From firewalls-owner Fri Mar 1 00:36:09 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA00132 for firewalls-outgoing; Thu, 29 Feb 1996 21:05:13 -0800 (PST) Received: from WYVERN.AZTECH.NET (AZTech.Net [198.182.221.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA00574 for ; Thu, 29 Feb 1996 19:01:23 -0800 (PST) Received: by aztech.net (MX V4.0-1 VAX) id 1; Thu, 29 Feb 1996 19:54:40 -700 Date: Thu, 29 Feb 1996 19:54:37 -700 From: Steve Gibbons To: cypherpunks@toad.com CC: firewalls@greatcircle.com, _steve@aztech.net Message-ID: <0099EA68.385ABF20.1@aztech.net> Subject: RE: Possible Java hack Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Some of you may remember an assertion that I made (and posted here) about a month ago under the the thread "Possible Java hack". The latest publicized Princeton hack is exactly the same thing that I eventually came up with, and I've consolidated my findings at (Crypto and Firewalls relevance will become aparent, once you take a look.) FYI, -- Steve@AZTech.Net From firewalls-owner Fri Mar 1 00:52:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA00188 for firewalls-outgoing; Thu, 29 Feb 1996 21:07:03 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA00854 for ; Thu, 29 Feb 1996 19:02:09 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id MAA20432; Thu, 29 Feb 1996 12:32:21 -0800 Received: from su1.in.net(199.0.62.2) by mycroft via smap (V1.3mjr) id sma020429; Thu Feb 29 12:31:17 1996 Received: from pm3-23.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA24799; Thu, 29 Feb 96 15:31:04 -0500 Date: Thu, 29 Feb 96 15:31:04 -0500 Message-Id: <9602292031.AA24799@su1.in.net> X-Sender: frankw@in.net X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@GreatCircle.com From: Frank Willoughby Subject: RE: VPN's over the internet Sender: firewalls-owner@GreatCircle.COM Precedence: bulk A note or two of interest about VPN's over the Internet: o Most commercial firewalls offer firewall->firewall encryption, so extra encryption h/w or s/w isn't usually needed. o Many (most?) firewalls when performing firewall->firewall encryption are only providing an IP encryption tunnel through the firewalls. It is important to note that *NO* applications filtering is performed. While this may offer protection from a MITM (Man-In-The-Middle) attack (Internet, etc), it offers *NO* protection from the other entity's network. A problem on their network is a problem on your network. o It is usually beneficial to firewall VPN connections to localize contamination in the event one of the VPN entities is breached. Food for thought. Best Regards, Frank The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc. Fortified Networks Inc. - Management & Information Security Consulting Phone: (317) 573-0800 - http://www.fortified.com/fortified Home of the Free Internet Firewall Evaluation Checklist From firewalls-owner Fri Mar 1 01:30:08 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA03575 for firewalls-outgoing; Thu, 29 Feb 1996 21:45:00 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA01674 for ; Thu, 29 Feb 1996 21:17:49 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id CAA17647; Thu, 29 Feb 1996 02:10:46 -0800 Received: from hk.super.net(202.14.67.4) by mycroft via smap (V1.3mjr) id sma017612; Thu Feb 29 02:10:12 1996 Received: from is3.hk.super.net (root@is3.hk.super.net [202.14.67.36]) by hk.super.net (8.7.4/8.7.1) with ESMTP id SAA24610; Thu, 29 Feb 1996 18:12:04 +0800 (HKT) Received: from sect5-p0969 (max1-1.hk.super.net [202.64.17.1]) by is3.hk.super.net (8.7.1/8.7.1) with SMTP id SAA04440; Thu, 29 Feb 1996 18:12:01 +0800 (HKT) Message-ID: <31366ABF.1C90@hk.super.net> Date: Thu, 29 Feb 1996 18:10:55 -0900 From: Vinci CHOU X-Mailer: Mozilla 2.0 (Win95; I) MIME-Version: 1.0 To: pauck@wmd.de CC: Firewalls@GreatCircle.Com Subject: Re: SQL*Net proxy? References: <9602271456.AA27573@rs3.wmd.de> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk