that describes your internal network and maybe potential weaknesses. I make it a habit to inform my clients _not_ to permit any security analysis of their network via the internet for this reason. If there is a need for vendors to access your internal net I suggest a dial-up account that you can enable and disable at will. I would also question why a sysadmin is willing to let vendors muck about on their network.

msk
e-mail @ kadrich@uni.ins.com
______________________

Authentication and acknowledgement of the request from both parties, by each party, involved would be a good start. Why not use SecureId? If you've given the vendor one, it's their job to manage it in a suitable way for responding to your support calls. If they end up with a cabinet full of those cards, that's their problem, not yours :)

I'd be very wary of such requests though... "hi, I'm trying to login to your firewall to get through to abc for xyz and it doesn't seem to work yet..." ...opens up lots of scope for possible social engineering tricks.

darren reed
______________________

> Any philosophical thoughts regarding this issue in general?

Yes, set up a bastion host and don't let vendors into your internal net. See the Zwicky and Chapman book.

Steve Simmons
______________________

If you have a tech regularly getting in, give them a secureID card. If it's someone different, or different vendors, have them call *you* (or some trusted party) to get a number off *your* card. Card never goes to vendor.
David Miller
______________________

I would NEVER allow outside vendors to access my network unless they are physically inside my facility, behind my security.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-
W.S. "Skip" Harborth
Manager & Senior Engineer
Information Systems Security Engineering
Houston Associates, Incorporated
4601 North Fairfax Dr, Suite 1001
Arlington, Virginia 22203 USA
(703) 284-8732
812-5099 (fax)
sharborth@hai-net.com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-
______________________

Philosophically, you ask? Don't do it. There are plenty of other methods that can be used.

Why not? say the vendors. Because, ultimately, you can not trust the vendor to have _your_ best interest at heart (no matter how much $$$ you throw their way), but _their_ best interest. And that probably does not include ensuring that your network and information security policies are followed, and so on.

If they need to shoot problems or provide support, 28.8 modems work fine. It is not as sexy as doing it over the net, or whatever. But dial up (especially if the modem is disconnected from the phone line between calls...which means that the vendor has to alert the customer when they need access...not just call in anytime...)
has been working quite well for a long time, and, I think, will continue to be so.

Yes, it is a *bit* more cumbersome. So is running a SEAL or Gauntlet or whatever. But, there is accountability and control.

Just my $.02.

--
Bryan D. Boyle | EMAIL: bdboyle@erenj.com
______________________

For the type of access needed, TCP/IP access to the systems seems very dangerous to me and I don't see why it would be needed. Vendor remote connection support can be very useful and even vital, but firewall or no firewall vendor reps shouldn't be blindly trusted.

Here at JMU the Digital, TGV, and other vendors connect to our system whenever there is a major problem, but... The vendors connect via the support modem and new accounts/passwords are issued for each session. The modem connection requires multiple passwords and is normally only used by one person, so it's easy to track usage in the log files. The actual session is duplicated on the system administrator's workstation so that she can watch everything (and interrupt the session if needed). She also normally talks to the support rep. on the phone most (if not all) of the time they are connected to the system.

Vendor support reps can crash a system and do other damage that has nothing to do with networks and security. We learned that the hard way. Modem dial-up and single session passwords along with a human monitoring the session should provide sufficient security.
I don't think that the convenience of TCP/IP over dial-up terminal access makes it worth the enhanced dangers.

Charles Cooley
Network Services
James Madison University
_________________________________

If access of this type is unavoidable, you may want to consider using dial up access on a selective basis, via a terminal server with the equivalent of TACACS or RADIUS support.

Paul Ferguson
_________________________________

There are many ways to skin a cat. For instance: We do not allow our vendors access through the firewall. Instead, we allow them to dial in, through our dial security system, to the specific machine that they need to access.

uunet!itthartford.com!pwright
_________________________________

Yalda:

We provided a mechanism to do the following:

1. Require someone at "company name" (I'll say) to turn on the ability for a vendor to connect, authenticate, and connect to one inside machine, determined by the person at "company name" and based on the problem.
2. Have a time limit on this connection (I think... I could be wrong on this).
3. Have this only work once. If the vendor needed to reconnect, "our company" would have to reset things.

We provided a management screen to allow this to be done easily by "company name" when a trouble call was logged with a vendor and the vendor indicated access was needed. Yes, one time password mechanisms were used (SecurID, SNK cards, etc.).

Fred Avolio
_________________________________

I like to set up a S/Key password, and tell them the next one-time pass phrase over the telephone for that session.

Peter Da Silva
_________________________________

Sorry if I missed someone's comments... There were so many.

From firewalls-owner Thu Nov 2 19:52:52 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id TAA12841 for firewalls-outgoing; Thu, 2 Nov 1995 19:51:14 -0800 (PST)
Received: from access.netaxs.com (access.netaxs.com [198.69.186.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id TAA12834 for ; Thu, 2 Nov 1995 19:51:10 -0800 (PST)
Received: from unix3.netaxs.com (morph_1@unix3.netaxs.com [198.69.186.5]) by access.netaxs.com (8.6.12/8.6.11) with ESMTP id WAA13774 for ; Thu, 2 Nov 1995 22:50:51 -0500
From: ELYTENE$$
Received: (morph_1@localhost) by unix3.netaxs.com (8.6.12/8.6.9) id WAA20363 for firewalls@GreatCircle.com; Thu, 2 Nov 1995 22:50:40 -0500
Message-Id: <199511030350.WAA20363@unix3.netaxs.com>
Subject: Re: mountd Security
To: firewalls@GreatCircle.com
Date: Thu, 2 Nov 1995 22:50:38 -0500 (EST)
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Is there any real reason mountd should not be run on machines inside of a secure firewall, and what sort of access should users on those machines have to mount?

Is there any way to secure mountd from attack, while exporting only to trusted machines?

--
Morph_1              Witty Quote Here
morph_1@netaxs.com   Disclaimer Here blah blah blah
Phone Numbers etc.
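The mountd question above comes down to what the export list actually grants and to whom. The following is an added example, not code from the list or from any NFS implementation: a small audit of an exports file that flags entries with no host restriction, read-write access to wildcard host patterns, and `no_root_squash`. It assumes the Linux exports(5) syntax (`/path host(opt,opt) host2(opt)`, which matches the "(rw)" notation used in the thread); the sample exports file is constructed for the example, and SunOS-style `-access=` lines are not parsed.

```python
"""Audit NFS export entries for risky settings (added example, not list code).

Assumes Linux exports(5) syntax; the sample file below is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample /etc/exports; hostnames are invented for the example.
SAMPLE_EXPORTS = """\
# home directories, to two named workstations only
/home            ws1.corp.example(rw) ws2.corp.example(rw)
# no host at all: every client that can reach mountd may mount this
/usr/share/doc   (ro)
# wildcard host plus no_root_squash: remote root stays root on the export
/export/scratch  *.corp.example(rw,no_root_squash)
# named host, no options given (server defaults apply)
/cdrom           ws1.corp.example
"""

# "host(opt1,opt2)" or "host" or "(opt1,opt2)" with no host
_CLIENT_RE = re.compile(r"^([^(]*)(?:\(([^)]*)\))?$")


@dataclass
class Export:
    path: str
    clients: Dict[str, Set[str]] = field(default_factory=dict)  # host -> options


def parse_exports(text: str) -> List[Export]:
    """Parse exports(5)-style lines; comments and blank lines are skipped."""
    exports: List[Export] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        export = Export(path=fields[0])
        # A path with no client list at all is exported to everyone.
        if len(fields) == 1:
            export.clients["*"] = set()
        for client in fields[1:]:
            match = _CLIENT_RE.match(client)
            if match is None:
                raise ValueError(f"cannot parse client spec: {client!r}")
            host = match.group(1) or "*"  # "(ro)" alone means any host
            opts = set(filter(None, (match.group(2) or "").split(",")))
            export.clients[host] = opts
        exports.append(export)
    return exports


def audit_exports(exports: List[Export]) -> List[Tuple[str, str, str]]:
    """Return (path, host, finding) triples for settings worth a second look."""
    findings: List[Tuple[str, str, str]] = []
    for export in exports:
        for host, opts in export.clients.items():
            wildcard = any(ch in host for ch in "*?")
            if host == "*":
                findings.append((export.path, host, "exported to any host"))
            elif wildcard and "rw" in opts:
                findings.append((export.path, host,
                                 "rw granted to a wildcard host pattern"))
            if "no_root_squash" in opts:
                findings.append((export.path, host,
                                 "no_root_squash: remote root keeps uid 0"))
    return findings


if __name__ == "__main__":
    for path, host, finding in audit_exports(parse_exports(SAMPLE_EXPORTS)):
        print(f"{path:16} {host:20} {finding}")
```

Run against the sample, only `/usr/share/doc` and `/export/scratch` produce findings; the two named-host entries pass. The check is deliberately about the export list alone: it says nothing about whether the hosts named in it can be trusted, which is the point Phil Howard raises in the reply further down.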
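Several replies in the vendor-access compilation above converge on one-time credentials: Peter Da Silva reads the next S/Key pass phrase over the phone, and Fred Avolio's mechanism "only works once". The block below is an added example of how an S/Key-style hash chain gives both properties; it is not code from the list or from any S/Key implementation. RFC 1760 S/Key folds MD4 output to 64 bits and encodes it as six words, whereas this chain uses full SHA-256 digests for clarity; the passphrases and seeds are constructed for the example.

```python
"""S/Key-style one-time passwords for a dial-in vendor session.

Added example, not list code. RFC 1760 S/Key uses folded MD4; this
chain uses SHA-256 digests. Passphrases and seeds below are invented.
"""
import hashlib
from dataclasses import dataclass


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def chain_value(passphrase: str, seed: str, n: int) -> bytes:
    """Return H^n(seed || passphrase): the n-th link of the hash chain."""
    value = (seed + passphrase).encode()
    for _ in range(n):
        value = _h(value)
    return value


@dataclass
class ServerRecord:
    """What the terminal server keeps: never the passphrase itself."""
    seed: str
    count: int     # sequence number of the value currently stored
    stored: bytes  # H^count(seed || passphrase), the last accepted value


def enroll(passphrase: str, seed: str, n: int) -> ServerRecord:
    """Initialise a chain of length n; the passphrase is discarded afterwards."""
    return ServerRecord(seed=seed, count=n,
                        stored=chain_value(passphrase, seed, n))


def challenge(record: ServerRecord) -> str:
    """The prompt the server sends (or the admin reads out over the phone)."""
    return f"otp {record.count - 1} {record.seed}"


def client_response(passphrase: str, seed: str, count: int) -> bytes:
    """The vendor's answer to a challenge for sequence number `count`."""
    return chain_value(passphrase, seed, count)


def verify(record: ServerRecord, candidate: bytes) -> bool:
    """Accept `candidate` only if hashing it once yields the stored value.

    A replayed value fails because the stored value has already moved one
    step down the chain; when count reaches 1 the chain is used up and the
    admin must re-enroll (the raw passphrase is never accepted as a link).
    """
    if record.count <= 1:
        return False
    if _h(candidate) != record.stored:
        return False
    record.stored = candidate  # the accepted value becomes the next check value
    record.count -= 1
    return True


if __name__ == "__main__":
    rec = enroll("correct horse battery staple", "jm12345", 100)
    print(challenge(rec))                     # otp 99 jm12345
    resp = client_response("correct horse battery staple", "jm12345", 99)
    print("first use:", verify(rec, resp))    # True
    print("replay   :", verify(rec, resp))    # False
```

The server only ever holds `H^count`, so a copy of its records does not yield the passphrase, and a value overheard on the phone line is useless after the session it was issued for: exactly the "works once" and "reset things to reconnect" behaviour the compilation describes.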
From firewalls-owner Thu Nov 2 21:23:27 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id VAA14161 for firewalls-outgoing; Thu, 2 Nov 1995 21:03:36 -0800 (PST)
Received: from odin.community.net (odin.community.net [140.174.119.10]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id VAA14146 for ; Thu, 2 Nov 1995 21:03:26 -0800 (PST)
Received: from [140.174.226.120] (n120.coco.community.net [140.174.226.120]) by odin.community.net with SMTP id VAA23932 for ; Thu, 2 Nov 1995 21:02:57 -0800
Date: Thu, 2 Nov 1995 21:02:57 -0800
Message-Id: <199511030502.VAA23932@odin.community.net>
Subject: Advantage of Filtering in Router vs Firewall
From: Bill Husler
To:
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I know I have read here that you have a stronger, more secure, setup if you keep IP filtering in your router and use the Firewall for Application level stuff - like proxies, but I don't remember the reasoning behind it. Please, somebody, run through it again for me.

Thanks,
Bill

The opinions expressed herein are my own. Any similarities between these opinions and those of any other person - living or not - including my employer are purely coincidental.
From firewalls-owner Thu Nov 2 23:23:16 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id XAA16799 for firewalls-outgoing; Thu, 2 Nov 1995 23:18:13 -0800 (PST)
Received: from psyche.the-wire.com (psyche.the-wire.com [198.53.192.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id XAA16792 for ; Thu, 2 Nov 1995 23:18:10 -0800 (PST)
Received: from rcooper.the-wire.com (rcooper.the-wire.com [198.53.159.74]) by psyche.the-wire.com (8.6.10/8.6.9) with SMTP id CAA24512; Fri, 3 Nov 1995 02:17:51 -0500
Received: by rcooper.the-wire.com with Microsoft Mail id <01BAA992.77E00780@rcooper.the-wire.com>; Fri, 3 Nov 1995 02:17:04 -0500
Message-ID: <01BAA992.77E00780@rcooper.the-wire.com>
From: Russ Cooper
To: "'Mike Shaver'" , "william.wells"
Cc: "firewalls@GreatCircle.COM"
Subject: RE: Java
Date: Fri, 3 Nov 1995 02:17:03 -0500
Encoding: 10 TEXT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Would it be possible to embed a virus into a .GIF file? or .AVI file? or .WAV file? These guys are all downloaded and stored in a cache on your local workstation, and in turn invoke an application on the local workstation. What is the difference between this and Java?
Cheers,
Russ Cooper
Senior Internet Integration Engineer
SHL/Computer Innovations
RCooper@the-wire.com - Express@msn.com - 74323.364@compuserve.com

From firewalls-owner Thu Nov 2 23:54:01 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id XAA17194 for firewalls-outgoing; Thu, 2 Nov 1995 23:35:32 -0800 (PST)
Received: from neon.ingenia.com (neon.ingenia.com [134.117.55.86]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id XAA17187 for ; Thu, 2 Nov 1995 23:35:28 -0800 (PST)
Received: (from shaver@localhost) by neon.ingenia.com (8.6.12/8.6.9) id CAA04073; Fri, 3 Nov 1995 02:32:38 -0500
From: Mike Shaver
Message-Id: <199511030732.CAA04073@neon.ingenia.com>
Subject: Re: Java
To: rcooper@the-wire.com (Russ Cooper)
Date: Fri, 3 Nov 1995 02:32:38 -0500 (EST)
Cc: william.wells@damark.com, firewalls@GreatCircle.COM
In-Reply-To: <01BAA992.77E00780@rcooper.the-wire.com> from "Russ Cooper" at Nov 3, 95 02:17:03 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Russ Cooper mumbled something vague about:
> Would it be possible to embed a virus into a .GIF file? or .AVI file? or
> .WAV file? These guys are all downloaded and stored in a cache on your
> local workstation, and in turn invoke an application on the local
> workstation. What is the difference between this and Java?

A better, if still flawed, analogy is to PostScript, which contains among its primitives means of accessing filesystems, etc.

People are worried about an applet breaking out of its cage and mangling their network and associated resources (*). Granted, the language contains a number of methods of doing things that could be subverted. So do newer (non-Java(tm)) versions of Netscape. And Word. Etc.

It's a matter of trust, I guess.
Do you trust Sun's and Netscape's words that they've done everything in their power to both _design_ and _implement_ the java systems in a secure way? Perhaps not. But if you _don't_, then perhaps you should start questioning your faith in other applications, too. Like Word, X, PS viewers, Netscape v2.0bN, etc.

I'm beginning to think it's a case of "damnant quod non intellegerunt", but that might just be a sign of me swinging the other way.

(*) Some people, it seems, are also worried about similar abuses by a hostile user community. To me, this is an issue related not at all to the "java problem", nor really to firewalls. Kinda sci.psychology meets bugtraq, I guess. =)

Mike

--
#> Mike Shaver (shaver@ingenia.com)  Ingenia Communications Corporation <#
#> UNIX medicine man -- dark magick, cheap!                             <#
#>                                                                      <#
#> When the going gets tough, the tough give cryptic error messages.    <#
#> "We believe in rough consensus and running code."                    <#

From firewalls-owner Fri Nov 3 00:53:11 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id AAA20092 for firewalls-outgoing; Fri, 3 Nov 1995 00:49:02 -0800 (PST)
Received: from tidbit.fhda.edu. (tidbit.fhda.edu [153.18.12.252]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id AAA20078 for ; Fri, 3 Nov 1995 00:48:58 -0800 (PST)
Received: (from lanning@localhost) by tidbit.fhda.edu. (8.6.12/8.6.9) id BAA18217; Fri, 3 Nov 1995 01:57:40 -0800
From: Bob Lanning
Message-Id: <199511030957.BAA18217@tidbit.fhda.edu.>
Subject: Re: Java
To: rcooper@the-wire.com (Russ Cooper)
Date: Fri, 3 Nov 1995 01:57:40 -0800 (PST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <01BAA992.77E00780@rcooper.the-wire.com> from "Russ Cooper" at Nov 3, 95 02:17:03 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

---- As written by Russ Cooper:
>
> Would it be possible to embed a virus into a .GIF file? or .AVI file? or
> .WAV file? These guys are all downloaded and stored in a cache on your
> local workstation, and in turn invoke an application on the local
> workstation. What is the difference between this and Java?
>
> Cheers,
> Russ Cooper
> Senior Internet Integration Engineer
> SHL/Computer Innovations
> RCooper@the-wire.com - Express@msn.com - 74323.364@compuserve.com
>

.GIF, .AVI, .WAV... are basically compressed raw data streams. The "viewer" decompresses the stream and sticks it on your monitor or your audio device. JAVA on the other hand is a programming language. It can manipulate files, watch the mouse/keyboard/network for traffic.

This is similar to the Micro$oft Word Macro trojan horse. The document (HTML, Word) is harmless. It is when you have attachments that get executed that things go wrong.

--
Robert Hajime Lanning          "It's the FROSTING!"
The opinions expressed here are not mine, nor are they anyone else's.
lanning@tidbit.fhda.edu <--for fun && for profit--> lanning@cup.hp.com

From firewalls-owner Fri Nov 3 01:24:19 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id BAA20901 for firewalls-outgoing; Fri, 3 Nov 1995 01:07:08 -0800 (PST)
Received: from access.netaxs.com (access.netaxs.com [198.69.186.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id BAA20894 for ; Fri, 3 Nov 1995 01:07:04 -0800 (PST)
Received: from unix3.netaxs.com (morph_1@unix3.netaxs.com [198.69.186.5]) by access.netaxs.com (8.6.12/8.6.11) with ESMTP id EAA28118; Fri, 3 Nov 1995 04:07:05 -0500
Received: (morph_1@localhost) by unix3.netaxs.com (8.6.12/8.6.9) id EAA25347; Fri, 3 Nov 1995 04:07:01 -0500
Date: Fri, 3 Nov 1995 04:06:59 -0500 (EST)
From: "W0W!@# ELYTENESS#@!"
To: Phil Howard
cc: firewalls@GreatCircle.com
Subject: Re: mountd Security
In-Reply-To: <199511030506.XAA07170@colt.milepost.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 2 Nov 1995, Phil Howard wrote:
> > Is there any real reason mountd should not be run on machines inside of
> > a secure firewall, and what sort of access should users on those machines
> > have to mount?
> > Is there any way to secure mountd from attack, while exporting only to
> > trusted machines?
>
> Define "trusted machine". One with a certain IP address? If your
> firewall is rock solid, then of course you don't need to worry about
> the outside. But you better trust EVERY machine on the inside, or
> else partition them from each other with more firewalls.
>

and then I said:

Well the firewall itself isn't in question, it's the fact that mountd is running between the machines that have users on them inside the firewall. Is there any security problem with running mountd that can be locally exploited? If there is then I would just disable the daemon; not exporting anything necessary at this point.
Limiting access would work too, but first I wanted to establish if much of a risk exists. As far as what's being exported goes, it's only (rw) filesystems to the machines inside the firewall.

From firewalls-owner Fri Nov 3 02:23:27 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id CAA24654 for firewalls-outgoing; Fri, 3 Nov 1995 02:03:23 -0800 (PST)
Received: from mailbox.swip.net (mailbox.swip.net [193.12.122.1]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id CAA24639 for ; Fri, 3 Nov 1995 02:03:17 -0800 (PST)
Received: from enterprise (dialup100-122.swipnet.se [130.244.100.122]) by mailbox.swip.net (8.6.12/8.6.12) with SMTP id LAA14538 for ; Fri, 3 Nov 1995 11:03:18 +0100
Date: Fri, 3 Nov 1995 11:03:18 +0100
Message-Id: <199511031003.LAA14538@mailbox.swip.net>
X-Sender: m-18213@mailbox.swip.net
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.com
From: Martin Fredriksson
Subject: DES export restrictions and ZyXEL
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sorry if this is not directly fw related (it sure does relate to one fw system at my site...). This is a copy of a post to comp.security.misc.

Dear Security and (DES) encryption politics and export rules specialists:

Our network group has just begun testing a new ZyXEL ISDN capable modem, the "ZyXEL Elite 2864I". According to the local distributor, this modem supports _data_ encryption using 112 bit DES technology. We are a Swedish company, and thus subject to the not so very liberal US export restrictions for cryptographic "stuff"(?). Or so I thought.

The local distributor for the ZyXEL modem can only forward questions to ZyXEL corporation. Thus without having a direct line to the ZyXEL corp., I have received the following answer to my question about how (if they really can) they export DES based data encryption.
> Federal Information Processing Standards are issued by the National Bureau
> of Standards pursuant to the Federal Property and Administrative Services
> Act of 1949, as amended, Public Law 89-306(79 stat 1127). Executive Order
> 11717 (38 FR 12315, dated May 1, 1973) and Part 6 of Title 15 Code of
> Federal Regulations(CFR).
>
> Name of Standard: Data Encryption Standard (DES).
>
> Patents: Cryptographic devices implementing this standard may be covered by
> U.S. and foreign patents issued to the International Business Machines
> Corporation. However, IBM has granted nonexclusive, royalty-free licenses
> under the patents to make, use and sell apparatus which complies with the
> standard. The terms, conditions and scope of the licenses are set out in
> notices published in the May 13, 1975 and August 31, 1976 issue of the
> Official Gazette of the United States Patent and Trademark Office (934 O. G.
> 452 and 949 O. G. 1717).
>
> If you need more information about these documents above, please check with
> librarian who will help you a lot.

The local distributor reads this as "well, DES is in the public domain, how nice". I read this as ZyXEL answered someone else's question....

I will of course follow this up with the local distributor, and thus with ZyXEL. The reason for my posting/mailing this here, is that I feel I need an external opinion. My questions now are mainly:

(1) Is it possible for a large US company to export products using DES data encryption? I mean even if they get a "non-USA DES" can they export products including this?
(2) Is anyone familiar with the modem in question (2864I), and know if it really provides DES data encryption?
(3) Where should I have posted this?
Thanks in advance, for any pointers!

Martin Fredriksson
Systems Integration and Security
Ericsson Microwave Systems AB, Molndal, Sweden

From firewalls-owner Fri Nov 3 02:53:04 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id CAA25332 for firewalls-outgoing; Fri, 3 Nov 1995 02:23:51 -0800 (PST)
Received: from access.netaxs.com (access.netaxs.com [198.69.186.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id CAA25302 for ; Fri, 3 Nov 1995 02:23:44 -0800 (PST)
Received: from unix3.netaxs.com (morph_1@unix3.netaxs.com [198.69.186.5]) by access.netaxs.com (8.6.12/8.6.11) with ESMTP id FAA29898; Fri, 3 Nov 1995 05:23:33 -0500
Received: (morph_1@localhost) by unix3.netaxs.com (8.6.12/8.6.9) id FAA26103; Fri, 3 Nov 1995 05:23:28 -0500
Date: Fri, 3 Nov 1995 05:23:27 -0500 (EST)
From: "W0W!@# ELYTENESS#@!"
To: Bob Lanning
cc: Russ Cooper , firewalls@GreatCircle.COM
Subject: Re: JAVA is the Devil
In-Reply-To: <199511030957.BAA18217@tidbit.fhda.edu.>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 3 Nov 1995, Bob Lanning wrote:
> ---- As written by Russ Cooper:
> >
> > Would it be possible to embed a virus into a .GIF file? or .AVI file? or
> > .WAV file? These guys are all downloaded and stored in a cache on your
> > local workstation, and in turn invoke an application on the local
> > workstation. What is the difference between this and Java?
> >
> > Cheers,
> > Russ Cooper
> > Senior Internet Integration Engineer
> > SHL/Computer Innovations
> > RCooper@the-wire.com - Express@msn.com - 74323.364@compuserve.com
> >
> .GIF, .AVI, .WAV... are basically compressed raw data streams.
> The "viewer" decompresses the stream and sticks it on your monitor or your
> audio device. JAVA on the other hand is a programming language. It can
> manipulate files, watch the mouse/keyboard/network for traffic.
>
> This is similar to the Micro$oft Word Macro trojan horse. The document (HTML,
> Word) is harmless. It is when you have attachments that get executed that
> things go wrong.
>
> --
> Robert Hajime Lanning          "It's the FROSTING!"
> The opinions expressed here are not mine, nor are they anyone else's.
> lanning@tidbit.fhda.edu <--for fun && for profit--> lanning@cup.hp.com
>

Interesting, but there are neat "virii" that exist in compressed image files .JPG etc, where the picture itself keeps getting larger by infinitely expanding itself when you try and view it. Plus you never get to see the picture! evil.

--
Morph_1              Witty Phrase Here
morph_1@netaxs.net   Some Phone Numbers Here and so on.
Jazzy Title Here

From firewalls-owner Fri Nov 3 03:22:56 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id CAA25673 for firewalls-outgoing; Fri, 3 Nov 1995 02:44:41 -0800 (PST)
Received: from student.uq.edu.au (student.uq.edu.au [130.102.2.20]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id CAA25666 for ; Fri, 3 Nov 1995 02:44:38 -0800 (PST)
Received: from student.uq.edu.au (cs324342@localhost [127.0.0.1]) by student.uq.edu.au (8.6.12/8.6.12) with SMTP id UAA07842 for ; Fri, 3 Nov 1995 20:44:41 +1000
Date: Fri, 3 Nov 1995 20:44:35 +1000 (GMT+1000)
From: John Dean
To: Firewalls@GreatCircle.COM
Subject: How do I unsubscribe to firewalls
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

---------------------------------------------------
J.E.Dean BSc III
University of Queensland
Australia

From firewalls-owner Fri Nov 3 05:57:31 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id FAA00590 for firewalls-outgoing; Fri, 3 Nov 1995 05:42:46 -0800 (PST)
Received: from gatekeeper.glaxo.com (gatekeeper.glaxo.com [192.58.204.201]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id FAA00583 for ; Fri, 3 Nov 1995 05:42:43 -0800 (PST)
Received: by gatekeeper.glaxo.com (5.65/fma-120691); id AA17490; Fri, 3 Nov 95 08:42:45 -0500
Received: from ussun2f.glaxo.com by ussun1d.glaxo.com (5.x/SMI-SVR4) id AA22889; Fri, 3 Nov 1995 08:43:31 -0500
Received: by ussun2f.glaxo.com (5.x/SMI-SVR4) id AA10054; Fri, 3 Nov 1995 08:48:15 -0500
Reply-To: ggh14854@ussun2f.glaxo.com (Gary Hull)
Date: Fri, 3 Nov 1995 08:48:13 -0500 (EST)
From: Gary Hull
To: Bob Lanning
Cc: firewalls
Subject: Re: idb.ar.com...the mystery continues
In-Reply-To: <199511030910.BAA18145@tidbit.fhda.edu.>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 3 Nov 1995, Bob Lanning wrote:
> Uhh... What the hell are you talking about?
>
> The pieces that were snipped were already posted to the list. I see no need
> in the duplicating.
>
> P.S. I'm a sysadmin, I better know how to use telnet, whois and a whole
> lot more!

Bob --

Yes, I realize that and I apologize for my rash reaction. Like me, you too were offering assistance to the list and I know it is appreciated. I also offer my apologies to the list membership as a whole. Yesterday was a bad day for me with my focus being on draining the swamp but the darn alligators wouldn't let me near the plug.

Have a nice day!

     |/
---o0o-@@-o0o---------
Gary G. Hull - Technical Consultant
Howard Systems International - Glaxo Wellcome Inc.
Five Moore Drive - Raleigh, North Carolina 27709
Tel : (919) 941-4867 - Fax : (919) 248-2831
email: ggh14854@ussun2f.glaxo.com

From firewalls-owner Fri Nov 3 06:24:03 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id GAA01007 for firewalls-outgoing; Fri, 3 Nov 1995 06:18:34 -0800 (PST)
Received: from Fe3.rust.net (Fe3.rust.net [204.157.12.254]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id GAA00990 for ; Fri, 3 Nov 1995 06:18:29 -0800 (PST)
Received: from dtw-16.rust.net by Fe3.rust.net via SMTP (940816.SGI.8.6.9/940406.SGI.AUTO) id JAA25232; Fri, 3 Nov 1995 09:25:32 -0800
Date: Fri, 3 Nov 1995 09:25:32 -0800
Message-Id: <199511031725.JAA25232@Fe3.rust.net>
X-Sender: janken@rust.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: "A. Padgett Peterson, P.E. Information Security"
From: janken@rust.net (Kenneth J. Stephens)
Subject: Re: Firewall discussion at PC Week
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>PC Week is hosting a Discussion on "Protecting the company LAN from Internet
>>intruders" at
>> Protecting the company LAN from Internet intruders
>
>And if you can make sense out of that address, you probably do not need any
>more help 8*).
> P.fla
>

I may just change a few bytes and use it for my PGP key :^)>

Ain't CGI a wonderful tool.

Ken

Ken Stephens                                   Senior Capacity Planner/Data Security Officer
email: Ken_Stephens@miconsulting.com           Voice (313) 876-5081
Michigan Employment Security Commission (MESC) Fax (313) 876-6827
7th Fl. I.S.
7310 Woodward Ave
Detroit, MI 48202

Millennium Consulting          Your Security Policy is only
28234 Diesing Dr.              as strong as your organization's
Madison Heights, MI 48071      commitment to it.

From firewalls-owner Fri Nov 3 06:54:21 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id GAA01124 for firewalls-outgoing; Fri, 3 Nov 1995 06:28:34 -0800 (PST)
Received: from kgbvax.network.com (kgbvax.network.com [129.191.202.58]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id GAA01117 for ; Fri, 3 Nov 1995 06:28:30 -0800 (PST)
Received: (from ted@localhost) by kgbvax.network.com (8.6.9/8.6.9) id IAA28999; Fri, 3 Nov 1995 08:23:36 -0500
Date: Fri, 3 Nov 1995 08:23:36 -0500
From: Ted Doty
Message-Id: <199511031323.IAA28999@kgbvax.network.com>
To: martin@msp.se, firewalls@greatcircle.com
Subject: Re: DES export restrictions and ZyXEL
In-Reply-To: Mail from 'Martin Fredriksson ' dated: Fri, 3 Nov 1995 11:03:18 +0100
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

martin@msp.se wrote:

[stuff about DES deleted]

> My questions now are mainly:
>
> (1) Is it possible for a large US company to export products using DES
> data encryption? I mean even if they get a "non-USA DES" can they
> export products including this?

Yes. We do, and many others do as well. The export restrictions have many (well, some) instances where strong encryption can be exported.

Note that what you are talking about looks like Triple DES (3 passes thru DES using 2 different keys, for an effective key length of 112 bits). I have no direct knowledge of any American company exporting Triple DES, although IDEA seems to be at least as strong.

You should know, however, that most of the instances where DES is exported from the USA are when it is shipped to banks or to subsidiaries of American companies. Commercial, non-US companies can not get DES (easily) from US companies.

> (3) Where should I have posted this.

You should check out the sci.crypt newsgroup.
--
- Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation | phone: +1 301 596-2270
8965 Guilford Road, Suite 250         | fax: +1 410 381-3320
Columbia, MD, 21046 USA               | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to real opinions, living or dead, is purely coincidental.

From firewalls-owner Fri Nov 3 07:24:31 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id HAA02435 for firewalls-outgoing; Fri, 3 Nov 1995 07:20:33 -0800 (PST)
Received: from maildrop.micrognosis.com (supernova.micrognosis.com [192.233.13.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id HAA02428 for ; Fri, 3 Nov 1995 07:20:27 -0800 (PST)
Received: by maildrop.micrognosis.com (4.1/SMI-4.1) id AA06554; Fri, 3 Nov 95 10:20:31 EST
Received: from singhi.corp.micrognosis.com(193.32.166.28) by supernova.micrognosis.com via smap (V1.3) id sma006552; Fri Nov 3 10:20:26 1995
Received: from becks (becks.corp.micrognosis.com) by corp.micrognosis.com (4.1/1.0-integ.cf) id AA08471; Fri, 3 Nov 95 10:23:48 EST
Date: Fri, 3 Nov 1995 10:23:45 -0500 (EST)
From: Adam Jack
X-Sender: ajack@becks
To: Rick Smith
Cc: firewalls@greatcircle.com
Subject: Re: What about the next 20 Java-like applications? ( was Re: Java)
In-Reply-To: <199511020123.TAA23834@shade.sctc.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 1 Nov 1995, Rick Smith wrote:

> For the (broken) record, I think the Java developers did a fine job of
> dealing with early '80s style security issues. But they didn't get a
> handle on the desktop security issues early enough in the HotJava
> design.
>

Interesting comment. Please elaborate w/ some examples - privately, if you think this thread is noise or it is undue repetition.
> > Reassurance isn't a right! ...
>
> Competent firewall and security vendors do NOT subscribe to this
> mindset. If a customer is concerned enough about security to seek a
> quality product, they have every right to (re)assurance that the
> protections they expect are in place. They deserve to know what
> security measures are effective and deployed. They deserve evidence.
>

Precisely. Customers pay you to prove something. Sun aren't selling to you - they are testing a concept in good old Internet fashion - by letting 'net individuals do some of the leg work. Sun have made a lot of information available - it just takes time to ingest. I don't necessarily condone it (except maybe from a business standpoint) - but it is happening. And it will continue to ...

>
> As you've probably figured out, this is expensive and time consuming
> work. We do it for our own products. I admit it depresses me to have
> the same, tired security questions go unanswered, and that I do not
> have the time myself to try things out.
>

This is exactly my point. Mustn't something be done to try to change that - now that money & livelihood are getting involved.

> > Applications on the Internet are racing ahead. Despite the common sense
> > demand for security - pressure for functionality is higher.
>
> It depends on who you talk to. Our customers want both, but they
> recognize there is a tradeoff. How many will put their back office
> operations at risk just for "coool stuff" on desktops?? Not many.
>

Hmm - sorry - I was wrong to say "is higher". My experience is a tad slanted by propeller-heads. Maybe I should take a note from you - and say we should plan for the future. The pace of this 'Net explosion is such that soon people will want everything. Not for 'coool' reasons - but for functional reasons.

>
> Evolving attack methodologies also strain current firewall models,
> even without throwing HotJava into the picture. Sites concerned about
> security want finer grained awareness of what crosses their boundary.
> It's not clear how we meet their needs and also pass applets. Magic
> doesn't exist, and firewalls can't perform mathematical miracles.
>

I am not able to comment on other than Java - but your point seems very sound. Maybe one of the benefits of this Internet explosion will be heightened user awareness - and a reduced requirement for transparency at the firewall. If users will accept a bit more pain for their functionality maybe the need for magic can be removed.

Java : Remember when Chuck McManis suggested the possibility of a firewall resident Java based applet-proxy? There would, of course, be overhead (but then downloading Java applets is slow so there is CPU idle time!) That would be a valuable addition to the firewall - since the proxy was to provide 'firewall manager configurable' applet sanitation.

> It is not clear that
> spiffy stuff will run on a HotJava system configured to run securely.
>

I agree. This, and the bandwidth abuse, is why I have lost most interest in HotJava. There are more effective and less controversial ways to do pretty graphics. Partly this is why I asked about the next ones. The perceived need is there and if HotJava doesn't serve that need - others will try.

> >.. How are firewalls going to deal with the next 20 Java's?
>
> The same way this one is dealt with: a refusal to throw caution to the
> wind simply because it's Kool Stuff.
>

Cheap retort to a serious question. Do you expect the Internet to wait 'cos you imply they are being immature? People will push the boundaries to attempt to make money - that is business. What you might think of as Kool - may, to others, be big dollars. You (firewall security types) will need better arguments than yours above.

No doubt I am naive - and maybe there are historical models for ways to deal with this kind of swelling (if not scale).
Interoperability constraints of the last few decades, plus limited financial gain, have kept Internet applications at bay. No longer so. Some applications will be worthwhile - some will not be.

Rick - I know you have taken time & effort to learn about Java - and I respect that choice of investment. However there is too much coming for individuals to continually keep abreast of.

Adam

> I hate long postings.
>

BTW : Comments like this suit what purpose? Like above - if you want me to stop - give me a better reason.

--
+1-203-730-5437 | http://www.micrognosis.com/~ajack/index.html

From firewalls-owner Fri Nov 3 07:55:40 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id HAA02621 for firewalls-outgoing; Fri, 3 Nov 1995 07:31:28 -0800 (PST)
Received: from smtp.interramp.com (smtp.interramp.com [38.8.45.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id HAA02614 for ; Fri, 3 Nov 1995 07:31:24 -0800 (PST)
Received: from [38.12.98.76] by smtp.interramp.com (8.6.12/SMI-4.1.3-PSI-irsmtp) id KAA10605; Fri, 3 Nov 1995 10:31:23 -0500
X-Sender: us008809@pop3.interramp.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 3 Nov 1995 11:30:00 -0500
To: firewalls@greatcircle.com
From: russo@interramp.com (Bob Russo)
Subject: An *UN* UNIX Firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My mailer told me that someone posted the following:

>what are people using for software. we feel that gauntlet is a unix based
>software product and we have very little unix knowledge. our network is either
>pc/mac or ibm mainframe (VM/ESA). we do have a couple of applications on unix
>but only 1 person to staff this area. a gateway application running on a unix
>platform wouldn't be bad if it were a database application, requiring little
>to no knowledge of unix.
=========================================================================
Then Padgett said:

Unfortunately, what you want does not exist. Security, particularly Internet Insecurity, is different from RAC-F administration. While many firewalls are drawn from Unix backgrounds (though more precisely they use UNIX-like interfaces, rarely are they built on top of plain-jane UNIX), this is because most people who have the necessary background in the TCP/IP protocols and addressing used on the Internet to be able to set up a good firewall come from Unix backgrounds and are most familiar with that syntax.
===========================================================================
Now I'm saying:

You should have a look at FireWall/Plus. This product is a DOS-based firewall. *WAIT*...before you dismiss it by saying "How good can it be if it's DOS" you should know that it is much much more. FireWall/Plus is a "Stateful" packet filtering firewall. It is as robust as most UNIX based firewalls...in all cases easier to set up and manage...less costly to purchase and maintain...Filters and reports on frame level, transport level, application level, node level and even down to the byte level with no UNIX scripting by simply utilizing the most intuitive GUI...Blah Blah Blah

Sorry for the sales pitch...but have a look at it on our home page and you can even download a copy and try from there as well.

Good luck,

Bob Russo

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
Network-1 Software & Technology, Inc.
Designers of *FireWall/Plus*
The Only *DOS* based firewall
New York Corporate Office
909 Third Ave.
New York, NY 10022
Voice: 212-293-3068   Fax: 212-293-3090   Email: russo@network-1.com
HTTP://www.network-1.com/n1
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/

From firewalls-owner Fri Nov 3 08:23:30 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA03271 for firewalls-outgoing; Fri, 3 Nov 1995 08:03:08 -0800 (PST)
Received: from aads.com (aads.net [198.111.96.42]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id IAA03264 for ; Fri, 3 Nov 1995 08:03:04 -0800 (PST)
Received: from [198.111.96.11] (agnew.aads.net [198.111.96.11]) by aads.com (8.6.11/aads2.0) with SMTP id LAA22636; Fri, 3 Nov 1995 11:02:05 -0500
X-Sender: jgs@home.aads.net
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 3 Nov 1995 11:03:18 -0500
To: firewalls@GreatCircle.COM
From: jgs@aads.net (John G. Scudder)
Subject: Re: Man in the Middle Attacks (Over rated?)
Cc: maillet@doc.cs.usm.maine.edu, Ted Doty , curtis@ans.net
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 8:14 AM 11/2/95, Ted Doty wrote:
[...]
>Nevermind when the NFSnet routing nodes were subverted (January 1994?), and
>sniffer programs installed.
[...]

As I discussed with Ted in private email, this isn't correct. The CERT advisory (and various news stories in the popular media) reported sniffer attacks in general. Neither the advisory nor any news stories ever mentioned the NSFNET, and in fact no sniffer programs were ever installed on any NSFNET routers.
Yours for keeping the record straight,

--John Scudder
Ameritech
Former NSFNET guy

From firewalls-owner Fri Nov 3 08:54:21 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA03798 for firewalls-outgoing; Fri, 3 Nov 1995 08:32:10 -0800 (PST)
Received: from westie.gi.net (westie.gi.net [198.247.250.16]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id IAA03791 for ; Fri, 3 Nov 1995 08:32:06 -0800 (PST)
Received: from gaijin.mid.net (gaijin.gi.net [198.247.250.28]) by westie.gi.net (8.7.1/8.7.1) with ESMTP id KAA03715 for ; Fri, 3 Nov 1995 10:32:03 -0600 (CST)
From: Alan Hannan
Received: by gaijin.mid.net (8.7.1) id KAA08828; Fri, 3 Nov 1995 10:32:01 -0600 (CST)
Message-Id: <199511031632.KAA08828@gaijin.mid.net>
Subject: Anecdotes or Firewall/NetSec Jokes
To: firewalls@greatcircle.com (Firewalls Mailing List)
Date: Fri, 3 Nov 1995 10:31:59 -0600 (CST)
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'll be speaking at a number of seminars in the next three weeks, and I think it would be nice to have some intelligent humorous jokes or anecdotes to start my talks off.

If anyone has any good ones, I'd love to hear them, and I think the list members would benefit from their discussion.

I can't recall any of mine (I'm sure there are) and the only one I remember is Marcus's one about some trading chairman listening to the security folks debate policy, and yelling "We will trade" and storming off.....

I look forward to hearing from you, thanks!
--
Alan Hannan                          alan@gi.net
Network Engineer                     (402) 472-0239
Global Internet Network Operations   http://www.gi.net/~alan
Global Internet - Secure Internetworking Around the Globe
-=( Formerly MIDnet )=-

From firewalls-owner Fri Nov 3 10:15:24 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA05296 for firewalls-outgoing; Fri, 3 Nov 1995 09:46:56 -0800 (PST)
Received: from quark.foobar.co.uk (quark.foobar.co.uk [193.122.182.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id JAA05289 for ; Fri, 3 Nov 1995 09:46:49 -0800 (PST)
Received: (from mjc@localhost) by quark.foobar.co.uk (8.6.11/8.6.9) id RAA23766; Fri, 3 Nov 1995 17:40:24 GMT
Message-Id: <199511031740.RAA23766@quark.foobar.co.uk>
Subject: Re: Tightening up SunOS 5.4 (was Re: Hardened OS)
To: smith@sctc.com (Rick Smith)
Date: Fri, 3 Nov 1995 17:40:23 +0000 (GMT)
From: "Martin Cooper"
Cc: firewalls@greatcircle.com
In-Reply-To: <199511031718.LAA09560@shade.sctc.com> from "Rick Smith" at Nov 3, 95 11:18:54 am
X-Mailer: ELM [version 2.4 PL24 ME6]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > No, but then you can hardly eliminate root can you? ;)
>
> That's what we did on Sidewinder. It's a liability in a highly secure
> system, not a benefit. Nobody, not even root, can bypass the
> mandatory aspects of the security mechanisms while the system is in
> normal operation and on the Net.

Oh, ok. I thought it wasn't possible. I'm happy that root is just a name for uid 0, but what about processes that need to be started at boot time? Will it be possible to run these at boot time without an entry for root in the password file, and without the setuid bits on executable binaries? If it is, then this seems like a fine security measure for a bastion host.
Martin

--
Martin Cooper        http://www.foobar.co.uk/~mjc/    mjc@foobar.co.uk
Foobar Internet      http://www.foobar.co.uk/         sales@foobar.co.uk
Phone: +44 (0)116 2330033   Fax: +44 (0)116 2330035
The Magazine Business Centre, Newarke Street, LEICESTER, LE1 5SS

From firewalls-owner Fri Nov 3 10:34:05 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id KAA05841 for firewalls-outgoing; Fri, 3 Nov 1995 10:03:25 -0800 (PST)
Received: from incog.com (ns.incog.com [199.190.177.251]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id KAA05828 for ; Fri, 3 Nov 1995 10:03:21 -0800 (PST)
From: mulligan@future.incog.com
Received: from coslabs.incog.com by incog.com (SMI-8.6/94082501) id KAA20778; Fri, 3 Nov 1995 10:01:55 -0800
Received: from future.incog.com by coslabs.incog.com (5.x/SMI-SVR4) id AA14680; Fri, 3 Nov 1995 11:03:04 -0700
Received: from future (localhost) by future.incog.com (5.x/SMI-SVR4) id AA09630; Fri, 3 Nov 1995 11:03:06 -0700
Message-Id: <9511031803.AA09630@future.incog.com>
To: jgs@aads.net (John G. Scudder)
Cc: firewalls@GreatCircle.COM, maillet@doc.cs.usm.maine.edu, Ted Doty , curtis@ans.net
Subject: Re: Man in the Middle Attacks (Over rated?)
Reply-To: mulligan@incog.com
In-Reply-To: Your message of "Fri, 03 Nov 1995 11:03:18 EST."
Date: Fri, 03 Nov 1995 11:03:05 -0700
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

John Scudder wrote:

> As I discussed with Ted in private email, this isn't correct. The CERT
> advisory (and various news stories in the popular media) reported sniffer
> attacks in general. Neither the advisory nor any news stories ever
> mentioned the NSFNET, and in fact no sniffer programs were ever installed
> on any NSFNET routers.

This is sort of a cagey answer. Quite probably "no sniffer programs were ever installed on any NSFNET routers."
-------

If they were pure routers and not general purpose machines running as routers I don't think you COULD install a sniffer, but this doesn't say that sniffers were not installed on other (non-router) machines attached to the NSFNET backbone. I do know FOR A FACT that a sniffer program was installed on a machine attached to the BARRnet backbone and did sniff a huge number of passwords.

geoff

From firewalls-owner Fri Nov 3 11:09:17 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA04296 for firewalls-outgoing; Fri, 3 Nov 1995 09:02:30 -0800 (PST)
Received: from spider.lloyd.com (spider.lloyd.com [158.222.1.5]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id JAA04289 for ; Fri, 3 Nov 1995 09:02:28 -0800 (PST)
Received: from tomewing.entexcal.com by spider.lloyd.com with smtp (Smail3.1.29.1 #5) id m0tBPVg-000TriC; Fri, 3 Nov 95 09:02 PST
Message-Id:
Date: Fri, 3 Nov 95 09:02 PST
X-Sender: tewing@spider.lloyd.com
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: tewing@spider.lloyd.com (Thomas Ewing)
Subject: Novell based firewalls / IP managers
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings,

I realize this is perhaps an ancient information request, but:

What are everyone's views of the various (if various) products designed as Novell Netware (4.x) centric firewalls / IP address space managers?

Please e-mail direct, and I will summarize.
Thanks,

Tom

--
Tom Ewing                       Your fingers are the original
System Consulting Manager       personal computer
ENTEX Information Services
980 9th Street, Suite 380
Sacramento, CA 95814
PH: 916-325-2976   PG: 916-736-5606

From firewalls-owner Fri Nov 3 11:25:54 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id KAA06490 for firewalls-outgoing; Fri, 3 Nov 1995 10:37:06 -0800 (PST)
Received: from gauntlet-1.trusted.com (gauntlet-1.trusted.com [192.94.214.88]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id KAA06483 for ; Fri, 3 Nov 1995 10:37:03 -0800 (PST)
Received: by gauntlet-1.trusted.com; id NAA29813; Fri, 3 Nov 1995 13:39:16 -0500
Message-Id: <199511031839.NAA29813@gauntlet-1.trusted.com>
Received: from vanidor.tis.com(192.94.214.98) by gauntlet-1.trusted.com via smap (g3.0.3) id xma029811; Fri, 3 Nov 95 13:39:13 -0500
X-Sender: avolio@gauntlet-1.trusted.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 03 Nov 1995 14:30:57 -0500
To: Bob Russo , firewalls@greatcircle.com
From: Frederick M Avolio
Subject: Re: An *UN* UNIX Firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:30 AM 11/3/95 -0500, Bob Russo wrote:
>My mailer told me that someone posted the following:
>
>>what are people using for software. we feel that gauntlet is a unix based
>>software product and we have very little unix knowledge. our network is either
>>pc/mac or ibm mainframe (VM/ESA). we do have a couple of applications on unix
>>but only 1 person to staff this area. a gateway application running on a unix
>>platform wouldn't be bad if it were a database application, requiring little
>>to no knowledge of unix.

A firewall, such as our Gauntlet Internet Firewall, does not require UNIX expertise, or even much UNIX knowledge. ANY connection to the Internet requires knowledge of IP networks, especially DNS and SMTP.
Fred

From firewalls-owner Fri Nov 3 11:26:33 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA03400 for firewalls-outgoing; Fri, 3 Nov 1995 08:08:14 -0800 (PST)
Received: from maildrop.micrognosis.com (supernova.micrognosis.com [192.233.13.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id IAA03393 for ; Fri, 3 Nov 1995 08:08:10 -0800 (PST)
Received: by maildrop.micrognosis.com (4.1/SMI-4.1) id AA08497; Fri, 3 Nov 95 11:08:09 EST
Received: from singhi.corp.micrognosis.com(193.32.166.28) by supernova.micrognosis.com via smap (V1.3) id sma008470; Fri Nov 3 11:07:46 1995
Received: from becks (becks.corp.micrognosis.com) by corp.micrognosis.com (4.1/1.0-integ.cf) id AA08641; Fri, 3 Nov 95 11:11:02 EST
Date: Fri, 3 Nov 1995 11:11:01 -0500 (EST)
From: Adam Jack
X-Sender: ajack@becks
To: Mike Shaver
Cc: "william.wells" , firewalls@greatcircle.com
Subject: Re: Java
In-Reply-To: <199511021904.OAA14050@neon.ingenia.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 2 Nov 1995, Mike Shaver wrote:

> > It's harder to have a policy that says that you can't browse any URL
> > which run applets; especially since I'm not sure that one can tell the URL
> > has applets.
>
> You can't tell which pages will have applets, but you _can_ mandate
> that the users only use non-Java(tm)-aware browsers. (Yes, Netscape is
> releasing such beasts.)
>

My turn at playing the broken record. However - since Sun have left few centralized control options (using HTTP & user config) - I think this is a useful tip.

Trap all http://*.class requests at the firewall's HTTP proxy. Denying them should affect only Java applets. (OK - application firewall soln only. But even packet filter only sites should have an internal cached HTTPD IMHO.)
Adam

--
+1-203-730-5437 | http://www.micrognosis.com/~ajack/index.html

From firewalls-owner Fri Nov 3 11:38:47 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA05039 for firewalls-outgoing; Fri, 3 Nov 1995 09:38:21 -0800 (PST)
Received: from neon.ingenia.com (neon.ingenia.com [134.117.55.86]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id JAA05032 for ; Fri, 3 Nov 1995 09:38:14 -0800 (PST)
Received: (from shaver@localhost) by neon.ingenia.com (8.6.12/8.6.9) id MAA06284; Fri, 3 Nov 1995 12:38:32 -0500
From: Mike Shaver
Message-Id: <199511031738.MAA06284@neon.ingenia.com>
Subject: Re: Java
To: ajack@corp.micrognosis.com (Adam Jack)
Date: Fri, 3 Nov 1995 12:38:31 -0500 (EST)
Cc: william.wells@damark.com, firewalls@greatcircle.com
In-Reply-To: from "Adam Jack" at Nov 3, 95 11:11:01 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Adam Jack mumbled something vague about:
> > You can't tell which pages will have applets, but you _can_ mandate
> > that the users only use non-Java(tm)-aware browsers. (Yes, Netscape is
> > releasing such beasts.)
>
> My turn at playing the broken record. However - since Sun have left few
> centralized control options (using HTTP & user config) - I think this is
> a useful tip.
>
> Trap all http://*.class requests at the firewall's HTTP proxy. Denying
> them should affect only Java applets. (OK - application firewall
> soln only. But even packet filter only sites should have an internal
> cached HTTPD IMHO.)

Works great iff the person writing the page doesn't get wise and rename the class file to MyApplet.wonky or some such.

I suspect that many people will try the *.class solution, and it will quickly become standard for anyone who "really wants people to see their cool applet" to rename it.
Mike

--
#> Mike Shaver (shaver@ingenia.com)   Ingenia Communications Corporation <#
#> Technical Specialist -- will tame sendmail(8) for food                <#
#>                                                                        <#
#> "You are a very perverse individual, and I think I'd like to get to    <#
#> know you better." --- eric@reference.com                               <#

From firewalls-owner Fri Nov 3 11:53:08 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA05339 for firewalls-outgoing; Fri, 3 Nov 1995 09:48:14 -0800 (PST)
Received: from maildrop.micrognosis.com (supernova.micrognosis.com [192.233.13.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id JAA05331 for ; Fri, 3 Nov 1995 09:48:03 -0800 (PST)
Received: by maildrop.micrognosis.com (4.1/SMI-4.1) id AA12185; Fri, 3 Nov 95 12:48:01 EST
Received: from singhi.corp.micrognosis.com(193.32.166.28) by supernova.micrognosis.com via smap (V1.3) id sma012182; Fri Nov 3 12:47:37 1995
Received: from becks (becks.corp.micrognosis.com) by corp.micrognosis.com (4.1/1.0-integ.cf) id AA09077; Fri, 3 Nov 95 12:50:54 EST
Date: Fri, 3 Nov 1995 12:50:53 -0500 (EST)
From: Adam Jack
X-Sender: ajack@becks
To: Mike Shaver
Cc: william.wells@damark.com, firewalls@greatcircle.com
Subject: Re: Java
In-Reply-To: <199511031738.MAA06284@neon.ingenia.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 3 Nov 1995, Mike Shaver (who needs a new reply to comment) wrote :

> Adam Jack mumbled something vague about:
> >
> > Trap all http://*.class requests at the firewall's HTTP proxy. Denying
> > them should affect only Java applets. (OK - application firewall
> > soln only. But even packet filter only sites should have an internal
> > cached HTTPD IMHO.)
>
> Works great iff the person writing the page doesn't get wise and
> rename the class file to MyApplet.wonky or some such.
>
> I suspect that many people will try the *.class solution, and it will
> quickly become standard for anyone who "really wants people to see
> their cool applet" to rename it.
>

It isn't the page author that chooses this. Yes an individual might start the .wonky craze - but they would have to communicate this to people who would then have to similarly re-code their Java-enabled browsers.

These individuals might also choose to attach a C++ compiler/loader to their browser and mess up their lives similarly. I think these people would find ftp easier.

Adam

--
+1-203-730-5437 | http://www.micrognosis.com/~ajack/index.html

From firewalls-owner Fri Nov 3 12:37:26 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id KAA06204 for firewalls-outgoing; Fri, 3 Nov 1995 10:20:19 -0800 (PST)
Received: from neon.ingenia.com (neon.ingenia.com [134.117.55.86]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id KAA06197 for ; Fri, 3 Nov 1995 10:20:14 -0800 (PST)
Received: (from shaver@localhost) by neon.ingenia.com (8.6.12/8.6.9) id NAA06640; Fri, 3 Nov 1995 13:17:37 -0500
From: Mike Shaver
Message-Id: <199511031817.NAA06640@neon.ingenia.com>
Subject: Re: Java
To: ajack@corp.micrognosis.com (Adam Jack)
Date: Fri, 3 Nov 1995 13:17:37 -0500 (EST)
Cc: william.wells@damark.com, firewalls@greatcircle.com
In-Reply-To: from "Adam Jack" at Nov 3, 95 12:50:53 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Adam Jack brought forth:
> On Fri, 3 Nov 1995, Mike Shaver (who needs a new reply to comment) wrote :

True, true...

> It isn't the page author that chooses this. Yes an individual might
> start the .wonky craze - but they would have to communicate this
> to people who would then have to similarly re-code their Java-enabled
> browsers.

Not much recoding to do... distribute a wrapper applet that includes its own class loader. But that's the "illegal software" debate, and I'm getting a little sick of it.

> These individuals might also choose to attach a C++ compiler/loader to
> their browser and mess up their lives similarly. I think these people
> would find ftp easier.

Indeed. See the codebase variable in the tag. Or "gopher://", etc. (Java's only piggybacked on HTTP because that's where most of the HTML gets transported.)

Mike

--
#> Mike Shaver (shaver@ingenia.com)   Ingenia Communications Corporation <#
#> Ignore the man behind the curtain.                                    <#
#>                                                                        <#
#> "And then I realized that it never should have worked in the first    <#
#> place. Thus, it would not work again until rewritten." --- Anon.       <#

From firewalls-owner Fri Nov 3 12:59:00 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id LAA07294 for firewalls-outgoing; Fri, 3 Nov 1995 11:11:30 -0800 (PST)
Received: from relay5.UU.NET (relay5.UU.NET [192.48.96.15]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id LAA07287 for ; Fri, 3 Nov 1995 11:11:27 -0800 (PST)
Received: from uucp1.UU.NET by relay5.UU.NET with SMTP id QQzohg23646; Fri, 3 Nov 1995 14:11:14 -0500 (EST)
Received: from amgen.UUCP by uucp1.UU.NET with UUCP/RMAIL ; Fri, 3 Nov 1995 14:11:27 -0500
Received: from spice.amgen.com by amgen.com (5.0/SMI-SVR4) id AA00772; Fri, 3 Nov 1995 10:19:01 -0800
Received: from amgen.com (amgengate) by spice.amgen.com (4.1/SMI-4.1) id AA05968; Fri, 3 Nov 95 10:18:52 PST
Message-Id:
Date: 3 Nov 1995 10:16:25 U
From: "Yalda Mirzai"
Subject: Re: Firewall Study
To: "John P. Morton" , uunet!greatcircle.com!firewalls@uunet.uu.net
X-Mailer: Mail*Link SMTP/QM 3.0.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Reply to: RE>Firewall Study

I would begin by learning about the various types of firewalls since quantifying or measuring the effectiveness of an internet firewall is partially due to the "type" of firewall in question as well as how well it is implemented.

As for measuring the cost-effectiveness of a firewall configuration and other factors, Gartner Group has written papers on this topic. Mr. Mike Zboray is a Gartner Group analyst who is quite knowledgeable of security related issues.

Regards,
Yalda Mirzai

--------------------------------------
Date: 11/2/95 3:16 PM
To: Yalda Mirzai
From: John P. Morton

Hello all,

I am a novice to the internet firewall concepts however, I am involved in a graduate project; attempting to quantify or measure the effectiveness of an internet firewall. My research must support that internet firewalls are effective against hackers.

From your experience(s) when making firewall configurations what criteria do you analyze within the enterprise and organization to determine the cost-effective firewall configuration? Are there other factors I should consider in attempting to measure firewalls to secure corporate data.

Please advise with any information.
Thank You ------------------ RFC822 Header Follows ------------------ Received: by amgen.com with SMTP;2 Nov 1995 15:11:31 U Received: by amgen.com (5.0/SMI-SVR4) id AA01752; Thu, 2 Nov 1995 15:11:25 -0800 >Received: from miles.greatcircle.com by relay3.UU.NET with ESMTP id QQzoea09551; Thu, 2 Nov 1995 17:09:16 -0500 (EST) Received: from uunet by amgen.amgen.com; Thu, 2 Nov 1995 15:11 PST Received: from miles.greatcircle.com by relay3.UU.NET with ESMTP id QQzoea09551; Thu, 2 Nov 1995 17:09:16 -0500 (EST) Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id MAA26682 for firewalls-outgoing; Thu, 2 Nov 1995 12:24:36 -0800 (PST) Received: from hernsvr.med.osd.mil (hernsvr.med.osd.mil [161.14.8.101]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id MAA26662 for ; Thu, 2 Nov 1995 12:24:26 -0800 (PST) Received: from ae938.med.osd.mil by hernsvr.med.osd.mil with SMTP (5.65/25-eef) id AA29216; Thu, 2 Nov 95 15:24:11 -0500 From: "John P. Morton" Message-Id: <9511021520.ZM16023@unknown.zmail.host> Date: Thu, 2 Nov 1995 15:20:30 -0500 X-Mailer: ZM-Win (3.2.1 11Sep94) To: uunet!greatcircle.com!firewalls Subject: Firewall Study Mime-Version: 1.0 Sender: uunet!GreatCircle.COM!firewalls-owner Precedence: bulk Content-Type: text/plain; charset=us-ascii Content-Length: 669 From firewalls-owner Fri Nov 3 13:33:08 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id MAA09400 for firewalls-outgoing; Fri, 3 Nov 1995 12:52:39 -0800 (PST) Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id MAA09393 for ; Fri, 3 Nov 1995 12:52:32 -0800 (PST) Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id PAA22839; Fri, 3 Nov 1995 15:25:40 -0600 Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id PAA22835; Fri, 3 Nov 1995 15:25:40 -0600 Received: from 
shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id OAA21683; Fri, 3 Nov 1995 14:52:36 -0600 (CST)
Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id OAA20691; Fri, 3 Nov 1995 14:52:35 -0600
Date: Fri, 3 Nov 1995 14:52:35 -0600
From: Rick Smith
Message-Id: <199511032052.OAA20691@shade.sctc.com>
To: firewalls@greatcircle.com
Cc: smith@sctc.com, maillet@doc.cs.usm.maine.edu
Subject: Re: A defense against sniffing attacks for mere mortals
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Edward Maillet writes:
> Sorry to step on the toes of you S/Key, Kerberos, it's-only-safe-if-it's-
> encrypted types but it seems that there are other ways of defeating
> packet sniffers. Both active and passive.
....
> I realize that this is a rather specific topology but it is an interesting
> and rather simple solution.

This might be simple from a technical standpoint, the first time out the chute. But it poses the same question addressed in Ian J-B's recent testament on build vs buy in security. How much is the lifecycle cost?

Moreover, there's a policy problem. Step back a minute and consider the fundamental objective: You're trying to protect information while transferring it across a set of communications devices. You have a policy statement that says the information must be protected, and describes the general measures that must be used. In this case, the security measures are properties of the specific communications media being used. Thus, you can not change those devices without revisiting and reevaluating your security policy, and the measures by which the policy is achieved. If you can guarantee that this evaluation and analysis will always occur, then the network is already under pretty good security control.

The real trouble is with traffic outside your region of control.
These security measures depend on properties of external connections ("We have a direct feed to Sprint's backbone"), but the functional behavior of the feed itself does _not_ depend on these properties. Here's the rub. If a network manager somewhere in the path changes the configuration, your traffic will still go through but your security posture will have invisibly changed. Maybe you can produce diagnostics or probe procedures to detect any such changes, but that doesn't sound like the right allocation of analytical resources. It becomes a losing race with patching a bad job. Rick. smith@sctc.com secure computing corporation From firewalls-owner Fri Nov 3 13:56:35 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id MAA08460 for firewalls-outgoing; Fri, 3 Nov 1995 12:01:04 -0800 (PST) Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.70.210]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id MAA08443 for ; Fri, 3 Nov 1995 12:00:59 -0800 (PST) Message-Id: <199511032000.MAA08443@miles.greatcircle.com> Received: by habanero.jmu.edu (1.37.109.16/16.2) id AA069408777; Fri, 3 Nov 1995 14:59:37 -0500 Date: Fri, 3 Nov 1995 14:59:37 -0500 From: gary flynn To: firewalls@greatcircle.com Subject: Success and thanks...re: OPIE on FWTK Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Many thanks to all those who offered suggestions to me on how to get an SKEY derived package integrated into FWTK on hpux. For various reasons, I've chosen to use the OPIE product and it seems to be working fine at this time. I have to clean up my kludged modifications and do more testing but I think I'm in the clear. Thanks again, gary From firewalls-owner Fri Nov 3 14:24:49 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id LAA07975 for firewalls-outgoing; Fri, 3 Nov 1995 11:37:11 -0800 (PST) Received: from tidbit.fhda.edu. 
(tidbit.fhda.edu [153.18.12.252]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id LAA07965 for ; Fri, 3 Nov 1995 11:37:06 -0800 (PST) Received: (from lanning@localhost) by tidbit.fhda.edu. (8.6.12/8.6.9) id MAA00880; Fri, 3 Nov 1995 12:46:20 -0800 From: Bob Lanning Message-Id: <199511032046.MAA00880@tidbit.fhda.edu.> Subject: Re: idb.ar.com...the mystery continues To: ggh14854@ussun2f.glaxo.com Date: Fri, 3 Nov 1995 12:46:20 -0800 (PST) Cc: Firewalls@GreatCircle.COM In-Reply-To: from "Gary Hull" at Nov 3, 95 08:48:13 am X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ---- As written by Gary Hull: > > Bob -- Yes, I realize that and I apologize for my rash reaction. Like > me, you too were offering assistance to the list and I know it is > appreciated. I also offer my apologies to the list membership > as a whole. Yesterday was a bad day for me with my focus being on > draining the swamp but the darn alligators wouldn't let me near > the plug. Have a nice day! > |/ > ---o0o-@@-o0o--------- > > Gary G. Hull - Technical Consultant > Howard Systems International - Glaxo Wellcome Inc. > Five Moore Drive - Raleigh, North Carolina 27709 > Tel : (919) 941-4867 - Fax : (919) 248-2831 > email: ggh14854@ussun2f.glaxo.com > > apology accepted. Just keep away from them alligator snouts! :) -- Robert Hajime Lanning "It's the FROSTING!" The opinions expressed here are not mine, nor are they anyone else's. 
lanning@tidbit.fhda.edu <--for fun && for profit--> lanning@cup.hp.com From firewalls-owner Fri Nov 3 14:26:09 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id LAA08026 for firewalls-outgoing; Fri, 3 Nov 1995 11:39:20 -0800 (PST) Received: from aads.com (aads.net [198.111.96.42]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id LAA08019 for ; Fri, 3 Nov 1995 11:39:16 -0800 (PST) Received: from [198.111.96.11] (agnew.aads.net [198.111.96.11]) by aads.com (8.6.11/aads2.0) with SMTP id OAA23896; Fri, 3 Nov 1995 14:38:07 -0500 X-Sender: jgs@home.aads.net Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 3 Nov 1995 14:39:25 -0500 To: mulligan@incog.com From: jgs@aads.net (John G. Scudder) Subject: Re: Man in the Middle Attacks (Over rated?) Cc: firewalls@GreatCircle.COM, maillet@doc.cs.usm.maine.edu, Ted Doty , curtis@ans.net Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Geoff, At 11:03 AM 11/3/95, mulligan@future.incog.com wrote: [...] >This is sort of a cagey answer. Quite probably "no sniffer programs >were ever installed on any NSFNET routers." My message wasn't meant to be cagey. I'm sorry you found it too ambiguous. Try this: No sniffer programs were installed on any components of the NSFNET backbone. >If they were pure routers and not general purpose machines running as >routers I don't think you COULD install a sniffer, but this doesn't say >that sniffers were not installed on other (non router) machines attached >to the NSFNET backbone. Since all the (then) NSFNET regionals and, by transitivity, the entire Internet was attached to the NSFNET backbone in some sense it wouldn't make sense to make this claim if we are splitting hairs. But the point is that the NSFNET backbone service wasn't compromised. Your packets might have been sniffed getting there or away, as they transited other people's networks, but not as they crossed the NSFNET. 
>I do know FOR A FACT that a sniffer program was installed on a machine >attached to the BARRnet backbone and did sniff a huge number of >passwords. BARRnet's not the NSFNET backbone of course, so this doesn't prove anything. Hopefully this message makes things clear to all but the most inveterate hair-splitters. If you want further clarification, perhaps we could take this to private email. Regards, --John Scudder From firewalls-owner Fri Nov 3 14:27:31 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id MAA08542 for firewalls-outgoing; Fri, 3 Nov 1995 12:06:42 -0800 (PST) Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id MAA08535 for ; Fri, 3 Nov 1995 12:06:38 -0800 (PST) Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id OAA21573; Fri, 3 Nov 1995 14:40:13 -0600 Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id OAA21569; Fri, 3 Nov 1995 14:40:12 -0600 Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id OAA20316; Fri, 3 Nov 1995 14:07:10 -0600 (CST) Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id OAA17966; Fri, 3 Nov 1995 14:07:09 -0600 From: Rick Smith Message-Id: <199511032007.OAA17966@shade.sctc.com> Subject: Re: Tightening up SunOS 5.4 (was Re: Hardened OS) To: mjc@quark.foobar.co.uk (Martin Cooper) Date: Fri, 3 Nov 1995 14:07:08 -0600 (CST) Cc: smith@sctc.com, firewalls@greatcircle.com In-Reply-To: <199511031740.RAA23766@quark.foobar.co.uk> from "Martin Cooper" at Nov 3, 95 05:40:23 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I'm happy that root is just a name for uid 0, but what about > processes that need to be started at 
boot time? Will it be
> possible to run these at boot time without an entry for root in
> the password file, and without the setuid bits on executable
> binaries?

Actually, the term "root" is getting overloaded in this discussion. It has two fundamental properties of interest here:

1) it has uid 0 which is really necessary in most Unix systems, and
2) it can override lots of access protections on the system.

We left in 1) and constrained 2) using our type enforcement mechanism. Some standard Unix systems try to get a similar effect with chroot, with varying degrees of success.

Rick.

> If it is, then this seems like a fine security measure for a
> bastion host.

I think the industry has proven there's a huge market for host systems with limited security. So we at least need to make strong firewalls.

Rick.
smith@sctc.com secure computing corporation

From firewalls-owner Fri Nov 3 14:28:53 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id LAA08153 for firewalls-outgoing; Fri, 3 Nov 1995 11:43:42 -0800 (PST)
Received: from gatekeeper.alpharel.com (gatekeeper.ALPHAREL.COM [204.118.5.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id LAA08146 for ; Fri, 3 Nov 1995 11:43:39 -0800 (PST)
Received: (from mail@localhost) by gatekeeper.alpharel.com (8.6.8/8.6.6a) id LAA01979; Fri, 3 Nov 1995 11:43:44 -0800
Received: from optigfx.optigfx.com(147.203.1.30) by gatekeeper.alpharel.com via smap (V1.5mrm) id sma001977; Fri Nov 3 11:43:43 1995
Received: from visalia.optigfx.com by optigfx.optigfx.com (4.1/SMI-4.1-3) id AA07093; Fri, 3 Nov 95 11:40:40 PST
Received: (from mrm@localhost) by visalia.optigfx.com (8.6.9/8.6.9) id LAA08495; Fri, 3 Nov 1995 11:40:37 -0800
Date: Fri, 3 Nov 1995 11:40:37 -0800
From: Mike Murphy
Message-Id: <199511031940.LAA08495@visalia.optigfx.com>
To: scs@lokkur.dexter.mi.us
Subject: Re: None
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>From: Steve Simmons
>Subject:
Re: None
>To: amgen!Yalda.Mirzai@uunet.uu.net (Yalda Mirzai)
>Date: Wed, 25 Oct 1995 21:22:47 -0400 (EDT)
>In-Reply-To: from "Yalda Mirzai" at Oct 25, 95 12:10:14 pm
>
>>Any philosophical thoughts regarding this issue in general?
>
>Yes, set up a bastion host and don't let vendors into your internal net.
>See the Zwicky and Chapman book.
>

From the viewpoint of a vendor ;-)

If you have net access and you let us in to do maintenance via the Internet it is less expensive for you, and you get better service.

If you have dialin access and you let us in to do maintenance via the dialin it is more expensive for us, takes more time, you get slightly less responsive service, and you pay slightly more.

If you decide not to let us into your system that we need to maintain unless we show up in person, you pay more... time, travel, and expenses. You may not get response that is as rapid as you might desire. Flights from point A to point B are generally not quite as quick as telnet. You may also not get a response from as knowledgeable a service person.

It is the choice of the customer, but the customer should be aware that a security policy defines tradeoffs that involve money.

--
Mike Murphy mrm@alpharel.com +1.619.625.3000 x265
ALPHAREL 9339 Carroll Park Drive San Diego, CA 92121
Any opinions above are mine and not those of my employer.
From firewalls-owner Fri Nov 3 14:30:20 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id LAA08359 for firewalls-outgoing; Fri, 3 Nov 1995 11:56:55 -0800 (PST)
Received: from quark.foobar.co.uk (quark.foobar.co.uk [193.122.182.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id LAA08352 for ; Fri, 3 Nov 1995 11:56:42 -0800 (PST)
Received: (from mjc@localhost) by quark.foobar.co.uk (8.6.11/8.6.9) id TAA26509; Fri, 3 Nov 1995 19:50:36 GMT
Message-Id: <199511031950.TAA26509@quark.foobar.co.uk>
Subject: Re: Anecdotes or Firewall/NetSec Jokes
To: alan@gi.net (Alan Hannan)
Date: Fri, 3 Nov 1995 19:50:35 +0000 (GMT)
From: "Martin Cooper"
Cc: firewalls@greatcircle.com
In-Reply-To: <199511031632.KAA08828@gaijin.mid.net> from "Alan Hannan" at Nov 3, 95 10:31:59 am
X-Mailer: ELM [version 2.4 PL24 ME6]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Alan Hannan wrote:
> I'll be speaking at a number of seminars in the next three weeks,
> and I think it would be nice to have some intelligent humorous
> jokes or anecdotes to start my talks off.
>
> If anyone has any good ones, I'd love to hear them, and I think
> the list members would benefit from their discussion.
>
> I can't recall any of mine (I'm sure there are) and the only one I
> remember is Marcus's one about some trading chairman listening to
> the security folks debate policy, and yelling "We will trade" and
> storming off.....
>
> I look forward to hearing from you, thanks!

Customer to ISP: Hello, is the Internet broken tonight?

----

Regarding a University sysadmin:

[snip]

Whilst reading a posting in [local newsgroup] in which the poster told of how he asked [the sysadmin] (aka. [login]/root/dude with long hair) when the news feed would resume, I quivered, quaked and generally spasmed that a lesser mortal would dare to approach the great one with such a trivial request.
It then struck upon me to impart the fourth year guide to requesting help from the long-haired one.

The trick, my dear friends, is in the glasses - more specifically, in the shade of the lenses. If, when you approach the door to effect that first inquisitive knock, you can only see the man's eyes through his shades, then you must seriously question the importance and validity of your request. *DO NOT PROCEED* under any circumstances if said request falls into any of the following categories:

* can you stop the printer printing that postscript file I just sent it
* I've just hit the reset button on my workstation
* what happened to those 30 .GIF files I had in my directory
* I'm sure somebody has already told you, but did you know that [hostname] has crashed

etc.

If you are lucky enough to chance upon the man whilst his face is devoid of his come-nearer scopes, you will be subjected to gentle ridicule, with a dose of dry humour and intellectually challenging conversation in a matey-matey sort of way and your request will be dealt with promptly and courteously.

HOWEVER - if the shades are soooo goddamn dark that you can see your own reflection in them, then forget it! Walk away. Live to fight another day and all that rather than face the wrath of Mr. [name].

We, quite simply, are not worthy!

Yours coweringly....

[snip]

Can't think of anything else particularly funny at the moment.
Martin -- Martin Cooper http://www.foobar.co.uk/~mjc/ mjc@foobar.co.uk Foobar Internet http://www.foobar.co.uk/ sales@foobar.co.uk Phone: +44 (0)116 2330033 Fax: +44 (0)116 2330035 The Magazine Business Centre, Newarke Street, LEICESTER, LE1 5SS From firewalls-owner Fri Nov 3 14:31:50 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id LAA08342 for firewalls-outgoing; Fri, 3 Nov 1995 11:55:56 -0800 (PST) Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id LAA08335 for ; Fri, 3 Nov 1995 11:55:50 -0800 (PST) Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id OAA21357; Fri, 3 Nov 1995 14:29:23 -0600 Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id OAA21353; Fri, 3 Nov 1995 14:29:22 -0600 Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id NAA20124; Fri, 3 Nov 1995 13:56:21 -0600 (CST) Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id NAA17221; Fri, 3 Nov 1995 13:56:20 -0600 From: Rick Smith Message-Id: <199511031956.NAA17221@shade.sctc.com> Subject: Re: What about the next 20 Java-like applications? ( was Re: Java) To: ajack@corp.micrognosis.com (Adam Jack) Date: Fri, 3 Nov 1995 13:56:19 -0600 (CST) Cc: smith@sctc.com, firewalls@greatcircle.com In-Reply-To: from "Adam Jack" at Nov 3, 95 10:23:45 am X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Continuing my discussion with Adam Jack on Java: > On Wed, 1 Nov 1995, Rick Smith wrote: > > > For the (broken) record, I think the Java developers did a fine job of > > dealing with early '80s style security issues. 
But they didn't get a
> > handle on the desktop security issues early enough in the HotJava
> > design.
> >
> Interesting comment. Please elaborate w/ some examples - privately,
> if you think this thread is noise or it is undue repetition.

The '80s security problem I'm referring to is the implementation of pcodes that defend themselves from programming errors (i.e. bad vectors or array offsets) or overt attempts at subversion. This is a software extension of the storage protection and multiple mode work in computer architectures to support multiprogramming, which dates back to the late '50s. I think the industry's understanding of such mechanisms really flowered in the late '70s and early '80s after having a variety of worked examples to review.

The unaddressed problem is that of running code from arbitrary sources on a workstation without threatening the workstation's integrity. They could have taken the easy way out and just fielded HotJava without functions that observe or modify workstation information -- pretty pictures, mousedowns and key presses, but no file reading. If HotJava only sent back stuff that was clearly and unambiguously provided to it by explicit user actions, then it presents a much smaller threat. Once they gave HotJava a way to read files the genie was out. Now it's like X-windows: only safe for certain on virtual private networks. At least that's how it looks right now.

> Java :
> Remember when Chuck McManis suggested the possibility of a firewall
> resident Java based applet-proxy? There would, of course, be overhead
> (but then downloading Java applets is slow so there is CPU idle time!)

Some form of that is going to happen eventually. The hard question will be one of policy: why let in one applet but not another? It will be tough to manage it on the basis of behavior (i.e. what functions does the applet use) since behavior could be masked through some elaborate chain of procedure inheritance.
That leaves authentication and decision-making based on whose digital signature vouches for the applet's behavior. Needs an infrastructure that's not deployed yet.

> > >.. How are firewalls going to deal with the next 20 Java's?
> >
> > The same way this one is dealt with: a refusal to throw caution to the
> > wind simply because it's Kool Stuff.
> >
> Cheap retort to a serious question. Do you expect the Internet to
> wait 'cos you imply they are being immature? People will push the
> boundaries to attempt to make money - that is business. What you might
> think of as Kool - may, to others, be big dollars. You (firewall
> security types) will need better arguments than yours above.

I think we were both drawing lines in the sand. You're right: that's the wrong way to fix the problem. The solutions will require teamwork, and the ability to deal with the whole universe of problems, not just functional ones nor just security ones.

> Some applications will be worthwhile - some will not be. Rick - I know you
> have taken time & effort to learn about Java - and I respect that choice of
> investment. However there is too much coming for individuals to
> continually keep abreast of.

The only reason I spent so much time on Java was because we had a client that was very, very interested in it, tho' not interested enough to fund a real security audit of it. But it represents a fundamental technological problem in computer security. Even if Java fails in the marketplace, the issues it raises will reappear.

> > I hate long postings.
> >
> BTW : Comments like this suit what purpose? Like above - if you want
> me to stop - give me a better reason.

Sorry, I was just letting off steam. My response just took longer to compose than I expected and I was late leaving for home.

Rick.
smith@sctc.com secure computing corporation From firewalls-owner Fri Nov 3 14:33:18 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id NAA10413 for firewalls-outgoing; Fri, 3 Nov 1995 13:32:58 -0800 (PST) Received: from services ([168.166.0.67]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id NAA10406 for ; Fri, 3 Nov 1995 13:32:55 -0800 (PST) Received: from services by services (SMI-8.6/SMI-SVR4) id PAA17720; Fri, 3 Nov 1995 15:34:39 -0600 Date: Fri, 3 Nov 1995 15:34:37 -0600 (CST) From: "Frank K. Senter" X-Sender: fsenter@services To: firewalls@greatcircle.com Subject: Replacing From: field Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Could someone point me to instruction on altering the "From: user@myplace" field in outbound email? It doesn't make much sense for me to hide our naming structure with a dual DNS system around our firewall if outbound mail informs our readers of userids and hostnames. Frank Senter Senior Information Specialist Missouri Highway and Transportation Department P.O. 
Box 270 Jefferson City MO 65102

From firewalls-owner Fri Nov 3 14:34:46 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id OAA11174 for firewalls-outgoing; Fri, 3 Nov 1995 14:10:10 -0800 (PST)
Received: from relay-4.mail.demon.net (relay-4.mail.demon.net [158.152.1.64]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id OAA11167 for ; Fri, 3 Nov 1995 14:10:01 -0800 (PST)
Received: from post.demon.co.uk by relay-4.mail.demon.net id sg.ah25088; 3 Nov 95 21:54 GMT
Received: from relay-4.mail.demon.net by relay-3.mail.demon.net id aa24547; 3 Nov 95 21:51 GMT
Received: by mntcmp2.demon.co.uk (Smail3.1.28.1 #5) id m0tBU0t-0006r9C; Fri, 3 Nov 95 21:51 GMT
Message-Id:
From: Jon Whitton
Subject: Re: Anecdotes or Firewall/NetSec Jokes
To: Alan Hannan
Date: Fri, 3 Nov 1995 21:51:03 +0000 (GMT)
Cc: firewalls@greatcircle.com
In-Reply-To: <199511031632.KAA08828@gaijin.mid.net> from "Alan Hannan" at Nov 3, 95 10:31:59 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> I'll be speaking at a number of seminars in the next three weeks,
> and I think it would be nice to have some intelligent humorous
> jokes or anecdotes to start my talks off.
>

How about Microsoft, they are the biggest joke going.

--
================================================================================
Jon Whitton.
Internet Address: jonw@mntcmp2.demon.co.uk ================================================================================ -- From firewalls-owner Fri Nov 3 14:36:39 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id MAA08716 for firewalls-outgoing; Fri, 3 Nov 1995 12:19:44 -0800 (PST) Received: from blackgold.ab.ca (tnc.com [198.53.152.12]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id MAA08709 for ; Fri, 3 Nov 1995 12:19:40 -0800 (PST) Received: from ppp1.tnc.com by blackgold.ab.ca (4.1/SMI-4.1) id AA17237; Fri, 3 Nov 95 13:23:10 MST Message-Id: <9511032023.AA17237@blackgold.ab.ca> X-Sender: lbickley@tnc.com X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 03 Nov 1995 14:18:38 -0400 To: firewalls@greatcircle.com From: Lachlan Bickley Subject: Re: An *UN* UNIX Firewall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 11:30 03/11/95 -0500, you wrote: >My mailer told me that someone posted the following: > >>what are people using for software. we feel that gauntlet is a unix based >>software product and we have very little unix knowledge. our network is either >>pc/mac or ibm mainframe (VM/ESA). we do have a couple of applications on unix >>but only 1 person to staff this area. a gateway application running on a unix >>platform wouldn't be bad if it were a database application, requiring little >>to no knowledge of unix. > >========================================================================= >Then Padgett said: > >Unfortunately, what you want does not exist. Security, particularly Internet >Insecurity, is different from RAC-F administration. 
> >While many firewalls are drawn from Unix backgrounds (though >more precisely they use UNIX-like interfaces, rarely are they built on top >of plain-jane UNIX), this is because most people who have the necessary >background in the TCP/IP protocols and addressing used on the Internet >to be able to set up a good firewall come from Unix backgrounds and are >most familiar with that syntax. > > > >=========================================================================== > >Now I'm saying: > >You should have a look at FireWall/Plus. This product is a DOS-Based >firewall. > >*WAIT*...before you dismiss it by saying "How good can it be if it's DOS" >you should know that it is much much more. > >FireWall/Plus is a "Stateful" packet filtering firewall. It is as robust as >most UNIX based firewalls...in all cases easier to setup and manage...less >costly to purchase and maintain...Filters and reports on frame level, >transport level, application level, node level and even down to the byte >level with no UNIX scripting by simply utilizing the most intuitive >GUI...Blah Blah Blah > >Sorry for the sales pitch...but have a look at it on our home page and you >can even down-load a copy and try from there as well. > >Good luck, >Bob Russo > > I don't recall seeing the first message on this list, however I thought that you might want to have a look at Blackhole from Milkyway (http://www.milkyway.com/). They have a UNIX firewall which comes with a front end GUI interface to add and modify any "rules" that you want to setup. Just my two bits. ------------------------------------------------------------------- TNC The Network Centre Ltd. 
Internetworking Consultants & Service Providers
+++++++++++++++++++++++++++++++++++++++++++++++
Lachlan Bickley                   11211 76 Avenue
lbickley@tnc.com                  Edmonton, Alberta, Canada T6G 0K2
(403)955-7166                     (403)470-7846-pager
-------------------------------------------------------------------

From firewalls-owner Fri Nov 3 17:56:26 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA16682 for firewalls-outgoing; Fri, 3 Nov 1995 17:30:23 -0800 (PST)
Received: from Disclosure.COM (di2.disclosure.com [205.156.194.11]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id RAA16607 for ; Fri, 3 Nov 1995 17:29:50 -0800 (PST)
Received: by Disclosure.COM (4.1/SMI-4.1) id AA08440; Fri, 3 Nov 95 20:32:48 EST
Date: Fri, 3 Nov 1995 20:32:46 -0500 (EST)
From: Scott Barman
To: Adam Jack
Cc: Rick Smith , firewalls@greatcircle.com
Subject: Re: What about the next 20 Java-like applications? ( was Re: Java)
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 3 Nov 1995, Adam Jack wrote:

> On Wed, 1 Nov 1995, Rick Smith wrote:
>
> > (third level references unattributed):
> > > Reassurance isn't a right! ...
> >
> > Competent firewall and security vendors do NOT subscribe to this
> > mindset. If a customer is concerned enough about security to seek a
> > quality product, they have every right to (re)assurance that the
> > protections they expect are in place. They deserve to know what
> > security measures are effective and deployed. They deserve evidence.
> >
> Precisely. Customers pay you to prove something. Sun aren't selling
> to you - they are testing a concept in good old Internet fashion
> - by letting 'net individuals do some of the leg work. Sun have
> made a lot of information available - it just takes time to ingest.

The problem is that they are not only testing it, they are test marketing it
as well.
It is a topic in almost every sales pitch, press release, etc. One cannot
have a talk with a Sun employee without Java being mentioned in the
conversation--and sounding like the sales literature. Then I walk into a
company and hear "oh neat, where can I get this Java thingy." All they know
is what is put out by Sun's marketing machine, but they're out and ready to
buy a non-existent product. Is this right? I hate to say this, but Sun is
doing to Java what M$ did to Windoze 95. Will it fizzle like Win95 has?

I also have a problem with this concept "in good old Internet fashion - by
letting 'net individuals do some of the leg work." Oh really?? What a way to
get cheap labor. Get everyone out there with two seconds free time to play
with this and go "oooo neat!" instead of doing a proper evaluation. I think
they would be better off hiring a few independent contractors (as in
independent from Sun) to do a proper analysis on this from all aspects,
including for security!

> I don't necessarily condone it (except maybe from a business
> standpoint) - but it is happening. And it will continue to ...

Just because Sun is doing it doesn't make it right!

> > Evolving attack methodologies also strain current firewall models,
> > even without throwing HotJava into the picture. Sites concerned about
> > security want finer grained awareness of what crosses their boundary.
> > It's not clear how we meet their needs and also pass applets. Magic
> > doesn't exist, and firewalls can't perform mathematical miracles.
> >
> I am not able to comment on other than Java - but your point seems
> very sound. Maybe one of the benefits of this Internet explosion
> will be heightened user awareness - and reduced requirement for
> transparency at the firewall. If users will accept a bit more pain
> for their functionality maybe the need for magic can be removed.

Don't count on it.
I am now talking to people (trying to sell my services :-) who do not know
the first thing about the internet or internet security except what they
read in Time or Newsweek (basically). It is amazing the look of shock and
fear when I explain what is really going on and shove a few examples under
their noses. I don't know why I keep arguing this point, especially since I
just installed a firewall for a customer whose systems were hacked into. I'm
making a good living. I guess I'm just tired of the mop-up role.

> > >.. How are firewalls going to deal with the next 20 Java's?
> >
> > The same way this one is dealt with: a refusal to throw caution to the
> > wind simply because it's Kool Stuff.
> >
> Cheap retort to a serious question. Do you expect the Internet to
> wait 'cos you imply they are being immature? People will push the
> boundaries to attempt to make money - that is business. What you might
> think of as Kool - may, to others, be big dollars. You (firewall
> security types) will need better arguments than yours above.

I don't think it's a cheap retort, I think it's a valid answer! Why should I
just open my (virtual) doors and allow the (net) traffic in if I cannot trust
it, just because it's neat and wonderful? I think horses are neat and
wonderful animals, but I'm not going to let one in my house! (POINT: Even
the best of intentions have their consequences)

> Some applications will be worthwhile - some will not be. Rick - I know you
> have taken time & effort to learn about Java - and I respect that choice of
> investment. However there is too much coming for individuals to
> continually keep abreast of. Live by information, die by ignorance.

It is the responsibility of the person who has to guard the door to
understand the threats. Watching over this, security and systems, is more
than a full time job. This is where this list comes in, to help keep those
of us who require this information up to date.
I've had no problems keeping up--well, maybe I should s/no/only a few/ !! :-)

scott barman
--
scott barman              DISCLAIMER: I speak to anyone who will listen,
scott@disclosure.com      and I speak only for myself.
barman@ix.netcom.com
"I don't know if security explains why the Win95 support Web servers run
BSDI 2.0--an Intel-based Unix--rather than Windows NT, which Microsoft
insists is the ideal Web software solution. Does Redmond know something we
don't know?" -Robert X. Cringely, INFOWORLD, 9/11/95

From firewalls-owner Fri Nov 3 18:24:00 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id SAA18216 for firewalls-outgoing; Fri, 3 Nov 1995 18:08:02 -0800 (PST)
Received: from research.att.com (research.att.com [192.20.225.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id SAA18209 for ; Fri, 3 Nov 1995 18:07:59 -0800 (PST)
From: smb@research.att.com
Message-Id: <199511040207.SAA18209@miles.greatcircle.com>
Date: Fri, 3 Nov 95 21:06:53 EST
To: firewalls@greatcircle.com
Subject: defending against sequence number attacks
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Folks on this list may want to retrieve draft-rfced-info-bellovin-00.txt
from their favorite internet-drafts directory. It describes a simple change
to TCP servers that provides strong protection against sequence number
guessing attacks.
		--Steve Bellovin

From firewalls-owner Fri Nov 3 18:52:57 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id SAA18116 for firewalls-outgoing; Fri, 3 Nov 1995 18:04:26 -0800 (PST)
Received: from TIS.COM (neptune.tis.com [192.94.214.96]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id SAA18109 for ; Fri, 3 Nov 1995 18:04:23 -0800 (PST)
Received: from relay.tis.com by neptune.TIS.COM id aa27763; 3 Nov 95 20:50 EST
Received: from sol.tis.com(192.33.112.100) by relay.tis.com via smap (g3.0.1) id xma010223; Fri, 3 Nov 95 20:29:44 -0500
Received: by tis.com (4.1/SUN-5.64) id AA26787; Fri, 3 Nov 95 20:50:00 EST
Date: Fri, 3 Nov 95 20:50:00 EST
From: Frederick M Avolio
Message-Id: <9511040150.AA26787@tis.com>
To: firewalls@greatcircle.com, fsenter@mail.state.mo.us
Subject: Re: Replacing From: field
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Get a fine sendmail book such as SENDMAIL: THEORY AND PRACTICE (Digital
Press, ISBN 1-55558 127 7). You can also check out the sendmail.cf that (I
think) is supplied with the FWTK. You can check out the book's sendmail.cf
in users/avolio/book.cf on ftp.tis.com.

fred

From firewalls-owner Fri Nov 3 19:20:08 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id SAA19461 for firewalls-outgoing; Fri, 3 Nov 1995 18:45:13 -0800 (PST)
Received: from colt.milepost.com (colt.milepost.com [164.57.50.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id SAA19454 for ; Fri, 3 Nov 1995 18:45:08 -0800 (PST)
Received: (from phil@localhost) by colt.milepost.com (8.6.12/8.6.9) id UAA08423; Fri, 3 Nov 1995 20:43:04 -0600
From: Phil Howard
Message-Id: <199511040243.UAA08423@colt.milepost.com>
Subject: Re: mountd Security
To: morph_1@netaxs.com (W0W!@# ELYTENESS#@!)
Date: Fri, 3 Nov 1995 20:43:04 -0600 (CST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "!"
	at Nov 3, 95 04:06:59 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Well the firewall itself isn't in question, it's the fact that mountd is
> running between the machines that have users on them inside the firewall,
> is there any security problem with running mountd that can be locally
> exploited? If there is then i would just disable the daemon; not exporting
> anything nesc at this point. Limiting access would work too, but first
> I wanted to establish if much of a risk exists.
> As far as what's being exported goes, it's only (rw) filesystems to the
> machines inside the firewall.

Your inside users could take advantage of the mountd. Maybe they won't.
If you trust those users, then you don't need to worry about them. IP
addresses can be faked. Userids can be faked from machines where someone
has root access or physical machine access.

Security comes from a combination of trust and distrust that is correctly
attributed. If you know correctly who you can trust and who you cannot
trust, you will do the right thing, given the right information.

I have found a situation where I was exporting a filesystem ro to all hosts
and rw to two hosts. However, it turned out that all hosts had rw. I do
not know what was wrong, and because it wasn't anything important, I just
removed it all and never investigated.
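Phil's "ro to all hosts, rw to two hosts, but everyone had rw" story is the kind of thing a small export-file audit catches before users do. The following is an added example, not code from Phil Howard or anyone on the list; it assumes the Linux nfs-utils style of /etc/exports ("path client(options) client(options)") and the sample file it parses is constructed. One mistake it specifically looks for is a space between a client name and its "(rw)", which exportfs reads as the named client with default options plus a separate, world-wide rw entry.

```python
"""Audit an /etc/exports file for over-broad NFS exports (added example).

Assumptions: nfs-utils export syntax; a token of the form "(opts)" with no
client in front of it applies to every host, as exportfs treats it. The
sample file below is constructed, not taken from any real host.
"""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

SAMPLE_EXPORTS = """\
# constructed sample /etc/exports
/home      inside1.example.net(rw,sync) inside2.example.net(rw,sync)
/pub       *(ro,all_squash)
/data      inside1.example.net (rw)
/scratch   *(rw,no_root_squash)
/srv/share 10.0.0.0/24(rw)
"""

# client part, then an optional "(opt,opt,...)" suffix
_CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


@dataclass(frozen=True)
class ExportEntry:
    path: str
    client: str                 # "*" means every host
    options: Tuple[str, ...]
    detached: bool              # options were written "(opts)" with no client in front


def parse_exports(text: str) -> List[ExportEntry]:
    """Tokenise the way exportfs does: whitespace separates client entries."""
    entries: List[ExportEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:]
        if not clients:                          # bare path: exported to everyone
            entries.append(ExportEntry(path, "*", (), False))
            continue
        for tok in clients:
            m = _CLIENT_RE.match(tok)
            if m is None:                        # unbalanced parentheses: keep raw token
                entries.append(ExportEntry(path, tok, (), False))
                continue
            client, opts = m.group(1), m.group(2)
            options = tuple(o for o in (opts or "").split(",") if o)
            # An empty client part means the options were detached from the
            # host before them and now apply to every host.
            entries.append(ExportEntry(path, client or "*", options, client == ""))
    return entries


def writable_clients(text: str, path: str) -> Set[str]:
    """Who may write to `path`: the question Phil's story was really about."""
    return {e.client for e in parse_exports(text) if e.path == path and "rw" in e.options}


def audit_exports(text: str) -> List[Tuple[str, str]]:
    """Return (path, problem) pairs a reviewer would want to see."""
    findings: List[Tuple[str, str]] = []
    for e in parse_exports(text):
        writable = "rw" in e.options
        if e.detached:
            findings.append((e.path, "options '(%s)' are not attached to a client, "
                                     "so they apply to every host" % ",".join(e.options)))
        if e.client == "*" and writable:
            findings.append((e.path, "read-write export to every host"))
        elif e.client == "*":
            findings.append((e.path, "read-only export to every host"))
        if "no_root_squash" in e.options:
            findings.append((e.path, "no_root_squash for %s: remote root is root on this export" % e.client))
    return findings


if __name__ == "__main__":
    for path, problem in audit_exports(SAMPLE_EXPORTS):
        print("%-12s %s" % (path, problem))
    print("rw clients for /data:", writable_clients(SAMPLE_EXPORTS, "/data"))
```

Run against a real file with `audit_exports(open("/etc/exports").read())`; the interesting output for the sample is that `/data` ends up writable by `*`, not by `inside1.example.net`, which is exactly the "all hosts had rw" symptom.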
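Steve Bellovin's note a few messages up points at draft-rfced-info-bellovin-00.txt without saying what the change is. The draft was later published as RFC 1948 (that identification is mine, not the page's): instead of taking the initial sequence number straight from the 4-microsecond clock, a server adds a per-connection offset, a keyed hash of the local and remote address/port pair with a secret chosen at boot. The added example below is not Bellovin's code; it uses HMAC-SHA256 in place of the MD5 the RFC used, and takes the clock as an argument so the behaviour is deterministic. It shows why the change matters: with the old clock-only scheme, the ISN an observer sees on their own connection is the ISN every other connection gets at that instant; with the offset, the gap between connections is unknowable without the secret, while the clock still advances monotonically within one connection.

```python
"""RFC 1948-style TCP initial sequence numbers (added example, not the draft's code).

Assumptions: HMAC-SHA256 stands in for the RFC's MD5 (any keyed PRF works);
the 4-microsecond clock is passed in as an integer of microseconds.
"""
import hashlib
import hmac
import secrets
import struct

ISN_MOD = 1 << 32          # TCP sequence numbers are 32-bit
TICK_MICROSECONDS = 4      # RFC 793 ISN clock: +1 every 4 microseconds


def clock_component(t_micro: int) -> int:
    """Classic ISN clock: a 32-bit counter driven by a 4 us timer."""
    return (t_micro // TICK_MICROSECONDS) % ISN_MOD


def legacy_isn(t_micro: int) -> int:
    """Clock-only ISN, the pre-RFC-1948 behaviour. Every connection opened at
    the same instant gets the same value, so one observed ISN reveals all."""
    return clock_component(t_micro)


def connection_offset(secret: bytes, laddr: str, lport: int,
                      raddr: str, rport: int) -> int:
    """F(localhost, localport, remotehost, remoteport, secret): a keyed hash
    of the connection 4-tuple, truncated to 32 bits."""
    msg = "%s:%d->%s:%d" % (laddr, lport, raddr, rport)
    digest = hmac.new(secret, msg.encode(), hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0]


def rfc1948_isn(secret: bytes, laddr: str, lport: int,
                raddr: str, rport: int, t_micro: int) -> int:
    """ISN = M + F(...): the clock plus a per-connection offset. The clock
    still advances within a connection, so old segments cannot be mistaken
    for new ones, but the offset differs per 4-tuple and cannot be computed
    without the host secret."""
    offset = connection_offset(secret, laddr, lport, raddr, rport)
    return (clock_component(t_micro) + offset) % ISN_MOD


def predicted_gap(isn_seen: int, isn_other: int) -> int:
    """What an observer of isn_seen would have to add to reach isn_other."""
    return (isn_other - isn_seen) % ISN_MOD


if __name__ == "__main__":
    secret = secrets.token_bytes(32)          # chosen once per boot, never sent
    t = 1_000_000
    # Constructed 4-tuples: one connection an observer controls, one they do not.
    own_conn = ("10.0.0.5", 513, "203.0.113.7", 40000)
    other_conn = ("10.0.0.5", 513, "10.0.0.9", 1022)
    print("legacy gap between connections:",
          predicted_gap(legacy_isn(t), legacy_isn(t)))
    print("rfc1948 gap between connections:",
          predicted_gap(rfc1948_isn(secret, *own_conn, t),
                        rfc1948_isn(secret, *other_conn, t)))
    print("rfc1948 advance on one connection over 4 ms:",
          predicted_gap(rfc1948_isn(secret, *other_conn, t),
                        rfc1948_isn(secret, *other_conn, t + 4000)))
```

The first printed gap is always 0, the second is a 32-bit value that changes with the secret, and the third is always 1000, which is the property the server keeps: sequence space still moves forward predictably for the two real endpoints, and for nobody else.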
From firewalls-owner Fri Nov 3 19:22:17 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA17756 for firewalls-outgoing; Fri, 3 Nov 1995 17:54:38 -0800 (PST)
Received: from Disclosure.COM (di2.disclosure.com [205.156.194.11]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id RAA17749 for ; Fri, 3 Nov 1995 17:54:34 -0800 (PST)
Received: by Disclosure.COM (4.1/SMI-4.1) id AA08487; Fri, 3 Nov 95 20:57:23 EST
Date: Fri, 3 Nov 1995 20:57:23 -0500 (EST)
From: Scott Barman
To: Mike Murphy
Cc: scs@lokkur.dexter.mi.us, firewalls@greatcircle.com
Subject: Re: None
In-Reply-To: <199511031940.LAA08495@visalia.optigfx.com>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 3 Nov 1995, Mike Murphy wrote:

> From the viewpoint of a vendor ;-)

(good description of the vendor's point of view regarding maintenance via
various means deleted)

> It is the choice of the customer, but the customer should be
> aware that a security policy defines tradeoffs that involve
> money.
> --
> Mike Murphy mrm@alpharel.com +1.619.625.3000 x265
> ALPHAREL 9339 Carroll Park Drive San Diego, CA 92121
> Any opinions above are mine and not those of my employer.

I wish every vendor had your outlook on this!

I just had a very well known vendor request access via the internet (not
here) to fix a problem. When this person (a former customer) asked me what I
thought about it, we had a discussion and he decided to find an alternative.
So I set up a modem on a system to allow the vendor to come in using PPP. I
turned IP forwarding off, the DNS was disabled, and the /etc/hosts file was
empty. For all practical purposes, it was an isolated system. This was also
the production system which we were taking off line!

I was called everything from a jerk to a jack*ss by the manager of technical
support for this large vendor and wondered why we didn't trust them.
He told me that this setup was unacceptable. When the lawyers were finished
with the "breach of contract" spiel, they logged in and fixed the problem.

Funny thing, though. The person who logged in did some interesting things.
Looked at the /etc/passwd file (which was cut down quite a bit), tried to
look at the /etc/shadow file, found the /etc/hosts, tried various nis*
commands to check the network copies out, and did a netstat (to see where
the connections were from). I can see doing things like who, ls and w--I do
those as a nervous-like thing while thinking. But why try to get this
information. Good thing he didn't run a ps to see I was not running a
standard shell. I was running a modified "script" and saved all the output.
The output was sent via FedEx to the tech support manager who promptly wrote
a letter of apology.

MORAL OF THIS STORY (can be summed up by paraphrasing an old joke):
How does one business man tell another business man f**k you?
TRUST ME!

scott barman
--
scott barman              DISCLAIMER: I speak to anyone who will listen,
scott@disclosure.com      and I speak only for myself.
barman@ix.netcom.com
"I don't know if security explains why the Win95 support Web servers run
BSDI 2.0--an Intel-based Unix--rather than Windows NT, which Microsoft
insists is the ideal Web software solution. Does Redmond know something we
don't know?" -Robert X.
Cringely, INFOWORLD, 9/11/95

From firewalls-owner Fri Nov 3 19:23:34 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA17630 for firewalls-outgoing; Fri, 3 Nov 1995 17:52:49 -0800 (PST)
Received: from netcom.netcom.com (netcom.netcom.com [192.100.81.100]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id RAA17612 for ; Fri, 3 Nov 1995 17:52:42 -0800 (PST)
Received: by netcom.netcom.com (8.6.12/Netcom) id RAA13876; Fri, 3 Nov 1995 17:52:00 -0800
Date: Fri, 3 Nov 1995 17:51:59 -0800 (PST)
From: Bob Bosen
Subject: SafeWord new www page
To: Mark_W_Loveless@smtp.bnr.com
cc: firewalls@greatcircle.com
In-Reply-To: <9509308150.AA815091475@smtp.bnr.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

All this discussion about sniffers has prompted me to accelerate the
following announcement:

Enigma Logic's www page, under development for the past several weeks, is
now up and running at:

	http://www.safeword.com

It has a lot of links to firewall-related stuff, and offers the ability to
instantly download free demonstration versions of SafeWord's software-based,
non-replayable dynamic password system. This is not full encryption, but it
offers very good protection against unauthorized breakins, even if sniffers
are capturing and compromising conventional passwords. It has interfaces to
TACACS, TACACS+, RADIUS, and to several commercial and/or public-domain
firewall packages.

This web page is still under development, and I don't know for sure how our
128K ISDN link will stand up to the strain if everybody tries to access at
once, but I'd like to get some feedback. I hope you like it.

Bob Bosen
Enigma Logic Inc.
2151 Salvio St.
#301
Concord, CA 94520 USA
Tel: +1 510 827-5707
Internet: bbosen@netcom.com
anonymous ftp archives: ftp.safeword.com /pub/Safeword

**************************************************************************
* "It wasn't me!!! Somebody must have captured my username/password!!!" *
**************************************************************************

On Mon, 30 Oct 1995 Mark_W_Loveless@smtp.bnr.com wrote:

> 1 - You assume Unix in most cases. Non-IP cards can still get stuff,
> even from IP stations, when in promiscuous mode. You're talking raw
> packets here.
>
> 2 - Most cards have built into them the ability to report total
> packets received (and passed up the OSI chain). These usually are not
> protocol dependent. Certain IPX calls can retrieve this data (the IPX
> Responder code, used for diagnostics).
>
> 3 - Bay Systems 5000 concentrators can detect and PARTITION OFF an
> unauthorized sniffer.
>
> Mark
>
>
> ______________________________ Reply Separator _________________________________
> Subject: Re: How protect against sniffers?
> Author: mcn@EnGarde.com at internet
> Date: 10/29/95 11:21 PM
>
>
> In article you
> write:
> >
> >>> in these day I've found several students using sniffers programs...How can I
> >>> protect my systems? Can you suggest me any source of informations about
> >>> sniffers programs?
> >
> >Kerberos and S/key makes sniffing more or less obsolete.
> >In addition you could code a program to scan for a promiscuous mode and
> >alert the admins if found..
>
> Kerberos and S/Key (or smartcards) do *NOT* make sniffing obsolete. See
>
> http://www.engarde.com/software/ipwatcher
>
> for a product which (while not its intended purpose) can hijack S/Key or
> Kerberos authenticated sessions.
>
> Full encryption or packet-level authentication is the only way to go, and
> this will continue to be the case for the foreseeable future. There are several
> good packages which will help protect from sniffing and the IP spoofing family
> of attacks.
>
> 1) Kerberos: but MAKE SURE Encryption is not only the default, but it's
> enforced. Unfortunately, Kerberos (and its related tools) seem to only turn
> on encryption if the user specifies some obscure flag (which is most likely
> rarely the case). The latest telnet daemon (94.02.07) allows the admin to
> force all incoming connections to be encrypted and authenticated. This is
> a step in the right direction!
> ftp://aeneas.mit.edu/pub/kerberos{README.KRB4, README.KRB5_BETA5}
>
> 2) STEL: This was probably the first stand-alone encryption connection package
> out, and looked promising at the time. A paper was presented on it at Usenix
> '95, and it went through the proper beta-testing cycle. (It had around 100
> very reputable people looking through the source). After Usenix, updates
> to STEL seemed to stop...
> ftp://idea.sec.dsi.unimi.it/pub/security/cert-it/{STEL.ps, f95_stel.ps, stel}
>
> 3) SSH: This has a lot more features than STEL and the author is very
> responsive if any problems are found. Fortunately (or unfortunately), many are.
> I remember one weekend when 3 versions were released in a matter of hours.
> :-) I'd definitely suggest picking this package up--it supports encrypted
> X displays among other nice things.
> ftp://ftp.cs.hut.fi/pub/ssh/{README, ssh-1.2.0.tar.gz}
>
> As for more information on sniffers, Chris Klaus occasionally posts a
> sniffer FAQ to the comp.security.* newsgroups.
> http://www.iss.net/iss/addsec.html
>
> Hope that's helpful!
>
> -Mike Neuman
> mcn@EnGarde.com
> http://www.engarde.com
>
>

From firewalls-owner Fri Nov 3 19:25:56 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id SAA19914 for firewalls-outgoing; Fri, 3 Nov 1995 18:55:39 -0800 (PST)
Received: from akasha.tic.com (akasha.tic.com [192.135.128.129]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id SAA19906 for ; Fri, 3 Nov 1995 18:55:35 -0800 (PST)
From: smoot@tic.com
Received: from xfrsparc.tic.com by akasha.tic.com (8.7.1/akasha.1.21) id UAA20128; Fri, 3 Nov 1995 20:55:45 -0600 (CST)
Received: from localhost by xfrsparc.tic.com (8.7.1/sub.1.6) id UAA21606; Fri, 3 Nov 1995 20:54:47 -0600 (CST)
Message-Id: <199511040254.UAA21606@xfrsparc.tic.com>
To: firewalls@greatcircle.com
Subject: Re: Replacing From: field
In-reply-to: Your message of "Fri, 03 Nov 95 15:34:37 CST."
Date: Fri, 03 Nov 95 20:54:46 -0600
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Could someone point me to instruction on altering the "From:
>user@myplace" field in outbound email? It doesn't make much sense for me
>to hide our naming structure with a dual DNS system around our firewall if
>outbound mail informs our readers of userids and hostnames.

With sendmail it is fairly easy, if cryptic. You also need to rip out the
Received: lines in the message header, if you really want to hide internal
names. Here is a mailer which replaces user@internalhost.domain with
user@domain. The D macro is the site's domain.
Mtcp,	P=[IPC], F=msDFMuX, S=22, R=22, A=IPC $h, E=\r\n

S22
R$*<@$+>$*	$@$1<@$2>$3
R$+		$@$1<@$D>

~

From firewalls-owner Fri Nov 3 22:52:50 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id WAA25951 for firewalls-outgoing; Fri, 3 Nov 1995 22:36:33 -0800 (PST)
Received: from ns.iij.ad.jp (ns.iij.ad.jp [192.244.176.33]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id WAA25932 for ; Fri, 3 Nov 1995 22:36:28 -0800 (PST)
Received: from shiosai.iij.ad.jp (shiosai.iij.ad.jp [192.244.176.35]) by ns.iij.ad.jp (8.6.12+2.4W/3.3W9-NS) with SMTP id PAA22590; Sat, 4 Nov 1995 15:36:29 +0900
Message-Id: <199511040636.PAA22590@ns.iij.ad.jp>
To: mulligan@incog.com
cc: firewalls@GreatCircle.COM
Subject: Re: Man in the Middle Attacks (Over rated?)
In-reply-to: Your message of "Fri, 03 Nov 1995 11:03:05 MST." <9511031803.AA09630@future.incog.com>
Date: Sat, 04 Nov 1995 15:36:29 +0900
From: David R Conrad
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>I do know FOR A FACT that a sniffer program was installed on a machine
>attached to the BARRnet backbone and did sniff a huge number of
>passwords.

Just so people don't think BARRNet was the only organization burnt by this,
let me assure you they weren't. There was a rash of break-ins a while back
(a year or so ago?) in which several very large ISPs in the US (and likely
elsewhere) were compromised, not just once but several times. There is a
reason the major backbone providers have a *severe* allergic reaction to
putting any type of general purpose host on the MAEs or NAPs (the RA
machines are, as I understand it, on their own ethernet leg off the NAPs).
One interesting aspect of this was some ISPs told their customers that their
passwords had a very high probability of being compromised, but the ISPs
couldn't be positive: after a few attacks where the sniffers kept the
passwords in plaintext on disk, the sniffers evolved to encrypt the
collected password files so the ISP, when they did discover their backbone
was being sniffed, had no idea which of their customers were compromised.
Of course, some ISPs didn't tell their customers, so the fact that people
know BARRNet had been compromised can be seen to speak very highly of the
integrity of BARRNet's personnel...

Regards,
-drc

P.S. I believe the NSFNet routers were general purpose Unix machines (IBM
RS6000s) with high speed serial interfaces.

From firewalls-owner Sat Nov 4 03:22:51 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id DAA02467 for firewalls-outgoing; Sat, 4 Nov 1995 03:07:36 -0800 (PST)
Received: from emerald.fibronics.co.il (emerald.fibronics.co.il [192.114.66.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id DAA02460 for ; Sat, 4 Nov 1995 03:07:23 -0800 (PST)
Received: by emerald.fibronics.co.il id AA02526 (5.65c/IDA-1.4.4 for firewalls@greatcircle.com); Sat, 4 Nov 1995 13:08:46 +0200
From: "Maxim A. Guzman"
Message-Id: <199511041108.AA02526@emerald.fibronics.co.il>
Subject: One-Time passwords
To: firewalls@greatcircle.com
Date: Sat, 4 Nov 1995 13:08:45 +0200 (IST)
X-Mailer: ELM [version 2.4 PL24 PGP3 *ALPHA*]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I want to use one-time passwords at my site.
I don't want any "hardware", like cryptographic calculators, etc.
Instead, I want to print a list of challenge/response pairs and give
it to the user who wants to connect from remote site.
Can anyone point me to the freeware resources list related to my
needs?

Thanks in advance.
--- Regards, Maxim "Maguz".
+--------------------------------------------------------------------------+
| Maxim "Maguz" Guzman                  UNIX System and Network manager    |
| Internet: maguz@fibronics.co.il       Fibronics Ltd.                     |
| Phone/Fax: +972-9-840556              Haifa, Israel                      |
+--------------------------------------------------------------------------+

From firewalls-owner Sat Nov 4 05:25:02 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id EAA04036 for firewalls-outgoing; Sat, 4 Nov 1995 04:59:11 -0800 (PST)
Received: from gold.uni-miskolc.hu (golde.uni-miskolc.hu [193.6.10.1]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id EAA04028 for ; Sat, 4 Nov 1995 04:59:04 -0800 (PST)
Received: from zeus.iit.uni-miskolc.hu by gold.uni-miskolc.hu (AIX 3.2/UCB 5.64/4.03) id AA58808; Sat, 4 Nov 1995 13:55:11 GMT
Received: from indwgy.iit.uni-miskolc.hu by zeus.iit.uni-miskolc.hu via ESMTP (940816.SGI.8.6.9/940406.SGI) id NAA21217; Sat, 4 Nov 1995 13:56:29 -0800
Received: by indwgy.iit.uni-miskolc.hu (940816.SGI.8.6.9/940406.SGI.AUTO) id NAA13032; Sat, 4 Nov 1995 13:58:46 -0800
Date: Sat, 4 Nov 1995 13:58:33 -0800 (PST)
From: Wagner Gyorgy
To: goertzek@wangfed.com
Cc: firewalls@GreatCircle.COM
Subject: Re: idb.ar.com...the mystery continues
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Karen:

> For those that are wondering, several listers have tried the same URL I did,
>
> with the following variety of results:
> User #1: "I get a 'server not responding' when I try this."
>
> User #2: "I tried accessing http://idb.ar.com and got 'Remote server
> down or not responding.'"
>
> ...

I tried a traceroute to this node. My results:

 1  193.6.4.254 (193.6.4.254)  2 ms (ttl=30!)  2 ms (ttl=30!)  2 ms (ttl=30!)
 2  193.6.14.125 (193.6.14.125)  2 ms (ttl=29!)  2 ms (ttl=29!)  2 ms (ttl=29!)
 3  hbone.uni-miskolc.hu (193.6.10.240)  2 ms  2 ms  2 ms
 4  vhb.iif.hu (193.6.21.58)  60 ms  85 ms  35 ms
 5  vha.iif.hu (192.84.229.61)  26 ms  38 ms  26 ms
 6  mta.iif.hu (193.6.206.13)  33 ms  29 ms  29 ms
 7  mtb.iif.hu (193.6.206.18)  33 ms  *  30 ms
 8  Vienna-EBS1.Ebone.NET (192.121.159.89)  324 ms  703 ms  812 ms
 9  Paris-EBS2.Ebone.net (192.121.156.17)  758 ms  *  696 ms
10  Stockholm-ebs.ebone.net (192.121.154.21)  687 ms  306 ms  334 ms
11  Stockholm-DGIX.nordu.net (194.68.128.24)  282 ms  *  705 ms
12  icm-gw.nordu.net (192.36.148.193)  924 ms (ttl=243!)  *  *
13  icm-uk-1-H1/0-5M.icp.net (198.67.131.41)  985 ms (ttl=244!)  *  *
14  icm-pen-2-H2/0-T3.icp.net (198.67.131.25)  890 ms (ttl=245!)  969 ms (ttl=24
15  icm-dc-2b-H0/0-5M.icp.net (198.67.131.17)  995 ms (ttl=246!)  930 ms (ttl=246!)  676 ms (ttl=246!)
16  icm-dc-1-F0/0.icp.net (198.67.131.36)  731 ms (ttl=245!)  620 ms (ttl=245!)  *  *
17  icm-mae-e-H1/0-T3.icp.net (198.67.131.9)  1002 ms (ttl=244!)  847 ms (ttl=244!)  *
18  mae-east.agis.net (192.41.177.145)  780 ms (ttl=243!)  833 ms (ttl=243!)  *
19  santaclara.agis.net (204.130.243.34)  1071 ms (ttl=242!)  843 ms (ttl=242!
20  InterNex-T1.agis.net (205.137.63.34)  732 ms (ttl=242!)  993 ms (ttl=242!)  822 ms (ttl=242!)  *
21  area-1-rtr-S0-inex.InterNex.Net (205.158.1.14)  840 ms (ttl=240!)  1031 ms
22  webfarm-1-rtr-fddi.InterNex.Net (205.158.0.5)  941 ms (ttl=240!)  1001 ms (ttl=240!)  1028 ms (ttl=240!)  *
23  ibd.ar.com (199.2.25.111)  870 ms (ttl=239!)  976 ms (ttl=239!)
Regards:
Gyorgy Wagner
email: gyuri@indwgy.iit.uni-miskolc.hu

From firewalls-owner Sat Nov 4 07:53:00 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id HAA05590 for firewalls-outgoing; Sat, 4 Nov 1995 07:50:50 -0800 (PST)
Received: from incog.com (ns.incog.com [199.190.177.251]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id HAA05583 for ; Sat, 4 Nov 1995 07:50:48 -0800 (PST)
From: mulligan@future.incog.com
Received: from coslabs.incog.com by incog.com (SMI-8.6/94082501) id HAA20521; Sat, 4 Nov 1995 07:49:33 -0800
Received: from future.incog.com by coslabs.incog.com (5.x/SMI-SVR4) id AA18108; Sat, 4 Nov 1995 08:50:31 -0700
Received: from future (localhost) by future.incog.com (5.x/SMI-SVR4) id AA11238; Sat, 4 Nov 1995 08:50:29 -0700
Message-Id: <9511041550.AA11238@future.incog.com>
To: jgs@aads.net (John G. Scudder)
Cc: mulligan@incog.com, firewalls@GreatCircle.COM, maillet@doc.cs.usm.maine.edu, Ted Doty , curtis@ans.net
Subject: Re: Man in the Middle Attacks (Over rated?)
Reply-To: mulligan@incog.com
In-Reply-To: Your message of "Fri, 03 Nov 1995 14:39:25 EST."
Date: Sat, 04 Nov 1995 08:50:29 -0700
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

John,

John Scudder wrote:
> At 11:03 AM 11/3/95, mulligan@future.incog.com wrote:
> >This is sort of a cagey answer. Quite probably "no sniffer programs
> >were ever installed on any NSFNET routers."
>
> My message wasn't meant to be cagey. I'm sorry you found it too ambiguous.
> Try this: No sniffer programs were installed on any components of the
> NSFNET backbone.

I'm sure that you weren't trying to be cagey in your answer. I just thought
that the wording used was interesting and unnecessarily limited the scope of
the statement.
geoff

From firewalls-owner Sat Nov 4 08:22:51 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA05866 for firewalls-outgoing; Sat, 4 Nov 1995 08:08:56 -0800 (PST)
Received: from count01.mry.scruznet.com (count01.mry.scruznet.com [204.147.227.65]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id IAA05859 for ; Sat, 4 Nov 1995 08:08:53 -0800 (PST)
From: firewalls@count01.mry.scruznet.com
Received: from count01.mry.scruznet.com (localhost [127.0.0.1]) by count01.mry.scruznet.com (8.7.1/8.7.1) with ESMTP id HAA03975 for ; Sat, 4 Nov 1995 07:59:23 -0800 (PST)
Message-Id: <199511041559.HAA03975@count01.mry.scruznet.com>
To: firewalls@greatcircle.com
Subject: Active Spoofing, Sequence Attacks, Infrastructure attacks Re: SafeWord new www page
In-reply-to: Your message of "Fri, 03 Nov 1995 17:51:59 PST."
Date: Sat, 04 Nov 1995 07:59:23 -0800
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Unfortunately the OTP card vendors just haven't gotten a clue yet. Safeword,
SNK, Enigma, S/key, Secureid, OPIE etc ad NAUSEAM.. All of these
NON-encrypted methodologies have been obsolete as soon as the general hacker
community learned about sequence number prediction and session hijacks
(whether through attacks on the routing protocol infrastructure and/or
combinational attacks with techniques like active spoofing). For those of us
on the HOT seat (designing and building Internet Firewalls) WE ARE NOT
serving our customer base best by recommending technologies which are at
present being actively subverted. The ONLY ethical action from MY point of
view is to use programs and protocols like SKIP, ssh1.2 and others (ESM,
Ctcp). A lot of these may be right on the bleeding edge but they can be had
and used.
cheers
anon

From firewalls-owner Sat Nov 4 08:52:51 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA06121 for firewalls-outgoing; Sat, 4 Nov 1995 08:38:15 -0800 (PST)
Received: from access.netaxs.com (access.netaxs.com [198.69.186.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id IAA06114 for ; Sat, 4 Nov 1995 08:38:11 -0800 (PST)
Received: from unix3.netaxs.com (morph_1@unix3.netaxs.com [198.69.186.5]) by access.netaxs.com (8.6.12/8.6.11) with ESMTP id LAA08871; Sat, 4 Nov 1995 11:38:13 -0500
Received: (morph_1@localhost) by unix3.netaxs.com (8.6.12/8.6.9) id LAA27265; Sat, 4 Nov 1995 11:38:09 -0500
Date: Sat, 4 Nov 1995 11:38:08 -0500 (EST)
From: "W0W!@# ELYTENESS#@!"
To: Phil Howard
cc: firewalls@GreatCircle.COM
Subject: Re: mountd Security
In-Reply-To: <199511040243.UAA08423@colt.milepost.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 3 Nov 1995, Phil Howard wrote:

> > Well the firewall itself isn't in question, it's the fact that mountd is
> > running between the machines that have users on them inside the firewall,
> > is there any security problem with running mountd that can be locally
> > exploited? If there is then i would just disable the daemon; not exporting
> > anything nesc at this point. Limiting access would work too, but first
> > I wanted to establish if much of a risk exists.
> > As far as what's being exported goes, it's only (rw) filesystems to the
> > machines inside the firewall.
>
> Your inside users could take advantage of the mountd. Maybe they won't.
> If you trust those users, then you don't need to worry about them. IP
> addresses can be faked. Userids can be faked from machines where someone
> has root access or physical machine access.
>
> Security comes from a combination of trust and distrust that is correctly
> attributed.
If you know correctly who you can trust and who you cannot > trust, you will do the right thing, given the right information. > > I have found a situation where I was exporting a filesystem ro to all hosts > and rw to two hosts. However, it turned out that all hosts had rw. I do > not know what was wrong, and because it wasn't anything important, I just > removed it all and never investigated. > How could inside users take advantage of mountd? I've heard of some strange problems on systems running mountd like the situation you pointed out. I personally don't trust mountd, so I stopped exporting, but my question was what security problems can mountd cause, is there any potential for local users to exploit it ot take advantage of it? From firewalls-owner Sat Nov 4 10:52:51 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id KAA08185 for firewalls-outgoing; Sat, 4 Nov 1995 10:44:12 -0800 (PST) Received: from basic.net (basic.net [205.242.92.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id KAA08178 for ; Sat, 4 Nov 1995 10:44:08 -0800 (PST) Received: by basic.net (SMI-8.6/BN-1.20) id MAA28600; Sat, 4 Nov 1995 12:40:40 -0600 Date: Sat, 4 Nov 1995 12:40:39 -0600 (CST) From: Jim McBride To: Martin Cooper cc: Rick Smith , firewalls@GreatCircle.COM Subject: Re: Tightening up SunOS 5.4 (was Re: Hardened OS) In-Reply-To: <199511031740.RAA23766@quark.foobar.co.uk> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 3 Nov 1995, Martin Cooper wrote: > processes that need to be started at boot time? Will it be > possible to run these at boot time without an entry for root in > the password file, and without the setuid bits on executable > binaries? > > If it is, then this seems like a fine security measure for a > bastion host. > > > Martin > -- You will play hell trying to boot in single user mode... 
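Phil Howard's answer to the mountd question turns on what the export list actually grants, and his anecdote of an export meant to be rw for two hosts that turned out rw for everybody is the usual way it goes wrong. As an added example (my code, not from either poster), here is a small audit of an NFS exports file that flags exports writable by wildcard clients, exports that do not squash remote root, and exports accepting unprivileged source ports. It assumes the Linux /etc/exports syntax, which is not the SunOS 4 format the list was using, and the sample file is constructed; the checks themselves apply to any NFS server.

```python
"""Audit an NFS /etc/exports (Linux syntax) for the grants that make mountd
dangerous to every host that can reach it.  Added illustration; the sample
file is constructed."""
import re

# Constructed sample, not from any real server.
SAMPLE_EXPORTS = """\
# /etc/exports
/export/home   10.1.0.0/24(rw,sync)   *(ro)
/export/tools  *(rw,no_root_squash)
/export/src    build1(rw) build2(rw,no_root_squash) *.example.test(ro)
/export/pub    (ro,insecure)
"""

# host or network, optionally followed by a parenthesised option list
_CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text: str) -> list:
    """Return (path, client, options) triples.  An empty client or '*'
    means every host; a missing option list means the exportfs defaults,
    which are read-only with root squashed."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for token in clients:
            m = _CLIENT_RE.match(token)
            if m is None:
                raise ValueError(f"unparsable export token {token!r}")
            client = m.group(1)
            opts = [o for o in (m.group(2) or "").split(",") if o]
            entries.append((path, client, opts))
    return entries


def _is_wildcard(client: str) -> bool:
    return client == "" or "*" in client or "?" in client


def audit_exports(text: str) -> list:
    """Return (path, client, finding) for each risky grant, in file order."""
    findings = []
    for path, client, opts in parse_exports(text):
        shown = client or "(everyone)"
        if "rw" in opts and _is_wildcard(client):
            findings.append((path, shown, "writable by a wildcard client"))
        if "no_root_squash" in opts:
            findings.append((path, shown, "remote root is local root on this export"))
        if "insecure" in opts:
            findings.append((path, shown, "requests accepted from unprivileged ports"))
    return findings


if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:15s} {client:18s} {finding}")
```

The parser deliberately does not try to compute which entry wins when a host matches several; it reports every grant that is risky on its own, which is what you want when the question is "can anything inside reach this read-write".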
Jim McBride
jim@basic.net

From firewalls-owner Sat Nov 4 11:22:56 1995
From: Jim McBride
To: "Maxim A. Guzman"
Cc: firewalls@GreatCircle.COM
Subject: Re: One-Time passwords
Date: Sat, 4 Nov 1995 12:44:13 -0600 (CST)
In-Reply-To: <199511041108.AA02526@emerald.fibronics.co.il>

On Sat, 4 Nov 1995, Maxim A. Guzman wrote:

> Hi,
>
> I want to use one-time passwords at my site.
> I don't want any "hardware", like cryptographic calculators, etc.
> Instead, I want to print a list of challenge/response pairs and give
> it to the user who wants to connect from remote site.
> Can anyone point me to the freeware resources list related to my
> needs?
>
> Thanks in advance.
>
> --- Regards, Maxim "Maguz".

Sure -- Skey, archie for it.

Jim McBride
jim@basic.net

From firewalls-owner Sat Nov 4 11:52:51 1995
From: Bob Bosen
To: "Maxim A. Guzman"
Cc: firewalls@greatcircle.com
Subject: Re: One-Time passwords
Date: Sat, 4 Nov 1995 10:21:30 -0800 (PST)
In-Reply-To: <199511041108.AA02526@emerald.fibronics.co.il>

Max:

Our "SafeWord" software is commercial (not freeware) but a free demonstration
copy could be set up with our "soft token" to meet your needs. You can
retrieve a copy right now from:

http://www.safeword.com

I hope you like it.

Regards,

Bob Bosen
Enigma Logic Inc.
2151 Salvio St. #301
Concord, CA 94520
USA

Tel: +1 510 827-5707
Internet: bbosen@netcom.com
anonymous ftp archives: ftp.netcom.com /pub/bb/bbosen/Enigma read.me
also: (bigger archives) ftp.netcom.com /pub/sa/safeword readme.001
**************************************************************************
* "It wasn't me!!! Somebody must have captured my username/password!!!" *
**************************************************************************

On Sat, 4 Nov 1995, Maxim A. Guzman wrote:

> Hi,
>
> I want to use one-time passwords at my site.
> I don't want any "hardware", like cryptographic calculators, etc.
> Instead, I want to print a list of challenge/response pairs and give
> it to the user who wants to connect from remote site.
> Can anyone point me to the freeware resources list related to my
> needs?
>
> Thanks in advance.
>
> --- Regards, Maxim "Maguz".
>
> +--------------------------------------------------------------------------+
> | Maxim "Maguz" Guzman                    UNIX System and Network manager  |
> | Internet: maguz@fibronics.co.il         Fibronics Ltd.                   |
> | Phone/Fax: +972-9-840556                Haifa, Israel                    |
> +--------------------------------------------------------------------------+
>

From firewalls-owner Sat Nov 4 12:22:58 1995
From: Carl Jolley
To: Bob Bosen
Cc: Mark_W_Loveless@smtp.bnr.com, firewalls@GreatCircle.COM
Subject: Re: SafeWord new www page
Date: Sat, 4 Nov 1995 14:29:46 -0500 (EST)

On Fri, 3 Nov 1995, Bob Bosen wrote:

>
> All this discussion about sniffers has prompted me to accelerate the
> following announcement:
>
> Enigma Logic's www page, under development for the past several weeks,
> is now up and running at:
>
> http://www.safeword.com
>
> It has a lot of links to firewall-related stuff, and offers the ability
> to instantly download free demonstration versions of SafeWord's software-
> based, non-replayable dynamic password system. This is not full encryption,
> but it offers very good protection against unathorized breakins, even if
                                             ^^^^^^^^^^^

Uhh,

Is there any other kind? Or are you the chief head director of the
Department of Redundancy Department?

> sniffers are capturing and compromising conventional passwords. It has
> interfaces to TACACS, TACACS+, RADIUS, and to several commercial and/or
> public-domain firewall packages.
>
> This web page is still under development, and I don't know for sure how
> our 128K ISDN link will stand up to the strain if everybody tries to
> access at once, but I'd like to get some feedback. I hope you like it.
>
>
>
> Bob Bosen
> Enigma Logic Inc.
> 2151 Salvio St. #301
> Concord, CA 94520
> USA
>
> Tel: +1 510 827-5707
> Internet: bbosen@netcom.com
> anonymous ftp archives: ftp.safeword.com /pub/Safeword
> **************************************************************************
> * "It wasn't me!!! Somebody must have captured my username/password!!!" *
> **************************************************************************
>
> On Mon, 30 Oct 1995 Mark_W_Loveless@smtp.bnr.com wrote:
>
> > 1 - You assume Unix in most cases. Non-IP cards can still get stuff,
> > even from IP stations, when in promiscuous mode. You're talking raw
> > packets here.
> >
> > 2 - Most cards have built into them the ability to report total
> > packets received (and passed up the OSI chain). These usually are not
> > protocol dependent. Certain IPX calls can retrieve this data (the IPX
> > Responder code, used for diagnostics).
> >
> > 3 - Bay Systems 5000 concentrators can detect and PARTITION OFF an
> > unauthorized sniffer.
> >
> > Mark
> >
> >
> > ______________________________ Reply Separator _________________________________
> > Subject: Re: How protect against sniffers?
> > Author: mcn@EnGarde.com at internet
> > Date: 10/29/95 11:21 PM
> >
> >
> > In article you
> > write:
> >
> > >>> in these day I've found several students using sniffers programs...How can I
> > >>> protect my systems? Can you suggest me any source of informations about
> > >>> sniffers programs?
> >
> > >Kerberos and S/key makes sniffing more or less obsolete.
> > >In addition you could code a program to scan for a promiscuous mode and
> > >alert the admins if found..
> >
> > Kerberos and S/Key (or smartcards) do *NOT* make sniffing obsolete. See
> >
> > http://www.engarde.com/software/ipwatcher
> >
> > for a product which (while not its intended purpose) can hijack S/Key or
> > Kerberos authenticated sessions.
> >
> > Full encryption or packet-level authentication is the only way to go, and
> > this will continue to be the case for the foreseeable future. There are several
> > good packages which will help protect from sniffing and the IP spoofing family
> > of attacks.
> >
> > 1) Kerberos: but MAKE SURE Encryption is not only the default, but it's
> > enforced. Unfortunately, Kerberos (and its related tools) seem to only turn
> > on encryption if the user specifies some obscure flag (which is most likely
> > rarely the case). The latest telnet daemon (94.02.07) allows the admin to
> > force all incoming connections to be encrypted and authenticated. This is
> > a step in the right direction!
> > ftp://aeneas.mit.edu/pub/kerberos{README.KRB4, README.KRB5_BETA5}
> >
> > 2) STEL: This was probably the first stand-alone encryption connection package
> > out, and looked promising at the time. A paper was presented on it at Usenix
> > '95, and it went through the proper beta-testing cycle. (It had around 100
> > very reputable people looking through the source). After Usenix, updates
> > to STEL seemed to stop...
> > ftp://idea.sec.dsi.unimi.it/pub/security/cert-it/{STEL.ps, f95_stel.ps, stel}
> >
> > 3) SSH: This has a lot more features than STEL and the author is very
> > responsive if any problems are found. Fortunately (or unfortunately), many are.
> > I remember one weekend when 3 versions were released in a matter of hours.
> > :-) I'd definitely suggest picking this package up--it supports encrypted
> > X displays among other nice things.
> > ftp://ftp.cs.hut.fi/pub/ssh/{README, ssh-1.2.0.tar.gz}
> >
> > As for more information on sniffers, Chris Klaus occasionally posts a
> > sniffer FAQ to the comp.security.* newsgroups.
> > http://www.iss.net/iss/addsec.html
> >
> > Hope that's helpful!
> >
> > -Mike Neuman
> > mcn@EnGarde.com
> > http://www.engarde.com
> >
> >
>

From firewalls-owner Sat Nov 4 12:52:56 1995
From: Paul Ferguson
To: Bob Bosen
Cc: "Maxim A. Guzman", firewalls@GreatCircle.COM
Subject: Re: One-Time passwords
Date: Sat, 4 Nov 1995 12:33:46 -0800
Message-Id: <199511042033.MAA06785@lint.cisco.com>

Bob,

It appears that your site is not being routed across CIX:

% ping www.safeword.com
PING www.safeword.com (204.242.227.134): host unreachable from 149.20.64.33

% lookup 149.20.64.33
Official Name: psi-too.west.cix.net
IP Address: 149.20.64.33

- paul

At 10:21 AM 11/4/95 -0800, Bob Bosen wrote:
>
>Our "SafeWord" software is commercial (not freeware) but a free demonstration
>copy could be set up with our "soft token" to meet your needs. You can
>retrieve a copy right now from:
>
>http://www.safeword.com
>

--
Paul Ferguson                      ||        ||
Consulting Engineering             ||        ||
Reston, Virginia  USA             ||||      ||||
tel: +1.703.716.9538          ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com     c i s c o  S y s t e m s

From firewalls-owner Sat Nov 4 13:22:51 1995
From: "Marcus J. Ranum"
To: ajack@corp.micrognosis.com (Adam Jack)
Cc: firewalls@greatcircle.com
Subject: Re: What about the next 20 Java-like applications? ( was Re: Java)
Date: Sat, 4 Nov 1995 16:18:21 -0500 (EST)
Message-Id: <199511042118.QAA20513@switchblade.iwi.com>
In-Reply-To: from "Adam Jack" at Nov 1, 95 00:00:10 am
Reply-To: mjr@iwi.com
Organization: Information Warehouse! Inc, Baltimore, MD

If Java applets run with write permissions turned off, is it possible to
write an applet that, when you run it, FTPs your password file, .rhosts
file, $MAIL, etc, to a dead-drop? There might be useful stuff in those.

Basically, for Java to not leave the user vulnerable to something nasty,
the language will have to have a lot of the properties of a TCB; which
means it won't do a lot of the things people will *want* to do, which
means that they'll just make everything writeable and "damn the
torpedoes."

mjr.
From firewalls-owner Sat Nov 4 13:52:51 1995
From: frankw@in.net (Frank Willoughby)
To: firewalls@GreatCircle.com
Subject: Re: None
Date: Sat, 4 Nov 95 16:41:44 -0500
Message-Id: <9511042141.AA25047@su1.in.net>

My mailer claims Scott Barman wrote:

>On Fri, 3 Nov 1995, Mike Murphy wrote:
>
>> From the viewpoint of a vendor ;-)
>
>(good description of the vendor's point of view regarding maintenance
>via various means deleted)
>
>> It is the choice of the customer, but the customer should be
>> aware that a security policy defines tradeoffs that involve
>> money.
>> --
>> Mike Murphy mrm@alpharel.com +1.619.625.3000 x265
>> ALPHAREL 9339 Carroll Park Drive San Diego, CA 92121
>> Any opinions above are mine and not those of my employer.
>
>I wish every vendor had your outlook on this! I just had a very well
>known vendor request access via the internet (not here) to fix a
>problem. When this person (a former customer) asked me what I thought
>about it, we had a discussion and he decided to find an alternative.
>
>So I set up a modem on a system to allow the vendor come in using PPP.
>I turned IP forwarding off, the DNS was disabled, and the
>/etc/hosts file was empty. For all practical purposes, it was an
>isolated system. This was also the production system which we were
>taking off line!
>
>I was called everything from a jerk to a jack*ss by the manager of
>technical support for this large vendor and wondered why we didn't trust
>them. He told me that this setup was unacceptable. When the lawyers
>were finished with the "breach of contract" spiel, they logged in and
>fixed the problem.
>
>Funny thing, though. The person who logged in did some interesting
>things. Looked at the /etc/passwd file (which was cut down quite a
>bit), tried to look at the /etc/shadow file, found the /etc/hosts, tried
>various nis* commands to check the network copies out, and did a netstat
>(to see where the connections were from). I can see doing things like
>who, ls and w--I do those as a nervous-like thing while thinking. But
>why try to get this information?
>
>Good thing he didn't run a ps to see I was not running a standard shell.
>I was running a modified "script" and saved all the output. The output
>was sent via FedEx to the tech support manager who promptly wrote a
>letter of apology.

Scott,

This goes without saying (but I will anyway), you have a gold mine with
the output you saved. The next time a vendor wants to log into your system
to fix something, you have excellent documentation which justifies not
allowing the vendor in.

The easiest way for hackers to crack systems is to get a tech-support job
which permits them to log in & set up a couple of accounts, trojan horses,
etc. (Why bother to try to break into a system when the customer will let
you in - and usually without so much as a whimper?).

Thanks for posting your example.

Best Regards,

Frank

>
>MORAL OF THIS STORY (can be summed up by paraphrasing an old joke):
>How does one business man tell another business man f**k you? TRUST ME!
>
>scott barman
>--
>scott barman           DISCLAIMER: I speak to anyone who will listen,
>scott@disclosure.com   and I speak only for myself.
>barman@ix.netcom.com
> "I don't know if security explains why the Win95 support Web servers run BSDI
> 2.0--an Intel-based Unix--rather than Windows NT, which Microsoft insists is
> the ideal Web software solution. Does Redmond know something we don't know?"
> -Robert X. Cringely, INFOWORLD, 9/11/95
>
>
>

From firewalls-owner Sat Nov 4 14:24:47 1995
From: Russ Cooper
To: "'Bob Bosen'"
Cc: "'Firewalls'"
Subject: RE: One-Time passwords
Date: Sat, 4 Nov 1995 17:12:40 -0500
Message-ID: <01BAAAD8.BFD86E00@rcooper.the-wire.com>

Rather than continuing to plug your product, you might want to put some
effort into getting the web page UP!!! Tried Nov. 3, and 4, several times
to access www.safeword.com with no luck.
Cheers,

Russ Cooper
Senior Internet Integration Engineer
SHL/Computer Innovations
RCooper@the-wire.com - Express@msn.com - 74323.364@compuserve.com

From firewalls-owner Sat Nov 4 15:56:36 1995
From: "W0W!@# ELYTENESS#@!"
To: Jim McBride
Cc: "Maxim A. Guzman", firewalls@GreatCircle.COM
Subject: Re: One-Time passwords
Date: Sat, 4 Nov 1995 18:43:20 -0500 (EST)

SuM D0oDuR SaYS:

>
>
> On Sat, 4 Nov 1995, Maxim A. Guzman wrote:
>
> > Hi,
> >
> > I want to use one-time passwords at my site.
> > I don't want any "hardware", like cryptographic calculators, etc.
> > Instead, I want to print a list of challenge/response pairs and give
> > it to the user who wants to connect from remote site.
> > Can anyone point me to the freeware resources list related to my
> > needs?
> >
> > Thanks in advance.
> >
> > --- Regards, Maxim "Maguz".
>
> Sure -- Skey, archie for it.
>
> Jim McBride
> jim@basic.net
>

So DeN EyE G0eS: SKey! ARchie! Dis WholE InTerNeT THinG Iz So E-Z!
Morph_1 - archie phore _ME_

From firewalls-owner Sat Nov 4 18:24:26 1995
From: Jonny Llama
To: cjolley@iac.net (Carl Jolley)
Cc: firewalls@greatcircle.com
Subject: Re: SafeWord new www page
Date: Sat, 4 Nov 1995 20:55:53 -0500 (EST)
Message-Id: <199511050155.UAA04752@randomc.com>
In-Reply-To: from "Carl Jolley" at Nov 4, 95 02:29:46 pm
X-Info: finger llama@randomc.com | pgp -fka +force

>Uhh,
>
>Is there any other kind? Or are you the chief head director of the
>Department of Redundancy Department?

Please help me understand why you quoted ~150 lines of text to frame 2 lines
of a snide comment?

From firewalls-owner Sun Nov 5 09:22:57 1995
From: peter@nmti.com (Peter da Silva)
To: scott@Disclosure.COM (Scott Barman)
Cc: ajack@corp.micrognosis.com, smith@sctc.com, firewalls@GreatCircle.COM
Subject: Re: What about the next 20 Java-like applications? ( was Re: Java)
Date: Sun, 5 Nov 1995 10:45:53 -0600 (CST)
Message-Id: <9511051645.AA02221@sonic.nmti.com.nmti.com>
In-Reply-To: from "Scott Barman" at Nov 3, 95 08:32:46 pm

Just ask them... "would you put a TV in your house with a remotely operated
surveillance camera built in? That's what you could be doing if you just
run untrusted applications on an Internet-connected computer."

From firewalls-owner Sun Nov 5 09:52:55 1995
From: peter@nmti.com (Peter da Silva)
To: jonw@mntcmp2.demon.co.uk (Jon Whitton)
Cc: alan@gi.net, firewalls@GreatCircle.COM
Subject: Re: Anecdotes or Firewall/NetSec Jokes
Date: Sun, 5 Nov 1995 10:41:02 -0600 (CST)
Message-Id: <9511051641.AA01999@sonic.nmti.com.nmti.com>
In-Reply-To: from "Jon Whitton" at Nov 3, 95 09:51:03 pm

> > I'll be speaking at a number of seminars in the next three weeks,
> > and I think it would be nice to have some intelligent humorous
> > jokes or anecdotes to start my talks off.

> How about Microsoft, they are the biggest joke going.

Unfortunately this is sounding more and more like graveyard humor.
They're selling very effectively, no matter how awful their product is.

From firewalls-owner Sun Nov 5 10:23:01 1995
From: Donald.J.Smith@.cdev.com (Donald J Smith)
To: Firewalls@GreatCircle.com
Subject: TIS setup on sun4.1.1
Date: Sun, 05 Nov 1995 05:58:23 -0800
Message-Id: <199511051717.LAA27647@asp.cdev.com>

>From: Benoit Dicaire
>Date: Tue, 31 Oct 1995 09:20:39 -0500
>Subject: TIS implementation question
>
>Mike Jones wrote :
>
>>I'm trying to make an estimate of how long it would take to have a
>>reasonably competent engineer get and set up the TIS toolkit on a SunOS
>>4.1.4 system. I'd appreciate it if anyone who has done this could give
>>me a ballpark figure.
>

Hopefully your firewall is more than just the TIS toolkit. But you don't
say, so I'll assume that TIS is going on a dual-homed gateway which is the
only outside access to your system. Otherwise you could have a bastion/dhg
with TIS and some screening router(s). If you choose the latter (based on
a defined security policy) then you need someone to set up the screening
routers.

>Okay, let's define some stuff first :
>
>Reasonably competent engineer : someone who knows *well* the platform
>he wants to use for the firewall. Good knowledge of TCP/IP, read Cheswick &
>Bellovin book and read the list for more than two months.
>

Reading this list does help a lot. The answers I find here are often not
what I was thinking at all.

Also is already familiar with all the apps that will be passed thru the
firewall. (He has to test, doesn't he?)

Also helps if he has unix sysadm knowledge (assuming he works directly on
your firewall, he needs to know how to use: an editor, make, tar).

Also helps if he has years of knowledge of your network.

>Setup a firewall (technical side) : install the core module of TIS and several
>modules from public domain. Write scripts to automate things, parse logs, etc ...

OK if you've done it before maybe, but it took me over a week to get the
netacl, a chrooted ftp, and smap working. I did have to do some extra stuff
like hiding dns and ip addresses behind the 3 nic addresses I used on the
firewall.

>
>Setup a firewall (political side) : write security policies in collaboration
>with management, decide services to allow and discriminate who will get it.
>
>The whole thing can take six months if you're lucky ;-)
>
>For the tech side, you should have something running in three days.

Only if he has some of the skills I listed. Else he has months to learn the
system before he starts getting productive.

>
>- ---
> Benoit Dicaire - Unix - NRJ Informatique Inc.
> bdicaire@nrj.com - Consultant - (514) 593-9747
>

Donald J Smith
Network Security Engineer @Computing Devices International
"@begin design in the security and ease_of_use != A*(1/Data_Security)"
(my opinions are mine and so are the spelling errors ;-)

From firewalls-owner Sun Nov 5 10:53:08 1995
From: Einar.Landre@sdata.no (Einar Landre)
To: firewalls@greatcircle.com
Subject: Info about Secure Net and Secure ID
Date: Sun, 5 Nov 1995 19:11:48 +0100
Message-Id: <9511051811.AA00352@breng>

Hi,

In the documentation from TIS regarding user authentication, two commercial
vendors / products are mentioned.

    Digital Pathways with Secure Net
    Security Dynamics with Secure ID

Can somebody tell me where to find information about the two??
Regards Einar
------------------------------------------------------
Einar Landre, Senior Consultant
Skrivervik Data AS        Phone: +47 22 18 58 27
Post Box 3885             Fax: +47 22 18 59 98
Ullevaal Hageby           E-mail: einar.landre@sdata.no
N-0805 Oslo, Norway

From firewalls-owner Sun Nov 5 11:34:04 1995
From: Mike Shaver
To: mjr@iwi.com
Cc: firewalls@greatcircle.com
Subject: Re: What about the next 20 Java-like applications? ( was Re: Java)
Date: Sun, 5 Nov 1995 13:48:52 -0500 (EST)
Message-Id: <199511051848.NAA15824@neon.ingenia.com>
In-Reply-To: <199511042118.QAA20513@switchblade.iwi.com> from "Marcus J. Ranum" at Nov 4, 95 04:18:21 pm

Thus spake Marcus J. Ranum:
> If Java applets run with write permissions turned off, is
> it possible to write an applet that, when you run it, FTPs your
> password file, .rhosts file, $MAIL, etc, to a dead-drop? There
> might be useful stuff in those.

As per the Java documentation, applets do not (under the default
configuration) have any (direct) access to the filesystem. It's possible
that they could impact the filesystem in some way if the browser caches
images, etc. loaded by the applet, and there's always virtual memory
exhaustion, but there's no direct access. No reading, no writing, no
executing, no ogling of inodes, nothing.
Mike
--
#> Mike Shaver (shaver@ingenia.com)   Ingenia Communications Corporation <#
#> UNIX medicine man -- dark magick, cheap!                               <#
#>                                                                        <#
#> When the going gets tough, the tough give cryptic error messages.      <#
#> "We believe in rough consensus and running code."                      <#

From firewalls-owner Sun Nov 5 13:23:01 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id MAA13875 for firewalls-outgoing; Sun, 5 Nov 1995 12:54:48 -0800 (PST)
Received: from lint.cisco.com (lint.cisco.com [171.68.235.77]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id MAA13868 for ; Sun, 5 Nov 1995 12:54:45 -0800 (PST)
Received: from pferguso-pc.cisco.com (sl-charm-06.cisco.com [171.69.126.144]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id MAA10544; Sun, 5 Nov 1995 12:54:23 -0800
Date: Sun, 5 Nov 1995 12:54:23 -0800
Message-Id: <199511052054.MAA10544@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Einar.Landre@sdata.no (Einar Landre)
From: Paul Ferguson
Subject: Re: Info about Secure Net and Secure ID
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Contact information about both of these is contained in Christopher Klaus' Sniffer FAQ, located at http://iss.net/iss/sniff.html.

- paul

At 07:11 PM 11/5/95 +0100, Einar Landre wrote:
>
>In the documentation from TIS regarding user authentication,
>two commercial vendors / products are mentioned.
>
>    Digital Pathways with Secure Net
>    Security Dynamics with Secure ID
>
>Can somebody tell me where to find information about the two?
>
>Regards Einar
>------------------------------------------------------
>Einar Landre, Senior Consultant
>Skrivervik Data AS          Phone: +47 22 18 58 27
>Post Box 3885               Fax: +47 22 18 59 98
>Ullevaal Hageby             E-mail: einar.landre@sdata.no
>N-0805 Oslo, Norway
>
>

--
Paul Ferguson                    ||        ||
Consulting Engineering           ||        ||
Reston, Virginia  USA           ||||      ||||
tel: +1.703.716.9538        ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com   c i s c o  S y s t e m s

From firewalls-owner Sun Nov 5 13:55:15 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id NAA14909 for firewalls-outgoing; Sun, 5 Nov 1995 13:36:38 -0800 (PST)
Received: from switchblade.iwi.com (switchblade.iwi.com [137.39.156.214]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id NAA14902 for ; Sun, 5 Nov 1995 13:36:34 -0800 (PST)
Received: (from mjr@localhost) by switchblade.iwi.com (8.6.9/8.6.9) id QAA26845 for firewalls@greatcircle.com; Sun, 5 Nov 1995 16:37:01 -0500
From: "Marcus J. Ranum"
Message-Id: <199511052137.QAA26845@switchblade.iwi.com>
Subject: OTPs: clarification
To: firewalls@greatcircle.com
Date: Sun, 5 Nov 1995 16:37:00 -0500 (EST)
Reply-To: mjr@iwi.com
Organization: Information Warehouse! Inc, Baltimore, MD
URL: mjr's web page
Phone: 410-889-8569
Coredump: Infocalypse Now!!!
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

mdr@vodka.sse.att.com writes:
>That leads one to try to implement something else and claim that it's a
>OTP. One such method would be to use a Random Number Generator in

This is called an "autokey cipher" and is not terribly secure. When I talked to the folks from Elementrix I found that they *are* aware of the distinction and are aware of the fact that they have abused the terminology. Their claim is that their system has the *properties* of a OTP. Which I find quite interesting, since the main interesting property of an OTP is that it is absolutely unbreakable if used properly.
>This is *NOT* a true OTP.

Correct, it is not. Elementrix is also aware of this. When I spoke with the guy who developed the scheme in question it is clear that he is aware of the distinction. :) A lot of cryptographers have jumped all over them (rightly) for abusing a trade term for marketing purposes.

>The real problem of course is finding a source of random data that is
>available to *both* parties.

By the *definition* of randomness, this is impossible. Note that the guys at Elementrix are aware of this impossibility, too. :) They claim to have a way around it. I do not believe they do - unless they've got a selective repeal of laws of nature, or are not using true randomness. Be that as it may: avoid misusing terms of the trade. There is no such thing as random data available to both parties without a communication channel someplace in the system to convey it. Unless you accept action at a distance. In which case you still only have one source of randomness. :)

>> Synchronization is a piece of cake. Since the pad is secure,
>> you simply call the other party on the phone and say "offset 129198L"
>> and crank away.
>
>I caveated that with:
>    Giving away the offset is inconsequential for a true OTP, but
>    for a algorithmically generated OTP it makes cryptanalysis
>    much easier.

Please do not abuse terms of the trade. THERE IS NO SUCH THING AS AN ALGORITHMICALLY GENERATED OTP. You know that. I know that. If you keep abusing the terminology, other people who do not will keep getting confused.

>If the OTP has been "generated" then synchronization is a pain because

THERE IS NO SUCH THING AS A "GENERATED" OTP. You know that. I know that. If you keep abusing the terminology, other people who do not will keep getting confused.

>I'm trying to say that the devil is in the details, is their
>implementation of a OTP really a OTP, or just another cypher?

It's not an OTP. They have said as much in the past.
They're willing to describe their technique under NDA and I'm probably going to meet with them sometime in the next few weeks and find out what's up. It's not an OTP; it sounds like they've come up with what they (rightly or wrongly) feel is an extremely clever wrinkle on some kind of generalized autokey cipher. They've explained it to a number of folks who are involved with cryptography but none who I know have great credentials as a cryptographer. So it remains to be seen. I'd be *impressed* if Whit Diffie or Ron Rivest said it was good. I'm less impressed that Winn Schwartau has said it was good. :)

mjr.

From firewalls-owner Sun Nov 5 16:02:47 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id PAA18418 for firewalls-outgoing; Sun, 5 Nov 1995 15:43:10 -0800 (PST)
Received: from dcc.com (ns.dcc.com [204.147.95.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id PAA17686 for ; Sun, 5 Nov 1995 15:23:27 -0800 (PST)
Received: by gateway.dcc.com id <79364>; Sun, 5 Nov 1995 17:28:25 -0600
From: "Moubray, Steve"
To: "'firewalls@greatcircle.com'"
Subject: Re: WWW & Proxy Servers
Date: Sun, 5 Nov 1995 19:19:00 -0600
Encoding: 72 TEXT
X-Mailer: Microsoft Mail V3.0
Message-Id: <95Nov5.172825cst.79364@gateway.dcc.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From: sangster@reston.ans.net (Paul Sangster)
Date: Tue, 31 Oct 1995 07:58:20 +0500
Subject: Re: WWW & Proxy Servers

> In article , stuart@loddon.demon.co.uk writes:
|> Apologies if the following questions have been asked before - if they have, I can't
|> find them !
|>
|> i) Is/Are there any proxy servers for WWW to restrict access to the WWW on
|> a username basis AND to further restrict use of 'sub-protocols' supported
|> by WWW such as ftp, gopher ... again on a username basis ?
_____________________________

I recently dealt with this and found out that only ANS supported such a system (at least they were the only ones to respond to my v-mail, e-mail and letters). A few manufacturers claimed to have something in the works but many of them have been selling non-existent features such as e-mail scanning and virus protection for some time. Other vendors may have this feature by now but make sure that you aren't getting vapor-ware.

I also have a general problem with the concept of keeping passwords on my firewall. I know these will only be used for outgoing traffic but those same passwords will be used by users to access everything else. ANS had to keep the passwords on the firewall at that time but you might want to check with them anyway. I couldn't use ANS anyway because my customer went out and purchased a Gauntlet before defining all of the needs.

The solution that we found was a Netscape Proxy Server. This assumes that you are using Netscape and allows the passwords to be kept on a separate box. You also gain all of the performance advantages of the Netscape Proxy Server. We used the configuration below.

    Outside Router
          |
          -----Services
          |
      Firewall
          |  |
          -----Proxy
          |  |
       Screen
          |  |
    Internal Network

Traffic is only allowed to go between the firewall and the proxy and the proxy and the screen. No direct traffic is allowed. I like this method for security.

This also has some advantages with the logs. The security manager is mainly concerned with someone trying to get in and the Gauntlet logs give him that information quite well. The administrators are interested in user ID, passwords and traffic and can get those logs from the proxy. The security guys only need to manage the firewall and the administrators only need to manage the proxy.

Download the Netscape proxy and check it out. We have ours running on FreeBSD but are converting it to BSDI (some people like to spend money).

-------------------------------------
Steve Moubray
DCC, Inc.
(612) 378-4469
Fax (612) 378-4401
smoubray@dcc.com
http://www.dcc.com/

From firewalls-owner Sun Nov 5 16:23:02 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id PAA18482 for firewalls-outgoing; Sun, 5 Nov 1995 15:44:35 -0800 (PST)
Received: from neon.ingenia.com (neon.ingenia.com [134.117.55.86]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id LAA10370 for ; Sun, 5 Nov 1995 11:07:38 -0800 (PST)
Received: (from shaver@localhost) by neon.ingenia.com (8.6.12/8.6.9) id OAA15910 for firewalls@greatcircle.com; Sun, 5 Nov 1995 14:09:43 -0500
From: Mike Shaver
Message-Id: <199511051909.OAA15910@neon.ingenia.com>
Subject: Java(tm) security documentation
To: firewalls@greatcircle.com
Date: Sun, 5 Nov 1995 14:09:42 -0500 (EST)
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Warning: this is a long message.

There's been a lot of speculation about Java's security features on this list of late, and it's starting to tend towards FUD. In the interests of having everyone on the same page, I've snipped relevant (IMHO, as is this whole paragraph) chunks of Sun's Java documentation for interested parties to read. I've kept the URLs intact, in case anyone wants to read the rest of it, or make sure I haven't doctored it for my own nefarious purposes.

The language's security features (not just applets):
(http://java.sun.com/whitePaper/javawhitepaper_6.html#HEADING15)

4.2 Security in the Java Environment

Security commands a high premium in the growing use of the Internet for products and services ranging from electronic distribution of software and multimedia content, to "digital cash". The area of security with which we're concerned here is how the Java compiler and run-time system restrict application programmers from creating subversive code.
The Java language compiler and run-time system implement several layers of defense against potentially incorrect code. One of the Java compiler's primary lines of defense is its memory allocation and reference model. Simply put, Java does not have "pointers" in the traditional C and C++ sense--memory cells that contain the addresses of other memory cells. Memory layout decisions are not made by the compiler, as they are in C and C++. Rather, memory layout is deferred to run-time, and will potentially differ depending on the characteristics of the hardware and software platforms on which the Java language system is executing.

The Java interpreter references memory via symbolic "handles" that are resolved to real memory addresses at run time. Java programmers can't forge pointers to memory, because the memory allocation and referencing model is completely opaque to the programmer and controlled entirely by the underlying run-time system. Very late binding of structures to memory means that programmers can't infer the physical memory layout of a class by looking at its declaration.

By removing the C/C++ memory layout and pointer models, the Java language has eliminated the programmer's ability to get behind the scenes and manufacture pointers to memory. These features must be viewed as positive benefits rather than a restriction on the programmer, because they ultimately lead to more reliable and secure applications.

The Byte Code Verification Process

What about the concept of a "hostile compiler"? Although the Java compiler ensures that Java source code doesn't violate the safety rules, when an application such as the HotJava web browser imports a code fragment from anywhere, it doesn't actually know if code fragments follow the Java language rules for safety--the code may not have been produced by a known-to-be trustworthy Java compiler. In such a case, how is the Java run-time system on your machine to trust the incoming byte code stream?
The answer is simple--it doesn't trust the incoming code, but subjects it to byte code verification. The tests range from simple verification that the format of a code fragment is correct, to passing through a simple theorem prover to establish that the code fragment plays by the rules--that it doesn't forge pointers, it doesn't violate access restrictions, and it accesses objects as what they are (for example, that "InputStream" objects are always used as "InputStreams" and never as anything else). A language that is safe, plus run-time verification of generated code, establishes a base set of guarantees that interfaces cannot be violated.

The Byte Code Verifier

The last phase of the byte code loader is the verifier. It traverses the byte codes, constructs the type state information, and verifies the types of the parameters to all the byte code instructions.

The illustration [see the HTML] shows the flow of data and control from Java language source code through the Java compiler, to the byte code verifier and hence on to the Java interpreter. The important issue is that the Java class loader and the byte code verifier make no assumptions about the primary source of the byte code stream--the code may have come from the local system, or it may have travelled halfway around the planet. The byte code verifier acts as a sort of gatekeeper. The byte code verifier ensures that the code passed to the Java interpreter is in a fit state to be executed and can run without fear of breaking the Java interpreter. Imported code is not allowed to execute by any means until after it has passed the verifier's tests.
Once the verifier is done, a number of important properties are known:

  - There are no operand stack overflows or underflows
  - The types of the parameters of all byte code instructions are known to always be correct
  - No illegal data conversions are done, like converting integers to pointers
  - Object field accesses are known to be legal--private or public or protected

While all this checking appears excruciatingly detailed, by the time the byte code verifier has done its work, the Java interpreter can proceed knowing that the code will run securely. Knowing these properties makes the Java interpreter much faster, because it doesn't have to check anything. There are no operand type checks and no stack overflow checks. The interpreter can thus function at full speed without compromising reliability.

Security Checks in the Class Loader

After incoming code has been vetted and determined clean by the byte code verifier, the next line of defense is the Java class loader. The environment seen by a thread of execution running Java byte codes can be visualized as a set of classes partitioned into separate name spaces. There is one name space for classes that come from the local file system, and a separate name space for each network source. When a class is imported from across the network it is placed into the private name space associated with its origin. When a class references another class, it is first looked for in the name space for the local system (built-in classes), then in the name space of the referencing class. There is no way that an imported class can "spoof" a built-in class. Built-in classes can never accidentally reference classes in imported name spaces--they can only reference such classes explicitly. Similarly, classes imported from different places are separated from each other.

Security in the Java Networking Package

Java's networking package provides the interfaces to handle the various network protocols (FTP, HTTP, Telnet, and so on).
This is your front line of defense at the network interface level. The networking package can be set up with configurable levels of paranoia. You can:

  - Disallow all network accesses
  - Allow all network accesses
  - Allow network accesses to only the hosts from which the code was imported
  - Allow network accesses only outside the firewall if the code came from outside

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Applet-specific security:
(written for the 1.0a3 release of HotJava(tm)... there will be a rewrite for the 1.0b release when that occurs. I'm assuming, perhaps incorrectly, that the Netscape implementation is similar. As I understand it, they licensed the HJ code from Sun, so I think it's all very close to the truth.)
(http://java.sun.com/1.0alpha3/doc/security/security.html)

[ A rehash of the above text, snipped ]

Security level four: protecting the file system and network access

HotJava enforces security policies confident that its security interfaces are secure. The three lower levels of security guarantee that all local classes, e.g., the file access primitives, are themselves protected from being supplanted, replaced, or extended by imported code. The file access primitives implement an access control list that controls read and write access to files by imported code (or code invoked by imported code). The defaults for these access control lists are very restrictive[*]. If an attempt is made by a piece of imported code to access a file to which access has not been granted, a dialog box pops up to allow the user to decide whether or not to allow that specific access. These security policies err on the conservative side in order to ensure maximum security. This conservative approach may make writing some applets more difficult or awkward.

For network security, HotJava provides a variety of mechanisms that can provide information about the trustworthiness of imported code. These mechanisms cover a wide range of possibilities.
At the simple end the system can check on the origin of a code fragment to determine if it came from inside or outside a firewall. At the sophisticated end of the range a mechanism exists whereby public keys and cryptographic message digests can be securely attached to code fragments that not only identify who originated the code, but guarantee its integrity as well. This latter mechanism will be implemented in future releases.

The security policies implemented by the runtime system can be dynamically adjusted based on the information available concerning the origin of a code fragment. The Socket class provides such an example. The Socket class implements security policies that are adjusted to reflect the trustworthiness of the code that invoked it, and transitively, the code that invoked the invoker. The information about what code began the chain of execution is available to the class in the form of which namespace contains the invoking code and what parameters are associated with that class. The class loader puts the classes it has loaded in a specific namespace, allowing the Socket class to determine the network host from which a class is loaded. Knowing the network host allows the HotJava security mechanism to determine whether the class originated inside or outside a firewall. Knowledgeable users of HotJava can decide which category of hosts to trust when loading executable code.

For example, the Socket class can implement the policy of only allowing new connections to be created that terminate at the host from whence the code was loaded. This restriction means that code loaded from outside a firewall cannot connect to other machines on the net behind the firewall. Code that comes from more trusted sources can be allowed more freedom to make connections to other machines. As an additional defense against untrusted sources HotJava's security can be set to prevent any code from being loaded. The level of security is configurable by HotJava users.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

[*] For exactly how "very restrictive" it is, I suggest people check the source.

Mike (don't work for Sun/Netscape, etc., etc.)
--
#> Mike Shaver (shaver@ingenia.com)   Ingenia Communications Corporation <#
#> Technical Specialist -- will tame sendmail(8) for food                  <#
#>                                                                        <#
#> "You are a very perverse individual, and I think I'd like to get to    <#
#>  know you better."  --- eric@reference.com                             <#

From firewalls-owner Sun Nov 5 17:53:16 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA22892 for firewalls-outgoing; Sun, 5 Nov 1995 17:24:15 -0800 (PST)
Received: from ic.co.at (ic.co.at [193.81.168.69]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id RAA22878 for ; Sun, 5 Nov 1995 17:24:08 -0800 (PST)
Received: from ic.co.at (ic.co.at [193.81.168.69]) by ic.co.at (8.7.1/8.7.1) with SMTP id DAA05303 for ; Mon, 6 Nov 1995 03:27:44 -0100
Date: Mon, 6 Nov 1995 03:27:44 -0100 (GMT-0100)
From: Michael Haberler
To: firewalls@GreatCircle.COM
Subject: ssh secure tunnels anybody?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Did anybody try to do a secure point-to-point tunnel with the ssh package from ftp.cs.hut.fi:/pub/ssh?
-michael

Michael Haberler                 mah@eunet.co.at
EUnet Austria Ltd                MH182
A-1090 Vienna, Austria, Thurngasse 8/16
Tel: +43 (1) 31376               fax: +43 (1) 3106926

From firewalls-owner Sun Nov 5 18:23:17 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA23734 for firewalls-outgoing; Sun, 5 Nov 1995 17:55:36 -0800 (PST)
Received: from bass.com.my (bass.com.my [161.142.248.42]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id RAA23727 for ; Sun, 5 Nov 1995 17:55:10 -0800 (PST)
Received: from bass.bass.com.my (gw.bass.com.my) by bass.com.my with SMTP id AA14271 (5.67a/IDA-1.5 for ); Mon, 6 Nov 1995 09:55:49 +0800
Received: by bass.bass.com.my (4.1/SMI-4.1) id AA16621; Mon, 6 Nov 95 09:53:08 MYT
Date: Mon, 6 Nov 1995 09:41:17 +0800 (MYT)
From: Tham Huei Hwan
Subject: Check point firewall-1 and firewall-2
To: firewalls
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I have some simple questions relating to how to set up firewall-1 or firewall-2 on a Sun Netra i with an SBus quad ethernet card. What procedure should I follow to configure the quad ethernet so that my local net can talk to the Internet? What precautions should I follow to configure firewall-2 to work with this quad ethernet card?
Thank you

From firewalls-owner Sun Nov 5 18:53:15 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id SAA24027 for firewalls-outgoing; Sun, 5 Nov 1995 18:06:17 -0800 (PST)
Received: from jedi.perth.wgc.com.au (jedi.perth.wgc.com.au [203.8.204.250]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id SAA24014 for ; Sun, 5 Nov 1995 18:06:09 -0800 (PST)
Received: (from root@localhost) by jedi.perth.wgc.com.au (8.6.9/) id KAA05312
Received: from cael.perth.wgc.com.au(203.8.204.3) by jedi via smap (V1.3) id sma005310; Mon Nov 6 10:17:19 1995
Received: (from peter@localhost) by cael.perth.wgc.com.au (8.6.10/8.6.10) id KAA03098 for firewalls@greatcircle.com; Mon, 6 Nov 1995 10:05:34 +0800
From: Peter Musca
Message-Id: <199511060205.KAA03098@cael.perth.wgc.com.au>
Subject: sendmail mc files??
To: firewalls@greatcircle.com (Firewalls Mailing List)
Date: Mon, 6 Nov 1995 10:05:33 +0800 (WST)
X-Mailer: ELM [version 2.4 PL11]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all,

Many months ago someone posted the appropriate m4 macro files for sendmail which configured one as a client and one as a mailhost which handles all incoming and outgoing mail. Where can I get these from?
(stupid me didn't keep a copy)

....peter
--
--------------------------------------------------------------
Peter Musca                  System/Network Administrator
Email: peter@perth.wgc.com.au    World Geoscience Corp
Phone: +61-9-273-6400            Western Australia
fax:   +61-9-273-6466
--------------------------------------------------------------

From firewalls-owner Sun Nov 5 19:23:22 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id SAA24889 for firewalls-outgoing; Sun, 5 Nov 1995 18:55:50 -0800 (PST)
Received: from dns.eng.auburn.edu (dns.eng.auburn.edu [131.204.10.13]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id SAA24879 for ; Sun, 5 Nov 1995 18:55:46 -0800 (PST)
Received: from strangelove.eng.auburn.edu.eng.auburn.edu (20663@strangelove.eng.auburn.edu [131.204.12.12]) by dns.eng.auburn.edu (8.6.12/8.6.4) with SMTP id UAA00307 for ; Sun, 5 Nov 1995 20:55:45 -0600
Date: Sun, 5 Nov 1995 20:55:45 -0600
From: Doug Hughes
Message-Id: <199511060255.UAA00307@dns.eng.auburn.edu>
To: firewalls@GreatCircle.COM
Subject: Re: Java(tm) security documentation
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It becomes readily apparent that Java may in fact be free from program correctness flaws, but it isn't at all apparent that it is free from other security flaws. The main problem I see, over and over again, is that all the security is user configurable. This leaves Java wide open to social engineering type attacks.. "Click here for a really cool demo, and don't forget to disable network security!"

Not having to worry about the program accessing memory it shouldn't and pointer abuses is good, but having file and network security user configurable is scary. This is especially so when you've got 5000 undergraduates to worry about. No amount of policy can prevent somebody from eventually doing something wrong (or at least naive). I'm still not reassured that I want to give this tool to everybody...
It still sounds easily subverted via social engineering. There are a lot of things subject to this kind of attack, but something which sits out on the web, looks "really cool", and might be fun, with explicit instructions on how to get it to run by disabling something is just too easy. It could even do something really cool, but be doing something not so cool behind the scenes.

Doug Hughes
Engineering Network Services
doug@eng.auburn.edu
Auburn University

From firewalls-owner Sun Nov 5 19:53:04 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id RAA23145 for firewalls-outgoing; Sun, 5 Nov 1995 17:32:28 -0800 (PST)
Received: from yarrina.connect.com.au (yarrina.connect.com.au [192.189.54.17]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id RAA23097 for ; Sun, 5 Nov 1995 17:32:10 -0800 (PST)
Received: (from root@localhost) by yarrina.connect.com.au with UUCP id MAA06136 (8.6.12/IDA-1.6); Mon, 6 Nov 1995 12:31:43 +1100
Received: by junkers.lochard.com.au id AA41991 (5.65c/IDA-1.5); Mon, 6 Nov 1995 01:58:48 GMT
From: Mark
Message-Id: <199511060158.AA41991@junkers.lochard.com.au>
Subject: Re: Spoofing ISDN
To: maillet@doc.cs.usm.maine.edu (Edward Maillet)
Date: Mon, 6 Nov 1995 11:58:48 +1000 (EET)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9511020049.AA25854@doc.cs.usm.maine.edu> from "Edward Maillet" at Nov 1, 95 07:49:09 pm
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Some folks at work want to set up an ISDN dial-in connection relying
>solely on the inbound caller ID as the security measure. Is it possible
>to spoof the D channel to send fake info? I'm fairly certain there is
>a way to do it. Can anyone point me to some references so I can make a
>decent technical argument against this?

Throw words at them like corporate espionage, phreakers reprogramming switches and malicious telco employees.
Remind them that link level encryption and authentication is not that much more difficult so there is no excuse not to use it on the production system. Ask them how much their security is worth to them and how much more peace of mind they will get by knowing a heck of a lot of mathematics is protecting their transmissions.

Cheers,
Mark
mark@lochard.com.au

From firewalls-owner Sun Nov 5 22:23:08 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id VAA01433 for firewalls-outgoing; Sun, 5 Nov 1995 21:52:08 -0800 (PST)
Received: from neon.ingenia.com (neon.ingenia.com [205.207.219.29]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id VAA01426 for ; Sun, 5 Nov 1995 21:52:04 -0800 (PST)
Received: (from shaver@localhost) by neon.ingenia.com (8.6.12/8.6.9) id BAA02160; Mon, 6 Nov 1995 01:08:51 -0500
From: Mike Shaver
Message-Id: <199511060608.BAA02160@neon.ingenia.com>
Subject: Re: Java(tm) security documentation
To: Doug.Hughes@Eng.Auburn.EDU (Doug Hughes)
Date: Mon, 6 Nov 1995 01:08:51 -0500 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199511060255.UAA00307@dns.eng.auburn.edu> from "Doug Hughes" at Nov 5, 95 08:55:45 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thus spake Doug Hughes:
> It becomes readily apparent that Java may in fact be free from
> program correctness flaws, but it isn't at all apparent that it is
> free from other security flaws. The main problem I see, over and
> over again, is that all the security is user configurable.

Well, you could always write your own SecurityManager.class (talk to Anselm Baird-Smith... he's working on one right now) to drop into the appropriate directory and then have the security hard-configured. (I don't think there's a security-config option relating to Java in Netscape 2.0b, so I'll assume we're talking about HotJava.
Actually, there might be something in the .INI... should check that out.)

> It still sounds easily subverted via social engineering.

What isn't? If you allow outbound TCP, you're wide open for someone to distribute a Netscape plug-in, or a new version of ws_ftp, or what have you, and have it do nasty things security-leak-wise.

OK, let's assume that Java(tm) really is a Bad Thing. What are you going to do about it? It's out there, and if you can't trust your users to listen to your policy about "no Java!", then you can't keep it from getting in. And if you _can_ trust them to listen to you, then you can solve this with policy.

Mike
--
#> Mike Shaver (shaver@ingenia.com)   Ingenia Communications Corporation <#
#> UNIX medicine man -- dark magick, cheap!                               <#
#>                                                                        <#
#> When the going gets tough, the tough give cryptic error messages.      <#
#> "We believe in rough consensus and running code."                      <#

From firewalls-owner Sun Nov 5 22:53:02 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id WAA02483 for firewalls-outgoing; Sun, 5 Nov 1995 22:46:56 -0800 (PST)
Received: from crimson.cadvision.com (cadb184.cadvision.com [204.50.59.184]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id WAA02476 for ; Sun, 5 Nov 1995 22:46:50 -0800 (PST)
Received: (from root@localhost) by crimson.cadvision.com (8.6.9/8.6.9) id FAA01684; Fri, 2 Dec 1994 05:33:11 -0700
Date: Fri, 2 Dec 1994 05:33:02 -0700 (MST)
From: root
To: David R Conrad
cc: mulligan@incog.com, firewalls@GreatCircle.COM
Subject: Re: Man in the Middle Attacks (Over rated?)
In-Reply-To: <199511040636.PAA22590@ns.iij.ad.jp>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sat, 4 Nov 1995, David R Conrad wrote:
>
> while back (a year or so ago?) in which several very large ISPs in the
> US (and likely elsewhere) were compromised, not just once but several
> times.
Yes, and to be honest I see no reason why we should not assume most if not all of the major ISPs out there have serious or at least some security troubles. BBN who owns BARRNET as well as other internet concerns got burned quite recently. And rather severely I might add. > > the ISPs couldn't be positive: after a few attacks where the sniffers > kept the passwords in plaintext on disk, the sniffers evolved to > encrypt the collected password files so the ISP, when they did Sniffers with export setups are commonplace on the net. I.e. the sniffer sitting on your machine sends packets across the net to a listening port on another. Some variations include the packets being encrypted via IDEA or whatnot and then sent, while others are simply encrypting the traffic once it is received. Not only this but some hackers are couching their traffic in ICMP echo requests or other such non-standard (to be monitored) protocols. Al H. Mcphee ****************************************************************************** "Freedom is a meal easy to eat, but difficult to digest". -Rousseau Send all replies to mcpheea@cadvision.com ****************************************************************************** From firewalls-owner Sun Nov 5 23:23:09 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id XAA02818 for firewalls-outgoing; Sun, 5 Nov 1995 23:01:28 -0800 (PST) Received: from hk.super.net (hk.super.net [202.14.67.4]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id XAA02811 for ; Sun, 5 Nov 1995 23:01:14 -0800 (PST) Received: from rssd.hk.olivetti.com (rssd.hk.olivetti.com [202.64.192.5]) by hk.super.net (8.7.1/8.7.1) with SMTP id PAA04967 for <@hk.super.net:firewalls@greatcircle.com>; Mon, 6 Nov 1995 15:00:58 +0800 (HKT) Message-Id: <199511060700.PAA04967@hk.super.net> Subject: Re: DES export restrictions and ZyXEL To: ted@kgbvax.network.com (Ted Doty) Date: Mon, 6 Nov 1995 14:46:25 +0800 (HKT) From: "Raju M.
Daryanani" Cc: firewalls@greatcircle.com In-Reply-To: <199511031323.IAA28999@kgbvax.network.com> from "Ted Doty" at Nov 3, 95 08:23:36 am X-Mailer: ELM [version 2.4 PL21] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk According to Ted Doty: > > (1) Is it possible for a large US company to export products using DES > > data encryption? I mean even if they get a "non-USA DES" can they > > export products including this? > Yes. We do, and many others do as well. The export restrictions have many > (well, some) instances where strong encryption can be exported. Note that Zyxel is a Taiwanese company isn't it? Why should it care about US export restrictions when it can ship product from Taiwan straight to Sweden or anywhere else in the world for that matter. Raju -- Raju M. Daryanani | Email: raju@rssd.hk.olivetti.com Technical Support Manager | raju@hk.super.net, raju@air.org Products Division | Tel: +852 2979 2450 / Fax: +852 2802 6650 Olivetti (HK) Ltd. | [Finger for PGP key] [MIME understood] From firewalls-owner Sun Nov 5 23:53:06 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id XAA03838 for firewalls-outgoing; Sun, 5 Nov 1995 23:43:34 -0800 (PST) Received: from hermes.intel.com (hermes.intel.com [143.183.152.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id XAA03831 for ; Sun, 5 Nov 1995 23:43:32 -0800 (PST) Received: from argus.intel.com by hermes.intel.com (5.65/10.0i); Sun, 5 Nov 95 23:43:35 -0800 Received: by argus.intel.com (5.65/10.0i); Sun, 5 Nov 95 23:43:34 -0800 From: sedayao@argus.intel.com (Jeffrey C. Sedayao) Message-Id: <9511060743.AA13245@argus.intel.com> Subject: Re: Man in the Middle Attacks (Over rated?) 
To: firewalls@greatcircle.com Date: Sun, 5 Nov 95 23:43:33 PST X-Mailer: ELM [version 2.4dev PL66] Mime-Version: 1.0 Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Has anyone heard of "Man in the middle attacks" at trade shows? I would think that they would be the best place to do that. I am always amazed that people login and read their mail over the Internet at shows like InterOP. Think of all the sniffers that must be there! I have seen reports that sniffing of regular voice conversations (i.e. eavesdropping) is a problem at such trade shows, but haven't heard any confirmed reports about data sniffing. -- Jeff Sedayao Intel Corporation sedayao@argus.intel.com From firewalls-owner Mon Nov 6 04:23:45 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id EAA09618 for firewalls-outgoing; Mon, 6 Nov 1995 04:12:52 -0800 (PST) Received: from icnucevx.cnuce.cnr.it (icnucevx.cnuce.cnr.it [131.114.1.30]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id EAA09604 for ; Mon, 6 Nov 1995 04:12:42 -0800 (PST) Received: from fly.cnuce.cnr.it by mailsrv.cnuce.cnr.it (PMDF V5.0-4 #9955) id <01HXBOHQ2RS6A4L6PM@mailsrv.cnuce.cnr.it> for firewalls@greatcircle.com; Mon, 06 Nov 1995 13:12:32 +0100 (MET) Received: by fly.cnuce.cnr.it (Smail3.1.26.7 #1) id m0tCQQC-00021XC; Mon, 06 Nov 1995 13:13 +0100 (MET) Date: Mon, 06 Nov 1995 13:13 +0100 (MET) From: claudio@fly.CNUCE.CNR.IT (Claudio Telmon) Subject: Re: Java(tm) security documentation To: firewalls@greatcircle.com Message-id: Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The Byte Code Verifier [...] Looks a little more complex than sendmail or telnetd... 
:) - Claudio From firewalls-owner Mon Nov 6 04:55:25 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id EAA10079 for firewalls-outgoing; Mon, 6 Nov 1995 04:45:50 -0800 (PST) Received: from pegase.total.fr (pegase.total.fr [146.249.152.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id EAA10072 for ; Mon, 6 Nov 1995 04:45:35 -0800 (PST) Received: from tidtest.total.fr by pegase.total.fr with SMTP (16.6/16.2) id AA17702; Mon, 6 Nov 95 13:22:26 +0100 Received: by tidtest.total.fr (4.1/SMI-4.1) id AA00333; Mon, 6 Nov 95 13:44:49 GMT Message-Id: <9511061344.AA00333@tidtest.total.fr> To: Rick Smith Cc: firewalls@greatcircle.com Subject: Re: Tightening up SunOS 5.4 (was Re: Hardened OS) In-Reply-To: Your message of "Fri, 03 Nov 1995 14:07:08 CST." <199511032007.OAA17966@shade.sctc.com> Date: Mon, 06 Nov 1995 13:44:49 +0000 From: Michel Lavondes Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In message <199511032007.OAA17966@shade.sctc.com>, Rick Smith writes: > > I'm happy that root is just a name for uid 0, but what about > > processes that need to be started at boot time? Will it be > > possible to run these at boot time without an entry for root in > > the password file, and without the setuid bits on executable > > binaries? > > Actually, the term "root" is getting overloaded in this discussion. > It has two fundamental properties of interest here: 1) it has uid 0 > which is really necessary in most Unix systems, and 2) it can override > lots of access protections on the system. We left in 1) and > constrained 2) using our type enforcement mechanism. Some standard > Unix systems try to get a similar effect with chroot, with varying > degrees of success. > > Rick. > smith@sctc.com secure computing corporation Apologies if this sounds like nit-picking, but isn't it uid 0 that has property 2) ? 
If so, and assuming that each "privilege area" needs its own superuser uid, and that some commands need superuser privilege in more than one area (this may well be wrong - I don't know enough about the way you implemented TE to figure it out,) it seems to me that you may wind up with up to n^n different uid's, where n is the number of privilege areas. That looks like a lot of user names to make secure. OTOH, though, breaking through one may compromise your firewall far less than breaking through root on a standard Un*x box. But n^n still is quite a lot. Plus we still don't know what are the privileges of a process started at boot time with your scheme. Did I misunderstand the thread ? Am I hopelessly clueless ? Or is that a real issue ? Just my $0.0034 (FF 0.02 at 5.9 FF/$) Michel Lavondes (lavondes@tidtest.total.fr) #include ============================================================ = When Privacy Is Outlawed, Only Outlaws Will Have Privacy = = I Support the Phil Zimmermann Legal Defense Fund!
= = email: zldf@clark.net http://www.netresponse.com/zldf = ============================================================ (with thanks to those who lead me into it :-)) From firewalls-owner Mon Nov 6 06:25:17 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id GAA12805 for firewalls-outgoing; Mon, 6 Nov 1995 06:15:05 -0800 (PST) Received: from dns.eng.auburn.edu (dns.eng.auburn.edu [131.204.10.13]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id GAA12798 for ; Mon, 6 Nov 1995 06:15:01 -0800 (PST) Received: from netman.eng.auburn.edu (netman.eng.auburn.edu [131.204.12.24]) by dns.eng.auburn.edu (8.6.12/8.6.4) with ESMTP id IAA16884; Mon, 6 Nov 1995 08:15:02 -0600 From: Doug Hughes Received: from localhost (doug@localhost) by netman.eng.auburn.edu (8.6.4/8.6.4) id IAA21823; Mon, 6 Nov 1995 08:14:59 -0600 Date: Mon, 6 Nov 1995 08:14:59 -0600 Subject: Re: Java(tm) security documentation To: shaver@neon.ingenia.com Cc: firewalls@greatcircle.com Message-Id: In-Reply-To: <199511060608.BAA02160@neon.ingenia.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > >Well, you could always write your own SecurityManager.class (talk to >Anselm Baird-Smith... he's working on one right now) to drop into the >appropriate directory and then have the security hard-configured. > >(I don't think there's a security-config option relating to Java in >Netscape 2.0b, so I'll assume we're talking about HotJava. Actually, >there might be something in the .INI... should check that out.) > Yeah, I could, but when anybody can download a free clean copy from the Internet, what good does all that effort do me? (Yes, I'm talking about HotJava) >> It still sounds easily subverted via social engineering. > >What isn't? >If you allow outbound TCP, you're wide open for someone to distribute >a Netscape plug-in, or a new version of ws_ftp, or what have you, and >have it do nasty things security-leak-wise. 
> The point is, that java makes it much easier. There's no need for the user to write a sockets program or anything. Plus, Java has the magic phrase "WWW - Internet - Information Superhighway" associated with it. The problem is that Java is so user-friendly for the novice, while these other things aren't. Undergrads with absolutely no knowledge of computers can use Java to click and navigate the Internet, and can use somebody else's "new improved copy from some.site.somewhere.net" >OK, let's assume that Java(tm) really is a Bad Thing. What are you >going to do about it? It's out there, and if you can't trust your >users to listen to your policy about "no Java!", then you can't keep >it from getting in. And if you _can_ trust them to listen to you, >then you can solve this with policy. > >Mike > So, I should just accept it's going to get in and write some words on paper that if you use it you get your hands slapped? I'd rather that they be convinced to take out the user-configurable security. I don't think Java is a bad thing, I think user-configurable security "could" be a very bad thing. 
-- ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug@eng.auburn.edu Apple T-shirt on Win95 - "Been there, done that" From firewalls-owner Mon Nov 6 06:53:59 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id GAA13170 for firewalls-outgoing; Mon, 6 Nov 1995 06:48:05 -0800 (PST) Received: from basic.net (basic.net [205.242.92.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id GAA13162 for ; Mon, 6 Nov 1995 06:48:02 -0800 (PST) Received: by basic.net (SMI-8.6/BN-1.20) id IAA10717; Mon, 6 Nov 1995 08:44:30 -0600 Date: Mon, 6 Nov 1995 08:44:30 -0600 (CST) From: Jim McBride To: Mark cc: Edward Maillet , firewalls@GreatCircle.COM Subject: Re: Spoofing ISDN In-Reply-To: <199511060158.AA41991@junkers.lochard.com.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 6 Nov 1995, Mark wrote: > > Some folks at work want to set up an ISDN dial-in connection relying > >solely on the inbound caller ID as the security measure. Is it possible > >to spoof the D channel to send fake info? I'm fairly certain there is > >a way to do it. Can anyone point me to some references so I can make a > >decent technical argument against this? > > Throw words at them like corporate espionage, phreakers reprogramming switches > and malicious telco employees. Remind them that link level encryption and > authentication is not that much more difficult so there is no excuse not to > use it on the production system. > > Ask them how much their security is worth to them and how much more peace of > mind they will get by knowing a heck of a lot of mathematics is protecting > their transmissions. > > Cheers, > Mark > mark@lochard.com.au > And keep in mind while spouting this that you are completely and utterly full of sh*t.
Again, per my previous post, I would like somebody to explain to me how you think you can forge a CLID even with switch access, if you can prove me wrong, great...but I don't think you can. --Jim From firewalls-owner Mon Nov 6 08:27:55 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA14469 for firewalls-outgoing; Mon, 6 Nov 1995 08:11:40 -0800 (PST) Received: from netcom.netcom.com (netcom.netcom.com [192.100.81.100]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id IAA14462 for ; Mon, 6 Nov 1995 08:11:36 -0800 (PST) Received: by netcom.netcom.com (8.6.12/Netcom) id IAA20139; Mon, 6 Nov 1995 08:09:35 -0800 Date: Mon, 6 Nov 1995 08:09:35 -0800 (PST) From: Bob Bosen Subject: Re: Info about Secure Net and Secure ID To: Einar Landre cc: firewalls@greatcircle.com In-Reply-To: <9511051811.AA00352@breng> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sun, 5 Nov 1995, Einar Landre wrote: > Hi, > > In the documentation from TIS regarding user authentication, > two commercial vendors / products are mentioned. > > Digital Pathways with Secure Net > Security Dynamics with SecurID > > Can somebody tell me where to find information about the two ?? > > Regards Einar > ------------------------------------------------------ > Einar Landre, Senior Consultant > Skrivervik Data AS Phone: +47 22 18 58 27 > Post Box 3885 Fax: +47 22 18 59 98 > Ullevaal Hageby E-mail: einar.landre@sdata.no > N-0805 Oslo, Norway > Both of these companies have web pages: www.securid.com www.digpath.com Regards, Bob Bosen Enigma Logic Inc. 2151 Salvio St. #301 Concord, CA 94520 USA Tel: +1 510 827-5707 Internet: bbosen@netcom.com http://www.safeword.com ftp://ftp.safeword.com/ ************************************************************************** * "It wasn't me!!! Somebody must have captured my username/password!!!"
* ************************************************************************** From firewalls-owner Mon Nov 6 09:11:12 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA14975 for firewalls-outgoing; Mon, 6 Nov 1995 08:46:59 -0800 (PST) Received: from tuna.wang.com (tuna.wang.com [150.124.136.4]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id IAA14968 for ; Mon, 6 Nov 1995 08:46:56 -0800 (PST) Received: from mail.wangfed.com (ns.wangfed.com [159.94.10.19]) by tuna.wang.com (8.6.12/8.6.12tf1) with SMTP id LAA14919 for ; Mon, 6 Nov 1995 11:47:01 -0500 Received: from [159.94.10.15] by mail.wangfed.com (1.37.109.4/A.09.00a) id AA16475; Mon, 6 Nov 95 11:39:54 -0600 Received: from [159.94.14.48] by hfsi (BULL 5.61++/B.O.S 02.01) id AA00475; Mon, 6 Nov 95 11:37:28 -0500 Date: Mon, 6 Nov 95 11:37:28 -0500 Message-Id: <9511061637.AA00475@hfsi> From: "K Goertzel" Reply-To: "K Goertzel" To: firewalls@GreatCircle.COM Subject: Re: Anecdotes or Firewall/NetSec Jokes Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In message <9511051641.AA01999@sonic.nmti.com.nmti.com> Peter da Silva writes: > > > I'll be speaking at a number of seminars in the next three weeks, > > > and I think it would be nice to have some intelligent humorous > > > jokes or anecdotes to start my talks off. > > > How about Microsoft, they are the biggest joke going. > > Unfortunately this is sounding more and more like graveyard humor. They're > selling very effectively, no matter how awful their product is. And McDonald's is never going to rate even 1 Michelin star, let alone five. Those of us who are more discerning in what we eat, and what software we buy, refuse to accept the lowest common denominator just because it's popular. Karen Goertzel Manager, International Programmes Secure Systems and Services Operation Wang Federal, Inc.
7900 Westpark Drive - MS 700 McLean, Virginia 22102-4299 TEL: 703-827 3914 FAX: 703-827 3161 Internet: goertzek@wangfed.com +-----------------------------------------------------------+ | So far, everybody will agree with me. This proves either | | that I am hopelessly wrong, or that the world has had at | | least a half century to think the matter over in. | | - George Bernard Shaw | +-----------------------------------------------------------+ From firewalls-owner Mon Nov 6 09:23:19 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id HAA14273 for firewalls-outgoing; Mon, 6 Nov 1995 07:56:05 -0800 (PST) Received: from quark.foobar.co.uk (quark.foobar.co.uk [193.122.182.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id HAA14266 for ; Mon, 6 Nov 1995 07:55:50 -0800 (PST) Received: (from mjc@localhost) by quark.foobar.co.uk (8.6.11/8.6.9) id OAA05862; Mon, 6 Nov 1995 14:55:17 GMT Message-Id: <199511061455.OAA05862@quark.foobar.co.uk> Subject: Re: Tightening up SunOS 5.4 (was Re: Hardened OS) To: lavondes@tidtest.total.fr (Michel Lavondes) Date: Mon, 6 Nov 1995 14:55:17 +0000 (GMT) From: "Martin Cooper" Cc: firewalls@greatcircle.com In-Reply-To: <9511061344.AA00333@tidtest.total.fr> from "Michel Lavondes" at Nov 6, 95 01:44:49 pm X-Mailer: ELM [version 2.4 PL24 ME6] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > In message <199511032007.OAA17966@shade.sctc.com>, Rick Smith writes: > > > I'm happy that root is just a name for uid 0, but what about > > > processes that need to be started at boot time? Will it be > > > possible to run these at boot time without an entry for root in > > > the password file, and without the setuid bits on executable > > > binaries? > > > > Actually, the term "root" is getting overloaded in this discussion. 
> > It has two fundamental properties of interest here: 1) it has uid 0 > > which is really necessary in most Unix systems, and 2) it can override > > lots of access protections on the system. We left in 1) and > > constrained 2) using our type enforcement mechanism. Some standard > > Unix systems try to get a similar effect with chroot, with varying > > degrees of success. > > > > Rick. > > smith@sctc.com secure computing corporation > > Apologies if this sounds like nit-picking, but isn't it uid 0 that > has property 2) ? If so, and assuming that each "privilege area" needs > its own superuser uid, and that some commands need superuser privilege > in more than one area (this may well be wrong - I don't know enough > about the way you implemented TE to figure it out,) it seems to me > that you may wind up with up to n^n different uid's, where n is the > number of privilege areas. That looks like a lot of user names to > make secure. OTOH, though, breaking through one may compromise your > firewall far less than breaking through root on a standard Un*x box. > But n^n still is quite a lot. > > Plus we still don't know what are the privileges of a process > started at boot time with your scheme. > > Did I misunderstand the thread ? Am I hopelessly clueless ? Or is > that a real issue ? What I'm not yet sure of is whether it is possible to have no users, and have all necessary processes be spawned at boot time from uid 0 processes, and any sub-processes be spawned from them, without an entry for root in the passwd file. I thought Rick had posted to the list saying that having no root entry for uid 0 would cause problems with booting into single user mode, but perhaps it was someone else. Rick, are you saying that although you have removed root's passwd entry, you have created other usernames and given them permissions specific to specific tasks? Is it possible to boot into single user mode, or reboot at all, on your system as it is?
Martin -- Martin Cooper http://www.foobar.co.uk/~mjc/ mjc@foobar.co.uk Foobar Internet http://www.foobar.co.uk/ sales@foobar.co.uk Phone: +44 (0)116 2330033 Fax: +44 (0)116 2330035 The Magazine Business Centre, Newarke Street, LEICESTER, LE1 5SS From firewalls-owner Mon Nov 6 09:53:31 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA15505 for firewalls-outgoing; Mon, 6 Nov 1995 09:22:04 -0800 (PST) Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id JAA15498 for ; Mon, 6 Nov 1995 09:22:00 -0800 (PST) Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.7.1/8.7.1) with UUCP id KAA01254 for GreatCircle.COM!firewalls; Mon, 6 Nov 1995 10:14:21 -0600 (CST) Received: by ris1.nmti.com (smail2.5) id AA00137; 6 Nov 95 10:14:17 CST (Mon) Received: by sonic.nmti.com; id AA01837; Mon, 6 Nov 1995 09:43:31 -0600 From: peter@nmti.com (Peter da Silva) Message-Id: <9511061543.AA01837@sonic.nmti.com.nmti.com> Subject: Re: OTPs: clarification To: mjr@iwi.com Date: Mon, 6 Nov 1995 09:43:31 -0600 (CST) Cc: firewalls@GreatCircle.COM In-Reply-To: <199511052137.QAA26845@switchblade.iwi.com> from "Marcus J. Ranum" at Nov 5, 95 04:37:00 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Be that as it may: avoid misusing terms of the trade. > There is no such thing as random data available to both parties > without a communication channel someplace in the system to > convey it. Unless you accept action at a distance. In which > case you still only have one source of randomness. :) Back to the Aspect Experiment and Quantum Mechanical crypto? 
From firewalls-owner Mon Nov 6 10:31:59 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA15572 for firewalls-outgoing; Mon, 6 Nov 1995 09:27:11 -0800 (PST) Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id JAA15565 for ; Mon, 6 Nov 1995 09:27:07 -0800 (PST) Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.7.1/8.7.1) with UUCP id KAA01338 for GreatCircle.COM!firewalls; Mon, 6 Nov 1995 10:14:37 -0600 (CST) Received: by ris1.nmti.com (smail2.5) id AA00523; 6 Nov 95 10:29:46 CST (Mon) Received: by sonic.nmti.com; id AA11325; Mon, 6 Nov 1995 09:58:55 -0600 From: peter@nmti.com (Peter da Silva) Message-Id: <9511061558.AA11325@sonic.nmti.com.nmti.com> Subject: Re: Java(tm) security documentation To: shaver@neon.ingenia.com (Mike Shaver) Date: Mon, 6 Nov 1995 09:58:55 -0600 (CST) Cc: Doug.Hughes@Eng.Auburn.EDU, firewalls@GreatCircle.COM In-Reply-To: <199511060608.BAA02160@neon.ingenia.com> from "Mike Shaver" at Nov 6, 95 01:08:51 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > It still sounds easily subverted via social engineering. > What isn't? > If you allow outbound TCP, you're wide open for someone to distribute > a Netscape plug-in, or a new version of ws_ftp, or what have you, and > have it do nasty things security-leak-wise. Yeh, but that's not something that can be subverted with two apparently innocent clicks. 
From firewalls-owner Mon Nov 6 10:53:21 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id KAA17529 for firewalls-outgoing; Mon, 6 Nov 1995 10:29:14 -0800 (PST) Received: from webisys.com (webisys.com [205.186.45.16]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id KAA17522 for ; Mon, 6 Nov 1995 10:29:09 -0800 (PST) Received: from tiger.webisys.com (tiger.webisys.com [205.186.45.130]) by webisys.com (8.6.12/8.6.12) with ESMTP id LAA13919 for ; Mon, 6 Nov 1995 11:29:51 -0700 Received: (from rkandari@localhost) by tiger.webisys.com (8.6.12/8.6.12) id LAA23080 for firewalls@GreatCircle.COM; Mon, 6 Nov 1995 11:30:45 -0700 Date: Mon, 6 Nov 1995 11:30:45 -0700 From: Richard Kandarian Message-Id: <199511061830.LAA23080@tiger.webisys.com> Subject: Re: Anecdotes or Firewall/NetSec Jokes Content-Type: text Apparently-To: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > > I'll be speaking at a number of seminars in the next three weeks, > > > and I think it would be nice to have some intelligent humorous > > > jokes or anecdotes to start my talks off. > > > How about Microsoft, they are the biggest joke going. > > Unfortunately this is sounding more and more like graveyard humor. They're > selling very effectively, no matter how awful their product is. Brings to mind the joke which ends: ...billions and billions of flies can't be wrong!
From firewalls-owner Mon Nov 6 11:39:09 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id LAA18669 for firewalls-outgoing; Mon, 6 Nov 1995 11:18:55 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id LAA18660 for ; Mon, 6 Nov 1995 11:18:52 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950602) id LAA25518; Mon, 6 Nov 1995 11:18:51 -0800 Received: from relay-4.mail.demon.net(158.152.1.64) by mycroft via smap (V1.3mjr) id sma025516; Mon Nov 6 11:18:44 1995 Received: by relay-4.mail.demon.net id msg.aa17505; 6 Nov 95 19:13 GMT Received: from post.demon.co.uk by relay-4.mail.demon.net id g.ac15399; 6 Nov 95 18:36 GMT Received: from relay-4.mail.demon.net by relay-3.mail.demon.net id msg.aa20172; 6 Nov 95 18:35 GMT From: Mike Williams To: firewalls@greatcircle.com Subject: Generic Proxy Date: Mon, 06 Nov 1995 18:34:36 GMT X-Mailer: Forte Agent .99b.112 Message-ID: <9511061835.msg.aa20172@relay-3.mail.demon.net> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I can't believe this hasn't been discussed before but as I'm relatively new to the list please forgive my ignorance. Does anybody know of a generic tcp/udp proxy which does not suffer from the limitations of the likes of plug-gw (no slight intended), i.e. will support one-to-many connections to the same destination port? Is the answer to this client code that always connects to the proxy but furnishes it with a name and destination port number of the ultimate destination? Does a, dare I suggest, standard exist for such communication? Grateful for any feedback, Mike. 
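An added illustration, not part of Mike Williams's message and not plug-gw or any other product named on the list: the "client connects to the proxy and names the real destination" scheme he describes, written as a small Python 3 proxy handler. The one-line request format (CONNECT <host> <port>), the destination policy table and the hostnames are assumptions made for this example. Because the destination comes from the client's request line rather than from a fixed per-listener configuration, one listener serves any number of destinations on the same port, which is the plug-gw limitation he mentions. It is also exactly why the proxy must keep its own list of permitted destinations: a generic proxy that relays wherever the client asks is an open relay through the firewall. The header reader also refuses to buffer more than a fixed number of bytes, so a client that never sends a newline cannot tie up memory.

```python
"""Added example (not code from the list or from any product it names): a
header-driven generic TCP proxy. The request-line format, the policy table
and the hostnames are assumptions chosen for the illustration."""
import re
import selectors
import socket
from typing import Optional, Set, Tuple

# Assumed wire format: the client sends exactly one line, for example
#   CONNECT mailhost.example.com 25\r\n
# and waits for "OK\r\n" before sending application data.
REQUEST_RE = re.compile(rb"CONNECT[ \t]+([A-Za-z0-9.\-]{1,253})[ \t]+(\d{1,5})\r?\n\Z")

# Destinations internal clients may reach through the proxy (assumed).
ALLOWED_DESTINATIONS: Set[Tuple[str, int]] = {
    ("mailhost.example.com", 25),
    ("news.example.com", 119),
}

def parse_connect(line: bytes) -> Optional[Tuple[str, int]]:
    """Return (host, port) from a request line, or None if it is malformed."""
    m = REQUEST_RE.match(line)
    if m is None:
        return None
    port = int(m.group(2))
    if not 1 <= port <= 65535:
        return None
    return m.group(1).decode("ascii").lower(), port

def policy_allows(host: str, port: int, allowed=ALLOWED_DESTINATIONS) -> bool:
    """Static allow-list check; the proxy never relays anywhere else."""
    return (host, port) in allowed

def read_request_line(sock: socket.socket, limit: int = 512) -> Optional[bytes]:
    """Read one line, refusing to buffer more than `limit` bytes from a
    client that never sends a newline (or that closes first)."""
    buf = bytearray()
    while len(buf) < limit:
        c = sock.recv(1)
        if not c:
            return None
        buf += c
        if c == b"\n":
            return bytes(buf)
    return None

def refuse(client: socket.socket, reason: bytes) -> None:
    """Send a one-line error and drop the client; ignore a vanished peer."""
    try:
        client.sendall(b"ERR " + reason + b"\r\n")
    except OSError:
        pass
    client.close()

def relay(a: socket.socket, b: socket.socket, bufsize: int = 4096) -> None:
    """Copy bytes in both directions until both sides have sent EOF."""
    sel = selectors.DefaultSelector()
    peer = {a: b, b: a}
    for s in peer:
        sel.register(s, selectors.EVENT_READ)
    open_sides = 2
    while open_sides:
        for key, _ in sel.select():
            src = key.fileobj
            data = src.recv(bufsize)
            if data:
                peer[src].sendall(data)
                continue
            sel.unregister(src)
            open_sides -= 1
            try:
                peer[src].shutdown(socket.SHUT_WR)  # pass the EOF along
            except OSError:
                pass
    a.close()
    b.close()

def handle_client(client: socket.socket) -> str:
    """Serve one accepted connection; the return value is for logging."""
    line = read_request_line(client)
    req = parse_connect(line) if line is not None else None
    if req is None:
        refuse(client, b"bad request")
        return "bad request"
    host, port = req
    if not policy_allows(host, port):
        refuse(client, b"destination not permitted")
        return "denied"
    try:
        upstream = socket.create_connection((host, port), timeout=10)
    except OSError:
        refuse(client, b"connect failed")
        return "connect failed"
    upstream.settimeout(None)
    client.sendall(b"OK\r\n")
    relay(client, upstream)
    return "relayed"
```

To run it as a daemon, bind a listening socket and call handle_client on each accepted connection; that accept loop (and a thread per client, since relay blocks until both sides close) is left out here for length. Nothing in the request line is trusted: the hostname and port are validated by the pattern, the line length is bounded, and only a (host, port) pair present in the table is ever dialled.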
From firewalls-owner Mon Nov 6 11:56:09 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id LAA19107 for firewalls-outgoing; Mon, 6 Nov 1995 11:38:46 -0800 (PST) Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id LAA19100 for ; Mon, 6 Nov 1995 11:38:43 -0800 (PST) Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.7.1/8.7.1) with UUCP id KAA01287 for GreatCircle.COM!firewalls; Mon, 6 Nov 1995 10:14:28 -0600 (CST) Received: by ris1.nmti.com (smail2.5) id AA00395; 6 Nov 95 10:23:57 CST (Mon) Received: by sonic.nmti.com; id AA10983; Mon, 6 Nov 1995 09:53:10 -0600 From: peter@nmti.com (Peter da Silva) Message-Id: <9511061553.AA10983@sonic.nmti.com.nmti.com> Subject: Re: Java(tm) security documentation To: shaver@neon.ingenia.com (Mike Shaver) Date: Mon, 6 Nov 1995 09:53:09 -0600 (CST) Cc: firewalls@GreatCircle.COM In-Reply-To: <199511051909.OAA15910@neon.ingenia.com> from "Mike Shaver" at Nov 5, 95 02:09:42 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > The tests range from simple verification that the format of a code > fragment is correct, to passing through a simple theorem prover to > establish that the code fragment plays by the rules--that it doesn't > forge pointers, it doesn't violate access restrictions, and it > accesses objects as what they are (for example, that "InputStream" > objects are always used as "InputStreams" and never as anything > else). I would be much happier if this read "the Java bytecode interpreter doesn't provide any mechanism to forge pointers, violate access restrictions, and access objects other than what they are (for example, an "InputStream" object is always accessed through the "InputStream" mechanism... the interpreter won't allow anything else to manipulate it). This whole "theorem prover" business strikes me as very very dangerous. 
A full interpreter that presented a higher level interface to the bytecode stream would perhaps be less efficient, but it would be inherently safe. This seems very much like the Burroughs approach to virtual memory and access control... without the requirement that a compiler be a trusted piece of code. I simply don't trust it. Sorry. From firewalls-owner Mon Nov 6 12:12:29 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id KAA17557 for firewalls-outgoing; Mon, 6 Nov 1995 10:30:25 -0800 (PST) Received: from quark.foobar.co.uk (quark.foobar.co.uk [193.122.182.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id KAA17550 for ; Mon, 6 Nov 1995 10:30:05 -0800 (PST) Received: (from mjc@localhost) by quark.foobar.co.uk (8.6.11/8.6.9) id SAA12821; Mon, 6 Nov 1995 18:25:54 GMT Message-Id: <199511061825.SAA12821@quark.foobar.co.uk> Subject: Re: What about the next 20 Java-like applications? ( was Re: Java) To: peter@nmti.com (Peter da Silva) Date: Mon, 6 Nov 1995 18:25:54 +0000 (GMT) From: "Martin Cooper" Cc: firewalls@greatcircle.com In-Reply-To: <9511051645.AA02221@sonic.nmti.com.nmti.com> from "Peter da Silva" at Nov 5, 95 10:45:53 am X-Mailer: ELM [version 2.4 PL24 ME6] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Just ask them... "would you put a TV in your house with a remotely operated > surveillance camera built in? That's what you could be doing if you just run > untrusted applications on an Internet-connected computer." More like a remote controlled bomb with on-board surveillance camera in your TV, I would have said. 
Martin -- Martin Cooper http://www.foobar.co.uk/~mjc/ mjc@foobar.co.uk Foobar Internet http://www.foobar.co.uk/ sales@foobar.co.uk Phone: +44 (0)116 2330033 Fax: +44 (0)116 2330035 The Magazine Business Centre, Newarke Street, LEICESTER, LE1 5SS From firewalls-owner Mon Nov 6 12:26:52 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id LAA18634 for firewalls-outgoing; Mon, 6 Nov 1995 11:17:13 -0800 (PST) Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id LAA18625 for ; Mon, 6 Nov 1995 11:16:36 -0800 (PST) Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id NAA20730; Mon, 6 Nov 1995 13:51:29 -0600 Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id NAA20726; Mon, 6 Nov 1995 13:51:28 -0600 Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id NAA18142; Mon, 6 Nov 1995 13:17:00 -0600 (CST) Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id NAA20280; Mon, 6 Nov 1995 13:16:58 -0600 From: Rick Smith Message-Id: <199511061916.NAA20280@shade.sctc.com> Subject: Re: Tightening up SunOS 5.4 (was Re: Hardened OS) To: lavondes@tidtest.total.fr (Michel Lavondes) Date: Mon, 6 Nov 1995 13:16:58 -0600 (CST) Cc: smith@sctc.com, firewalls@greatcircle.com In-Reply-To: <9511061344.AA00333@tidtest.total.fr> from "Michel Lavondes" at Nov 6, 95 01:44:49 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Apologies if this sounds like nit-picking, but isn't it uid 0 that > has property 2) ? 
> If so, and assuming that each "privilege area" needs
> its own superuser uid, and that some commands need superuser privilege
> in more than one area (this may well be wrong - I don't know enough
> about the way you implemented TE to figure it out,) it seems to me
> that you may wind up with up to n^n different uid's, where n is the
> number of privilege areas.

Type Enforcement essentially breaks the system up into a bunch of separate "domains," each with a set of access permissions for talking to other resources on the system. Resources are assigned "types" and access permissions are assigned on a domain-type or domain-domain basis.

If you're running uid 0 (or any other uid) within a given domain, your access permissions are constrained first by your uid (i.e. hardly at all if you're root) and second by Type Enforcement, even if you are root. For example, if you're running as root in the context of the Web server software, you can override the standard Unix protections on the password file, but you'll be blocked by Type Enforcement, which doesn't allow the Web server to access the password file (well, at least the one with hashed passwords).

So you get the effect of nxn privilege areas without actually defining a zillion new uids and associated user names.

> Plus we still don't know what are the privileges of a process
> started at boot time with your scheme.
> Did I misunderstand the thread ? Am I hopelessly clueless ? Or is
> that a real issue ?

As far as Type Enforcement is concerned, the permissions are all set up in a static data file that can't be changed during normal system operation. And in a sense this is the "real issue." If somebody (root, for instance) can change privileges during normal system operation, then an attacker can probably do so, too.

Rick.
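The two-layer check described in the post above, as an added illustration that is neither SCTC code nor the poster's: a toy reference monitor in Python that evaluates ordinary Unix permissions first and a frozen Type Enforcement table second, so uid 0 inside the web server domain is still refused the hashed password file. The domain and type names (httpd_d, shadow_t, ...), file paths, modes and uids are assumptions made up for the example.

```python
"""Toy model of the two-layer check Rick Smith describes: ordinary Unix
permissions, which uid 0 bypasses, followed by a static Type Enforcement
(TE) table that binds a process's domain to the types it may touch.
Added illustration only, not SCTC code; domain and type names are made up."""
from dataclasses import dataclass
from types import MappingProxyType


@dataclass(frozen=True)
class Resource:
    path: str
    owner_uid: int
    mode: int        # Unix permission bits, e.g. 0o644 (group bits ignored here)
    te_type: str     # type label assigned to the file by the TE policy


@dataclass(frozen=True)
class Process:
    uid: int
    domain: str      # TE domain the process was started in


# The static policy: (domain, type) -> operations permitted. Wrapped in a
# read-only proxy to mirror a policy file that cannot be edited while the
# system is running, which is the property the post calls the "real issue".
TE_POLICY = MappingProxyType({
    ("httpd_d", "html_t"):   frozenset({"read"}),
    ("httpd_d", "log_t"):    frozenset({"append"}),
    ("login_d", "shadow_t"): frozenset({"read"}),
    ("admin_d", "shadow_t"): frozenset({"read", "write"}),
})

OP_BITS = {"read": 4, "write": 2, "append": 2}


def unix_allows(p: Process, r: Resource, op: str) -> bool:
    """Discretionary check: root passes regardless of the mode bits."""
    if p.uid == 0:
        return True
    shift = 6 if p.uid == r.owner_uid else 0     # owner triplet vs 'other'
    return bool((r.mode >> shift) & OP_BITS[op])


def te_allows(p: Process, r: Resource, op: str) -> bool:
    """Mandatory check: the uid plays no part, only domain and type."""
    return op in TE_POLICY.get((p.domain, r.te_type), frozenset())


def access(p: Process, r: Resource, op: str) -> str:
    """Evaluate both layers in order and report which one (if any) refused."""
    if not unix_allows(p, r, op):
        return "denied by unix"
    if not te_allows(p, r, op):
        return "denied by TE"
    return "allowed"


def policy_is_frozen() -> bool:
    """Confirm the running policy cannot be amended, even by code running as root."""
    try:
        TE_POLICY[("httpd_d", "shadow_t")] = frozenset({"read"})
    except TypeError:
        return True
    return False


# Constructed sample objects.
SHADOW = Resource("/etc/shadow", 0, 0o400, "shadow_t")
INDEX = Resource("/web/index.html", 60001, 0o644, "html_t")


def demo() -> dict:
    root_httpd = Process(0, "httpd_d")      # root, but inside the web server domain
    root_admin = Process(0, "admin_d")
    www_httpd = Process(60001, "httpd_d")
    return {
        "root web server reads shadow": access(root_httpd, SHADOW, "read"),
        "root admin reads shadow":      access(root_admin, SHADOW, "read"),
        "web server reads its page":    access(www_httpd, INDEX, "read"),
        "web server writes shadow":     access(www_httpd, SHADOW, "write"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
    print("policy frozen:", policy_is_frozen())
```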
From firewalls-owner Mon Nov 6 12:53:25 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id MAA20117 for firewalls-outgoing; Mon, 6 Nov 1995 12:34:33 -0800 (PST)
Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id MAA20098 for ; Mon, 6 Nov 1995 12:34:17 -0800 (PST)
Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id PAA23292; Mon, 6 Nov 1995 15:08:21 -0600
Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id PAA23288; Mon, 6 Nov 1995 15:08:21 -0600
Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id OAA19637; Mon, 6 Nov 1995 14:33:50 -0600 (CST)
Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id OAA24039; Mon, 6 Nov 1995 14:33:49 -0600
Date: Mon, 6 Nov 1995 14:33:49 -0600
From: Rick Smith
Message-Id: <199511062033.OAA24039@shade.sctc.com>
To: firewalls@greatcircle.com
Cc: smith@sctc.com, shaver@neon.ingenia.com
Subject: Re: What about the next 20 Java-like applications? ( was Re: Java)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mike Shaver writes:

>As per the Java documentation, applets do not (under the default
>configuration) have any (direct) access to the filesystem. ...etc.

Note the dirty word: DEFAULT.

The whole problem is that they have a bunch of different configuration settings. When you read about "really kool stuff" in Java, it usually turns out that none of it works when you're in the DEFAULT mode. Now you've placed policy enforcement in the hands of the most vulnerable people: untrained workstation users who might not know what the security implications of Default/UnDefault HotJava really are.

Rick.
smith@sctc.com    secure computing corporation

From firewalls-owner Mon Nov 6 13:23:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id NAA21254 for firewalls-outgoing; Mon, 6 Nov 1995 13:16:01 -0800 (PST)
Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id NAA21237 for ; Mon, 6 Nov 1995 13:15:34 -0800 (PST)
Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id PAA24600; Mon, 6 Nov 1995 15:49:54 -0600
Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id PAA24596; Mon, 6 Nov 1995 15:49:53 -0600
Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id PAA20265; Mon, 6 Nov 1995 15:15:21 -0600 (CST)
Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id PAA25628; Mon, 6 Nov 1995 15:15:20 -0600
Date: Mon, 6 Nov 1995 15:15:20 -0600
From: Rick Smith
Message-Id: <199511062115.PAA25628@shade.sctc.com>
To: firewalls@greatcircle.com
Cc: smith@sctc.com, mjr@iwi.com
Subject: Firewall Sales Tactics
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

"Marcus J. Ranum" wrote:

> Don't dignify such scummy sales practices by even deigning
>to respond to them. I've run into about a dozen situations in the
>last year where sales reptiles have claimed that their competitors'
>products have been compromised. Whether it's true or not (and I
>doubt it usually is) there is only one correct response, and that
>is to look the sales rep in the eye and tell it something like:
> "Thank you for your time, but by telling me unsubstantiated
>stories about how bad your competition's product is, you are doing
>nothing more than putting the entire market area where you work
>(firewalls) in doubt.
>Your business practices are something we
>have to take into account when we purchase a product, and you've
>just shown that you'll stop at nothing to make a sale. Good day."
>Show them the door.

Thank you, Marcus, for starting this thread. It led to lots of discussion among sales people and engineers around here. Our VP of Sales has just passed the word (for those unsure) that sales people are not to talk directly about competitors or disparage competing products. Anything less skates too close to the edge of unethical behavior.

I think it's interesting that IBM long held such a policy, according to ex-IBMers around here. I grew up loathing OS/JCL, punched cards, and mainframe mentality. I'm charmed to finally figure out what they were doing right.

Rick.
smith@sctc.com    secure computing corporation

From firewalls-owner Mon Nov 6 13:55:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id NAA21811 for firewalls-outgoing; Mon, 6 Nov 1995 13:24:38 -0800 (PST)
Received: from gauntlet-1.trusted.com ([204.254.155.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id NAA21803 for ; Mon, 6 Nov 1995 13:24:31 -0800 (PST)
Received: by gauntlet-1.trusted.com; id QAA07788; Mon, 6 Nov 1995 16:26:57 -0500
Received: from unknown(10.0.1.126) by gauntlet-1.trusted.com via smap (g3.0.3) id xma007784; Mon, 6 Nov 95 16:26:40 -0500
Received: from vanidor.trusted.com by hilo.trusted.com with SMTP (1.37.109.4/16.2) id AA01619; Mon, 6 Nov 95 16:24:27 -0500
Message-Id: <9511062124.AA01619@hilo.trusted.com>
X-Sender: avolio@hilo.trusted.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 06 Nov 1995 16:24:20 -0500
To: "Moubray, Steve" , "'firewalls@greatcircle.com'"
From: Frederick M Avolio
Subject: Re: WWW & Proxy Servers
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 07:19 PM 11/5/95 -0600, Moubray, Steve wrote:
>I recently dealt with this and found out that only
>ANS supported such a
>system (at least they were the only ones to respond to my v-mail, e-mail and
>letters).

Yes, they support it with reusable passwords.

Fred

From firewalls-owner Mon Nov 6 14:24:19 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id LAA19296 for firewalls-outgoing; Mon, 6 Nov 1995 11:46:46 -0800 (PST)
Received: from sunthing.sjsinc.com (sunthing.sjsinc.com [140.174.165.1]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id LAA19287 for ; Mon, 6 Nov 1995 11:46:38 -0800 (PST)
Received: by sunthing.sjsinc.com Mailer: sendmail (8.6.12/8.6.9) Protocol: Id: LAA04561; Mon, 6 Nov 1995 11:46:23 -0800
Date: Mon, 6 Nov 1995 11:46:23 -0800
From: sjs@sunthing.sjsinc.com (Stefan Jon Silverman)
Message-Id: <199511061946.LAA04561@sjsinc.com>
To: firewalls@greatcircle.com
Subject: Re: Anecdotes or Firewall/NetSec Jokes
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Folks:

> > > I'll be speaking at a number of seminars in the next three weeks,
> > > and I think it would be nice to have some intelligent humorous
> > > jokes or anecdotes to start my talks off.

The attached is more attuned to Unix sys/net-admins rather than purely firewall maintainers, BUT, since several of us double up on jobs, or have to prove to our clients that we are indeed super-natural, I submit the following from alt.folklore.computers a couple of months ago ....and don't forget to sacrifice a goat today...

Regards,

b c++'ing u, %-)

sjs
-------------------------------------------------------------------------------
Stefan Jon Silverman - President
SJS Associates, N.A., Inc.
572 Chestnut Street
Distributed Systems Architecture & Implementation
San Francisco, Ca. 94133
Phone: 415 989 2741    Fax: 415 989 7250
E-mail: sjs@sjsinc.com    Cell: 415 519 3494
-------------------------------------------------------------------------------
Weebles wobble, but they don't fall down!!!
-------------------------------------------------------------------------------

----- Begin Included Message -----

Subject: The Dark Rituals of Unix
Date: Wed, 13 Sep 1995 12:46:41 GMT
From: ogre@netcom.com (Mr. Ogre)
Organization: ftp://ftp.netcom.com/pub/og/ogre/home.html
Newsgroups: alt.religion.kibology, alt.folklore.computers, alt.irc, alt.religion.emacs

Recently I've been spending some of my valuable free time hanging out on IRC, mostly on #unix, the channel where crusty old fart^H^H^H^HUnix gurus /kick people for asking questions. Note I didn't say "stupid questions" or "questions unrelated to Unix" I just said questions.

Anyway, I, as a good samaritan, occasionally try to answer a question. Now what really bugs me is that people never take me seriously. Animal sacrifice is no joking matter, if I tell you you need to sacrifice a goat with a vorpal blade on an altar of granite in order to untar your file, I mean it. The man page for tar even says so. The reason most people don't realize this is that the man page is purposefully confusing in order to keep the unskilled practitioners from hurting themselves.

Furthermore, the number of cats present in your household is an important factor in determining the exact ritual for virtually every Unix command. When I ask you to supply this information, I am not being frivolous or misleading. To answer your question about what program you use to rename a file, I desperately need to know the strength of the feline aura in your vicinity.

In the future, please realize that I know more than you, and that all my questions are relative to your problem, whether or not it seems that way to you.

Joe AKA MrOgre, often found on #unix in the dark hours when the mana runs hot through the circuits of Unix boxen.
----- End Included Message -----

From firewalls-owner Mon Nov 6 15:18:29 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id OAA25961 for firewalls-outgoing; Mon, 6 Nov 1995 14:49:02 -0800 (PST)
Received: from dns.sprintcorp.com (dns.sprintcorp.com [144.230.1.35]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id JAA16350 for ; Mon, 6 Nov 1995 09:56:54 -0800 (PST)
Received: from qm.sprintcorp.com by dns.sprintcorp.com (5.4R3.10/200.2.1.5) id AA27541; Mon, 6 Nov 1995 11:57:58 -0600
Message-Id:
Date: 6 Nov 1995 12:00:11 -0500
From: "Ken Melrose"
Subject: HELP ! Advice Needed.
To: "firewalls-digest@GreatCircle.CO"
Cc: "Ken Melrose"
X-Mailer: Mail*Link SMTP-QM 3.0.2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Subject:                                      Time: 11:29 AM
OFFICE MEMO    HELP ! Advice Needed.          Date: 11/6/95

PROBLEM:

I need to establish a "temporary" Firewall/Gateway using the workstation mentioned below in order to connect three internal networks. Two of these networks use "Private Address Space" allocated from the NIC, and the other uses "Legal Address Space" allocated from the NIC.

Currently I have the following workstation:

    Sun SPARC 2
    Solaris 1.1.1/SunOS 4.1.3 U1
    64 Meg RAM
    340 Meg Hard Drive
    Ethernet Interface Card
    3 1/2 Floppy Disk Drive

The first Network - serves the business community (mail, applications, etc.) in addition to connecting to the Internet.

The second Network, serves internal management and control systems and is completely internal with no external connections (outside world).

The third Network, serves internal labs and is completely internal with no external connections (outside world).

1) How can I best utilize the workstation above to establish the appropriate Firewall/Gateway?

2) What are the steps to actually go about doing this?
   - configuration of workstation
   - configuration of routers
   - deleting of specific workstation software
   - etc.

I would appreciate any help/input anyone can provide.
I don't have much time to accomplish this task (about 2 weeks). Again this is just for "temporary" use only.

Thanks,

Ken

From firewalls-owner Mon Nov 6 15:54:34 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id PAA26990 for firewalls-outgoing; Mon, 6 Nov 1995 15:25:14 -0800 (PST)
Received: from icicle (icicle.winternet.com [198.174.169.5]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id PAA26983 for ; Mon, 6 Nov 1995 15:25:10 -0800 (PST)
Received: from parka (dufresne@parka.winternet.com [198.174.169.9]) by icicle (8.6.12/8.6.12) with ESMTP id RAA14761 for ; Mon, 6 Nov 1995 17:25:19 -0600
Received: (from dufresne@localhost) by parka (8.6.12/8.6.12) id RAA24696; Mon, 6 Nov 1995 17:25:18 -0600
Posted-Date: Mon, 6 Nov 1995 17:25:18 -0600
Date: Mon, 6 Nov 1995 17:25:17 -0600 (CST)
From: Ron DuFresne
To: firewalls@GreatCircle.COM
Subject: fairly recent web server compromise...
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Peoples,

Wasn't but a couple of months ago that a major Hollywood motion pictures firm's web server was compromised and files served up by it were altered. I think it was something like www.umga.com or some such thing, was in retaliation for the pending release of the movie hackers...

Anyway, does anyone have info regarding such tid-bits as:

    OS of this box
    WWW server SW that was in use
    various other goodies?

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.
From firewalls-owner Mon Nov 6 16:42:07 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id PAA27114 for firewalls-outgoing; Mon, 6 Nov 1995 15:29:48 -0800 (PST)
Received: from dns.sprintcorp.com (dns.sprintcorp.com [144.230.1.35]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id PAA27105 for ; Mon, 6 Nov 1995 15:29:44 -0800 (PST)
Received: from qm.sprintcorp.com by dns.sprintcorp.com (5.4R3.10/200.2.1.5) id AA01695; Mon, 6 Nov 1995 17:30:24 -0600
Message-Id:
Date: 6 Nov 1995 17:30:35 -0500
From: "Ken Melrose"
Subject: FWD>HELP ! Advice Needed.
To: "firewalls-digest@GreatCircle.CO"
Cc: "Ken Melrose"
X-Mailer: Mail*Link SMTP-QM 3.0.2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Subject:                                      Time: 11:29 AM
OFFICE MEMO    FWD>HELP ! Advice Needed.      Date: 11/6/95

PROBLEM:

I need to establish a "temporary" Firewall/Gateway using the workstation mentioned below in order to connect three internal networks. Two of these networks use "Private Address Space" allocated from the NIC, and the other uses "Legal Address Space" allocated from the NIC.

Currently I have the following workstation:

    Sun SPARC 2
    Solaris 1.1.1/SunOS 4.1.3 U1
    64 Meg RAM
    340 Meg Hard Drive
    Ethernet Interface Card
    3 1/2 Floppy Disk Drive

The first Network - serves the business community (mail, applications, etc.) in addition to connecting to the Internet.

The second Network, serves internal management and control systems and is completely internal with no external connections (outside world).

The third Network, serves internal labs and is completely internal with no external connections (outside world).

1) How can I best utilize the workstation above to establish the appropriate Firewall/Gateway?

2) What are the steps to actually go about doing this?
   - configuration of workstation
   - configuration of routers
   - deleting of specific workstation software
   - etc.

I would appreciate any help/input anyone can provide.
I don't have much time to accomplish this task (about 2 weeks). Again this is just for "temporary" use only.

Thanks,

Ken

From firewalls-owner Mon Nov 6 19:29:16 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id TAA02290 for firewalls-outgoing; Mon, 6 Nov 1995 19:00:03 -0800 (PST)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id SAA02257 for ; Mon, 6 Nov 1995 18:59:56 -0800 (PST)
Received: from pm3-07.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA07320; Mon, 6 Nov 95 19:59:22 -0500
Date: Mon, 6 Nov 95 19:59:22 -0500
Message-Id: <9511070059.AA07320@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.com
From: frankw@in.net (Frank Willoughby)
Subject: Re: Firewall Sales Tactics
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>"Marcus J. Ranum" wrote:
>
>> Don't dignify such scummy sales practices by even deigning
>>to respond to them. I've run into about a dozen situations in the
>>last year where sales reptiles have claimed that their competitors'
>>products have been compromised. Whether it's true or not (and I
>>doubt it usually is) there is only one correct response, and that
>>is to look the sales rep in the eye and tell it something like:
>> "Thank you for your time, but by telling me unsubstantiated
>>stories about how bad your competition's product is, you are doing
>>nothing more than putting the entire market area where you work
>>(firewalls) in doubt. Your business practices are something we
>>have to take into account when we purchase a product, and you've
>>just shown that you'll stop at nothing to make a sale. Good day."
>>Show them the door.
>
>Thank you, Marcus, for starting this thread. It led to lots of
>discussion among sales people and engineers around here.
>Our VP of
>Sales has just passed the word (for those unsure) that sales people
>are not to talk directly about competitors or disparage competing
>products. Anything less skates too close to the edge of unethical
>behavior.
>

Speaking of ethical behaviour, I take it then that the infamous "Challenge" has been dropped and replaced by a true contest where people are challenged to go _thru_ the firewall to a system on the inside (which mirrors a real-world environment), and that the nonexistent (if it isn't being shipped, it is nonexistent) "content filtering" has been retracted/recalled from brochures, web pages, etc.

>I think it's interesting that IBM long held such a policy, according
>to ex-IBMers around here. I grew up loathing OS/JCL, punched cards,
>and mainframe mentality. I'm charmed to finally figure out what they
>were doing right.

I share your love of Big Blue. 8^) One must admit however, that their sales force must be pretty awesome to keep selling the mainframes like they have/are - in spite of the advances in technology and the money they are asking. BTW, their crypto people aren't too shabby either.

Best Regards,

Frank

>
>Rick.
>smith@sctc.com    secure computing corporation
>
>
>

From firewalls-owner Mon Nov 6 19:53:00 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id TAA02643 for firewalls-outgoing; Mon, 6 Nov 1995 19:22:24 -0800 (PST)
Received: from the-link.com (master.the-link.com [204.221.32.253]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id TAA02636 for ; Mon, 6 Nov 1995 19:22:20 -0800 (PST)
Received: (from endrizzi@localhost) by the-link.com (8.6.9/8.6.9) id QAA03075; Mon, 6 Nov 1995 16:31:32 -0500
Date: Mon, 6 Nov 1995 16:31:31 +0000
From: "Michael J. Endrizzi"
Subject: Facts on Break-Ins
To: firewalls@GreatCircle.COM
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm looking for research on computer security violations. Any data is great but more specifically:

1) Ratio of internal (e.g. employee) attacks vs external attacks
2) Ratio of dial-in vs. firewall attacks

I am familiar with the latest Sept 95 CSI report.

thanks,
dreez

-----------------------------------------------
Michael J. Endrizzi/InterSec Communications Inc.
7020 145th Street West, Apple Valley, MN 55124
mje@the-link.com 612-432-0509/1107
Internet and Computer Security Consulting

From firewalls-owner Tue Nov 7 09:38:36 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA28626 for firewalls-outgoing; Tue, 7 Nov 1995 08:32:07 -0800 (PST)
Received: from ncar.UCAR.EDU (ncar.ucar.edu [192.52.106.6]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id IAA28610 for ; Tue, 7 Nov 1995 08:32:03 -0800 (PST)
Message-Id: <199511071631.JAA00560@ncar.ucar.EDU>
Received: by ncar.ucar.EDU (NCAR Local/ NCAR Central Post Office 03/11/93) id JAA00560; Tue, 7 Nov 1995 09:31:49 -0700 (MST)
Subject: Re: Info about Secure Net and Secure ID
To: vin@shore.net (Vin McLellan)
Date: Tue, 7 Nov 95 9:31:49 MST
Cc: einar.landre@sdata.no, firewalls@GreatCircle.COM, sdi@shore.net
In-Reply-To: ; from "Vin McLellan" at Nov 7, 95 2:48 am
From: woods@ncar.ucar.edu (Greg Woods)
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> The DPI token is called a "SecureNet Key" and is generally
> supported by DPI's Defender software.
> The SDI token, called a SecurID, is supported by SDI's ACE access
> control software. Contact info follows:

You can also use the SecureNet Key with the TIS toolkit, without any additional software.
To use SecurID, with or without TIS, you *must* buy and license the ACE software (and they charge through the nose for it). The users who have helped us with testing tend to prefer the SecurID because it is somewhat less awkward to use (SecurID just gives you a password that changes with time, for SecureNet you have to enter a PIN and a challenge into the token which then computes the proper response to the challenge). SecurID also has partnerships with several vendors (cisco, annex/xylogics) so that their cards can be used with these vendors' devices without modification to vendor software (I'm working on modifying the Annex "erpcd" code to work with the SecureNet Key; anybody done this already?)

--Greg

From firewalls-owner Tue Nov 7 10:27:23 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA05013 for firewalls-outgoing; Tue, 7 Nov 1995 09:11:09 -0800 (PST)
Received: from relay5.UU.NET (relay5.UU.NET [192.48.96.15]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id JAA05007 for ; Tue, 7 Nov 1995 09:11:01 -0800 (PST)
Received: from uucp6.UU.NET by relay5.UU.NET with SMTP id QQzovs16143; Tue, 7 Nov 1995 12:11:06 -0500 (EST)
Received: from vanguard.UUCP by uucp6.UU.NET with UUCP/RMAIL ; Tue, 7 Nov 1995 12:11:06 -0500
Received: by vanguard.hmp.com (UUPC/extended 1.12b); Tue, 07 Nov 1995 09:16:10 MST
Date: Tue, 07 Nov 1995 09:16:09 MST
From: "Scott Deshaies"
Message-ID: <309f864a.vanguard@vanguard.hmp.com>
Organization: High Mountain Press, Inc.
To: "Firewalls Mailing List"
Subject: Weird Netscape Navigator functions?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all-

In two different trade magazines recently, I've read a few things about Netscape's Navigator that made me go "Hmm?".
The first was the CEO of Netscape saying something to the effect that "..we know how many people are using our browsers because every time you access a site, a message is sent to one of our servers telling us what version you have, if it's a trial beta or registered, etc". I haven't had a chance to run a packet trace on it yet, but does anyone know if this is true?

Next, there is a company that is now marketing a program that goes beyond recording hits on a Web page from just counting IP addresses. It apparently uses "Netscape function calls" to obtain user info, even if that user is behind a firewall or a proxy. My guess is that it could pull your e-mail address from the Mail: setup fields, but what else could it possibly do? (OK, sure, there are many things that it *could* do, but what does it currently offer up as free info to anyone who asks the right question?)

Just another paranoid firewall admin...

--
>> Scott R. Deshaies   <>  High Mountain Press, Inc.                   <<
>> MIS Manager         <>  2530 Camino Entrada * Santa Fe, NM 87505    <<
>> sdeshaies@hmp.com   <>  Direct:505/474-5103   http://www.hmp.com    <<

From firewalls-owner Tue Nov 7 10:27:22 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id IAA27493 for firewalls-outgoing; Tue, 7 Nov 1995 08:27:21 -0800 (PST)
Received: from zeus.lyceum.com (zeus.lyceum.com [205.142.28.7]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id IAA27428 for ; Tue, 7 Nov 1995 08:27:02 -0800 (PST)
Received: (from jhoward@localhost) by zeus.lyceum.com (8.6.12/8.6.12) id LAA25218; Tue, 7 Nov 1995 11:23:53 -0500
From: jim howard
Message-Id: <199511071623.LAA25218@zeus.lyceum.com>
Subject: Re: Generic Proxy
To: mikew@smartpt.demon.co.uk
Date: Tue, 7 Nov 1995 11:23:53 -0500 (EST)
Cc: firewalls@greatcircle.com, fwtk-users@tis.com
Reply-To: firewalls@greatcircle.com, fwtk-users@tis.com
In-Reply-To: <199511071454.JAA17593@zeus.lyceum.com> from "lcrawley@lyceum.com>" at Nov 7, 95 09:54:26 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Does anybody know of a generic tcp/udp proxy which does not suffer
> from the limitations of the likes of plug-gw (no slight intended),
> i.e. will support one-to-many connections to the same destination
> port?

I have built from the TIS plug-gw, a "multiplug" that listens on a single port number and a single ip address. (tcp only) The key is that it runs stand-alone and not from inetd. By using multiple instances of this "multiplug" I can listen on the same port in much the same way as a virtual WWW server, and perform a different task based on which address I'm listening for.

I'm sure there are probably better ways of doing this, like a stand-alone process listening on the generic (0.0.0.0) address that extracts the connection information from the socket, but I didn't have a lot of time to put research into it. The code is very rough, about a day's work for an emergency "plug". If there is enough interest, I can clean it up and send it back over to TIS (after all, it was their code I built it from.)

Jim Howard
Network Engineer
Lyceum Internet

From firewalls-owner Tue Nov 7 10:52:55 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA11951 for firewalls-outgoing; Tue, 7 Nov 1995 09:59:00 -0800 (PST)
Received: from future.dreamscape.com (future.dreamscape.com [206.64.128.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id JAA11916 for ; Tue, 7 Nov 1995 09:58:52 -0800 (PST)
Received: from future.dreamscape.com (matkoski@future.dreamscape.com [206.64.128.3]) by future.dreamscape.com (8.6.12/8.6.12) with SMTP id MAA27823 for ; Tue, 7 Nov 1995 12:44:32 -0500
Date: Tue, 7 Nov 1995 12:44:32 -0500 (EST)
From: Steve Matkoski
To: Firewalls@GreatCircle.COM
Subject: connecting several networks to firewall.
In-Reply-To: <199511061941.LAA19174@miles.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I am going to be using the IBM NetSP firewall for connecting several IP networks to our corporate backbone. I wanted to know the best way to implement this. I want to use a multi-port router with several serial lines and one ethernet port. The ethernet would connect directly to one port of the firewall. The other port of the firewall would connect to the internal network.

How do I connect all the serial lines to the router without having them talk to each other? If I use static routes and eliminate any dynamic updates would this do the job? Or do I have to set up filtering between ports too?

Any help appreciated!

-steve.
matkoski@dreamscape.com

From firewalls-owner Tue Nov 7 11:28:48 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id FAA07019 for firewalls-outgoing; Tue, 7 Nov 1995 05:50:15 -0800 (PST)
Received: from mail1.digital.com (mail1.digital.com [204.123.2.50]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id FAA07014 for ; Tue, 7 Nov 1995 05:50:11 -0800 (PST)
Received: from ilosrv.ilo.dec.com by mail1.digital.com; (5.65 EXP 4/12/95 for V3.2/1.0/WV) id AA13226; Tue, 7 Nov 1995 05:41:56 -0800
Received: from ilofrs.ilo.dec.com by ilosrv.ilo.dec.com; (5.65/1.1.8.2/12Nov94-8.2MPM) id AA07130; Tue, 7 Nov 1995 13:40:53 GMT
Received: by fwsrtr.fws.ilo.dec.com; (5.65/1.3/10May95) id AA12056; Tue, 7 Nov 1995 13:42:27 GMT
Received: from localhost by philby.fws.ilo.dec.com; (5.65/1.1.8.2/31Aug95-8.2MPM) id AA02540; Tue, 7 Nov 1995 13:39:37 GMT
Message-Id: <9511071339.AA02540@philby.fws.ilo.dec.com>
To: "Michael J. Endrizzi"
Cc: firewalls@greatcircle.com, fod@fws.ilo.dec.com
Subject: Re: Facts on Break-Ins
In-Reply-To: Your message of "Mon, 06 Nov 1995 16:31:31 GMT."
X-Mailer: exmh version 1.4.1 7/21/94
Date: Tue, 07 Nov 1995 13:39:27 +0000
From: "Frank O'Dwyer"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I'm looking for research on computer security
> violations. Any data is great but more specifically:
>
> 1) Ratio of internal (e.g. employee) attacks vs external attacks
> 2) Ratio of dial-in vs. firewall attacks
>
> I am familiar with the latest Sept 95 CSI report.

I think the British DTI did a report some time back which covers some of the aspects you mention, if that's any help. I saw it a couple of years ago, but it may have been updated since. As I recall, the greatest risks were from much more low-tech things such as fire, power surges, user error, and so on.

Cheers,
Frank O'Dwyer

From firewalls-owner Tue Nov 7 11:28:49 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id JAA12227 for firewalls-outgoing; Tue, 7 Nov 1995 09:59:58 -0800 (PST)
Received: from switchblade.iwi.com (switchblade.iwi.com [137.39.156.214]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id JAA12204 for ; Tue, 7 Nov 1995 09:59:51 -0800 (PST)
Received: (from mjr@localhost) by switchblade.iwi.com (8.6.9/8.6.9) id NAA16076 for firewalls@greatcircle.com; Tue, 7 Nov 1995 13:00:15 -0500
From: "Marcus J. Ranum"
Message-Id: <199511071800.NAA16076@switchblade.iwi.com>
Subject: MORE about one-time-pads :)
To: firewalls@greatcircle.com
Date: Tue, 7 Nov 1995 13:00:14 -0500 (EST)
Reply-To: mjr@iwi.com
Organization: Information Warehouse! Inc, Baltimore, MD
URL: mjr's web page
Phone: 410-889-8569
Coredump: Infocalypse Now!!!
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I was just stumbling around on the 'web and it turns out the NSA home page has a lot of interesting information about one of the more famous one-time-pad cracking incidents, which was codenamed VENONA.
The VENONA documents were extremely interesting material, and are an example of what can happen if you screw up your use of OTPs. :)

http://www.nsa.gov:8080/docs/venona/venona.html

mjr.

From firewalls-owner Tue Nov 7 12:03:08 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id KAA15449 for firewalls-outgoing; Tue, 7 Nov 1995 10:11:51 -0800 (PST)
Received: from Disclosure.COM (di2.disclosure.com [205.156.194.11]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id KAA15417 for ; Tue, 7 Nov 1995 10:11:44 -0800 (PST)
Received: by Disclosure.COM (4.1/SMI-4.1) id AA15806; Tue, 7 Nov 95 13:14:48 EST
Date: Tue, 7 Nov 1995 13:14:47 -0500 (EST)
From: Scott Barman
To: firewalls@greatcircle.com
Subject: Changing shared libraries and how is ld.so finding real libraries?
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Gee... this started out as a question and, after some investigation, has evolved into "what the heck is it doing?" Let's start with the original question:

Now that the advisory is out regarding telnet and resetting the LD_LIBRARY_PATH environment variable I have a question: Is it possible for someone who has acquired unauthorized access to a system using an ordinary userid to upload their own copy of libc.so.*, change LD_LIBRARY_PATH (or LD_RUN_PATH) so that /bin/login dynamically links with their hacked version rather than the one in /usr/lib?

I decided to do some investigating. Under Solaris 2.4 on a SPARC 1000E, I set up a "simulated" environment by creating some empty files that had the names of libraries under /tmp and tried to run the login program. The following is what I did:

	cd /usr/lib
	foreach i (lib*.so*)
		echo -n > /tmp/$i
	end
	cd security		<--- hmmm this was an interesting find!
	foreach i (*)
		echo -n > /tmp/$i
	end
	setenv LD_LIBRARY_PATH /tmp
	setenv LD_RUN_PATH /tmp
	/usr/bin/login

The login program seemed to work fine.
It prompted me for my userid and password... no problems. In fact, any setuid or setgid program (ps and mail, for example) ran with no problems. Others, such as ls and who, came back with errors that they didn't like my "new" libraries, giving me a message like:

	ld.so.1: who: fatal: /tmp/libc.so.1: unknown file type

This is what I expected. But why are the setuid/setgid programs finding the right libraries? What is Solaris doing to get around the settings of these environment variables?

Interestingly, I found /usr/lib/security (with lsof) with one library and a symbolic link to it. /usr/lib/security/unix_scheme.so.1 seems to contain the "guts" to login, passwd, etc. (assumption based on an examination of the output from nm and strings). But even with my stubs in /tmp, login ran with no problems.

Can anyone enlighten me as to what is happening?

TIA
scott barman

--
scott barman                   DISCLAIMER: I speak to anyone who will listen,
scott@disclosure.com           and I speak only for myself.
barman@ix.netcom.com

"I don't know if security explains why the Win95 support Web servers run BSDI 2.0--an Intel-based Unix--rather than Windows NT, which Microsoft insists is the ideal Web software solution. Does Redmond know something we don't know?"
	-Robert X. Cringely, INFOWORLD, 9/11/95

From firewalls-owner Tue Nov 7 12:24:33 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id KAA20671 for firewalls-outgoing; Tue, 7 Nov 1995 10:48:55 -0800 (PST)
Received: from delfin.com (delfin.com [192.129.85.1]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id KAA20666 for ; Tue, 7 Nov 1995 10:48:51 -0800 (PST)
Received: from delfinsd.delfinsd.delfin.com ([192.187.198.1]) by delfin.com (4.1/SMI-4.1 - 6/21/93 ) id AA28187; Tue, 7 Nov 95 10:48:18 PST
Received: from felixpc (felixpc.delfinsd.delfin.com) by delfinsd.delfinsd.delfin.com (4.1/SMI-4.1) id AA10310; Tue, 7 Nov 95 10:50:44 PST
Message-Id: <9511071850.AA10310@delfinsd.delfinsd.delfin.com>
X-Sender: felix@delfinsd-gw
X-Mailer: Windows Eudora Version 2.1.1
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 07 Nov 1995 10:48:55 -0800
To: Ron DuFresne
From: Robin Felix
Subject: Re: fairly recent web server compromise...
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 05:25 PM 11/6/95 -0600, Ron DuFresne wrote:
>Wasn't but a couple of months ago that a major Hollywood motion pictures
>firm's web server was compromised and files served up by it were
>altered. I think it was something like www.umga.com or some such thing,
>was in retaliation for the pending release of the movie hackers...

As I recall, the problem was not in the www server but in the globally-mountable disk drive on which the actual "Hackers" web page was resident. Someone just mounted it remotely and altered the page. There is some suspicion that this "insecurity" was intentionally left available to encourage this, as the hack itself was subsequently used as PR for the movie.
--
Robin Felix; felix@delfin.com; felix@nosc.mil
619-291-2194(work), 619-291-5852(fax), 619-991-5081(alt)
http://www.delfinsd.delfin.com/

From firewalls-owner Tue Nov 7 12:43:58 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id EAA26781 for firewalls-outgoing; Tue, 7 Nov 1995 04:08:33 -0800 (PST)
Received: from relay1.pipex.net (relay1.pipex.net [158.43.128.6]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id EAA26773 for ; Tue, 7 Nov 1995 04:08:28 -0800 (PST)
Received: from smtpgty.saicuk.co.uk by flow.pipex.net with SMTP (PP); Tue, 7 Nov 1995 12:08:18 +0000
Received: by smtpgty.saicuk.co.uk with Microsoft Mail id <309F4BB1@smtpgty.saicuk.co.uk>; Tue, 07 Nov 95 12:06:09 GMT
From: "Johnson-Bryden, Ian"
To: "'firewalls@greatcircle.com'"
Subject: Re: Anecdotes or Firewall/NetSec Jokes
Date: Tue, 07 Nov 95 12:00:00 GMT
Message-ID: <309F4BB1@smtpgty.saicuk.co.uk>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>From: firewalls-owner
>To: firewalls
>Subject: Re: Anecdotes or Firewall/NetSec Jokes
>Date: Monday, November 06, 1995 11:37AM

In message <9511051641.AA01999@sonic.nmti.com.nmti.com> Peter da Silva writes:
>> > > I'll be speaking at a number of seminars in the next three weeks,
>> > > and I think it would be nice to have some intelligent humorous
>> > > jokes or anecdotes to start my talks off.
>
>> How about Microsoft, they are the biggest joke going.
>
>> Unfortunately this is sounding more and more like graveyard humor. They're
>> selling very effectively, no matter how awful their product is.

and Karen Goertzel wrote
>And McDonald's is never going to rate even 1 Michelin star, let alone five.
>Those of us who are more discerning in what we eat, and what software we buy,
>refuse to accept the lowest common denominator just because it's popular.
A joke appropriate to firewalls discussion could be:-

	The Ark was built by unskilled amateurs,
	The Titanic was built by skilled professionals!!!

A very good multi-purpose joke which you can use to illustrate any of the opposing points of view.

Ian J-B

From firewalls-owner Tue Nov 7 12:43:59 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id LAA22370 for firewalls-outgoing; Tue, 7 Nov 1995 11:58:30 -0800 (PST)
Received: from relay1.pipex.net (relay1.pipex.net [158.43.128.6]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id LAA22361 for ; Tue, 7 Nov 1995 11:58:26 -0800 (PST)
Received: from smtpgty.saicuk.co.uk by flow.pipex.net with SMTP (PP); Tue, 7 Nov 1995 19:58:10 +0000
Received: by smtpgty.saicuk.co.uk with Microsoft Mail id <309FB9EB@smtpgty.saicuk.co.uk>; Tue, 07 Nov 95 19:56:27 GMT
From: "Johnson-Bryden, Ian"
To: "'firewalls@greatcircle.com'"
Subject: Re: Facts on Break-Ins
Date: Tue, 07 Nov 95 18:55:00 GMT
Message-ID: <309FB9EB@smtpgty.saicuk.co.uk>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Frank is correct in saying British DTI produced a report, although the more accurate statement is that the IT Security section of DTI, which supplies half of the British reps for the British ITSEC team, commissioned someone to do a study and then published the result. I have a copy of the draft (of what I think is the document Frank refers to) but not a final released version so DTI may not have credited the study team. From memory National Physical Laboratory did that particular study on contract to DTI.

Different parts of DTI and CCTA carry out or commission studies into these issues, and many others, with great frequency and make the results available publicly, not always with the greatest accuracy.
For example a recent CCTA study concluded that the Internet was populated with an undisciplined rabble and totally unsuited for any serious communications use, being unlikely to survive as an Information Byway.

Ian J-B

----------
From: firewalls-owner
To: Michael J. Endrizzi
Cc: firewalls; fod
Subject: Re: Facts on Break-Ins
Date: Tuesday, November 07, 1995 1:39PM

> I'm looking for research on computer security
> violations. Any data is great but more specifically:
>
> 1) Ratio of internal (e.g. employee) attacks vs external attacks
> 2) Ratio of dial-in vs. firewall attacks
>
> I am familiar with the latest Sept 95 CSI report.

I think the British DTI did a report some time back which covers some of the aspects you mention, if that's any help. I saw it a couple of years ago, but it may have been updated since. As I recall, the greatest risks were from much more low-tech things such as fire, power surges, user error, and so on.

Cheers,
Frank O'Dwyer

From firewalls-owner Tue Nov 7 12:59:03 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id MAA23093 for firewalls-outgoing; Tue, 7 Nov 1995 12:36:48 -0800 (PST)
Received: from bastion.sware.com (bastion.sware.com [139.131.15.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id MAA23088 for ; Tue, 7 Nov 1995 12:36:45 -0800 (PST)
Received: from shlep.sware.com (shlep.sware.com [139.131.1.14]) by bastion.sware.com (8.6.5/8.6.5) with SMTP id PAA08306; Tue, 7 Nov 1995 15:36:39 -0500
Received: by shlep.sware.com (5.65/2.0) from guinan.sware.com id AA28653; Tue, 7 Nov 95 15:32:42 -0500
Received: by guinan.sware.com (AIX 3.2/UCB 5.64/2.1) from localhost id AA37378; Tue, 7 Nov 1995 15:32:27 -0500
Message-Id: <9511072032.AA37378@guinan.sware.com>
From: Shan Bell
X-Mailer: SecureMail [2.2]
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: Ooops.
To: firewalls@greatcircle.com, fwtk-users@tis.com
Date: Tue, 7 Nov 95 15:32:27 EST
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sorry about sending that response to the list. I didn't check the Reply-to address closely enough.

Shannon Bell
Email: shan.bell@sware.com - Voice: +1 404 321 6597 x163 - Fax: +1 404 315 0293
SecureWare, Inc. / 2957 Clairmont Rd Suite 200 / Atlanta GA 30329-1647
GCS -d+@ H>++ s+:- g+ p?>!p !au>* a- w+ v- C++$ U[BLUAVHSCX]++++$ P+ L+>+++
3>+++ E- !N>N++ K W M+ V- -po+ Y+ t+>+(+++) 5+ j R(+) G'('') tv+ b+++ !D B--
e++ u** h--- f+ r+++ n-- y+++

From firewalls-owner Tue Nov 7 13:22:55 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id MAA22550 for firewalls-outgoing; Tue, 7 Nov 1995 12:02:49 -0800 (PST)
Received: from bastion.sware.com (bastion.sware.com [139.131.15.2]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id MAA22544 for ; Tue, 7 Nov 1995 12:02:46 -0800 (PST)
Received: from shlep.sware.com (shlep.sware.com [139.131.1.14]) by bastion.sware.com (8.6.5/8.6.5) with SMTP id PAA08052; Tue, 7 Nov 1995 15:02:39 -0500
Received: by shlep.sware.com (5.65/2.0) from guinan.sware.com id AA28014; Tue, 7 Nov 95 14:58:42 -0500
Received: by guinan.sware.com (AIX 3.2/UCB 5.64/2.1) from localhost id AA35897; Tue, 7 Nov 1995 14:58:27 -0500
Message-Id: <9511071958.AA35897@guinan.sware.com>
From: Shan Bell
X-Mailer: SecureMail [2.2]
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: firewalls@GreatCircle.COM, fwtk-users@tis.com
Subject: Re: Generic Proxy
In-Reply-To: Your message of Tue, 7 Nov 1995 11:23:53 -0500 (EST). <199511071623.LAA25218@zeus.lyceum.com>
Date: Tue, 7 Nov 95 14:58:27 EST
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

jim howard writes:
> > Does anybody know of a generic tcp/udp proxy which does not suffer
> > from the limitations of the likes of plug-gw (no slight intended),
> > i.e. will support one-to-many connections to the same destination
> > port?
>
> I have built from the TIS plug-gw, a "multiplug" that
> listens on a single port number and a single ip address. (tcp only)
> The key is that it runs stand-alone and not from inetd.
>
> By using multiple instances of this "multiplug" I can
> listen on the same port in much the same way as a virtual WWW server,
> and perform a different task based on which address I'm listening for.
>
> I'm sure there are probably better ways of doing this,
> like a stand-alone process listening on the generic (0.0.0.0) address
> that extracts the connection information from the socket,
> but I didn't have a lot of time to put research into it.
>
> The code is very rough, about a day's work for an emergency "plug".
> If there is enough interest, I can clean it up and send it back over
> to TIS (after all, it was their code I built it from.)
>
> Jim Howard
> Network Engineer
> Lyceum Internet

I would very much like to see this, if you don't mind... can you send me your code?

Shannon Bell
Email: shan.bell@sware.com - Voice: +1 404 321 6597 x163 - Fax: +1 404 315 0293
SecureWare, Inc. / 2957 Clairmont Rd Suite 200 / Atlanta GA 30329-1647
GCS -d+@ H>++ s+:- g+ p?>!p !au>* a- w+ v- C++$ U[BLUAVHSCX]++++$ P+ L+>+++
3>+++ E- !N>N++ K W M+ V- -po+ Y+ t+>+(+++) 5+ j R(+) G'('') tv+ b+++ !D B--
e++ u** h--- f+ r+++ n-- y+++

From firewalls-owner Tue Nov 7 13:52:51 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id CAA19966 for firewalls-outgoing; Tue, 7 Nov 1995 02:47:37 -0800 (PST)
Received: from TIS.COM (neptune.tis.com [192.94.214.96]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id CAA19961 for ; Tue, 7 Nov 1995 02:47:33 -0800 (PST)
Received: from relay.tis.com by neptune.TIS.COM id aa27191; 7 Nov 95 5:43 EST
Received: from gauntlet.demon.co.uk(158.152.143.226) by relay.tis.com via smap (g3.0.1) id xma017137; Tue, 7 Nov 95 05:18:02 -0500
Received: from gauntlet.demon.co.uk by gauntlet.demon.co.uk with SMTP id AA815740528 ; Tue, 07 Nov 95 10:35:28 gmt
Received: by gauntlet.demon.co.uk with Microsoft Mail id <01BAACFC.C1055C40@gauntlet.demon.co.uk>; Tue, 7 Nov 1995 10:35:27 -0500
Message-ID: <01BAACFC.C1055C40@gauntlet.demon.co.uk>
From: "Jeffrey R. Jones"
To: "'Firewalls@greatcircle.com'"
Subject: RE: Exporting nonUS DES
Date: Tue, 7 Nov 1995 10:35:25 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="---- =_NextPart_000_01BAACFC.C10E8400"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

------ =_NextPart_000_01BAACFC.C10E8400
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

The answer is that where it was developed has no relevancy. Once it is imported into the US, then US export laws apply for re-exporting it. So, 40-bit DES could be provided, larger-key DES could be provided to some government customers and Banks, and (presumably) 64-bit DES with key escrow could be provided to countries having appropriate agreements with the US.

(1) Is it possible for a large US company to export products using DES data encryption?
I mean even if they get a "non-USA DES" can they export products including this?

(2) Is anyone familiar with the modem in question (2864I), and know if it really provides DES data encryption?

(3) Where should I have posted this.

Thanks in advance, for any pointers!,

Martin Fredriksson
Systems Integration and Security
Ericsson Microwave Systems AB, Molndal, Sweden

------ =_NextPart_000_01BAACFC.C10E8400--

From firewalls-owner Tue Nov 7 13:52:52 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id CAA19810 for firewalls-outgoing; Tue, 7 Nov 1995 02:32:43 -0800 (PST)
Received: from TIS.COM (neptune.tis.com [192.94.214.96]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id CAA19805 for ; Tue, 7 Nov 1995 02:32:39 -0800 (PST)
Received: from relay.tis.com by neptune.TIS.COM id aa27004; 7 Nov 95 5:29 EST
Received: from gauntlet.demon.co.uk(158.152.143.226) by relay.tis.com via smap (g3.0.1) id xma017073; Tue, 7 Nov 95 05:07:34 -0500
Received: from gauntlet.demon.co.uk by gauntlet.demon.co.uk with SMTP id AA815739854 ; Tue, 07 Nov 95 10:24:14 gmt
Received: by gauntlet.demon.co.uk with Microsoft Mail id <01BAACFB.2F323BE0@gauntlet.demon.co.uk>; Tue, 7 Nov 1995 10:24:13 -0500
Message-ID: <01BAACFB.2F323BE0@gauntlet.demon.co.uk>
From: "Jeffrey R. Jones"
To: "'Firewalls@greatcircle.com'"
Subject: Re: Generic Proxy
Date: Tue, 7 Nov 1995 10:24:11 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mike,

The plug-gw suffers this problem because the proxy can't determine which destination of several to actually connect to.

Anyway, the plug-gw in the TIS Gauntlet Internet Firewall can do one to many with the plug-gw because with transparency, the destination can be pulled from the packet.

If you really want to roll your own, I suggest you might want to contact jsanchez@gmv.es and ask for his Linux transparency mods for the fwtk.

Best Regards,
Jeff Jones

- - - - - - - - - - - - -
Jeffrey R. Jones                              JJones@tis.com
Firewalls and Network Security, Europe        JJones@gauntlet.demon.co.uk
Trusted Information Systems (UK) Ltd          phone: +44 1734 304 413
Commerce Park, Brunel Road                    fax:   +44 1734 304 412
Theale, Berkshire RG7 4AB United Kingdom
- - - - - - - - - - - - - - - - - - - - - - - - -
PGP Key fingerprint = C5 EF 8F 3F D5 ED 1C 61 09 63 90 3C 3B F2 46 2E
- - - - - - - - - - - - - - - - - - - - - - - - -

From: Mike Williams
Date: Mon, 06 Nov 1995 18:34:36 GMT
Subject: Generic Proxy

I can't believe this hasn't been discussed before but as I'm relatively new to the list please forgive my ignorance.

Does anybody know of a generic tcp/udp proxy which does not suffer from the limitations of the likes of plug-gw (no slight intended), i.e. will support one-to-many connections to the same destination port?

Is the answer to this client code that always connects to the proxy but furnishes it with a name and destination port number of the ultimate destination? Does a, dare I suggest, standard exist for such communication?

Grateful for any feedback,

Mike.
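The mechanism Jim Howard describes earlier in this thread (a stand-alone plug that owns its listening sockets and chooses the destination from which address the client connected to), together with the "listen on 0.0.0.0 and pull the connection information from the socket" variant he mentions, as an added Python example. This is not code from the list, from TIS's fwtk, or from Jim's multiplug; the class and function names, the route table, the echo service on 127.0.0.1 and the payload are all constructed for the demonstration. Jeff Jones's Gauntlet approach (reading the original destination from the packet) needs kernel transparency support and is not what this does: here the destination is looked up from the accepted socket's own local address, so several listeners on one port, or a single wildcard listener, both dispatch the same way.

```python
import select
import socket
import threading


class PlugGateway:
    """Stand-alone plug relay: each listening (address, port) maps to one destination."""

    def __init__(self):
        self.listeners = []   # bound, listening sockets
        self.routes = {}      # (local_host, local_port) -> (dest_host, dest_port)

    def add_route(self, listen_host, listen_port, dest_host, dest_port):
        """Bind a listener and record where its connections are plugged to.
        Returns the (host, port) actually bound (port 0 lets the OS choose)."""
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind((listen_host, listen_port))
        sock.listen(5)
        local = sock.getsockname()
        self.listeners.append(sock)
        self.routes[local] = (dest_host, dest_port)
        return local

    def destination_for(self, local_addr):
        """Exact (address, port) match first, then a wildcard 0.0.0.0 route on that port."""
        if local_addr in self.routes:
            return self.routes[local_addr]
        return self.routes.get(("0.0.0.0", local_addr[1]))

    @staticmethod
    def _pump(src, dst):
        # Copy bytes until EOF, then half-close the other side so it sees EOF too.
        try:
            while True:
                chunk = src.recv(4096)
                if not chunk:
                    break
                dst.sendall(chunk)
        except OSError:
            pass
        finally:
            try:
                dst.shutdown(socket.SHUT_WR)
            except OSError:
                pass

    def handle_one(self, timeout=None):
        """Accept one client on any listener and plug it through.
        Returns (local_addr, dest), or None on timeout or unknown local address."""
        ready, _, _ = select.select(self.listeners, [], [], timeout)
        if not ready:
            return None
        client, _peer = ready[0].accept()
        local = client.getsockname()          # the address the client actually hit
        dest = self.destination_for(local)
        if dest is None:                      # no route: refuse rather than guess
            client.close()
            return None
        upstream = socket.create_connection(dest)
        threading.Thread(target=self._pump, args=(client, upstream), daemon=True).start()
        threading.Thread(target=self._pump, args=(upstream, client), daemon=True).start()
        return local, dest


def _echo_once(listener):
    """Constructed stand-in for the real destination service: echoes one connection."""
    conn, _ = listener.accept()
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            conn.sendall(data)


def roundtrip_via_gateway(payload):
    """Self-test on 127.0.0.1: push payload through the gateway to the echo
    service and return the bytes that came back."""
    dest_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    dest_sock.bind(("127.0.0.1", 0))
    dest_sock.listen(1)
    threading.Thread(target=_echo_once, args=(dest_sock,), daemon=True).start()
    gw = PlugGateway()
    front = gw.add_route("127.0.0.1", 0, *dest_sock.getsockname())
    threading.Thread(target=gw.handle_one, daemon=True).start()
    received = b""
    with socket.create_connection(front) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        while True:
            data = c.recv(4096)
            if not data:
                break
            received += data
    dest_sock.close()
    for s in gw.listeners:
        s.close()
    return received
```

To run it as a service, call add_route once per (address, port) you want to answer on and then loop over handle_one; roundtrip_via_gateway(b"...") exercises one connection end to end on the loopback interface. Like plug-gw, this relays bytes without looking at them, so the listener's peer address check and a log line per accepted connection are the only controls you get; the unknown-address case returns None rather than picking a default destination, which is the one decision in a relay like this that should never be guessed.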
From firewalls-owner Tue Nov 7 13:52:53 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id CAA19947 for firewalls-outgoing; Tue, 7 Nov 1995 02:46:53 -0800 (PST)
Received: from nt.neurotec.de (nt.neurotec.de [194.120.241.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id CAA19942 for ; Tue, 7 Nov 1995 02:46:41 -0800 (PST)
Received: from nt.neurotec.de (194.120.241.3) by nt.neurotec.de id ; Tue, 07 Nov 1995 11:41:52 +0100
Message-ID: <309F37ED.572F@neurotec.de>
Date: Tue, 07 Nov 1995 11:41:49 +0100
From: Jan Schubert
X-Mailer: Mozilla 2.0b1J (Windows; I; 32bit)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: Q: FTP-GW Port restricting
References: <199510240506.WAA05678@miles.greatcircle.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello FireAlls ;-),

does anyone have experience with restricting the ports for data connections using the FTP-GW included in the TIS FWTK?? I'd like to use a special port or a port range for filtering the connections. I use the TIS FWTK 1.3 and Linux 1.2.8.

Or, how is it possible to filter these data connections in the Linux kernel?

Can anyone help?

Thanx a lot,
Jan

--
Ing. Jan Schubert          e-Mail: jan@neurotec.de
NEUROTEC                   WWW   : http://www.inf-gr.htw-zittau.de/~longint
Ehlersstr. 15              Tel.  : +49 7541 3012 156
D-88046 Friedrichshafen    FAX   : +49 7541 33013

From firewalls-owner Tue Nov 7 13:52:54 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id BAA12070 for firewalls-outgoing; Tue, 7 Nov 1995 01:11:57 -0800 (PST)
Received: from bastion1.bazis.nl (bastion1.bazis.nl [130.78.143.1]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id BAA12064 for ; Tue, 7 Nov 1995 01:11:53 -0800 (PST)
Received: from bazu05.bazis.nl by bastion1.bazis.nl id aa04438; 7 Nov 95 10:12 WET
From: Rene Doove
To: Firewalls@greatcircle.com, mikew@smartpt.demon.co.uk
Subject: RE: Generic Proxy
X-Mailer: ScoMail 1.0
Date: Tue, 7 Nov 1995 10:11:41 +0100 (WET)
Message-ID: <9511071011.aa07064@bazu05.bazis.nl>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mike says:
>> Does anybody know of a generic tcp/udp proxy which does not suffer
>> from the limitations of the likes of plug-gw (no slight intended),
>> i.e. will support one-to-many connections to the same destination
>> port?

Yep, its name is SOCKS. You can get more info at the following site: http://www.socks.nec.com

greetings,
                            (o o)
---------------------------oOO--(_)--OOo---------------------------------
Rene Doove, HISCOM, Systems Management dept., Schipholweg 97, P.O. Box 901, 2300 AX Leiden, Netherlands
071 5256830 (office), 071 5256862 (secr.), 071 219856 (FAX)
-------------------------------------------------------------------------

From firewalls-owner Tue Nov 7 13:52:56 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id XAA07932 for firewalls-outgoing; Mon, 6 Nov 1995 23:20:30 -0800 (PST)
Received: from capx.co.gva.es (cap.cap.gva.es [193.144.104.4]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id XAA07921 for ; Mon, 6 Nov 1995 23:20:23 -0800 (PST)
Message-Id: <199511070720.XAA07921@miles.greatcircle.com>
Received: from pc9.cap.gva.es by capx.co.gva.es with SMTP (1.38.193.5/16.2) id AA26990; Tue, 7 Nov 1995 08:17:54 +0100
Date: Tue, 7 Nov 1995 08:17:54 +0100
X-Sender: alfon@capx.co.gva.es
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: alfon@gva.es (Alfonso Jimenez)
Subject: proxy's questions
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It's my first posting in this list and maybe it's not an appropriate question for this list, but I'll try.

I've been hearing a lot about proxy servers and clients recently, but I've some questions about it:

- How can I manage to configure a UNIX server to work as a real proxy server? Must I get any additional software?
- What must I do in the clients (PCs) to work as proxy clients (not only for web, but also for telnet, ftp,...)?
- What relationship is there between proxy servers and firewalls?

Thank you very much in advance.

================================================
Alfonso Jimenez Cantos - Systems Analyst.
Tlf: 96 - 38 63 906    Fax: 96 - 38 66 303
Ministry of Public Administration - Generalitat Valenciana -
================================================

From firewalls-owner Tue Nov 7 13:52:57 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id WAA07231 for firewalls-outgoing; Mon, 6 Nov 1995 22:43:13 -0800 (PST)
Received: from northshore.ecosoft.com (northshore.ecosoft.com [192.233.85.129]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id WAA07226 for ; Mon, 6 Nov 1995 22:43:10 -0800 (PST)
Received: from [198.115.177.203] (slip-3-26.shore.net) by northshore.ecosoft.com with SMTP id AA26757 (5.67a/IDA-1.5 for ); Tue, 7 Nov 1995 01:43:00 -0500
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 7 Nov 1995 02:48:24 -0500
To: einar.landre@sdata.no
From: vin@shore.net (Vin McLellan)
Subject: Info about Secure Net and Secure ID
Cc: firewalls@greatcircle.com, sdi@shore.net
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Einar Landre queried the List:

> Digital Pathways with Secure Net
> Security Dynamics with Secure ID
>Can somebody tell me where to find information about the two ??

Both DPI and SDI market one-time password ID tokens. The DPI token is called a "SecureNet Key" and is generally supported by DPI's Defender software. The SDI token, called a SecurID, is supported by SDI's ACE access control software. Contact info follows:

_Digital Pathways_
URL:
Suite 700
201 Ravendale Drive
Mountain View, CA 94043-5216 USA
TEL: 415-964-0707
FAX: 415-961-7487

Digital Pathways lists offices or reps in both the UK and Belgium.

DPI/Europe Sales Contact:
Antwerpsesteen w124/B25
Belgium
Bernard@digpath.com
TEL: 32.3.870.4625
FAX: 32.3.870.4651

==== ==== ====

_Security Dynamics Inc._
URL:
One Alewife Center
Cambridge, Ma. 02150-2312 USA
Tel. (617) 547-7820 or 1 (800) SECURID
Fax. (617) 354-8836
E-mail:

Security Dynamics lists six SDI offices overseas and 21 international distributors.

SDI/Norway Contact:
Ericsson Computer Products
Nebruveien 75, Nebru
P.O. Box 34
N-1361 Billingstad
Attn: Lars H. Nordin
Tel 47 66 84 16 50
Fax 47 66 84 16 51

I don't think either company has formally announced their web sites. Neither may be ready for prime time, but both are accessible and offer useful and interesting information.

Good luck,

_vbm

Vin McLellan +The Privacy Guild+ 53 Nichols St., Chelsea, Ma., USA Tel: (617) 884-5548
<*><*><*><*><*><*><*><*><*>

From firewalls-owner Tue Nov 7 13:52:55 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id NAA23959 for firewalls-outgoing; Tue, 7 Nov 1995 13:24:22 -0800 (PST)
Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with ESMTP id NAA23954 for ; Tue, 7 Nov 1995 13:24:16 -0800 (PST)
Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.7.1/8.7.1) with UUCP id PAA19613 for GreatCircle.COM!firewalls; Tue, 7 Nov 1995 15:12:38 -0600 (CST)
Received: by ris1.nmti.com (smail2.5) id AA11401; 7 Nov 95 15:29:11 CST (Tue)
Received: by sonic.nmti.com; id AA14847; Tue, 7 Nov 1995 14:58:26 -0600
From: peter@nmti.com (Peter da Silva)
Message-Id: <9511072058.AA14847@sonic.nmti.com.nmti.com>
Subject: Re: Weird Netscape Navigator functions?
To: sdeshaies@pioneer.hmp.com (Scott Deshaies)
Date: Tue, 7 Nov 1995 14:58:26 -0600 (CST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <309f864a.vanguard@vanguard.hmp.com> from "Scott Deshaies" at Nov 7, 95 09:16:09 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> The first was the CEO of Netscape saying something to the effect that
> "..we know how many people are using our browsers because every time
> you access a site, a message is sent to one of our servers telling us
> what version you have, if it's a trial beta or registered, etc".

Not through my firewall they're not. My proxy only speaks HTTP and logs everything, and there's no way for netscape to find my firewall address.
I suspect the guy meant "every time you access our site"... see below:

> Next, there is a company that is now marketing a program that goes
> beyond recording hits on a Web page from just counting IP addresses.
> It apparently uses "Netscape function calls" to obtain user info,
> even if that user is behind a firewall or a proxy.

Netscape puts a lot of stuff in the headers it sends out.

From firewalls-owner Tue Nov 7 14:52:56 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id NAA24773 for firewalls-outgoing; Tue, 7 Nov 1995 13:53:15 -0800 (PST)
Received: from vulcan.iss.bnr.com (vulcan.iss.bnr.com [139.51.128.1]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id NAA24760 for ; Tue, 7 Nov 1995 13:53:02 -0800 (PST)
From: Mark_W_Loveless@smtp.bnr.com
Received: from smtp.bnr.com by vulcan.iss.bnr.com (4.1/BNR/v1.0/910819) id AA28865; Tue, 7 Nov 95 15:53:04 CST
Received: from cc:Mail by smtp.bnr.com id AA815787920; Tue, 07 Nov 95 13:09:12 CST
Date: Tue, 07 Nov 95 13:09:12 CST
Message-Id: <9510078157.AA815787920@smtp.bnr.com>
To: firewalls@GreatCircle.COM
Subject: Re: fairly recent web server compromise...
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Not much to say except you could mount the filesystem containing the Web page in question from any PC on the planet. An interesting "coincidence" that a Hollywood advertisement for a movie about hackers got so much free press from the compromise...

Since the "firewall" amounted to a firecurb you could call this off-topic ;-)

______________________________ Reply Separator _________________________________
Subject: fairly recent web server compromise...
Author: Ron DuFresne at internet
Date: 11/7/95 9:24 AM

Peoples,

Wasn't but a couple of months ago that a major Hollywood motion pictures firm's web server was compromised and files served up by it were altered.
I think it was something like www.umga.com or some such thing, was in retaliation for the pending release of the movie hackers...

Anyway, does anyone have info regarding such tid-bits as:

	OS of this box
	WWW server SW that was in use
	various other goodies?

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.

From firewalls-owner Tue Nov 7 15:00:59 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1/Miles-950430-1) id NAA24137 for firewalls-outgoing; Tue, 7 Nov 1995 13:31:00 -0800 (PST)
Received: from NS1.stl.net (stl.net [199.217.196.1]) by miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP id NAA24132 for ; Tue, 7 Nov 1995 13:30:56 -0800 (PST)
Received: (from jym@localhost) by NS1.stl.net (8.6.11/8.6.9) id QAA12554; Tue, 7 Nov 1995 16:27:48 -0600
Date: Tue, 7 Nov 1995 16:27:48 -0600 (CST)
From: Jym Barnes
To: Scott Deshaies
cc: Firewalls Mailing List
Subject: Re: Weird Netscape Navigator functions?
In-Reply-To: <309f864a.vanguard@vanguard.hmp.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 7 Nov 1995, Scott Deshaies wrote:

> Hi all-
>
> In two different trade magazines recently, I've read a few things about
> Netscape's Navigator that made me go "Hmm?".
>
> The first was the CEO of Netscape saying something to the effect that
> "..we know how many people are using our browsers because every time
> you access a site, a message is sent to one of our servers telling us
> what version you have, if it's a trial beta or registered, etc".
> I haven't had a chance to run a packet trace on it yet, but does anyone
> know if this is true?
>

Any web site can keep track of what type of browser visits their site by simply logging the HTTP_USER_AGENT field. This is not specific to Netscape and is quite valuable to Webmasters as they have a way to serve the proper HTML depending on what type of browser the user is using. Netscape can put whatever they want in this field when they ship the browser. The field usually contains the browser type and version. This field will also pass through most proxies and usually contains both what proxy was used and the original value.

Since most people do not change their home from http://home.netscape.com, Netscape has a great way to keep track of what versions of their browsers are being used.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
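Jym's two points above (a server learns browser type and version just by logging the User-Agent field, and most proxies pass the field on with their own identity added to the original value) and Peter da Silva's remark earlier in the thread that his proxy speaks only HTTP and logs everything, as an added Python example that is not code from the list or from any poster. The access-log lines, hosts, paths and agent strings are constructed for the example; the " via ..." convention for proxy-appended identity is assumed, as is the scrub_outbound_headers policy (which header names a firewall proxy drops and the generic value it substitutes), which is this example's own choice and not what any particular product does.

```python
import re
from collections import Counter

# Constructed sample of NCSA/Apache "combined" access-log lines (common log
# format plus the quoted Referer and User-Agent request headers). Hosts,
# times, paths and agent strings are made up for this example; the trailing
# "via ..." text stands for a proxy that appends its own identity to the
# browser's User-Agent before forwarding the request.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Nov/1995:13:09:12 -0600] "GET /index.html HTTP/1.0" 200 2326 "-" "Mozilla/2.0b1J (Windows; I; 32bit)"
192.0.2.11 - - [07/Nov/1995:13:09:40 -0600] "GET /index.html HTTP/1.0" 200 2326 "-" "Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)"
198.51.100.7 - - [07/Nov/1995:13:10:02 -0600] "GET /pub/news.html HTTP/1.0" 200 812 "http://example.com/index.html" "Mozilla/2.0b1J (X11; I; SunOS 5.4 sun4m) via proxy gateway CERN-HTTPD/3.0 libwww/2.17"
198.51.100.7 - - [07/Nov/1995:13:10:05 -0600] "GET /pub/logo.gif HTTP/1.0" 200 4140 "http://example.com/pub/news.html" "Mozilla/2.0b1J (X11; I; SunOS 5.4 sun4m) via proxy gateway CERN-HTTPD/3.0 libwww/2.17"
203.0.113.9 - - [07/Nov/1995:13:11:30 -0600] "GET /index.html HTTP/1.0" 200 2326 "-" "Lynx/2.4.2 libwww/2.1.4"
"""

COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)


def parse_line(line):
    """Fields of one combined-format line as a dict, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def split_agent(agent):
    """Separate the browser's own User-Agent from text a proxy appended.
    Returns (browser_part, proxy_part); proxy_part is None without a proxy marker."""
    browser, sep, proxy = agent.partition(" via ")
    return browser.strip(), (proxy.strip() if sep else None)


def browser_product(agent):
    """First product token, e.g. 'Mozilla/2.0b1J (Windows; I; 32bit)' -> 'Mozilla/2.0b1J'."""
    return agent.split(" ", 1)[0]


def tally_user_agents(log_text):
    """The server's view: Counter keyed by (product token, arrived via a proxy)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["agent"] is None:
            continue                      # not combined format, or no agent logged
        browser, proxy = split_agent(rec["agent"])
        counts[(browser_product(browser), proxy is not None)] += 1
    return counts


# Assumed policy for a firewall proxy's outbound requests: one fixed, generic
# User-Agent for every inside client, and no headers that describe the inside
# network or the page the user came from. Header names and the replacement
# value are this example's choices, not anything a particular product does.
GENERIC_AGENT = "Mozilla/2.0 (compatible; site-proxy)"
DROP_HEADERS = {"referer", "via", "x-forwarded-for", "forwarded"}


def scrub_outbound_headers(headers, generic_agent=GENERIC_AGENT):
    """Return a new list of (name, value) pairs with identifying headers removed
    and User-Agent replaced; header names are matched case-insensitively."""
    out = []
    for name, value in headers:
        lname = name.lower()
        if lname in DROP_HEADERS:
            continue
        if lname == "user-agent":
            value = generic_agent
        out.append((name, value))
    return out


if __name__ == "__main__":
    for (product, via_proxy), n in sorted(tally_user_agents(SAMPLE_LOG).items()):
        print(f"{n:3d}  {product:<16} {'via proxy' if via_proxy else 'direct'}")
```

tally_user_agents is the server-side view Jym describes: the two CERN-proxied requests in the sample are counted as the same browser behind a proxy, and the proxy's own identity is recovered by split_agent. scrub_outbound_headers is the proxy-side mitigation for the privacy concern in Scott's question: inside browsers all appear as one generic agent and the Referer never leaves the site, at the price that servers which tailor HTML to the browser (Jym's point) only ever see the generic value.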