From firewalls-owner Mon Jan 1 11:22:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA26434 for firewalls-outgoing; Mon, 1 Jan 1996 11:13:40 -0800 (PST)
Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA26428 for ; Mon, 1 Jan 1996 11:13:23 -0800 (PST)
Received: from mnbp.network.com (ushub.network.com) by nsco.network.com (4.1/1.34) id AA25136; Mon, 1 Jan 96 13:14:01 CST
Received: by mnbp.network.com with Microsoft Mail id <30E831CE@mnbp.network.com>; Mon, 01 Jan 96 13:11:10 CST
From: Craig McLellan
To: firewalls , pietro
Subject: Re: Security managing Cisco Routers
Date: Mon, 01 Jan 96 13:10:00 CST
Message-Id: <30E831CE@mnbp.network.com>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You could use a Network Systems BorderGuard access router placed behind the Ciscos and nail up an encrypted "sleeve" for all management traffic. This would pass through the public network to the remote BorderGuard, then be decrypted and forwarded to the Cisco you wish to manage. Cost is just over $2K US.

RGRDS....clm

| My actual problem is to manage several Cisco Routers situated
| on a public network from a central site, from where there is no
| way to guarantee secure communication.
|
| I can access them using telnet or by using the CiscoWorks
| application (protocols SNMP and TFTP), but still the password
| and the operation are running on the network in a clear form.
|
| In many actual security configurations routers are the elements
| that protect the internal network. Are there any techniques or
| software to protect them and administrative communications with
| them?

You might be able to get an encrypted connection to a network each Cisco is attached to, and then use one of the other authentication methods commented on (Kerberos, TACACS, or Radius), or simply have a shorter path to worry about sniffing.

If you bridge off a cheap bastion system running SSH or DESlogin, then you have an encrypted connection to that box, and a bridged connection to the router. (You might also connect this box to a serial port on the router.) This would take roughly one 386 running UNIX, and possibly one bridge per site. Depending on availability of those resources, you could do something like:

external net | router 386/UNIX internal | | network--[bridge]--+---------+- --

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From firewalls-owner Tue Jan 2 00:22:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id AAA09784 for firewalls-outgoing; Tue, 2 Jan 1996 00:10:17 -0800 (PST)
Received: from solarnum.itd.uts.edu.au (solarnum.itd.uts.EDU.AU [138.25.16.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id AAA09779 for ; Tue, 2 Jan 1996 00:10:10 -0800 (PST)
Received: from lordmuck.itd.uts.edu.au (matt@lordmuck.itd.uts.EDU.AU [138.25.32.20]) by solarnum.itd.uts.edu.au (8.7.1/8.7.1/uts) with ESMTP id QAA12397; Fri, 8 Dec 1995 16:47:49 +1100 (EST)
Received: (from matt@localhost) by lordmuck.itd.uts.edu.au (8.7.1/8.7/Jas) id QAA03786; Fri, 8 Dec 1995 16:52:18 +1100 (EST)
From: Jas (Matthew K)
Message-Id: <199512080552.QAA03786@lordmuck.itd.uts.edu.au>
Subject: Re: Type enforcement vs chroot and buffers
To: mrm@alpharel.com (Mike Murphy)
Date: Fri, 8 Dec 1995 16:52:18 +1100 (EST)
Cc: firewalls@GreatCircle.COM, smith@sctc.com
In-Reply-To: <199512072351.PAA24540@visalia.optigfx.com> from "Mike Murphy" at Dec 7, 95 03:51:25 pm
X-Gcb: -----BEGIN GEEK CODE BLOCK-----
X-Gcb: Version: 3.1
X-Gcb: GAT/M/CS d-(++) s++:-- a-(?) C+++$ UVS++++$ P+++ L+ E++ W++ N++
X-Gcb: !o K+ w--- O+ M+ V-- PS+ PE+ Y+ PGP++ t+ 5+ X++ R tv- b++ DI+
X-Gcb: D+ e h- r !y
X-Gcb: ------END GEEK CODE BLOCK------
X-Ph: ph: +61 2 330 1390 fax: +61 2 330 1999 home: +61 2 9929 0717
X-Pager: +61 2 214 1111 #849482 or 849482@pager.link.com.au
X-Pgp-Finger: pub 2048/27FB4AE1 1995/09/30 Jas (Matthew K)
X-Pgp-Finger: Key fingerprint = 3A1EEDBE7A6D498D E7953FB40A21A6C8
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mike Murphy wrote this...
[...]
> and followed, chroot works. A lot of "if's", sad to say. And too
> bad sockets weren't in filespace.
[...]

Well, in SVR4 sockets are in the filespace (via /dev/tcp, /dev/udp, and libsocket).

Matt
--
#!/bin/sh
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D3F204445524F42snlbxq'|dc;exit
Matthew Keenan
Systems Programmer
Information Technology Division
University of Technology Sydney Australia

It's nice to be in a position where people apologize because they assume there's humor in your work, based on past experience, but they're not sure where it is.
-- Rob Pike

From firewalls-owner Tue Jan 2 05:07:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA17328 for firewalls-outgoing; Tue, 2 Jan 1996 04:55:11 -0800 (PST)
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id EAA17323 for ; Tue, 2 Jan 1996 04:55:07 -0800 (PST)
From: /G=BECKY/S=HEROLD@mhs-pfg1.attmail.com
Received: from alau.al.mt.np.els-gms.att.net by relay2.UU.NET with SMTP id QQzwtv13303; Tue, 2 Jan 1996 07:54:22 -0500 (EST)
Received: from mhs!pfg1 by /C=US/AD=ATTMAIL;Tue Jan 2 12:54:05 -0000 1996
Received: by /C=us/AD=attmail/PD=pfg1;Tue Jan 2 06:50:35 -0600 1996
Date: Tue, 02 Jan 1996 06:50:35 -0600
Transport-Options: /STANDARD/REPORT
Original-Encoding-Types: ASCII
Disclose-Recipients: yes
Subject: Firewalls needed for both dial-in AND dial-out
P2-Originator: mhs!pfg1/G=BECKY/S=HEROLD
To: firewalls@GreatCircle.com, /G=BECKY/S=HEROLD@mhs-pfg1.attmail.com
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Message-ID:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm putting together a document listing the risks of not only allowing dial-in access to a networked PC (used for accessing computer systems on a corporate WAN/LAN at least some of the time...typically has a network interface card), but also the risks of allowing dial-out access from a networked PC. I'd appreciate your help, wisdom, and knowledge in critiquing the following regarding the dial-out issues. I apologize if there is a FAQ on this somewhere...I currently do not have very convenient access to the Internet except via e-mail. If you could provide the location of such a FAQ, that'd be great!
First, here are some givens:

* I know any type of remote access is NOT risk-free...that acceptable risks must be determined to allow efficient and effective use of remote access (please no long philosophical discussions of how we can never remove all risks from remote access).
* I know policies need to be established for end-users to follow to help ensure remote access security. (This document will be used to establish buy-in for the policies and educate end-users why the policies are necessary.)
* The environment: Large nation-wide WAN composed of several hundred LANs and running virtually every type of operating system imaginable. 18,000+ users.
* With so many users, it's unlikely that all (or even a large percentage) of them will set up the dial-out access to be STRICTLY dial-out, will keep the modem shut off when not in use (if their modem set-up even allows this), or will know AND UNDERSTAND the risks involved when connecting using TCP/IP.
* Users may need to dial-out to not only the Internet, but also to a vendor or customer, to a BBS, or to services such as Lexis/Nexis, CompuServe, AOL, etc.
* Dial-in access to networked PCs is being controlled through firewalls. (Would like to see dial-out occur through firewalls also.)

So, what are the risks involved with various dial-out methods?

* Networked PC with modem using SLIP/PPP
  - Provides bi-directional access
  - Unauthorized folks (let's call them intruders!) can enter the WAN during the employee's dial-out session
  - Once the intruder enters the WAN he/she can wander around the systems trying to find weaknesses and other entry points
  - Files can be transferred to the dial-out employee's hard-drive
  - Files on the dial-out employee's hard-drive may also be copied, deleted, and possibly modified
  - Files may also be copied to, deleted, or modified on the other WAN systems
  - Viruses and/or trojan horses may be placed on the dial-out employee's hard drive, or on one of the systems on the WAN
  - Changes may be made to WAN systems which could prevent access to the WAN by legitimate WAN users

* Networked PC using communications software (eg., SmallTalk) with no TCP/IP
  - Less risk than PPP/SLIP because of the configurability of the communications software to allow only dial-out (IF the employee remembers to configure the software this way)
  - What would the risks be here???

* Networked PC using a dial-out modem bank (no modem attached to the PC)
  - More secure because of centralized control
  - What would the risks be here???

* Stand-alone (never networked) PC using SLIP/PPP
  - Viruses and trojans can be placed on the dial-out employee's hard drive
  - Any files copied to diskettes and placed on the network could cause problems
  - Employee's PC could be used as a repository

* Stand-alone PC using communications software and no TCP/IP
  - Again, less risk because of the communications software
  - What would the risks be here???

Please comment on items I have listed that you believe are NOT risks. Also, please let me know the risks for each type of dial-out PC that I did not have listed. Do you know of other dial-out methods I did not list? If so, what are they, and what are the associated risks?

Thanks in advance for your help!!

Becky
herold.becky@mhs-pfg1.attmail.com
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The opinions expressed here are strictly my own and do not necessarily represent those of my employer.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

From firewalls-owner Tue Jan 2 05:37:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA18008 for firewalls-outgoing; Tue, 2 Jan 1996 05:26:41 -0800 (PST)
Received: from relay7.UU.NET (relay7.UU.NET [192.48.96.17]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id FAA17999 for ; Tue, 2 Jan 1996 05:26:35 -0800 (PST)
Received: from rssi.com by relay7.UU.NET with SMTP id QQzwtx08893; Tue, 2 Jan 1996 08:25:49 -0500 (EST)
Received: from mel.rssi.com by rssi.com (SMI-8.6/SMI-SVR4) id IAA24805; Tue, 2 Jan 1996 08:25:25 -0500
Received: by mel.rssi.com (5.x/SMI-SVR4) id AA03193; Tue, 2 Jan 1996 08:21:36 -0500
Date: Tue, 2 Jan 1996 08:21:36 -0500
From: Brad VanOrden
Message-Id: <9601021321.AA03193@mel.rssi.com>
To: ckostick@ashton.csc.com, anton@the-wire.com, firewalls@greatcircle.com
Subject: Re: Compression is useful (was Re: WAN Encryption)
Cc: bvvanor@rssi.rssi.com
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I just wanted to clarify a couple points I was trying to make in my question. First, I am consulting with a Federal Government body who is placing the main computer used by several hundred users a couple hundred miles away from all the users. Their main objective in the WAN design I am doing for them is to minimize the cost of the WAN (moving the computer to where the users are has already been eliminated). In fact, they have never mentioned security as a concern of theirs. Being concerned about security, I did not want to present them a plan that did not also include some security considerations.

Some of the Government people came up with the idea of using a compression box to reduce the number of required T1s. The box they recommended has V.35 ports, and would sit between the Cisco and the CSU/DSU. To be fair, the vendor told me his box did not do encryption, but since the data was compressed, it would not be in plain view.

I was also looking at an encryption box from WANG. It has AUI ports and would therefore have to go before the CISCO. Thus, my dilemma. If I encrypt before I compress, there won't be much to compress.

I am not an encryption expert. I was trying to get a general feel from the list of the level of difficulty someone would have reading the data if it was only compressed. I think the consensus has been: It will keep the honest person honest, but will not deter a determined hacker.

If someone knows of a device that does encryption as well as compression, I would greatly like to hear it.

Thank You,
Brad Van Orden
Rapid Systems Solutions, Inc
www.rssi.com
410-312-0777

>It began with Brad VanOrden asking:
>>>
>>> I have a question regarding the level of protection I can expect from
>>> compressing traffic before it hits a WAN. That is, the compression
>>> box vendor stated that since the data is compressed, that unless a snooper
>>> has the compression key, the data is also essentially encrypted.
>>>
>>> Do you feel the "compression" encryption is good enough, or should I look
>>> for a better encryption method?
>
>Then Chris Kostick said:
>
>>First of all, compression encryption (even in quotes) is not really a good
>>way of stating it. Nonetheless, I'd say no to this. Simply because if
>>someone has the tools and/or utilities to sniff something off of a network,
>>then the chances are really good that the tool already knows how to
>>uncompress the data stream and read everything. If you want privacy, use
>>encryption.
>
>However I'd like to qualify things on two counts.
>
>Do use compression, please. At the very least it will reduce the
>recurrent patterns in your data stream so that even if you are only
>using weak encryption the BFI decrypter will not be using this advantage.
>This isn't to say you shouldn't use strong encryption, but there may
>be constraints you are working under.
>
>A dictionary based compression algorithm can present problems
>to a receiver who doesn't have the dictionary. Strictly speaking,
>this is a 'coding' scheme. People often confuse 'codes' and 'cyphers'.
>It's not a bullet-proof way of protecting your data but it will deter,
>for example, an automatic sniffer looking for the login-password
>sequence. But then so will XORing your packets with the first chapter
>of DuMaurier's "Rebecca" (As in "The Key to Rebecca").
>
>I view compression like I view The Club. It will deter the casual
>theft. Realistically, you have to do what I was suggesting in an
>earlier thread (cf the archives) and balance the investment in
>protection against the cost and liability of a loss. In short, stop
>thinking like a {programmer,consultant,administrator..} for a moment
>and think like an actuary.
>
>Brad, I presume you are going in to this as a "consultant". Present
>to your client the comparable costs of the different solutions.
>Involve their accountant and lawyers to get input about risk
>and liability. Find out if their insurance covers data loss.
>
>
>Please, please, please, recognise the difference between
>compression and encryption at the LINK level and at the
>NETWORK level. Make sure you use the one appropriate
>for your situation.
>
>/anton

From firewalls-owner Tue Jan 2 05:52:21 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA18711 for firewalls-outgoing; Tue, 2 Jan 1996 05:44:18 -0800 (PST)
Received: from hvar.mzt.hr (hvar.mzt.hr [161.53.4.4]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id FAA18667 for ; Tue, 2 Jan 1996 05:41:55 -0800 (PST)
Received: from gaus@localhost by hvar.mzt.hr (8.7/8.6.12.CI) id OAA02554; Tue, 2 Jan 1996 14:38:26 +0100 (MET)
From: gaus@znanost.hr (Damir Rajnovic)
Message-Id: <199601021338.OAA02554@hvar.mzt.hr>
Subject: Where to find Endorsed Product List
To: Firewalls@GreatCircle.COM
Date: Tue, 2 Jan 1996 14:38:26 +0100 (MET)
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello there!

Can someone tell me where to find the Endorsed Product List on the Net? I need it for a seminar.

Thanks in advance.

Gaus

|-----------------------------------------------------------------|
| Damir Rajnovic                       | E-mail: gaus@znanost.hr  |
| Ministry of Science and Technology   | Voice: (+385 1)4594 437  |
| Strossmayerov trg 4, 41000 Zagreb    |                          |
|-----------------------------------------------------------------|
| There are no unsolvable problems, but the question is - can you |
| accept the solution.                                            |
|=================================================================|

From firewalls-owner Tue Jan 2 06:07:19 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA18666 for firewalls-outgoing; Tue, 2 Jan 1996 05:40:58 -0800 (PST)
Received: from simtel.Coast.NET (simtel.coast.net [205.149.128.6]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA18661 for ; Tue, 2 Jan 1996 05:40:51 -0800 (PST)
Received: by simtel.Coast.NET (Smail3.1.28.1 #12) id m0tX6wd-0000sKC; Tue, 2 Jan 96 08:40 EST
Date: Tue, 2 Jan 1996 08:40:03 -0500 (EST)
To: /G=BECKY/S=HEROLD@mhs-pfg1.attmail.com
Cc: firewalls@greatcircle.com (Firewalls Mailing List)
Subject: Re: Firewalls needed for both dial-in AND dial-out
In-Reply-To: from "/G=BECKY/S=HEROLD@mhs-pfg1.attmail.com" at Jan 2, 96 06:50:35 am
From: "Mike O'Connor"
Reply-To: "Mike O'Connor"
X-Organization: :noitazinagrO-X
Message-Id: <960102084003.mjo@dojo>
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

:So, what are the risks involved with various dial-out methods?
:* Networked PC with modem using SLIP/PPP
: - Provides bi-directional access
: - Unauthorized folks (let's call them intruders!) can enter the WAN during
: the employee's dial-out session
: - Once the intruder enters the WAN he/she can wander around the systems
: trying to find weaknesses and other entry points
: - Files can be transferred to the dial-out employee's hard-drive
: - Files on the dial-out employee's hard-drive may also be copied, deleted,
: and possibly modified
: - Files may also be copied to, deleted, or modified on the other WAN
: systems
: - Viruses and/or trojan horses may be placed on the dial-out employee's
: hard drive, or on one of the systems on the WAN
: - Changes may be made to WAN systems which could prevent access to the WAN
: by legitimate WAN users

One big danger: Networked PCs may be screwed up by the mixing and matching of IP stacks and clients that this sort of thing implies. Just as one example, one incarnation of C$'s software unobviously munged with WINSOCK.DLL, which caused me lots of grief trying to debug why a system wasn't working properly. The supportability of allowing people to do this needs to be considered.

...Mike

--
Michael J. O'Connor  Internet: mjo@dojo.mi.org
InterNIC WHOIS: MJO  http://www.coast.net/~mjo
"Sir, I must protest! I am not a merry man!"
-Worf

From firewalls-owner Tue Jan 2 07:22:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA22165 for firewalls-outgoing; Tue, 2 Jan 1996 07:19:41 -0800 (PST)
Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id HAA22160 for ; Tue, 2 Jan 1996 07:19:38 -0800 (PST)
Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.7.3/8.7.3) with UUCP id JAA21893 for GreatCircle.COM!firewalls; Tue, 2 Jan 1996 09:11:19 -0600 (CST)
Received: by ris1.nmti.com (smail2.5) id AA13022; 2 Jan 96 09:40:12 CST (Tue)
Received: by sonic.nmti.com; id AA27928; Tue, 2 Jan 1996 09:11:15 -0600
From: peter@nmti.com (Peter da Silva)
Message-Id: <9601021511.AA27928@sonic.nmti.com.nmti.com>
Subject: Re: Type enforcement vs chroot and buffers
To: matt@lordmuck.itd.uts.edu.au (Jas)
Date: Tue, 2 Jan 1996 09:11:15 -0600 (CST)
Cc: mrm@alpharel.com, firewalls@GreatCircle.COM, smith@sctc.com
In-Reply-To: <199512080552.QAA03786@lordmuck.itd.uts.edu.au> from "Jas" at Dec 8, 95 04:52:18 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > and followed, chroot works. A lot of "if's", sad to say. And too
> > bad sockets weren't in filespace.

> well in SVR4 sockets are in the filespace (via /dev/tcp, /dev/udp, and
> libsocket)

That's not significantly better in terms of security, since it's all or nothing. To be any use it'd have to be something like "/dev/tcp/25" and so on...

From firewalls-owner Tue Jan 2 09:11:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA24120 for firewalls-outgoing; Tue, 2 Jan 1996 09:00:19 -0800 (PST)
Received: from smtp-gw01.ny.us.ibm.net ([165.87.194.252]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA24113 for ; Tue, 2 Jan 1996 09:00:14 -0800 (PST)
Received: (from uucp@localhost) by smtp-gw01.ny.us.ibm.net (8.6.9/8.6.9) id QAA31145 for ; Tue, 2 Jan 1996 16:59:32 GMT
Received: from async61.async.duke.edu(152.3.249.61) by smtp-gw01.ny.us.ibm.net via smap (V1.3mjr) id smaIp8CkR; Tue Jan 2 16:59:29 1996
Received: by async61.async.duke.edu with Microsoft Mail id <01BAD90A.16831660@async61.async.duke.edu>; Tue, 2 Jan 1996 12:01:45 -0500
Message-ID: <01BAD90A.16831660@async61.async.duke.edu>
From: Ray Hooker
To: "'Firewall Mailing List'"
Subject: Source Routing and Disabling
Date: Tue, 2 Jan 1996 12:01:32 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I know certain things about source routing:
 - Stated purpose (see RFC 791) was to allow the specification of routing information to be used by gateways.
 - I know how to code source routed packets under UNIX (or Linux).
 - They can be used in attacking TCP/IP hosts (see IPEXT paper on weaknesses in the TCP/IP protocol).
 - Microsoft's tracert module purportedly has an option to use loose source-routing to debug network problems (this is their version of traceroute).
 - Some networks configure their routers to reject source-routed packets.
 - Firewalls should reject source-routed packets.

What I am curious about is what functions or applications, if any, commonly use source-routing. I haven't noticed any Telnet clients that, for example, could specify a loose source-routing to contact a particular host. I have searched the Comer series on Internetworking with TCP/IP and other references, but see little information on actual usage.

Ray Hooker, rayhook@ibm.net
Secure I/T Inc.
1-919-544-4565

From firewalls-owner Tue Jan 2 09:52:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA25576 for firewalls-outgoing; Tue, 2 Jan 1996 09:46:52 -0800 (PST)
Received: from warp10.smartlink.net (smartlink.net [204.118.4.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA25571 for ; Tue, 2 Jan 1996 09:46:45 -0800 (PST)
Received: by warp10.smartlink.net(8.6.12/SMARTLINK-1.0) with id JAA06359 for on Tue, 2 Jan 1996 09:47:21 -0800
Date: Tue, 2 Jan 1996 09:47:20 -0800 (PST)
From: Pablo
To: firewalls@greatcircle.com
Subject: ipx-bridging & ip-routing
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all,

I am working on a problem in which I need some sort of unix box (linux/bsd?) to do ip-routing (no problem there, i know), & do ipx-bridging. The second part is the problem area. Coming into & going out of the box will be 100 mbps FDDI. I have set up a linux box and put ipfwadmin & ipxbridge & ipxripd (mostly from sunsite) on it, and it seems like it will work ok for ipx bridging, but it seems like it will be far too inefficient to handle traffic from 300+ users @ 100mbps. vinod@cse.iitb.ernet.in says in the documentation on ipx-bridge that he is currently using ipx-bridge to connect two networks; i'm not sure how large the networks are.

I was hoping someone out there would have some comments or ideas on what to use to ROUTE ip packets with good control, and bridge ipx-packets as fast as possible. I can use a dedicated box for the routing, or even one of the cisco products if need be, I just need to know the best way to go.

Any insight would be greatly appreciated.

Thanks in advance!

paul

From firewalls-owner Tue Jan 2 10:22:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA26387 for firewalls-outgoing; Tue, 2 Jan 1996 10:09:41 -0800 (PST)
Received: from lint.cisco.com (lint.cisco.com [171.68.235.77]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA26382 for ; Tue, 2 Jan 1996 10:09:37 -0800 (PST)
Received: from pferguso-pc.cisco.com (c4robo4.cisco.com [171.68.13.74]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id KAA22829; Tue, 2 Jan 1996 10:07:55 -0800
Message-Id: <199601021807.KAA22829@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 02 Jan 1996 13:08:22 -0500
To: Ray Hooker
From: Paul Ferguson
Subject: Re: Source Routing and Disabling
Cc: "'Firewall Mailing List'"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

A common application for loose source-routing, used mainly by service providers, is troubleshooting routing problems in the Internet. It can be quite helpful to trace a route *from* a specified node, *to* a specified node. Of course, this doesn't mean that you should allow loose source-routed traffic into your internal network from external sources; however, many service providers allow source-routed traffic transit on their backbones for specifically this purpose.

- paul

At 12:01 PM 1/2/96 -0500, Ray Hooker wrote:
>I know certain things about source routing:
> - Stated purpose (see RFC 791) was to allow the specification of routing
> information to be used by gateways.
> - I know how to code source routed packets under UNIX (or Linux).
> - They can be used in attacking TCP/IP hosts (see IPEXT paper on
> weaknesses in the TCP/IP protocol.
> - Microsoft's tracert module purportedly has an option to use
> loose source-routing to debug network problems (this is their
> version of traceroute).
> - Some networks configure their routers to reject source-routed packets.
> - Firewalls should reject source-routed packets.
>What I am curious about is what functions or applications, if any, commonly use source-routing. I haven't noticed any Telnet clients that, for example, could specify a loose source-routing to contact a particular host. I have searched the Comer series on Internetworking with TCP/IP and other references, but see little information on actual usage.
>
>Ray Hooker, rayhook@ibm.net
>Secure I/T Inc.
>1-919-544-4565
>

--
Paul Ferguson
Consulting Engineering
Reston, Virginia USA
tel: +1.703.716.9538
e-mail: pferguso@cisco.com
c i s c o  S y s t e m s

From firewalls-owner Tue Jan 2 11:07:21 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA28566 for firewalls-outgoing; Tue, 2 Jan 1996 11:03:42 -0800 (PST)
Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA28554 for ; Tue, 2 Jan 1996 11:03:38 -0800 (PST)
Date: Tue, 2 Jan 1996 14:02:49 -0500 (EST)
From: "A. Padgett Peterson, P.E. Information Security"
To: firewalls@greatcircle.com
CC: bvvanor@rssi.rssi.com
Message-Id: <960102140249.202006bf@hobbes.orl.mmc.com>
Subject: Compression is useful - but for security, not
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Being concerned about security, I did not want to present them a plan that
>did not also include some security considerations. Some of the Government
>people came up with the idea of using a compression box to reduce the number
>of required T1s. The box they recommended has V.35 ports, and would sit
>between the Cisco and the CSU/DSU. To be fair, the vendor told me his
>box did not do encryption, but since the data was compressed, it would not
>be in plain view.

1) Compression aids performance. It does not aid security (at best is SBO).
2) Sounds like you have dedicated lines. Have you considered requiring PNS (Protected Network Service) from the telco ? (May have a different name but should be available). With this your lines are isolated/protected from other trunks. A dedicated line is not at the same risk as the Internet and PNS is generally "good enough" for SBU (Sensitive but Unclassified) traffic. When the idea was introduced a couple of years ago, it was to be approved by the NSA and was a part of the FTS contract. Dunno where it is now. Warmly, Padgett From firewalls-owner Tue Jan 2 11:22:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA28971 for firewalls-outgoing; Tue, 2 Jan 1996 11:16:01 -0800 (PST) Received: from magellan.cleveland.dfas.mil (magellan.cleveland.dfas.mil [164.216.50.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA28966 for ; Tue, 2 Jan 1996 11:15:54 -0800 (PST) Received: from mail.cleveland.dfas.mil (mail.cleveland.dfas.mil [164.216.11.5]) by magellan.cleveland.dfas.mil (8.6.12/8.6.12) with SMTP id OAA09745 for ; Tue, 2 Jan 1996 14:11:28 -0500 Received: from cc:Mail by mail.cleveland.dfas.mil id AA820620752; Tue, 02 Jan 96 14:13:09 EST Date: Tue, 02 Jan 96 14:13:09 EST From: "KOHLS, KERSTEN" Message-Id: <9600028206.AA820620752@mail.cleveland.dfas.mil> To: firewalls@greatcircle.com Subject: FreeBSD as a firewall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Greetings -- Does anyone use FreeBSD as a firewall and can you tell me what problems you've had with it? We're evaluating solutions and this is one of the possibilities . . . 
TIA -- Kersten Kohls kkohls@cleveland.dfas.mil From firewalls-owner Tue Jan 2 11:40:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA29132 for firewalls-outgoing; Tue, 2 Jan 1996 11:26:22 -0800 (PST) Received: from delta.eecs.nwu.edu (delta.eecs.nwu.edu [129.105.5.103]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA29127 for ; Tue, 2 Jan 1996 11:26:17 -0800 (PST) Received: by delta.eecs.nwu.edu (8.6.12/8.6.12) id NAA22342; Tue, 2 Jan 1996 13:22:43 -0600 Date: Tue, 2 Jan 1996 13:22:43 -0600 From: Robert Bonomi Message-Id: <199601021922.NAA22342@delta.eecs.nwu.edu> To: /G=BECKY/S=HEROLD@mhs-pfg1.attmail.com, firewalls@GreatCircle.COM Subject: Re: Firewalls needed for both dial-in AND dial-out Sender: firewalls-owner@GreatCircle.COM Precedence: bulk + Date: Tue, 02 Jan 1996 06:50:35 -0600 + Subject: Firewalls needed for both dial-in AND dial-out + To: firewalls@GreatCircle.COM, /G=BECKY/S=HEROLD@mhs-pfg1.attmail.com + Sender: firewalls-owner@GreatCircle.COM + + I'm putting together a document listing the risks of not only allowing + dial-in access to a networked PC (used for accessing computer systems + on a corporate WAN/LAN at least some of the time...typically has a network + interface card); but also the risks of allowing dial-out access from a + networked PC. I'd appreciate your help, wisdom, and knowledge in critiquing + the following regarding the dial-out issues. I apologize if there is a FAQ + on this somewhere...I currently do not have very convenient access to the + Internet except via e-mail. If you could provide the location of such a FAQ, + that'd be great! + + First, here are some givens: + * I know any type of remote access is NOT risk-free...that acceptable risks + must be determined to allow efficient and effective use of remote access + (please no long philisophical discussions of how we can never remove all + risks from remote access). 
+ * I know policies need to be established for end-users to follow to help
+ ensure remote access security. (This document will be used to establish
+ buy-in for the policies and educate end-users why the policies are
+ necessary.)
+ * The environment: Large nation-wide WAN composed of several hundred LANs
+ and running virtually every type of operating system imaginable. 18,000+
+ users.
+ * With so many users, it's unlikely that all (or even a large percentage) of
+ them will set up the dial-out access to be STRICTLY dial-out, will keep the
+ modem shut off when not in use (if their modem set-up even allows this), or
+ will know AND UNDERSTAND the risks involved when connecting using TCP/IP.
+ * Users may need to dial-out to not only the Internet, but also to a vendor
+ or customer, to a BBS, or to services such as Lexus/Nexus, CompuServ, AOL,
+ etc.
+ * Dial-in access to networked PCs is being controlled through firewalls.
+ (Would like to see dial-out occur through firewalls also.)

Analyzing 'dial-in' risks is fairly simple/straightforward.
1) authentication
2) authorization
3) access-control

'Layered defenses' are a _good_ idea. The more you can restrict the functionality available to _any_ dial-in user, the more limited the potential risk posed by unauthorized access. Strong authentication helps ensure that *only* authorized persons gain access.

+
+ So, what are the risks involved with various dial-out methods?
+ * Networked PC with modem using SLIP/PPP
+ - Provides bi-directional access
+ - Unauthorized folks (let's call them intruders!) can enter the WAN during
+ the employee's dial-out session
+ - Once the intruder enters the WAN he/she can wander around the systems
+ trying to find weaknesses and other entry points
+ - Files can be transferred to the dial-out employee's hard-drive
+ - Files on the dial-out employee's hard-drive may also be copied, deleted,
+ and possibly modified
+ - Files may also be copied to, deleted, or modified on the other WAN
+ systems
+ - Viruses and/or trojan horses may be placed on the dial-out employee's
+ hard drive, or on one of the systems on the WAN
+ - Changes may be made to WAN systems which could prevent access to the WAN
+ by legitimate WAN users

All true. It *is* a 'network' connection, vulnerable to *any* attack that can be launched over a network connection: IP spoofing, session hijacking, etc. It requires _at_least_ as 'good' a firewall as you would use on a hard-wired connection. The *only* difference is that it is a 'part-time' connection, but relying on this is, in effect, security through obscurity.

+
+ * Networked PC using communications software (eg., SmallTalk) with no TCP/IP
+ - Less risks than PPP/SLIP because of the configurability of the
+ communications software to allow only dial-out (IF the employee
+ remembers to configure the software this way)
+ - What would the risks be here???

*No* vulnerability to _outside_only_ attack, especially if the phone line does not accept incoming calls. The entire risk is via compromise due to 'inside' user mistakes -- e.g. virus infection from a 'downloaded' executable.

+
+ * Networked PC using a dial-out modem bank (no modem attached to the PC)
+ - More secure because of centralized control
+ - What would the risks be here???

Functionally, little if any different than a modem on the PC. Less chance of a user 'inadvertently' leaving a 'dial-in' server running. However, if the line is restricted from incoming calls, the point is moot.

+
+ * Stand-alone (never networked) PC using SLIP/PPP
+ - Viruses and trojans can be placed on the dial-out employee's hard drive
+ - Any files copied to diskettes and placed on the network could cause
+ problems
+ - Employee's PC could be used as a repository

That machine is vulnerable to any/all network-based attacks. It protects the -rest- of the internal network against all but _very_ determined_ attacks. *Possible vector* of infection to the internal network, via floppy-transferred files.

+
+ * Stand-alone PC using communications software and no TCP/IP
+ - Again, less risks because of the communications software
+ - What would the risks be here???

Pretty much the same as a 'terminal-emulating' _networked_ PC. You buy an additional layer of containment, but if the user is 'foolish' enough to download an 'unknown' executable, he's also 'foolish' enough to move it to the networked machines intact. And you get infected anyway.

+
+ Please comment on items I have listed that you believe are NOT risks. Also,
+ please let me know the risks for each type of dial-out PC that I did not have
+ listed. Do you know of other dial-out methods I did not list? If so, what
+ are they, and what are the associated risks?
+
+ Thanks in advance for your help!!
+
+ Becky
+ herold.becky@mhs-pfg1.attmail.com
+
+ =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+ The opinions expressed here are strictly my own and do not necessarily
+ represent those of my employer.
+ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+

From firewalls-owner Tue Jan 2 12:52:21 1996
Date: Tue, 02 Jan 1996 15:48:15 -0500
From: Paul Ferguson
Message-Id: <199601022047.MAA25036@lint.cisco.com>
To: firewalls@GreatCircle.com
Subject: ISS ported to NT

From the 'For What Its Worth' department -

The January 1, 1996 edition of Communications Week has an article [Internet Scanner Ported to Win NT, by Karen Rodriguez, p. 24] explaining that Internet Security Systems, Inc. has announced plans to ship a version of its Internet Scanner software for systems running Windows NT.

- paul

--
Paul Ferguson
Consulting Engineering
Reston, Virginia USA
tel: +1.703.716.9538
e-mail: pferguso@cisco.com
cisco Systems

From firewalls-owner Tue Jan 2 14:23:16 1996
Date: Tue, 2 Jan 1996 17:18:37 -0500 (EST)
From: Chris Kostick
Message-Id: <199601022218.RAA00396@mccoy.ashton.csc.com>
To: firewalls@greatcircle.com
Subject: firewall encryption information

A few questions about firewalls setting up virtual private networks.

- for Gauntlet; what is the encryption algorithm used and what is the key size for session keys?
- for Eagle; what is the key size used for DES encryption?
- for Firewall-1; what is the key size used for DES encryption?
--
chris

From firewalls-owner Tue Jan 2 14:37:21 1996
Date: Mon, 1 Jan 1996 02:27:52 -0500 (EST)
From: Rabid Wombat
To: Pablo
Cc: firewalls@GreatCircle.COM
Subject: Re: ipx-bridging & ip-routing

below:
----------------------------------------
Rabid Wombat
wombat@mcfeely.bsfs.org
----------------------------------------

On Tue, 2 Jan 1996, Pablo wrote:

> Hi all,
> I am working on a problem in which I need some sort of unix box (
> linux/bsd ? ) to do ip-routing ( no problem there, i know ), & do
> ipx-bridging. The second part is the problem area. Coming into & going
> out of the box will be 100 mbps FDDI. I have set up a linux box and put
> ipfwadmin & ipxbridge & ipxripd ( mostly from sunsite ) on it, and it
> seems like it will work ok for ipx bridging, but it seems like it will be
> far too inefficient to handle traffic from 300+ users @ 100mbps.
> vinod@cse.iitb.ernet.in says in the documentation on ipx-bridge
> that he is currently using ipx-bridge to connect two networks, i'm not
> sure how large the networks are. I was hoping someone out there would
> have some comments or ideas on what to use to ROUTE ip packets with good
> control, and bridge ipx-packets as fast as possible. I can use a
> dedicated box for the routing, or even one of the cisco products if need
> be, I just need to know the best way to go. Any insight would be greatly
> appreciated.

My guess is that the PC bus will be the bottleneck. I've run PC servers on FDDI that had EISA bus (w/ EISA FDDI NICs) and couldn't get more than about 25 Mb/s stuffed into the box. I haven't looked into this lately; PCI may have a higher raw capacity. If you are expecting to be using the FDDI to capacity you may be outa luck using a PC.

Hope this is of some use. I'd be glad to hear from someone who's done this successfully.

> Thanks in advance!
>
> paul

From firewalls-owner Tue Jan 2 15:37:21 1996
Date: Tue, 02 Jan 1996 17:21:56 -0600
From: Steve Devore
To: kkohls@cleveland.dfas.mil, firewalls@greatcircle.com
Subject: FreeBSD as a firewall -Reply

I have used it and have not had any problems with it. I have set up a couple of systems where I used the fwtk toolkit, socks, and some other stuff. It was not difficult to set up. However, I wouldn't consider it unless you have considerable unix experience (as with anything that is not supported).

>>> KOHLS, KERSTEN 1/2/96, 01:13pm >>>
Greetings --

Does anyone use FreeBSD as a firewall and can you tell me what problems you've had with it? We're evaluating solutions and this is one of the possibilities . . .
TIA --
Kersten Kohls
kkohls@cleveland.dfas.mil

From firewalls-owner Tue Jan 2 16:37:22 1996
Date: Wed, 3 Jan 1996 09:25:24 +0900
From: wyyou@kangtong (You Woo Yeol)
Message-Id: <9601030025.AA07697@kangtong.>
Apparently-To: Firewalls@GreatCircle.COM

Please stop sending e-mail. I'm no longer interested.

Thank you
WooYeol You

From firewalls-owner Tue Jan 2 16:52:20 1996
Date: Wed, 3 Jan 1996 11:34:10 +1100 (EST)
From: Julian Assange
Message-Id: <199601030034.LAA17736@suburbia.net>
To: PADGETT@hobbes.orl.mmc.com (A. Padgett Peterson, P.E. Information Security)
Cc: firewalls@greatcircle.com, bvvanor@rssi.rssi.com
Subject: Re: Compression is useful - but for security, not
In-Reply-To: <960102140249.202006bf@hobbes.orl.mmc.com> from "A. Padgett Peterson, P.E. Information Security" at Jan 2, 96 02:02:49 pm

> 1) Compression aids performance. It does not aid security (at best is SBO).

Not so! Compressed plain text, which is then ciphered is several orders of magnitude harder to break (depending on the compression scheme and attack).

--
+----------------------------------+-----------------------------------------+
|Julian Assange                    | "if you think the United States has     |
|FAX: +61-3-9819-9066              | stood still, who built the largest      |
|EMAIL: proff@suburbia.net         | shopping centre in the world?" - Nixon  |
+----------------------------------+-----------------------------------------+

From firewalls-owner Tue Jan 2 17:37:21 1996
Message-Id: <199601030126.RAA27726@m1.interserv.com>
From: Interserv Operations
To: mevans01@interserv.com
Subject: Mailbox soft limit exceeded

Your mailbox has exceeded the soft size limit of 8MB. Mail will continue to be delivered to your mailbox until it reaches the hard size limit of 15MB. Please remove unnecessary messages from your mailbox. Additionally, if you're using CompuServe/Spry AirMail you may choose the local inbox option which will download the mail from your remote inbox to your local system inbox before allowing you to read it.

PLEASE NOTE: Use of the local inbox option will preclude accessing the downloaded mail messages except from the system on which the messages were downloaded.

--
Interserv Network Operations Center
Postmaster@interserv.com
noc@interserv.net
2001 6th Ave. Suite 3025B
Seattle, WA. 95121
CompuServe/Internet Division

From firewalls-owner Tue Jan 2 19:52:21 1996
Date: Tue, 2 Jan 1996 22:58:55 -0500 (EST)
From: Chris Kostick
Message-Id: <199601030358.WAA00783@mccoy.ashton.csc.com>
To: firewalls@greatcircle.com
Subject: encrypting modems

Can anyone provide me a list of vendors who make encrypting modems? That is, a modem with encryption in hardware rather than software on a machine just sending out over a modem.
--
chris

From firewalls-owner Tue Jan 2 20:22:22 1996
Date: Tue, 2 Jan 1996 23:02:36 -0500 (EST)
From: Rabid Wombat
To: /G=BECKY/S=HEROLD@mhs-pfg1.attmail.com
Cc: firewalls@GreatCircle.COM, /G=BECKY/S=HEROLD@mhs-pfg1.attmail.com
Subject: Re: Firewalls needed for both dial-in AND dial-out

below:
----------------------------------------
Rabid Wombat
wombat@mcfeely.bsfs.org
----------------------------------------

On Tue, 2 Jan 1996 /G=BECKY/S=HEROLD@mhs-pfg1.attmail.com wrote:

> I'm putting together a document listing the risks of not only allowing
> dial-in access to a networked PC (used for accessing computer systems
> on a corporate WAN/LAN at least some of the time...typically has a network
> interface card); but also the risks of allowing dial-out access from a
> networked PC. I'd appreciate your help, wisdom, and knowledge in critiquing
> the following regarding the dial-out issues. I apologize if there is a FAQ
> on this somewhere...I currently do not have very convenient access to the
> Internet except via e-mail. If you could provide the location of such a FAQ,
> that'd be great!
>
> First, here are some givens:
> * I know any type of remote access is NOT risk-free...that acceptable risks
> must be determined to allow efficient and effective use of remote access
> (please no long philosophical discussions of how we can never remove all
> risks from remote access).

The basic approach is to determine what your assets are, who/what the threats are, and the likelihood of each type of attempt. You can then identify possible solutions, determine what is cost effective, and make a guess as to how secure you are/aren't. I've seen this summarized as Asset Valuation, Threat Modeling, Assessment of Vulnerability, Countermeasure Evaluation, and Risk Assessment.

> * I know policies need to be established for end-users to follow to help
> ensure remote access security. (This document will be used to establish
> buy-in for the policies and educate end-users why the policies are
> necessary.)

It's a good idea to formalize a security policy, and make it known to users, as you are doing. You may want to go a step further, by requiring users to sign a usage policy, although this may depend on your corporate culture. Also, an exit briefing should inform users that their obligations to the organization don't end when they terminate their employment.

> * The environment: Large nation-wide WAN composed of several hundred LANs
> and running virtually every type of operating system imaginable. 18,000+
> users.
> * With so many users, it's unlikely that all (or even a large percentage) of
> them will set up the dial-out access to be STRICTLY dial-out, will keep the
> modem shut off when not in use (if their modem set-up even allows this), or
> will know AND UNDERSTAND the risks involved when connecting using TCP/IP.
> * Users may need to dial-out to not only the Internet, but also to a vendor
> or customer, to a BBS, or to services such as Lexus/Nexus, CompuServ, AOL,
> etc.
> * Dial-in access to networked PCs is being controlled through firewalls.
> (Would like to see dial-out occur through firewalls also.)
>
> So, what are the risks involved with various dial-out methods?
> * Networked PC with modem using SLIP/PPP
> - Provides bi-directional access
> - Unauthorized folks (let's call them intruders!) can enter the WAN during
> the employee's dial-out session
> - Once the intruder enters the WAN he/she can wander around the systems
> trying to find weaknesses and other entry points
> - Files can be transferred to the dial-out employee's hard-drive
> - Files on the dial-out employee's hard-drive may also be copied, deleted,
> and possibly modified
> - Files may also be copied to, deleted, or modified on the other WAN
> systems
> - Viruses and/or trojan horses may be placed on the dial-out employee's
> hard drive, or on one of the systems on the WAN
> - Changes may be made to WAN systems which could prevent access to the WAN
> by legitimate WAN users

The (potentially) worst breach I've run into was at a site belonging to one of our NATO allies; an end-user wanted to FTP files from a U.S. site, and didn't know how to request access through the firewall. He installed Netmanage, and enabled the IP Routing feature - opened the whole network up. Fortunately, monitoring caught this immediately, and we were finally able to get all the modems out of end-users' hands as a result.

>
> * Networked PC using communications software (eg., SmallTalk) with no TCP/IP
> - Less risks than PPP/SLIP because of the configurability of the
> communications software to allow only dial-out (IF the employee
> remembers to configure the software this way)
> - What would the risks be here???
>

With 18,000+ users, I'd expect a wide variety of user-installed communication software to start showing up, both purchased and bootlegged. Many popular packages support host mode, and I've run into quite a few users who will take the time to figure out how to use this the first time they run into a file too big to take home on a floppy. Even worse are the remote control packages, such as PC Anywhere. They're great for telecommuting, but are a security nightmare, especially if the end-user installs and configures.

In terms of risks, a fair number of security breaches involve current employees with legitimate system access. The most common threats involving dial-out systems are non-work/recreational usage, bootlegging of software (both acquiring and distributing), and exporting corporate data (for sale, or to benefit a future employer). Launching attacks on other (outside) systems is also a problem.

> * Networked PC using a dial-out modem bank (no modem attached to the PC)
> - More secure because of centralized control
> - What would the risks be here???
>

A better solution than giving modems to users. Even the possibility that someone is watching/monitoring is of some value. What are your applications? Could users TELNET to a UNIX system, and then dial out from there? You could then go as far as using single-use (couponing) passwords, and monitor sessions. You're still at risk to internal monitoring; a sniffer attack could be used to obtain passwords to external systems. Denial of use attacks could be launched against the comm server, and session hijacking could be employed. These require more sophistication than other attacks, and require access to the local segment.

> * Stand-alone (never networked) PC using SLIP/PPP
> - Viruses and trojans can be placed on the dial-out employee's hard drive
> - Any files copied to diskettes and placed on the network could cause
> problems
> - Employee's PC could be used as a repository
>
> * Stand-alone PC using communications software and no TCP/IP
> - Again, less risks because of the communications software
> - What would the risks be here???
>
> Please comment on items I have listed that you believe are NOT risks. Also,
> please let me know the risks for each type of dial-out PC that I did not have
> listed. Do you know of other dial-out methods I did not list? If so, what
> are they, and what are the associated risks?
>
> Thanks in advance for your help!!

Hope this is of some use.
I'm working on similar projects, and would be happy to trade ideas.

>
> Becky
> herold.becky@mhs-pfg1.attmail.com
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> The opinions expressed here are strictly my own and do not necessarily
> represent those of my employer.
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>

From firewalls-owner Tue Jan 2 20:37:22 1996
Date: Tue, 2 Jan 1996 23:26:00 -0500 (EST)
From: Rabid Wombat
To: firewalls@greatcircle.com
Subject: rfi Radius

Is anyone out there using Radius w/ Portmasters? I'd be interested in getting informed opinions, as I'm considering implementing it. Since it uses encrypted sessions, can the system serving as a firewall also serve as the Radius host, or is this opening a hole?
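
The RADIUS exchange the question above concerns, as an added illustration that is not code from the list thread nor from any Portmaster or RADIUS vendor: the terminal server (NAS) sends an Access-Request in which only the User-Password attribute is hidden, by XOR with MD5 of the shared secret and a per-request Request Authenticator, and the server's reply carries a Response Authenticator computed over the reply and the secret, so the NAS can tell a genuine reply from a forged one. The user name and every other attribute travel in the clear; what the exchange protects is the password and the integrity of the answer, and both rest on the shared secret. The password carried is a single-use one, which is also the kind of credential the dial-out reply earlier in this thread mentions; the chain here copies the S/Key idea but uses plain hex MD5 digests rather than S/Key's 64-bit folding, so it is not wire-compatible with real S/Key software. The secret, seed and user name are made-up test values.

```python
# Added example (not code from the list or from any RADIUS/Portmaster vendor):
# a NAS sends a RADIUS Access-Request carrying an S/Key-style one-time
# password; the server verifies it and answers with an authenticated reply.
# Password hiding and the Response Authenticator follow RFC 2058/2865.
# The OTP chain copies the S/Key idea (RFC 1760) but uses hex MD5 digests
# instead of S/Key's 64-bit folding, so it is not wire-compatible with S/Key.
# Secret, seed and user name used with it are made-up test values.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2            # RADIUS attribute types

def hide_password(secret, request_auth, password):
    """RFC 2865 5.2: XOR each 16-octet block with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth              # first mask is seeded by the RA
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block         # chaining uses the hidden block
    return out

def unhide_password(secret, request_auth, hidden):
    """Inverse of hide_password; strips the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ m for c, m in zip(block, mask)), block
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    """Type(1) Length(1, counts the header) Value, concatenated."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, n = data[i], data[i + 1]
        if n < 2 or i + n > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + n]))
        i += n
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def response_authenticator(secret, code, ident, request_auth, attrs):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def otp(seed, i):
    """Password i of the chain is H^i(seed), with H = hex MD5."""
    value = seed
    for _ in range(i):
        value = hashlib.md5(value).hexdigest().encode()
    return value

def verify_otp(users, user, candidate):
    """Accept only if H(candidate) == stored H^n(seed); then step down the
    chain, so a sniffed password is useless when replayed."""
    state = users.get(user)
    if state is None or state["count"] == 0:
        return False
    if hmac.compare_digest(hashlib.md5(candidate).hexdigest().encode(), state["last"]):
        state["last"], state["count"] = candidate, state["count"] - 1
        return True
    return False

def nas_access_request(secret, ident, user, password):
    """Terminal-server side: fresh random Request Authenticator per request."""
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, user),
             (USER_PASSWORD, hide_password(secret, request_auth, password))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def server_handle(secret, users, packet):
    """RADIUS server side: unhide the password, check the chain, reply."""
    _, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    password = unhide_password(secret, request_auth, attrs[USER_PASSWORD])
    ok = verify_otp(users, attrs[USER_NAME], password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(secret, code, ident, request_auth, [])
    return build_packet(code, ident, auth, [])

def nas_check_response(secret, response, request_auth):
    """Reply code if the Response Authenticator checks out, else None
    (forged reply, or NAS and server do not share the same secret)."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    attrs = decode_attrs(response[20:length])
    expected = response_authenticator(secret, code, ident, request_auth, attrs)
    return code if hmac.compare_digest(expected, response[4:20]) else None
```

To exercise it, seed a user record with `{"last": otp(seed, 5), "count": 5}`, have the NAS present `otp(seed, 4)` and check that the server answers Access-Accept; presenting the same value a second time is rejected because the server has already stepped down the chain, and a NAS configured with a different secret gets a reply whose authenticator fails the check. The password hiding is a keystream derived from MD5 of the secret, not a session cipher, so anyone who obtains the shared secret can recover every password the server sees; that is the exposure to weigh when deciding which host holds it.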
---------------------------------------- Rabid Wombat wombat@mcfeely.bsfs.org ---------------------------------------- From firewalls-owner Wed Jan 3 03:07:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id CAA24163 for firewalls-outgoing; Wed, 3 Jan 1996 02:57:52 -0800 (PST) Received: from avalon.immortal.net.au (modem2.cynergy.com [198.142.58.9]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id CAA24158 for ; Wed, 3 Jan 1996 02:57:41 -0800 (PST) Received: (from mcleod@localhost) by avalon.immortal.net.au (8.6.12/8.6.9) id VAA02132; Wed, 3 Jan 1996 21:00:18 +1000 Date: Wed, 3 Jan 1996 21:00:17 +1000 (EST) From: Shaw Innes To: Rabid Wombat cc: Pablo , firewalls@GreatCircle.COM Subject: Re: ipx-bridging & ip-routing In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 1 Jan 1996, Rabid Wombat wrote: > My guess is that the PC bus will be the bottleneck. I've ran PC servers on > FDDI that had EISA bus (w/ EISA FDDI NICs) and couldn't get more than > about 25 Mb/s stuffed into the box. I haven't looked into this lately; > PCI may have a higher raw capacity. If you are expecting to be using the > FDDI to capacity you may be outa luck using a PC. > > Hope this is of some use. I'd be glad to hear from someone who's done > this successfully. I don't really know an awful lot about fddi, but I could see that a PC would cause a bottleneck at 100mb/s also. However, I have noticed that there exists Linux for, mips, sparc and alpha architectures. Hence if the PC was causing a bottleneck, surely you could buy a sun and run linux on the sun, using the sun's faster bus to route/bridge the packets? Perhaps not... 
this is just a theory Regards, Shaw +----------------------------------------+-----------------------+ | Shaw Innes | mcleod@cynergy.com.au | | IRC: McLeod Mobile: 019-470-556 | mcleod@healey.com.au | | WWW: http://www.odyssey.com.au/mcleod | mcleod@odyssey.com.au | +----------------------------------------+-----------------------+ | "If I were to wish for anything, I should not wish | | for wealth and power, but for the eye which, | | ever young and ardent, sees the possible" | +----------------------------------------------------------------+ From firewalls-owner Wed Jan 3 03:37:24 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id DAA24992 for firewalls-outgoing; Wed, 3 Jan 1996 03:28:07 -0800 (PST) Received: from sven.lpa.se ([194.23.43.4]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id DAA24987 for ; Wed, 3 Jan 1996 03:28:01 -0800 (PST) Message-Id: <199601031128.DAA24987@miles.greatcircle.com> Received: from hans.lpa.se by sven.lpa.se (NTMail 2.11.26) id aa000469 Wed, 3 Jan 96 12:27:04 +0000 (CET) X-Sender: hans@sven.lpa.se X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 03 Jan 1996 12:27:05 +0100 To: firewalls@greatcircle.com From: Hans Lissborg Subject: Firewall for Windows NT? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anyone know of a free (or cheap) firewall for Windows NT? 
Thanks Hans From firewalls-owner Wed Jan 3 04:22:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA26502 for firewalls-outgoing; Wed, 3 Jan 1996 04:08:05 -0800 (PST) Received: from lint.cisco.com (lint.cisco.com [171.68.235.77]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id EAA26488 for ; Wed, 3 Jan 1996 04:07:55 -0800 (PST) Received: from pferguso-pc.cisco.com (c1robo6.cisco.com [171.68.13.16]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id EAA07234; Wed, 3 Jan 1996 04:05:42 -0800 Message-Id: <199601031205.EAA07234@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 03 Jan 1996 07:06:10 -0500 To: Shaw Innes From: Paul Ferguson Subject: Re: ipx-bridging & ip-routing Cc: Rabid Wombat , Pablo , firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Is there some reason why a router is not being considered? It would appear to be a natural choice... - paul At 09:00 PM 1/3/96 +1000, Shaw Innes wrote: >On Mon, 1 Jan 1996, Rabid Wombat wrote: > >> My guess is that the PC bus will be the bottleneck. I've ran PC servers on >> FDDI that had EISA bus (w/ EISA FDDI NICs) and couldn't get more than >> about 25 Mb/s stuffed into the box. I haven't looked into this lately; >> PCI may have a higher raw capacity. If you are expecting to be using the >> FDDI to capacity you may be outa luck using a PC. >> >> Hope this is of some use. I'd be glad to hear from someone who's done >> this successfully. > >I don't really know an awful lot about fddi, but I could see that a PC >would cause a bottleneck at 100mb/s also. However, I have noticed that >there exists Linux for, mips, sparc and alpha architectures. Hence if >the PC was causing a bottleneck, surely you could buy a sun and run linux >on the sun, using the sun's faster bus to route/bridge the packets? > >Perhaps not... 
this is just a theory > >Regards, > Shaw > -- Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:.. e-mail: pferguso@cisco.com c i s c o S y s t e m s

From firewalls-owner Wed Jan 3 05:37:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA28385 for firewalls-outgoing; Wed, 3 Jan 1996 05:23:43 -0800 (PST) Received: from netcomsv.netcom.com (uucp3.netcom.com [163.179.3.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA28380 for ; Wed, 3 Jan 1996 05:23:39 -0800 (PST) From: kurt@hteinc.com Received: by netcomsv.netcom.com with UUCP (8.6.12/SMI-4.1) id FAA08677; Wed, 3 Jan 1996 05:13:23 -0800 Received: from rs01.hteinc.com by rs02.hteinc.com (8.6.12/1.7) id HAA14114; Wed, 3 Jan 1996 07:31:08 -0500 Received: from ws11.hteinc.com (ws11.hteinc.com [172.24.0.30]) by rs01.hteinc.com (8.6.12/1.1) with SMTP id HAA67450 for ; Wed, 3 Jan 1996 07:31:07 -0500 Date: Wed, 3 Jan 96 07:21:17 PST Subject: Public traffic over private network To: firewalls@greatcircle.com X-Mailer: Chameleon ENGP1, TCP/IP for Windows, NetManage Inc. Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

We have a client who has told us about their upcoming internet access. The setup they are proposing, in my opinion, is a security risk. They have a corporate WAN with 15 segments/routers connected to a FDDI backbone. They are getting two Class C addresses. One for the WWW, FTP, etc. segment that will be connected directly to the Internet and a second class C that will be for other public services. The problem is the second class C will be on the other side of the FDDI ring. Therefore public traffic will have to pass over the FDDI to get to the second class C. But at the same time everyone in the organization will have access out to the net.
They don't have a security policy other than don't let the bad guys mess up any stuff. Now I know that the routers can be programmed to an extent to disallow certain access. But it seems to me that allowing public traffic on the private network is asking (advertising) for a break in. If anyone has any comments on this setup, please comment. Kurt Kessel HTE, Inc. kurt@hteinc.com 407-841-3235 (v) 407-246-8835 (fax)

From firewalls-owner Wed Jan 3 06:22:23 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA29947 for firewalls-outgoing; Wed, 3 Jan 1996 06:19:00 -0800 (PST) Received: from godel2.bim.be (godel2.bim.be [141.253.4.135]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA29942 for ; Wed, 3 Jan 1996 06:18:54 -0800 (PST) From: pc@bim.be Received: from gauss.bim.be by godel2.bim.be (5.x/SMI-SVR4) id AA01060; Wed, 3 Jan 1996 14:17:25 +0100 Date: Wed, 3 Jan 1996 14:17:25 +0100 Message-Id: <9601031317.AA01060@godel2.bim.be> To: hans@lpa.se Subject: Re: Firewall for Windows NT? Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

A firewall called "catapult" is announced by Microsoft. I don't know when it will be available. Philippe -- Ph. Cayphas Senior Engineer E-Mail: pc@bim.be Telephone: +32(10)47.08.32 Fax : +32(10)47.08.11 Postal Mail : Ph. Cayphas BIM sa 4, Av.
Albert Einstein 1348 Louvain-La-Neuve Belgium

From firewalls-owner Wed Jan 3 06:37:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA00184 for firewalls-outgoing; Wed, 3 Jan 1996 06:35:05 -0800 (PST) Received: from logicon.com (klee.logicon.com [137.51.252.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA00179 for ; Wed, 3 Jan 1996 06:35:02 -0800 (PST) Received: from cclink.logicon.com (cclink-out.logicon.com) by logicon.com (5.0/SMI-4.2) id AA17280; Wed, 3 Jan 96 06:50:16 PST Received: from cc:Mail by cclink.logicon.com id AA820680065; Wed, 03 Jan 96 08:59:10 PST Date: Wed, 03 Jan 96 08:59:10 PST From: "Grady, Pat" Message-Id: <9600038206.AA820680065@cclink.logicon.com> To: pablo@smartlink.net, Rabid Wombat Cc: firewalls@GreatCircle.COM Subject: Re[2]: ipx-bridging & ip-routing Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Actually, 25 Mbps on 100Mbps FDDI is pretty good--the bottleneck is usually the overhead and handshakes of the network protocol.

______________________________ Reply Separator _________________________________ Subject: Re: ipx-bridging & ip-routing Author: Rabid Wombat at INTERNET-MAIL Date: 1/2/96 5:45 PM My guess is that the PC bus will be the bottleneck. I've run PC servers on FDDI that had EISA bus (w/ EISA FDDI NICs) and couldn't get more than about 25 Mb/s stuffed into the box. I haven't looked into this lately; PCI may have a higher raw capacity. If you are expecting to be using the FDDI to capacity you may be outa luck using a PC. Hope this is of some use. I'd be glad to hear from someone who's done this successfully. > > Thanks in advance!
> > paul > > >

From firewalls-owner Wed Jan 3 06:52:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA00304 for firewalls-outgoing; Wed, 3 Jan 1996 06:46:08 -0800 (PST) Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA00299 for ; Wed, 3 Jan 1996 06:46:04 -0800 (PST) Date: Wed, 3 Jan 1996 9:45:24 -0500 (EST) From: "A. Padgett Peterson, P.E. Information Security" To: proff@suburbia.net CC: firewalls@greatcircle.com Message-Id: <960103094524.2020153c@hobbes.orl.mmc.com> Subject: RE: Compression is useful - but for security, not Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I rote >> 1) Compression aids performance. It does not aid security (at best is SBO). Julian wresponded: >Not so! Compressed plain text, which is then ciphered is several orders >of magnitude harder to break (depending on the compression scheme and attack). Any cipher scheme that is effectively strengthened by compression is not very good encryption IMNSHO. True, if you use a rearranged XXENCODE table as your cipher scheme, compression will make it more difficult to break (provided you remove the headers). Triple DES or SKIPJACK is hard enough to break that compression makes no effective difference.
Warmly, Padgett

From firewalls-owner Wed Jan 3 07:07:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA29817 for firewalls-outgoing; Wed, 3 Jan 1996 06:13:04 -0800 (PST) Received: from hawk.tml.co.za (hawk.tml.co.za [196.4.87.22]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA29811 for ; Wed, 3 Jan 1996 06:12:45 -0800 (PST) Received: from gavin.tml.co.za (gavin.tml.co.za [196.4.87.114]) by hawk.tml.co.za (8.6.12/8.6.12) with SMTP id QAA11830 for ; Wed, 3 Jan 1996 16:12:14 -0200 Received: by gavin.tml.co.za with Microsoft Mail id <01BAD96C.4B588DE0@gavin.tml.co.za>; Tue, 2 Jan 1996 23:44:44 +-200 Message-ID: <01BAD96C.4B588DE0@gavin.tml.co.za> From: Gavin Ferreiro To: "'firewalls@GreatCircle.COM'" Subject: FW: ipx-bridging & ip-routing Date: Tue, 2 Jan 1996 23:44:38 +-200 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

If speed is very important, seeing that you have 2 FDDI rings, the most efficient and effective way to route between the rings is with a Router. The speed obtained from a dedicated router as opposed to a router that has been made out of a HOST is astronomical. Rather use the correct equipment for the task. It will in my experience save you a lot of trouble in the end.

---------- From: Paul Ferguson[SMTP:pferguso@cisco.com] Sent: Wednesday, January 03, 1996 02:06 To: Shaw Innes Cc: Rabid Wombat; Pablo; firewalls@GreatCircle.COM Subject: Re: ipx-bridging & ip-routing Is there some reason why a router is not being considered? It would appear to be a natural choice... - paul At 09:00 PM 1/3/96 +1000, Shaw Innes wrote: >On Mon, 1 Jan 1996, Rabid Wombat wrote: > >> My guess is that the PC bus will be the bottleneck. I've run PC servers on >> FDDI that had EISA bus (w/ EISA FDDI NICs) and couldn't get more than >> about 25 Mb/s stuffed into the box.
I haven't looked into this lately; >> PCI may have a higher raw capacity. If you are expecting to be using the >> FDDI to capacity you may be outa luck using a PC. >> >> Hope this is of some use. I'd be glad to hear from someone who's done >> this successfully. > >I don't really know an awful lot about fddi, but I could see that a PC >would cause a bottleneck at 100mb/s also. However, I have noticed that >there exists Linux for mips, sparc and alpha architectures. Hence if >the PC was causing a bottleneck, surely you could buy a sun and run linux >on the sun, using the sun's faster bus to route/bridge the packets? > >Perhaps not... this is just a theory > >Regards, > Shaw > -- Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:.. e-mail: pferguso@cisco.com c i s c o S y s t e m s

From firewalls-owner Wed Jan 3 07:28:04 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA00968 for firewalls-outgoing; Wed, 3 Jan 1996 07:14:16 -0800 (PST) Received: from sasami.jurai.net (sasami.jurai.net [205.218.122.51]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA00938 for ; Wed, 3 Jan 1996 07:14:09 -0800 (PST) From: scanner@jurai.net Received: (from scanner@localhost) by sasami.jurai.net (8.6.11/8.6.9) id JAA10585; Wed, 3 Jan 1996 09:14:29 -0600 Date: Wed, 3 Jan 1996 09:14:29 -0600 (CST) To: Rabid Wombat cc: firewalls@GreatCircle.COM Subject: Re: rfi Radius In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Tue, 2 Jan 1996, Rabid Wombat wrote: > > Is anyone out there using Radius w/ Portmasters? I'd be interested in > getting informed opinions, as I'm considering implementing it. Since it > uses encrypted sessions, can the system serving as a firewall also serve > as the Radius host, or is this opening a hole?
We are using radius on our Livingston. We just finished it and are working on getting our LAN online. (new ISP) If you want I can send you some config files and the like that we use, just let me know. The encryption seems to be strong and hold its own, but I do suggest not using the database on the portmaster. I was informed it's not wise. But other than that it seems pretty good.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% Chris Watson % Scanner@jurai.net % 1(908)367-8030 x126 % Networking & Computer Security Expert % Webspan Networking % Lakewood, NJ % %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQENAzA7IoEAAAEH/2EPSOUsZ+hSxh3zGwtYvuaIjCzMU/TOz8z2RoKAubcJ+IlQ YVfG3RTiShlqsNnKSYKJbvOxF1OzkCicGl+XlodcWuXR3BmUrnpm45+oGIx6IUJ4 xkO6Ce7K5bT024jFkBXoL8csLdPmHDBlZtL4Y5uh8yXLMHSpJUMPT+hEGjuiFY48 E8Gox46Jti0oBxF9AtnZChsf1asMXrNiGgfRuWYgBjwB2lMW/co3XgvUw+JK2jSt MK3FhJSgSBpSeoq4K1pyEBboXXbV5/xD2rLgxJVBAxARpIDhaIQdOpRHENIGuwvl FhMzNOAqkJG6eAMJAdFMVXtgGvotuuEikpZD3oEABRG0IENocmlzIFdhdHNvbiA8 c2Nhbm5lckBqdXJhaS5uZXQ+ =yI5B -----END PGP PUBLIC KEY BLOCK-----

From firewalls-owner Wed Jan 3 07:52:23 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA01563 for firewalls-outgoing; Wed, 3 Jan 1996 07:38:29 -0800 (PST) Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id HAA01522 for ; Wed, 3 Jan 1996 07:38:19 -0800 (PST) Received: from nessie.mcc.ac.uk by relay2.UU.NET with ESMTP id QQzwxy12211; Wed, 3 Jan 1996 10:36:02 -0500 (EST) Received: from utserv.mcc.ac.uk by nessie.mcc.ac.uk with SMTP (PP); Wed, 3 Jan 1996 15:12:47 +0000 Received: from xen.mcc.ac.uk (actually xen-eth.mcc.ac.uk) by utserv.mcc.ac.uk with SMTP (PP); Wed, 3 Jan 1996 15:12:24 +0000 Date: Wed, 3 Jan 1996 15:12:19 +0000 (GMT) From: Patrick Myers To: Firewalls@GreatCircle.COM Subject: Network Address Translation In-Reply-To:
<199601022338.PAA06132@miles.greatcircle.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I have a requirement for software to do NAT (Network Address Translation) where the IP addresses of systems on a local LAN are translated to different addresses on another interface (connected to the internet). I know that some firewall software has this facility; does anyone know of any other (non-firewall) software that will do this translation, preferably low cost (or free) and possibly to run on a Linux system? Thanks in advance -- Patrick Myers Manchester Computing | Email: p.j.myers@mcc.ac.uk University of Manchester | Tel: +44 (0)161 275 6016 Oxford Road | Mob: +44 (0)973 73 55 11 Manchester M13 9PL | Fax: +44 (0)161 275 6040

From firewalls-owner Wed Jan 3 08:07:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA01186 for firewalls-outgoing; Wed, 3 Jan 1996 07:24:36 -0800 (PST) Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA01181 for ; Wed, 3 Jan 1996 07:24:30 -0800 (PST) Received: from mnbp.network.com (ushub.network.com) by nsco.network.com (4.1/1.34) id AA13309; Wed, 3 Jan 96 09:25:55 CST Received: by mnbp.network.com with Microsoft Mail id <30EA9F55@mnbp.network.com>; Wed, 03 Jan 96 09:23:01 CST From: Craig McLellan To: firewalls Subject: RE: firewall encryption information Date: Wed, 03 Jan 96 09:22:00 CST Message-Id: <30EA9F55@mnbp.network.com> X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

You should also look at Network Systems Borderguard Access Router. Provides DES, 3xDES, IDEA and NSC1 as well as MD5 and Dif-Hell (sic). Costs start around 2.3K with one LAN and one WAN (V.35).
RGRDS....clm

---------- From: firewalls-owner To: firewalls Subject: firewall encryption information Date: 2 January, 1996 17:18 A few questions about firewalls setting up virtual private networks. - for Gauntlet; what is the encryption algorithm used and what is the key size for session keys? - for Eagle; what is the key size used for DES encryption? - for Firewall-1; what is the key size used for DES encryption? -- chris

From firewalls-owner Wed Jan 3 10:22:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA04716 for firewalls-outgoing; Wed, 3 Jan 1996 10:09:06 -0800 (PST) Received: from NUki (nuki.netuse.de [193.98.110.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA04705 for ; Wed, 3 Jan 1996 10:09:02 -0800 (PST) Received: by Mail.NetUSE.de (SMail3.1.28.1 #2) ID m0tXXg4-0009AaC: Wed, 3 Jan 96 19:12 MET Received: by white.schulung.netuse.de (Smail3.1.29.0 #2) id m0tXUWu-0008xkC; Wed, 3 Jan 96 15:51 MET Received: from GATEWAY by white.schulung.netuse.de with netnews for firewalls@greatcircle.com (firewalls@greatcircle.com) To: firewalls@greatcircle.com Date: Wed, 3 Jan 1996 14:45:33 GMT From: kris@schulung.netuse.de (Kristian Köhntopp) Message-ID: Organization: entfällt (none) References: <199601022338.PAA06132@miles.greatcircle.com> Subject: Re: Type enforcement vs chroot and buffers Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Firewalls@GreatCircle.COM writes: >That's not significantly better in terms of security, since it's all >or nothing. To be any use it'd have to be something like "/dev/tcp/25" >and so on... This would still be useless of course, unless you can do "chown mail /dev/tcp/25" and it actually changes permissions on this socket. This is trivial of course, but I mention it anyway because of the Linux procfs, which does not allow inode write access, thus giving you no advantage SUID-wise. Kristian -- Kristian Koehntopp, Wassilystrasse 30, 24113 Kiel, +49 431 688897 >>Soon AOL will have to block our FORKS as well. That is what they call "Security by Obscenity".<< -- Peter Berlich in de.talk.bizarre

From firewalls-owner Wed Jan 3 10:37:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA05349 for firewalls-outgoing; Wed, 3 Jan 1996 10:21:58 -0800 (PST) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA05344 for ; Wed, 3 Jan 1996 10:21:53 -0800 (PST) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id NAA04350; Wed, 3 Jan 1996 13:19:08 -0500 Date: Wed, 3 Jan 1996 13:19:05 -0500 (EST) From: Rabid Wombat To: Paul Ferguson cc: Shaw Innes , Pablo , firewalls@GreatCircle.COM Subject: Re: ipx-bridging & ip-routing In-Reply-To: <199601031205.EAA07234@lint.cisco.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I'm not sure what the requestor's requirements are; only that he asked if a PC running LINUX could route TCP/IP and bridge IPX between two FDDI rings. A router would seem to be the natural choice, although this _is_ the firewalls list, so he might have some additional concerns. ---------------------------------------- Rabid Wombat wombat@mcfeely.bsfs.org ----------------------------------------

On Wed, 3 Jan 1996, Paul Ferguson wrote: > Is there some reason why a router is not being considered? It would > appear to be a natural choice... > > - paul > > > At 09:00 PM 1/3/96 +1000, Shaw Innes wrote: > > >On Mon, 1 Jan 1996, Rabid Wombat wrote: > > > >> My guess is that the PC bus will be the bottleneck. I've run PC servers on > >> FDDI that had EISA bus (w/ EISA FDDI NICs) and couldn't get more than > >> about 25 Mb/s stuffed into the box. I haven't looked into this lately; > >> PCI may have a higher raw capacity. If you are expecting to be using the > >> FDDI to capacity you may be outa luck using a PC. > >> > >> Hope this is of some use.
I'd be glad to hear from someone who's done > >> this successfully. > > > >I don't really know an awful lot about fddi, but I could see that a PC > >would cause a bottleneck at 100mb/s also. However, I have noticed that > >there exists Linux for mips, sparc and alpha architectures. Hence if > >the PC was causing a bottleneck, surely you could buy a sun and run linux > >on the sun, using the sun's faster bus to route/bridge the packets? > > > >Perhaps not... this is just a theory > > > >Regards, > > Shaw > > > > -- > Paul Ferguson || || > Consulting Engineering || || > Reston, Virginia USA |||| |||| > tel: +1.703.716.9538 ..:||||||:..:||||||:.. > e-mail: pferguso@cisco.com c i s c o S y s t e m s > >

From firewalls-owner Wed Jan 3 11:07:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA07315 for firewalls-outgoing; Wed, 3 Jan 1996 11:03:22 -0800 (PST) Received: from relay.ashton.csc.com (relay.ashton.csc.com [20.2.54.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA07286 for ; Wed, 3 Jan 1996 11:03:15 -0800 (PST) Received: by relay.ashton.csc.com; id OAA19023; Wed, 3 Jan 1996 14:02:26 -0500 Received: from mccoy.ashton.csc.com(20.2.51.2) by relay.ashton.csc.com via smap (g3.0.1) id sma019019; Wed, 3 Jan 96 14:01:59 -0500 Received: (from ckostick@localhost) by mccoy.ashton.csc.com (8.6.9/8.6.9) id OAA03467; Wed, 3 Jan 1996 14:15:16 -0500 From: Chris Kostick Message-Id: <199601031915.OAA03467@mccoy.ashton.csc.com> Subject: s/key digest algorithm on Firewall-1 To: firewalls@greatcircle.com, skey-users@thumper.bellcore.com Date: Wed, 3 Jan 1996 14:15:15 -0500 (EST) X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Does anyone know the digest algorithm used with the S/Key implementation on Firewall-1? It doesn't seem to be MD4 or MD5. I have an s/key implementation for both and it never generates the same list as the one generated on Firewall-1.
-- Chris From firewalls-owner Wed Jan 3 11:22:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA07937 for firewalls-outgoing; Wed, 3 Jan 1996 11:15:23 -0800 (PST) Received: from relay.tis.com (relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA07920 for ; Wed, 3 Jan 1996 11:15:18 -0800 (PST) Received: by relay.tis.com; id JAA11799; Wed, 3 Jan 1996 09:20:28 -0500 Received: from sol.tis.com(192.33.112.100) by relay.tis.com via smap (g3.0.3) id xma011794; Wed, 3 Jan 96 09:20:27 -0500 Received: from jupiter.tis.com by tis.com (4.1/SUN-5.64) id AA08614; Wed, 3 Jan 96 14:12:40 EST Date: Wed, 3 Jan 96 14:12:40 EST From: Jody C Patilla Message-Id: <9601031912.AA08614@tis.com> To: firewalls@GreatCircle.COM Subject: Livingston Firewall IRX router Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does it use static or dynamic (or stateful, if you prefer) packet filtering? The product info is unclear on this point. I'd be interested in hearing any of your experiences with it, especially in connection with high-use Web servers on inside or outside segments. I'd also like to know more about how fine-grained the filtering is (and how easy to set up), say, compared with a Cisco. thanks - jcp ========================================================================= Jody C. Patilla jcp@tis.com Trusted Information Systems Glenwood, Md. 
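Static versus dynamic filtering, as asked about above, comes down to whether the filter remembers anything about earlier packets. The following is an added example written for this archive, not code from Livingston, Cisco or any list member: it runs the same constructed UDP traffic (documentation address ranges, hypothetical hosts) through a static filter with two rule sets and through a stateful filter, and returns each filter's verdicts. The rule syntax, the `Packet` tuple and the sample datagrams are all assumptions made here for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str  # "out": leaving the protected net; "in": arriving from outside
    src: str
    sport: int
    dst: str
    dport: int


PortTest = Callable[[int], bool]
# A rule is (direction, source-port test, destination-port test).
# First matching rule permits; no match means deny (constructed syntax).
Rule = Tuple[str, PortTest, PortTest]


def any_port(_: int) -> bool:
    return True


def port_eq(n: int) -> PortTest:
    return lambda p: p == n


def port_gt(n: int) -> PortTest:
    return lambda p: p > n


class StaticFilter:
    """Static (stateless) filtering: every datagram is judged on its own
    header fields, like a router access list with no memory of the past."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules

    def decide(self, pkt: Packet) -> str:
        for direction, sport_ok, dport_ok in self.rules:
            if pkt.direction == direction and sport_ok(pkt.sport) and dport_ok(pkt.dport):
                return "permit"
        return "deny"


class StatefulFilter:
    """Dynamic (stateful) filtering: outbound datagrams that match a rule are
    permitted and their 4-tuple recorded; an inbound datagram is admitted only
    if it is the mirror image of a recorded outbound one.  UDP has no
    handshake, so this table is the only way to tell a reply from an
    unsolicited datagram that merely claims a trusted source port."""

    def __init__(self, outbound_rules: List[Rule]) -> None:
        self.rules = outbound_rules
        self.flows: Set[Tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            for direction, sport_ok, dport_ok in self.rules:
                if direction == "out" and sport_ok(pkt.sport) and dport_ok(pkt.dport):
                    self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                    return "permit"
            return "deny"
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if reverse in self.flows else "deny"


# Constructed sample traffic; 10.1.1.x is the hypothetical inside network.
TRAFFIC = [
    Packet("out", "10.1.1.5", 1500, "192.0.2.1", 53),      # DNS query leaving
    Packet("in", "192.0.2.1", 53, "10.1.1.5", 1500),       # the matching answer
    Packet("in", "198.51.100.9", 53, "10.1.1.7", 2049),    # forged source port 53, aimed at NFS
    Packet("in", "198.51.100.9", 4001, "10.1.1.7", 2049),  # same target, arbitrary source port
    Packet("in", "198.51.100.9", 4000, "10.1.1.7", 111),   # probe at the portmapper
]


def run(flt, traffic: List[Packet]) -> List[str]:
    return [flt.decide(p) for p in traffic]


def compare(traffic: List[Packet] = TRAFFIC) -> Dict[str, List[str]]:
    """Verdicts of three filters over the same traffic, keyed by filter name."""
    dns_only = [("out", port_gt(1023), port_eq(53)), ("in", port_eq(53), port_gt(1023))]
    high_ports = [("out", any_port, any_port), ("in", any_port, port_gt(1023))]
    return {
        "static, DNS replies only": run(StaticFilter(dns_only), traffic),
        "static, any UDP to ports > 1023": run(StaticFilter(high_ports), traffic),
        "stateful, DNS queries recorded": run(StatefulFilter(dns_only[:1]), traffic),
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:34s} {verdicts}")
```

The third datagram is the one that separates the two designs: both static rule sets admit it because its source port is 53 and its destination port is above 1023, while the stateful filter rejects it because no inside host ever sent a query to 198.51.100.9. Widening a static rule to "any UDP to ports above 1023" additionally admits the fourth datagram, i.e. anything at all aimed at a high-numbered UDP service such as NFS.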
From firewalls-owner Wed Jan 3 12:52:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA09673 for firewalls-outgoing; Wed, 3 Jan 1996 12:39:36 -0800 (PST) Received: from gateway.upj.com (gateway.upj.com [146.240.240.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id MAA09661 for ; Wed, 3 Jan 1996 12:39:31 -0800 (PST) Received: from basil.upj.com by gateway.upj.com with SMTP id AA25440 (InterLock SMTP Gateway 3.0 for ); Wed, 3 Jan 1996 15:37:26 -0500 Received: by basil.upj.com (5.0/SMI-SVR4) id AA15160; Wed, 3 Jan 1996 15:31:46 +0500 Date: Wed, 3 Jan 1996 15:31:46 +0500 From: telomas@upj.com (Timothy E. Lomas ) Message-Id: <9601032031.AA15160@basil.upj.com> To: Firewalls@GreatCircle.com Subject: Firewalls in Many Countries X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

The Pharmacia and Upjohn Companies merged last November. We are merging/changing the firewalls and Internet access points within the company. How do you do that and still give adequate service levels? We have queried our ISP and only received vague answers. It has been hard for me to find knowledgeable people within companies that understand firewalls, security issues and network issues. I am a strong proponent of local administration because I do not see how you can provide adequate response time to serious problems if the people supporting the firewall, or the vendor that supports it, are across the ocean. However, others within our new company think that centralization of firewall support and firewalls is critical. There is also a group that does not want to "pay" for the external IP traffic running across the internal network if adequate security can be provided by adding additional firewalls.

KEY QUESTIONS: How many firewalls and Internet sites of access should we have and how should they be supported? Select and support one firewall vendor? Local versus remote administration?
Service Level: Respond to security problems immediately, and fix technical problems within 24 hours. Therefore, even mail could be down at a site for 24 hours although this seems like a long time to me. Management is very sensitive to the idea of the Internet and because of this, investigating unknown problems is a high priority.

Users: We have a current or potential Internet user population of over 1000 users in Uppsala, Sweden; Milan, Italy; Kalamazoo, Michigan (USA); and Tsukuba, Japan. There are many other smaller sites that do (or will) receive Internet access by using the firewalls.

Firewalls: We currently have two firewalls for Internet access: Kalamazoo (firewall is ANS Interlock - Solaris) Uppsala (firewall is Dec Seal). We will probably add a third in Japan shortly.

Services allowed: Outbound FTP, TELNET, HTTP and of course smtp for mail. A few additional services are being piloted but have not yet been approved (WinCIM for Compuserve; SciFinder for access to an external database). Essentially anyone who has been given a TCP/IP address on an authorized network can obtain access to Internet services.

TCP/IP addresses: We have one class B address and multiple class C's.

From firewalls-owner Wed Jan 3 13:22:24 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA10594 for firewalls-outgoing; Wed, 3 Jan 1996 13:12:50 -0800 (PST) Received: from usagroup.com ([198.70.128.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA10589 for ; Wed, 3 Jan 1996 13:12:40 -0800 (PST) Received: from DOMAIN-E-Message_Server by usagroup.com with Novell_GroupWise; Wed, 03 Jan 1996 16:11:29 -0600 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Wed, 03 Jan 1996 16:14:41 -0600 From: David Leonard To: firewalls@greatcircle.com Subject: Router Config Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

We are in the process of configuring our firewall and I have a question on the router access lists.
Currently, we do not allow UDP to pass through our router except for DNS traffic. However, we are experiencing denies when we change servers. Therefore, I have received a request to allow UDP for any port greater than 1023 to pass through our router. In addition, we have a Raptor Firewall between our internal network and the router in question. What, if any, are the exposures for allowing this type of traffic through our router? Any assistance will be greatly appreciated. I was also wondering if anyone could recommend a good book on router security.

From firewalls-owner Wed Jan 3 13:37:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA10414 for firewalls-outgoing; Wed, 3 Jan 1996 13:11:17 -0800 (PST) Received: from uni.ins.com (uni.ins.com [199.0.193.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA10387 for ; Wed, 3 Jan 1996 13:11:02 -0800 (PST) Received: (from kron@localhost) by uni.ins.com (8.6.12/8.6.12) id NAA05372; Wed, 3 Jan 1996 13:10:08 -0800 From: Kenneth Kron Message-Id: <199601032110.NAA05372@uni.ins.com> Subject: Re: Livingston Firewall IRX router To: jcp@tis.com (Jody C Patilla) Date: Wed, 3 Jan 96 13:10:08 PST Cc: firewalls@GreatCircle.COM In-Reply-To: <9601031912.AA08614@tis.com>; from "Jody C Patilla" at Jan 3, 96 2:12 pm X-Mailer: ELM [version 2.3 PL6] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

In the spirit of teaching you to fish... The way to answer this question for yourself is fairly simple. Does it allow you to open a hole for ... 1) outbound only UDP connections (DNS, NFS, etc.) UDP is connectionless so attempting to impose this requires statefulness. 2) outbound only non-passive ftp. FTP requires a back channel on a random port... 3) Does the marketing literature/documentation specifically state that it is stateful (or dynamic)? The degree to which it performs 1 & 2 will give you your real answer; 3 is just a sanity check, if you will.
If it's stateful at all it will probably be touted as such somewhere. For example one stateful product has a section called "Stateful Multi-Layer Inspection Technology". As far as the Livingston IRX router I really don't know as I haven't used it. =================== Kenneth Kron Information Security Consultant Kenneth_Kron@ins.com

> > > Does it use static or dynamic (or stateful, if you prefer) packet filtering? > The product info is unclear on this point. I'd be interested in hearing > any of your experiences with it, especially in connection with high-use > Web servers on inside or outside segments. I'd also like to know more about > how fine-grained the filtering is (and how easy to set up), say, compared > with a Cisco. > > thanks - > > jcp > > ========================================================================= > Jody C. Patilla jcp@tis.com > Trusted Information Systems Glenwood, Md. > >

From firewalls-owner Wed Jan 3 14:56:16 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA13048 for firewalls-outgoing; Wed, 3 Jan 1996 14:34:49 -0800 (PST) Received: from sgigate.sgi.com (sgigate.SGI.COM [204.94.209.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA12843 for ; Wed, 3 Jan 1996 14:33:38 -0800 (PST) Received: from sgihub.corp.sgi.com by sgigate.sgi.com via ESMTP (950911.SGI.8.6.12.PATCH825/940406.SGI) id OAA10084; Wed, 3 Jan 1996 14:32:51 -0800 Received: from rock.csd.sgi.com by sgihub.corp.sgi.com via ESMTP (950511.SGI.8.6.12.PATCH526/911001.SGI) id OAA25072; Wed, 3 Jan 1996 14:32:50 -0800 Received: from boytoy.csd.sgi.com by rock.csd.sgi.com via ESMTP (940816.SGI.8.6.9/910805.SGI) id OAA12979; Wed, 3 Jan 1996 14:32:48 -0800 Received: by boytoy.csd.sgi.com (950511.SGI.8.6.12.PATCH526/911001.SGI) id OAA03022; Wed, 3 Jan 1996 14:32:35 -0800 From: "SGI Security Coordinator" Message-Id: <9601031432.ZM3020@boytoy.csd.sgi.com> Date: Wed, 3 Jan 1996 14:32:32 -0800 X-Mailer: Z-Mail-SGI (3.2S.2
10apr95 MediaMail) To: agent99@sgihub.corp.sgi.com Subject: SGI Security Advisory 19960101-01-PX Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

FOR PUBLIC RELEASE

-----BEGIN PGP SIGNED MESSAGE-----

________________________________________________________________________________
Silicon Graphics Inc. Security Advisory
Title: Object Server Vulnerability
Number: 19960101-01-PX
Date: January 3, 1996
________________________________________________________________________________

Silicon Graphics provides this information freely to the SGI community for its consideration, interpretation and implementation. Silicon Graphics recommends that this information be acted upon as soon as possible. Silicon Graphics will not be liable for any consequential damages arising from the use of, or failure to use or use properly, any of the instructions or information in this Security Advisory.
________________________________________________________________________________

As part of Silicon Graphics' continued security improvement efforts, Silicon Graphics has discovered a security vulnerability within the object server program used in the IRIX 5.x and IRIX 6.x operating systems. SGI has investigated this issue and recommends the following steps for neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be implemented on ALL SGI systems running IRIX 5.2, 5.3, 6.0, 6.0.1 and 6.1. This issue will be corrected in future releases of IRIX.

- --------------
- --- Impact ---
- --------------

Provided with the correct network configuration and SGI environment, both local and remote users may be able to become root on a targeted SGI system.

- ----------------
- --- Solution ---
- ----------------

The solution for this issue is a replacement of the object server program and assistant programs for those versions that are vulnerable.
The following patches have been generated for those versions vulnerable and are freely provided to the SGI community.

**** IRIX 3.x ****

This version of IRIX is not vulnerable. No action is required.

**** IRIX 4.x ****

This version of IRIX is not vulnerable. No action is required.

**** IRIX 5.0.x, 5.1.x ****

For the IRIX operating systems versions 5.0.x, 5.1.x, an upgrade to 5.2 or better is required first. When the upgrade is completed, then the patches described in the next sections "**** IRIX 5.2, 6.0, 6.0.1 ***" or "**** IRIX 5.3 ****" or "**** IRIX 6.1 ****" can be applied depending on the final version of upgrade.

**** IRIX 5.2, 6.0, 6.0.1 ****

For the IRIX operating system versions 5.2, 6.0, and 6.0.1, an inst-able patch has been generated and made available via anonymous ftp and/or your service/support provider. The patch is number 1052 and will only install on IRIX versions 5.2, 6.0, and 6.0.1.

The SGI anonymous ftp site is sgigate.sgi.com (204.94.209.1). Patch 1052 can be found in the following directories on the ftp server:

~ftp/Security

or

~ftp/Patches/5.2
~ftp/Patches/6.0
~ftp/Patches/6.0.1

##### Checksums ####

The actual patch will be a tar file containing the following files:

Filename: README.patch.1052
Algorithm #1 (sum -r): 16512 8 README.patch.1052
Algorithm #2 (sum): 59284 8 README.patch.1052
MD5 checksum: 4E8FA3A3305C68BC18EC52564C6B2AED

Filename: patchSG0001052
Algorithm #1 (sum -r): 51587 1 patchSG0001052
Algorithm #2 (sum): 32069 1 patchSG0001052
MD5 checksum: E0E3487A8A36A8B854BD704E35CA7245

Filename: patchSG0001052.cadmin_sw
Algorithm #1 (sum -r): 63062 548 patchSG0001052.cadmin_sw
Algorithm #2 (sum): 51720 548 patchSG0001052.cadmin_sw
MD5 checksum: E8612BF40C60DBC9D7A90FAC6F8EF102

Filename: patchSG0001052.idb
Algorithm #1 (sum -r): 07247 1 patchSG0001052.idb
Algorithm #2 (sum): 40615 1 patchSG0001052.idb
MD5 checksum: 580F688D98950F250BF47AC82EB91FFB

**** IRIX 5.3 ****

For the 5.3 IRIX operating system, an inst-able patch has been generated and made available via anonymous ftp and/or your service/support provider. The patch is number 1048 and will only install on IRIX 5.3.

The SGI anonymous ftp site is sgigate.sgi.com (204.94.209.1). Patch 1048 can be found in the following directories on the ftp server:

~ftp/Security

or

~ftp/Patches/5.3

##### Checksums ####

The actual patch will be a tar file containing the following files:

Filename: README.patch.1048
Algorithm #1 (sum -r): 37177 9 README.patch.1048
Algorithm #2 (sum): 1825 9 README.patch.1048
MD5 checksum: D0CE2B1132B417F3B9215AA9F85CA073

Filename: patchSG0001048
Algorithm #1 (sum -r): 42189 4 patchSG0001048
Algorithm #2 (sum): 56038 4 patchSG0001048
MD5 checksum: 456BF186B65A56EA413E9E7AD4BDE17A

Filename: patchSG0001048.cadmin_sw
Algorithm #1 (sum -r): 47788 698 patchSG0001048.cadmin_sw
Algorithm #2 (sum): 55041 698 patchSG0001048.cadmin_sw
MD5 checksum: 7E3239ED9F110567B02176EC16B93F94

Filename: patchSG0001048.eoe1_sw
Algorithm #1 (sum -r): 53666 12 patchSG0001048.eoe1_sw
Algorithm #2 (sum): 30809 12 patchSG0001048.eoe1_sw
MD5 checksum: 32F087EB64444279DF865D104664BE47

Filename: patchSG0001048.eoe2_sw
Algorithm #1 (sum -r): 01942 132 patchSG0001048.eoe2_sw
Algorithm #2 (sum): 33035 132 patchSG0001048.eoe2_sw
MD5 checksum: E5242DE17431D40BC5FCD49925BE3283

Filename: patchSG0001048.idb
Algorithm #1 (sum -r): 37645 2 patchSG0001048.idb
Algorithm #2 (sum): 10420 2 patchSG0001048.idb
MD5 checksum: 460C69356D5AA920978F7A9FF49A4612

**** IRIX 6.1 ****

For the IRIX operating system version 6.1, an inst-able patch has been generated and made available via anonymous ftp and/or your service/support provider. The patch is number 1090 and will install on IRIX 6.1.

The SGI anonymous ftp site is sgigate.sgi.com (204.94.209.1).
Patch 1090 can be found in the following directories on the ftp server:

~ftp/Security

or

~ftp/Patches/6.1

##### Checksums ####

The actual patch will be a tar file containing the following files:

Filename: README.patch.1090
Algorithm #1 (sum -r): 28420 8 README.patch.1090
Algorithm #2 (sum): 59862 8 README.patch.1090
MD5 checksum: 7CA042E478210D2E90A93F9B71D31455

Filename: patchSG0001090
Algorithm #1 (sum -r): 38512 1 patchSG0001090
Algorithm #2 (sum): 37227 1 patchSG0001090
MD5 checksum: 7A266E0BFCE18322F7034BB4520C6824

Filename: patchSG0001090.cadmin_sw
Algorithm #1 (sum -r): 45703 689 patchSG0001090.cadmin_sw
Algorithm #2 (sum): 29950 689 patchSG0001090.cadmin_sw
MD5 checksum: 9EB38D49CDDF439EE1110797FEC5BC6B

Filename: patchSG0001090.idb
Algorithm #1 (sum -r): 46990 1 patchSG0001090.idb
Algorithm #2 (sum): 40298 1 patchSG0001090.idb
MD5 checksum: 05E8F138BF0331BFEF8454074519F40A

------------------------
--- Acknowledgments ---
------------------------

Silicon Graphics wishes to thank Kari E. Hurtta, FIRST members and CERT organizations worldwide for their assistance in this matter.

-----------------------------------------
--- SGI Security Information/Contacts ---
-----------------------------------------

Past SGI Advisories and security patches can be obtained via anonymous FTP from sgigate.sgi.com or mirror site ftp.sgi.com. These security patches and advisories are provided freely to all interested parties. For issues with the patches on the FTP sites, email can be sent to cse-security-alert@csd.sgi.com.

For assistance obtaining or working with security patches, please contact your SGI support provider.

If there are questions about this document, email can be sent to cse-security-alert@csd.sgi.com.

For reporting *NEW* SGI security issues, email can be sent to security-alert@sgi.com or by contacting your SGI support provider.
From firewalls-owner Wed Jan 3 15:07:23 1996
Message-ID: <01BADA69.AAE0F240@rwcooper.rcooper.the-wire.com>
From: Russ Cooper
To: "hans@lpa.se", "'pc@bim.be'"
Cc: "firewalls@GreatCircle.COM"
Subject: RE: Firewall for Windows NT?
Date: Thu, 4 Jan 1996 05:58:26 -0500

Catapult is at Beta II now, I'll be happy to tell more when I'm out from under this NDA. All I can say for now is that it will be good for *smaller* installations that are running *mostly* MS based OS's.

Cheers,

Russ Cooper
Sr. Internet Integration Engineer
SHL/Computer Innovations
rcooper@the-wire.com -- rwcooper@shl.com
"can someone tell me where to go today to get the money to go to where I want to go today"

From firewalls-owner Wed Jan 3 16:07:23 1996
Date: Wed, 03 Jan 96 15:26:49
From: "Abernathy, Jim"
Message-Id: <9600038207.AA820711609@nascar.sf.frb.org>
To: firewalls@greatcircle.com, Chris Kostick
Subject: Re: encrypting modems

Chris,

Here is an old list of Modem Encryption vendors I had. This is old and they may have combined with another company or moved but here they are. I have worked with vendors Jones Futurex and Racal-Milgo quite a bit with some of their products.
This is not an endorsement for any of these vendors:

Old Security Modem Vendors List:

Adaptive Computer Technologies, CA 415 324-0121
Anchor Automation, CA 818 998-6100
AT&T, NJ 201 221-2200
Bizcomp Corp, CA 408 733-7800
CASE/Datatel, Inc NJ 609 424-4451
Cermetek Microelectronics Inc, CA 408 752-5000
Codex Corp, MA 617 364-2000
Concord Data Systems Inc, MA 508 460-0808
CXR Telcom/Anderson Jacobson, CA 408 435-8520
Data Race, Inc, TX 512 692-3909
Datec, Inc, NC 800 334-7722
Digital Pathways, Inc, CA 415 964-0707
Emucom, Inc, 508 970-1189
Fastcomm Data Corp, VA 703 620-3900
Gandalf Data Inc, 312 541-6060, 800 GANDALF
Jones Futurex, CA 916 632-3456
Microcom Inc, MA 508 551-1000
Natural Microsystems Corp, MA 508 655-0700
NEC America, Inc, CA 408 433-1250
Octocom Systems, MA 508 658-6050
Okidata Corp, NJ 609 235-2600
Prometheus Productions, Inc, OR 503 624-0571
Racal-Milgo, Inc, FL 305 476-5609, 800 327-4440
Racal-Vadic, Inc CA 408 946-2227
Singer Data Products Inc, IL 312 860-6500
Transend Corp, CA 415 851-3402
Tri-Data Systems Inc, CA 408 746-2900
Universal Data Systems, AL 205 721-8000
Visionary Electronics, Inc, CA 415 751-8811
Western DataCom Co, OH 216 835-1510
ZyXEL, CA 714 693-0808

Jim Abernathy
FRB San Francisco
415 974-2798

______________________________ Reply Separator _________________________________
Subject: encrypting modems
Author: Chris Kostick at INET-MAIL-GATEWAY@FRB12
Date: 1/2/96 10:34 PM

From: Chris Kostick
Message-Id: <199601030358.WAA00783@mccoy.ashton.csc.com>
Subject: encrypting modems
To: firewalls@greatcircle.com
Date: Tue, 2 Jan 1996 22:58:55 -0500 (EST)

Can anyone provide me a list of vendors who make encrypting modems? That is, a modem with encryption in hardware rather than software on a machine just sending out over a modem.

-- chris

From firewalls-owner Wed Jan 3 18:11:38 1996
From: Jonny Llama
Message-Id: <199601040159.UAA09190@ra1.randomc.com>
Subject: Re: Compression is useful - but for security, not
To: PADGETT@hobbes.orl.mmc.com (A. Padgett Peterson, P.E. Information Security)
Date: Wed, 3 Jan 1996 20:59:43 -0500 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: <960103094524.2020153c@hobbes.orl.mmc.com> from "A. Padgett Peterson, P.E. Information Security" at Jan 3, 96 09:45:24 am

>
> I rote
>
>> 1) Compression aids performance. It does not aid security (at best is SBO).
>
> Julian wresponded:
>
> >Not so! Compressed plain text, which is then ciphered is several orders
> >of magnitude harder to break (depending on the compression scheme and attack).
>
> Any cipher scheme that is effectively strengthened by compression is not
> very good encryption IMNSHO. True, if you use a rearranged XXENCODE table
> as your cipher scheme, compression will make it more difficult to break
> (provided you remove the headers). Triple DES or SKIPJACK is hard enough
> to break that compression makes no effective difference.
>
> Warmly,
> Padgett
>

Compressing data obscures redundancies in the plaintext, taking diffusion and confusion one extra step. This characteristic is found in at least one of two of its forms in any 'good' cipher. Unless that whizzing was something flying past my head..

-llama

From firewalls-owner Wed Jan 3 20:37:23 1996
Date: Thu, 04 Jan 96 09:24:20 eet
From: "Greg Hume"
Message-Id: <9600048207.AA820798228@mailgate.cybergraphic.com.au>
To: pc@bim.be, firewalls@greatcircle.com
Subject: Re[2]: Firewall for Windows NT?

I have tried without success to find any information on this. Could you quote your source please or point me in the right direction?

Thanks
Greg.
Systems Analyst.

______________________________ Reply Separator _________________________________
Subject: Re: Firewall for Windows NT?
Author: pc@bim.be at mailgate
Date: 1/4/96 5:54 AM

A firewall called "catapult" is announced by Microsoft. I don't know when it will be available.

Philippe
--
Ph. Cayphas
Senior Engineer
E-Mail: pc@bim.be
Telephone: +32(10)47.08.32
Fax: +32(10)47.08.11
Postal Mail: Ph. Cayphas, BIM sa, 4, Av. Albert Einstein, 1348 Louvain-La-Neuve, Belgium

From firewalls-owner Wed Jan 3 21:07:26 1996
From: ibg@oro.net
Date: Wed, 3 Jan 1996 20:58:11 -0800
Message-Id: <199601040458.UAA09885@hg.oro.net>
Subject: Re: Firewalls-Digest V5 #3
To: Firewalls@GreatCircle.COM

Please stop sending these e-mails. Thanks.

From firewalls-owner Wed Jan 3 21:22:22 1996
From: ibg@oro.net
Date: Wed, 3 Jan 1996 20:57:40 -0800
Message-Id: <199601040457.UAA09873@hg.oro.net>
Subject: Re: Firewalls-Digest V5 #4
To: Firewalls@GreatCircle.COM

Please stop sending these e-mails. Thanks.
From firewalls-owner Wed Jan 3 21:37:22 1996
From: ibg@oro.net
Date: Wed, 3 Jan 1996 20:58:34 -0800
Message-Id: <199601040458.UAA09898@hg.oro.net>
Subject: Re: Firewalls-Digest V5 #2
To: Firewalls@GreatCircle.COM

Please stop sending these e-mails. Thanks.

From firewalls-owner Wed Jan 3 23:07:24 1996
From: Jon Whitton
Subject: Bastion netmask query
To: firewalls@greatcircle.com
Date: Thu, 4 Jan 1996 06:53:26 +0000 (GMT)

We have a class C of our own A.B.C.0 and are currently configuring the network as follows:

                Addresses A.B.C.1 to 15

 ISP    +-----------+                      +-----------+
 Lease  |  Cisco    |----------------------|  ftp/web  |  plus others
 ----   |  2514     |          |           |  machine  |  as needed
 Line   |           |----------|           |           |
        +-----------+          |           +-----------+
                               |  subnet is A.B.C.16 to 31
                               |
                               |  eth0 A.B.C.31
                         +-----------+
                         |  Bastion  |  Dual Homed
                         |  Machine  |
                         |           |
                         +-----------+
                               |  eth1 A.B.C.32
                               |
                               |  subnet is A.B.C.32 to 254
   ----------------------------|----------------------  Secure Internal

Can anyone confirm what the netmasks and broadcast addresses should be for the two bastion ethernet devices.

We are having some trouble agreeing on these.

TIA, Jon
--
================================================================================
Jon Whitton. Internet Address: jonw@mntcmp2.demon.co.uk
================================================================================
--

From firewalls-owner Thu Jan 4 00:37:24 1996
From: gamble@dxcoms.cern.ch
Message-Id: <9601040824.AA23767@dxcoms.cern.ch>
To: firewalls@GreatCircle.com
Cc: gamble@dxcoms.cern.ch, pdetemme@cisco.com
Subject: Looking for a speaker
Date: Thu, 04 Jan 96 09:24:28 +0100

Folks,

This is not exactly a normal firewalls question, but I am looking for help on this topic on behalf of someone else:-

On March 13th 1996 Cisco Systems SA (Switzerland) is organising a short seminar on security and are looking for someone who would be able to give a short presentation on this topic.
If there is anyone who would be interested could they please contact Pascal DETEMMERMAN, pdetemme@cisco.com for more information. I believe the venue will be in the Geneva area.

Thanks.

Oh ... and happy New Year ...

From firewalls-owner Thu Jan 4 03:22:24 1996
From: PDA-BB@ccmail.valmet.com
Message-Id: <199601041110.NAA17028@tre-vta.valmet.com>
Date: Thu, 4 Jan 1996 13:06 EET
To: firewalls@greatcircle.com
Subject: Firewalls in Many Countries

---------------------------------- Forwarded ----------------------------------
From: telomas@upj.com at INTERNET
Date: 1/3/96 3:31PM
Forwarded by: firewalls-owner@greatcircle.com at INTERNET
*To: firewalls@greatcircle.com at INTERNET
Subject: Firewalls in Many Countries
-------------------------------------------------------------------------------

The Pharmacia and Upjohn Companies merged last November. We are merging/changing the firewalls and Internet access points within the company. How do you do that and still give adequate service levels? We have queried our ISP and only received vague answers. It has been hard for me to find knowledgeable people within companies that understand firewalls, security issues and network issues.
I am a strong proponent of local administration because I do not see how you can provide adequate response time to serious problems if the people that are supporting the firewall or if the vendor that supports the firewall is across the ocean. However, others within our new company think that centralization of firewall support and firewalls is critical. There is also a group that feels it does not want to "pay" for the external IP traffic running across the internal network if adequate security can be provided by adding additional firewalls.

KEY QUESTIONS: How many firewalls and Internet sites of access should we have and how should they be supported? Select and support one firewall vendor? Local versus remote administration?

Service Level: Respond to security problems immediately, and fix technical problems within 24 hours. Therefore, even mail could be down at a site for 24 hours although this seems like a long time to me. Management is very sensitive to the idea of the Internet and because of this, investigating unknown problems is a high priority.

Users: We have a current or potential Internet user population of over 1000 users in Uppsala, Sweden; Milan, Italy; Kalamazoo, Michigan (USA); and Tsukuba, Japan. There are many other smaller sites that do (or will) receive Internet access by using the firewalls.

Firewalls: We currently have two firewalls for Internet access: Kalamazoo (firewall is ANS Interlock - Solaris) Uppsala (firewall is Dec Seal). We will probably add a third in Japan shortly.

Services allowed: Outbound FTP, TELNET, HTTP and of course smtp for mail. A few additional services are being piloted but have not yet been approved (WinCIM for Compuserve; SciFinder for access to an external database). Essentially anyone who has been given a TCP/IP address on an authorized network can obtain access to Internet services.

TCP/IP addresses: We have one class B address and multiple class C's.
From firewalls-owner Thu Jan 4 04:07:25 1996
Message-Id: <199601041150.DAA21062@lint.cisco.com>
Date: Thu, 04 Jan 1996 06:51:13 -0500
To: Jon Whitton
From: Paul Ferguson
Subject: Re: Bastion netmask query
Cc: firewalls@GreatCircle.COM

At 06:53 AM 1/4/96 +0000, Jon Whitton wrote:
>
>We have a class C of our own A.B.C.0 and are currently configuring the
>network as follows:
>

This is a confusing statement [We have a class C of our own A.B.C.0...]. What exactly does it mean? It would certainly help to tell us what the network address actually is.

>                 Addresses A.B.C.1 to 15
>
>  ISP    +-----------+                      +-----------+
>  Lease  |  Cisco    |----------------------|  ftp/web  |  plus others
>  ----   |  2514     |          |           |  machine  |  as needed
>  Line   |           |----------|           |           |
>         +-----------+          |           +-----------+
>                                |  subnet is A.B.C.16 to 31
>                                |
>                                |  eth0 A.B.C.31
>                          +-----------+
>                          |  Bastion  |  Dual Homed
>                          |  Machine  |
>                          |           |
>                          +-----------+
>                                |  eth1 A.B.C.32
>                                |
>                                |  subnet is A.B.C.32 to 254
>    ----------------------------|----------------------  Secure Internal
>
>Can anyone confirm what the netmasks and broadcast addresses should be for the
>two bastion ethernet devices.
>
>We are having some trouble agreeing on these.
>
>TIA, Jon
>

Firstly, if you are using a 4 bit subnet mask on a traditional 'class c' network, then the subnet 'A.B.C.32 to 254' is an invalid subnet.

I would suggest obtaining and reading RFC-1878, Variable Length Subnet Table For IPv4.

- paul

--
Paul Ferguson
Consulting Engineering
Reston, Virginia USA
tel: +1.703.716.9538
e-mail: pferguso@cisco.com
cisco Systems

From firewalls-owner Thu Jan 4 06:10:10 1996
From: Jody C Patilla
Message-Id: <9601041353.AA22198@tis.com>
Subject: Re: Livingston Firewall IRX router
To: firewalls@GreatCircle.COM
Date: Thu, 4 Jan 1996 08:52:51 -0500 (EST)
In-Reply-To: <199601032110.NAA05372@uni.ins.com> from "Kenneth Kron" at Jan 3, 96 01:10:08 pm

>
> As far as the Livingston IRX router I really don't know as I haven't used it.
>

I'd like to hear from folks who are actually using it, please.

=========================================================================
Jody C. Patilla jcp@tis.com
Trusted Information Systems Glenwood, Md.
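Paul's point about the 4-bit mask, worked through as an added example that is not from any post on the list: a Python script using only the standard ipaddress module, with 192.0.2.0/24 (documentation space) standing in for Jon's A.B.C.0. It shows that .16-.31 is a /28 whose broadcast is .31 (the address the diagram gives eth0), that .32-.254 cannot be one subnet under any mask, and the RFC 1878-style variable-length cover the inside range needs.

```python
"""Subnet arithmetic for the dual-homed bastion layout in the netmask query.

Constructed example: 192.0.2.0/24 (RFC 5737 documentation space) stands in
for the poster's "A.B.C.0"; the host-octet ranges are the ones in his diagram.
"""
import ipaddress
from typing import Dict, List, Optional

CLASS_C = ipaddress.ip_network("192.0.2.0/24")


def subnet_for_range(first: int, last: int) -> Optional[ipaddress.IPv4Network]:
    """The single subnet of CLASS_C spanning host octets first..last inclusive,
    or None when no one prefix fits: a subnet's size must be a power of two
    and its first address must be aligned to that size (so the poster's
    ".32 to .254" cannot be one subnet, whatever mask is chosen)."""
    size = last - first + 1
    if size <= 0 or size & (size - 1) or first % size:
        return None
    prefix = 33 - size.bit_length()       # 16 addresses -> /28, 32 -> /27, ...
    return ipaddress.ip_network((int(CLASS_C.network_address) + first, prefix))


def interface_facts(net: ipaddress.IPv4Network, host_octet: int) -> Dict[str, object]:
    """Netmask and broadcast an interface in `net` should carry, plus whether
    the chosen address is a usable host address rather than the subnet's
    network or broadcast address (the diagram puts eth0 on .31 and eth1 on
    .32, which are exactly those boundary addresses)."""
    addr = ipaddress.ip_address(int(CLASS_C.network_address) + host_octet)
    usable = addr in net and addr not in (net.network_address, net.broadcast_address)
    return {
        "address": str(addr),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "usable": usable,
    }


def vlsm_cover(first: int, last: int) -> List[str]:
    """Smallest set of variable-length subnets (the RFC 1878 approach Paul
    points at) that exactly covers host octets first..last of CLASS_C."""
    base = int(CLASS_C.network_address)
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(base + first), ipaddress.ip_address(base + last)
    )
    return [str(b) for b in blocks]


if __name__ == "__main__":
    dmz = subnet_for_range(16, 31)                         # 192.0.2.16/28
    print("DMZ subnet:", dmz)
    print("eth0 as drawn (.31):", interface_facts(dmz, 31))   # .31 is the broadcast
    print(".32-.254 as one subnet:", subnet_for_range(32, 254))  # None
    inside = vlsm_cover(32, 255)                           # /27 + /26 + /25
    print("Inside needs:", inside)
    print("eth1 as drawn (.32):", interface_facts(subnet_for_range(32, 63), 32))
```

Covering .32-.255 rather than .32-.254 is deliberate: .255 is the broadcast of the last /25 either way, and the exact cover of .32-.254 would fragment into nine prefixes.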
From firewalls-owner Thu Jan 4 07:25:33 1996
Date: Thu, 4 Jan 1996 10:04:02 -0500 (EST)
From: "A. Padgett Peterson, P.E. Information Security"
To: firewalls@greatcircle.com
Message-Id: <960104100402.20c00896@hobbes.orl.mmc.com>
Subject: Firewalls in many countries

>It has been hard for me to find knowledgeable people within
>companies that understand firewalls, security issues and network
>issues.

Is more complicated than that - you need someone who understands the corporate environment as well. It has strengths and weaknesses that are different from the bulk of the Internet community which is primarily military/academic/government/individuals. Believe me, operation inside a large corporation is different, not better, not worse, but different.

>I am a strong proponent of local administration because I do not
>see how you can provide adequate response time to serious
>problems if the people that are supporting the firewall or if the
>vendor that supports the firewall is across the ocean. However,
>others within our new company think that centralization of
>firewall support and firewalls is critical.

Been there, done that, centralization is essential to security. Otherwise the preference of one component may jeopardize other elements. To avoid that there *must* be a common set of basic policies that govern all activities within the corporation.
Each operating element can be permitted choices within that framework but the fact is that Internet security is a dynamic, rapidly evolving technology and a corporate Czar is necessary to avoid endless bickering and committees that cannot respond quickly to emerging threats.

The basic problem with a democratic organization is that of education of the citizens. Users (and management is a user) do not have the background and the resources are not available to give them the background necessary to make intelligent choices. So you have to select someone or a small group of people who have the background/training to make the decisions *and have the decisions applied*.

>There is also a
>group that feels it does not want to "pay" for the external IP
>traffic running across the internal network if adequate security
>can be provided by adding additional firewalls.

Fact: all rules are unfair to someone. Problems occur if that "someone" can obstruct "the greatest good for the greatest number". In the corporate world, doing nothing is the easiest choice. The *wrong* choice but the easiest one.

>KEY QUESTIONS: How many firewalls and Internet sites of access
>should we have and how should they be supported? Select and
>support one firewall vendor? Local versus remote administration?

That depends on your communications requirements and the level of protection required by the data (aka "What is the potential loss if compromised ?") - am fortunate to work for a company that has multi-billion dollar contracts so the question rarely arises.

Have found that some simplification is necessary - first, except for special cases, do not worry about individual nodes, concern yourself with the networks and subnets. Have found that three sets of criteria are enough:

1) Fully exposed networks e.g. Internet connections
2) Limited exposure networks e.g. PNS leased lines to partners/customers who have signed an agreement for security
3) Internal networks.
Type 1 is covered by corporate policy and has the most stringent requirements since a breach could potentially expose the enterprise. A single mechanism and corporate approved vendor(s) are required. Types of connection permitted are limited (e.g. no UDP except DNS and that is limited to specified, trusted servers). At least two levels of protection (firewall/trusted host) are required.

Type 2 has less stringent requirements and more flexibility for the site but is still somewhat constrained. The contract is considered a level of security but at least one additional level is necessary. Administration is by the site but central approval for connects is necessary.

Type 3 are permitted unlimited access but no node is automatically trusted, instead networks containing sensitive material are separated by controls but may be as simple as the packet filtering provided by routers. Controls are up to the site/project/department though consulting from the central organization is available.

>Service Level: Respond to security problems immediately, and fix
>technical problems within 24 hours. Therefore, even mail could
>be down at a site for 24 hours although this seems like a long
>time to me. Management is very sensitive to the idea of the
>Internet and because of this, investigating unknown problems is a
>high priority.

"Now" is better. I carry a beeper 24 hours as do the rotating on-call staff. This must be available at each site though help desks may be centralized.

What happens if the firewall goes down ? Do you have hot backup capability ? What if a backhoe takes out your trunks ? How do you determine if a security problem exists ? Do you have authority to cut off a system arbitrarily (couple of years ago had to make a decision whether to shut down an entire production facility. The fact that a VP was standing there did not remove my authority to do so.)
>Users: We have a current or potential Internet user population of
>over 1000 users in Uppsala, Sweden; Milan, Italy; Kalamazoo,
>Michigan (USA); and Tsukuba, Japan. There are many other smaller
>sites that do (or will) receive Internet access by using the
>firewalls.

Would consider that "medium sized". Large is when you have over 5,000 at a
single site or over 100,000 total.

>Firewalls: We currently have two firewalls for Internet access:
>Kalamazoo (firewall is ANS Interlock - Solaris) Uppsala (firewall
>is Dec Seal). We will probably add a third in Japan shortly.

Well that could count as a single layer - what about modems/PPP?

>Services allowed: Outbound FTP, TELNET, HTTP and of course smtp
>for mail.

Nobody uses GOPHER? FINGER is blocked? SHTP (port 443)? Are you sure?

Just some thoughts,
                    Padgett

From firewalls-owner Thu Jan 4 07:52:26 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA08401 for firewalls-outgoing; Thu, 4 Jan 1996 07:40:38 -0800 (PST)
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id HAA08396 for ; Thu, 4 Jan 1996 07:40:34 -0800 (PST)
Received: from cixgate by relay2.UU.NET with SMTP id QQzxbq02898; Thu, 4 Jan 1996 10:39:54 -0500 (EST)
Received: from manzanita.DEV.3Com.COM.noname ([139.87.180.206]) by cixgate (4.1/SMI-4.1/3com-cixgate-GCA-931027-01) id AA27646; Thu, 4 Jan 96 07:48:42 PST
Received: by manzanita.DEV.3Com.COM.noname (4.1/SMI-4.1) id AA07331; Thu, 4 Jan 96 07:34:31 PST
Date: Thu, 4 Jan 96 07:34:31 PST
From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg)
Message-Id: <9601041534.AA07331@manzanita.DEV.3Com.COM.noname>
To: firewalls@greatcircle.com, jonw@mntcmp2.demon.co.uk
Subject: Re: Bastion netmask query
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You wrote:
>
> We have a class C of our own A.B.C.0 and are currently configuring the
> network as follows:
>
> Addresses A.B.C.1 to 15
>
> ISP      +-----------+                      +-----------+
> Lease    |   Cisco   |----------------------|  ftp/web  | plus others
> ----     |   2514    |          |           |  machine  | as needed
> Line     |           |----------|           |           |
>          +-----------+          |           +-----------+
>                                 |  subnet is A.B.C.16 to 31
>                                 |
>                                 |  eth0 A.B.C.31
>                           +-----------+
>                           |  Bastion  | Dual Homed
>                           |  Machine  |
>                           |           |
>                           +-----------+
>                                 |  eth1 A.B.C.32
>                                 |
>                                 |  subnet is A.B.C.32 to 254
> -------------------|------------------------ Secure Internal
>
> Can anyone confirm what the netmasks and broadcast addresses should be for the
> two bastion ethernet devices.

First of all, these nets are using three different subnet classification
schemes. This can cause problems unless carefully managed.

The subnet mask 255.255.255.240 will divide your class C address space into 16
subnets of 15 hosts each:
  A.B.C.0,   A.B.C.16,  A.B.C.32,  A.B.C.48,
  A.B.C.64,  A.B.C.80,  A.B.C.96,  A.B.C.112,
  A.B.C.128, A.B.C.144, A.B.C.160, A.B.C.176,
  A.B.C.192, A.B.C.208, A.B.C.224, A.B.C.240.

The subnet mask 255.255.255.224 will effectively divide your class C address
space into 8 subnets of 31 hosts each:
  A.B.C.0,   A.B.C.32,  A.B.C.64,  A.B.C.96,
  A.B.C.128, A.B.C.160, A.B.C.192, A.B.C.224.

The subnet mask 255.255.255.192 will divide your class C into 4 subnets of 63
hosts each:
  A.B.C.0,   A.B.C.64,
  A.B.C.128, A.B.C.192.

It is possible to use different masks on each side of the router and bastion
machine, but unless you are careful (or using OSPF) (I don't know how IGRP
works), you are asking for trouble by splitting up subnets unevenly. In
addition, you will find that any subnet that is part of a smaller division
scheme, but not actually used, must be thrown away if this is done with RIP
(RIP V.2 can help some).

On the other hand, you may be able to divide up the Class C, and then assign
multiple subnets to your larger net, as long as you remember to use the smaller
subnet masking scheme, and let the router handle communications between
subnets.
I could write a lot more on the subject, but not being sure of your objectives,
I'd rather not second guess you here.

Good luck,

BobK

From firewalls-owner Thu Jan 4 09:37:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA11325 for firewalls-outgoing; Thu, 4 Jan 1996 09:31:04 -0800 (PST)
Received: from mail.co.stanislaus.ca.us ([204.31.216.7]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA11320 for ; Thu, 4 Jan 1996 09:31:00 -0800 (PST)
Received: from STANCO#u#1-Message_Server by mail.co.stanislaus.ca.us with Novell_GroupWise; Thu, 04 Jan 1996 09:33:35 -0800
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Thu, 04 Jan 1996 09:46:32 -0800
From: Mike Romeo
To: jcp@tis.com
Cc: firewalls@GreatCircle.COM
Subject: Re: Livingston Firewall IRX router -Reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

We are using a Livingston Firewall IRX @ our site, we try to block all but
essential services and then limit those to the hosts that require them.

The filtering in the IRX is basically in and/or out on each interface with the
following criteria:

1. Source and Destination address with masking/subnetting
2. Protocol (TCP/UDP/ICMP)
3. Source and Destination port (gt/lt/eq, TCP & UDP) or Message Type (ICMP)
4. Established Session

The only problem I've had is that when I try to set up a filter for ICMP type 0
(ECHO REPLY if I read the RFC correctly) it refuses to accept that, so I just
blocked all ICMP which can be a pain when we have a connectivity problem with
our ISP.

I'm no TCP Guru and I'm not sure what you mean by dynamic/stateful packet
filtering; if you clarify (read dumb down) the question maybe I would be able
to answer it.

Setup was easy, but when you update the filter list there is no way to insert
a rule so you have to rekey all the rules after the one you insert which allows
a lot of room for finger checks and can cause an inadvertent hole in your
system. The packet filtering syntax is less cryptic than CISCO's (IMHO).

If you want any more info I'll be happy to try and help.

-------------------------------------------------------------------------------
Michael Romeo, Sr Systems Programmer
Stanislaus County, Modesto Ca.
209-525-5805
romeo@mail.co.stanislaus.ca.us

From firewalls-owner Thu Jan 4 10:37:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA13132 for firewalls-outgoing; Thu, 4 Jan 1996 10:35:43 -0800 (PST)
Received: from northshore.ecosoft.com (northshore.ecosoft.com [192.233.85.129]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA13126 for ; Thu, 4 Jan 1996 10:35:39 -0800 (PST)
Received: from slip-9-14.shore.net by northshore.ecosoft.com with SMTP id AA29503 (5.67a/IDA-1.5 for ); Thu, 4 Jan 1996 13:34:06 -0500
Message-Id: <199601041834.AA29503@northshore.ecosoft.com>
Date: Thu, 04 Jan 96 18:35:01 0500
From: Vin McLellan
Organization: Privacy Guild
X-Mailer: Mozilla 1.1N (Macintosh; I; 68K)
Mime-Version: 1.0
To: firewalls@greatcircle.com
Subject: Email antivirus software debuts
X-Url: http://www.cnet.com/Content/News/Files/0,16,350,00.html
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

FYI:

A press release notes Central House Technologies, dba IMA Tech, will
distribute software that scans email and attached documents for viruses. The
product, Mimesweeper, is priced at $2,875 for 100 users.

Mimesweeper redirects incoming mail to a mailbox where it is scanned for
unidentifiable attachments or viruses. Messages can pass through the network
only if they are scanned, according to Central House officials.

Mimesweeper runs on Microsoft Windows NT 3.5 and will support Microsoft Mail
and Novell's Groupwise software in the near future, CH officials said.
From firewalls-owner Thu Jan 4 10:52:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA13307 for firewalls-outgoing; Thu, 4 Jan 1996 10:48:27 -0800 (PST)
Received: from geoworks.com (fusion.geoworks.com [198.211.200.200]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA13291 for ; Thu, 4 Jan 1996 10:48:21 -0800 (PST)
Received: from selenium.geoworks.com.geoworks by geoworks.com (4.1/SMI-4.1) id AA00194; Thu, 4 Jan 96 10:47:11 PST
Date: Thu, 4 Jan 96 10:47:11 PST
From: cdoane@geoworks.com (Chris Doane)
Message-Id: <9601041847.AA00194@geoworks.com>
To: jcp@tis.com, ROMEO@mail.co.stanislaus.ca.us
Subject: Re: Livingston Firewall IRX router -Reply
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I think Mr. Romeo's mail pretty well covered the features found in the
Firewall IRX, but here's something else to consider:

Livingston's "free" support is the worst I've ever encountered; expect at the
very least a one week turn-around on calls, and this after repeated daily
attempts to speak with an engineer. Documentation is abysmal, even the newer
version available as a .ps file on their ftp server. I could live with this,
except that I've discovered some undocumented features that have caused me
grave headaches (i.e., setting an IP filter automatically denies all IPX
traffic - IPX filtering is extremely poorly documented, not a single example
of the syntax).

This has been my experience for every occasion I've had to contact Livingston.
I would not mention these problems except that I've found this aggravation to
far outweigh the benefits of the product.

Sincerely,

Chris Doane

From firewalls-owner Thu Jan 4 11:27:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA13659 for firewalls-outgoing; Thu, 4 Jan 1996 11:10:39 -0800 (PST)
Received: from relay5.UU.NET (relay5.UU.NET [192.48.96.15]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id LAA13653 for ; Thu, 4 Jan 1996 11:10:34 -0800 (PST)
Received: from uucp2.UU.NET by relay5.UU.NET with SMTP id QQzxce24629; Thu, 4 Jan 1996 14:09:56 -0500 (EST)
Received: from vanguard.UUCP by uucp2.UU.NET with UUCP/RMAIL ; Thu, 4 Jan 1996 14:09:56 -0500
Received: by vanguard.hmp.com (UUPC/extended 1.12b); Thu, 04 Jan 1996 11:32:04 MST
Date: Thu, 04 Jan 1996 11:31:58 MST
From: "Scott Deshaies"
Message-ID: <30ec1d24.vanguard@vanguard.hmp.com>
Organization: High Mountain Press, Inc.
Reply-To: "Scott Deshaies"
To: "Mike Romeo"
Cc: "Firewalls Mailing List"
Subject: Re: Livingston Firewall IRX router -Reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 04 Jan 1996 09:46:32 -0800, "Mike Romeo" wrote:

> Setup was easy, but when you update the filter list there is no way to
> insert a rule so you have to rekey all the rules after the one you insert
> which allows a lot of room for finger checks and can cause an
> inadvertent hole in your system. The packet filtering syntax is less
> cryptic than CISCO's (IMHO)

If you use PMConsole, you can insert a line and it does the magic of moving
all of the lower rules down for you. (At least it seems to in PMConsole for
Windows - I can't vouch for the X version)

--
>> Scott R. Deshaies  <>  High Mountain Press, Inc.                    <<
>> MIS Manager        <>  2530 Camino Entrada * Santa Fe, NM 87505     <<
>> sdeshaies@hmp.com  <>  Direct:505/474-5103   http://www.hmp.com     <<

From firewalls-owner Thu Jan 4 13:22:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA16920 for firewalls-outgoing; Thu, 4 Jan 1996 13:15:19 -0800 (PST)
Received: from calima (CALIMA.CIAT.CGIAR.ORG [198.93.225.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA16913 for ; Thu, 4 Jan 1996 13:15:13 -0800 (PST)
Received: by calima (Smail3.1.29.1 #1) id m0tXv7g-00032VC; Thu, 4 Jan 96 16:14 WDT
Date: Thu, 4 Jan 1996 16:14:48 -0300 (WDT)
From: Juan Carlos Machado
X-Sender: juank@calima
To: firewalls@greatcircle.com
Subject: Xtacacs client software for Windows
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

For people interested in TACACS client software for Windows, this is available
at ftp.cica.indiana.edu/pub/pc/win3/winsock/xtacac12.zip

If information is needed about installation and configuration, feel free to
contact me.

Juank,

_________________________________________________________
=========================================================
Juan Carlos Machado Z.
jmachado@calima.ciat.cgiar.org
j.machado@cgnet.com
Network Support
Voice Ph#: (57-2)4450-422
>>>>>>>>>>>>>>>>>>>>>>>>>> :) <<<<<<<<<<<<<<<<<<<<<<<<<<<
CIAT (International Center for Tropical Agriculture)
Cali - Valle - Colombia.
Phone: 4450000
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
JK:= NOT(reflect(opinions' self,opinions' employer));

From firewalls-owner Thu Jan 4 15:37:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA19535 for firewalls-outgoing; Thu, 4 Jan 1996 15:25:34 -0800 (PST)
Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA19525 for ; Thu, 4 Jan 1996 15:25:13 -0800 (PST)
Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.6.10/8.6.10) id JAA28192; Fri, 5 Jan 1996 09:18:35 +1000
Received: from citecub.citec.qld.gov.au(131.242.4.98) by citecuh.citec.qld.gov.au via smap (V1.3) id /mail/incoming/sma028173; Fri Jan 5 09:18:14 1996
Received: by citecub.citec.qld.gov.au (5.0/SMI-SVR4) id AA19977; Fri, 5 Jan 1996 09:23:46 +1000
From: sgcccdc@citec.qld.gov.au (Colin Campbell)
Message-Id: <9601042323.AA19977@citecub.citec.qld.gov.au>
Subject: Re: Bastion netmask query
To: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg)
Date: Fri, 5 Jan 1996 09:23:45 +1000 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: <9601041534.AA07331@manzanita.DEV.3Com.COM.noname> from "Bob Konigsberg" at Jan 4, 96 07:34:31 am
X-Mailer: ELM [version 2.4 PL24 PGP3 *ALPHA*]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My mailer thinks Bob Konigsberg said:
> [picture chomped]
>
> First of all, these nets are using three different subnet
> classification schemes. This can cause problems unless carefully managed.
>
> The subnet mask 255.255.255.240 will divide your class C
> address space into 16 subnets of 15 hosts each
> A.B.C.0, A.B.C.16, A.B.C.32, A.B.C.48,
> A.B.C.64, A.B.C.80, A.B.C.96, A.B.C.112,
> A.B.C.128, A.B.C.144, A.B.C.160, A.B.C.176,
> A.B.C.192, A.B.C.208, A.B.C.224, A.B.C.240.
>
>
> The subnet mask 255.255.255.224 will effectively divide your class C
> address space into 8 subnets of 31 hosts each:
> A.B.C.0, A.B.C.32, A.B.C.64, A.B.C.96,
> A.B.C.128, A.B.C.160, A.B.C.192, A.B.C.224.
>
> The subnet mask 255.255.255.192 will divide your class C into 4 subnets
> of 63 hosts each.
> A.B.C.0, A.B.C.64,
> A.B.C.128, A.B.C.192.
>

The network people here will not allow the first and last subnets to be used
because there are too many systems around that do not support the classless
routing required. Apparently these systems work out whether the address is an
A, B or C and then apply the netmask. Thus A.B.C.0 subnetted is no different
to A.B.C.0 w/o subnet, and A.B.C.192 has a "network address" of all "1"s which
is the broadcast address.

Anyone care to comment?

[chomp the rest]

Colin

From firewalls-owner Thu Jan 4 16:52:26 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA21754 for firewalls-outgoing; Thu, 4 Jan 1996 16:38:11 -0800 (PST)
Received: from venera.isi.edu (venera.isi.edu [128.9.0.32]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id QAA21743 for ; Thu, 4 Jan 1996 16:38:07 -0800 (PST)
From: bmanning@ISI.EDU
Received: from zed.isi.edu by venera.isi.edu (5.65c/5.61+local-22) id ; Thu, 4 Jan 1996 16:37:13 -0800
Posted-Date: Thu, 4 Jan 1996 16:29:59 -0800 (PST)
Message-Id: <199601050029.AA07586@zed.isi.edu>
Received: by zed.isi.edu (5.65c/4.0.3-4) id ; Thu, 4 Jan 1996 16:29:59 -0800
Subject: Re: Bastion netmask query
To: sgcccdc@citec.qld.gov.au (Colin Campbell)
Date: Thu, 4 Jan 1996 16:29:59 -0800 (PST)
Cc: bobk@manzanita.dev.3com.com, firewalls@greatcircle.com
In-Reply-To: <9601042323.AA19977@citecub.citec.qld.gov.au> from "Colin Campbell" at Jan 5, 96 09:23:45 am
X-Mailer: ELM [version 2.4 PL25]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > The subnet mask 255.255.255.192 will divide your class C into 4 subnets
> > of 63 hosts each.
> > A.B.C.0, A.B.C.64,
> > A.B.C.128, A.B.C.192.
> >
>
> The network people here will not allow the first and last subnets to be
> used because there are too many systems around that do not support the
> classless routing required. Apparently these systems work out whether
> the address is an A, B or C and then applies the netmask. Thus A.B.C.0
> subnetted is no different to A.B.C.0 w/o subnet and A.B.C.192. has a
> "network address" of all "1"s which is the broadcast address.
>
> Anyone care to comment?
>
> Colin

Two RFC's:

RFC 1878 - Variable Length Subnet Table For IPv4
RFC 1597 - Private Networks.

--
--bill

From firewalls-owner Thu Jan 4 19:37:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id TAA24534 for firewalls-outgoing; Thu, 4 Jan 1996 19:28:07 -0800 (PST)
Received: from ix8.ix.netcom.com (ix8.ix.netcom.com [199.182.120.8]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id TAA24529 for ; Thu, 4 Jan 1996 19:28:04 -0800 (PST)
Received: from ix-wp1-20.ix.netcom.com by ix8.ix.netcom.com (8.6.12/SMI-4.1/Netcom) id TAA20010; Thu, 4 Jan 1996 19:27:26 -0800
Date: Thu, 4 Jan 1996 19:27:26 -0800
Message-Id: <199601050327.TAA20010@ix8.ix.netcom.com>
X-Sender: sgfarkas@ix.netcom.com
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: SorG Farkas
Subject: Gauntlet from TIS
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If any of you has experience with Gauntlet, I would appreciate any info about
it (if it does what it promises, if it's reliable, any problems you
encountered, any do's and don'ts, experience with the support from them,
etc.). We are considering it for my company.

Thanks a lot.
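A worked check for the "Bastion netmask query" thread above (Bob's subnet breakdown and Colin's point about the first and last subnets), added here and written by the editor, not by any poster: it uses Python's ipaddress module on a constructed stand-in for A.B.C.0 (192.0.2.0/24, the RFC 5737 documentation range) to list each mask's subnets, report the netmask and broadcast an interface would get, flag addresses that fall on a subnet's network or broadcast address, and show which CIDR blocks a range such as .32 to .255 actually needs.

```python
import ipaddress

# Constructed stand-in for the "A.B.C.0" class C in the thread
# (192.0.2.0/24 is the RFC 5737 documentation range, so it is nobody's real net).
CLASS_C = ipaddress.ip_network("192.0.2.0/24")


def subnet_table(parent, prefix):
    """Carve `parent` into equal subnets of the given prefix length and return,
    for each one, its network, broadcast, netmask and usable host range."""
    rows = []
    for sub in parent.subnets(new_prefix=prefix):
        rows.append({
            "network": str(sub.network_address),
            "broadcast": str(sub.broadcast_address),
            "netmask": str(sub.netmask),
            "first_host": str(sub.network_address + 1),
            "last_host": str(sub.broadcast_address - 1),
            # the network and broadcast addresses are not assignable to hosts
            "usable_hosts": sub.num_addresses - 2,
            # The first subnet's network address and the last subnet's broadcast
            # address are the classful network's own.  A host or router that only
            # understands the class C boundary cannot tell them apart from the
            # whole A.B.C.0, which is the objection Colin raised.
            "ambiguous_on_classful_hosts": (
                sub.network_address == parent.network_address
                or sub.broadcast_address == parent.broadcast_address
            ),
        })
    return rows


def interface_settings(address, prefix):
    """Netmask and broadcast an interface configured as address/prefix gets,
    and whether the address is usable for a host at all: it must be neither
    the subnet's network address nor its broadcast address."""
    iface = ipaddress.ip_interface(f"{address}/{prefix}")
    net = iface.network
    usable = iface.ip not in (net.network_address, net.broadcast_address)
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "usable_host_address": usable,
    }


def covering_blocks(first, last):
    """Smallest set of CIDR blocks that exactly covers first..last.  A range that
    needs more than one block is not a single subnet under any mask, so a router
    has to carry several routes for it (Bob's "multiple subnets" option)."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


if __name__ == "__main__":
    for prefix in (28, 27, 26):          # 255.255.255.240, .224 and .192
        rows = subnet_table(CLASS_C, prefix)
        print(f"/{prefix} ({rows[0]['netmask']}): {len(rows)} subnets, "
              f"{rows[0]['usable_hosts']} usable hosts each")
        for r in rows:
            flag = "   <- subnet zero / all-ones" if r["ambiguous_on_classful_hosts"] else ""
            print(f"  {r['network']:<13} hosts {r['first_host']}-{r['last_host']}"
                  f"  broadcast {r['broadcast']}{flag}")
    # The two bastion interfaces from the diagram, with the mask each segment implies.
    print("eth0 .31 on the .16-.31 segment:", interface_settings("192.0.2.31", 28))
    print("eth1 .32 on the .32-.255 segment:", interface_settings("192.0.2.32", 27))
    print(".16-.31 needs:", covering_blocks("192.0.2.16", "192.0.2.31"))
    print(".32-.255 needs:", covering_blocks("192.0.2.32", "192.0.2.255"))
```

Run as a script it prints the three subnet tables and then shows that, under the masks the diagram's ranges imply, .31 is a broadcast address and .32 a network address, so neither is assignable to an interface as drawn.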
From firewalls-owner Thu Jan 4 19:55:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id TAA24458 for firewalls-outgoing; Thu, 4 Jan 1996 19:21:35 -0800 (PST)
Received: from kinks.eng.usf.edu (kinks.eng.usf.edu [131.247.14.94]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id TAA24453 for ; Thu, 4 Jan 1996 19:21:32 -0800 (PST)
Received: (from black@localhost) by kinks.eng.usf.edu (8.7.1/8.7.1) id WAA07917; Thu, 4 Jan 1996 22:20:49 -0500 (EST)
Date: Thu, 4 Jan 1996 22:20:48 -0500 (EST)
From: James Black
X-Sender: black@kinks
To: firewalls@greatcircle.com
Subject: sorry, wrong heading
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,
  Sorry for sending an improper message, I used the wrong heading.

==========================================================================
James Black (Comp Sci/Comp Eng sophomore)
e-mail: black@eng.usf.edu
http://www.eng.usf.edu/~black/index.html
"An idea that is not dangerous is unworthy of being called an idea at all."
Oscar Wilde
**************************************************************************

From firewalls-owner Thu Jan 4 20:07:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id TAA24490 for firewalls-outgoing; Thu, 4 Jan 1996 19:24:19 -0800 (PST)
Received: from relay.ashton.csc.com (relay.ashton.csc.com [20.2.54.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id TAA24485 for ; Thu, 4 Jan 1996 19:24:15 -0800 (PST)
Received: by relay.ashton.csc.com; id WAA22835; Thu, 4 Jan 1996 22:23:26 -0500
Received: from mccoy.ashton.csc.com(20.2.51.2) by relay.ashton.csc.com via smap (g3.0.1) id sma022831; Thu, 4 Jan 96 22:23:19 -0500
Received: (from ckostick@localhost) by mccoy.ashton.csc.com (8.6.9/8.6.9) id WAA07347; Thu, 4 Jan 1996 22:36:36 -0500
From: Chris Kostick
Message-Id: <199601050336.WAA07347@mccoy.ashton.csc.com>
Subject: Summary of encrypting modems
To: firewalls@greatcircle.com
Date: Thu, 4 Jan 1996 22:36:36 -0500 (EST)
Cc: john.malouf@hksystems.com (John Malouf)
In-Reply-To: <199601031546.KAA18448@relay.ashton.csc.com> from "John Malouf" at Jan 3, 96 08:48:52 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

A summary of encrypting modems and vendors in response to the post I put out.

>Can anyone provide me a list of vendors who make encrypting modems?
>That is, a modem with encryption in hardware rather than software
>on a machine just sending out over a modem.
>
>--
>chris

-- RESPONSE --

Contact Paralon Technologies in Bellview (Sp?) Washington for an 'encrypting
black box' that goes between the modem and the serial port and works with
regular modems... Far cheaper than encrypting modems. It is hardware DES
encryption... with a negotiated session key.

-- RESPONSE --

This is in answer to your request for info on encrypting modems...
I recently received info from a local consulting firm about the SafeNet
solutions from Information Resource Engineering, Inc. (IRE)

All I really have is a brochure, but it gives some numbers etc for contacting
IRE directly. Here you go, I hope this helps.

Information Resource Engineering, Inc.
8029 Corporate Drive
Baltimore, Maryland 21236
(410)931-7500
(410)931-7524 FAX

-- RESPONSE --

the top of the line zyxel does v.34, isdn, and hardware des encryption. don't
know how it negotiates the encryption parameters, so you probably have to use
them in pairs.

-- RESPONSE --

look at http://www.netcomm.com.au/2_produc/smartmdm.htm for the SmartModem
product. it says encryption, but unclear as to how it's implemented.

-- RESPONSE --

Chris,

Here is an old list of Modem Encryption vendors I had. This is old and they
may have combined with another company or moved but here they are. I have
worked with vendors Jones Futurex and Racal-Milgo quite a bit with some of
their products. This is not an endorsement for any of these vendors:

Old Security Modem Vendors List:

Adaptive Computer Technologies, CA    415 324-0121
Anchor Automation, CA                 818 998-6100
AT&T, NJ                              201 221-2200
Bizcomp Corp, CA                      408 733-7800
CASE/Datatel, Inc NJ                  609 424-4451
Cermetek Microelectronics Inc, CA     408 752-5000
Codex Corp, MA                        617 364-2000
Concord Data Systems Inc, MA          508 460-0808
CXR Telcom/Anderson Jacobson, CA      408 435-8520
Data Race, Inc, TX                    512 692-3909
Datec, Inc, NC                        800 334-7722
Digital Pathways, Inc, CA             415 964-0707
Emucom, Inc,                          508 970-1189
Fastcomm Data Corp, VA                703 620-3900
Gandalf Data Inc,                     312 541-6060, 800 GANDALF
Jones Futurex, CA                     916 632-3456
Microcom Inc, MA                      508 551-1000
Natural Microsystems Corp, MA         508 655-0700
NEC America, Inc, CA                  408 433-1250
Octocom Systems, MA                   508 658-6050
Okidata Corp, NJ                      609 235-2600
Prometheus Productions, Inc, OR       503 624-0571
Racal-Milgo, Inc, FL                  305 476-5609, 800 327-4440
Racal-Vadic, Inc CA                   408 946-2227
Singer Data Products Inc, IL          312 860-6500
Transend Corp, CA                     415 851-3402
Tri-Data Systems Inc, CA              408 746-2900
Universal Data Systems, AL            205 721-8000
Visionary Electronics, Inc, CA        415 751-8811
Western DataCom Co, OH                216 835-1510
ZyXEL, CA                             714 693-0808

From firewalls-owner Thu Jan 4 23:56:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id XAA28453 for firewalls-outgoing; Thu, 4 Jan 1996 23:51:17 -0800 (PST)
Received: from bbmail1.unisys.com (bbmail1.unisys.com [192.63.200.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id XAA28448 for ; Thu, 4 Jan 1996 23:51:13 -0800 (PST)
Received: from mvdns1.mv-oc.unisys.com (mvdns1.mv.unisys.com [192.59.253.100]) by bbmail1.unisys.com (8.6.12/8.6.12) with SMTP id HAA14906 for ; Fri, 5 Jan 1996 07:50:31 GMT
Received: by mvdns1.mv-oc.unisys.com (4.1/SMI-4.1-1.8) id AA18074; Thu, 4 Jan 96 23:59:20 PST
From: fw@MV-oc.Unisys.COM (Firewall information)
Message-Id: <9601050759.AA18074@mvdns1.mv-oc.unisys.com>
Subject: Re: Firewall-1 Documentation
To: firewalls@greatcircle.com
Date: Thu, 4 Jan 1996 23:59:18 +57823603 (PST)
In-Reply-To: from "Thierry Boivin" at Nov 30, 95 04:40:12 pm
X-Mailer: ELM [version 2.4 PL21]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Actually I have purchased additional copies of the manual for 1.2 from our
vendor Qualix (415) 572-0200. I don't know if you can buy them without having
purchased the product.

Chris Liebsack
Unisys

>
> >From: F.Wetzels@amc.uva.nl
> >Date: Wed, 29 Nov 1995 09:54:20 +0100
> >Subject: Firewall-1 Documentation
> >To: firewalls@greatcircle.com
> >X-Sun-Charset: US-ASCII
> >Sender: firewalls-owner@GreatCircle.COM
> >Precedence: bulk
> >
> >Hi,
> >
> >I was wondering if there is any documentation about the latest
> >version of the firewall-1 product. I do not mean www.checkpoint.com.
> >(or something like that) but a solid, (now) well written documentation.
> >Or is it delivered on CD? The documentation that came with version
> >1.07 was very poor.
> >
> >
> >
> >Frank.
> >
>
> Extracted from Solstice FireWall-1 (release 1.2.1) Installation and User's
> Guide:
>
> "All solstice fireWall-1 products are separately licensed and require a
> licence password to enable them. The "solstice Firewall-1 Base Pack"
> includes the documentation for all solstice Firewall-1 products as well as
> all basic software components. These products may be used in demonstration
> mode without obtaining a password."
>
> In France, the price of this "Base Pack" is about 220$.
>
>
> _______________________________________________
> Thierry Boivin
> Control Data Toulouse              /\    ~
> 36 rue Jacques Babinet            /  \/\    /\
> 31100 Toulouse (France)          /    \ \  /  \
> Tel:62115432 Fax:61400842       /  o   \ \/    \
> Thierry.Boivin@cdc.com          |      /        \
> _______________________________________________
>
>

From firewalls-owner Fri Jan 5 03:07:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id DAA02432 for firewalls-outgoing; Fri, 5 Jan 1996 03:02:30 -0800 (PST)
Received: from relay-4.mail.demon.net (relay-4.mail.demon.net [158.152.1.64]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id DAA02426 for ; Fri, 5 Jan 1996 03:02:18 -0800 (PST)
Received: from post.demon.co.uk ([158.152.1.72]) by relay-4.mail.demon.net id ab07038; 5 Jan 96 10:57 GMT
Received: from splus.demon.co.uk ([158.152.176.47]) by relay-3.mail.demon.net id aa16290; 5 Jan 96 10:55 GMT
Date: Fri, 5 Jan 1996 10:46:15 GMT
From: Ian Miller
Reply-To: firewalls@splus.demon.co.uk
Message-Id: <44@splus.demon.co.uk>
To: firewalls@greatcircle.com
Subject: Re: Re: Livingston Firewall IRX router -Reply
X-Mailer: FIMail V0.9d
X-User: Alpha Test Version Of FI-Mail, DisWin 1.5C:\WINDOWS\DEMON\WINDIS
Lines: 15
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In your message dated Thursday 4, January 1996 you wrote :

> The only problem I've had is that when I try to set up a filter for ICMP
> type 0 (ECHO REPLY if I read the RFC correctly) it refuses to accept
> that, so I just blocked all ICMP which can be a pain when we have a
> connectivity problem with our ISP.

I noticed this problem too. It does not seem to accept zero as a 'port number',
so you cannot say "eq 0". However it accepts "lt 1" which should be equivalent,
which is what I am using. [Though I haven't actually been able to test the
filter yet.]

Ian
--

From firewalls-owner Fri Jan 5 05:52:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA04647 for firewalls-outgoing; Fri, 5 Jan 1996 05:43:15 -0800 (PST)
Received: from relay6.UU.NET (relay6.UU.NET [192.48.96.16]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id FAA04640 for ; Fri, 5 Jan 1996 05:43:08 -0800 (PST)
Received: from gw.rmcs.cranfield.ac.uk by relay6.UU.NET with SMTP id QQzxfa09454; Fri, 5 Jan 1996 08:42:07 -0500 (EST)
Date: Fri, 5 Jan 1996 13:38:33 GMT
From: Neil
To: firewalls@greatcircle.com
Message-Id: <960105133833.212c@rmcs.cranfield.ac.uk>
Subject: Source Routed Packets
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am currently using, in a trial firewall, a Sun SPARC 10 running a kernel
with IP packet forwarding turned off.

The only problem is that SunOS will still (I believe) allow IP source routed
packets through the bastion host.

Is there a software fix for this available that does not mean buying a
screening Cisco or something like that?

  Yours Aye,

  Neil

* Neil A Carson
* The Royal Military College of Science, Shrivenham
* e-mail carson@rmcs.cranfield.ac.uk
* Address: Kitchener Mess, RMCS, Shrivenham SN6 8LA. Tel: (01793) 784428 (Home)

From firewalls-owner Fri Jan 5 06:52:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA05410 for firewalls-outgoing; Fri, 5 Jan 1996 06:38:33 -0800 (PST)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA05405 for ; Fri, 5 Jan 1996 06:38:29 -0800 (PST)
Received: from pm1-29.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA07804; Fri, 5 Jan 96 09:37:15 -0500
Date: Fri, 5 Jan 96 09:37:15 -0500
Message-Id: <9601051437.AA07804@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Neil
From: frankw@in.net (Frank Willoughby)
Subject: Re: Source Routed Packets
Cc: firewalls@GreatCircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Neil,

>I am currently using, in a trial firewall, a Sun SPARC 10 running a kernel
>with IP packet forwarding turned off.
>
>The only problem is that SunOS will still (I believe) allow IP source
>routed packets through the bastion host.
>

It is difficult to tell which firewall you are evaluating. Can you be more
specific?

>Is there a software fix for this available that does not mean buying a
>screening Cisco or something like that?
>
> Yours Aye,
>
> Neil
>
>* Neil A Carson
>* The Royal Military College of Science, Shrivenham
>* e-mail carson@rmcs.cranfield.ac.uk
>* Address: Kitchener Mess, RMCS, Shrivenham SN6 8LA. Tel: (01793) 784428 (Home)

Best Regards,

Frank

Fortified Networks Inc. - Management & Information Security Consulting
Phone: (317) 573-0800 - http://www.fortified.com/fortified/
The opinions expressed above are of the author and may not necessarily be
representative of Fortified Networks Inc.
From firewalls-owner Fri Jan 5 07:10:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA05861 for firewalls-outgoing; Fri, 5 Jan 1996 07:02:50 -0800 (PST) Received: from mwunix.mitre.org (mwunix.mitre.org [128.29.154.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA05855 for ; Fri, 5 Jan 1996 07:02:46 -0800 (PST) Received: from smiley.sit (smiley.mitre.org [128.29.140.20]) by mwunix.mitre.org (8.6.10/8.6.4) with SMTP id KAA24402 for ; Fri, 5 Jan 1996 10:02:08 -0500 Received: from [128.29.140.130] (mckenney-mac) by smiley.sit (4.1/SMI-4.1) id AA13057; Fri, 5 Jan 96 10:02:02 EST Date: Fri, 5 Jan 96 10:02:01 EST Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@GreatCircle.COM From: mckenney@smiley.mitre.org (Brian W. McKenney) Subject: SSL and S-HTTP Proxy support Cc: mckenney@smiley.mitre.org Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I would like to have an update as to which commercial firewall vendors support or plan to support (when) an SSL and/or S-HTTP proxy. I will post a summary. This is the information that I have: 1. TIS Gauntlet: SSL annd S-HTTP proxies in next release. 2. KarlBridge/KarlBrouter: S-HTTP proxy 3. Milkyway Blackhole: S--HTTP 4. SOS Brimstone: S-HTTP proxy 5. Technologic Interceptor: S-HTTP proxy 6. V-One SmartWall: S-HTTP proxy License versions of TIS Gauntlet will support whatever the next Gauntlet release supports. -Brian Respectfully, Brian W. 
McKenney (mckenney@mitre.org)
Network Security Engineering
The MITRE Corporation Mail Stop: Z-231
7525 Colshire Drive McLean, VA 22102
Voice: 703-883-5463 Fax: 703-883-1245

From firewalls-owner Fri Jan 5 07:55:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA06299 for firewalls-outgoing; Fri, 5 Jan 1996 07:26:10 -0800 (PST)
Received: from colt.milepost.com (colt.milepost.com [164.57.50.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA06294 for ; Fri, 5 Jan 1996 07:26:04 -0800 (PST)
Received: (from phil@localhost) by colt.milepost.com (8.6.12/8.6.9) id JAA08470 for firewalls@GreatCircle.COM; Fri, 5 Jan 1996 09:24:38 -0600
From: Phil Howard
Message-Id: <199601051524.JAA08470@colt.milepost.com>
Subject: Re: Re: Livingston Firewall IRX router -Reply
To: firewalls@GreatCircle.COM
Date: Fri, 5 Jan 1996 09:24:37 -0600 (CST)
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ian Miller writes...

> > The only problem I've had is that when I try to set up a filter for ICMP
> > type 0 (ECHO REPLY if I read the RFC correctly) it refuses to accept
> > that, so I just blocked all ICMP which can be a pain when we have a
> > connectivity problem with our ISP.
>
> I noticed this problem too. It does not seem to accept zero as a 'port number',
> so you cannot say "eq 0". However it accepts "lt 1" which should be equivalent,
> which is what I am using. [Though I haven't actually been able to test the
> filter yet.]

Hmmm. They told me this would be fixed when I reported it over a year ago.

--
Phil Howard KA9WGN    +-------------------------------------------------+
Linux Consultant      | The enemy of my enemy is NOT my friend...       |
Milepost Services     |               ...but he is a convenient ally!
                      |
phil@milepost.com     +-------------------------------------------------+

From firewalls-owner Fri Jan 5 08:07:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA06866 for firewalls-outgoing; Fri, 5 Jan 1996 07:51:36 -0800 (PST)
Received: from bwh.harvard.edu (bwh.harvard.edu [134.174.81.34]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA06847 for ; Fri, 5 Jan 1996 07:51:29 -0800 (PST)
Received: from calloway.bwh.harvard.edu (calloway.bwh.harvard.edu [134.174.81.46]) by bwh.harvard.edu (8.6.9/8.6.9) with ESMTP id KAA27683; Fri, 5 Jan 1996 10:50:51 -0500
From: Adam Shostack
X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School
Received: by calloway.bwh.harvard.edu (8.6.9) id KAA08493; Fri, 5 Jan 1996 10:49:26 -0500
Message-Id: <199601051549.KAA08493@calloway.bwh.harvard.edu>
Subject: Re: Source Routed Packets
To: CARSON@rmcs.cranfield.ac.uk (Neil)
Date: Fri, 5 Jan 1996 10:49:25 -0500 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <960105133833.212c@rmcs.cranfield.ac.uk> from "Neil" at Jan 5, 96 01:38:33 pm
X-PGP: 0xE794DA91 FD3C3450FEB4A0B8 18F2E72CA82D29B8
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You wrote:

| I am currently using, in a trial firewall, a Sun SPARC 10 running a kernel
| with IP packet forwarding turned off.
|
| The only problem is that SunOS will still (I believe) allow IP source
| routed packets through the bastion host.
|
| Is there a software fix for this available that does not mean buying a
| screening Cisco or something like that?

It's a simple kernel modification.

In /usr/sys/`arch/conf/FIREWALL (or whatever you have named your kernel.)

    options "IPFORWARDING=-1"

There is a README in that directory that explains how to rebuild the kernel, if you're not used to doing it, or need a reminder.
In a generic SUNOS kernel, I'd suggest turning off (or considering why you need)

QUOTA: No users, no changes, no need to do quotas.
NFSCLIENT, NFSSERVER: No File Security? Get rid of it.
PCFS: Do you need that floppy for anything other than Tripwire?
IPC (message, semaphore, shmem): Shared memory? Too complex.
TCPdebug: Do you use trpt? Does anything you plan to run on the firewall use it?
RFS, VFSstats: Again, no sharing of disks.
VDDRV (Loadable modules): Unless you have a device that demands them, loadmodule strikes me as more access to the kernel than you want.
WINSVJ: Sunview? You're going to run it?

The snit, pf, and nbuf pseudo-devices should probably go; your firewall is not a sniffer, or a network test device. I'd get rid of audio, too, unless you're using it for a PRNG seed.

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From firewalls-owner Fri Jan 5 10:38:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA09941 for firewalls-outgoing; Fri, 5 Jan 1996 10:23:42 -0800 (PST)
Received: from hosaka.smallworks.com (hosaka.SmallWorks.COM [192.207.126.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA09936 for ; Fri, 5 Jan 1996 10:23:38 -0800 (PST)
Received: by hosaka.smallworks.com (5.x/SMI-SVR4) id AA19436; Fri, 5 Jan 1996 12:07:37 -0600
Date: Fri, 5 Jan 1996 12:07:37 -0600
From: jim@SmallWorks.COM (Jim Thompson)
Message-Id: <9601051807.AA19436@hosaka.smallworks.com>
To: CARSON@rmcs.cranfield.ac.uk, adam@bwh.harvard.edu
Subject: Re: Source Routed Packets
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>You wrote:
>
>It's a simple kernel modification.
>
>In /usr/sys/`arch/conf/FIREWALL (or whatever you have named your
>kernel.)
>
>options "IPFORWARDING=-1"

This won't prevent source routing.
Jim

From firewalls-owner Fri Jan 5 11:07:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA10281 for firewalls-outgoing; Fri, 5 Jan 1996 10:41:04 -0800 (PST)
Received: from hatteras.ch.inri.com (hatteras.ch.inri.com [198.202.184.13]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA10276 for ; Fri, 5 Jan 1996 10:40:33 -0800 (PST)
Received: from assateague (assateague.ch.inri.com [198.202.184.111]) by hatteras.ch.inri.com (8.6.12/8.6.6) with SMTP id NAA00513; Fri, 5 Jan 1996 13:41:08 -0500
Date: Fri, 5 Jan 1996 13:41:08 -0500
Message-Id: <199601051841.NAA00513@hatteras.ch.inri.com>
X-Sender: wlb@hatteras.ch.inri.com
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: mckenney@smiley.mitre.org (Brian W. McKenney)
From: wbunting@ch.inri.com (Bill Bunting)
Subject: Re: SSL and S-HTTP Proxy support
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>I would like to have an update as to which commercial firewall vendors
>support or plan to support (when) an SSL and/or S-HTTP proxy. I will post
>a summary.
>
>This is the information that I have:
>
>1. TIS Gauntlet: SSL and S-HTTP proxies in next release.
>2. KarlBridge/KarlBrouter: S-HTTP proxy
>3. Milkyway Blackhole: S-HTTP
>4. SOS Brimstone: S-HTTP proxy
>5. Technologic Interceptor: S-HTTP proxy
>6. V-One SmartWall: S-HTTP proxy
>
>License versions of TIS Gauntlet will support whatever the next Gauntlet
>release supports.
>
>
> -Brian
>
>Respectfully,
>
>Brian W. McKenney (mckenney@mitre.org)
>Network Security Engineering
>The MITRE Corporation Mail Stop: Z-231
>7525 Colshire Drive McLean, VA 22102
>Voice: 703-883-5463 Fax: 703-883-1245

SSL is not the type of protocol that requires a proxy. SSL is a Secure Sockets Layer API that can be used with any TCP port. For example, you can use SSL to secure a FTP, Telnet, WWW, or any other TCP protocol.
Did TIS really tell you that they have a SSL proxy?? If so, what does it do? Am I missing something?

Best regards,
-Bill.

---------------------------------------
| Bill Bunting, Software Engineer       |            ******
|Inter-National Research Institute, Inc.|      ***_******_ __ _
| 1441 Crossways Boulevard, Suite 102   |   ===//=/\**//=/- )==//=
| Chesapeake, Virginia 23320            |   {==//=//\\//=//||==//==
| V(804)424-8675 F(804)420-4262         |   =//=//==\/*//=||=//===
| (wbunting@inri.com)                   |          *********
| (bunting@cs.odu.edu)                  |            *****
| http://www.cs.odu.edu/~bunting        |
---------------------------------------

From firewalls-owner Fri Jan 5 11:22:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA10654 for firewalls-outgoing; Fri, 5 Jan 1996 10:55:26 -0800 (PST)
Received: from tintagel.kesmai.com (tintagel-out.kesmai.com [199.95.72.66]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA10639 for ; Fri, 5 Jan 1996 10:55:19 -0800 (PST)
Received: by tintagel.kesmai.com; id NAA12279; Fri, 5 Jan 1996 13:52:23 -0500
Received: from muddy.kesmai.com(199.95.75.19) by tintagel.kesmai.com via smap (g3.0.1) id sma012276; Fri, 5 Jan 96 13:52:19 -0500
Received: from sandy_bryant (kespc222.kesmai.com [199.95.75.222]) by muddy.kesmai.com (8.6.12/8.6.9) with SMTP id NAA01907; Fri, 5 Jan 1996 13:53:17 -0500
Date: Fri, 5 Jan 1996 13:53:17 -0500
Message-Id: <199601051853.NAA01907@muddy.kesmai.com>
X-Sender: slb@muddy.kesmai.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: SorG Farkas , firewalls@GreatCircle.COM
From: sandy bryant
Subject: Re: Gauntlet from TIS
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 07:27 PM 1/4/96 -0800, SorG Farkas wrote:
>If any of you has experience with Gauntlet, I would appreciate any info
>about it (if it does what it promises, if it's reliable, any problems you
>encountered, any do's and don'ts, experience with the support from them,
>etc.).
> We are considering it for my company. Thanks a lot.
>
>

We've run one here for about a year. I regard it as sort of one step up the price vs. effort ladder from installing the TIS toolkit yourself - although actually now TIS has ceased upgrading the free toolkit and the last upgrade of GAUNTLET was a significant upgrade which added truly transparent proxies.

I have been happy with it - the proxies are reasonably easy to set up and flexible enough to keep the staff happy behind the firewall. TIS is still small enough that when I call with a problem, I get to talk to someone technical who probably even helped with the development.

For the price, I think it's a good choice.

sandy bryant
kesmai corp.
sandy@kesmai.com

From firewalls-owner Fri Jan 5 11:40:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA11294 for firewalls-outgoing; Fri, 5 Jan 1996 11:21:48 -0800 (PST)
Received: from ns2.cpicorp.com (ns2.cpicorp.com [204.233.170.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA11289 for ; Fri, 5 Jan 1996 11:21:44 -0800 (PST)
Received: (from bkoen@localhost) by ns2.cpicorp.com (8.6.12/8.6.9) id TAA14429; Fri, 5 Jan 1996 19:54:16 -0600
Date: Fri, 5 Jan 1996 19:54:15 -0600 (CST)
From: Bryan Koen
To: firewalls@greatcircle.com
Subject: BorderWare Product
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We are looking possibly at using the Borderware product here at CPI Corp. I would like to know if anybody is currently using this package and what experiences (good/bad) they have had with it.

Thanks,

Bryan Koen
SysAdmin
CPI Corp.
==========================================================================
These opinions are my own and do not reflect in any way on CPI Corporation.
From firewalls-owner Fri Jan 5 11:52:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA11460 for firewalls-outgoing; Fri, 5 Jan 1996 11:25:07 -0800 (PST)
Received: from bwh.harvard.edu (bwh.harvard.edu [134.174.81.34]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA11455 for ; Fri, 5 Jan 1996 11:25:03 -0800 (PST)
Received: from calloway.bwh.harvard.edu (calloway.bwh.harvard.edu [134.174.81.46]) by bwh.harvard.edu (8.6.9/8.6.9) with ESMTP id OAA00459; Fri, 5 Jan 1996 14:24:27 -0500
From: Adam Shostack
X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School
Received: by calloway.bwh.harvard.edu (8.6.9) id OAA09213; Fri, 5 Jan 1996 14:23:02 -0500
Message-Id: <199601051923.OAA09213@calloway.bwh.harvard.edu>
Subject: Re: Source Routed Packets
To: jim@SmallWorks.COM (Jim Thompson)
Date: Fri, 5 Jan 1996 14:23:02 -0500 (EST)
Cc: CARSON@rmcs.cranfield.ac.uk, adam@bwh.harvard.edu, firewalls@GreatCircle.COM
In-Reply-To: <9601051807.AA19436@hosaka.smallworks.com> from "Jim Thompson" at Jan 5, 96 12:07:37 pm
X-PGP: 0xE794DA91 FD3C3450FEB4A0B8 18F2E72CA82D29B8
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jim wrote, responding to me:

| >You wrote:
| >
| >It's a simple kernel modification.
| >
| >In /usr/sys/`arch/conf/FIREWALL (or whatever you have named your
| >kernel.)
| >
| >options "IPFORWARDING=-1"
|
| This won't prevent source routing.

D'oh! I should learn not to post before coffee. :)

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From firewalls-owner Fri Jan 5 12:10:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA11221 for firewalls-outgoing; Fri, 5 Jan 1996 11:17:37 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA11216 for ; Fri, 5 Jan 1996 11:17:33 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-951213) id LAA14767; Fri, 5 Jan 1996 11:15:07 -0800
Received: from unknown(134.127.16.1) by mycroft via smap (V1.3mjr) id sma014754; Fri Jan 5 11:14:33 1996
Received: from baltimore.ssds.com (baltimore.ssds.com [134.127.34.1]) by denver.ssds.com (8.6.9/8.6.9.SSDSnet-hub) with ESMTP id MAA25950; Fri, 5 Jan 1996 12:14:55 -0700
Received: (from mam@localhost) by baltimore.ssds.com (8.6.9/8.6.9.SSDSnet-site) id OAA11953; Fri, 5 Jan 1996 14:14:48 -0500
Date: Fri, 5 Jan 1996 14:14:47 -0500 (EST)
From: Mike Malik -- Dover DE
X-Sender: mam@baltimore
To: Frank Willoughby
cc: Neil , firewalls@GreatCircle.COM
Subject: Re: Source Routed Packets
In-Reply-To: <9601051437.AA07804@su1.in.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Well, all he has to be specific about is the version of Sun OS that he is running. If it is SunOS4.1.X you need to patch the kernel to turn off source routing. (This patch is to the best of my knowledge not supported by SUN.) It can be found in the archives of this mailing list.

If it is Solaris 2.X I have been told you can turn off ip source routing using ndd. I have not verified the part about Solaris.

Mike

 ( ( | (      Mike Malik (mam@ssds.com)
  ) ) (| ), inc.
9841 Broken Land Parkway, Suite 100      business driven
Columbia, MD 21046                       technology solutions
410-381-4313 FAX: 410-381-2170

On Fri, 5 Jan 1996, Frank Willoughby wrote:

> Date: Fri, 5 Jan 96 09:37:15 -0500
> From: Frank Willoughby
> To: Neil
> Cc: firewalls@GreatCircle.COM
> Subject: Re: Source Routed Packets
>
> Neil,
>
>
> >I am currently using, in a trial firewall, a Sun SPARC 10 running a kernel
> >with IP packet forwarding turned off.
> >
> >The only problem is that SunOS will still (I believe) allow IP source
> >routed packets through the bastion host.
> >
>
> It is difficult to tell which firewall you are evaluating. Can you be
> more specific?
>
>
> >Is there a software fix for this available that does not mean buying a
> >screening Cisco or something like that?
> >
> > Yours Aye,
> >
> > Neil
> >
> >* Neil A Carson
> >* The Royal Military College of Science, Shrivenham
> >* e-mail carson@rmcs.cranfield.ac.uk
> >* Address: Kitchener Mess, RMCS, Shrivenham SN6 8LA. Tel: (01793) 784428 (Home)
>
> Best Regards,
>
>
> Frank
> Fortified Networks Inc. - Management & Information Security Consulting
> Phone: (317) 573-0800 - http://www.fortified.com/fortified/
>
>
> The opinions expressed above are of the author and may not
> necessarily be representative of Fortified Networks Inc.
>
>

From firewalls-owner Fri Jan 5 12:20:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA10675 for firewalls-outgoing; Fri, 5 Jan 1996 10:56:06 -0800 (PST)
Received: from SanFrancisco01.POP.InterNex.Net (SanFrancisco01.POP.InterNex.Net [205.158.3.50]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id KAA10670 for ; Fri, 5 Jan 1996 10:56:00 -0800 (PST)
Received: from Anthros.Com ([205.158.235.130]) by SanFrancisco01.POP.InterNex.Net (post.office MTA v1.9.1 ID# 0-11028) with SMTP id AAA10541 for ; Fri, 5 Jan 1996 10:54:41 -0700
Received: from phoebe.Anthros.Com by Anthros.Com (5.0/SMI-SVR4) id AA03549; Fri, 5 Jan 1996 10:53:57 -0800
Received: by phoebe.Anthros.Com (5.x/SMI-SVR4) id AA17178; Fri, 5 Jan 1996 10:51:11 -0800
Date: Fri, 5 Jan 1996 10:51:11 -0800
From: daemeonr@Anthros.Com@Anthros.Com
Message-Id: <9601051851.AA17178@phoebe.Anthros.Com>
To: firewalls@greatcircle.com
Subject: Re: Holes in SunOS sendmail -Reading Root Mail
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The System administrator is incompetent (or more likely a sequence of underpaid wanna-be system administrators whose aggregate value equals one incompetent system admin). It is physically impossible to configure Sendmail to do what you saw, but easy for any root user (and they must be root or had the system hacked by someone who became root - i.e. the Sun security patches were not applied).

Note that we have a thread here that assumes Suns are screwed up. The disadvantages of Suns are that (a) any fool can buy both a machine and a bootleg copy of the OS (b) both are cheap and (c) because of (b) they are common in colleges and university colleges. As a result, there are a bunch of wanna-be (i.e. cheap) admins out there who are screwing up Suns - and Sun gets the bad rap! The OS security holes exist on every system from SCO, IBM or HP.
The difference is that IBM, HP, and SGI customers are less likely to be of the low-life variety, hence more likely to run a professional organization with skilled admins. Note that the vast majority of Sun shops are likewise professionally run, but why do you think your low-price-leader Internet provider is using Suns?

=> From firewalls-owner@GreatCircle.COM Sat Dec 23 18:58 PST 1995
=> Date: Sat, 23 Dec 1995 22:22:55 +0400
=> X-Sender: gscpraba@emirates.net.ae
=> Mime-Version: 1.0
=> To: Doug Hughes
=> From: gscpraba@ns2.emirates.net.ae (G.S.C.Prabhakar (The Sun))
=> Subject: Re: Holes in SunOS sendmail -Reading Root Mail
=> Cc: firewalls@greatcircle.com
=> Sender: firewalls-owner@GreatCircle.COM
=> Content-Type: text/plain; charset="us-ascii"
=>
=> >
=> >
=> >>
=> >>Hello again all,
=> >>
=> >> SunOS sendmail. Apparently there are some holes in it that allow a
=> >>potential cracker to gain root privilege on the host system, and install
=> >>password sniffers etc.
=>
=> >There are so many of such wide variety that it becomes tough to keep
=> >track of them all.
=> >
=> >among them:
=> >syslog buffer overflow gives root access
=> >executing local mailer in a certain way gives root access
=> >probably a race condition or two.
=>
=>
=> In one of the Internet Mail services I log in, the ordinary user can just
=> read all the mail sent to the root. Is the Root Mail box normally kept
=> like that on other systems, or was it a configuration negligence by the systems
=> people ?
=>
=> command to read that mail to root is
=> when this command is given by the normal user
=>
=> cat /var/mail/root
=>
=> Then You can read all the mail sent to the root .
=>
=> Can somebody clarify ?
=>
=> GSC Prabhakar.
=>
=>
=> ****************************************************************************
=> *****
=> " Wishing You a very Merry Christmas and Prosperous New Year 1996"
=>
=> G.S.C.Prabhakar (gscpraba@emirates.net.ae)
=> Internet Consultant & Trainer-
=> P.O.Box 72432
=> Abu Dhabi.
=> United Arab Emirates.
=>
=> Pager : 91-555-304
=> ****************************************************************************
=> *******
=>

From firewalls-owner Fri Jan 5 12:22:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA12988 for firewalls-outgoing; Fri, 5 Jan 1996 12:08:39 -0800 (PST)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id MAA12958 for ; Fri, 5 Jan 1996 12:08:33 -0800 (PST)
Message-Id: <199601052008.MAA12958@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA076902503; Sat, 6 Jan 1996 07:08:23 +1100
From: Darren Reed
Subject: NAT & NFS ?
To: Firewalls@GreatCircle.COM (Firewalls Mailing List)
Date: Sat, 6 Jan 1996 07:08:23 +1100 (EDT)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Is anyone using NFS (or RPC) over a WAN/LAN with a NAT in between the client and server, actively rewriting the addresses in all the packets involved ? If so, have any problems or unexpected situations arisen ?
thanks,
darren

From firewalls-owner Fri Jan 5 13:48:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA13131 for firewalls-outgoing; Fri, 5 Jan 1996 12:13:12 -0800 (PST)
Received: from bluenote.ccrwest.org (bluenote.ccrwest.org [192.203.205.129]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id MAA13126 for ; Fri, 5 Jan 1996 12:13:03 -0800 (PST)
Received: by bluenote.ccrwest.org (4.1/CCRWEST-I1.19) id AA15274; Fri, 5 Jan 96 12:10:44 PST
Received: from ccrwest.ccrwest.org(192.203.205.65) by bluenote.ccrwest.org via smap (V1.3) id sma015272; Fri, 5 Jan 1996 12:10:17 -0800
Received: from poco.ccrwest.org by ccrwest.ccrwest.org (4.1/CCRWEST-2.9) id AA03139; Fri, 5 Jan 96 12:10:17 PST
Received: by poco.ccrwest.org (4.1/ccrwest-1.6) id AA19043; Fri, 5 Jan 96 12:10:15 PST
Date: Fri, 5 Jan 96 12:10:15 PST
From: Rich Schultz
Message-Id: <9601052010.AA19043@poco.ccrwest.org>
To: CARSON@rmcs.cranfield.ac.uk, adam@bwh.harvard.edu, jim@SmallWorks.COM
Subject: Re: Source Routed Packets
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> >It is a simple kernel modification.
> >
> >In /usr/sys/`arch/conf/FIREWALL (or whatever you have named your
> >kernel.)
> >
> >options "IPFORWARDING=-1"
>
> This won't prevent source routing.

Yes and no. If you set this option, the SunOS 4.1.3 kernel will NOT source route from one interface to another, but it will let you source route in and out the same interface. I have confirmed this by reading the code and by throwing source-routed packets at a host configured this way.

This means, if you have one interface connected to the Internet and another connected to your private net, no one can source-route from one net to the other, but they can bounce packets off of your host to make mischief elsewhere.
Rich Schultz
rich@ccrwest.org

From firewalls-owner Fri Jan 5 13:59:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA13050 for firewalls-outgoing; Fri, 5 Jan 1996 12:11:02 -0800 (PST)
Received: from mwunix.mitre.org (mwunix.mitre.org [128.29.154.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id MAA13045 for ; Fri, 5 Jan 1996 12:10:58 -0800 (PST)
Received: from smiley.sit (smiley.mitre.org [128.29.140.20]) by mwunix.mitre.org (8.6.10/8.6.4) with SMTP id PAA00165; Fri, 5 Jan 1996 15:10:21 -0500
Received: from [128.29.140.130] (mckenney-mac) by smiley.sit (4.1/SMI-4.1) id AA01779; Fri, 5 Jan 96 15:10:14 EST
Date: Fri, 5 Jan 96 15:10:14 EST
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: wbunting@ch.inri.com (Bill Bunting)
From: mckenney@smiley.mitre.org (Brian W. McKenney)
Subject: Re: SSL and S-HTTP Proxy support
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>SSL is not the type of protocol that requires a proxy. SSL is a Secure
>Sockets Layer API that can be used with any TCP port. For example, you can
>use SSL to secure a FTP, Telnet, WWW, or any other TCP protocol. Did TIS
>really tell you that they have a SSL proxy?? If so, what does it do?

Dual-homed gateway-based firewalls with IP forwarding disabled need to relay connections between an SSL-enhanced Web browser and server. Hence, an SSL proxy is needed to relay these connections.

Capabilities among SSL proxies may differ. In most cases, SSL proxies may behave just like HTTP proxies in that they (a) can accept/reject connections based on IP addresses and (b) support the logging of connections. Additional functionality may be added to an SSL proxy (e.g., validation of signatures), but this may result in the addition of server code modules on the firewall. This practice conflicts with firewall goals to keep proxies simple and small.
Note that firewall vendors will provide support for an SSL proxy. Netscape provides an SSL proxy today.

From firewalls-owner Fri Jan 5 15:44:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA06730 for firewalls-outgoing; Fri, 5 Jan 1996 15:37:43 -0800 (PST)
Received: from hawk.hcsc.com (hawk.hcsc.com [204.5.22.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA06725 for ; Fri, 5 Jan 1996 15:37:38 -0800 (PST)
Received: from london.hcsc.com by hawk.hcsc.com (5.61/harris-5.1) id AA04458; Fri, 5 Jan 96 18:36:33 -0500
Received: by london.csd.harris.com (5.61/HARRIS-4.0) id AA05401; Fri, 5 Jan 96 23:37:01 GMT
From: jon@london.hcsc.com (Jon Shallow)
Message-Id: <9601052337.AA05401@london.csd.harris.com>
Subject: Re: NAT & NFS ?
To: firewalls-owner@GreatCircle.COM (Darren Reed)
Date: Fri, 5 Jan 96 23:36:30 GMT
In-Reply-To: <199601052008.MAA12958@miles.greatcircle.com>; from "Darren Reed" at Jan 6, 96 7:08 am
X-Mailer: ELM [version 2.2 PL10]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This works fine on the Harris CyberGuard. TCP, UDP, RPC, ICMP all get suitably rewritten - even the ICMP error codes. The 'inside' system can initiate talk to the 'external' system, but the 'external' system has no knowledge of the 'internal' IP address - just the firewall.

>
>
> Is anyone using NFS (or RPC) over a WAN/LAN with a NAT in between the client
> and server, actively rewriting the addresses in all the packets involved ?
> If so, have any problems or unexpected situations arisen ?
>
> thanks,
> darren
>

Regards

Jon

From firewalls-owner Fri Jan 5 16:29:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA07639 for firewalls-outgoing; Fri, 5 Jan 1996 16:14:08 -0800 (PST)
Received: from eagle.wd.cubic.com ([149.63.94.9]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id QAA07634 for ; Fri, 5 Jan 1996 16:14:04 -0800 (PST)
Received: (mischler@localhost) by eagle.wd.cubic.com (8.6.9/8.3) id RAA19347; Fri, 5 Jan 1996 17:09:51 -0800
Date: Fri, 5 Jan 1996 17:09:51 -0800
From: Dave Mischler
Message-Id: <199601060109.RAA19347@eagle.wd.cubic.com>
To: avalon@coombs.anu.edu.au, Firewalls@GreatCircle.COM
Subject: Re: NAT & NFS ?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Is anyone using NFS (or RPC) over a WAN/LAN with a NAT in between the client
> and server, actively rewriting the addresses in all the packets involved ?
> If so, have any problems or unexpected situations arisen ?

I have used IPRoute's NAT to translate NFS client addresses from RFC 1597 addresses to global addresses. The only problems I had were related to the speed of the links (too slow).
You can get IPRoute for evaluation from ftp://ftp.coast.net/SimTel/msdos/network/iprv080.zip

From firewalls-owner Fri Jan 5 16:44:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA08197 for firewalls-outgoing; Fri, 5 Jan 1996 16:39:12 -0800 (PST)
Received: from NYXGATE1.btco.com (gate1.btco.com [198.83.51.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id QAA08188 for ; Fri, 5 Jan 1996 16:39:07 -0800 (PST)
Received: (from mailer@localhost) by NYXGATE1.btco.com (8.7.1/8.6.9) id TAA22834 for ; Fri, 5 Jan 1996 19:38:13 -0500 (EST)
X-Authentication-Warning: NYXGATE1.btco.com: mailer set sender to using -f
Received: from lncsex0003.eu.btco.com(160.82.152.218) by NYXGATE1.btco.com via smap (V1.3) id sma026999; Fri Jan 5 19:37:58 1996
Received: (from news@localhost) by LNCSEX0003.eu.btco.com (8.7.1/BTmail) id AAA30371; Sat, 6 Jan 1996 00:37:59 GMT
To: firewalls@greatcircle.com
Path: newsadm
From: Todd Aven
Newsgroups: btco.list.firewalls
Subject: Patches to BIND 4.9.3 available to support delegation in split-DNS configurations
Date: Sat, 06 Jan 1996 00:32:11 +0000
Organization: Bankers Trust Company
Lines: 48
Message-ID: <30EDC30B.4504@BankersTrust.Com>
NNTP-Posting-Host: lnrasw0001.eu.btco.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 2.0b3 (WinNT; I)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have written small patches to BIND 4.9.3-REL which may prove useful to this audience.

The problem that is solved arises when you configure a DNS server with a 'forwarders' directive to pass queries to the firewall but do not (or can not) make the server authoritative for all internal zones. This happens because the standard BIND code ignores zone delegation records when the server is configured with a list of forwarders.
My solution (not endorsed by Paul Vixie who is going to be working on a much better and more elegant solution) is to add a new directive called 'noforward' which takes a list of domain names which should never be forwarded to the address(es) configured in the 'forwarders' directive.

Consider a typical global organization, say 'nutsnbolts.com', which has a geographically-oriented DNS hierarchy:

    nutsnbolts.com       Core facilities
    na.nutsnbolts.com    North American hosts
    eu.nutsnbolts.com    European hosts
    ap.nutsnbolts.com    Asia/Pacific hosts
    sv.nutsnbolts.com    Services Zone

nutsnbolts.com has proper NS delegation records for na, eu, ap, and sv (all of which are served elsewhere within the organization). Server xyzzy is authoritative for zone nutsnbolts and has a 'forwarders' directive to pass queries to the firewall DNS server.

With standard BIND, a DNS query directed to xyzzy for 'test.eu.nutsnbolts.com' will be sent to the firewall where it probably will be flatly rejected, since the data probably isn't out there in a typical split-DNS configuration. However, with my patches and a 'noforward nutsnbolts.com' directive, the query will be referred or recursed to the server authoritative for 'eu.nutsnbolts.com' and resolved (or not) the way one would expect.

The patches are pretty small (152 lines in total) and pretty easy to inspect. For more complex situations, such as when xyzzy is not authoritative for the top level internal domain or in-addr.arpa domains, use of the experimental 'stub' directive (included in the standard BIND distribution) proves to be a very useful complement to 'noforward'.

Anyone interested in obtaining the patches should email me directly, so as to keep volume on this list to a minimum.
Regards,
Todd.Aven@BankersTrust.Com

From firewalls-owner Fri Jan 5 17:29:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA10255 for firewalls-outgoing; Fri, 5 Jan 1996 17:27:02 -0800 (PST)
Received: from tide10.microsoft.com (tide10.microsoft.com [131.107.3.20]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id RAA10241 for ; Fri, 5 Jan 1996 17:26:50 -0800 (PST)
Received: by tide10.microsoft.com; id RAA24566; Fri, 5 Jan 1996 17:39:02 -0800
Received: from unknown(157.54.17.74) by tide10.microsoft.com via smap (g3.0.3) id xma024518; Fri, 5 Jan 96 17:38:46 -0800
Received: from xnet1 (xnet1.microsoft.com [157.54.17.204]) by imail2.microsoft.com (8.7.1/8.7.1) with SMTP id RAA10982 for ; Fri, 5 Jan 1996 17:28:32 -0800 (PST)
X-Received: from xmtp3 by xnet1 with receive; Fri, 5 Jan 1996 17:25:34 -0800
X-Received: from RED-70-MSG by xmtp3 with recvsmtp; Fri, 5 Jan 1996 17:25:27 -0800
Received: by red-70-msg.itg.microsoft.com with Microsoft Exchange (IMC 4.18.611) id <01BADB92.CCC3C480@red-70-msg.itg.microsoft.com>; Fri, 5 Jan 1996 17:25:25 -0800
Message-ID:
From: "Kurt Buff (Volt Comp)"
To: "firewalls@greatcircle.com"
Subject: RE: Bastion netmask query
Date: Thu, 4 Jan 1996 22:00:01 -0800
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.18.611
X-MsXMTID: xmtp3960106012527RECVSMTP[01.52.00]00000104-23306
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It seems to me that someone with half a brain (not me, I only have 1/4) could write a simple program (PERL, VB, ??) that would take some input (number of nodes, number of segments, network address(es), etc.) and output some reasonable netmasking and segmenting suggestions, including forbidden/unwise host addresses (due to broadcast address conflicts, etc.).

Does anyone know of such a beastie? Or would this really be such a hard thing to write?
Kurt

----------
From: bobk@manzanita.DEV.3Com.COM [SMTP:bobk@manzanita.DEV.3Com.COM]
Sent: Thursday, January 04, 1996 7:34
To: firewalls@greatcircle.com; jonw@mntcmp2.demon.co.uk
Subject: Re: Bastion netmask query

You wrote:
>
> We have a class C of our own A.B.C.0 and are currently configuring the
> network as follows:
>
> Addresses A.B.C.1 to 15
>
> ISP       +-----------+                      +-----------+
> Lease     |  Cisco    |----------------------|  ftp/web  | plus others
> ----      |  2514     |          |           |  machine  | as needed
> Line      |           |----------|           |           |
>           +-----------+          |           +-----------+
>                                  | subnet is A.B.C.16 to 31
>                                  |
>                                  | eth0 A.B.C.31
>                            +-----------+
>                            |  Bastion  | Dual Homed
>                            |  Machine  |
>                            |           |
>                            +-----------+
>                                  | eth1 A.B.C.32
>                                  |
>                                  | subnet is A.B.C.32 to 254
> -------------------|------------------------ Secure Internal
>
> Can anyone confirm what the netmasks and broadcast addresses should be for the
> two bastion ethernet devices.

First of all, these nets are using three different subnet classification schemes. This can cause problems unless carefully managed.

The subnet mask 255.255.255.240 will divide your class C address space into 16 subnets of 15 hosts each:

   A.B.C.0, A.B.C.16, A.B.C.32, A.B.C.48, A.B.C.64, A.B.C.80, A.B.C.96, A.B.C.112,
   A.B.C.128, A.B.C.144, A.B.C.160, A.B.C.176, A.B.C.192, A.B.C.208, A.B.C.224, A.B.C.240.

The subnet mask 255.255.255.224 will effectively divide your class C address space into 8 subnets of 31 hosts each:

   A.B.C.0, A.B.C.32, A.B.C.64, A.B.C.96, A.B.C.128, A.B.C.160, A.B.C.192, A.B.C.224.

The subnet mask 255.255.255.192 will divide your class C into 4 subnets of 63 hosts each:

   A.B.C.0, A.B.C.64, A.B.C.128, A.B.C.192.

It is possible to use different masks on each side of the router and bastion machine, but unless you are careful (or using OSPF) (I don't know how IGRP works), you are asking for trouble by splitting up subnets unevenly.
In addition, you will find that any subnet that is part of a smaller division scheme, but not actually used, must be thrown away if this is done with RIP (RIP V.2 can help some). On the other hand, you may be able to divide up the Class C, and then assign multiple subnets to your larger net, as long as you remember to use the smaller subnet masking scheme, and let the router handle communications between subnets.

I could write a lot more on the subject, but not being sure of your objectives, I'd rather not second-guess you here.

Good luck,
BobK

From firewalls-owner Fri Jan 5 20:29:36 1996
From: cbk@ingress.com (Charles B. Kaplan)
To: Firewalls@GreatCircle.COM
Date: Fri, 5 Jan 1996 23:21:13 -0500
Message-Id: <199601060421.XAA03816@starbase.ingress.com>
Subject: SSL and S-HTTP Proxy support

From what I remember, S-HTTP can be fully negotiated within the 'standard' HTTP ports/protocol. Therefore any proxy supporting HTTP should work with S-HTTP.

Next, while SSL COULD be implemented across multiple protocols, etc., the 'only' widespread use presently is via Netscape, and that makes use of port 443 'normally'. The BorderWare Firewall Server, from BNTI, out of the box proxies ports 80, 8001, 8080, and 443, all when its WWW proxy is enabled. I don't see why, however, you couldn't, say, use plug-gw on port 443 to do the same types of things.
NOTE however, putting your web server inside your firewall, and then proxying to it, is a BIG risk. That of course is why BorderWare provides a 3rd network interface for 'secured servers'.

Well, enough plugging of BorderWare.... if you didn't guess, I resell it.

Anyone care to either verify or correct the above S-HTTP notes?

-Charles Kaplan

for more information on BorderWare call 800-254-7159

From firewalls-owner Fri Jan 5 20:44:34 1996
From: Bill Husler
To: "Paul Ferguson"
Date: Fri, 5 Jan 1996 20:22:58 -0800
Message-Id: <199601060422.UAA17610@odin.community.net>
Subject: Re: Security managing Cisco Routers

>>>At 02:15 PM 12/27/95 GMT, Pietro wrote:
>>>
>>>>My actual problem is to manage several Cisco Routers situated
>>>>on a public network from a central site, from where there is no
>>>>way to guarantee secure communication.
>>>>
>
>>I have heard that Firewall-1 will manage the configurations of CISCO
>>routers remotely. I believe the way it works is that you set up the
>>configuration on a Firewall-1 Administrative Workstation and it sends
>>some sort of encrypted/secured transmission to the router to download the
>>new config.
>>Bill
>>
>
>Although I'm not intimately familiar with the internal mechanisms of
>Firewall-1, I do have a problem with the above paragraph, since we
>do not (yet) support encrypted transport mechanisms.
>:-)
>
>- paul
>
>--
>Paul Ferguson                ||        ||
>Consulting Engineering       ||        ||
>Reston, Virginia  USA       ||||      ||||
>tel: +1.703.716.9538    ..:||||||:..:||||||:..
>e-mail: pferguso@cisco.com   c i s c o  S y s t e m s
>
>

Paul,

You're absolutely right! I talked to our Firewall-1 dudes (actually SUN) and they said that communication is in the clear. I don't know what I heard that made me believe otherwise. Sorry if I muddied the waters.

I also asked them to describe why we should have "warm fuzzies" that the changes being made to the router configuration are indeed being sent from the FW-1 admin and not some admin wannabe. I will post their response.

Bill

From firewalls-owner Fri Jan 5 20:59:35 1996
From: Bill Husler
Date: Fri, 5 Jan 1996 20:46:16 -0800
Message-Id: <199601060446.UAA19237@odin.community.net>
Subject: Re: SSL and S-HTTP Proxy support

>From: Brian W. McKenney, mckenney@smiley.mitre.org
>
>I would like to have an update as to which commercial firewall vendors
>support or plan to support (when) an SSL and/or S-HTTP proxy. I will post
>a summary.
>
>This is the information that I have:
>
>1. TIS Gauntlet: SSL and S-HTTP proxies in next release.
>2. KarlBridge/KarlBrouter: S-HTTP proxy
>3. Milkyway Blackhole: S-HTTP
>4. SOS Brimstone: S-HTTP proxy
>5. Technologic Interceptor: S-HTTP proxy
>6. V-One SmartWall: S-HTTP proxy
>
>License versions of TIS Gauntlet will support whatever the next Gauntlet
>release supports.
>

You can add ANS Interlock to your list.

Bill

From firewalls-owner Fri Jan 5 23:14:35 1996
From: bart@pu.com (Bart Rivard)
To: firewalls@greatcircle.com
Date: Sat, 6 Jan 1996 01:49:18 -0600
Message-Id: <199601060749.BAA16391@NS1.stl.net>
Subject: Steps in building a firewall, Right or Wrong?

Hi,

I think one of the things about building a firewall that has surprised me is how really simple it is. It makes me wonder if I have done something wrong. Many people say use the TIS toolkit, but I really don't see any reason. Here are the steps I have taken; tell me what you think.

1) Installed FreeBSD on a Pentium 100 with 32 MB of RAM and two Ethernet NICs.
2) Configured the kernel such that IP forwarding and source routing are disabled.
3) Deleted all accounts on the system except root.
4) Gave root a password with numbers, letters, uppercase and lowercase, 10 long.
5) Deleted everything out of inetd.conf except DNS.
6) Configured DNS so that the only machines it knows about are a Web server which is in the DMZ and the firewall machine, plus a wildcard MX record.
7) Configured resolv.conf on the firewall to point to the internal network DNS.
8) Turned off source routing on the CISCO 2500 router and added filters which disable all UDP traffic except port DNS/53, and all TCP inbound traffic except SMTP to the firewall, News from a specific news server to the firewall, and HTTP to the web server in the DMZ. Allow all outbound TCP traffic. Thinking about disabling all ICMP traffic on the router; what do you think?
9) Configured CERN web server as a proxy on the firewall using a weird port number. Wrapped the port with TCP Wrappers and only allow access from internal IP addresses. Internal IP addresses are 192.168.0.0 thru 192.168.255.255. Wish I could limit access to the web proxy by network interface, but don't know how?
10) Modified a mail program so that it reads mail from port 25 and writes mail messages to disk. Completely dumb program. Does not handle distribution lists, aliases or anything. I then pick mail up off of disk and send it to the internal CC mail gateway. Was there shareware to do the equivalent? Can sendmail pick mail up off of disk? Is it safe to have sendmail pick mail up off of disk and distribute?
11) Put TCP Wrapper around the news server port to only accept connections from our news provider at AT&T and the internal network. Also use inn access control to limit access from the internal network for reading news and the news provider for dumping news.

Well, that's about it. We provide outbound Web, Gopher, FTP and WAIS through the CERN Proxy. Is this safe? We don't allow any UDP to pass the firewall. We don't allow anything to come in from the outside through the firewall except mail. We don't allow news to pass through the firewall; the firewall doubles as a news server. Is it safe to use a firewall as a news server?

Please comment!! Send all comments to bart@pu.com.
TIA,
Bart

From firewalls-owner Sat Jan 6 05:14:37 1996
From: Paul Ferguson
To: "Kurt Buff (Volt Comp)"
Cc: "firewalls@greatcircle.com"
Date: Sat, 06 Jan 1996 08:09:15 -0500
Message-Id: <199601061308.FAA17555@lint.cisco.com>
Subject: RE: Bastion netmask query

Sure, you could hack something together to do this, but why not simply use RFC-1878 instead?

- paul

At 10:00 PM 1/4/96 -0800, Kurt Buff (Volt Comp) wrote:
>It seems to me that someone with half a brain (not me, I only have 1/4)
>could write a simple program (PERL, VB, ??) that would take some input
>(number of nodes, number of segments, network address(es), etc.) and output
>some reasonable netmasking and segmenting suggestions, including
>forbidden/unwise host addresses (due to broadcast address conflicts, etc.).
>Does anyone know of such a beastie? Or would this really be such a hard
>thing to write?
>
>Kurt
>

--
Paul Ferguson                ||        ||
Consulting Engineering       ||        ||
Reston, Virginia  USA       ||||      ||||
tel: +1.703.716.9538    ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com   c i s c o  S y s t e m s

From firewalls-owner Sat Jan 6 15:05:13 1996
From: jon@london.hcsc.com (Jon Shallow)
To: avalon@coombs.anu.edu.au (Darren Reed)
Cc: firewalls@greatcircle.com
Date: Sat, 6 Jan 96 11:49:05 GMT
Message-Id: <9601061149.AA06276@london.csd.harris.com>
In-Reply-To: <9601060009.AA05624@hawk.hcsc.com>; from "Darren Reed" at Jan 6, 96 11:10 am
Subject: Re: NAT & NFS ?

Darren,

Some NAT definitions I am using to answer your NFS question.

NAT:      The change of an IP address within a packet to hide or withhold IP addresses that are not 'public'. This is implied when proxies are in use, but also is done in the IP layer.
external: One of potentially many interfaces which NATs packets as they pass over the interface.
internal: One of potentially many interfaces which does not NAT packets.
session:  Transmission and receipt of packets, which includes TCP/UDP transmits and ICMP error receipts.

Any packet 'session' can be initiated from internal to external, as the internal host has full visibility of the external address space. The external host will only see packets coming from the firewall. Returned packets will get forwarded (with IP address translated) back to the originator.

Any packet 'session' initiated from external will never get to internal, as there is absolutely no visibility of the internal address space.
The above is true for all TCP, UDP, RPC, and ICMP packets. (For those that do not know, RPC is a protocol using TCP or UDP packets as a carrier. NFS then uses RPC for its communication protocol.)

Now to NFS .....

If an external host has an NFS exported file system, any internal host can mount that file system (as permitted by the normal NFS export rules). If NAT takes place at the IP layer, no extra work or enabling is required at the firewall.

The things to be aware of:

1. The external host will see the NFS read/write etc. activity coming from the firewall IP address, not the internal host IP address. The exports file needs to reflect this.

2. The external host will see the mount request coming from the firewall IP address, and embedded within the mount request RPC packet is the name of the host doing the mount request. The external host will look up this embedded host name, and if the IP address is not the same as the firewall address, the mount request is refused. You will need to 'fake' the internal host's IP address on the external host if the firewall cannot translate the embedded host name.

Regards

Jon

BTW, are there many firewalls out there that can filter on RPC, as NFS through a firewall is scary. Harris CyberGuard can.

> In some mail from Jon Shallow, sie said:
> >
> > This works fine on the Harris CyberGuard. TCP, UDP, RPC, ICMP all get
> > suitably rewritten - even the ICMP error codes.
> >
> > The 'inside' system can initiate talk to the 'external' system, but the
> > 'external' system has no knowledge of the 'internal' IP address - just
> > the firewall.
>
> This doesn't quite answer what I was wondering...
>
> I'm particularly interested in what this means for NFS...does it mean
> your internal systems need to be setup to allow the firewall to NFS to
> them so that external systems can be provided with NFS ?
>
> > > Is anyone using NFS (or RPC) over a WAN/LAN with a NAT in between the client
> > > and server, actively rewriting the addresses in all the packets involved ?
> > > If so, have any problems or unexpected situations arisen ?
>
> darren
>

From firewalls-owner Sat Jan 6 17:44:37 1996
From: "Joe Smith (Really!)"
To: Bart Rivard
Cc: firewalls@GreatCircle.COM
Date: Sat, 6 Jan 1996 19:50:40 -0600 (CST)
In-Reply-To: <199601060749.BAA16391@NS1.stl.net>
Subject: Re: Steps in building a firewall, Right or Wrong?

On Sat, 6 Jan 1996, Bart Rivard wrote:

> 3) Deleted all accounts on the system except root

Unless you are limiting access to the system from the console, I would create one account (secured as you did root) to login to the system, and then su to root to do admin work.
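The router filters from step 8 and the TCP Wrappers restriction from step 9 of Bart's post, transcribed into a first-match filter and checked against constructed traffic. This is an added example, not code from any of the posts; the 203.0.113.x and 198.51.100.x addresses, and the trailing catch-all deny, are assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address
from typing import List, Optional

# Constructed addresses (not from the posts): 203.0.113.0/24 stands in for
# the poster's public block, 198.51.100.7 for the AT&T news feed.
FIREWALL = IPv4Network("203.0.113.2/32")     # assumed bastion address
WEB_DMZ = IPv4Network("203.0.113.10/32")     # assumed DMZ web server
NEWS_FEED = IPv4Network("198.51.100.7/32")   # assumed news provider
INTERNAL = IPv4Network("192.168.0.0/16")     # internal range stated in step 9
ANY = IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    direction: str = "in"      # "in" = from the Internet, "out" = toward it


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    proto: str                 # "tcp", "udp", "icmp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]       # None matches any destination port
    direction: str             # "in", "out" or "any"
    note: str                  # which sentence of step 8 the rule transcribes

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and self.direction in ("any", p.direction)
                and ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and (self.dport is None or self.dport == p.dport))


# Step 8 in first-match order. Like a Cisco access list, the policy ends in
# a catch-all deny (assumed), so anything not listed is dropped; that is what
# happens to ICMP here, which the poster was still deciding about.
ROUTER_POLICY: List[Rule] = [
    Rule("permit", "udp", ANY, FIREWALL, 53, "in", "DNS to the firewall"),
    Rule("deny", "udp", ANY, ANY, None, "any", "all other UDP"),
    Rule("permit", "tcp", ANY, FIREWALL, 25, "in", "SMTP to the firewall"),
    Rule("permit", "tcp", NEWS_FEED, FIREWALL, 119, "in", "NNTP from the news provider"),
    Rule("permit", "tcp", ANY, WEB_DMZ, 80, "in", "HTTP to the DMZ web server"),
    Rule("permit", "tcp", ANY, ANY, None, "out", "all outbound TCP"),
    Rule("deny", "any", ANY, ANY, None, "any", "catch-all deny"),
]


def evaluate(policy: List[Rule], packet: Packet) -> Rule:
    """Return the first rule that matches; the catch-all guarantees one does."""
    for rule in policy:
        if rule.matches(packet):
            return rule
    raise ValueError("policy lacks a catch-all rule")


def wrapper_allows(client_ip: str) -> bool:
    """Step 9's TCP Wrappers check: only internal clients may reach the proxy."""
    return ip_address(client_ip) in INTERNAL


def audit(policy: List[Rule], packets: List[Packet]) -> List[str]:
    """One line per packet, for reviewing a policy against a set of test traffic."""
    lines = []
    for p in packets:
        r = evaluate(policy, p)
        lines.append(f"{r.action:6} {p.proto} {p.src} -> {p.dst}:{p.dport} ({r.note})")
    return lines


if __name__ == "__main__":
    # Constructed test traffic covering each sentence of step 8.
    samples = [
        Packet("udp", "198.51.100.9", "203.0.113.2", 53),
        Packet("udp", "198.51.100.9", "203.0.113.2", 123),
        Packet("tcp", "198.51.100.9", "203.0.113.2", 25),
        Packet("tcp", "198.51.100.7", "203.0.113.2", 119),
        Packet("tcp", "198.51.100.9", "203.0.113.2", 119),
        Packet("tcp", "198.51.100.9", "203.0.113.10", 80),
        Packet("tcp", "203.0.113.2", "198.51.100.9", 80, "out"),
        Packet("icmp", "198.51.100.9", "203.0.113.2"),
    ]
    print("\n".join(audit(ROUTER_POLICY, samples)))
    print("proxy from 192.168.3.4:", wrapper_allows("192.168.3.4"))
```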
From firewalls-owner Sat Jan 6 18:59:37 1996
From: "Server #7000007"
Date: 6 Jan 1996 21:57:29 U
Subject: Undeliverable Mail

Unknown Microsoft mail form. Approximate representation follows.

Message: Firewalls-Digest V5 #7
Sent: Fri, Jan 5, 1996 9:36 PM
To: Harris Tom
On Server: PRC Bellevue NE MS
Date: Sat, Jan 6, 1996 9:57 PM
Reason: Could not be delivered because the destination Microsoft Mail server could not be found.

From firewalls-owner Sun Jan 7 01:44:38 1996
From: "Server #7000007"
Date: 7 Jan 1996 04:51:49 U
Subject: Undeliverable Mail

Unknown Microsoft mail form. Approximate representation follows.
Message: Firewalls-Digest V5 #8
Sent: Sat, Jan 6, 1996 4:30 AM
To: Harris Tom
On Server: PRC Bellevue NE MS
Date: Sun, Jan 7, 1996 4:51 AM
Reason: Could not be delivered because the destination Microsoft Mail server could not be found.

From firewalls-owner Sun Jan 7 05:44:37 1996
From: "Andreas Grau"
To: firewalls@greatcircle.com
Reply-to: grau@muc.de
Date: Sun, 7 Jan 1996 15:12:30 +0100
Message-Id: <96Jan7.141508met.93554-2@vogon.muc.de>
Subject: Off-Topic: Selling Firewalls

Please don't flame me for this (possibly) off-topic question, but I think the best answer for my question is with the members of this great list.

I started working for a VAR of firewalls and other network related products. When it comes to writing proposals, I feel there must be tools to effectively support the selling process:

- how to draw network designs
- how to calculate network topology, e.g. IP-numbers and netmasks
- how to calculate the costs for the equipment (firewalls, routers ...)
- how to ...

How do you network consultants and resellers work out there? How do you make your life easier when it comes to desktop work? I feel there are better tools than M$-Word or Powerpoint to generate good proposals and solutions.
TIA, Andreas
--
Andreas Grau grau@muc.de

From firewalls-owner Sun Jan 7 19:44:39 1996
From: tma@osa.com.au (Tim Adam)
To: firewalls@GreatCircle.COM
Date: Mon, 8 Jan 1996 14:38:04 +1100 (EST)
Message-Id: <9601080338.AA16914@zeus.osa.com.au>
In-Reply-To: <199601051841.NAA00513@hatteras.ch.inri.com> from "Bill Bunting" at Jan 5, 96 01:41:08 pm
Organization: Open Software Associates
Subject: Re: SSL and S-HTTP Proxy support

Bill Bunting writes:
> SSL is not the type of protocol that requires a proxy. SSL is a Secure
> Sockets Layer API that can be used with any TCP port. For example, you can
> use SSL to secure a FTP, Telnet, WWW, or any other TCP protocol. Did TIS
> really tell you that they have a SSL proxy?? If so, what does it do?

See ftp://ds.internic.net/internet-drafts/draft-luotonen-ssl-tunneling-02.txt

Tim.
--
Tim Adam  tma@osa.com.au  http://www.osa.com.au/
Open Software Associates, Melbourne, Australia

From firewalls-owner Sun Jan 7 20:29:39 1996
From: "Marcus J. Ranum"
To: firewalls@greatcircle.com
Reply-To: mjr@switchblade.v-one.com
Organization: V-One Corporation, Baltimore, MD
Date: Sun, 7 Jan 1996 23:17:37 -0500 (EST)
Message-Id: <199601080417.XAA25510@switchblade.v-one.com>
Subject: new home for FAQ, and job openings

The Internet Firewalls FAQ's home has moved once again. I'll be maintaining it now from:

   http://www.v-one.com/pubs/fw-faq/faq.htm

Please update your pointers and web pages if you have hyperlinks.

Also: if you're looking for, or know people who are good who are looking for, work with a hot networking company, please see:

   http://www.v-one.com/misc/news.htm

Thanks!

mjr.
From firewalls-owner Mon Jan 8 00:44:39 1996
From: snoopy@munich.ixos.de
To: gamble@dxcoms.cern.ch
Cc: firewalls@GreatCircle.com, pdetemme@cisco.com
Date: Mon, 08 Jan 1996 09:23:12 +0100
Message-Id: <9601080823.AA02376@polo.ixos.de>
In-Reply-To: Your message of "Thu, 04 Jan 1996 09:24:28 +0100." <9601040824.AA23767@dxcoms.cern.ch>
Subject: Re: Looking for a speaker

Hi there,

I would perhaps do it: I have a brother in Vevey - might be a nice chance to go and visit him. If you pay the travel, I would like to do it. I am the Sysadmin here and I do give tutorials and talks on such subjects...

Love,
Snoopy
--
snoopy@munich.ixos.de
"The USA have Bill Clinton, Stevie Wonder, Bob Hope, Johnny Cash. We have Helmut Kohl - no wonder, no hope, no cash..."
From firewalls-owner Mon Jan 8 02:16:25 1996
From: Kim Wohlert
To: Firewalls@GreatCircle.COM
Date: Mon, 08 Jan 1996 11:11:01 +0100 (MET)
Message-id: <01HZRKLT6HNM0003MC@MAINZ.DK>
Subject: RE: Bastion netmask query

>From: "Kurt Buff (Volt Comp)"
>Date: Thu, 4 Jan 1996 22:00:01 -0800
>Subject: RE: Bastion netmask query
>
>It seems to me that someone with half a brain (not me, I only have 1/4)
>could write a simple program (PERL, VB, ??) that would take some input
>(number of nodes, number of segments, network address(es), etc.) and output
>some reasonable netmasking and segmenting suggestions, including
>forbidden/unwise host addresses (due to broadcast address conflicts, etc.).
>Does anyone know of such a beastie? Or would this really be such a hard
>thing to write?
>

No, and someone did. It is called RFC 1878:

   http://www.internic.net/rfc/rfc1878.txt

T. Pummill, B. Manning, "Variable Length Subnet Table For IPv4", 12/26/1995.
(Pages=8)

-Kim
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Kim Wohlert          |Internet: Kim.Wohlert@mainz.dk
erik mainz a/s       |X.400: c=DK a=DK400 p=Minerva
Dortheavej 7         |       o=mainz s=Wohlert g=Kim
DK-2400 Copenhagen   |Phone: +45 38 34 77 88
Denmark              |Fax:   +45 31 19 16 25
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Books: Virtual Reality unplugged

From firewalls-owner Mon Jan 8 04:14:40 1996
From: guxj@neu.edu.cn (Gu Xinji)
To: firewalls@GreatCircle.com
Date: Mon, 8 Jan 1996 19:53:25 +0800 (CsT)
Message-Id: <9601081153.AA05119@neu.edu.cn>
Subject: Proxy ?

We are going to provide Internet service, and need some kind of packet filtering or proxy services so that the government won't kick us out. My questions are (I only want firewall function for WWW):

1) What kind of machine (Sun's) do I need to install a proxy server on, so that it can support 20,000 users? Or is this possible (one machine)?
2) If I use a SS20 with 128M memory as proxy server, how many users can it support?
3) Would it be better for me to use a Cisco 7500 (or what better?) to filter out certain http addresses than use proxy service? Again, can Cisco support so many users?
4) What kind of proxy product would you recommend for efficiency, and easy operation (especially on client end)?

Thanks in advance.
Xinji Gu
guxj@neu.edu.cn

From firewalls-owner Mon Jan 8 05:33:38 1996
From: John Young
To: firewalls@GreatCircle.com
Cc: frankw@in.net
Date: Mon, 8 Jan 1996 08:25:06 -0500
Message-Id: <199601081325.IAA02811@pipe4.nyc.pipeline.com>
Subject: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting)

Responding to msg by frankw@in.net (Frank Willoughby) on Sun, 7 Jan 11:41 PM

Two clarifications of the post by Frank Willoughby on the TCP/IP attack described in Jonathan Littman's new book:

1. The material posted is directly from Littman's book, not my paraphrase.

2. The attacker has not been proven to be Mitnick, only alleged. Whether it was Mitnick is a principal question of Littman's book.
From firewalls-owner Mon Jan 8 06:50:18 1996
From: "Bob Resino"
To: grau@muc.de, firewalls@GreatCircle.COM
Reply-To: pnh1rgr@mclo10.med.navy.mil
Date: Mon, 8 Jan 1996 09:18:24 +0000
Message-Id: <9601081347.AA15571@dsn20>
Subject: Re: Off-Topic: Selling Firewalls

> Please don't flame me for this (possibly) off-topic question, but I
> think, the best answer for my question is with the members of this great list.
>
> I started working for a VAR of firewalls and other network related
> products. When it comes to writing proposals, I feel there must be
> tools to effectively support the selling process
>
> - how to draw network designs
> - how to calculate network topology, eg. IP-numbers and netmasks
> - how to calculate the costs for the equipment (firewalls, routers ...)
> - how to ...
>
> How do you network consultants and reseller work out there, how do
> you make your life easier when it comes to desktop work. I feel
> there are better tools than M$-Word or Powerpoint to generate good
> proposals and solutions.
>
> TIA, Andreas
> -- Andreas Grau grau@muc.de
>

You might want to think about a CAD package, like Intergraph Microstation or IsiCad. The Microstation product has links to several database formats and there are several cell libraries for data-comms available.
With Windows ODCB, this data can be incorporated into Excel, Word and/or Powerpoint. I have used IsiCad to do network maps and updates for HP OpenView. I guess it depends on what your looking for. Bob Resino (RGR24) Head, MID/Data-telecommunications 804-398-7400 x322 MCLO, HSO, Norfolk, VA (US Navy) Fax 804-398-7265 pnh1rgr@mclo10.med.navy.mil From firewalls-owner Mon Jan 8 07:14:42 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA06745 for firewalls-outgoing; Mon, 8 Jan 1996 07:04:34 -0800 (PST) Received: from emh.ramstein.af.mil (emh.ramstein.af.mil [132.25.130.14]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id HAA06731 for ; Mon, 8 Jan 1996 07:04:29 -0800 (PST) Received: from outgate.ramstein.af.mil by emh.ramstein.af.mil with SMTP (1.37.109.16/16.2) id AA115153485; Mon, 8 Jan 1996 16:04:45 +0100 Received: by outgate.ramstein.af.mil with Microsoft Mail id <30F1B0F4@outgate.ramstein.af.mil>; Mon, 08 Jan 96 16:04:04 PST From: Hescock Brian TSgt 786CS/SCNBN To: firewalls Subject: firewall reviews/comparisons Date: Mon, 08 Jan 96 16:00:00 PST Message-Id: <30F1B0F4@outgate.ramstein.af.mil> X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I just subscribed to your mail list today so please forgive my first question: 1) Which software is required to view the .Z files and where can I get it? 2) I've been searching for information on the best firewall to purchase for our needs and have not come across any reviews/comparisons on which is best (I have a list of all of the firewalls available and their descriptions but not any comparisons). Anyone know of any reviews and where to find them? We require a firewall which would could support a very high throughput so we would probably require a hardware-based firewall. Configuring our front-end router to act as a firewall isn't a practical option. Any information would be appreciated. 
Thanks, Brian Hescock hescockb@86aw4.ramstein.af.mil From firewalls-owner Mon Jan 8 10:01:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA11194 for firewalls-outgoing; Mon, 8 Jan 1996 09:56:09 -0800 (PST) Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id JAA11189 for ; Mon, 8 Jan 1996 09:56:05 -0800 (PST) Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id LAA17201; Mon, 8 Jan 1996 11:55:08 -0600 (CST) Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id LAA17190; Mon, 8 Jan 1996 11:55:03 -0600 (CST) Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id LAA09147; Mon, 8 Jan 1996 11:55:38 -0600 (CST) Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id LAA21565; Mon, 8 Jan 1996 11:55:39 -0600 Date: Mon, 8 Jan 1996 11:55:39 -0600 From: Rick Smith Message-Id: <199601081755.LAA21565@shade.sctc.com> To: firewalls@greatcircle.com Cc: smith@sctc.com, mckenney@smiley.mitre.org Subject: Re: SSL and S-HTTP Proxy support Sender: firewalls-owner@GreatCircle.COM Precedence: bulk mckenney@smiley.mitre.org (Brian W. McKenney) writes: >I would like to have an update as to which commercial firewall vendors >support or plan to support (when) an SSL and/or S-HTTP proxy. I will post >a summary. The answer depends on what you're trying to do. If you're trying to let clients residing on a protected internal net browse an external, less trustworthy net (the Internet) then all the major firewalls should provide similar service, including our Sidewinder. The service is based on a generic proxy that tunnels the traffic through the firewall. Some firewalls (like Sidewinder) can apply access controls as follows: 1) permit/deny traffic according to source IP address. 
2) permit/deny traffic according to destination IP address. 3) restrict to inbound only or outbound only. 4) require login/password from browser. All except 4) are generic proxy controls and not specific to Web service. As far as I know, *nobody* actually cracks the SSL at the firewall and applies access control on the crypto credentials being passed. With today's Netscape browsers, of course, this can only authenticate the server being accessed, not the client. I don't know of anyone doing this with SHTTP, either. If anyone does, I'd be interested to hear what security objectives are involved and what mechanism is used. If, on the other hand, you need to provide Web service to clients on a potentially hostile external network (the Internet) then existing proxy techniques aren't going to protect you much. You need to host the Web service on a platform capable of resisting sophisticated attacks. That's a different problem. Rick. smith@sctc.com secure computing corporation From firewalls-owner Mon Jan 8 10:44:19 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA11383 for firewalls-outgoing; Mon, 8 Jan 1996 10:03:14 -0800 (PST) Received: from emmalani.queens.hawaii.org ([168.105.7.14]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA11365 for ; Mon, 8 Jan 1996 10:02:53 -0800 (PST) Received: from smtp.queens.hawaii.org by emmalani.queens.hawaii.org (AIX 3.2/UCB 5.64/4.03) id AA06154; Mon, 8 Jan 1996 07:50:45 -1000 Received: from QMC-Message_Server by QUEENS.HAWAII.ORG with Novell_GroupWise; Mon, 08 Jan 1996 07:59:11 -1000 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Mon, 08 Jan 1996 07:56:01 -1000 From: DARRYL PANG To: Firewalls@GreatCircle.COM Subject: Firewalls-Digest V5 #8 -Reply Sender: firewalls-owner@GreatCircle.COM Precedence: bulk FYI gang. And "NO" we are NEVER going to use FreeBSD!! Mahalo, DPP. \m/ ^_^ \m/ ++++++++++++++++++++++++++++++++++++ A Manager does the thing right. 
A Leader does the right thing.
++++++++++++++++++++++++++++++++++++

>>> 01/05/96 11:00pm >>>
Firewalls-Digest Saturday, 6 January 1996 Volume 05 : Number 008

In this issue:

SSL and S-HTTP Proxy support
Re: Security managing Cisco Routers
Re: SSL and S-HTTP Proxy support
Steps in building a firewall, Right or Wrong?

See the end of the digest for information on subscribing to the Firewalls or Firewalls-Digest mailing lists and on how to retrieve back issues.

----------------------------------------------------------------------

From: cbk@ingress.com (Charles B. Kaplan)
Date: Fri, 5 Jan 1996 23:21:13 -0500
Subject: SSL and S-HTTP Proxy support

From what I remember S-HTTP can be fully negotiated within the 'standard' HTTP ports/protocol. Therefore any proxy supporting HTTP should work with S-HTTP.

Next, while SSL COULD be implemented across multiple protocols, etc., the 'only' widespread use presently is via Netscape, and that makes use of port 443 'normally'. The BorderWare Firewall Server, from BNTI, out of the box proxies ports 80, 8001, 8080, and 443, all when its WWW proxy is enabled. I don't see why, however, you couldn't say use plug-gw on port 443 to do the same types of things.

NOTE however, putting your web server inside your firewall, and then proxying to it, is a BIG risk. That of course is why BorderWare provides a 3rd network interface for 'secured servers'.

Well, enough plugging of BorderWare....if you didn't guess I resell it.

Anyone care to either verify or correct the above S-HTTP notes?

- -Charles Kaplan
for more information on BorderWare call 800-254-7159

------------------------------

From: Bill Husler
Date: Fri, 5 Jan 1996 20:22:58 -0800
Subject: Re: Security managing Cisco Routers

>>>At 02:15 PM 12/27/95 GMT, Pietro wrote:
>>>
>>>>My actual problem is to manage several Cisco Routers situated
>>>>on a public network from a central site, from where there is no
>>>>way to guarantee secure communication.
>>>>
>
>>I have heard that Firewall-1 will manage the configurations of CISCO
>>routers remotely. I believe the way it works is that you set up the
>>configuration on a Firewall-1 Administrative Workstation and it sends
>>some sort of encrypted/secured transmission to the router to download the
>>new config.
>>Bill
>>
>
>Although I'm not intimately familiar with the internal mechanisms of
>Firewall-1, I do have a problem with the above paragraph, since we
>do not (yet) support encrypted transport mechanisms. :-)
>
>- paul
>
>--
>Paul Ferguson || ||
>Consulting Engineering || ||
>Reston, Virginia USA |||| ||||
>tel: +1.703.716.9538 ..:||||||:..:||||||:..
>e-mail: pferguso@cisco.com c i s c o S y s t e m s
>
>

Paul,

You're absolutely right! I talked to our Firewall-1 dudes (actually SUN) and they said that communication is in the clear. I don't know what I heard that made me believe otherwise. Sorry if I muddied the waters.

I also asked them to describe why we should have "warm fuzzies" that the changes being made to the router configuration are indeed being sent from the FW-1 admin and not some admin wannabe. I will post their response.

Bill

------------------------------

From: Bill Husler
Date: Fri, 5 Jan 1996 20:46:16 -0800
Subject: Re: SSL and S-HTTP Proxy support

>From: Brian W. McKenney, mckenney@smiley.mitre.org
>
>I would like to have an update as to which commercial firewall vendors
>support or plan to support (when) an SSL and/or S-HTTP proxy. I will post
>a summary.
>
>This is the information that I have:
>
>1. TIS Gauntlet: SSL and S-HTTP proxies in next release.
>2. KarlBridge/KarlBrouter: S-HTTP proxy
>3. Milkyway Blackhole: S-HTTP
>4. SOS Brimstone: S-HTTP proxy
>5. Technologic Interceptor: S-HTTP proxy
>6. V-One SmartWall: S-HTTP proxy
>
>License versions of TIS Gauntlet will support whatever the next Gauntlet
>release supports.
>

You can add ANS Interlock to your list.
Bill

------------------------------

From: bart@pu.com (Bart Rivard)
Date: Sat, 6 Jan 1996 01:49:18 -0600
Subject: Steps in building a firewall, Right or Wrong?

Hi,

I think one of the things about building a firewall that has surprised me is how really simple it is. It makes me wonder if I have done something wrong. Many people say use the TIS toolkit but I really don't see any reason. Here are the steps I have taken; tell me what you think.

1) Installed FreeBSD on a Pentium 100 with 32 MB of RAM and two Ethernet NICs.

2) Configured the kernel such that IP forwarding and source routing are disabled.

3) Deleted all accounts on the system except root.

4) Gave root a password with numbers, letters, uppercase and lowercase, 10 long.

5) Deleted everything out of inetd.conf except DNS.

6) Configured DNS so that the only machines it knows about are a Web server which is in the DMZ and the firewall machine, plus a wildcard MX record.

7) Configured resolv.conf on the firewall to point to the internal network DNS.

8) Turned off source routing on the CISCO 2500 router and added filters which disable all UDP traffic except port DNS/53, and all TCP inbound traffic except SMTP to the firewall, News from a specific news server to the firewall, and http to the web server in the DMZ. Allow all outbound TCP traffic. Thinking about disabling all ICMP traffic on the router, what do you think?

9) Configured CERN web server as a proxy on the firewall using a weird port number. Wrapped the port with TCP Wrappers and only allow access from internal IP addresses. Internal IP addresses are 192.168.0.0 thru 192.168.255.255. Wish I could limit access to the web proxy by network interface but don't know how?

10) Modified a mail program so that it reads mail from port 25 and writes mail messages to disk. Completely dumb program. Does not handle distribution lists, aliases or anything. I then pick mail up off of disk and send it to the internal CC mail gateway. Was there shareware to do the equivalent? Can sendmail pick mail up off of disk? Is it safe to have sendmail pick mail up off of disk and distribute?

11) Put TCP Wrapper around the news server port to only accept connections from our news provider at AT&T and the internal network. Also use inn access control to limit access from the internal network for reading news and the news provider for dumping news.

Well, that's about it. We provide outbound Web, Gopher, FTP and WAIS through the CERN Proxy. Is this safe? We don't allow any UDP to pass the firewall. We don't allow anything to come in from the outside through the firewall except mail. We don't allow news to pass through the firewall, but the firewall doubles as a news server. Is it safe to use a firewall as a news server?

Please comment!! Send all comments to bart@pu.com.

TIA,
Bart

------------------------------

End of Firewalls-Digest V5 #8
*****************************

To unsubscribe from Firewalls-Digest, send the following command in the body of a message to "Majordomo@GreatCircle.COM":

unsubscribe firewalls-digest

To subscribe, send the command "subscribe firewalls-digest" instead.

If you want to subscribe or unsubscribe something other than the account the mail is coming from, such as a local redistribution list, then append that address to the command; for example, to subscribe "local-firewalls":

subscribe firewalls-digest local-firewalls@your.domain.net

A non-digest (direct mail) version of this list is also available; to subscribe to that instead, replace all instances of "firewalls-digest" in the commands above with "firewalls".

Compressed back issues are available for anonymous FTP from FTP.GreatCircle.COM, in pub/firewalls/digest/vNN.nMMM.Z (where "NN" is the volume number, and "MMM" is the issue number).
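The store-only mail receiver Bart describes in step 10 of the digest above (a program that listens on port 25, writes each message to disk and leaves delivery to a separate pickup process, which is also how fwtk's smap is built) is sketched below as an added Python example. It is not code from the digest or from any poster; the announced host name, the spool file layout and the size limit are assumptions.

```python
"""Store-only SMTP receiver of the kind Bart describes in step 10 (fwtk's smap follows the same
design): speak just enough SMTP to accept a message, write it to a spool directory and stop.
No delivery, no aliases, no relaying, no VRFY/EXPN, so the code on port 25 stays small.
Added example; the host name, spool layout and size limit are assumptions."""
import os
import socketserver
import tempfile
import time
import uuid

HOSTNAME = "fw.example.net"        # assumed name the sink announces
MAX_MESSAGE_BYTES = 1_000_000      # assumed ceiling; bigger messages get a 552


class SmtpSink:
    """One session as a state machine: feed() takes a client line and returns the reply
    (None while a message body is being collected)."""

    def __init__(self, spool_dir):
        self.spool_dir, self.stored = spool_dir, []
        self.greeted = self.quit = self.too_big = False
        self.sender, self.rcpts, self.body = None, [], None   # body is a list only while in DATA

    def greeting(self):
        return f"220 {HOSTNAME} ready"

    def feed(self, line):
        line = line.rstrip("\r\n")
        if self.body is not None:
            return self._body_line(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.greeted = True
            return f"250 {HOSTNAME}"
        if verb == "MAIL":
            if not self.greeted:
                return "503 HELO first"
            self.sender, self.rcpts = _address(arg), []
            return "250 ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 MAIL first"
            self.rcpts.append(_address(arg))
            return "250 ok"
        if verb == "DATA":
            if not self.rcpts:
                return "503 RCPT first"
            self.body, self.too_big = [], False
            return "354 end with ."
        if verb == "QUIT":
            self.quit = True
            return "221 bye"
        return "500 command not recognized"     # VRFY, EXPN, TURN and friends all land here

    def _body_line(self, line):
        if line == ".":                                      # end of message
            if not self.too_big:
                self.stored.append(write_spool(self.spool_dir, self.sender, self.rcpts, self.body))
            reply = "552 message too large" if self.too_big else "250 queued"
            self.sender, self.rcpts, self.body = None, [], None
            return reply
        if line.startswith("."):
            line = line[1:]                                  # undo SMTP dot-stuffing
        if not self.too_big:
            self.body.append(line)
            if sum(len(l) + 1 for l in self.body) > MAX_MESSAGE_BYTES:
                self.too_big, self.body = True, []           # keep reading to the final ".", then refuse
        return None


def _address(arg):
    """Take the path out of 'FROM:<a@b>' or 'TO:<a@b>'; nothing else on the line is trusted."""
    start, end = arg.find("<"), arg.rfind(">")
    return arg[start + 1:end] if 0 <= start < end else arg.split(":", 1)[-1].strip()


def write_spool(spool_dir, sender, rcpts, lines):
    """One file per message: envelope lines, a blank line, the body; renamed into place atomically."""
    os.makedirs(spool_dir, exist_ok=True)
    path = os.path.join(spool_dir, f"{int(time.time())}.{uuid.uuid4().hex}")
    with open(path + ".tmp", "w", encoding="utf-8", newline="\n") as fh:
        fh.write(f"FROM {sender}\n")
        fh.writelines(f"RCPT {r}\n" for r in rcpts)
        fh.write("\n" + "\n".join(lines) + "\n")
    os.rename(path + ".tmp", path)       # the pickup process never sees a half-written file
    return path


def run_session(client_lines, spool_dir=None):
    """Drive one session from a list of client lines (no socket needed); returns (replies, spool paths)."""
    sink = SmtpSink(spool_dir or tempfile.mkdtemp(prefix="smtpsink-"))
    replies = [sink.greeting()]
    for line in client_lines:
        reply = sink.feed(line)
        if reply is not None:
            replies.append(reply)
        if sink.quit:
            break
    return replies, sink.stored


class _Handler(socketserver.StreamRequestHandler):
    def handle(self):
        sink = SmtpSink(self.server.spool_dir)
        self.wfile.write((sink.greeting() + "\r\n").encode())
        while not sink.quit:
            raw = self.rfile.readline()
            if not raw:
                break
            reply = sink.feed(raw.decode("latin-1"))
            if reply is not None:
                self.wfile.write((reply + "\r\n").encode())


if __name__ == "__main__":
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 2525), _Handler)   # port 25 needs root
    srv.spool_dir = "./spool"
    srv.serve_forever()
```

run_session() drives the state machine from a list of lines so it can be exercised without a socket; the socketserver part at the bottom puts the same class on a TCP port. Because the listening process never executes delivery logic, it can drop privileges and run in a chroot once the port is bound, which is the point of splitting receipt from delivery.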
From firewalls-owner Mon Jan 8 13:30:02 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA16064 for firewalls-outgoing; Mon, 8 Jan 1996 13:00:40 -0800 (PST) Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id UAA23625 for ; Sun, 7 Jan 1996 20:42:26 -0800 (PST) Received: from pm4-20.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA17466; Sun, 7 Jan 96 23:41:31 -0500 Date: Sun, 7 Jan 96 23:41:31 -0500 Message-Id: <9601080441.AA17466@su1.in.net> X-Sender: frankw@in.net X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@GreatCircle.com From: frankw@in.net (Frank Willoughby) Subject: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting) Cc: John Young Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The following mail was posted on the Cypherpunks mailing list by John Young (whose name appears on the cc:). I have his permission to post his mail here. John mentioned that he was curious about responses to his posting in this mailing list, so I would like to request that you cc: him in your replies to this thread. Also, John mentioned that the info cited in his posting is extracted from Jonathan Littman's book: Jonathan Littman, an investigative reporter, has published "The Fugitive Game: Online With Kevin Mitnick," Little Brown, 1996. 381 pp. $23.95. ISBN 0-316-52858-7. The relevance of the text to the firewalls mailing list is fairly obvious as it describes the operation of the TCP Sequence Number Prediction Attack used by Mitnick to break into Tsutomu Shimomura's computer. A number of people have sent me mails or called me about my previous postings on TCP Sequence Number Prediction Attacks. This mail should help to fill in some of the blanks on the subject. FWIW, I still maintain that this is a vulnerability in a number of firewalls (but then again, that's another thread). 
Enjoy. Best Regards, Frank PS - Stay tuned to my home page for some interesting free stuff in a day or two. Fortified Networks Inc. - Management & Information Security Consulting Phone: (317) 573-0800 - http://www.fortified.com/fortified/ The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc. ------------8< cut here 8<--------------------------------------------- Return-Path: From: John Young Date: Sun, 7 Jan 1996 15:43:02 -0500 To: cypherpunks@toad.com Subject: Toad Hop Sender: owner-cypherpunks@toad.com Precedence: bulk X-UIDL: 821054482.004 [Before it is publicized, KM describes for Littman the Christmas 1994 attack on Shimomura's systems as a "TCP/IP prediction packet attack." (. . .) below are by Littman.] Three days later, on January 23, Shimomura will describe the attack in a widely distributed public Internet post. IP source address spoofing and TCP/IP sequence number prediction are the technical terms Shimomura uses to describe it, much like Mitnick's description. But his analysis is extremely technical, and even some UNIX security experts find it tough going. That same day, about 2 P.M., CERT will blast out an advisory to its international mailing list of 12,000 Internet sites in the United States, Germany, Australia, the United Kingdom, Japan, and other countries. The vaguely worded report is much less specific than Mitnick's one-minute explanation on the telephone. Most likely, CERT is trying to provide enough detail so Internet sites can protect themselves against future attacks without providing so much detail that it could encourage copycat attacks. On one level, the hack is simple, a clever strike at a basic weakness of the Internet. Computers on the Internet are often programmed to trust other computers. The Internet was created to share information, and the attack on Shimomura, just like the Robert Morris Internet Worm attack seven years before, exploits that trust. 
The Internet has its own way of sending e-mail or files. Messages or files are split into smaller digital chunks or packets, each with its own envelope and address. When each message is sent, it's like a flock of birds that migrates to a planned location and reunites as a flock at the destination. Computers on the Internet often act like great flocks of birds that trust one another too. And all it takes is one enemy bird to infiltrate the flock. . . . On Christmas Day 1994 the attack begins. First, the intruder breaks into a California Internet site that bears the cryptic name toad.com. Working from this machine, the intruder issues seven commands to see who's logged on to Shimomura's workstation, and if he's sharing files with other machines. Finger is one of the common UNIX commands the intruder uses to probe Shimomura's machine. As a security professional Shimomura should have disabled the feature. Finger is so commonly used by hackers to begin attacks that 75 percent of Internet sites, or about 15 million of the more than 20 million Internet users, block its function to increase security. The intruder's making judgment calls on the fly about which commands will help him uncover which machines Shimomura's workstation might trust. He works fast. In six minutes he deduces the pattern of trust between Shimomura's UNIX workstation and an unknown Internet server. Then the automatic spoofing attack begins. It will all be over in sixteen seconds. The prediction packet attack program fires off a flurry of packets to busy out the trusted Internet server so it can't respond. Next, the program sends twenty more packets to Shimomura's UNIX workstation. The program is looking for a pattern in the initial sequence numbers -- the numbers used to acknowledge receipt of data during communications. The program deciphers the returned packets by subtracting each sequence number from the previous one. It notes that each new initial sequence number has grown by exactly 128,000. 
The program has unlocked the sequence number key. Shimomura's machine has to be idle for the attack to succeed. New Internet connections would change the initial sequence number and make it more difficult to predict the key. That's why the hacker attacks on Christmas Day.

The attack program sends packets that appear to be coming from the trusted machine. The packet's return or source address is the trusted machine's Internet address. Shimomura's workstation sends a packet back to the trusted machine with its initial sequence number. But flooded by the earlier flurry of packets, the trusted server is still trying to handle the earlier traffic. It's tangled up. Taking advantage of the gagged server, the attacking program sends a fake acknowledgment. It looks real because it's got the source address of the trusted server, and the correct initial sequence number.

Shimomura's workstation is duped. It believes it's communicating with a trusted server. Now the attacking program tells Shimomura's obedient workstation to trust everyone. It issues the simple UNIX "Echo" command to instruct Shimomura's workstation to trust the entire Internet. At that point, Shimomura's personal and government files are open game to the world.

It's more than a humiliating blow to the security expert. By making Shimomura's machine accessible from any Internet site, the intruder has masked his own location. He can return from anywhere. The hacker can't believe his good luck.

The attack is only successful because Shimomura has not disabled the "R" commands, three basic commands that allow users to remotely log in or execute programs without a password. Tens of thousands of security-conscious Internet sites, representing well over a million users, routinely block access to the R commands to avoid its well publicized abuse by hackers. It takes a few keystrokes and about thirty seconds to shut off the R commands on an Internet server. You don't even have to turn off the machine.
Why didn't Shimomura do it? . . . Mitnick laughs. "He's [Shimomura's] not happy. I have nothing to do with it. I'm just telling you what I hear through the grapevine." [Littman] "Who do you think might have done it?" I ask the likely suspect. "How did he figure it out himself?" "He [Shimomura] realized that somebody had edited his wrapper log, which shows incoming connections. Somebody actually modified those logs, and then he was able to reconstruct what happened through these logs that were mailed to another site unbeknownst to the intruder." Mitnick's actually telling me the evidence Shimomura collected to figure out the attack. The wrapper is supposed to control connections to Shimomura's server and log all connection attempts. It failed to protect Shimomura but still it logged the hacker's spoofed connection, and a copy of the log was e-mailed off-site. "So you were asking me if there's a secure e-mail site?" Mitnick continues, his voice suddenly hard. "My answer is no. This guy in my estimation is the brightest in security on the whole Internet. He blows people like Neil Clift away. I have a lot of respect for this guy. 'Cuz I know a lot about him. He doesn't know anything about me, hopefully, but he's good. "On the Internet, he's one of the best in the world." [pp. 222-25] ----- [KM] "I don't know what his motive is. I don't know the man at all. Alls I know is he's very technical and he's very good at what he does. He's in the top five." [JL] "What makes Shimomura so good?" [M] "When someone penetrates his system he knows what to look for. When you compile a program, it uses external files and libraries. This is the type of guy that would look at the access times of the files to try to figure out what type of program somebody was compiling. The guy's sharp." On UNIX systems it's possible to tell the last time a file was read. 
Mitnick's guessing that Shimomura could determine the type of application that was compiled (converted into the computer's most basic machine language) by examining the date stamps in certain system directories. He's also acknowledging he knows that the intruder compiled a program while he was on Shimomura's machine. Once again, Kevin Mitnick seems to have an amazing amount of detail on how Shimomura analyzes an attack. [M] "He's just very good at -- well, he's a spook. What do you expect? This is only what I hear in the grapevine." ... [L] "But does the grapevine say he's primarily a spook?" [M] "Unknown. He's good in security and he consults with companies like Trusted Information Systems, the people that develop Internet fire walls, and a lot of people in D.C. and the Virginia area." Trusted Information -- the name strikes a bell. Markoff quoted someone from Trusted Information in his front-page "Data Threat" article. [L] "Where is Trusted Information?" [M] "Oh, in Maryland, 301 area code. Baltimore, I believe." [L] "What are some of the Virginia companies Shimomura works with?" [M] "I just have the phone numbers," Mitnick reveals casually. "I haven't called them yet to see." [pp. 252-53] ----- Why not ask John Markoff about the real reason he called me twice this morning? So I ask him about the Shimomura Newsweek story, and the odd reference to cellular phones. He comes back with a stunning revelation. "Somebody hit a different Tsutomu machine last summer and the NSA was pissed," Markoff tells me. "They freaked out. There's no question about it." Why didn't he mention this in his New York Times stories? Why create the false appearance Shimomura was first hacked Christmas Day? "But it was a different machine?" I ask. "Am I being interviewed here?" It strikes me as an odd question. Markoff was the one who called me twice in the space of an hour. Who's interviewing whom? "Let's get on the same wavelength," Markoff suggests. 
"I'm glad to share this stuff with you, but I want to know where it's going to show up. 'Cuz I'm pretty close to Shimo and it's an issue for me." Before I can respond, he starts talking about Shimomura again. "I wrote that profile of Tsutomu because after I mentioned him in the bottom of my story ["Data Threat"] I basically outed him and a million reporters were all over him." "He wasn't happy about that?" "No, Tsutomu loves it," Markoff says. "He's playing his own games. "I'II tell you it's unclear what was taken [referring to the Christmas hack], and point two, I can send you a public posting by an Air Force information warfare guy who described what was taken and their assessment of the damage. "And there are lots of little snips of code that a brilliant hacker could probably use. But Tsutomu's mind works in very cryptic ways. It's not clear that without Tsutomu you're going to be able to do anything with it. "Now in this break-in I don't actually think a lot of stuff was taken." This break-in? Just how many times was Shimomura hacked before Christmas? But I ask a different question. "Why would an Air Force guy post something?" "Oh, Tsutomu," Markoff casually replies. "He produced a lot of software for the Air Force." "Where would he post this?" "Oh, to a mailing list. A lot of people were concerned about what was taken from his [Shimomura's] machine. What they [the hacker] got was a lot of his electronic mail. Some of it's kind of embarrassing. [But] I don't think people are going to find new ways to attack the network based on this particular attack. "There is another issue," Markoff cautions in a serious tone. "Tsutomu is a very sharp guy, and it is not impossible that that was a bait machine, which is why I stayed away from the issue." Is Markoff implying Shimomura, a rumored NSA spy, laid a trap? And what about Markoff's New York Times articles? Were they part of the trap, too? "Think about it for a second," Markoff pauses dramatically. 
"And you get into this wilderness-of-mirrors kind of world. And a lot of people that are writing don't know everything, and I don't know everything. "I've been protecting him [Shimomura] for five years. I get the profile and the [Wall Street] Journal is on him. They don't know how close he is to the military. It would make perfect sense. Who knows what's on the code? The guy is in the counterintelligence business." [pp. 258-60] From firewalls-owner Mon Jan 8 13:34:52 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA16438 for firewalls-outgoing; Mon, 8 Jan 1996 13:21:00 -0800 (PST) Received: from sivka.carrier.kiev.ua (sivka.carrier.kiev.ua [193.125.68.130]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA16423 for ; Mon, 8 Jan 1996 13:20:48 -0800 (PST) Received: from elvisti.kiev.ua (uucp@localhost) by sivka.carrier.kiev.ua (Sendmail 8.who.cares/5) with UUCP id XAA11330 for Firewalls@GreatCircle.COM; Mon, 8 Jan 1996 23:21:00 +0200 Received: from office.elvisti.kiev.ua (office.elvisti.kiev.ua [193.125.28.33]) by spider2.elvisti.kiev.ua (8.6.12/8.ElVisti) with ESMTP id XAA19991 for ; Mon, 8 Jan 1996 23:24:57 +0200 Received: (from stesin@localhost) by office.elvisti.kiev.ua (8.6.12/8.ElVisti) id XAA17001; Mon, 8 Jan 1996 23:24:56 +0200 From: "Andrew V. Stesin" Message-Id: <199601082124.XAA17001@office.elvisti.kiev.ua> Subject: Re: Firewalls-Digest V5 #8 -Reply To: DPANG@QUEENS.HAWAII.ORG (DARRYL PANG) Date: Mon, 8 Jan 1996 23:24:55 +0200 (EET) Cc: Firewalls@GreatCircle.COM In-Reply-To: from "DARRYL PANG" at Jan 8, 96 07:56:01 am X-Mailer: ELM [version 2.4 PL24alpha5] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, # # FYI gang. And "NO" we are NEVER going to use # FreeBSD!! # Wouldn't you mind commenting your point with a bit more details, please? # # Mahalo, DPP. \m/ ^_^ \m/ # # ++++++++++++++++++++++++++++++++++++ # A Manager does the thing right. 
# A Leader does the right thing.
# ++++++++++++++++++++++++++++++++++++
#

[... the only mention of FreeBSD here -- a story from bart@pu.com -- skipped; what's wrong with it, anyway? ...]

--
With best regards -- Andrew Stesin.
+380 (44) 2760188
+380 (44) 2713457
+380 (44) 2713560

An undocumented feature is a coding error.

From firewalls-owner Mon Jan 8 18:14:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA22203 for firewalls-outgoing; Mon, 8 Jan 1996 18:08:58 -0800 (PST)
Received: from mercury.tdb.gov.sg ([202.42.225.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id SAA22198 for ; Mon, 8 Jan 1996 18:08:53 -0800 (PST)
Received: (from mail@localhost) by mercury.tdb.gov.sg (8.6.12/8.6.12) id KAA08391 for ; Tue, 9 Jan 1996 10:08:07 +0800
Received: from smtpgw.tdb.gov.sg(202.42.225.225) by mercury.tdb.gov.sg via smap (V1.3) id sma015554; Tue Jan 9 10:07:49 1996
Received: by smtpgw.tdb.gov.sg with Microsoft Mail id <30F2AF7E@smtpgw.tdb.gov.sg>; Tue, 09 Jan 96 10:10:06 PST
From: James Soh
To: "'smtp:Firewalls@GreatCircle.COM'"
Subject: Fw License
Date: Tue, 01 Jan 80 17:44:00 PST
Message-ID: <30F2AF7E@smtpgw.tdb.gov.sg>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Is the FW license based on the number of internal IP addresses it protects? If our organisation has exceeded this IP protection, according to sources it is unenforceable now; how will the FW behave?

Thanks.
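The Littman excerpt in the Willoughby/Young message earlier in this thread ("Mitnick & the TCP Sequence Number Attack on Shimomura") describes three ingredients: initial sequence numbers that grow by a fixed 128,000 per connection, a trusted host kept too busy to answer, and r-commands that trust the peer address alone. The Python model below, an added example that is not from the book or from the posts, puts those pieces together: it predicts the next ISN from a few probes, completes a handshake blind under a spoofed address, and then pushes `+ +` into .rhosts. Host names, ports and the RFC 1948-style keyed generator used for comparison are assumptions.

```python
"""Model of the attack in the Littman excerpt: a server whose initial sequence numbers (ISNs)
grow by a fixed 128,000 per connection lets a blind attacker finish a TCP handshake while
claiming the address of a host the server's r-commands trust.  Added example; the names,
ports and the RFC 1948-style alternative generator are assumptions, not from the book."""
import hashlib
import secrets

MOD = 1 << 32


class FixedStepIsn:
    """Generator as described in the excerpt: each new connection gets the last ISN + 128,000."""

    def __init__(self, start=0x12345678, step=128_000):
        self.value, self.step = start, step

    def isn(self, local, remote):
        v, self.value = self.value, (self.value + self.step) % MOD
        return v


class KeyedIsn:
    """RFC 1948-style generator: ISN = counter + H(secret, connection 4-tuple).  ISNs the attacker
    collects on its own connections say nothing about the ISN given to a spoofed one."""

    def __init__(self, secret=None, step=128_000):
        self.secret = secret if secret is not None else secrets.token_bytes(16)
        self.counter, self.step = 0, step

    def isn(self, local, remote):
        h = hashlib.sha256(self.secret + repr((local, remote)).encode()).digest()
        v = (self.counter + int.from_bytes(h[:4], "big")) % MOD
        self.counter = (self.counter + self.step) % MOD
        return v


class Server:
    """Victim: handshake bookkeeping plus an rsh-style trust decision made on the peer address."""

    def __init__(self, gen, trusted):
        self.gen, self.trusted = gen, {trusted}
        self.half_open = {}                       # (peer_ip, peer_port) -> our ISN

    def syn(self, src_ip, src_port, their_seq):
        our_isn = self.gen.isn(("server", 513), (src_ip, src_port))
        self.half_open[(src_ip, src_port)] = our_isn
        return {"seq": our_isn, "ack": (their_seq + 1) % MOD}   # the SYN/ACK, routed to src_ip

    def rst(self, src_ip, src_port):
        self.half_open.pop((src_ip, src_port), None)            # peer says "I never sent that SYN"

    def ack(self, src_ip, src_port, ack_num):
        our_isn = self.half_open.pop((src_ip, src_port), None)
        return our_isn is not None and ack_num == (our_isn + 1) % MOD

    def rsh(self, src_ip, cmd):
        if src_ip not in self.trusted:
            return False
        if cmd == 'echo "+ +" >> ~/.rhosts':
            self.trusted.add("*")                               # everyone is trusted now, as in the excerpt
        return True


def predict_next_isn(server, attacker_ip, probes=4):
    """Open a few legitimate connections from our own address and difference the ISNs we are
    handed; one constant delta means the next ISN will be last + delta."""
    isns = [server.syn(attacker_ip, 40000 + i, 1000)["seq"] for i in range(probes)]
    for i in range(probes):
        server.rst(attacker_ip, 40000 + i)                      # tear our own probes down again
    deltas = {(b - a) % MOD for a, b in zip(isns, isns[1:])}
    return (isns[-1] + deltas.pop()) % MOD if len(deltas) == 1 else None


def blind_spoof(server, trusted_ip, attacker_ip, trusted_silenced, interfering_connection=False):
    """Send a SYN claiming trusted_ip, never see the SYN/ACK, complete the handshake with the
    predicted ISN, then issue the rsh command.  Returns True if the server obeyed."""
    guess = predict_next_isn(server, attacker_ip)
    if guess is None:
        return False                                 # no pattern to exploit
    if interfering_connection:
        server.syn("someone-else", 2000, 7)          # another client got in first: prediction is off by one step
    server.syn(trusted_ip, 1023, 5000)               # the SYN/ACK goes to trusted_ip; the attacker never sees it
    if not trusted_silenced:
        server.rst(trusted_ip, 1023)                 # an idle trusted host answers the stray SYN/ACK with RST
    if not server.ack(trusted_ip, 1023, (guess + 1) % MOD):
        return False
    return server.rsh(trusted_ip, 'echo "+ +" >> ~/.rhosts')
```

blind_spoof() fails in the three ways the excerpt mentions or implies: when the trusted host is not silenced and answers the stray SYN/ACK with a RST, when another connection arrives between the probes and the spoofed SYN (the "machine has to be idle" condition), and when the ISN is derived from a secret keyed on the connection 4-tuple, so that probes from the attacker's own address reveal nothing about the ISN handed to the spoofed one.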
From firewalls-owner Mon Jan 8 20:44:43 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id UAA24711 for firewalls-outgoing; Mon, 8 Jan 1996 20:40:48 -0800 (PST) Received: from torres.nixltd.com.au (nautronix.com.au [203.9.79.137]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id UAA24706 for ; Mon, 8 Jan 1996 20:40:42 -0800 (PST) Received: (from uucp@localhost) by torres.nixltd.com.au (8.7.3/8.6.9) id MAA05450 for ; Tue, 9 Jan 1996 12:48:35 +0800 Received: from medusa.nixltd.com.au(192.9.200.15) by torres.nixltd.com.au via smap (V1.3) id sma005447; Tue Jan 9 12:48:08 1996 Received: by medusa.nautronix.com.au (4.1/SMI-4.1) id AA02927; Tue, 9 Jan 96 12:37:56 WST Date: Tue, 9 Jan 96 12:37:56 WST From: carl.johnson@nautronix.com.au (Carl Johnson) Message-Id: <9601090437.AA02927@medusa.nautronix.com.au> To: firewalls@greatcircle.com Subject: ssh Cc: harry.protoolis@nautronix.com.au Sender: firewalls-owner@GreatCircle.COM Precedence: bulk hi all, we're thinking of using ssh to allow users to login to our internal network via our firewall (fwtk), i.e we'll plug outside ssh connections straight thru to an internal machine running the sshd, whereupon the normal ssh authentication will happen. has anyone had (or can think of) any problems/bugs/holes etc with doing this? 
From firewalls-owner Tue Jan 9 01:44:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id BAA00693 for firewalls-outgoing; Tue, 9 Jan 1996 01:25:36 -0800 (PST)
Received: from gw.rmcs.cranfield.ac.uk (gw.rmcs.cranfield.ac.uk [193.63.243.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id BAA00683 for ; Tue, 9 Jan 1996 01:24:00 -0800 (PST)
Date: Tue, 9 Jan 1996 9:22:49 GMT
From: Neil
To: firewalls@greatcircle.com
Message-Id: <960109092249.2abf@rmcs.cranfield.ac.uk>
Subject: RE: firewalls reviews/comparisons
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I just subscribed to your mail list today so please forgive my first
> question:
> 1) Which software is required to view the .Z files and where can I get it?

uncompress will do the trick, it comes as part of any standard unix setup. Do uncompress .

> 2) I've been searching for information on the best firewall to purchase for
> our needs and have not come across any reviews/comparisons on which is
> best (I have a list of all of the firewalls available and their descriptions
> but not any comparisons). Anyone know of any reviews and where to find them?
> We require a firewall which could support a very high throughput so
> we would probably require a hardware-based firewall. Configuring our
> front-end router to act as a firewall isn't a practical option. Any
> information would be appreciated. Thanks,

There was a review of commercial firewalls in (I think) Byte or something like that a little while ago, the machines being the TIS Gauntlet, Border Ware and Firewall 1. Perhaps someone with a better memory than me can clarify.

> Brian Hescock
> hescockb@86aw4.ramstein.af.mil

Yours Aye,

Neil

* Neil A Carson
* The Royal Military College of Science, Shrivenham
* e-mail carson@rmcs.cranfield.ac.uk
* Address: Kitchener Mess, RMCS, Shrivenham SN6 8LA.
Tel: (01793) 784428 (Home)

From firewalls-owner Tue Jan 9 04:14:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA03324 for firewalls-outgoing; Tue, 9 Jan 1996 04:02:34 -0800 (PST)
Received: from ranma.coc.powell-river.bc.ca ([204.174.4.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id EAA03319 for ; Tue, 9 Jan 1996 04:02:22 -0800 (PST)
Received: (from fubar@localhost) by ranma.coc.powell-river.bc.ca (8.6.9/8.6.9) id EAA05318; Tue, 9 Jan 1996 04:41:32 -0800
Date: Tue, 9 Jan 1996 04:41:30 -0800
From: Failed Uni-Bus Address Register
Subject: IP/Port Filtering. (Was Re: SSL and S-HTTP Proxy support)
To: firewalls@GreatCircle.COM
In-Reply-To: <199601081755.LAA21565@shade.sctc.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 8 Jan 1996, Rick Smith wrote:

[Discussion on SSL and other such stuff snipped..]

> The service is based on a generic proxy that tunnels the traffic
> through the firewall. Some firewalls (like Sidewinder) can apply
> access controls as follows:
>
> 1) permit/deny traffic according to source IP address.
> 2) permit/deny traffic according to destination IP address.
> 3) restrict to inbound only or outbound only.
> 4) require login/password from browser.

We have been considering purchasing a firewall for our local ISP, and I've been reading this list trying to glean information on which setup would be best for us. One of the things we're looking for, and it's something I've not seen mentioned here, is the ability to outgoing traffic based on destination IP/PORT AND source IP. The reasoning behind this being the school district here would like to restrict student access to some services, while still allowing the faculty unrestricted access. Is there a setup that will do this? Is this fairly commonplace?

Thanks in advance..
:) Aluve, Warren

---------------------------------------=---------------------------------
= fubar@ranma.coc.powell-river.bc.ca  = Powell River Community Network  =
= Powell River, BC, Canada            = System Development Staff        =
=--------------------------------------=--------------------------------=

From firewalls-owner Tue Jan 9 04:29:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA03480 for firewalls-outgoing; Tue, 9 Jan 1996 04:12:33 -0800 (PST)
Received: from mailgate.ericsson.se (mailgate.ericsson.se [130.100.2.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id EAA03475 for ; Tue, 9 Jan 1996 04:12:23 -0800 (PST)
Received: from poem.emw.ericsson.se (poem.emw.ericsson.se [136.225.97.22]) by mailgate.ericsson.se (8.6.11/1.0) with ESMTP id NAA11541 for ; Tue, 9 Jan 1996 13:11:21 +0100
Received: from shakespeare.emw.ericsson.se (shakespeare.emw.ericsson.se [136.225.97.10]) by poem.emw.ericsson.se (8.6.12/8.6.12) with SMTP id NAA12237 for ; Tue, 9 Jan 1996 13:12:47 +0100
Received: from hathaway.nis.gsunix (hathaway.emw.ericsson.se) by shakespeare.emw.ericsson.se (4.1/LME-DOM-2.2.4) id AA03932; Tue, 9 Jan 96 13:12:24 +0100
Date: Tue, 9 Jan 96 13:12:24 +0100
From: emwmf@emw.ericsson.se (Martin Fredriksson)
Message-Id: <9601091212.AA03932@shakespeare.emw.ericsson.se>
To: firewalls@greatcircle.com
Subject: single service "fw" setup?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We have two networks (net1, net2) which are separated for security reasons. I now face the requirement to be able to share network (floating) licenses between these networks (yes, the legal aspects about this sharing have been taken care of...:-). The license server runs on a Sun machine, and it works by listening to one specified TCP port, over which it receives and answers license requests. It is possible to run several license servers on the same machine, but it has to be the SAME machine (licenses are locked to hostid).
My suggestion, which I would very much appreciate comments to, is to use a dual homed Sun on which I run two instances of the license server, each serving a different port on each of the two interfaces. The Sun is attached to two intermediate networks (fwnet1, fwnet2), which are separated from the production networks (net1, net2) via filtering routers. Something like:

    net1         fwnet1             fwnet2          net2
    !              !                  !              !
    !--- router ---!--- Sun server ---!--- router ---!
    !              !                  !              !

The Sun machine is configured as defensively as possible (no ip forward, no services but the license servers running chroot:ed as unprivileged user, etc). The router filters are as prohibitive as possible, only allowing traffic to the designated license server TCP ports.

I would very much appreciate comments on this suggestion! My main questions are:

(1) Are there any obvious problems with this setup?
(2) Are there any advantages in replacing/complementing the routers with a bastion-host (fwtk/plug-gw type of thing)?
(3) Is there a better solution?

Any tips or comments appreciated!
Thanks,

/// Martin F

From firewalls-owner Tue Jan 9 07:14:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA06207 for firewalls-outgoing; Tue, 9 Jan 1996 06:59:22 -0800 (PST)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA06200 for ; Tue, 9 Jan 1996 06:59:14 -0800 (PST)
Received: from pm1-29.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA17357; Tue, 9 Jan 96 09:57:46 -0500
Date: Tue, 9 Jan 96 09:57:46 -0500
Message-Id: <9601091457.AA17357@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.com
From: frankw@in.net (Frank Willoughby)
Subject: Re: Off-Topic: Selling Firewalls
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>> Please don't flame me for this (possibly) off-topic question, but I
>> think, the best answer for my question is with the members of this great list.
>>

Wouldn't think of it.

>> I started working for a VAR of firewalls and other network related
>> products. When it comes to writing proposals, I feel there must be
>> tools to effectively support the selling process
>>
>> - how to draw network designs

I would recommend a graphics package called VISIO from the Shapeware Corp. (I believe their homepage is http://www.visio.com). Their Windows-based product features "drag and drop" design capability. Another advantage is the fact that it runs on a laptop which makes it easy to update diagrams for customer-specific presentations while on the road (but not while driving). 8^) The product is available in most large computer stores. I don't remember what I paid for the software, but it was worth it in the time it saved me. (The markup on software in Europe is truly abominable). Assuming you know what you want the drawing to look like, you can put together a drawing in @15 minutes.
The stencils for network diagrams are included in the "VISIO for Business Graphics" package which should suffice for what you need to do. They also have a Network diagram package which includes more network stencils for you (again, you probably won't need it).

>> - how to calculate network topology, eg. IP-numbers and netmasks

It really depends on what you want to look at (do you just want to figure out what protocols are out there, or do you want to have it draw a network topology diagram for you). Take a look at Network General, HP, DEC, Sun, etc.

>> - how to calculate the costs for the equipment (firewalls, routers ...)
>> - how to ...

This also depends. Since you are a VAR, you are kind of stuck in your pricing & your ability to be neutral in recommending products to your customers (I don't have this problem). I know many companies (sadly) which have a markup of 200-300% of American products in Europe to take into account the currency fluctuations and keep the product price fairly stable. Don't forget to build a "fudge factor" in figuring out lead times in getting products delivered just in case the equipment doesn't arrive on the day you expect it to (snowstorms, strikes, government shutdowns, etc.).

Another alternative is to tie the price of the equipment to the US dollar costs, add your profit margin, and hope the dollar stays stable enough until your next catalogue comes out. 8^) Given the current value of the dollar (undervalued IMHO), this may be a prudent move for now, anyway, you may want to change later (your mileage may vary, of course). Another thing you can do is to look at your competitor's prices and plot your course from there.

Also, no matter which firewalls, routers, or other equipment you choose, try to find the best security product which represents the best value (including price & ability to provide adequate security) to the customer.
>>
>> How do you network consultants and resellers work out there, how do
>> you make your life easier when it comes to desktop work. I feel
>> there are better tools than M$-Word or Powerpoint to generate good
>> proposals and solutions.
>>
>> TIA, Andreas
>> --
>> Andreas Grau grau@muc.de

Rather than spawn a PC vs Mac vs Workstation thread, I'll just say it just depends on your personal preferences. Two important features in whatever product you select are portability & reliability. You will definitely want to take the computer with you on the road & systems which are taken on the road suffer a fair amount of abuse. Having a system die on the way to a customer site won't work wonders for your image. BTW, don't forget to take into consideration the physical weight of the computer you are going to carry through airports, parking lots, endless corridors, etc. Laptop-size computers are truly wonderful devices.

Hope the above helps you get started.

Best Regards,

Frank

Fortified Networks Inc. - Management & Information Security Consulting
Phone: (317) 573-0800 - http://www.fortified.com/fortified/
The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.
From firewalls-owner Tue Jan 9 08:59:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA08356 for firewalls-outgoing; Tue, 9 Jan 1996 08:53:25 -0800 (PST)
Received: from aspensys ([198.77.70.103]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA08351 for ; Tue, 9 Jan 1996 08:53:21 -0800 (PST)
Received: from smtpinet.aspensys.com (smtpgate.aspensys.com) by aspensys (5.0/SMI-SVR4) id AA27172; Tue, 9 Jan 1996 11:46:24 +0500
Received: from ccMail by smtpinet.aspensys.com (SMTPLINK V2.10.08) id AA821218226; Tue, 09 Jan 96 12:09:35 EST
Date: Tue, 09 Jan 96 12:09:35 EST
From: "Jim Meritt"
Message-Id: <9600098212.AA821218226@smtpinet.aspensys.com>
To: firewalls@GreatCircle.com
Subject: charlatan
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

When email is received, some places apparently check a couple of things (from field and ...?) and if they do not match (?) print the error message "You are a charlatan" and do not accept the mail.

What are they checking?

We appear to be a site which doesn't satisfy the checks from some places, and I REALLY want to be able to re-match...
Jim Meritt

From firewalls-owner Tue Jan 9 09:14:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA08547 for firewalls-outgoing; Tue, 9 Jan 1996 09:02:32 -0800 (PST)
Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id JAA08542 for ; Tue, 9 Jan 1996 09:02:28 -0800 (PST)
Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id LAA17121; Tue, 9 Jan 1996 11:01:29 -0600 (CST)
Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id LAA17116; Tue, 9 Jan 1996 11:01:28 -0600 (CST)
Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id LAA00891; Tue, 9 Jan 1996 11:02:04 -0600 (CST)
Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id LAA04266; Tue, 9 Jan 1996 11:02:05 -0600
Date: Tue, 9 Jan 1996 11:02:05 -0600
From: Rick Smith
Message-Id: <199601091702.LAA04266@shade.sctc.com>
To: firewalls@greatcircle.com
Cc: smith@sctc.com, jamessoh@tdb.gov.sg
Subject: Re: Fw License
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

James Soh asks:

>Is the Fw-license based on the number of internal IP addresses it protects?

It probably depends on the vendor. Sidewinder is sold as a device, so the costs are related to the number of Sidewinders bought, not the traffic each one handles.

Does anyone perceive a benefit to sites in charging according to the number of hosts protected? Is there some situation in which such charges might make sense?

Rick.
smith@sctc.com secure computing corporation

From firewalls-owner Tue Jan 9 10:02:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA08349 for firewalls-outgoing; Tue, 9 Jan 1996 08:53:07 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA08344 for ; Tue, 9 Jan 1996 08:53:03 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-951213) id IAA14732; Tue, 9 Jan 1996 08:50:19 -0800
Received: from bprevisora.fin.ec(157.100.183.2) by mycroft via smap (V1.3mjr) id sma014718; Tue Jan 9 08:49:20 1996
Received: from oscar by bprevisora.fin.ec with smtp (Smail3.1.28.1 #8) id m0tZj4R-0001KMC; Tue, 9 Jan 96 10:46 PST
Message-Id:
From: "Oscar Schneegans"
Organization: Banco La Previsora
To: Firewalls@GreatCircle.COM
Date: Tue, 9 Jan 1996 11:01:24 -500
Subject: Where we get it
Reply-to: previco2@previcompu.com.ec
X-mailer: Pegasus Mail/Windows (v1.22)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: mcb@GreatCircle.COM (Michael C. Berch)

We're looking for an Internet security software solution, something like the firewall concept or some other product.

Our basic problem is the matching of the Bank's private IP address (type B) and the Bank's assigned Internet address (type C); regarding the security matter and the possibility of any station inside the private network being allowed to access the Internet world masked with the corresponding type C address.

Atte.

Ing.
Oscar Schneegans

Please contact us as soon as possible.

Thanks a million

Phone: 566100 Ext-Fax :1100 563100 515000
Internet: oscar@bprevisora.fin.ec

From firewalls-owner Tue Jan 9 10:12:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA08272 for firewalls-outgoing; Tue, 9 Jan 1996 08:51:16 -0800 (PST)
Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id IAA08259 for ; Tue, 9 Jan 1996 08:51:11 -0800 (PST)
Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id KAA16680; Tue, 9 Jan 1996 10:49:12 -0600 (CST)
Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id KAA16676; Tue, 9 Jan 1996 10:49:12 -0600 (CST)
Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id KAA00648; Tue, 9 Jan 1996 10:49:48 -0600 (CST)
Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id KAA03813; Tue, 9 Jan 1996 10:49:49 -0600
Date: Tue, 9 Jan 1996 10:49:49 -0600
From: Rick Smith
Message-Id: <199601091649.KAA03813@shade.sctc.com>
To: firewalls@greatcircle.com
Cc: smith@sctc.com, fubar@ranma.coc.powell-river.bc.ca
Subject: Re: IP/Port Filtering. (Was Re: SSL and S-HTTP Proxy support)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Fubar of Powell River, BC writes:

>We have been considering purchasing a firewall for our local ISP, and
>I've been reading this list trying to glean information on which setup
>would be best for us.
> One of the things we're looking for, and it's
>something I've not seen mentioned here, is the ability to outgoing
>traffic based on destination IP/PORT AND source IP.
> ... Is this fairly commonplace?

The technique isn't hard to implement, so it's probably pretty common. Sidewinder has it.
The only "gotcha" is that a long list of access permissions may eventually bog down the machine.

Note that it only works as long as different classes of users (students, faculty) always use different IP addresses.

Rick.

smith@sctc.com secure computing corporation

From firewalls-owner Tue Jan 9 10:29:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA10093 for firewalls-outgoing; Tue, 9 Jan 1996 10:18:15 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA10081 for ; Tue, 9 Jan 1996 10:18:11 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-951213) id KAA15402; Tue, 9 Jan 1996 10:15:26 -0800
Received: from unknown(206.0.206.200) by mycroft via smap (V1.3mjr) id sma015381; Tue Jan 9 10:14:49 1996
Received: (from kovar@localhost) by taz.nda.com (8.7.3/8.7.3) id KAA14356; Tue, 9 Jan 1996 10:13:32 -0800 (PST)
From: David Kovar
Message-Id: <199601091813.KAA14356@taz.nda.com>
Subject: Re: Fw License
To: jamessoh@tdb.gov.sg (James Soh)
Date: Tue, 9 Jan 1996 10:13:31 -0800 (PST)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <30F2AF7E@smtpgw.tdb.gov.sg> from "James Soh" at Jan 1, 80 05:44:00 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Is the Fw-license based on the number of internal IP addresses it protects?

FW-1 "Light" will protect a 50 node network. FW-1 "Mid" will do 250 hosts. FW-1 is unlimited.

> If our organisation has exceeded this IP protection, according to sources,
> it is unenforceable now, how will the FW behave?

It will complain loudly and fill up your log files while doing so if it detects more than the licensed number of hosts. Sure, you can get around this, but it goes against the license. If you've purchased more than 50 pieces of hardware, you can afford the incremental cost in the FW-1 to protect them.
Add $100 to the cost of each machine and you're there.

-David

From firewalls-owner Tue Jan 9 10:59:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA10711 for firewalls-outgoing; Tue, 9 Jan 1996 10:57:20 -0800 (PST)
Received: from hub.impulse.net (hub.impulse.net [204.188.6.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA10706 for ; Tue, 9 Jan 1996 10:57:17 -0800 (PST)
Received: from home.impulse.net.impulse.net (home.impulse.net [204.188.6.11]) by hub.impulse.net (8.6.12/8.6.12) with SMTP id KAA14288 for ; Tue, 9 Jan 1996 10:57:59 -0800
Date: Tue, 9 Jan 1996 10:57:59 -0800
Message-Id: <199601091857.KAA14288@hub.impulse.net>
X-Sender: lena@hub.impulse.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: lena@hub.impulse.net (Lena Alker)
Subject: weird e-mail
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

TEST MESSAGE

a user on our system rec'd mail sent to this address, just trying to duplicate

/*********************************************************************
lena@impulse.net (Lena Alker, Impulse Engineering, Impulse Internet)
PCB Designer specializing in PCB layout, assembly, and manufacturing
*********************************************************************/

From firewalls-owner Tue Jan 9 11:55:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA11330 for firewalls-outgoing; Tue, 9 Jan 1996 11:14:23 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA11311 for ; Tue, 9 Jan 1996 11:14:18 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-951213) id LAA15845; Tue, 9 Jan 1996 11:11:33 -0800
Received: from su1.in.net(199.0.62.2) by mycroft via smap (V1.3mjr) id sma015839; Tue Jan 9 11:10:46 1996
Received: from pm2-03.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA00580; Tue, 9 Jan 96 14:11:27 -0500
Date: Tue, 9 Jan 96 14:11:27 -0500
Message-Id: <9601091911.AA00580@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.com
From: frankw@in.net (Frank Willoughby)
Subject: Attention Firewall Vendors (user->firewall encryption)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Attention firewall vendors,

If your firewall supports/uses user->firewall encryption, I would appreciate it if you would give me a call at (317) 573-0800 and send me some literature at the following address:

Fortified Networks Inc.
33 Harrowgate Drive
Carmel, IN 46033
USA

The info is necessary for an upcoming project. More details will be given to those who will respond. There is a potential sales opportunity to those who respond.

In the interests of saving my time and yours, please respond only if your firewall supports user->firewall encryption. (It is assumed that your product already supports firewall->firewall encryption). Please feel free to e-mail me or call me at the number listed below.

Thanks in advance for your help.

Best Regards,

Frank

Fortified Networks Inc. - Management & Information Security Consulting
Phone: (317) 573-0800 - http://www.fortified.com/fortified/
The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.
From firewalls-owner Tue Jan 9 12:14:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA12941 for firewalls-outgoing; Tue, 9 Jan 1996 11:32:39 -0800 (PST)
Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id LAA12936 for ; Tue, 9 Jan 1996 11:32:34 -0800 (PST)
Received: from clark.net (clark.net [168.143.0.7]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id OAA02042; Tue, 9 Jan 1996 14:30:50 -0500 (EST)
Received: (from proberts@localhost) by clark.net (8.7.1/8.7.1) id OAA17592; Tue, 9 Jan 1996 14:30:49 -0500 (EST)
Date: Tue, 9 Jan 1996 14:30:49 -0500 (EST)
From: "Paul D. Robertson"
To: Rick Smith
cc: firewalls@GreatCircle.COM
Subject: Re: Fw License
In-Reply-To: <199601091702.LAA04266@shade.sctc.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 9 Jan 1996, Rick Smith wrote:

>
> It probably depends on the vendor. Sidewinder is sold as a device, so
> the costs are related to the number of Sidewinders bought, not the
> traffic each one handles.
>
> Does anyone perceive a benefit to sites in charging according to the
> number of hosts protected? Is there some situation in which such
> charges might make sense?
>

I could *almost* see it for chargeback accounting internally within a company. Internally though I'd see the politics being easier for charging back based on proxy usage, number of IP devices, or some less specific metric which is a little more easily measurable.

I don't see how you would do it with reliability, unless you have a very small setup. Do SNA machines count as protected because there are machines inside the perimeter running IP and SNA? IPX? How many of us have much of an idea how many machines are connected at a given moment, given WAN links, dial-up, laptop users, etc? I have a few networks and network access points at my desk.
Only one device is on the production networks 99% of the time, how do you count the rest? I know there is some merit to having the answers, I just can imagine how you'd (ok, not a really theoretical you, a very untheoretical me) keep a handle on it. Even putting a sniffer on each subnet for three days would take longer than you could keep current, and leave a fairly high margin of error. That margin of error would scare me away from a contract or licence, let alone WAN links, and departments with enough autonomy to merit their very own packet screens.

Also, if you have multiple devices compromising your firewall, is the bastion bearing the brunt of protecting the network? If you buy parts of your firewall strategy on a normal pricing model, and part on machines on the other side, it's going to throw off the dollars when one cost goes up over time, and the others decrease.

Small networks with chargeback accounting are the only place I could see this, and I'd envy the heck out of them :)

Paul.

-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From firewalls-owner Tue Jan 9 12:17:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA12085 for firewalls-outgoing; Tue, 9 Jan 1996 11:25:31 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA11853 for ; Tue, 9 Jan 1996 11:24:52 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-951213) id KAA15686; Tue, 9 Jan 1996 10:51:31 -0800
Received: from cfg.cfg.com(192.84.10.3) by mycroft via smap (V1.3mjr) id sma015682; Tue Jan 9 10:50:44 1996
Received: from p1.cfg.com (p1.cfg.com [192.84.10.11]) by cfg.cfg.com (8.6.11/CFG-950329) with SMTP id KAA07544; Tue, 9 Jan 1996 10:51:10 -0800
Message-Id: <2.2.16.19960109185111.4d7f2ab0@mail.cfg.com>
X-Sender: shc@mail.cfg.com
X-Mailer: Windows Eudora Pro Version 2.2 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 09 Jan 1996 10:51:11 -0800
To: "Jim Meritt"
From: Steve Caine
Subject: Re: charlatan
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 12:09 01/09/96 EST, you wrote:
> When email is received, some places apparently check a couple of
> things (from field and ...?) and if they do not match (?) print the
> error message "You are a charlatan" and do not accept the mail.
>
> What are they checking?

Such sites may be running MMDF's SMTP daemon. It reverses your IP number and makes sure it matches the name you give in the HELO command. If it doesn't, it returns "250 xxx - you are a charlatan" where xxx is the argument you gave in the HELO.

Steve.
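The check Steve describes, written out as an added example (not MMDF's or any mailer's own code): the receiving side resolves the client's IP address back to a name and compares it with the HELO argument, and a second function lets a site in Jim's position see why a remote daemon would call it a charlatan. The PTR table and host names are constructed for the example; a real deployment would replace the table resolver with a DNS lookup.

```python
"""HELO-vs-reverse-DNS check in the style of the MMDF behaviour described
in the thread.  Added example, not MMDF's own code.  CONSTRUCTED_PTR is a
made-up reverse-DNS table standing in for real PTR records."""
from typing import Callable, Dict, Optional, Tuple

# Constructed reverse-DNS data: client IP -> name its PTR record gives.
CONSTRUCTED_PTR: Dict[str, str] = {
    "192.0.2.10": "mail.example.net",
    "192.0.2.20": "relay.example.org",
}

Resolver = Callable[[str], Optional[str]]


def table_resolver(ip: str) -> Optional[str]:
    """Reverse lookup against the constructed table; None means no PTR record."""
    return CONSTRUCTED_PTR.get(ip)


def canonical(name: str) -> str:
    """DNS names compare case-insensitively and a trailing dot is not significant,
    so normalise both sides before comparing (a common source of false mismatches)."""
    return name.strip().rstrip(".").lower()


def check_helo(client_ip: str, helo_arg: str,
               resolve: Resolver = table_resolver) -> Tuple[bool, str]:
    """Receiver side: return (matches, smtp_reply) for a HELO from client_ip.

    On a match the reply is an ordinary 250 greeting.  On a mismatch it is the
    "250 xxx - you are a charlatan" line quoted in the thread, with xxx being
    the HELO argument.  The boolean is returned separately so the caller can
    apply its own policy to a mismatch (log it, reject the session, or ignore).
    """
    ptr = resolve(client_ip)
    if ptr is not None and canonical(ptr) == canonical(helo_arg):
        return True, f"250 {ptr} Hello"
    return False, f"250 {helo_arg} - you are a charlatan"


def diagnose_own_helo(our_ip: str, our_helo: str,
                      resolve: Resolver = table_resolver) -> str:
    """Sender side: explain why a remote MMDF-style daemon would (or would not)
    accept the HELO name this host announces from our_ip."""
    ptr = resolve(our_ip)
    if ptr is None:
        return (f"no PTR record for {our_ip}; remote sites cannot confirm "
                f"the HELO name {our_helo!r}")
    if canonical(ptr) != canonical(our_helo):
        return (f"PTR for {our_ip} is {ptr!r} but HELO announces "
                f"{our_helo!r}; make them agree")
    return f"PTR for {our_ip} matches HELO name {our_helo!r}"


if __name__ == "__main__":
    print(check_helo("192.0.2.10", "mail.example.net"))
    print(check_helo("192.0.2.10", "bogus.example.com"))
    print(diagnose_own_helo("192.0.2.20", "smtpgw.example.org"))
```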
From firewalls-owner Tue Jan 9 12:44:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA12707 for firewalls-outgoing; Tue, 9 Jan 1996 11:27:53 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA12302 for ; Tue, 9 Jan 1996 11:26:18 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-951213) id JAA15247; Tue, 9 Jan 1996 09:56:24 -0800
Received: from hnc.hnc.com(206.79.10.2) by mycroft via smap (V1.3mjr) id sma015243; Tue Jan 9 09:55:37 1996
Received: (from uucp@localhost) by hnc.hnc.com (8.7.1/8.7.1) id KAA07625 for ; Tue, 9 Jan 1996 10:11:30 -0800 (PST)
Received: from serval.hnc.com(206.79.54.2) by hnc.hnc.com via smap (V1.3) id sma007623; Tue Jan 9 10:11:24 1996
Received: from spike.hnc.com (spike.hnc.com [191.9.201.52]) by serval.hnc.com (8.7.1/8.7.1) with ESMTP id KAA01999 for ; Tue, 9 Jan 1996 10:01:29 -0800 (PST)
Received: from fred.hnc.com (fred.hnc.com [191.9.204.7]) by spike.hnc.com (8.7.1/8.7.1) with SMTP id JAA06719 for ; Tue, 9 Jan 1996 09:58:50 -0800 (PST)
Message-Id: <199601091758.JAA06719@spike.hnc.com>
Received: from pcdwl.hnc.com by fred.hnc.com with SMTP (1.38.193.4/16.2) id AA12765; Tue, 9 Jan 1996 10:03:10 -0800
X-Sender: dwl@spike
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 09 Jan 1996 17:58:18 -0800
To: firewalls@greatcircle.com
From: David Loysen
Subject: Re: Off-Topic: Selling Firewalls
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:57 AM 1/9/96 -0500, you wrote:
>>
>>
>>> Please don't flame me for this (possibly) off-topic question, but I
>>> think, the best answer for my question is with the members of this great
>list.
>>>
>
>Wouldn't think of it.
>
>
>>> I started working for a VAR of firewalls and other network related
>>> products. When it comes to writing proposals, I feel there must be
>>> tools to effectively support the selling process
>>>
Stuff Chopped----

Also you can try pinging on your vendors. I think 3Com, Cisco and Bay all have proposal writing software available for their resellers.

dwl@hnc.com                    HNC Software Inc.
David Loysen                   5930 Cornerstone Ct. West
(619) 546-8877 x245            San Diego, CA 92121-3728
fax (619) 452-6524

From firewalls-owner Tue Jan 9 12:59:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA12750 for firewalls-outgoing; Tue, 9 Jan 1996 11:28:04 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA12392 for ; Tue, 9 Jan 1996 11:26:38 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-951213) id JAA15238; Tue, 9 Jan 1996 09:55:24 -0800
Received: from su1.in.net(199.0.62.2) by mycroft via smap (V1.3mjr) id sma015233; Tue Jan 9 09:55:08 1996
Received: from pm4-02.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA27180; Tue, 9 Jan 96 12:55:45 -0500
Date: Tue, 9 Jan 96 12:55:45 -0500
Message-Id: <9601091755.AA27180@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.com
From: frankw@in.net (Frank Willoughby)
Subject: Re: Fw License
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>From the desk of Rick Smith:

>James Soh asks:
>
>>Is the Fw-license based on the number of internal IP addresses it protects?
>
>It probably depends on the vendor. Sidewinder is sold as a device, so
>the costs are related to the number of Sidewinders bought, not the
>traffic each one handles.
>
>Does anyone perceive a benefit to sites in charging according to the
>number of hosts protected? Is there some situation in which such
>charges might make sense?
>
>Rick.
>smith@sctc.com secure computing corporation Some vendors do this as a means to undercut their competitors. They are using the firewall product as a type of software license and use it to scale the price of the firewall (making it dependent on the number of hosts/users it is to support). It is particularly useful in small companies which only have a handful of systems to protect and don't expect any growth anytime soon and/or have very limited budgets. In spite of this, I personally am not in favor of this type of approach. Sudden growth (mergers, acquisitions, etc) could impact the licensing of the firewall & either get the customer in hot water with SPA or the vendor or face a denial-of-service for those extra connections until the customer remembers to get an upgraded license. This could be rather interesting if the person who ordered the firewall or was familiar with the licensing scheme wasn't around when the number of connections exceeded the license & no one else had a clue what was going on. 8^( Best Regards, Frank Fortified Networks Inc. - Management & Information Security Consulting Phone: (317) 573-0800 - http://www.fortified.com/fortified/ The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc. 
From firewalls-owner Tue Jan 9 13:44:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA15802 for firewalls-outgoing; Tue, 9 Jan 1996 13:23:48 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA15642 for ; Tue, 9 Jan 1996 13:23:21 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-951213) id NAA17382; Tue, 9 Jan 1996 13:19:03 -0800
Received: from callisto.eci-esyst.com(199.186.17.2) by mycroft via smap (V1.3mjr) id sma017372; Tue Jan 9 13:18:04 1996
Received: by eci-esyst.com (4.1/SMI-4.1) id AA11587; Tue, 9 Jan 96 16:14:29 EST
Received: from rodney.eci-esyst.com(199.186.17.5) by callisto.eci-esyst.com via smap (V1.3mjr) id sma011558; Tue Jan 9 16:13:36 1996
Received: from qmgate (qmgate.eci-esyst.com) by callisto (4.1/SMI-4.1) id AA02343; Tue, 9 Jan 96 16:14:59 EST
Message-Id:
Date: 9 Jan 1996 16:12:06 -0500
From: "Tim Darnauer"
Subject: smap/smapd question
To: "firewalls*GreatCircle.COM"
X-Mailer: Mail*Link SMTP-QM 3.0.2
Mime-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; Name="Message Body"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

smap/smapd question via Mail*Link(R) for PowerTalk*/QM

The problem is that mail destined for the Internet is queued by sendmail
if the destination host is down. Mail destined for a host on the inside
(protected) network is not queued by sendmail if the internal mail host
is down. Instead I get a "mail loop" and the message is returned to the
sender after 30 hops.

Does anyone know how or why smap, smapd, and sendmail are doing this?
Obviously I have a problem with my configuration but I've run out of
ideas.

Thanks,
Tim

From firewalls-owner Tue Jan 9 13:59:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA15804 for firewalls-outgoing; Tue, 9 Jan 1996 13:23:49 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA15646 for ; Tue, 9 Jan 1996 13:23:22 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-951213) id MAA16933; Tue, 9 Jan 1996 12:41:54 -0800
Received: from bwh.harvard.edu(134.174.81.34) by mycroft via smap (V1.3mjr) id sma016899; Tue Jan 9 12:40:57 1996
Received: from mingus.harvard.edu (mingus.bwh.harvard.edu [134.174.81.51]) by bwh.harvard.edu (8.6.9/8.6.9) with SMTP id PAA18821; Tue, 9 Jan 1996 15:41:35 -0500
From: Adam Shostack
Message-Id: <199601092041.PAA18821@bwh.harvard.edu>
X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School
Subject: Re: Fw License
To: smith@sctc.com (Rick Smith)
Date: Tue, 9 Jan 1996 15:41:12 -0500 (EST)
Cc: firewalls@greatcircle.com (Firewalls mailing list)
In-Reply-To: <199601091702.LAA04266@shade.sctc.com> from "Rick Smith" at Jan 9, 96 11:02:05 am
X-PGP: 0xE794DA91 FD3C3450FEB4A0B8 18F2E72CA82D29B8
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Rick Smith wrote:
| It probably depends on the vendor. Sidewinder is sold as a device, so
| the costs are related to the number of Sidewinders bought, not the
| traffic each one handles.
|
| Does anyone perceive a benefit to sites in charging according to the
| number of hosts protected? Is there some situation in which such
| charges might make sense?

If your firewall is available on a software only basis, then it might
make sense to have a different fee for smaller customers. If a company
with 15 computers has an old 486 around that they want to use to handle
their fractional T1, and your software can use that, then it might be a
cost-effective way to go. There are lots of companies out there who
don't want to spend $1000/computer to protect themselves, which is what
some firewalls can cost over a small set of hosts.

Adam

--
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume

From firewalls-owner Tue Jan 9 18:01:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA23497 for firewalls-outgoing; Tue, 9 Jan 1996 17:50:59 -0800 (PST)
Received: from cbn.cbn.com.sg ([203.120.18.128]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id RAA23492 for ; Tue, 9 Jan 1996 17:50:54 -0800 (PST)
Received: (from ngps@localhost) by cbn.cbn.com.sg (8.6.12/8.6.12) id JAA05351; Wed, 10 Jan 1996 09:44:09 +0800
Date: Wed, 10 Jan 1996 09:44:08 +0800 (SST)
From: Ng Pheng Siong
To: Rick Smith
cc: firewalls@GreatCircle.COM, fubar@ranma.coc.powell-river.bc.ca
Subject: Re: IP/Port Filtering. (Was Re: SSL and S-HTTP Proxy support)
In-Reply-To: <199601091649.KAA03813@shade.sctc.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 9 Jan 1996, Rick Smith wrote:
> Fubar of Powell River, BC writes:
> > One of the things we're looking for, and it's
> >something I've not seen mentioned here, is the ability to outgoing
> >traffic based on destination IP/PORT AND source IP.
>
> The technique isn't hard to implement, so it's probably pretty common.
> Sidewinder has it. The only "gotcha" is that a long list of access
> permissions may eventually bog down the machine.

So how long is long, for Sidewinder, say?

Cheers.
- PS

--
Ng Pheng Siong
NetCentre Pte Ltd * Singapore
Finger for PGP key.
From firewalls-owner Tue Jan 9 19:07:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA23784 for firewalls-outgoing; Tue, 9 Jan 1996 18:05:21 -0800 (PST)
Received: from smtp2.interramp.com (smtp2.interramp.com [38.8.200.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id SAA23779 for ; Tue, 9 Jan 1996 18:05:16 -0800 (PST)
Received: from [38.11.94.121] by smtp2.interramp.com (8.6.12/SMI-4.1.3-PSI-irsmtp) id VAA01342; Tue, 9 Jan 1996 21:04:23 -0500
X-Sender: cd000674@pop3.interramp.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 9 Jan 1996 22:58:01 +0900
To: firewalls@GreatCircle.COM
From: dolphin@interramp.com (Tidewater Cyberfish)
Subject: Re: Fw License
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Some vendors do this as a means to undercut their competitors.

And some do it to better manage the growth of such elements as new
product development, and the product customer support requirements of
different sized organizations.

>They are using the firewall product as a type of software license
>and use it to scale the price of the firewall (making it dependent
>on the number of hosts/users it is to support). It is particularly
>useful in small companies which only have a handful of systems to
>protect and don't expect any growth anytime soon and/or have very
>limited budgets.

Unless you sell a "one-size-fits-all" product to a
"one-size-only-needed-by-all" market, it's the only prudent way to do it.

>In spite of this, I personally am not in favor of this type of
>approach.
>Sudden growth (mergers, acquisitions, etc) could impact the licensing of
>the firewall & either get the customer in hot water with SPA or the
>vendor or face a denial-of-service for those extra connections until the
>customer remembers to get an upgraded license.

Yeah, in some organizations that are asleep at the wheel. But for the
most part it just doesn't happen that way.

First off, mergers, acquisitions and other "sudden growth" occurrences
just do not have this kind of impact on corporate enterprise security. I
have been involved in better than a dozen such "sudden growths" and these
issues are part of the reason why it usually takes three to eighteen
months to get through the "sign-off" on a merged or absorbed entity. To
those involved in these exercises, security is at or very near the top of
that list.

Additionally, if a customer has purchased a decent firewall from a
reputable vendor who offers a scalable product, who is paying attention
to the post-sale needs, and downstream growth needs of his customer then
there's little reason for handwringing. Most of the "it fell through the
cracks" or "denial of service" problems I've encountered are due to
someone just not paying attention to the issues that justify their
paychecks.

>This could be rather interesting if the person who ordered the firewall
>or was familiar with the licensing scheme wasn't around when the number
>of connections exceeded the license & no one else had a clue what was
>going on.

At which time I would be strongly inclined to ask my CIO/DIRIRM for an
explanation...
rmck
__________________________________________________
Bob McKisson                    Cypress Systems Corporation
McLean, VA 22102
(703) 273-2150 Voice
(703) 273-2151 FAX
(703) 691-2434 STU-III
pelican@interramp.com   National Capital Region
dolphin@interramp.com   Norfolk/Chesapeake/VA Beach

From firewalls-owner Tue Jan 9 20:22:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id UAA02690 for firewalls-outgoing; Tue, 9 Jan 1996 20:14:16 -0800 (PST)
Received: from newsgw.mentorg.com (newsgw.mentorg.com [137.202.128.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id UAA02682 for ; Tue, 9 Jan 1996 20:14:11 -0800 (PST)
Received: from wv.wv.mentorg.com by newsgw.mentorg.com (8.6.4/CF5.22R) id XAA01788; Tue, 9 Jan 1996 23:12:59 -0500
Received: from pdxml2.mentorg.com by wv.wv.mentorg.com (8.6.8.1/CF5.22R) id UAA26544; Tue, 9 Jan 1996 20:13:00 -0800
Message-ID:
Date: 6 Jan 1996 01:41:06 -0800
From: "PDXML2"
Subject: PLEASE RE-SEND, E-MAIL ADMI
To: "firewalls-digest@GreatCircle.CO"
X-Mailer: Mail*Link SMTP/QM 3.0.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mail*Link(r) SMTP                          Firewalls-Digest V5 #8

Received: by pdxml2.mentorg.com with SMTP;6 Jan 1996 01:35:41 -0800
Received: from relay7.UU.NET by newsgw.mentorg.com (8.6.4/CF5.22R) id EAA22326; Sat, 6 Jan 1996 04:30:18 -0500
Received: from miles.greatcircle.com by relay7.UU.NET with ESMTP id QQzxib26519; Sat, 6 Jan 1996 04:29:17 -0500 (EST)
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id BAA17120 for firewalls-digest-outgoing; Sat, 6 Jan 1996 01:00:14 -0800 (PST)
Date: Sat, 6 Jan 1996 01:00:14 -0800 (PST)
Message-Id: <199601060900.BAA17120@miles.greatcircle.com>
From: firewalls-digest-owner@uunet.uu.net
To: firewalls-digest@GreatCircle.COM
Subject: Firewalls-Digest V5 #8
Reply-To: Firewalls@GreatCircle.COM
Errors-To: firewalls-digest-owner@uunet.uu.net
Precedence: bulk

Firewalls-Digest       Saturday, 6 January 1996       Volume 05 : Number 008

In this issue:

	SSL and S-HTTP Proxy support
	Re: Security managing Cisco Routers
	Re: SSL and S-HTTP Proxy support
	Steps in building a firewall, Right or Wrong?

See the end of the digest for information on subscribing to the Firewalls
or Firewalls-Digest mailing lists and on how to retrieve back issues.

----------------------------------------------------------------------

From: cbk@ingress.com (Charles B. Kaplan)
Date: Fri, 5 Jan 1996 23:21:13 -0500
Subject: SSL and S-HTTP Proxy support

>From what I remember S-HTTP can be fully negotiated within the 'standard'
HTTP ports/protocol. Therefore any proxy supporting HTTP should work with
S-HTTP.

Next, while SSL COULD be implemented across multiple protocols, etc, the
'only' wide spread use presently is via netscape, and that makes use of
port 443 'normally'.

The BorderWare Firewall Server, from BNTI out of the box proxies port 80,
8001, 8080, and 443, all when its WWW proxy is enabled. I don't see why
however you couldn't say use plug-gw on port 443 to do the same types of
things.

NOTE however, putting your web server inside your firewall, and then
proxying to it is a BIG risk. That of course is why BorderWare provides a
3rd network interface for 'secured servers'.

Well, enough plugging of BorderWare....if you didn't guess I resell it.

Anyone care to either verify or correct the above S-HTTP notes ?

- -Charles Kaplan
for more information on BorderWare call 800-254-7159

------------------------------

From: Bill Husler
Date: Fri, 5 Jan 1996 20:22:58 -0800
Subject: Re: Security managing Cisco Routers

>>>At 02:15 PM 12/27/95 GMT, Pietro wrote:
>>>
>>>>My actual problem is to manage several Cisco Routers situated
>>>>on a public network from a central site, from where there is no
>>>>way to guarantee secure communication.
>>>>
>
>>I have heard that Firewall-1 will manage the configurations of CISCO
>>routers remotely. I believe the way it works is that you set up the
>>configuration on a Firewall-1 Administrative Workstation and it sends
>>some sort of encrypted/secured transmission to the router to download the
>>new config.
>>Bill
>>
>
>Although I'm not intimately familiar with the internal mechanisms of
>Firewall-1, I do have a problem with the above paragraph, since we
>do not (yet) support encrypted transport mechanisms. :-)
>
>- paul
>
>--
>Paul Ferguson                  ||        ||
>Consulting Engineering         ||        ||
>Reston, Virginia USA          ||||      ||||
>tel: +1.703.716.9538      ..:||||||:..:||||||:..
>e-mail: pferguso@cisco.com   c i s c o  S y s t e m s
>
>

Paul,

You're absolutely right! I talked to our Firewall-1 dudes (actually SUN)
and they said that communication is in the clear. I don't know what I
heard that made me believe otherwise. Sorry if I muddied the waters.

I also asked them to describe why we should have "warm fuzzies" that the
changes being made to the router configuration are indeed being sent from
the FW-1 admin and not some admin wannabe. I will post their response.

Bill

------------------------------

From: Bill Husler
Date: Fri, 5 Jan 1996 20:46:16 -0800
Subject: Re: SSL and S-HTTP Proxy support

>From: Brian W. McKenney, mckenney@smiley.mitre.org
>
>I would like to have an update as to which commercial firewall vendors
>support or plan to support (when) an SSL and/or S-HTTP proxy. I will post
>a summary.
>
>This is the information that I have:
>
>1. TIS Gauntlet: SSL and S-HTTP proxies in next release.
>2. KarlBridge/KarlBrouter: S-HTTP proxy
>3. Milkyway Blackhole: S-HTTP
>4. SOS Brimstone: S-HTTP proxy
>5. Technologic Interceptor: S-HTTP proxy
>6. V-One SmartWall: S-HTTP proxy
>
>License versions of TIS Gauntlet will support whatever the next Gauntlet
>release supports.
>

You can add ANS Interlock to your list.

Bill

------------------------------

From: bart@pu.com (Bart Rivard)
Date: Sat, 6 Jan 1996 01:49:18 -0600
Subject: Steps in building a firewall, Right or Wrong?

Hi,

I think one of the things about building a firewall that has surprised me
is how really simple it really is. It makes me wonder if I have done
something wrong. Many people say use the TIS toolkit but I really don't
see any reason. Here are the steps I have taken; tell me what you think.

1) Installed FreeBSD on a Pentium 100 with 32 MB of Ram and two Ethernet
   NICs
2) Configured the Kernel such that IP forwarding and Source routing are
   disabled.
3) Deleted all accounts on the system except root
4) Gave root a password with number, letters, uppercase and lowercase, 10
   long
5) Deleted everything out of inetd.conf except DNS
6) Configured DNS so that the only machine it knows about is a Web server
   which is in the DMZ and the firewall machine and wildcard MX record.
7) Configured resolv.conf on firewall to point to the internal network DNS.
8) Turned off source routing on the CISCO 2500 router and added filters
   which disabled all UDP traffic except port DNS/53, all TCP inbound
   traffic except SMTP to firewall, News from specific news server to
   firewall, http to web server in DMZ. Allow all outbound TCP traffic.
   Thinking about disabling all ICMP traffic on router, what do you think?
9) Configured CERN web server as a proxy on the firewall using a weird
   port number. Wrapped the port with TCP Wrappers and only allow access
   from internal IP addresses. Internal IP addresses are 192.168.0.0 thru
   192.168.255.255. Wish I could limit access to web proxy by network
   interface but don't know how?
10) Modified a mail program so that it reads mail from port 25 and writes
   mail messages to disk. Completely dumb program. Does not handle
   distribution list, aliases or anything. I then pick mail up off of disk
   and send it to internal CC mail gateway. Was there shareware to do
   equivalent? Can sendmail pick mail up off of disk? Is it safe to have
   sendmail pick mail up off of disk and distribute?
11) Put TCP Wrapper around news server port to only accept connection from
   our news provider at AT&T and internal network. Also use inn access
   control to limit access from internal network for reading news and news
   provider for dumping news.

Well, that's about it. We provide outbound Web, Gopher, FTP and WAIS
through the CERN Proxy. Is this safe? We don't allow any UDP to pass
firewall. We don't allow anything to come in from the outside through the
firewall except mail. The firewall doubles as a news server so we don't
allow news to pass through firewall but the firewall doubles as a news
server. Is it safe to use a firewall as a news server?

Please comment!! Send all comments to bart@pu.com.

TIA,
Bart

------------------------------

End of Firewalls-Digest V5 #8
*****************************

To unsubscribe from Firewalls-Digest, send the following command in the
body of a message to "Majordomo@GreatCircle.COM":

	unsubscribe firewalls-digest

To subscribe, send the command "subscribe firewalls-digest" instead.

If you want to subscribe or unsubscribe something other than the account
the mail is coming from, such as a local redistribution list, then append
that address to the command; for example, to subscribe "local-firewalls":

	subscribe firewalls-digest local-firewalls@your.domain.net

A non-digest (direct mail) version of this list is also available; to
subscribe to that instead, replace all instances of "firewalls-digest" in
the commands above with "firewalls".

Compressed back issues are available for anonymous FTP from
FTP.GreatCircle.COM, in pub/firewalls/digest/vNN.nMMM.Z (where "NN" is the
volume number, and "MMM" is the issue number).
From firewalls-owner Tue Jan 9 21:22:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA03606 for firewalls-outgoing; Tue, 9 Jan 1996 21:00:18 -0800 (PST)
Received: from montag33.residence.gatech.edu (montag33.residence.gatech.edu [199.77.171.12]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id VAA03601 for ; Tue, 9 Jan 1996 21:00:14 -0800 (PST)
Received: (from brain21@localhost) by montag33.residence.gatech.edu (8.6.12/8.6.9) id XAA15779; Tue, 9 Jan 1996 23:57:55 -0500
Date: Tue, 9 Jan 1996 23:57:55 -0500 (EST)
From: Brain21
To: Neil
cc: firewalls@GreatCircle.COM
Subject: Re: Source Routed Packets
In-Reply-To: <960105133833.212c@rmcs.cranfield.ac.uk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 5 Jan 1996, Neil wrote:

> I am currently using, in a trial firewall, a Sun SPARC 10 running a kernel
> with IP packet forwarding turned off.
>
> The only problem is that SunOS will still (I believe) allow IP source
> routed packets through the bastion host.
>

This may be an ignorant question here, but are you able to filter on bit
sequences on your machine, or just port #s??? If you can filter on
specific bits, filter out, on the first 8 bits of the options field in
the TCP packets (bits 161-168) when they have the following bit sequence:
10000011. This is loose source routing (strict source routing is the same
bits, but w/ a sequence of 10001001).

Quick summary/options field quasi-tutorial:

  161           168
  +-+-+-+-+-+-+-+-+
  | | | | | | | | |        (I know my ascii sucks)
  +-+-+-+-+-+-+-+-+

bit 161 - "copied flag" states that options must be copied if packet is
fragmented (so it's "1" for "yes" or "on").
bits 162-163 - All are "0" except for Internet Time Stamp (which="2" or
"10" - decimal and binary respectively)
bits 164-168 - Number or "ID" field - "3"=loose source routing, "9"=strict
source routing (00011 and 01001 respectively)

so you have - 1 00 00011 for loose, and 1 00 01001 for strict.

This brings me to my next question. This is something that I have asked
before, but I can't believe that only *1* firewall allows this!... What
firewalls *WILL* allow you to filter on bit sequences like I illustrated
above??? When I asked this last time the only answer that I got was that
V-One will allow you to do this to create your own, more specific rules.
Is that possible? Does only *ONE* vendor support this?

Thanks,

Brain21

From firewalls-owner Tue Jan 9 21:52:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA04199 for firewalls-outgoing; Tue, 9 Jan 1996 21:44:30 -0800 (PST)
Received: from tide03.microsoft.com (tide03.microsoft.com [131.107.3.13]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id VAA04193 for ; Tue, 9 Jan 1996 21:44:26 -0800 (PST)
Received: by tide03.microsoft.com; id VAA20024; Tue, 9 Jan 1996 21:50:56 -0800
Received: from unknown(157.54.17.73) by tide03.microsoft.com via smap (g3.0.3) id xma020010; Tue, 9 Jan 96 21:50:36 -0800
Received: from xnet2 (xnet2.microsoft.com [157.54.17.205]) by imail1.microsoft.com (8.7.1/8.7.1) with SMTP id VAA29394 for ; Tue, 9 Jan 1996 21:46:09 -0800 (PST)
X-Received: from xmtp3 by xnet2 with receive; Tue, 9 Jan 1996 21:43:03 -0800
X-Received: from RED-70-MSG by xmtp3 with recvsmtp; Tue, 9 Jan 1996 21:42:51 -0800
Received: by red-70-msg.itg.microsoft.com with Microsoft Exchange (IMC 4.20.611) id <01BADEDB.6DD21AC0@red-70-msg.itg.microsoft.com>; Tue, 9 Jan 1996 21:42:52 -0800
Message-ID:
From: "Kurt Buff (Volt Comp)"
To: "firewalls@greatcircle.com"
Subject: ip subnetting
Date: Tue, 9 Jan 1996 21:42:50 -0800
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.20.611
X-MsXMTID: xmtp3960110054251RECVSMTP[01.52.00]00000123-62072
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Many thanks to those who replied from a relative newbie. I have rfc 1878
and am reviewing it. I will probably have replies privately to those who
helped, as this is not strictly on topic for this list

Kurt

From firewalls-owner Tue Jan 9 22:07:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA04653 for firewalls-outgoing; Tue, 9 Jan 1996 21:58:15 -0800 (PST)
Received: from montag33.residence.gatech.edu (montag33.residence.gatech.edu [199.77.171.12]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id VAA04648 for ; Tue, 9 Jan 1996 21:58:10 -0800 (PST)
Received: (from brain21@localhost) by montag33.residence.gatech.edu (8.6.12/8.6.9) id AAA16088; Wed, 10 Jan 1996 00:56:06 -0500
Date: Wed, 10 Jan 1996 00:56:06 -0500 (EST)
From: Brain21
To: Frank Willoughby
cc: firewalls@GreatCircle.COM, John Young
Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting)
In-Reply-To: <9601080441.AA17466@su1.in.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I would like to know this... if Shimomura is so good (and I actually
believe that he may be) then why did he leave the r-utils enabled? Why
did he not use TCPWrappers to prevent spoofing? Why did he allow people
to see inside his network (Mitnick saw that there was a machine
"X-something" that he believed was trusted by Shimomura's machine)? I
mean, I believe that Shimomura knew of the possibility of this type of
attack WAY ahead of time (like months or years). Why no encryption to
stop this type of attack? Why did he not use random sequence numbers?
Was he just SOOO overwhelmed by his own greatness that he ignored these
things?

There are those, so I've heard, that believe that his ego ended up
getting the best of him (karma). I don't know him so I can not make a
judgement either way, but which way does the evidence point? It just
doesn't make sense.

BTW, where did the "Official Spoofing Page" go? I think it used to be
something like www.msen.com/tubed/spoofing.html or something like that.
It went down a few months ago. Just wondering why...

Brain21

From firewalls-owner Tue Jan 9 22:36:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA04052 for firewalls-outgoing; Tue, 9 Jan 1996 21:37:54 -0800 (PST)
Received: from montag33.residence.gatech.edu (montag33.residence.gatech.edu [199.77.171.12]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id VAA04047 for ; Tue, 9 Jan 1996 21:37:50 -0800 (PST)
Received: (from brain21@localhost) by montag33.residence.gatech.edu (8.6.12/8.6.9) id AAA15998; Wed, 10 Jan 1996 00:35:36 -0500
Date: Wed, 10 Jan 1996 00:35:36 -0500 (EST)
From: Brain21
To: Bob Resino
cc: grau@muc.de, firewalls@GreatCircle.COM
Subject: Re: Off-Topic: Selling Firewalls
In-Reply-To: <9601081347.AA15571@dsn20>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 8 Jan 1996, Bob Resino wrote:

> > - how to draw network designs
> > - how to calculate network topology, eg. IP-numbers and netmasks
> > - how to calculate the costs for the equipment (firewalls, routers ...)
> > - how to ...
> >
> You might want to think about a CAD package, like
> Intergraph Microstation or IsiCad. The Microstation

Don't know what they cost, but I believe that Microstation is MORE
expensive than AutoCAD, which runs in the neighborhood of $5000. That's a
little high for what the original poster wants to do, I think. Besides,
he is obviously running Windows (mention of Powerpoint), and Microstation
is UNIX isn't it? (not sure).

I know that Freelance Graphic blows for this kind of stuff. Perhaps
something like Corel Draw may be better? The latest version is 6.0, and I
think you can get 5.0 and 4 for less than $100 or so now. This and a
decent clipart package (or look, there is a usenet group for clip-art, I
think) would be all that you really need for network diagrams. Then you
could import these into Excel or 1-2-3 or something if you need to have
cost projections and network diagrams on one page.

As for IP addresses, etc. I think you are on your own there.

Brain21

From firewalls-owner Tue Jan 9 23:07:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id XAA06458 for firewalls-outgoing; Tue, 9 Jan 1996 23:00:15 -0800 (PST)
Received: from newsgw.mentorg.com (newsgw.mentorg.com [137.202.128.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id XAA06453 for ; Tue, 9 Jan 1996 23:00:10 -0800 (PST)
Received: from wv.wv.mentorg.com by newsgw.mentorg.com (8.6.4/CF5.22R) id BAA10206; Wed, 10 Jan 1996 01:58:58 -0500
Received: from pdxml2.mentorg.com by wv.wv.mentorg.com (8.6.8.1/CF5.22R) id WAA29468; Tue, 9 Jan 1996 22:58:41 -0800
Message-ID:
Date: 7 Jan 1996 01:56:55 -0800
From: "PDXML2"
Subject: PLEASE RE-SEND, E-MAIL ADMI
To: "firewalls-digest@GreatCircle.CO"
X-Mailer: Mail*Link SMTP/QM 3.0.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mail*Link(r) SMTP                          Firewalls-Digest V5 #9

Received: by pdxml2.mentorg.com with SMTP;7 Jan 1996 01:51:21 -0800
Received: from relay7.UU.NET by newsgw.mentorg.com (8.6.4/CF5.22R) id EAA21637; Sun, 7 Jan 1996 04:45:54 -0500
Received: from miles.greatcircle.com by relay7.UU.NET with ESMTP id QQzxlu21430; Sun, 7 Jan 1996 04:37:25 -0500 (EST)
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id BAA07197 for firewalls-digest-outgoing; Sun, 7 Jan 1996 01:00:21 -0800 (PST)
Date: Sun, 7 Jan 1996 01:00:21 -0800 (PST)
Message-Id: <199601070900.BAA07197@miles.greatcircle.com>
From: firewalls-digest-owner@uunet.uu.net To: firewalls-digest@GreatCircle.COM Subject: Firewalls-Digest V5 #9 Reply-To: Firewalls@GreatCircle.COM Errors-To: firewalls-digest-owner@uunet.uu.net Precedence: bulk Firewalls-Digest Sunday, 7 January 1996 Volume 05 : Number 009 In this issue: RE: Bastion netmask query Re: NAT & NFS ? Re: Steps in building a firewall, Right or Wrong? Undeliverable Mail See the end of the digest for information on subscribing to the Firewalls or Firewalls-Digest mailing lists and on how to retrieve back issues. ---------------------------------------------------------------------- From: Paul Ferguson Date: Sat, 06 Jan 1996 08:09:15 -0500 Subject: RE: Bastion netmask query Sure, you could hack something together to do this, but why not simply use RFC-1878 instead? - - paul At 10:00 PM 1/4/96 -0800, Kurt Buff (Volt Comp) wrote: >It seems to me that someone with half a brain (not me, I only have 1/4) >could write a simple program (PERL, VB, ??) that would take some input >(number of nodes, number of segments, network address(es), etc.) and output >some reasonable netmasking and segmenting suggestions, including >forbidden/unwise host addresses (due to broadcast address conflicts, etc.). >Does anyone know of such a beastie? Or would this really be such a hard >thing to write? > >Kurt > - -- Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:.. e-mail: pferguso@cisco.com c i s c o S y s t e m s ------------------------------ From: jon@london.hcsc.com (Jon Shallow) Date: Sat, 6 Jan 96 11:49:05 GMT Subject: Re: NAT & NFS ? Darren, Some NAT definitions I am using to answer your NFS question. NAT: The change of an IP address within a packet to hide or withold IP addresses that are not 'public'. This is implied when proxies are in use, but also is done in the IP layer. external: One of potentially many interfaces which NATs packets as they pass over the interface. 
internal: One of potentially many interfaces which does not NAT packets. session: Transmission and receipt of packets which includes TCP/UDP transmits and ICMP error receipts. Any packet 'session' can be initiated from internal to external as internal host has full visibility of external address space. The external host will only see packets coming from the firewall. Returned packets will get forwarded (with IP address translated) back to the originator. Any packet 'session' initiated from external will never get to internal as there is absolutely no visibility of internal address space. The above is true for all TCP, UDP, RPC, and ICMP packets. (For those that do not know, RPC is a protocol using TCP or UDP packets as a carrier. NFS then uses RPC for communication protocol.) Now to NFS ..... If an external host has a NFS exported file system, any internal host can mount that file system (as permitted by the normal NFS export rules). If NAT takes place at the IP layer, no extra work or enabling is required at the filrewall. The things to be aware of 1. The external host will see the NFS read/write etc activity coming from the firewall IP address, not the internal host IP address. The exports file needs to reflect this. 2. The external host will see the mount request coming from the firewall IP address, and embedded within the mount request RPC packet is the name of the host doing the mount request. The external host will lookup this embedded host name, and if the IP address is not the same as the firewall address, the mount request is refused. You will need to 'fake' the internal hosts IP address on the external host if the firewall cannot translate the embedded host name. Regards Jon BTW Are there many firewalls out there that can filter on RPC as NFS through a firewall is scary. Harris CyberGuard can. > In some mail from Jon Shallow, sie said: > > > > This works fine on the Harris CyberGuard. 
> > TCP, UDP, RPC, ICMP all get
> > suitably rewritten - even the ICMP error codes.
> >
> > The 'inside' system can initiate talk to the 'external' system, but the
> > 'external' system has no knowledge of the 'internal' IP address - just
> > the firewall.
>
> This doesn't quite answer what I was wondering...
>
> I'm particularly interested in what this means for NFS...does it mean
> your internal systems need to be setup to allow the firewall to NFS to
> them so that external systems can be provided with NFS ?
>
> > > Is anyone using NFS (or RPC) over a WAN/LAN with a NAT in between the client
> > > and server, actively rewriting the addresses in all the packets involved ?
> > > If so, have any problems or unexpected situations arisen ?
>
> darren
>

------------------------------

From: "Joe Smith (Really!)"
Date: Sat, 6 Jan 1996 19:50:40 -0600 (CST)
Subject: Re: Steps in building a firewall, Right or Wrong?

On Sat, 6 Jan 1996, Bart Rivard wrote:

> 3) Deleted all accounts on the system except root

Unless you are limiting access to the system from the console, I would create one account (secured as you did root) to login to the system, and then su to root to do admin work.

------------------------------

From: "Server #7000007"
Date: 6 Jan 1996 21:57:29 U
Subject: Undeliverable Mail

Unknown Microsoft mail form. Approximate representation follows.

Message:   Firewalls-Digest V5 #7
Sent:      Fri, Jan 5, 1996 9:36 PM
To:        Harris Tom
On Server: PRC Bellevue NE MS
Date:      Sat, Jan 6, 1996 9:57 PM
Reason:    Could not be delivered because the destination Microsoft Mail server could not be found.

------------------------------

End of Firewalls-Digest V5 #9
*****************************

To unsubscribe from Firewalls-Digest, send the following command in the body of a message to "Majordomo@GreatCircle.COM":

        unsubscribe firewalls-digest

To subscribe, send the command "subscribe firewalls-digest" instead.
If you want to subscribe or unsubscribe something other than the account the mail is coming from, such as a local redistribution list, then append that address to the command; for example, to subscribe "local-firewalls":

        subscribe firewalls-digest local-firewalls@your.domain.net

A non-digest (direct mail) version of this list is also available; to subscribe to that instead, replace all instances of "firewalls-digest" in the commands above with "firewalls".

Compressed back issues are available for anonymous FTP from FTP.GreatCircle.COM, in pub/firewalls/digest/vNN.nMMM.Z (where "NN" is the volume number, and "MMM" is the issue number).

From firewalls-owner Tue Jan 9 23:25:22 1996
From: Darren Reed
Date: Wed, 10 Jan 1996 18:10:51 +1100 (EDT)
Subject: Re: Source Routed Packets
To: brain21@montag33.residence.gatech.edu (Brain21)
Cc: CARSON@rmcs.cranfield.ac.uk, firewalls@GreatCircle.COM

In some mail from Brain21, sie said:
[...]
> What firewalls *WILL* allow you to filter on bit sequences like I
> illustrated above??? When I asked this last time the only answer that I
> got was that V-One will allow you to do this to create your own, more
> specific rules. Is that possible? Does only *ONE* vendor support this?

This is probably an overkill in functionality vs performance.

Why is this such a problem ?
Because for every rule which allows you to define an arbitrary bit sequence, you have to parse the packet a new way to see if it matches. For a packet with IP options, it would mean checking all the IP options present to see if any match the mask.

For IP options, this is somewhat not so useful, as there is a limited number which are defined, and even fewer which work end-to-end in most unix boxes. Filter languages, such as that from Cisco or IP Filter, will recognise a large number (all) of the defined IP options.

I'd thus expect V-One's firewall to be twice as slow as, say, FW-1.

From firewalls-owner Wed Jan 10 00:10:33 1996
From: Sander Wels
Date: Wed, 10 Jan 1996 08:45:49 +0100
To: firewalls@greatcircle.com
Subject: Firewall setup

Currently I'm working on a project to implement what we call external communication services, i.e. centrally provide means to dial out, dial in for tele-workers and a connection to the internet. The dial-in service is set up using M$ RAS and its dial back facility. The dial out will be implemented using a Cisco 500 to create a modem pool. The connection to the internet will be used to send mail and start FTP, telnet and HTTP sessions from the secure network to the big and nasty outer space.
To secure the internet connection, the mail and the dial out service we plan on using Firewall-1. The firewall will be located as follows:

   secure net
   -----------------------------------------------
        |                              |
    -----------                    ----------
    |  FW-1   |                    | MS RAS |------- dial in
    -----------                    ----------
        | DMZ
        |------------|--------------|
   -----------       |         -----------
   |mail serv|       |         |Cisco 500|
   -----------       |         -----------
                     |              |
                 Internet        dial out

As one can see, we connect the internet to the firewall and create a DMZ on a separate segment of the firewall. The Cisco can only be used to dial out originating from the secure network (the phone lines will be configured dial out only). The MS RAS server will be set up to use dial back to static locations, i.e. no mobile connections. The DMZ will initially only be used to connect the mail server to; a WWW-server may be connected in the future.

Can anyone comment on this set up please. I would like to know the risks and if this situation is secure :) or not :(.

TIA

Sander Wels

From firewalls-owner Wed Jan 10 10:11:26 1996
From: JOSE LUIS VERDEGUER NAVARRO
Date: Wed, 10 Jan 1996 09:21:21 +0100 (MET)
Subject: Re: Firewalls-Digest V4 #726
To: ibg@oro.net
Cc: Firewalls@GreatCircle.COM
From firewalls-owner Wed Jan 10 13:30:48 1996
Date: Wed, 10 Jan 96 09:52 PST
To: Firewalls@GreatCircle.COM
From: "Steven K. Sharp"
Subject: UDP and the unclean...

Please forgive me if this is a stupid question, but why is UDP such a bad thing? Especially things like RealAudio, this uses UDP to communicate (as do many other programs). What security risk does UDP pose? I've seen that most people filter out all UDP first and then work from there with TCP. Would it be a gaping hole to allow it?

Thanks for any clarification.

Steven
From firewalls-owner Wed Jan 10 14:14:33 1996
From: Rabid Wombat
Date: Wed, 10 Jan 1996 12:36:05 -0500 (EST)
To: Brain21
Cc: Bob Resino, grau@muc.de, firewalls@GreatCircle.COM
Subject: Re: Off-Topic: Selling Firewalls

On Wed, 10 Jan 1996, Brain21 wrote:

> On Mon, 8 Jan 1996, Bob Resino wrote:
>
> > > - how to draw network designs
> > > - how to calculate network topology, eg. IP-numbers and netmasks
> > > - how to calculate the costs for the equipment (firewalls, routers ...)
> > > - how to ...
> > >

I use Visio Pro to draw network topologies. It has a fair library of icons, and can import a wide variety of file types if you want to create your own from scratch or clip art. This is an M$-Wind0ws compatible product, but it sounds like that's what you're running.

I use M$-Excel for calculating costs.
If you want a customized solution, there are third-party database links to Autocad that would allow you to generate costs from a database linked to a drawing. This would be a much more expensive solution, in terms of software costs, workstation requirements, learning curve, configuration, etc., and wouldn't pay off unless you are doing nothing but costing/managing networks all day long. There is a facilities management package called AfMan that is an AutoCad add-on - it was designed to update facilities databases from changes made to an AutoCad drawing, do job costs, etc., but could easily be used/adapted to network costing / management. Contact Gene Wachowski at KDP, 301-419-0085 if interested.

I'd recommend sticking with Visio, however. You can learn the basics and be up and running in half an hour, but it supports CAD-like functions, such as basic snaps, etc. Once this came out, I stopped using everything else. Shapeware Corporation, 1-800-446-3335 or 303-743-9533.

>
> > You might want to think about a CAD package, like
> > Intergraph Microstation or IsiCad. The Microstation
>
> Don't know what they cost, but I believe that Microstation is MORE
> expensive than AutoCAD, which runs in the neighborhood of $5000. That's
> a little high for what the original poster wants to do, I think.
> Besides, he is obviously running Windows (mention of Powerpoint), and
> Microstation is UNIX isn't it? (not sure). I know that Freelance Graphic
> blows for this kind of stuff. Perhaps something like Corel Draw may be
> better? The latest version is 6.0, and I think you can get 5.0 and 4 for
> less than $100 or so now. This and a decent clipart package (or look,
> there is a usenet group for clip-art, I think) would be all that you
> really need for network diagrams. Then you could import these into Excel
> or 1-2-3 or something if you need to have cost projections and network
> diagrams on one page.
>
> As for IP addresses, etc. I think you are on your own there.
>
> Brain21
>

From firewalls-owner Wed Jan 10 15:27:32 1996
From: Andrew Cameron
Date: Wed, 10 Jan 1996 22:11:15 +0200 (GMT+0200)
To: firewalls@greatcircle.com
Subject: Internet Policy/Security Policy

I would like to know where I can find examples of an Internet/Security Policy for a company. I will need to write one in the near future and would like to draw on the experience of others.
Thanks in anticipation

-----------------------------------------------------------------------------
Andrew Cameron
Internet : andrew@andy.alt.za
X.400 : C=ZA G=Andrew S=Cameron Admd=TELKOM400
----------------------------------------------------------------------------

From firewalls-owner Wed Jan 10 15:31:40 1996
From: smb@research.att.com
To: Firewalls@GreatCircle.COM
cc: Brain21
Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting)
Date: Wed, 10 Jan 96 16:59:25 EST

> I would like to know this... if Shimomura is so good (and I actually
> believe that he may be) then why did he leave the r-utils enabled? Why
> did he not use TCPWrappers to prevent spoofing? Why did he allow people
> to see inside his network (Mitnick saw that there was a machine
> "X-something" that he believed was trusted by Shimomura's machine)? I
> mean, I believe that Shimomura knew of the possibility of this type of
> attack WAY ahead of time (like months or years). Why no encryption to
> stop this type of attack? Why did he not use random sequence numbers?

TCP wrappers don't defend against sequence number guessing attacks.
The essence of the attack is that the bad guy is using an IP address that you trust -- and it doesn't matter if it's checked by rshd or the TCPwrapper; if it's fraudulent, it's fraudulent.

It's harder than you might think to hide the existence of trusted machines, unless you're using an application or circuit firewall.

Random sequence numbers break other things about TCP; see Appendix A to RFC 1185. For that matter, see my 1989 paper -- it's the best-known early description of the attack (and yes, Tsutomu did know of my paper; we discussed various generalizations of it in 1991 and 1992).

Encryption, or cryptographic authentication a la Kerberos, would have done the trick. But a lot of people, including me, had doubts about whether or not the attack was practical across a WAN. Obviously, we were wrong, and the reason we were wrong is that we didn't remember the exact gagging attack that Morris described in his 1985 tech report in which he reported the invention of this attack.

A couple of months ago, I did come up with a strong but simple defense against sequence number attacks.
For details, see ftp://ds.internic.net/internet-drafts/draft-rfced-info-bellovin-00.txt

		--Steve Bellovin
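The Internet-Draft Bellovin points at in the reply above was published a few months later as RFC 1948 (Defending Against Sequence Number Attacks). Its construction is what reconciles the two points he makes: RFC 1185 Appendix A explains why purely random ISNs break TCP's protection against old duplicate segments, while a clock shared by every connection is exactly what lets someone who has opened their own connection to a host predict the ISN the trusted host's connection will get. RFC 1948 keeps the RFC 793 clock but adds a keyed one-way function of the connection 4-tuple, so within one 4-tuple the sequence still advances with time while different 4-tuples get offsets that cannot be related without the secret. The following Python sketch is an added example written for this edit; it is not code from the list, from Bellovin or from the RFC. It uses SHA-256 where RFC 1948 suggests MD5, and the addresses, ports, timestamps and secret are constructed.

```python
"""RFC 1948-style initial sequence numbers.

Added example (editor's code, not from the list archive or from Bellovin).
Addresses, ports, timestamps and the secret below are constructed.
"""
import hashlib

SEQ_MODULUS = 2 ** 32  # TCP sequence-number space
TICK_US = 4            # RFC 793 ISN clock: one increment every 4 microseconds


def connection_offset(local_addr, local_port, remote_addr, remote_port, secret):
    """F(localhost, localport, remotehost, remoteport, secret) from RFC 1948.

    A keyed one-way function of the connection 4-tuple.  It is constant for
    as long as `secret` lives, so for a given 4-tuple the ISN still advances
    with the clock, which is what RFC 793 (and RFC 1185, Appendix A) need for
    old-duplicate protection.  RFC 1948 proposes MD5; SHA-256 is used here
    (editor's choice, not the RFC's text).
    """
    tuple_bytes = f"{local_addr}:{local_port}>{remote_addr}:{remote_port}".encode()
    digest = hashlib.sha256(secret + tuple_bytes).digest()
    return int.from_bytes(digest[:4], "big")


def isn_rfc1948(local_addr, local_port, remote_addr, remote_port, secret, now_us):
    """ISN = M + F(4-tuple, secret) mod 2^32, M being the 4-microsecond clock."""
    m = (now_us // TICK_US) % SEQ_MODULUS
    f = connection_offset(local_addr, local_port, remote_addr, remote_port, secret)
    return (m + f) % SEQ_MODULUS


def isn_shared_clock(local_addr, local_port, remote_addr, remote_port, secret, now_us):
    """The pre-RFC 1948 rule: one clock shared by every connection.

    The 4-tuple and secret are ignored on purpose.  Reading the ISN a host
    hands out on any one connection reveals the clock, and with it the ISN
    every other connection (the trusted host's included) gets at that moment.
    Same signature as isn_rfc1948 so the two can be compared side by side.
    """
    return (now_us // TICK_US) % SEQ_MODULUS


def isn_delta(a, b):
    """Distance from ISN a to ISN b in sequence space (handles wrap-around)."""
    return (b - a) % SEQ_MODULUS


def cross_connection_gap(generator, tuple_a, tuple_b, secret, now_us):
    """Defender's check: the gap between the ISNs two different 4-tuples get
    at the same instant.  0 means an ISN seen on one connection gives away the
    other; with RFC 1948 it is the difference of two keyed hash outputs."""
    return isn_delta(generator(*tuple_a, secret, now_us),
                     generator(*tuple_b, secret, now_us))


if __name__ == "__main__":
    secret = b"constructed-per-boot-secret"
    trusted = ("10.0.0.1", 1023, "10.0.0.2", 514)     # constructed: rsh from a trusted host
    observer = ("192.0.2.9", 40000, "10.0.0.2", 514)  # constructed: some other client
    t0 = 1_000_000  # constructed clock reading, in microseconds
    for gen in (isn_shared_clock, isn_rfc1948):
        print(f"{gen.__name__:16s} gap between the two connections: "
              f"{cross_connection_gap(gen, trusted, observer, secret, t0)}")
    # Within one 4-tuple the ISN still moves with the clock: 4000 us = 1000 ticks.
    print("clock advance for the trusted tuple:",
          isn_delta(isn_rfc1948(*trusted, secret, t0),
                    isn_rfc1948(*trusted, secret, t0 + 4000)))
```

The secret must be chosen per boot (RFC 1948 says as much), since an offset that survives reboots could be learned from a host's own past connections; and the monotonicity check shown for the trusted tuple is the property a stack must keep if it is not to fall foul of the RFC 1185 objections Bellovin raises against fully random ISNs.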
From firewalls-owner Wed Jan 10 15:59:29 1996
From: nicholscs@agedwards.com (Nichols,Christopher)
To: firewalls@greatcircle.com
Organization: A.G. Edwards & Sons Inc. St. Louis
Date: Wed, 10 Jan 1996 08:00:29 -0600
Subject: SecureID

I am investigating the use of Security Dynamics ACE Servers and SecurID tokens and have a question concerning packet filtering and the passing of the SDI packets through our net.
Given the design:

A (Cisco)-----External Segment-----B(HP Box)----------C(Cisco)----------D(Internal Net)

A - external router and authentication point
B - HP Box where App for users on external segment resides (routing is off)
C - Screening Filter/Firewall
D - Internal Net where ACE Server would reside

Since the design may exist in multiple sites, we plan to use strong filtering between the HP box (B) and the Internal Net (D). We are also considering a commercial firewall at C.

My understanding is that the SDI authentication process uses dynamically assigned port numbers (udp) > 1024. That would require us to open all ports > 1024 at point C so that SDI could pass from A to D. This is not desirable.

1) With routing off at B does anyone know of an existing proxy to pass the SDI packets across from A to C? or has anyone written one?

2) How can we setup an effective firewall at C without having to open all ports > 1024 and still allow the SDI authentication process to pass? One suggestion was to use TACACS.

Any thoughts?
Chris

From firewalls-owner Wed Jan 10 16:02:34 1996
Date: Wed, 10 Jan 1996 12:39:33 PST
From: Scott_Rickard@mc.xerox.com (Rickard,Scott)
To: firewalls@greatcircle.com
Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG
Cc: brain21@montag33.residence.gatech.edu, jya@pipeline.com (John Young), frankw@in.net (Frank Willoughby)

Date: Tuesday, January 09, 1996 9:56PM
Brain21 writes:

>I would like to know this... if Shimomura is so good (and I actually
>believe that he may be) then why did he leave the r-utils enabled? Why
>did he not use TCPWrappers to prevent spoofing? Why did he allow people
>to see inside his network (Mitnick saw that there was a machine
>"X-something" that he believed was trusted by Shimomura's machine)?

Snip

>Just wondering why...
The answer is quite clear if you have spook world experience and identify with several key elements quoted in Frank Willoughby's re-post of the Cypherpunks mailing list message regarding extracts from Jonathan Littman's book "The Fugitive Game: Online With Kevin Mitnick." In the extracts, Markoff mentions the issue of a bait machine and the possibility of Shimomura being closely affiliated with the DOD, NSA and other intelligence organizations.

Shimomura is completely involved in the intelligence business and he definitely knows how to catch mice for rewards from the world's largest feline, the NSA.

The NSA and other intelligence organizations go to great lengths to gather, analyze, correlate and confirm a tremendous amount of information. The NSA and other intelligence organizations attempt to influence perception by both publicly and privately publishing information or shrewdly allowing some type of "inadvertent mouse trap" access.

In the extracts, Markoff also indicates that people live in "a wilderness-of-mirrors kind of world," with respect to the colossal intelligence and counterintelligence business that historians will eventually call the ninth wonder of the world.

Globally, the intelligence and counterintelligence businesses are a multi-trillion dollar industry that thrives on information gathering, analysis and dissemination strategies. In the name of unusual essences of national security, honor, pride, greed or any combination of these components, generous numbers of international organizations exchange information between genuine and spurious alliances to cleverly buy, sell and release anticipated beneficial perception.

As for the bigger question of why, humans will always contemplate, attempt and tolerate the conquering of others as long as they continue to want more.

For a quick look at the tip of the complex intelligence iceberg, check out a copy of Codebusters, The Puzzle Palace, and War and Peace.
Scott Rickard
Senior IT Engineering Consultant
Scott_Rickard@mc.xerox.com

From firewalls-owner Wed Jan 10 16:11:29 1996
To: firewalls@greatcircle.com
Subject: Program Announcement - ISOC 1996 Symp. Netw. & Distr. Sys. Security
Date: Wed, 10 Jan 1996 17:37:59 -0500
From: "David M. Balenson"

------------------------------------------------------------------------------

THE INTERNET SOCIETY 1996 SYMPOSIUM ON NETWORK AND DISTRIBUTED SYSTEM SECURITY (NDSS '96)

22-23 FEBRUARY 1996
SAN DIEGO PRINCESS RESORT, SAN DIEGO, CALIFORNIA

The symposium will bring together people who are building software and/or hardware to provide network and distributed system security services. The symposium is intended for those interested in the more practical aspects of network and distributed system security, focusing on actual system design and implementation, rather than in theory. We hope to foster the exchange of technical information that will encourage and enable the Internet community to apply, deploy and advance the state of the available security technology.
------------------------------------------------------------------------------

P R E L I M I N A R Y   P R O G R A M

WEDNESDAY, FEBRUARY 21

6:00 P.M. - 8:00 P.M.   RECEPTION

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

THURSDAY, FEBRUARY 22

7:30 A.M.    CONTINENTAL BREAKFAST

8:30 A.M.    OPENING REMARKS

9:00 A.M.    SESSION 1: ELECTRONIC MAIL SECURITY
             Chair: Stephen T. Kent (BBN Corporation, USA)

             Mixing E-mail with BABEL, Gene Tsudik and Ceki Gulcu (IBM Research Division, Zurich Research Laboratory, SWITZERLAND)

             An Integration of PGP and MIME, Kazuhiko Yamamoto (Nara Institute of Science and Technology, JAPAN)

10:00 A.M.   BREAK

10:30 A.M.   SESSION 2: DISTRIBUTED OBJECT SYSTEMS
             Chair: Dan Nessett (Sun Microsystems, USA)

             A Security Framework Supporting Domain Based Access Control in Distributed Systems, Nicholas Yialelis and Morris Sloman (Imperial College, London, UNITED KINGDOM)

             PANEL: Scalability of Security in Distributed Object Systems
             Chair: Dan Nessett (Sun Microsystems, USA)
             Panelists: Dan Nessett (Sun Microsystems, USA), Nicholas Yialelis (Imperial College, London, UNITED KINGDOM), and Bret Hartman (Odyssey Research Associates, USA)

12:00 NOON   LUNCH

1:30 P.M.    SESSION 3: DISTRIBUTED SYSTEM SECURITY
             Chair: Michael Roe (University of Cambridge, UNITED KINGDOM)

             A Flexible Distributed Authorization Protocol, Jonathan Trostle (CyberSAFE, USA) and B. Clifford Neuman (Information Sciences Institute, University of Southern California, USA)

             Preserving Integrity in Remote File Location and Retrieval, Trent Jaeger (University of Michigan, USA) and Aviel D. Rubin (Bellcore, USA)

             C-HTTP - The Development of a Secure, Closed HTTP-Based Network on the Internet, Takahiro Kiuchi (University of Tokyo, JAPAN) and Shigekoto Kaihara (University of Tokyo Hospital, JAPAN)

3:00 P.M.    BREAK

3:30 P.M.
             SESSION 4: PANEL: INTELLECTUAL PROPERTY PROTECTION
             Chair: Peter Neumann (SRI International, USA)
             Panelists: David Bernstein (Electronic Publishing Resources, USA), Russ Housley (Spyrus, USA), and Dan Boneh (Princeton University, USA)

7:00 P.M.    DINNER BANQUET

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

FRIDAY, FEBRUARY 23

7:30 A.M.    CONTINENTAL BREAKFAST

8:30 A.M.    SESSION 5: NETWORK SECURITY
             Chair: Matt Bishop (University of California at Davis, USA)

             Designing an Academic Firewall: Policy, Practice and Experience with SURF, Michael B. Greenwald, Sandeep K. Singhal, Jonathan R. Stone, and David R. Cheriton (Stanford University, USA)

             Digital Signature Protection of the OSPF Routing Protocol, Sandra Murphy and Madelyn Badger (Trusted Information Systems, USA)

             A Case Study of Secure ATM Switch Booting, Shaw-Cheng Chuang and Michael Roe (University of Cambridge, UNITED KINGDOM)

10:00 A.M.   BREAK

10:30 A.M.   SESSION 6: KEY MANAGEMENT
             Chair: Burt Kaliski (RSA Laboratories, USA)

             SKEME: A Versatile Secure Key Exchange Mechanism for Internet, Hugo Krawczyk (IBM T.J. Watson Research Center, USA)

             IDUP and SPKM: Developing Public-Key-Based APIs and Mechanisms for Communication Security Services, Carlisle Adams (Bell-Northern Research, CANADA)

11:30 A.M.   LUNCH

1:00 P.M.    SESSION 7: ENCRYPTION
             Chair: Paul Lambert (Oracle, USA)

             An Empirical Study of Secure MPEG Video Transmissions, Iskender Agi and Li Gong (SRI International, USA)

             Parallelized Network Security Protocols, Erich Nahum and David J. Yates (University of Massachusetts, USA), Sean O'Malley, Hilarie Orman and Richard Schroeppel (University of Arizona, USA)

             A "Bump in the Stack" Encryptor for MS-DOS Systems, David A. Wagner (University of California at Berkeley, USA) and Steven M. Bellovin (AT&T Bell Laboratories, USA)

2:30 P.M.    BREAK

3:00 P.M.
             SESSION 8: PANEL: PUBLIC-KEY INFRASTRUCTURE
             Chair: Warwick Ford (Bell Northern Research, CANADA)
             Panelists: John Wankmueller (MasterCard International, USA), Taher ElGamal (Netscape Communications, USA), and Michael Baum (VeriSign, USA).

------------------------------------------------------------------------------

GENERAL CHAIR:
  Jim Ellis, CERT Coordination Center

PROGRAM CHAIRS:
  David Balenson, Trusted Information Systems
  B. Clifford Neuman, USC Information Sciences Institute

PROGRAM COMMITTEE:
  Tom Berson, Anagram Laboratories
  Matt Bishop, University of California at Davis
  Doug Engert, Argonne National Laboratory
  Warwick Ford, Bell Northern Research (Canada)
  Burt Kaliski, RSA Laboratories
  Steve Kent, BBN Corporation
  Paul Lambert, Oracle
  John Linn, OpenVision Technologies
  Teresa Lunt, Advanced Research Projects Agency
  Dan Nessett, Sun Microsystems
  Hilarie Orman, University of Arizona
  Michael Roe, Cambridge University (UK)
  Rob Rosenthal, U.S. National Institute of Standards and Technology
  Avi Rubin, Bellcore
  Jeff Schiller, Massachusetts Institute of Technology
  Rob Shirey, BBN Corporation
  Doug Tygar, Carnegie Mellon University
  Roberto Zamparo, Telia Research (Sweden)

LOCAL ARRANGEMENTS CHAIR:
  Thomas Hutton, San Diego Supercomputer Center

PUBLICATIONS CHAIR:
  Steve Welke, Institute for Defense Analyses

REGISTRATIONS CHAIR:
  Donna Leggett, Internet Society

STEERING GROUP
  Internet Research Task Force, Privacy and Security Research Group

------------------------------------------------------------------------------

BEAUTIFUL SAN DIEGO PRINCESS RESORT

Location

The Symposium venue is the San Diego Princess Resort, a tropical paradise on a forty-four acre island in Mission Bay, ten minutes from the international airport. Lush gardens landscaped with hundreds of species of tropical and subtropical plants are always ablaze with color and perfect for themed group events.
Charming pathways wander among sparkling waterfalls, across quaint footbridges and sleepy lagoons filled with water lilies and waterfowl. A white sand beach curves around the island for over a mile, and the award-winning grounds encompass five swimming pools and six lighted tennis courts. Spouses and family members can catch a convenient Harbor Hopper for a quick trip to Sea World. After the Symposium, plan to spend the weekend visiting La Jolla, the world famous San Diego Zoo or Mexico, only 30 minutes by car or Trolley.

Housing Information

We have reserved a special block of sleeping rooms at the San Diego Princess Resort at the following rates:

  Lanai Patio & Garden View Rooms      $ 81*
  Lanai Garden & Lagoon View Rooms     $112
  One Bedroom Suite                    $115

* This represents the Government Rate for San Diego. We have a limited number of rooms available at this rate. If you need a government rate, reserve your room early! You must present a valid government id upon check-in.

Based on room type and space availability, these special group rates are applicable two days prior to and two days after the symposium. Current Room Tax is 10.5%. Check-in availability cannot be committed prior to 4:00 p.m. Check-out time is 12:00 noon. The San Diego Princess Resort will make every effort to accommodate any early arrivals, so make sure you give them your arrival time when you make your reservation.

To make a reservation

Contact the San Diego Princess Resort at 1-800-344-2626 (+1-619-274-4630 if outside the United States). To receive the special group rates, reservations must be made no later than January 20, 1996.

CLIMATE

February weather in San Diego is normally very pleasant. Early morning temperatures average 55 degrees while afternoon temperatures average 67 degrees. Generally, a light jacket or sweater is adequate during February; although, occasionally it rains.

REGISTRATION FEES

                                               ISOC       Non-
                                               Members    Member
  Early registration (postmarked by Jan. 19)   $295       $330
  Late registration                            $365       $400

REGISTRATION INCLUDES
  - Attendance
  - Symposium Proceedings
  - Two luncheons
  - Reception
  - Banquet
  - Coffee Breaks

FOR MORE INFORMATION on registration contact Donna Leggett by phone at 703-648-9888 or via e-mail to Ndss96reg@isoc.org.

WEB PAGE - Additional information about the symposium and San Diego, as well as an on-line registration form, are available via the Web at: http://www.isoc.org/conferences/ndss96

------------------------------------------------------------------------------

Internet Society Symposium on Network and Distributed System Security
22-23 February, 1996
San Diego, California, USA

Registration Form
---------------------------------------------------------------------------
Fill out this form and FAX it to NDSS'96 Registration (703) 648-9887, send it via electronic mail to Ndss96reg@isoc.org, or mail it to NDSS96, 12020 Sunrise Valley Drive, Suite 210, Reston, VA, 22091, USA
---------------------------------------------------------------------------

Personal Information

__Mr __Ms __Mrs __Dr __Prof __M __Prof Dr __Dip Ing __Ing __Miss __Mlle

First Name: __________________________   Middle Name: _______________
Family Name: __________________________   __sr __jr __II __III __PhD

Please enter your name as you would like it to appear on your conference name tag.
Badge Name: _____________________________

Contact Information

Your title: _____________________________
Your affiliation: _____________________________
Your address: _____________________________
              _____________________________
City: _____________________________
State or Province: _____________________________
Postal Code: _____________
Country: _____________________________
Tel (work) Number: _____________________________
Tel (home) Number: _____________________________
Fax Number: _____________________________
EMail address: _____________________________

Special Needs?
Do you have any special needs (vegetarian meals, wheelchair access, etc?):
_________________________________________________________________________
_________________________________________________________________________

Appear on the Registrants List?
___ Please check here if you would NOT like your name included in the list of registrants.

Payment Information

All Payments must be in United States Dollars.

Conference Charges

If you are an Internet Society member, you are eligible for a reduced registration fee. Non-member symposium attendees will receive a one year Internet Society membership as part of the non-member registration fees.

Check one:                                   Before        After
                                             January 19    January 19
                                             ----------    ----------
___Internet Society Member Conference Fee    US$ 295.00    US$ 365.00
___Non-Member Conference Fee                 US$ 330.00    US$ 400.00

Method of Payment

1. __ Check
   Make payable to the Internet Society. Checks must be postmarked before February 16, 1996 or you will not be registered.

2. __ Credit Card
   __ American Express  __ Mastercard  __ Visa
   Name on Credit Card: __________________________
   Credit Card Number: __________________________
   Expiration Date: __________

3. __ First Virtual
   First Virtual Account Number: _________________________

4. __ Wire Transfer*
   Riggs Bank of Virginia       Bank ABA number: 056001260
   8315 Lee Highway             Account number: Internet Society 148 387 10
   Fairfax VA 22031 USA
   Wire Transfer Confirmation Number: ____________________________
   * Please process wire transfer before sending the registration form.

5. __ U.S. Government Purchase order*
   Please provide the P.O. Number: ___________________________
   * Please fax or mail a copy of your purchase order along with your registration form.

Cancellation Policy
-------------------
Refunds will be issued for cancellations received before February 16, 1996. No refunds will be issued after February 16, 1996.
---------------------------------------------------------------------------

From firewalls-owner Wed Jan 10 17:13:58 1996
Date: Wed, 10 Jan 1996 18:47:28 -0600 (CST)
From: Ron DuFresne
To: Scott_Rickard@mc.xerox.com
cc: firewalls@GreatCircle.COM, brain21@montag33.residence.gatech.edu, John Young, Frank Willoughby
Subject: Re: Mitnick & the TCP Sequence Number Attack on
  Shimomura (LONG

Scott,

In other words you're saying that Mitnick was 'invited' in, bordering on entrapment...

Later,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.

From firewalls-owner Wed Jan 10 17:41:33 1996
Date: Thu, 11 Jan 96 09:50:43 JST
From: "wang"
To: a01056@eps.ua.es
Cc: Firewalls@GreatCircle.COM
Subject: I cannot read your mail
firewalls-owner@GreatCircle.COM Precedence: bulk JOSE LUIS VERDEGUER NAVARRO, I have received 3 pieces of your mails since yesterday, but they have only the mail header. So I cannot read the contents and I do not know why. I use cc:Mail and I suppose it's due to MIME or something else. In your mail header, > Mime-Version: 1.0 > Content-Type: TEXT/PLAIN; CHARSET=US=ASCII I do not know if the others you send mail to can read the contents Regards, Wang, Qin From firewalls-owner Wed Jan 10 17:43:58 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA16559 for firewalls-outgoing; Wed, 10 Jan 1996 17:01:26 -0800 (PST) Received: from border.dreamworks.com (dreamworks.com [204.250.57.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id RAA16554 for ; Wed, 10 Jan 1996 17:01:22 -0800 (PST) Received: from border.dreamworks.com (daemon@localhost) by border.dreamworks.com (8.6.12/8.6.12) with ESMTP id QAA21211 for ; Wed, 10 Jan 1996 16:47:33 -0800 Received: from gateway (gateway.dreamworks.com [10.1.1.2]) by border.dreamworks.com (8.6.12/8.6.12) with ESMTP id QAA21206 for ; Wed, 10 Jan 1996 16:47:30 -0800 Received: from juice.dreamworks.com by gateway (SMI-8.6/SMI-SVR4) id RAA19466; Wed, 10 Jan 1996 17:00:01 -0800 Received: by juice.dreamworks.com (940816.SGI.8.6.9/940406.SGI.AUTO) for firewalls@greatcircle.com id RAA01752; Wed, 10 Jan 1996 17:02:45 -0800 From: "Alan C.Horn" Message-Id: <9601101702.ZM1750@juice.dreamworks.com> Date: Wed, 10 Jan 1996 17:02:43 -0800 X-Mailer: Z-Mail (3.2.2 10apr95 MediaMail) To: firewalls@greatcircle.com Subject: Encryption export laws from US.. Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I know this is slightly off topic for this list, but I thought maybe somebody would know. Apologies in advance to anyone who didn't want to read this. 
I'm looking for some information on the current US restrictions on Import/Export of encrypted data, using something like PGP. If anyone has any pointers towards some sources, it would be tremendously helpful. Many thanks for your time. Al -- "It's fifteen hundred miles to Ankh-Morpork" he said. "We've got three hundred and sixty three elephants, fifty carts of forage, the monsoon's about to break and we're wearing ... we're wearing ... sort of things, like glass, only dark... dark glass things on our eyes..." - Terry Pratchett "Moving Pictures". Alan Horn - Computer Support and Sysadmin - Dreamworks SKG. (+1 818 733 6000) [Personal Email : deorth@mono.org] [Work Email : ahorn@dreamworks.com] From firewalls-owner Wed Jan 10 17:54:50 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA11525 for firewalls-outgoing; Wed, 10 Jan 1996 14:52:12 -0800 (PST) Received: from fastlane.net (fastlane.net [204.251.16.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA11518 for ; Wed, 10 Jan 1996 14:51:43 -0800 (PST) Received: (from lacoursj@localhost) by fastlane.net (8.6.8/8.6.6) id RAA01540; Wed, 10 Jan 1996 17:45:48 -0600 Date: Wed, 10 Jan 1996 17:45:48 -0600 (CST) From: "Jeffrey D. LaCoursiere" To: Brain21 cc: Neil , firewalls@GreatCircle.COM Subject: Re: Source Routed Packets In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk [excellent quasi-tutorial deleted] I am fairly certain that Wellfleet allows you to do this, if you consider a Wellfleet configured with filters a firewall... j > > What firewalls *WILL* allow you to filter on bit sequences like I > illustrated above??? When I asked this last time the only answer that I > got was that V-One will allow you to do this to create your own, more > specific rules. Is that possible? Does only *ONE* vendor support this? 
> > Thanks, > > Brain21 > From firewalls-owner Wed Jan 10 17:56:20 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA07375 for firewalls-outgoing; Wed, 10 Jan 1996 12:07:40 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA05781 for ; Wed, 10 Jan 1996 11:36:41 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-951213) id AAA21693; Wed, 10 Jan 1996 00:26:58 -0800 Received: from saul2.u.washington.edu(140.142.56.21) by mycroft via smap (V1.3mjr) id sma021685; Wed Jan 10 00:26:51 1996 Received: by saul2.u.washington.edu (5.65+UW95.12/UW-NDC Revision: 2.33 ) id AA05695; Wed, 10 Jan 96 00:28:42 -0800 X-Sender: cabralje@saul2.u.washington.edu Date: Wed, 10 Jan 1996 00:28:42 -0800 (PST) From: James Cabral To: Firewalls@GreatCircle.COM Subject: Re: Firewalls-Digest V5 #6 In-Reply-To: <199601050757.XAA28538@miles.greatcircle.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am interested to hear from anyone who has implemented Network Address Translation with TIS Gauntlet firewall. In particular, did you encounter any difficulties with this configuration? Are there any advantages/disadvantages to Gauntlet in regard to address translation? Thanks, Jim Cabral Jim Cabral 7712 Corliss Ave N, Seattle, WA 98103 Puget Technology Group Inc., Systems Engineer, Voice/Pager/Fax 206/525-1242 Univ. 
of Washington, 206/543-1017 From firewalls-owner Wed Jan 10 17:57:52 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA03182 for firewalls-outgoing; Wed, 10 Jan 1996 11:06:58 -0800 (PST) Received: from pimaia2w.prodigy.com (pimaia2w.prodigy.com [192.207.105.46]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA03177 for ; Wed, 10 Jan 1996 11:06:55 -0800 (PST) Received: from mailinb1.prodigy.com (tinahost [199.4.137.91]) by pimaia2w.prodigy.com (8.6.10/8.6.9) with SMTP id OAA38878 for ; Wed, 10 Jan 1996 14:05:30 -0500 Date: Wed, 10 Jan 1996 14:05:00 EST From: HFDK41A@prodigy.com (MR. JOHN K MOLNAR) X-Mailer: PRODIGY Services Company Internet mailer [PIM 3.2-334.50] Message-Id: <091.08356360.HFDK41A@prodigy.com> To: firewalls@Greatcircle.com Subject: Mergent Gauntlet? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi I got a fax this morning from Mergent, offering to sell me their Gauntlet Firewall??? What's a Gauntlet if it's not from TIS? Or is this the same stuff?? Confused. 
Thanks, -John Molnar From firewalls-owner Wed Jan 10 17:59:19 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA07059 for firewalls-outgoing; Wed, 10 Jan 1996 12:00:37 -0800 (PST) Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id MAA07046 for ; Wed, 10 Jan 1996 12:00:19 -0800 (PST) Received: from gmap-gw.leeds.ac.uk by relay4.UU.NET with ESMTP id QQzxyl10037; Wed, 10 Jan 1996 14:55:54 -0500 (EST) Received: from gmap3 (gmap-mailhub.leeds.ac.uk [129.11.200.3]) by gmap-gw.leeds.ac.uk (8.7.3/8.6.9) with SMTP id TAA16402 for ; Wed, 10 Jan 1996 19:44:41 GMT Received: from gmap.leeds.ac.uk (dannyc@gmap124 [129.11.200.124]) by gmap3 (8.6.12/8.6.9) with SMTP id TAA05024 for ; Wed, 10 Jan 1996 19:44:44 GMT From: Danny Cox Date: Wed, 10 Jan 1996 19:45:06 GMT Message-Id: <27217.9601101945@gmap.leeds.ac.uk> X-Planation: X-Faces images can be viewed with the XFaces program To: firewalls@greatcircle.com Subject: Firewall design - routers and commercial kit X-Sun-Charset: US-ASCII X-Face: (:_YnQcTM$q\Nl0.mYy:C'Y|(;&7.2m~Rc%xt; Wed, 10 Jan 1996 10:30:51 -0800 (PST) Received: from eredns.erenj.com(159.70.1.252) by ereapp.erenj.com via smap (V1.3) id sma003257; Wed Jan 10 13:29:37 1996 Posted-Date: Wed, 10 Jan 1996 13:29:36 -0500 From: "Bryan D. Boyle" Message-Id: <9601101329.ZM5477@maverick.erenj.com> Date: Wed, 10 Jan 1996 13:29:36 -0500 In-Reply-To: "Marcus J. Ranum" "Re: http-gw with authentication" (Jan 10, 12:59pm) References: <199601101759.MAA08450@switchblade.v-one.com> X-Phone: (908) 730-3338 X-Saying: Strange problems call for strange solutions. 
X-Face: "Pd&4kXWsi"3Hc_Y~I-ts24DN$w~Hh)&L-P9DZvE"~_~m),~Y&N_]TUIM*4.r@z$SxVL]}v=+IP>Fuq{zx%{KKj"Kys1Q5{|m*l}:[T;N:/=@5[xOIpR$%skp$f0#6^j\1+ -?l%Yk/+S8Y!3J@{~!Ao4-COV:Ft}{]oZ&1=!@<>UIh2s X-Mailer: Z-Mail (3.2.1 10apr95) To: firewalls@greatcircle.com Subject: Re: http-gw with authentication Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On 10 January 96, mjr abused small electrons by stating: > > [* how such a nightmare bodge of a protocol has been chosen > to be the vehicle for "electronic commerce" is a subject worth > a periodic boggle] Nah, on a periodic scan, perhaps, it is the 1990's proof of Gresham's Law. -- Bryan D. Boyle | EMAIL: bdboyle@erenj.com 908-730-3338 #include | http://www.access.digex.net/~bdboyle/index.html "It is only the ignorant who suppose themselves omniscient." --General Robert Edward Lee-- From firewalls-owner Wed Jan 10 18:02:55 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA06965 for firewalls-outgoing; Wed, 10 Jan 1996 11:59:22 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA06842 for ; Wed, 10 Jan 1996 11:58:37 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-951213) id CAA22996; Wed, 10 Jan 1996 02:55:15 -0800 Received: from haddock.demon.co.uk(158.152.16.191) by mycroft via smap (V1.3mjr) id sma022992; Wed Jan 10 02:54:48 1996 Received: from haddock.saa-cons.co.uk by smtpgate.saa-cons.co.uk with SMTP (5.65/1.3-eef) id AA11069; Wed, 10 Jan 96 11:00:47 GMT Received: by haddock.saa-cons.co.uk (AIX 3.2/UCB 5.64/5.00) id AA42344; Wed, 10 Jan 1996 11:00:46 GMT Date: Wed, 10 Jan 1996 11:00:39 +0000 (GMT) From: Dave Roberts To: firewalls@GreatCircle.COM Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura In-Reply-To: Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; 
charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 10 Jan 1996, Brain21 wrote: > Why did he not use TCPWrappers to prevent spoofing? I did't think that TCPWrapper was up to this. It can only do so much, which I believe is preventing source-routed packets, by disabling the socket option (according to the manual). If Mitnick was constructing his own IP packets (and I'm presuming he was), then he would have inserted the source address of the trusted host. Source routing would not have needed to be used. Your questions of why, are far too philisphosical for someone like me to have the pleasure to indulge in. :) -- Dave Roberts, Unix Systems Administrator, SAA Consultants Ltd, Plymouth, UK. "smap has the advantage [over bare sendmail] that it was written by somone who is almost certifiably paranoid" - Brent Chapman, London, 19 Oct 95. From firewalls-owner Wed Jan 10 18:04:25 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA06976 for firewalls-outgoing; Wed, 10 Jan 1996 11:59:31 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA06849 for ; Wed, 10 Jan 1996 11:58:39 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-951213) id BAA22424; Wed, 10 Jan 1996 01:59:12 -0800 Received: from mail1.digital.com(204.123.2.50) by mycroft via smap (V1.3mjr) id sma022421; Wed Jan 10 01:58:37 1996 Received: from ilosrv.ilo.dec.com by mail1.digital.com; (5.65 EXP 4/12/95 for V3.2/1.0/WV) id AA20125; Wed, 10 Jan 1996 01:54:30 -0800 Received: from ilofrs.ilo.dec.com by ilosrv.ilo.dec.com; (5.65/1.1.8.2/12Nov94-8.2MPM) id AA17451; Wed, 10 Jan 1996 09:53:56 GMT Received: by fwsrtr.fws.ilo.dec.com; (5.65/1.3/10May95) id AA01653; Wed, 10 Jan 1996 09:56:47 GMT Received: from karpov.fws.ilo.dec.com by hubba.fws.ilo.dec.com; (5.65/1.1.8.2/21Aug95-8.2MPM) id AA26262; Wed, 10 Jan 1996 09:55:12 GMT 
Organization: Digital Firewall Engineering Received: by karpov.fws.ilo.dec.com; (5.65v3.2/1.1.8.2/18Aug95-0213PM) id AA23434; Wed, 10 Jan 1996 09:53:55 GMT From: Dermot Tynan Message-Id: <9601100953.AA23434@karpov.fws.ilo.dec.com> Subject: Re: smap/smapd question To: tldb@eci-esyst.com (Tim Darnauer) Date: Wed, 10 Jan 1996 09:53:54 +0000 (GMT) Cc: firewalls@GreatCircle.COM In-Reply-To: from "Tim Darnauer" at Jan 9, 96 04:12:06 pm Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Tim Darnauer wrote: > > Does anyone know how or why smap, smapd, and sendmail are doing this? > Obviously I have a problem with my configuration but I've run out of > ideas. You don't provide a lot of details, but surmising, I'd say look at your MX records as seen at the originating host, and study the "Received:" headers to see who is getting the mail. Mail loops can often come about because the originating host thinks machine A has the cheapest MX (outside of the target), whereas machine A thinks machine B is cheapest, and machine B thinks machine A is cheapest, etc. - Der PS: Sorry for posting to the group at large, but I don't know if Tim Darnauer can receive mail... 
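The two checks Dermot suggests, written out as an added example for this digest (it is not code from his post, nor from smap or sendmail): first, follow the relay path a message takes when each host resolves the destination's MX records from its own point of view, and flag the loop; second, pull the relay chain out of the "Received:" headers of a message that did loop. Hostnames, MX tables, addresses and the sample headers below are constructed for illustration.

```python
"""Mail-loop diagnosis: trace MX-based relaying hop by hop, and read the
relay chain back out of Received: headers.  Added example; every hostname,
MX table and header line here is constructed, not from a real zone or site.
"""
import re
from typing import Dict, List, Optional, Tuple

# For each host, the MX list it would resolve for the destination domain, as
# (preference, mx_host).  A loop appears as soon as two relays disagree.
MxView = Dict[str, List[Tuple[int, str]]]


def next_hop(host: str, view: List[Tuple[int, str]]) -> Optional[str]:
    """Relay that `host` hands the message to, or None when it delivers
    locally.  Like sendmail, a host discards every MX whose preference is
    equal to or worse than its own entry, so it never relays to itself or to
    a backup that is more expensive than it is."""
    if not view:
        return None
    pref, mx = min(view)                      # cheapest MX as this host sees it
    own_pref = next((p for p, h in view if h == host), None)
    if mx == host or (own_pref is not None and pref >= own_pref):
        return None
    return mx


def trace_delivery(views: MxView, origin: str,
                   max_hops: int = 25) -> Tuple[List[str], bool]:
    """Follow the message from `origin`.  Returns the path of hosts touched
    and True when a host is visited twice (a mail loop)."""
    path, seen, host = [origin], {origin}, origin
    for _ in range(max_hops):
        nxt = next_hop(host, views.get(host, []))
        if nxt is None:
            return path, False
        path.append(nxt)
        if nxt in seen:
            return path, True
        seen.add(nxt)
        host = nxt
    return path, True                         # hop budget exhausted: looping


# Constructed scenario from the post: the sender and B think A is cheapest,
# while A (stale cache, or a different zone view) thinks B is cheapest.
LOOPED_VIEWS: MxView = {
    "sender.example": [(10, "a.example"), (20, "b.example")],
    "a.example":      [(10, "b.example"), (20, "a.example")],
    "b.example":      [(10, "a.example"), (20, "b.example")],
}
# Same hosts with a consistent zone: A relays to B, B delivers locally.
HEALTHY_VIEWS: MxView = {
    "sender.example": [(10, "a.example"), (20, "b.example")],
    "a.example":      [(10, "b.example"), (20, "a.example")],
    "b.example":      [(10, "b.example"), (20, "a.example")],
}

# ---- Received: header analysis -------------------------------------------
RECEIVED_BY = re.compile(r"^Received:.*?\bby\s+([\w.\-]+)", re.IGNORECASE)


def relay_chain(raw_headers: str) -> List[str]:
    """Hosts named in the 'by' clause of each Received: header, oldest first.
    Each relay prepends its own line, so header order is newest-first and is
    reversed here to recover the path the message actually took."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)   # join folded lines
    hosts = []
    for line in unfolded.splitlines():
        m = RECEIVED_BY.match(line)
        if m:
            hosts.append(m.group(1).lower())
    return list(reversed(hosts))


def repeated_relays(hosts: List[str]) -> List[str]:
    """Hosts that handled the same message more than once: the loop."""
    seen, dup = set(), []
    for h in hosts:
        if h in seen and h not in dup:
            dup.append(h)
        seen.add(h)
    return dup


# Constructed headers from a message that bounced between A and B.
SAMPLE_HEADERS = """\
Received: from b.example (b.example [192.0.2.2])
\tby a.example (8.6.12/8.6.12) with SMTP id AA0003; Wed, 10 Jan 1996 12:03:00 GMT
Received: from a.example (a.example [192.0.2.1])
\tby b.example (8.6.12/8.6.12) with SMTP id AA0002; Wed, 10 Jan 1996 12:02:00 GMT
Received: from sender.example (sender.example [198.51.100.7])
\tby a.example (8.6.12/8.6.12) with SMTP id AA0001; Wed, 10 Jan 1996 12:01:00 GMT
From: someone@sender.example
"""

if __name__ == "__main__":
    print(trace_delivery(LOOPED_VIEWS, "sender.example"))
    print(trace_delivery(HEALTHY_VIEWS, "sender.example"))
    chain = relay_chain(SAMPLE_HEADERS)
    print(chain, repeated_relays(chain))
```

The trace function models only the MX-preference rule (a relay drops MX entries at or above its own preference); real sendmail also consults its local routing tables, so feed it the MX lists as each host actually resolves them, not the ones you expect it to see.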
:)
--
Dermot Tynan                                       +353 91 754608
dtynan@ilo.dec.com                                 DTN: 822-4608
Digital Equipment International BV, Galway, Ireland


From firewalls-owner Wed Jan 10 18:06:34 1996
Date: Wed, 10 Jan 96 12:59:23 CST
From: pf26376@ci.deere.com (Paul A. Fisher)
Message-Id: <9601101859.AA09343@ci.deere.com>
To: firewalls@greatcircle.com
Subject: Allow SSL through a firewall?

I would like to allow access from the Internet to a WWW server that would
have access to our corporate data. Because of the security implications, I
would like that WWW server to be behind a firewall. I have tried to outline
my design below and I would appreciate any comments about possible problems
I may be opening myself up for.

                ************                  !
  client------*  Internet  *------Firewall----!---WWWserver
                ************                  !
                                        Internal Network

The firewall would 'plug' (*not* proxy) port 443 inbound to the WWWserver.
The WWWserver would run Netscape's Commerce server and use SSL to encrypt
the entire session (non-SSL connections would be rejected). At that point
we would have an encrypted session between the client and server that can
pass whatever is necessary for the application (including userids and
passwords?).

The purpose of 'plugging' port 443 through the firewall is that the
WWWserver would be behind the firewall and thus not be subject to attack
using other services (telnet, sendmail, etc.). The http server would have
to be secured against outside attack, but not the entire machine. Also,
this allows the applications running on the WWWserver to have access to all
of the internal data servers without having to find their way through the
firewall.

There are still some questions that we need to answer from an application
standpoint: Is SSL encryption 'strong' enough for our purposes? Does the
'magic cookie' in the client present a problem? But from a network security
standpoint, we shouldn't have a problem.

Does anyone see any other problems with this proposed configuration?

TIA,
Paul

Paul A. Fisher                          paulf@ci.deere.com
Deere & Company, W3LSW                  ...uunet!deere!paulf
John Deere Road                         (309) 765-4547
Moline, Illinois 61265                  (309) 765-5242 FAX


From firewalls-owner Wed Jan 10 18:08:05 1996
Date: Wed, 10 Jan 96 09:47:34
From: "RDA"
Message-Id: <9600108212.AA821296054@etf.etf.it>
To: firewalls@greatcircle.com
Subject: RE: firewalls reviews/comparisons

______________________________ Forward Header __________________________________
Subject: RE: firewalls reviews/comparisons
Author:  Neil at INTERNET
Date:    1/9/96 3:41 PM

>> 2) I've been searching for information on the best firewall to purchase
>> for our needs and have not come across any reviews/comparisons on which
>> is best (I have a list of all of the firewalls available and their
>> descriptions but not any comparisons). Anyone know of any reviews and
>> where to find them? We require a firewall which could support a very
>> high throughput so we would probably require a hardware-based firewall.
>> Configuring our front-end router to act as a firewall isn't a practical
>> option. Any information would be appreciated. Thanks,
>
>There was a review of commercial firewalls in (I think) Byte or something
>like that a little while ago, the machines being the TIS Gauntlet, Border
>Ware and Firewall 1. Perhaps someone with a better memory than me can
>clarify.
>
>> Brian Hescock
>> hescockb@86aw4.ramstein.af.mil

Hello, just for info, the Byte issue mentioned is from April '95 under the
'Network security' section. As a newbie myself, I found it quite useful.

I'm hoping to set up a firewall based on NT 3.51 which will also act as a
WWW proxy. Does anyone have any inside info on the expected
release/functionalities of the Microsoft Catapult package?

Since most of the clients on the net I need to protect are running IPX
(some run both IPX and TCP/IP), I would like to know the opinion of the
experts on the possibility of a Web proxy machine also doing a 'protocol
conversion', i.e. surely it's theoretically possible for the WWW clients on
the protected net to connect to the proxy over IPX (or Netbeui) and for the
proxy to go out of a second card on TCP/IP to the Internet???

I would imagine that blocking all TCP/IP through the firewall in this way
would go a long way to protecting sensitive UNIX hosts on the inside.

Has this been done before? Am I seriously misguided?

Thanks for any opinions.

Richard Anstey.

=============================================================================
========  E-mail messages from the European Training Foundation    =========
========  shall not in any way be legally binding.                  =========
=============================================================================


From firewalls-owner Wed Jan 10 18:15:09 1996
Message-Id: <199601101156.DAA23326@mycroft.GreatCircle.COM>
From: Carolina Elortegui
Subject: SunOS, NIS and some intruder
To: Firewalls@GreatCircle.COM
Date: Wed, 10 Jan 96 7:56:26 SAT

I just want some help understanding something that happened here on
Friday.

I'm the sysadmin in a lab with 4 HPs and 2 Suns. I have worked a lot with
the HPs, but almost never with the Suns, because there was another person
who did it. This person left the lab, and now I have to learn about SunOS
and BSD-like UNIX.

There is a NIS server, let's call it "A", and there is a NIS client, let's
call it "B". On Thursday I deleted a user from both systems, because we
don't want him to access our net. On Friday I found that the "user" I had
deleted the day before accessed "B", and he has no login in /etc/passwd,
/etc/group, etc. I was looking with the last command at what had happened,
and I saw that the user accessed machine "B" plenty of times that day.

I am really new to sysadmin labors on the Sun machines; I really know
HP-UX. Maybe there is something I don't know happening with the NIS service
and something about the Yellow Pages service. I have to tell you that the
person who was here before me just left the Suns as they were. I don't know
what they did there; I am finding it out right now.

Thanks for helping me
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Carolina Elortegui                 Laboratorio de Postgrado
Universidad Central de Venezuela   Administrador
Facultad de Ciencias               Escuela de Computacion
E-mail: celort@kuma.ciens.ucv.ve
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


From firewalls-owner Wed Jan 10 18:44:47 1996
Date: Wed, 10 Jan 1996 21:22:28 -0500 (EST)
From: "A. Padgett Peterson, P.E. Information Security"
To: firewalls@greatcircle.com
Message-Id: <960110212228.20200c26@hobbes.orl.mmc.com>
Subject: re: Encryption export lawz from US

Al rites:

>I'm looking for some information on the current US restrictions on
>Import/Export of encrypted data, using something like PGP. If anyone has any
>pointers towards some sources, it would be tremendously helpful.

Since the import/export of encrypted data/messages has no US restrictions, I
doubt that you will find any. ITAR (International Trade in Arms Regulation)
covers cryptographic devices and analysis tools, e.g. what you need to
*create* or break a cryptographic message (as I read it a decrypt-only
engine is not covered - your mileage may vary).

Warmly,
Padgett


From firewalls-owner Wed Jan 10 18:49:38 1996
Message-Id: <199601110222.SAA29907@lint.cisco.com>
Date: Wed, 10 Jan 1996 21:23:26 -0500
To: "Alan C.Horn"
From: Paul Ferguson
Subject: Re: Encryption export laws from US..
Cc: firewalls@GreatCircle.COM

You may want to redirect this request to the cypherpunks mailing list
instead, where you have a more on-topic audience.

- paul

At 05:02 PM 1/10/96 -0800, Alan C.Horn wrote:
>
>I know this is slightly off topic for this list, but I thought maybe somebody
>would know. Apologies in advance to anyone who didn't want to read this.
>
>I'm looking for some information on the current US restrictions on
>Import/Export of encrypted data, using something like PGP. If anyone has any
>pointers towards some sources, it would be tremendously helpful.
>
>Many thanks for your time.
>
>Al
>
>--
>"It's fifteen hundred miles to Ankh-Morpork" he said. "We've got three hundred
>and sixty three elephants, fifty carts of forage, the monsoon's about to break
>and we're wearing ... we're wearing ... sort of things, like glass, only dark...
>dark glass things on our eyes..."
>                        - Terry Pratchett "Moving Pictures".
>
>Alan Horn - Computer Support and Sysadmin - Dreamworks SKG. (+1 818 733 6000)
> [Personal Email : deorth@mono.org]    [Work Email : ahorn@dreamworks.com]
>

--
Paul Ferguson                      ||        ||
Consulting Engineering             ||        ||
Reston, Virginia USA              ||||      ||||
tel: +1.703.716.9538          ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com      c i s c o  S y s t e m s


From firewalls-owner Wed Jan 10 19:06:59 1996
Message-Id: <199601110207.SAA13168@stilton.cisco.com>
To: nicholscs@agedwards.com (Nichols,Christopher)
Cc: firewalls@GreatCircle.COM
Subject: Re: SecureID
In-Reply-To: Your message of "Wed, 10 Jan 1996 08:00:29 CST." <1996Jan10.075400.1093.22480@igate.agedwards.com>
Date: Wed, 10 Jan 1996 18:07:36 -0800
From: David Carrel

If the cisco is the authentication point, then you will need to use TACACS
or TACACS+ to utilize the SecureID token card. Then run the TACACS or
TACACS+ server on box D. Alternatively you could run the TACACS or TACACS+
server on B and run the SDI protocol from there to D.

Definitely TACACS+ is preferred since it is encrypted and supports the
resynchronization that the SecureID cards need every now and then.

I'd venture that placing the server on B is less secure, but that's hard to
say for sure without a clear picture of your topology.

Dave

> I am investigating the use of Security Dynamics ACE Servers and SecurID
> tokens and have a question concerning packet filtering and the passing of
> the SDI packets through our net.
>
> Given the design:
>
> A (Cisco)-----External Segment-----B(HP Box)----------C(Cisco)----------D(Internal Net)
>
> A - external router and authentication point
> B - HP Box where App for users on external segment resides (routing is off)
> C - Screening Filter/Firewall
> D - Internal Net where ACE Server would reside
>
> Since the design may exist in multiple sites, we plan to use strong filtering
> between the HP box (B) and the Internal Net (D). We are also considering a
> commercial firewall at C. My understanding is that the SDI authentication
> process uses dynamically assigned port numbers (udp) > 1024. That would
> require us to open all ports > 1024 at point C so that SDI could pass from A
> to D. This is not desirable.
>
> 1) With routing off at B does anyone know of an existing proxy to pass the
> SDI packets across from A to C? or has anyone written one?
> 2) How can we setup an effective firewall at C without having to open all
> ports > 1024 and still allow the SDI authentication process to pass?
>
> One suggestion was to use TACACS. Any thoughts?
>
> Chris
>


From firewalls-owner Wed Jan 10 19:29:36 1996
From: "Marcus J. Ranum"
Message-Id: <199601110236.VAA09986@switchblade.v-one.com>
Subject: Re: Firewalls-Digest V5 #14
To: Firewalls@GreatCircle.COM
Date: Wed, 10 Jan 1996 21:36:05 -0500 (EST)
In-Reply-To: <199601110004.QAA14210@miles.greatcircle.com> from "firewalls-digest-owner@uunet.uu.net" at Jan 10, 96 04:04:10 pm
Reply-To: mjr@switchblade.v-one.com
Organization: V-One Corporation, Baltimore, MD

Steven K. Sharp writes:
>Please forgive me if this is a stupid question, but why is UDP such a bad
>thing? Especially things like RealAudio, this uses UDP to communicate (as
>do many other programs). What security risk does UDP pose?

UDP in itself isn't a lot of a security risk. Indeed, you can trivially
build highly secure protocols that run atop of UDP. The problem is that
most writers of UDP-based protocols don't. :) Of course, the same may be
said of writers of TCP-based protocols. :(

The whole "UDP is evil" thing came about because it's a whole lot easier
to spoof UDP traffic than it is TCP traffic. The thing that a lot of
people (myself included!) didn't take into account was that "a whole lot
harder" doesn't mean much when you're dealing with an attacker who has
time on his hands.

The TCP protocol is stateful - packets arrive neatly checksummed and
sequenced (or at least with sequencing information) and only start to
flow back and forth after a virtual connection negotiation protocol is
successfully completed. UDP datagrams are simply spat at the recipient
who has the choice of accepting them or not. To spoof a UDP packet
probably takes 40 lines of C code. To spoof a TCP session probably takes
200, and a couple of systems in the right place, and a misconfigured
router. So, a lot of security dweebs (myself included!) deal with UDP by
putting a bullet through it, and kicking some sand over the corpse.

To make matters worse a lot of UDP applications (most notably Sun RPC,
and RealAudio) run on arbitrary ports, which makes them even harder to
sensibly track. A lot of folks are comfortable letting UDP port 53 (DNS)
into their firewalls. DNS is pretty well-known and well-behaved. Not so
RPC.

So - it's not that UDP is bad. It's more accurate to say that most of the
UDP applications are bad, and we tend to tar the protocol with the same
brush. An authenticated UDP-based datagram service would be a fine thing
I'd have no problem letting through a firewall.

RealAudio, to take (or make) an example, is one of those naughty UDP
apps. It assumes that it can talk to arbitrary machines in your network
on any of an arbitrary set of ports. Or it won't work. Brilliant design.
The way to let it through the firewall is to open a hole for those port
ranges. What happens to your network if there is some other service on
those ports is your problem, not RealAudio's. :(

My feeling, after wrestling with all these mis-designed protocols, is
"bad protocols: just say 'no'"

...and then there's the Web.

mjr.
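The contrast mjr draws between TCP's negotiated connection and UDP's "spat at the recipient" datagrams is what a firewall has to make up for on its own. The following is an added example for this digest, not code from mjr's post or from any product named in it: a minimal stateful UDP filter that admits an inbound datagram only when it is the exact mirror of an outbound one seen recently (the way a DNS reply on port 53 matches the query), run side by side with the "open a hole for those port ranges" approach on the same constructed trace. Addresses and ports are constructed, and the static port range is an assumption chosen for illustration, not a documented RealAudio range.

```python
"""Stateful UDP filtering versus a static port-range hole.  Added example;
all addresses, ports and the trace are constructed, and the port range used
for the static hole is an illustrative assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Datagram:
    direction: str   # "out" = inside -> outside, "in" = outside -> inside
    src: str
    sport: int
    dst: str
    dport: int
    t: float         # seconds; increases through the trace


# Flow identity as seen from the inside: (inside_ip, inside_port, outside_ip, outside_port)
FlowKey = Tuple[str, int, str, int]


class UdpStateFilter:
    """Pseudo-connection tracking for a connectionless protocol: the only
    inbound datagrams allowed are replies to live outbound flows."""

    def __init__(self, idle_timeout: float = 30.0) -> None:
        self.idle_timeout = idle_timeout
        self.flows: Dict[FlowKey, float] = {}      # flow -> last time seen

    def _expire(self, now: float) -> None:
        stale = [k for k, last in self.flows.items() if now - last > self.idle_timeout]
        for k in stale:
            del self.flows[k]

    def decide(self, d: Datagram) -> str:
        self._expire(d.t)
        if d.direction == "out":
            # An outbound datagram creates (or refreshes) the flow entry.
            self.flows[(d.src, d.sport, d.dst, d.dport)] = d.t
            return "ALLOW"
        # Inbound: the 4-tuple must mirror a live outbound flow exactly.
        key = (d.dst, d.dport, d.src, d.sport)
        if key in self.flows:
            self.flows[key] = d.t
            return "ALLOW"
        return "DROP"


def static_hole(d: Datagram, port_range: Tuple[int, int]) -> str:
    """The 'open a hole for those port ranges' policy: anything inbound to a
    port in the range is admitted, whether or not anyone asked for it."""
    lo, hi = port_range
    if d.direction == "out":
        return "ALLOW"
    return "ALLOW" if lo <= d.dport <= hi else "DROP"


# Constructed trace: a DNS exchange, an unsolicited packet from a different
# peer, a media-style flow on high ports, an unsolicited packet to another
# inside host, and a late reply after the flow has gone idle.
TRACE: List[Datagram] = [
    Datagram("out", "10.0.0.5", 1234, "198.51.100.53", 53, 0.0),    # DNS query
    Datagram("in", "198.51.100.53", 53, "10.0.0.5", 1234, 0.1),     # its answer
    Datagram("in", "203.0.113.9", 53, "10.0.0.5", 1234, 0.2),       # unsolicited, other peer
    Datagram("out", "10.0.0.5", 7000, "203.0.113.9", 7070, 1.0),    # inside host opens a flow
    Datagram("in", "203.0.113.9", 7070, "10.0.0.5", 7000, 1.5),     # matching reply
    Datagram("in", "203.0.113.9", 7070, "10.0.0.7", 7001, 1.6),     # unsolicited, other host
    Datagram("in", "198.51.100.53", 53, "10.0.0.5", 1234, 45.0),    # reply after idle timeout
]

ASSUMED_MEDIA_RANGE = (6970, 7170)   # illustrative high-port range, an assumption


def run_stateful(trace: List[Datagram], idle_timeout: float = 30.0) -> List[str]:
    f = UdpStateFilter(idle_timeout)
    return [f.decide(d) for d in trace]


def run_static(trace: List[Datagram], port_range=ASSUMED_MEDIA_RANGE) -> List[str]:
    return [static_hole(d, port_range) for d in trace]


if __name__ == "__main__":
    for d, s, h in zip(TRACE, run_stateful(TRACE), run_static(TRACE)):
        print(f"{d.direction:3} {d.src}:{d.sport} -> {d.dst}:{d.dport}  stateful={s:5} static-hole={h}")
```

The state table proves only that an inbound datagram mirrors a request the inside host actually sent; it cannot tell a genuine reply from a forged one that carries the same four addresses, which is why mjr wants authentication in the protocol itself rather than in the firewall. What it does buy you is the difference in the trace: the static hole admits the datagram aimed at 10.0.0.7, which nobody inside asked for, while the stateful filter drops it.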
----
Chief Scientist, V-ONE Corporation
work http://www.v-one.com
personal http://www.clark.net/pub/mjr/mjr-top.html

From firewalls-owner Wed Jan 10 19:39:30 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA19154 for firewalls-outgoing; Wed, 10 Jan 1996 18:36:45 -0800 (PST)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id SAA19141 for ; Wed, 10 Jan 1996 18:36:38 -0800 (PST)
Received: from pm1-30.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA03286; Wed, 10 Jan 96 21:35:39 -0500
Date: Wed, 10 Jan 96 21:35:39 -0500
Message-Id: <9601110235.AA03286@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.com
From: frankw@in.net (Frank Willoughby)
Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>From the desk of Scott Rickard:
>Date: Tuesday, January 09, 1996 9:56PM
>Brain21 writes:
>
>>I would like to know this... if Shimomura is so good (and I actually
>>believe that he may be) then why did he leave the r-utils enabled? Why
>>did he not use TCPWrappers to prevent spoofing? Why did he allow people
>>to see inside his network (Mitnick saw that there was a machine
>>"X-something" that he believed was trusted by Shimomura's machine)?
>Snip
>>Just wondering why...
>
>The answer is quite clear if you have spook world experience and
> identify with several key elements quoted in Frank Willoughby's
> re-post of the Cypherpunks mailing list message regarding extracts
> from Jonathan Littman's book "The Fugitive Game: Online With Kevin Mitnick,"
>
>Scott Rickard
>Senior IT Engineering Consultant
>Scott_Rickard@mc.xerox.com

Sorry, but I'm not much for conspiracy theories (unless we're talking about corporate politics). 8^)

Personally, I think there is an easier explanation without having to reach for a conspiracy theory. I could take a couple of guesses what went wrong, but they would hold no more water than any other theories. In defense of Shimomura (who isn't here to defend himself), I'll stick to what I've heard that it wasn't anything he had any choice over. There are three advantages to this:

1) It gives Tsutomu Shimomura the benefit of a doubt. (Since we don't have all of the facts, I think he deserves the benefit of a doubt).
2) It provides a ready explanation for a person of his caliber having his system compromised.
3) It happens in real life - frequently.

I've seen situations in many companies where a manager who was essentially clueless about security ordered the security person to lower their guard for a special high-priority project (are there really any other kind?) which had a (wildly) unrealistic deadline - usually as a result of poor planning. Sometimes you get lucky, sometimes you don't. Shimomura didn't.

FWIW, a frequent scenario that plagues many Information Security Officers is when Project Managers plan everything down to the nth detail and somehow don't think of Information Security until they are ready to go live or the deadline is only a few days away (and then only when you gently remind them). (By then, it is usually too late to do anything except get extremely creative in your ability to design work-arounds & pull rabbits out of the hat & saving the day at the last minute.) At this point, it depends on how quickly the Information Security Officer can educate the Project Manager (or a couple of his higher-up managers) about the security risks of what is about to transpire and the probable risk to the Corporation (measured in dollars, manpower, equipment, etc.).
Having said this, the Information Security Officer will then cross his fingers for luck, say a little prayer, and hope that the Corporate powers-to-be see the wisdom of his logic and won't allow the proposed security risk to happen. If things go well, the risk doesn't happen. If it does, then life suddenly gets very interesting and you have Carte Blanche for all the overtime you could ever dream of. 8^)

As for me, I suspect the above scenario is more likely than a conspiracy theory. However, since none of us has access to the facts & Shimomura isn't here to clear the air, your theories are just as valid as mine.

Best Regards,

Frank
Fortified Networks Inc. - Management & Information Security Consulting
Phone: (317) 573-0800 - http://www.fortified.com/fortified/
The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.

From firewalls-owner Wed Jan 10 19:43:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA20030 for firewalls-outgoing; Wed, 10 Jan 1996 18:58:23 -0800 (PST)
Received: from us.checkpoint.com (us.checkpoint.com [206.86.35.130]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id SAA20023 for ; Wed, 10 Jan 1996 18:58:19 -0800 (PST)
Received: from gil.us.checkpoint.com (latte) by us.checkpoint.com (5.x/SMI-SVR4) id AA15069; Wed, 10 Jan 1996 18:58:08 -0800
Date: Wed, 10 Jan 1996 18:58:08 -0800
Message-Id: <9601110258.AA15069@us.checkpoint.com>
X-Sender: emily@us.checkpoint.com
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: Emily Cohen
Subject: Re: SSL and S-HTTP Proxy support
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>From: Bill Husler
>Date: Fri, 5 Jan 1996 20:46:16 -0800
>Subject: Re: SSL and S-HTTP Proxy support
>
>>From: Brian W. McKenney, mckenney@smiley.mitre.org
>>
>>I would like to have an update as to which commercial firewall vendors
>>support or plan to support (when) an SSL and/or S-HTTP proxy. I will post
>>a summary.
>>
>>This is the information that I have:
>>
>>1. TIS Gauntlet: SSL and S-HTTP proxies in next release.
>>2. KarlBridge/KarlBrouter: S-HTTP proxy
>>3. Milkyway Blackhole: S-HTTP
>>4. SOS Brimstone: S-HTTP proxy
>>5. Technologic Interceptor: S-HTTP proxy
>>6. V-One SmartWall: S-HTTP proxy
>>
>>License versions of TIS Gauntlet will support whatever the next Gauntlet
>>release supports.
>>
>You can add ANS Interlock to your list.
>Bill
>

You can also add CheckPoint FireWall-1 to your list. We support both S-HTTP and SSL through our stateful inspection architecture.

/emily

From firewalls-owner Wed Jan 10 19:58:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id TAA20858 for firewalls-outgoing; Wed, 10 Jan 1996 19:16:34 -0800 (PST)
Received: from quito.CS.Berkeley.EDU (quito.CS.Berkeley.EDU [128.32.43.69]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id TAA20853 for ; Wed, 10 Jan 1996 19:16:22 -0800 (PST)
Received: (from daw@localhost) by quito.CS.Berkeley.EDU (8.6.11/8.6.9) id TAA26648 for firewalls@greatcircle.com; Wed, 10 Jan 1996 19:15:23 -0800
From: David A Wagner
Message-Id: <199601110315.TAA26648@quito.CS.Berkeley.EDU>
Subject: safe X windows proxy
To: firewalls@greatcircle.com
Date: Wed, 10 Jan 1996 19:15:22 -0800 (PST)
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm seeking a safe X windows proxy which will filter out dangerous X11 protocol requests from the outside, so I can use X across a firewall. The idea is simple: I want to be able to pop up a window on my (internal) X server, where the window is controlled by a X client on the external network.
I don't want the outside client to be able to issue any dangerous requests -- I don't trust it. (For example, the external client shouldn't be able to grab key strokes typed into other windows.)

A simple forwarder which blindly passes on all X traffic is not what I'm looking for -- I've seen x-gw and xforward, and I can't use them, since they don't do any filtering.

I searched the firewalls archives diligently: no joy. (Hope this isn't a FAQ!)

I read about a safe X proxy in the USENIX '95 Security Symposium proceedings; this Xgate thing sounded like exactly what I'm looking for, but I haven't been able to find source or contact the author (Brian Kahn). Any clues?

Xnest looks vaguely interesting, but I'm not sure it's secure. Comments?

Are there any other possibilities? Many thanks for any info you can offer!

--
Dave Wagner
daw@cs.berkeley.edu

From firewalls-owner Wed Jan 10 20:13:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA19588 for firewalls-outgoing; Wed, 10 Jan 1996 18:45:50 -0800 (PST)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id SAA19583 for ; Wed, 10 Jan 1996 18:45:40 -0800 (PST)
Received: from pm1-30.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA03626; Wed, 10 Jan 96 21:44:44 -0500
Date: Wed, 10 Jan 96 21:44:44 -0500
Message-Id: <9601110244.AA03626@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.com
From: frankw@in.net (Frank Willoughby)
Subject: Re: I cannot read your mail
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>From the desk of Wang, Qin:
>JOSE LUIS VERDEGUER NAVARRO,
>
>I have received 3 pieces of your mails since yesterday, but they have only the
>mail header. So I cannot read the contents and I do not know why. I use cc:Mail
>and I suppose it's due to MIME or something else.
>
>In your mail header,
>> Mime-Version: 1.0
>> Content-Type: TEXT/PLAIN; CHARSET=US=ASCII
>
>I do not know if the others you send mail to can read the contents
>
>Regards,
>
>Wang, Qin

I think he is using one of those "transparent proxies" in his firewall. These can sometimes cause the characters in the mail to assume the same color as the background - making them transparent. Fortunately, I have an opaque proxy and the text is converted back. Not bad postings actually. 8^) 8^) 8^)

All kidding aside. The same thing happened to me. I sent him a brief message telling him that his mails were arriving OK, but somehow his text didn't make the trip. Oh well. Hopefully he will get the problem fixed soon.

Best Regards,

Frank
Fortified Networks Inc. - Management & Information Security Consulting
Phone: (317) 573-0800 - http://www.fortified.com/fortified/
The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.

From firewalls-owner Wed Jan 10 20:43:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id TAA21962 for firewalls-outgoing; Wed, 10 Jan 1996 19:40:57 -0800 (PST)
Received: from montag33.residence.gatech.edu (montag33.residence.gatech.edu [199.77.171.12]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id TAA21946 for ; Wed, 10 Jan 1996 19:40:44 -0800 (PST)
Received: (from brain21@localhost) by montag33.residence.gatech.edu (8.6.12/8.6.9) id WAA18554; Wed, 10 Jan 1996 22:38:47 -0500
Date: Wed, 10 Jan 1996 22:38:47 -0500 (EST)
From: Brain21
To: Doug Hughes
cc: firewalls@greatcircle.com
Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 10 Jan 1996, Doug Hughes wrote:

> 2) the spoofing attack had not become common knowledge and widespread use
> until this series of attacks was demonstrated. Papers had been around
> for years on the potential for this, but, as I recall, until this time,
> there weren't any hacker tools that were widely known about for exploiting.

I agree, but the possibility is always there. If you are in the security business, then it pays to protect against everything possible, and not to underestimate your "adversaries."

> Remember, (Not that this means anything but), the CERT advisory wasn't
> published until 1/23 95 and the attacks took place over Xmas of '94.
> To the best of my recollection, the sequence number randomizing (which
> is MUCH harder to implement than the router rules that prevent spoofing)
> wasn't available until January of '95 either.
> Now, CERT is usually slow about announcing such things, but, the patch
> was relatively simple to implement in a router, so, you'd think that
> not long after they heard about it, it would be posted. Even the sites

That doesn't necessarily mean anything. I've seen advisories come out from cert WELL after other advisories have come out on other mailing lists, with patches and everything.

I think my point is that Shimomura should not have underestimated Mitnick or anyone, especially since he KNEW that it was possible. Overconfidence? I don't know. Maybe Shimomura didn't even set up the security there and trusted it? I don't know. I just find it kinda ironic.
Brain21

From firewalls-owner Wed Jan 10 20:58:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id TAA22538 for firewalls-outgoing; Wed, 10 Jan 1996 19:55:36 -0800 (PST)
Received: from montag33.residence.gatech.edu (montag33.residence.gatech.edu [199.77.171.12]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id TAA22533 for ; Wed, 10 Jan 1996 19:55:31 -0800 (PST)
Received: (from brain21@localhost) by montag33.residence.gatech.edu (8.6.12/8.6.9) id WAA18582; Wed, 10 Jan 1996 22:53:30 -0500
Date: Wed, 10 Jan 1996 22:53:30 -0500 (EST)
From: Brain21
To: Mike Shaver
cc: frankw@in.net, firewalls@GreatCircle.COM, jya@pipeline.com
Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting)
In-Reply-To: <199601101730.MAA13228@neon.ingenia.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 10 Jan 1996, Mike Shaver wrote:

> Thus spake Brain21:
> > I would like to know this... if Shimomura is so good (and I actually
> > believe that he may be) then why did he leave the r-utils enabled?
>
> Convenience, I would guess.
> Allowing access without passwords, I don't know.

That's what I figured. Maybe a little carelessness? I would not be surprised if many of the security experts out there worked on less secure machines than what they set up for their clients. Hell, my father used to do top secret work for the Dept. of Defense (he needed "Q" clearance, and needs higher now) and the office where he worked communicated to its other offices over the net. They used netcom. Not too terribly secure if you ask me. They did not use encryption.

> > How do they prevent spoofing? They check IP address (and some DNS
> stuff not related to IP-level spoofing) for "identification" the same

Yes, my mistake (been told so many times now, as you can imagine), my mistake.
> > Do you mean "why did he allow packets to reach machines on his
> network"? Internet connectivity would seem a good reason.

If I recall correctly (and I may not) Mitnick fingered the machines. IF so, why was it allowed? Why were the probes inside allowed at all? On big university machines, I can see, but you don't need to allow it for EVERY department. And you don't need to sacrifice a net connection either.

> > > I believe that Shimomura knew of the possibility of this type of
> > > attack WAY ahead of time (like months or years).
>
> There was a paper published by (I believe) Steve Bellovin in (I
> believe) the mid-80s that discussed this type of attack. Nothing new
> here...
>

Late '80's and Shimomura knew about it by at least 90 or 91. The attack happened in (late) 94.

From firewalls-owner Wed Jan 10 21:13:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id UAA24117 for firewalls-outgoing; Wed, 10 Jan 1996 20:20:52 -0800 (PST)
Received: from montag33.residence.gatech.edu (montag33.residence.gatech.edu [199.77.171.12]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id UAA24095 for ; Wed, 10 Jan 1996 20:20:46 -0800 (PST)
Received: (from brain21@localhost) by montag33.residence.gatech.edu (8.6.12/8.6.9) id XAA18642; Wed, 10 Jan 1996 23:05:33 -0500
Date: Wed, 10 Jan 1996 23:05:33 -0500 (EST)
From: Brain21
To: scott_rickard@mc.xerox.com
cc: firewalls@greatcircle.com
Subject: Re: your mail
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I don't buy it. First off, the CIA wouldn't be involved (well, ok, at least not legally...). This is mainly the SS's territory, and the FBI sometimes gets involved as well. I doubt that it was a serious enough thing that the NSA would get involved too.

Let's assume that the CIA or NSA *were* involved via Shimomura, as you have implied may be a possibility.
I doubt that Shimomura would have given such detailed account of the attacks so quickly. It would be more characteristic to keep it a little quiet, don't you think? It just does not sit well with me at all.

BTW, did cypherpunks mention anything about how Mitnick got root on toad.com to do the spoofing? That's where Shimomura said the initial probes came from...

Brain21

From firewalls-owner Wed Jan 10 21:28:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id UAA23330 for firewalls-outgoing; Wed, 10 Jan 1996 20:10:08 -0800 (PST)
Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id UAA23324 for ; Wed, 10 Jan 1996 20:09:55 -0800 (PST)
From: mail06823@pop.net
Received: from alterdial.UU.NET by relay3.UU.NET with SMTP id QQzxzs23004; Wed, 10 Jan 1996 23:08:58 -0500 (EST)
Received: from 205.230.245.90 by alterdial.UU.NET with SMTP id QQzxzs23914; Wed, 10 Jan 1996 23:08:50 -0500
Date: Wed, 10 Jan 1996 23:08:50 -0500
Message-Id:
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Subject: Survey on Dangers of SNMP / Respond with your 2 cents on the survey
To: firewalls@greatcircle.com
X-Mailer: SPRY Mail Version: 04.00.06.17
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I would appreciate it if you can take a moment to respond to my email address (not the whole list) to "vote" on if you think SNMP traffic should pass through a Firewall. Your response should be simple (Yes, No, Maybe based on a condition), or better still, please share your stories and experiences on the dangers.

I understand that SNMP is great for management, but I do not want to jeopardize my company so that I can get tons of management information that I may not need (I would argue that paring down services and allowing the Firewall architecture to do its job may be a viable alternative).
I do not have a requirement to use my existing Enterprise Network Management system.

Thanks for your responses, and I will post a synopsis when I receive enough results to be meaningful.

Thanks.

From firewalls-owner Wed Jan 10 22:28:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA27245 for firewalls-outgoing; Wed, 10 Jan 1996 21:09:14 -0800 (PST)
Received: from solarnum.itd.uts.edu.au (solarnum.itd.uts.EDU.AU [138.25.16.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id VAA27228 for ; Wed, 10 Jan 1996 21:08:59 -0800 (PST)
Received: from maverick.itd.uts.edu.au (matt@maverick.itd.uts.EDU.AU [138.25.16.41]) by solarnum.itd.uts.edu.au (8.7.3/8.7.1/uts) with ESMTP id QAA08009 for ; Thu, 11 Jan 1996 16:05:48 +1100 (EST)
Received: (from matt@localhost) by maverick.itd.uts.edu.au (8.7.3/8.7.3/Jas) id QAA01893 for firewalls@greatcircle.com; Thu, 11 Jan 1996 16:08:29 +1100
From: Jas (Matthew K)
Message-Id: <199601110508.QAA01893@maverick.itd.uts.edu.au>
Subject: Re: Firewalls-Digest V5 #14
To: firewalls@greatcircle.com (Firewalls Mailing List)
Date: Thu, 11 Jan 1996 16:08:28 +1100 (EST)
In-Reply-To: <199601110236.VAA09986@switchblade.v-one.com> from "Marcus J. Ranum" at Jan 10, 96 09:36:05 pm
X-Gcb: -----BEGIN GEEK CODE BLOCK-----
X-Gcb: Version: 3.1
X-Gcb: GAT/M/CS d-(++) s++:-- a-(?) C+++$ UVS++++$ P+++ L+ E++ W++ N++
X-Gcb: !o K+ w--- O+ M+ V-- PS+ PE+ Y+ PGP++ t+ 5+ X++ R tv- b++ DI+
X-Gcb: D+ e h- r !y
X-Gcb: ------END GEEK CODE BLOCK------
X-Ph: ph: +61 2 330 1390 fax: +61 2 330 1999 home: +61 2 9929 0717
X-Pager: +61 2 214 1111 #849482 or 849482@pager.link.com.au
X-Pgp-Finger: pub 2048/27FB4AE1 1995/09/30 Jas (Matthew K)
X-Pgp-Finger: Key fingerprint = 3A1EEDBE7A6D498D E7953FB40A21A6C8
X-Mailer: ELM [version 2.4 PL25]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Marcus J. Ranum wrote this...
> To make matters worse a lot of UDP applications (most
> notably Sun RPC, and RealAudio) run on arbitrary ports, which
> makes them even harder to sensibly track. A lot of folks are
> comfortable letting UDP port 53 (DNS) into their firewalls.
> DNS is pretty well-known and well-behaved. Not so RPC.

well the client controls what protocol to connect with RPC (on the proviso that the server offers that protocol). almost all SunRPC programs that are compiled for use of IP offer both TCP and UDP (you have to go out of your way to stop TCP from working). some Sun offered RPC servers will only offer UDP, but most will offer both.

and another beside, you can't pump more than 8Kb per request using UDP, so most RPC programs that pump large amounts of data will always be TCP. i have programmed in RPC for a number of years now, and i always use TCP for my RPC work.

Matt
--
#!/bin/sh
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D3F204445524F42snlbxq'|dc;exit
Matthew Keenan
Data Network Administrator
Information Technology Division
University of Technology Sydney
Australia

It's nice to be in a position where people apologize because they assume there's humor in your work, based on past experience, but they're not sure where it is.
-- Rob Pike

From firewalls-owner Wed Jan 10 23:28:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id XAA06194 for firewalls-outgoing; Wed, 10 Jan 1996 23:12:09 -0800 (PST)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id XAA06178 for ; Wed, 10 Jan 1996 23:12:02 -0800 (PST)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id CAA16906; Thu, 11 Jan 1996 02:01:20 -0500
Date: Thu, 11 Jan 1996 02:01:02 -0500 (EST)
From: Rabid Wombat
To: RDA
cc: firewalls@GreatCircle.COM
Subject: RE: firewalls reviews/comparisons
In-Reply-To: <9600108212.AA821296054@etf.etf.it>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 10 Jan 1996, RDA wrote:

>
> ______________________________ Forward Header __________________________________
> Subject: RE: firewalls reviews/comparisons
> Author: Neil at INTERNET
> Date: 1/9/96 3:41 PM
>
>
> >
> >> 2) I've been searching for information on the best firewall to purchase
> >for our
> >> needs and have not come across any reviews/comparisons on which is
> >> best (I have a list of all of the firewalls available and their
> >descriptions but
> >> not any comparisons). Anyone know of any reviews and where to find
> >them?
> We require a firewall which could support a very high
> >throughput so we would probably require a hardware-based firewall.
> >Configuring our
> >> front-end router to act as a firewall isn't a practical option.
> >Any information would be
> >> appreciated. Thanks,
>
> >There was a review of commercial firewalls in (I think) Byte or something
> >like that a little while ago, the machines being the TIS Gauntlet, Border
> >Ware and Firewall 1. Perhaps someone with a better memory than me can
> >clarify.
> >> Brian Hescock
> >> hescockb@86aw4.ramstein.af.mil
>
> Hello, just for info, the Byte issue mentioned is from April '95 under the
> 'Network security' section. As a newbie myself, I found it quite useful.
>
> I'm hoping to set up a firewall based on NT 3.51 which will also act as
> a WWW proxy. Does anyone have any inside info on the expected
> release/functionalities of the Microsoft Catapult package ? Since most
> of the clients on the net I need to protect are running IPX (some run
> both IPX and TCP/IP), I would like to know the opinion of the experts on
> the possibility of a Web proxy machine also doing a 'protocol
> conversion'. i.e. surely it's theoretically possible for the WWW clients
> on the protected net to connect to the proxy over IPX (or Netbeui) and
> for the proxy to go out of a second card on TCP/IP to the Internet ???
> I would imagine that blocking all TCP/IP through the firewall in this
> way would go a long way to protecting sensitive UNIX hosts on the
> inside. Has this been done before ? Am I seriously misguided ? Thanks
> for any opinions.

You might want to look into the Firefox Novix gateway. It converts IPX/SPX to TCP/IP, and can allocate IP addresses on a dynamic or static basis. It runs on Novell fileservers, which I assume you have, since you're running IPX. It also runs on Novell's MPR if you don't want to impact your servers. I don't know if they have an NT version - I haven't been keeping close tabs on them. Phone number is 800-230-6090/408-321-8344 or info@firefox.com. (I have no commercial interest in this company)

- Wombat

>
> Richard Anstey.
>
>
> =============================================================================
> ======== E-mail messages from the European Training Foundation =========
> ======== shall not in any way be legally binding. =========
> =============================================================================
>

From firewalls-owner Wed Jan 10 23:43:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id XAA07125 for firewalls-outgoing; Wed, 10 Jan 1996 23:42:08 -0800 (PST)
Received: from hosaka.smallworks.com (hosaka.SmallWorks.COM [192.207.126.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id XAA07120 for ; Wed, 10 Jan 1996 23:42:04 -0800 (PST)
Received: by hosaka.smallworks.com (5.x/SMI-SVR4) id AA07116; Thu, 11 Jan 1996 01:30:14 -0600
Date: Thu, 11 Jan 1996 01:30:14 -0600
From: jim@SmallWorks.COM (Jim Thompson)
Message-Id: <9601110730.AA07116@hosaka.smallworks.com>
To: dannyc@gmap.leeds.ac.uk, firewalls@GreatCircle.COM
Subject: Re: Firewall design - routers and commercial kit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Seems to me the obvious way (sort of) to do this is to use a screened subnet
>arrangement. Ok .. fine. Am I duplicating kit doing this ? That is, by using
>an exterior and interior router to create a screened net off which would hang
>the commercial firewall etc, am I duplicating the routing function of the
>commercial firewall or don't they have the same level of control over routing
>as a CISCO would for example ?

Some firewalls do. (NetGate and Firewall-1 do.) Actually, you can get better control with some of these than you can with a Cisco. For instance, you can't filter on ICMP type and code with Cisco's access lists...

Jim

From firewalls-owner Thu Jan 11 02:12:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id BAA12141 for firewalls-outgoing; Thu, 11 Jan 1996 01:50:24 -0800 (PST)
Received: from ibmmail.COM (ibmmail.com [199.171.26.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id BAA12136 for ; Thu, 11 Jan 1996 01:50:17 -0800 (PST)
From: gblolmxb@ibmmail.com
Message-Id: <199601110950.BAA12136@miles.greatcircle.com>
Received: from ibmmail by ibmmail.COM (IBM VM SMTP V2R3) with BSMTP id 0781; Thu, 11 Jan 96 04:48:27 EST
Date: Thu, 11 Jan 1996 04:48:00 EST
To: firewalls@greatcircle.com
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: RE: MITNICK & THE TCP SEQUENCE NUMBER ATTACK ON SHIMOMURA (L
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Scott Rickard wrote
>>Globally, the intelligence and counterintelligence businesses are a multi-trillion dollar industry

I think this is somewhat of an over exaggeration, certainly for the UK where the latest figures put intelligence spending at around 1% of Government spending, i.e. less than 0.5% of the GNP (which is around L700 billion)

As an interesting aside, this figure has not gone down despite the advent of 'peace' in N. Ireland.

Mark.
From firewalls-owner Thu Jan 11 02:16:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id BAA12374 for firewalls-outgoing; Thu, 11 Jan 1996 01:56:22 -0800 (PST)
Received: from myall.awadi.com.au (myall.awadi.com.AU [150.207.2.65]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id BAA12369 for ; Thu, 11 Jan 1996 01:56:13 -0800 (PST)
Received: from bunya.awadi ([150.207.2.63]) by myall.awadi.com.au (8.7.1/8.7.1) with SMTP id UAA04358; Thu, 11 Jan 1996 20:25:10 +1030 (CST)
Received: from mallee.awadi by bunya.awadi (5.x/SMI-SVR4) id AA27779; Thu, 11 Jan 1996 20:25:05 +1030
From: blymn@awadi.com.au (Brett Lymn)
Message-Id: <9601110955.AA27779@bunya.awadi>
Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting)
To: brain21@montag33.residence.gatech.edu (Brain21)
Date: Thu, 11 Jan 1996 20:25:04 +1030 (CST)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Brain21" at Jan 10, 96 10:53:30 pm
X-Mailer: ELM [version 2.4 PL2]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

According to Brain21:
>
>Hell, my father used
>to do top secret work for the Dept. of Defense (he needed "Q" clearance,
>and needs higher now) and the office where he worked communicated to its
>other offices over the net. They used netcom. Not too terribly secure
>if you ask me. They did not use encryption.
>

Ummmm I suspect that things may be a bit different to that which you have implied. Even in an organisation handling secret material a lot of the day to day running of the place is not classified - you know, things like when the next barbeque (or cook-out or whatever word you guys use for the process of carbonising meat over a flame outdoors whilst getting drunk.... :*) will be or getting someone to order more pens for the stationery cabinet - such things are not and should not be classified.
I bet all the secret documents/matters were not sent over the net (though I could be wrong....) - it is certainly the way things work here.

--
Brett Lymn, Computer Systems Administrator, AWA Defence Industries
===============================================================================
"Upgrading your memory gives you MORE RAM!" - ad in MacWAREHOUSE catalogue.

From firewalls-owner Thu Jan 11 02:59:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id CAA14390 for firewalls-outgoing; Thu, 11 Jan 1996 02:45:50 -0800 (PST)
Received: from archimedes.vislab.navy.mil (archimedes.chinalake.navy.mil [129.131.31.8]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id CAA14385 for ; Thu, 11 Jan 1996 02:45:40 -0800 (PST)
Received: from archimedes.vislab.navy.mil (parcival.vislab.navy.mil [129.131.31.12]) by archimedes.vislab.navy.mil (current-1701B/current-CL-CL) with ESMTP id CAA18112 for ; Thu, 11 Jan 1996 02:46:21 -0800
Posted-Date: Thu, 11 Jan 1996 02:46:21 -0800
Message-Id: <199601111046.CAA18112@archimedes.vislab.navy.mil>
To: firewalls@greatcircle.com
Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting)
In-reply-to: Your message of "Thu, 11 Jan 1996 20:25:04 +1030." <9601110955.AA27779@bunya.awadi>
Date: Thu, 11 Jan 1996 02:46:14 -0800
From: Benjamin Allan Smith
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Brain21 wrote:
>Hell, my father used
>to do top secret work for the Dept. of Defense (he needed "Q" clearance,
>and needs higher now) and the office where he worked communicated to its
>other offices over the net. They used netcom. Not too terribly secure
>if you ask me. They did not use encryption.

I highly doubt that. Every machine that I have seen on base which has Secret (or higher) data is not allowed to have *any* physical connection with the internet (the mjr 100% sure firewall to the internet--cut the wires).
Once someone inadvertently emailed the classified name of a project over a network connected to the Internet. The day was spent completely wiping all of the hard drives on all of the machines that might have received that email (3 complete overwrites with random data if I recall correctly) and then the OS and data were restored from the previous night's backups. A head rolled for that error.

So if all that effort was made over a single word, I *highly* doubt that your father used netcom to discuss classified matters.

Ben
-------------------------------------------------------------------------------
Benjamin Smith------------bens@vislab.navy.mil---------1972 Land Rover SIII 88
Science Applications International Corporation
Naval Air Warfare Center, Weapons Division, China Lake
"...If I were running such a contest, I would specifically eliminate any entry from Ben involving driving the [Land] Rover anywhere. He'd drive it up the Amazon basin for a half can of Jolt and a stale cookie..." --Kevin Archie

From firewalls-owner Thu Jan 11 03:14:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id DAA15242 for firewalls-outgoing; Thu, 11 Jan 1996 03:02:06 -0800 (PST)
Received: from sheeba.rcooper.the-wire.com (rcooper.the-wire.com [198.53.192.91]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id DAA15228 for ; Thu, 11 Jan 1996 03:01:58 -0800 (PST)
Received: from rwcooper.rcooper.the-wire.com ([205.206.47.2]) by sheeba.rcooper.the-wire.com (post.office MTA v1.9.1 evaluation license) with SMTP id AAA217; Thu, 11 Jan 1996 05:59:47 -0500
Received: by rwcooper.rcooper.the-wire.com with Microsoft Mail id <01BAE04E.69CB1DE0@rwcooper.rcooper.the-wire.com>; Thu, 11 Jan 1996 17:58:29 -0500
Message-ID: <01BAE04E.69CB1DE0@rwcooper.rcooper.the-wire.com>
From: Russ Cooper
To: RDA , "'Rabid Wombat'"
Cc: "firewalls@GreatCircle.COM"
Subject: RE: firewalls reviews/comparisons
Date: Thu, 11 Jan 1996 17:58:27 -0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

First of all, IPX does not mean Netware servers any more. Microsoft uses IPX as their strategic transport of choice within their internal networks, and actively promotes its use on customer NT-based networks, with no thought to the presence of Netware servers. Much of the functionality of NT's domain systems is seriously hampered by TCP/IP yet robust with IPX/SPX.

Firefox's Novix (www.firefox.com) is a great gateway product if you do have a Novell server, but it is not a Firewall. It does nothing, for example, to protect two privately connected networks from each other, where a firewall could handle those risks.

Anyway, look to Raptor (www.raptor.com) to make an NT-based Eagle announcement on Monday. That will be the first true NT-based Firewall.

As for Catapult from Microsoft, I'm still under NDA, so it's still not talked about.

Cheers,
Russ Cooper
Sr. Internet Integration Engineer
SHL/Computer Innovations
rcooper@the-wire.com -- rwcooper@shl.com
"can someone tell me where to go today to get the money to go to where I want to go today"

From firewalls-owner Thu Jan 11 04:14:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA17330 for firewalls-outgoing; Thu, 11 Jan 1996 04:00:12 -0800 (PST)
Received: from gmap-gw.leeds.ac.uk (gmap15.leeds.ac.uk [129.11.84.200]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id DAA17296 for ; Thu, 11 Jan 1996 03:59:54 -0800 (PST)
Received: from gmap3 (gmap-mailhub.leeds.ac.uk [129.11.200.3]) by gmap-gw.leeds.ac.uk (8.7.3/8.6.9) with SMTP id LAA20340 for ; Thu, 11 Jan 1996 11:59:15 GMT
Received: from gmap.leeds.ac.uk (dannyc@gmap124 [129.11.200.124]) by gmap3 (8.6.12/8.6.9) with SMTP id JAA06117 for ; Thu, 11 Jan 1996 09:42:00 GMT
From: Danny Cox
Date: Thu, 11 Jan 1996 09:40:54 GMT
Message-Id: <223.9601110940@gmap.leeds.ac.uk>
X-Planation: X-Faces images can be viewed with the XFaces program
To: firewalls@greatcircle.com
Subject: Re: Firewalls setup
X-Sun-Charset: US-ASCII

> To secure the internet connection, the mail and the dial out service
> we plan on using
> Firewall-1. The firewall will be located as follows:

etc.

In keeping with what I was asking recently, my understanding of Firewall-1 is that it is largely a router. Given this, are the CISCOs redundant in this design?

This isn't meant to be critical btw; it's an issue I'm concerned about ..

Thanks all,
Danny

From firewalls-owner Thu Jan 11 04:29:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id DAA17089 for firewalls-outgoing; Thu, 11 Jan 1996 03:50:58 -0800 (PST)
Received: from uniwa.uwa.edu.au (uniwa.uwa.edu.au [130.95.128.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id DAA17084 for ; Thu, 11 Jan 1996 03:50:48 -0800 (PST)
Received: from hedunx.hedland.edu.au ([223.254.252.2]) by uniwa.uwa.edu.au (8.6.11/8.6.9) with ESMTP id TAA22187; Thu, 11 Jan 1996 19:48:13 +0800
Received: from localhost (hartr@localhost) by hedunx.hedland.edu.au (8.6.4/8.6.4) id QAA16613; Thu, 11 Jan 1996 16:46:30 +0800
Date: Thu, 11 Jan 1996 16:46:29 +0800 (WST)
From: Robert Hart
Subject: Re: Internet Policy/Security Policy
To: Andrew Cameron
cc: firewalls@GreatCircle.COM
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 10 Jan 1996, Andrew Cameron wrote:
>
> I would like to know where I can find examples of an Internet/Security
> Policy for a company.
>
> I will need to write one in the near future and would like to draw on
> the experience of others.

Well, I have found the O'Reilly book "Building Internet Firewalls" chapter on this quite useful as I have been drafting up a policy for here...

---
Robert Hart                      hartr@hedunx.hedland.edu.au
Voice: +61 (0)91 72 0429         Fax: +61 (0)91 72 3560
Hedland College, PMB 1, South Hedland WA 6722 Australia

From firewalls-owner Thu Jan 11 04:59:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA18180 for firewalls-outgoing; Thu, 11 Jan 1996 04:48:13 -0800 (PST)
Received: from cbn.cbn.com.sg (cbn.cbn.com.sg [203.120.18.128]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id EAA18175 for ; Thu, 11 Jan 1996 04:48:07 -0800 (PST)
Received: (from ngps@localhost) by cbn.cbn.com.sg (8.6.12/8.6.12) id UAA12946; Thu, 11 Jan 1996 20:41:13 +0800
Date: Thu, 11 Jan 1996 20:41:13 +0800 (SST)
From: Ng Pheng Siong
To: Brain21
cc: Frank Willoughby , firewalls@GreatCircle.COM, John Young
Subject: Re: Mitnick & the TCP Sequence Number Attack on Shimomura (LONG posting)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 10 Jan 1996, Brain21 wrote:
> I would like to know this... if Shimomura is so good (and I actually
> believe that he may be) then why did he leave the r-utils enabled? Why
> did he not use TCPWrappers to prevent spoofing? Why did he allow people
> to see inside his network (Mitnick saw that there was a machine
> "X-something" that he believed was trusted by Shimomura's machine)?

Shimomura had almost complete packet traces of the break-in, which allowed him to reconstruct the attack. It was a trap.

- PS

--
Ng Pheng Siong
NetCentre Pte Ltd * Singapore
Finger for PGP key.
From firewalls-owner Thu Jan 11 05:43:16 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA19035 for firewalls-outgoing; Thu, 11 Jan 1996 05:23:55 -0800 (PST)
Received: from nastg.gsfc.nasa.gov (nastg.gsfc.nasa.gov [192.86.21.220]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA19030; Thu, 11 Jan 1996 05:23:47 -0800 (PST)
Received: from maple.gsfc.nasa.gov by nastg.gsfc.nasa.gov (8.6.11/1.35) id IAA02782; Thu, 11 Jan 1996 08:31:01 -0500
Message-Id: <199601111331.IAA02782@nastg.gsfc.nasa.gov>
X-Sender: ddriesma@nastg
X-Mailer: Windows Eudora Version 1.4.3
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 11 Jan 1996 08:22:06 -0500
To: Firewalls@GreatCircle.COM, firewalls-digest@GreatCircle.COM
From: ddriesma@nastg.gsfc.nasa.gov (Debbie Driesman)
Subject: Re: Firewalls-Digest V5 #2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Padgett,

Where can I get more information on PNS? I've tried a number of the web search tools and they didn't find anything.

Thanks,
Debbie

> Firewalls-Digest        Tuesday, 2 January 1996        Volume 05 : Number 002
>
> From: "A. Padgett Peterson, P.E. Information Security"
> Date: Tue, 2 Jan 1996 14:02:49 -0500 (EST)
> Subject: Compression is useful - but for security, not
>
> > Being concerned about security, I did not want to present them a plan that
> > did not also include some security considerations. Some of the Government
> > people came up with the idea of using a compression box to reduce the number
> > of required T1s. The box they recommended has V.35 ports, and would sit
> > between the Cisco and the CSU/DSU. To be fair, the vendor told me his
> > box did not do encryption, but since the data was compressed, it would not
> > be in plain view.
>
> 1) Compression aids performance. It does not aid security (at best is SBO).
>
> 2) Sounds like you have dedicated lines. Have you considered requiring PNS
>    (Protected Network Service) from the telco ? (May have a different name
>    but should be available). With this your lines are isolated/protected
>    from other trunks. A dedicated line is not at the same risk as the Internet
>    and PNS is generally "good enough" for SBU (Sensitive but Unclassified)
>    traffic.
>
>    When the idea was introduced a couple of years ago, it was to be
>    approved by the NSA and was a part of the FTS contract. Dunno where it
>    is now.
>
> Warmly,
> Padgett

*****************************************************************************
Debbie Driesman, Computer Sciences Corp., 7700 Hubble Drive, Lanham, MD 20706
Phone: 301-794-2822, Fax: 301-794-9530
Email: ddriesma@nastg.gsfc.nasa.gov
*****************************************************************************

From firewalls-owner Thu Jan 11 06:03:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA18880 for firewalls-outgoing; Thu, 11 Jan 1996 05:19:15 -0800 (PST)
Received: from mwunix.mitre.org (mwunix.mitre.org [128.29.154.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA18873 for ; Thu, 11 Jan 1996 05:19:10 -0800 (PST)
Received: from smiley.sit (smiley.mitre.org [128.29.140.20]) by mwunix.mitre.org (8.6.10/8.6.4) with SMTP id IAA03621; Thu, 11 Jan 1996 08:18:13 -0500
Received: from [128.29.140.130] (mckenney-mac) by smiley.sit (4.1/SMI-4.1) id AA17824; Thu, 11 Jan 96 08:18:03 EST
Date: Thu, 11 Jan 96 08:18:02 EST
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: pf26376@ci.deere.com (Paul A. Fisher)
From: mckenney@smiley.mitre.org (Brian W. McKenney)
Subject: Re: Allow SSL through a firewall?
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Subject: Allow SSL through a firewall?
>
> I would like to allow access from the Internet to a WWW server that would
> have access to our corporate data. Because of the security implications,
> I would like that WWW server to be behind a firewall.
> I have tried to
> outline my design below and I would appreciate any comments about
> possible problems I may be opening myself up for.
>
>
>                  ************                   !
>      client------* Internet *------Firewall-----!---WWWserver
>                  ************                   !
>                                              Internal
>                                              Network
>
> The firewall would 'plug' (*not* proxy) port 443 inbound to the WWWserver.
> The WWWserver would run Netscape's Commerce server and use SSL to encrypt
> the entire session (non-SSL connections would be rejected). At that point
> we would have an encrypted session between the client and server that can
> pass whatever is necessary for the application (including userid's and
> passwords?).

The only problem that I see is that plug-gw must keep track of who is permitted to use the plug-gw proxy (via IP addresses). If you have a lot of consumers that must access your internal server then this could create a large net-perm table. Yes, you could set up a wildcard for multiple incoming connection hosts. Also note that there are handshake connections (handshake protocol) between the client and the server prior to establishing an encrypted session. These packets are not encrypted.

Some would say that a screening router (say in a hybrid firewall) could perform a similar function. I would continue to run a stripped down SSL-based Web server.

Depending on your firewall, I would suggest that you look at the Netscape SSL proxy and compare both approaches. An SSL proxy has the chance of getting enhanced over time, I doubt that plug-gw will be enhanced in the future. Other firewall products also plan to support SSL proxies.

The strength of the encryption process also depends on what algorithms are employed between the client and server. Some would say that some exportable algorithms are not strong and could be broken.
Another attack mentioned in the SSLv3 spec is that an attacker may try to make the clients and servers fall back to SSLv2, then they could exploit SSLv2 weaknesses (this can only happen if both parties employ an SSLv2 handshake).

>
> The purpose of 'plugging' port 443 through the firewall is the WWWserver
> would be behind the firewall and thus not be subject to attack using other
> services (telnet, sendmail, etc.). The http server would have to be
> secured against outside attack, but not the entire machine. Also, this
> allows the applications running on the WWWserver to have access to all
> of the internal data servers without having to find their way through
> the firewall.
>
> There are still some questions that we need to answer from an application
> standpoint:
>    Is SSL encryption 'strong' enough for our purposes?

This depends on what you want to protect. SSLv3 is much stronger than SSLv2. However, as with any protocol implementation, a new vulnerability may be discovered. The algorithms proposed in the SSLv3 spec (e.g., MD5, SHA, RSA) are commercial algorithms that are used in lots of commercial products. Netscape also plans to support FORTEZZA (NSA cryptography).

>    Does the 'magic cookie' in the client present a problem?
> But from a network security standpoint, we shouldn't have a problem.
>
> Does anyone see any other problems with this proposed configuration?
>
> TIA,
> Paul
>
> Paul A. Fisher                 paulf@ci.deere.com
> Deere & Company, W3LSW         ...uunet!deere!paulf
> John Deere Road                (309) 765-4547
> Moline, Illinois 61265         (309) 765-5242 FAX

From firewalls-owner Thu Jan 11 06:07:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA19260 for firewalls-outgoing; Thu, 11 Jan 1996 05:30:31 -0800 (PST)
Received: from wire.paladin.com (wire.paladin.com [198.69.226.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA19243 for ; Thu, 11 Jan 1996 05:30:23 -0800 (PST)
Received: (cjwoods@localhost) by wire.paladin.com (8.6.8/8.6.5) id IAA06393; Thu, 11 Jan 1996 08:24:32 -0500
Date: Thu, 11 Jan 1996 08:24:32 -0500 (EST)
From: Chris Woods
To: "Steven K. Sharp"
cc: Firewalls@GreatCircle.COM
Subject: Re: UDP and the unclean...
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 10 Jan 1996, Steven K. Sharp wrote:
> Please forgive me if this is a stupid question, but why is UDP such a bad
> thing? Especially things like RealAudio, this uses UDP to communicate (as
> do many other programs). What security risk does UDP pose?

As someone else detailed (more eloquently) earlier: UDP is a connectionless protocol: i.e., it does not require an established session for packets to be sent to and fro. For lack of a simpler, easier explanation: the sender "spews" the packets without first establishing a connected session, while the intended (or unintended...) recipient takes the packets based on a few limited criteria (source address, destination address/port, etc).

RealAudio "randomizes" the UDP port that it tries to connect to within a range. That means that to accept RealAudio on your protected network, you must open a hole in your filter to allow UDP on a number of ports. Because of the way other UDP-based apps were written, this presents another vulnerability.
> I've seen that most people filter out all UDP first and then work from there
> with TCP. Would it be a gaping hole to allow it?

See above, hope it clears things up for you. The last explanation did for me...

Chris Woods
Systems Administrator              cjwoods@paladin.com (office)
Paladin Computing Solutions        cjwoods@gigotech.net (home)
http://www.paladin.com
"A computer without Windows is like a fish without a bicycle."

From firewalls-owner Thu Jan 11 06:14:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA20665 for firewalls-outgoing; Thu, 11 Jan 1996 06:11:47 -0800 (PST)
Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA20660 for ; Thu, 11 Jan 1996 06:11:43 -0800 (PST)
Date: Thu, 11 Jan 1996 9:10:47 -0500 (EST)
From: "A. Padgett Peterson, P.E. Information Security"
To: firewalls@greatcircle.com
Message-Id: <960111091047.20200f9e@hobbes.orl.mmc.com>
Subject: Sequence number attacks
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Steve rote:
> A couple of months ago, I did come up with a strong but simple defense
> against sequence number attacks. For details, see
> ftp://ds.internic.net/internet-drafts/draft-rfced-info-bellovin-00.txt

Is easy also to make the first line in your firewall ACL "Deny incoming ". Belt and suspenders are good 8*).

Warmly,
Padgett

From firewalls-owner Thu Jan 11 06:52:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA20553 for firewalls-outgoing; Thu, 11 Jan 1996 06:06:37 -0800 (PST)
Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA20548 for ; Thu, 11 Jan 1996 06:06:33 -0800 (PST)
Date: Thu, 11 Jan 1996 9:05:36 -0500 (EST)
From: "A. Padgett Peterson, P.E. Information Security"
To: firewalls@greatcircle.com
Message-Id: <960111090536.20200f9e@hobbes.orl.mmc.com>
Subject: re: "Please reply to Email address and not to the list"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I would appreciate it if you can take a moment to respond to my email address
> (not the whole list) to "vote" on if you think SNMP traffic should pass through
> a Firewall.

Is hard to do if the E-mail address is not in the body of the message and your E-Mail system does not preserve headers. PLEASE, if you want a direct reply, end the message with a name and E-mail address.

Warmly,
Padgett

From firewalls-owner Thu Jan 11 06:59:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA21660 for firewalls-outgoing; Thu, 11 Jan 1996 06:44:10 -0800 (PST)
Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA21650 for ; Thu, 11 Jan 1996 06:44:05 -0800 (PST)
Date: Thu, 11 Jan 1996 9:43:08 -0500 (EST)
From: "A. Padgett Peterson, P.E. Information Security"
To: firewalls@greatcircle.com
Message-Id: <960111094308.20200f9e@hobbes.orl.mmc.com>
Subject: PNS
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Where can I get more information on PNS? I've tried a number of the web
> search tools and they didn't find anything.

Is a telco service - not that many are on the web - call your local telephone office. Is unlikely that the first person you reach will know what Protected Network Services are but tell them it is a security feature and eventually you should get to the right person.

Warmly,
Padgett

From firewalls-owner Thu Jan 11 07:27:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA20396 for firewalls-outgoing; Thu, 11 Jan 1996 05:59:42 -0800 (PST)
Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA20391 for ; Thu, 11 Jan 1996 05:59:37 -0800 (PST)
Date: Thu, 11 Jan 1996 8:58:40 -0500 (EST)
From: "A. Padgett Peterson, P.E. Information Security"
To: firewalls@greatcircle.com
Message-Id: <960111085840.20200f9e@hobbes.orl.mmc.com>
Subject: Re: Mitnik and helpers
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Frank rites:
> In defense of Shimomura (who isn't here
> to defend himself), I'll stick to what I've heard that it wasn't anything
> he had any choice over.

I have had trouble with this whole thing since the beginning. Security is not easy, is often inconvenient, but IMNSHO certain things go with the job. I use this account not because it has all of the bells and whistles but because it is more secure than most other options (note: I did not say "perfectly secure").

My "secure" mail server is an old Zenith 386sx-16 with 2 Mb of RAM and a 40 Mb disk. All it knows how to do is to receive mail and it keeps a log of all transactions - is hard to erase a line when it was printed by a Panasonic 1090 - onna PC there is this cntrl-P command 8*). When I send mail from this workstation (which cannot receive any itself), the reply address is either the mainframe or my local mail PC.

Over the years I have found too many interactions between systems after the fact that compromise security and simply find it easier to segregate tasks between machines and use a different (cheap) machine for each task. Not to say I don't like Suns, have a Sparc sitting next to me, just that a PC does so many things so easily and is what the users I support have.
Also what I have at home (an absurd number but mostly @ $25 each so what the heck).

However sensitive stuff on a UNIX box on a network that has "R" commands enabled ? With a new CERT vulnerability identified every month ? Give me a break.

Warmly,
Padgett

From firewalls-owner Thu Jan 11 07:29:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA21098 for firewalls-outgoing; Thu, 11 Jan 1996 06:26:38 -0800 (PST)
Received: from gauntlet-1.trusted.com (gauntlet-1.trusted.com [204.254.155.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA21093 for ; Thu, 11 Jan 1996 06:26:34 -0800 (PST)
Received: by gauntlet-1.trusted.com; id JAA16404; Thu, 11 Jan 1996 09:29:19 -0500
Received: from vanidor.trusted.com(204.254.155.8) by gauntlet-1.trusted.com via smap (T3.1) id xmac16390; Thu, 11 Jan 96 09:28:53 -0500
Message-Id: <2.2.16.19960111142111.208fbaca@gauntlet-1.trusted.com>
X-Sender: avolio@gauntlet-1.trusted.com
X-Mailer: Windows Eudora Pro Version 2.2 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 11 Jan 1996 09:21:11 -0500
To: HFDK41A@prodigy.com (MR. JOHN K MOLNAR), firewalls@GreatCircle.COM
From: Frederick M Avolio
Subject: Re: Mergent Gauntlet?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

TIS has about 50 or so resellers world-wide. Mergent is an authorized reseller and a bunch of extremely smart people.

You are correct. TIS owns the name "Gauntlet" and the Gauntlet Internet Firewall is ours. Anyone selling it should be an authorized reseller. If you are unsure, you can always drop a note to gauntlet-sales@tis.com.

Fred

At 02:05 PM 1/10/96 EST, MR. JOHN K MOLNAR wrote:
> Hi
>
> I got a fax this morning from Mergent, offering to sell me their
> Gauntlet Firewall???
>
> What's a Gauntlet if it's not from TIS?
>
> Or is this the same stuff??
>
> Confused.
>
> Thanks,
>
> -John Molnar
>
>

From firewalls-owner Thu Jan 11 07:30:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA21037 for firewalls-outgoing; Thu, 11 Jan 1996 06:24:24 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA21032 for ; Thu, 11 Jan 1996 06:24:20 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-951213) id GAA01166; Thu, 11 Jan 1996 06:21:23 -0800
Received: from disperse.demon.co.uk(158.152.1.77) by mycroft via smap (V1.3mjr) id sma001162; Thu Jan 11 06:20:43 1996
Received: from theboard.reednews.co.uk ([194.159.23.1]) by relay-2.mail.demon.net id aa12013; 11 Jan 96 14:21 GMT
Received: by reednews.co.uk (5.x/SMI-SVR4) id AA26523; Thu, 11 Jan 1996 14:23:00 GMT
From: Gavin Aiken
Message-Id: <9601111423.AA26523@reednews.co.uk>
Subject: Re: Sunos and NIS
To: Firewalls@greatcircle.com
Date: Thu, 11 Jan 1996 14:22:59 +0000 (GMT)
In-Reply-To: <199601110730.XAA06814@miles.greatcircle.com> from "firewalls-digest-owner@uunet.uu.net" at Jan 10, 96 11:30:28 pm
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I just want some help understanding something that happened here on Friday.
> I'm the sysadmin in a lab with 4 HP and 2 Suns. I have worked a lot
> with the HP, but almost never with the Suns, because there was
> another person that did it. This person left the lab, and now I
> have to learn about SunOS and BSD-like UNIX.
> There is a NIS server, let's call it "A", and there is a NIS client, let's
> call it "B". On Thursday I deleted a user from both systems, because
> we don't want him to access our net. On Friday I found that the "user"
> I deleted the day before accessed "B", and he has no login