gary flynn wrote: > > Oracle servers that are configured as mulithreaded wil use dynamic > ports. Several firewall vendors are working with Oracle to develop > a SQLnet proxy. I don't know the timeframe. The Oracle SQL*Net manuel mentioned V2 added support of asynchronous data send/receive. This capability was added to support the Oracle7 multi-threaded server. Gary, is this the thing you are refering to ? However, when I asked Oracle, we've already mentioned that we are using V1 and still they gave the reply that the port number for the shadow process cannot be determined ! Marco Pauck wrote: > > We use plug-gw for SQL*Net v2 as well. > There are possibly ways to configure V2 that plug-gw can't deal with, > but with our plain-vanilla configuration it works OK. > Do any one have any idea that whether it is a difference due to configuration or the difference between V1/V2 ? Marco Pauck also wrote: > > We use TIS's plug-gw proxy for SQL*Net V1 (1521/tcp) and V2 (1525/tcp) > and it just works! > > It should also be possible to use a packet filter instead. > The TIS Firewall Toolkit Overview in http://ftp.tis.com/Home/NetworkSecurity/Firewalls/Firewalls.html has a section for plug-gw. It mentioned that : "plug-gw can act as a general portal between the protected network and the outside network; therefore, it should be used sparingly and with caution. Since it acts only as a data pipe, .... In a sense, plug-gw is similar to adding a configuration rule to a router that permits traffic only between two systems on a single port, except that it logs all transactions." If it is true, I can't see how it can handle dynamic port numbers. Can any one explain it to me ? Vinci. From firewalls-owner Fri Mar 1 01:30:59 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA00242 for firewalls-outgoing; Thu, 29 Feb 1996 21:09:00 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA00486 for ; Thu, 29 Feb 1996 19:01:07 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id QAA21493; Thu, 29 Feb 1996 16:31:36 -0800 From: Adam_Safier_at_CSC/NCC@cscgt.gsfc.nasa.gov Received: from gsfc.nasa.gov(128.183.7.22) by mycroft via smap (V1.3mjr) id sma021485; Thu Feb 29 16:31:16 1996 Received: from cscgt.gsfc.nasa.gov by gsfc.nasa.gov (5.65/Ultrix3.0-C) id AA15171; Thu, 29 Feb 96 19:31:50 -0500 Received: from cc:Mail by cscgt.gsfc.nasa.govid AA825650912; Thu, 29 Feb 96 19:15:51 PST Date: Thu, 29 Feb 96 19:15:51 PST Message-Id: <9601298256.AA825650912@cscgt.gsfc.nasa.gov> To: avalon@coombs.anu.edu.au, John Hopkins Cc: srzpem@swissre.ch, Firewalls@GreatCircle.COM Subject: Re[2]: Subject: Firewall-1-v1.2.1 & OSPF Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Be warned, exporting to RIP can cause major headaches if you have variable size subnets on both sides of the router. Variable size subnets are one of the neat things about OSPF but RIP is braindead about them. It might work if your RIP subnet mask is the same or bigger than the your biggest OSPF subnet mask and all your systems are nicely separated on a major subnet boundry on either side of the router. Have you tried to simply set up default routs? Simply point your last boundry/border router to the firewall as a default or set a static route with a big mask. It's been too long since I set passed OSPF through a filtering router but I did it once upon a time. Essentially I opened a simple filter pass through for a specific UDP port and a TCP port between two specific IP addresses (on either end of a serial link). Then forgot about it for 2 years+. Sorry I can't remember the UDP and TCP port numbers - my files are elsewhere and buried. You might try looking in the OSPF RFC's, check it in a complete resource allocation table or call your router vendor. One port is around 560. Alzheimers must be setting in but I think the other is also below 1024. Good luck, Adam Safier Computer Scientist - and aspirant to be an absent minded professor CSC-SED Infosec ______________________________ Reply Separator _________________________________ Subject: Re: Subject: Firewall-1-v1.2.1 & OSPF Author: John Hopkins at inetgt Date: 2/28/96 11:38 PM One option is to export OSPF into rip, use rip throught the firewall then re-import rip into ospf. It's not ideal, but a solution. > > > Anybody with experience about how handle OSPF broadcasts with firewall-1 ? > > I tried to configure it in a token ring network and I endet up with a Received: by ccmail from csc.com >From firewalls-owner@GreatCircle.COM X-Envelope-From: firewalls-owner@GreatCircle.COM Received: from relay5.UU.NET by csc.com with smtp (Smail3.1.29.1 #1) id m0trzCl-001Absa; Wed, 28 Feb 96 22:38 EST Received: from miles.greatcircle.com by relay5.UU.NET with ESMTP id QQaeyo11823; Wed, 28 Feb 1996 22:31:53 -0500 (EST) Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA26111 for firewalls-outgoing; Wed, 28 Feb 1996 09:27:51 -0800 (PST) Received: from callisto.lif.icnet.uk (callisto.lif.icnet.uk [143.65.1.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA26097 for ; Wed, 28 Feb 1996 09:26:35 -0800 (PST) Received: by callisto.lif.icnet.uk; Wed, 28 Feb 1996 17:22:54 GMT Date: Wed, 28 Feb 1996 17:22:54 +0000 (GMT) From: John Hopkins Subject: Re: Subject: Firewall-1-v1.2.1 & OSPF To: Darren Reed Cc: Martin Peter , Firewalls@GreatCircle.COM In-Reply-To: <199602281116.DAA14139@miles.greatcircle.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk From firewalls-owner Fri Mar 1 01:42:42 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA00258 for firewalls-outgoing; Thu, 29 Feb 1996 21:11:50 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA00526 for ; Thu, 29 Feb 1996 19:01:14 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id QAA21512; Thu, 29 Feb 1996 16:34:36 -0800 Received: from sgi.com(192.48.153.1) by mycroft via smap (V1.3mjr) id sma021506; Thu Feb 29 16:33:49 1996 Received: from boytoy.csd.sgi.com by sgi.sgi.com via ESMTP (950405.SGI.8.6.12/910110.SGI) id QAA02530; Thu, 29 Feb 1996 16:35:33 -0800 Received: by boytoy.csd.sgi.com (951211.SGI.8.6.12.PATCH1042/911001.SGI) id QAA00015; Thu, 29 Feb 1996 16:34:53 -0800 From: "SGI Security Coordinator" Message-Id: <9602291634.ZM13@boytoy.csd.sgi.com> Date: Thu, 29 Feb 1996 16:34:53 -0800 X-Mailer: Z-Mail-SGI (3.2S.2 10apr95 MediaMail) To: agent99@boytoy.csd.sgi.com Subject: SGI Security Advisory 19960301-01-P Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ooops....forgot the release notice. FOR GENERAL PUBLIC RELEASE -----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ Silicon Graphics Inc. Security Advisory Title: Security vulnerabilities in rpc.statd program Number: 19960301-01-P Date: February 29, 1996 ______________________________________________________________________________ Silicon Graphics provides this information freely to the SGI user community for its consideration, interpretation, implementation and use. Silicon Graphics recommends that this information be acted upon as soon as possible. Silicon Graphics will not be liable for any indirect, special, or consequential damages arising from the use of, failure to use or improper use of any of the instructions or information in this Security Advisory. ______________________________________________________________________________ It has been found that there are some security vulnerabilities within the /usr/etc/rpc.statd program. After further investigation, SGI recommends the following steps for neutralizing this possible means of exploit. It is HIGHLY RECOMMENDED that these measures be done on ALL SGI systems running IRIX 3.x, 4.x, 5.x and 6.x. The issue will be permanently corrected in a future release of IRIX. - -------------- - --- Impact --- - -------------- The vulnerabilities found within the rpc.statd program could be used in several including removal of files and denial of service attacks. An existing account on the target system is not necessary. - ---------------- - --- Solution --- - ---------------- **** IRIX 3.x **** Silicon Graphics Inc, no longer supports the IRIX 3.x operating system and therefore has no patches or binaries to provide. If possible, it is recommended that the system be upgrade to a supported version of IRIX (see below) and then install the patch for that particular IRIX version. **** IRIX 4.x **** As of the date of this document, SGI does not have a IRIX 4.x binary replacement that addresses this particular issue. If in the future, a replacement binary is generated, additional advisory information will be provided. If possible, it is recommended that the system be upgrade to a supported version of IRIX (see below) and then install the patch for that particular IRIX version. **** IRIX 5.0.x, 5.1.x **** For the IRIX operating systems versions 5.0.x and 5.1.x, an upgrade to 5.2 or better is required first. When the upgrade is completed, then the patches described in the following sections can be applied depending on the final version of the upgrade. **** IRIX 5.2 **** For the IRIX operating system version 5.2, an inst-able patch has been generated and made available via anonymous FTP and your service/support provider. The patch is number 1145 and will install on IRIX 5.2 only. The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its mirror, ftp.sgi.com. Patch 1145 can be found in the following directories on the FTP server: ~ftp/Security or ~ftp/Patches/5.2 ##### Checksums #### The actual patch will be a tar file containing the following files: Filename: patchSG0001145 Algorithm #1 (sum -r): 44131 2 patchSG0001145 Algorithm #2 (sum): 6431 2 patchSG0001145 MD5 checksum: 21AA35CB9907CE65E7E9F2CED4C5911A Filename: patchSG0001145.eoe1_sw Algorithm #1 (sum -r): 00315 35 patchSG0001145.eoe1_sw Algorithm #2 (sum): 33929 35 patchSG0001145.eoe1_sw MD5 checksum: 40B85524141352FA8EE027230BE6322C Filename: patchSG0001145.idb Algorithm #1 (sum -r): 45044 2 patchSG0001145.idb Algorithm #2 (sum): 60514 2 patchSG0001145.idb MD5 checksum: 784C192324E1D4CEAD0866CCE279EBC2 Filename: patchSG0001145.nfs_man Algorithm #1 (sum -r): 54026 6 patchSG0001145.nfs_man Algorithm #2 (sum): 4258 6 patchSG0001145.nfs_man MD5 checksum: 8B9266952D84D7B86386674FBEDDFC57 Filename: patchSG0001145.nfs_sw Algorithm #1 (sum -r): 11017 111 patchSG0001145.nfs_sw Algorithm #2 (sum): 29091 111 patchSG0001145.nfs_sw MD5 checksum: F52AC0B723600A408A3F3FF1AF637E95 **** IRIX 5.3, 6.0, 6.0.1, 6.1 **** For the IRIX operating system versions 5.3, 6.0, 6.0.1, and 6.1 an inst-able patch has been generated and made available via anonymous FTP and your service/support provider. The patch is number 1128 and will install on IRIX 5.3, 6.0 and 6.0.1 only. The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its mirror, ftp.sgi.com. Patch 1128 can be found in the following directories on the FTP server: ~ftp/Security or ~ftp/Patches/5.3 ~ftp/Patches/6.0 ~ftp/Patches/6.0.1 ~ftp/Patches/6.1 ##### Checksums #### The actual patch will be a tar file containing the following files: Filename: patchSG0001128 Algorithm #1 (sum -r): 20931 3 patchSG0001128 Algorithm #2 (sum): 29192 3 patchSG0001128 MD5 checksum: 133D5686F71C291FBFB03826171E6C74 Filename: patchSG0001128.eoe1_sw Algorithm #1 (sum -r): 61563 23 patchSG0001128.eoe1_sw Algorithm #2 (sum): 36962 23 patchSG0001128.eoe1_sw MD5 checksum: CECD51825804C10EFC91AB21E64608A7 Filename: patchSG0001128.idb Algorithm #1 (sum -r): 27583 2 patchSG0001128.idb Algorithm #2 (sum): 59737 2 patchSG0001128.idb MD5 checksum: 0F242B0EEACF2F1A3C97B67C1924C887 Filename: patchSG0001128.nfs_man Algorithm #1 (sum -r): 55436 5 patchSG0001128.nfs_man Algorithm #2 (sum): 39750 5 patchSG0001128.nfs_man MD5 checksum: 2D902C2D245E370CA3747762075B4AFD Filename: patchSG0001128.nfs_sw Algorithm #1 (sum -r): 16238 124 patchSG0001128.nfs_sw Algorithm #2 (sum): 57740 124 patchSG0001128.nfs_sw MD5 checksum: 2DEC03983024A7583D6B94431048014E - ----------------------------------------- - --- SGI Security Information/Contacts --- - ----------------------------------------- Past SGI Advisories and security patches can be obtained via anonymous FTP from sgigate.sgi.com or its mirror, ftp.sgi.com. These security patches and advisories are provided freely to all interested parties. For issues with the patches on the FTP sites, email can be sent to cse-security-alert@csd.sgi.com. For assistance obtaining or working with security patches, please contact your SGI support provider. If there are questions about this document, email can be sent to cse-security-alert@csd.sgi.com. For reporting *NEW* SGI security issues, email can be sent to security-alert@sgi.com or contact your SGI support provider. A support contract is not required for submitting a security report. -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBMTZBErQ4cFApAP75AQGZ/wP+Na2rwJNtfLjTb+r62Qqql3/X8dJKDhKu c75INm4OA24HJP8ICGucUhrrr7phTWx7OkkkepDpPHySyES8gyXfJ5XF+aWGkVMN hgOuVYMnPJUnA+qiAyyGiYDJQRtaNpaDHifbOSWg2CCv30Hi5aTTy3FsJKSNpn6V mCQZ5l7bnGI= =pCex -----END PGP SIGNATURE----- From firewalls-owner Fri Mar 1 01:42:31 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA00249 for firewalls-outgoing; Thu, 29 Feb 1996 21:10:28 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA00520 for ; Thu, 29 Feb 1996 19:01:12 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id QAA21456; Thu, 29 Feb 1996 16:18:35 -0800 Received: from sgi.com(192.48.153.1) by mycroft via smap (V1.3mjr) id sma021454; Thu Feb 29 16:18:10 1996 Received: from boytoy.csd.sgi.com by sgi.sgi.com via ESMTP (950405.SGI.8.6.12/910110.SGI) id QAA00826; Thu, 29 Feb 1996 16:19:47 -0800 Received: by boytoy.csd.sgi.com (951211.SGI.8.6.12.PATCH1042/911001.SGI) id QAA29910; Thu, 29 Feb 1996 16:18:41 -0800 From: "SGI Security Coordinator" Message-Id: <9602291618.ZM29908@boytoy.csd.sgi.com> Date: Thu, 29 Feb 1996 16:18:41 -0800 X-Mailer: Z-Mail-SGI (3.2S.2 10apr95 MediaMail) To: agent99@boytoy.csd.sgi.com Subject: SGI Security Advisory 19960301-01-P Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ Silicon Graphics Inc. Security Advisory Title: Security vulnerabilities in rpc.statd program Number: 19960301-01-P Date: February 29, 1996 ______________________________________________________________________________ Silicon Graphics provides this information freely to the SGI user community for its consideration, interpretation, implementation and use. Silicon Graphics recommends that this information be acted upon as soon as possible. Silicon Graphics will not be liable for any indirect, special, or consequential damages arising from the use of, failure to use or improper use of any of the instructions or information in this Security Advisory. ______________________________________________________________________________ It has been found that there are some security vulnerabilities within the /usr/etc/rpc.statd program. After further investigation, SGI recommends the following steps for neutralizing this possible means of exploit. It is HIGHLY RECOMMENDED that these measures be done on ALL SGI systems running IRIX 3.x, 4.x, 5.x and 6.x. The issue will be permanently corrected in a future release of IRIX. - -------------- - --- Impact --- - -------------- The vulnerabilities found within the rpc.statd program could be used in several including removal of files and denial of service attacks. An existing account on the target system is not necessary. - ---------------- - --- Solution --- - ---------------- **** IRIX 3.x **** Silicon Graphics Inc, no longer supports the IRIX 3.x operating system and therefore has no patches or binaries to provide. If possible, it is recommended that the system be upgrade to a supported version of IRIX (see below) and then install the patch for that particular IRIX version. **** IRIX 4.x **** As of the date of this document, SGI does not have a IRIX 4.x binary replacement that addresses this particular issue. If in the future, a replacement binary is generated, additional advisory information will be provided. If possible, it is recommended that the system be upgrade to a supported version of IRIX (see below) and then install the patch for that particular IRIX version. **** IRIX 5.0.x, 5.1.x **** For the IRIX operating systems versions 5.0.x and 5.1.x, an upgrade to 5.2 or better is required first. When the upgrade is completed, then the patches described in the following sections can be applied depending on the final version of the upgrade. **** IRIX 5.2 **** For the IRIX operating system version 5.2, an inst-able patch has been generated and made available via anonymous FTP and your service/support provider. The patch is number 1145 and will install on IRIX 5.2 only. The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its mirror, ftp.sgi.com. Patch 1145 can be found in the following directories on the FTP server: ~ftp/Security or ~ftp/Patches/5.2 ##### Checksums #### The actual patch will be a tar file containing the following files: Filename: patchSG0001145 Algorithm #1 (sum -r): 44131 2 patchSG0001145 Algorithm #2 (sum): 6431 2 patchSG0001145 MD5 checksum: 21AA35CB9907CE65E7E9F2CED4C5911A Filename: patchSG0001145.eoe1_sw Algorithm #1 (sum -r): 00315 35 patchSG0001145.eoe1_sw Algorithm #2 (sum): 33929 35 patchSG0001145.eoe1_sw MD5 checksum: 40B85524141352FA8EE027230BE6322C Filename: patchSG0001145.idb Algorithm #1 (sum -r): 45044 2 patchSG0001145.idb Algorithm #2 (sum): 60514 2 patchSG0001145.idb MD5 checksum: 784C192324E1D4CEAD0866CCE279EBC2 Filename: patchSG0001145.nfs_man Algorithm #1 (sum -r): 54026 6 patchSG0001145.nfs_man Algorithm #2 (sum): 4258 6 patchSG0001145.nfs_man MD5 checksum: 8B9266952D84D7B86386674FBEDDFC57 Filename: patchSG0001145.nfs_sw Algorithm #1 (sum -r): 11017 111 patchSG0001145.nfs_sw Algorithm #2 (sum): 29091 111 patchSG0001145.nfs_sw MD5 checksum: F52AC0B723600A408A3F3FF1AF637E95 **** IRIX 5.3, 6.0, 6.0.1, 6.1 **** For the IRIX operating system versions 5.3, 6.0, 6.0.1, and 6.1 an inst-able patch has been generated and made available via anonymous FTP and your service/support provider. The patch is number 1128 and will install on IRIX 5.3, 6.0 and 6.0.1 only. The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its mirror, ftp.sgi.com. Patch 1128 can be found in the following directories on the FTP server: ~ftp/Security or ~ftp/Patches/5.3 ~ftp/Patches/6.0 ~ftp/Patches/6.0.1 ~ftp/Patches/6.1 ##### Checksums #### The actual patch will be a tar file containing the following files: Filename: patchSG0001128 Algorithm #1 (sum -r): 20931 3 patchSG0001128 Algorithm #2 (sum): 29192 3 patchSG0001128 MD5 checksum: 133D5686F71C291FBFB03826171E6C74 Filename: patchSG0001128.eoe1_sw Algorithm #1 (sum -r): 61563 23 patchSG0001128.eoe1_sw Algorithm #2 (sum): 36962 23 patchSG0001128.eoe1_sw MD5 checksum: CECD51825804C10EFC91AB21E64608A7 Filename: patchSG0001128.idb Algorithm #1 (sum -r): 27583 2 patchSG0001128.idb Algorithm #2 (sum): 59737 2 patchSG0001128.idb MD5 checksum: 0F242B0EEACF2F1A3C97B67C1924C887 Filename: patchSG0001128.nfs_man Algorithm #1 (sum -r): 55436 5 patchSG0001128.nfs_man Algorithm #2 (sum): 39750 5 patchSG0001128.nfs_man MD5 checksum: 2D902C2D245E370CA3747762075B4AFD Filename: patchSG0001128.nfs_sw Algorithm #1 (sum -r): 16238 124 patchSG0001128.nfs_sw Algorithm #2 (sum): 57740 124 patchSG0001128.nfs_sw MD5 checksum: 2DEC03983024A7583D6B94431048014E - ----------------------------------------- - --- SGI Security Information/Contacts --- - ----------------------------------------- Past SGI Advisories and security patches can be obtained via anonymous FTP from sgigate.sgi.com or its mirror, ftp.sgi.com. These security patches and advisories are provided freely to all interested parties. For issues with the patches on the FTP sites, email can be sent to cse-security-alert@csd.sgi.com. For assistance obtaining or working with security patches, please contact your SGI support provider. If there are questions about this document, email can be sent to cse-security-alert@csd.sgi.com. For reporting *NEW* SGI security issues, email can be sent to security-alert@sgi.com or contact your SGI support provider. A support contract is not required for submitting a security report. -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBMTZBErQ4cFApAP75AQGZ/wP+Na2rwJNtfLjTb+r62Qqql3/X8dJKDhKu c75INm4OA24HJP8ICGucUhrrr7phTWx7OkkkepDpPHySyES8gyXfJ5XF+aWGkVMN hgOuVYMnPJUnA+qiAyyGiYDJQRtaNpaDHifbOSWg2CCv30Hi5aTTy3FsJKSNpn6V mCQZ5l7bnGI= =pCex -----END PGP SIGNATURE----- From firewalls-owner Fri Mar 1 01:53:41 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA00126 for firewalls-outgoing; Thu, 29 Feb 1996 18:11:44 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id QAA02158 for ; Thu, 29 Feb 1996 16:02:43 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id NAA20756; Thu, 29 Feb 1996 13:35:26 -0800 Received: from klee.logicon.com(137.51.252.5) by mycroft via smap (V1.3mjr) id sma020750; Thu Feb 29 13:35:10 1996 Received: from cclink.logicon.com (cclink-out.logicon.com) by logicon.com (5.0/SMI-4.2) id AA08599; Thu, 29 Feb 96 13:51:25 PST Received: from cc:Mail by cclink.logicon.com id AA825630368; Thu, 29 Feb 96 13:23:41 PST Date: Thu, 29 Feb 96 13:23:41 PST From: "LUI, Firewalls-BBS" Message-Id: <9601298256.AA825630368@cclink.logicon.com> To: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Usubscribe Firewalls From firewalls-owner Fri Mar 1 01:55:30 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA01681 for firewalls-outgoing; Thu, 29 Feb 1996 15:58:59 -0800 (PST) Received: from internet.milkyway.com (milkyway.com [198.53.167.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA01641 for ; Thu, 29 Feb 1996 15:58:48 -0800 (PST) Date: Thu, 29 Feb 1996 15:58:48 -0800 (PST) Message-Id: <199602292358.PAA01641@miles.greatcircle.com> X-Authentication-Warning: internet: Host perseids.milkyway.com claimed to be [192.168.77.77] From: "Hung Vu" Reply-To: "Hung Vu" To: firewalls@greatcircle.com Subject: Re: RealAudio and Firewalls Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In message <2.2.32.19960227010455.006ded34@us.checkpoint.com> "Emily G. Cohen" writes: > CheckPoint FireWall-1 supports RealAudio securely > TODAY, and is the first firewall to do so. > See the CheckPoint home page at www.checkpoint.com > for the press release (December 5, 1995) and the > free downloadable code for FireWall-1 users. > Black Hole users have been using RealAudio securely for a while now. I not sure about who is the first :) www.milkyway.com or info@milkyway.com for more information on Black Hole. Hung. From firewalls-owner Fri Mar 1 02:31:45 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA01795 for firewalls-outgoing; Thu, 29 Feb 1996 21:32:41 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA01018 for ; Thu, 29 Feb 1996 21:30:36 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id XAA16440; Wed, 28 Feb 1996 23:09:27 -0800 Received: from rcooper.the-wire.com(198.53.192.91) by mycroft via smap (V1.3mjr) id sma016438; Wed Feb 28 23:09:17 1996 Received: from ts9-07.vcr.InfoRamp.Net ([204.191.152.187]) by Mail.RC.Toronto.on.ca (post.office MTA v1.9.1 evaluation license) with SMTP id AAA222; Thu, 29 Feb 1996 02:11:34 -0500 Received: by ts9-07.vcr.InfoRamp.Net with Microsoft Mail id <01BB0632.44F41940@ts9-07.vcr.InfoRamp.Net>; Wed, 28 Feb 1996 23:12:45 -0500 Message-ID: <01BB0632.44F41940@ts9-07.vcr.InfoRamp.Net> From: Russ To: "firewalls@greatcircle.com" , "'Chris Carlson'" Subject: RE: What port does NT use for logins? Date: Wed, 28 Feb 1996 22:56:51 -0500 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk TCP 139, NBSessions is used for the actual login sequence. You will actually have to enable udp 137, udp/tcp 138, and tcp 139 to enable full NT access. By rights, udp 138 shouldn't be necessary, and udp 137 could be eliminated if browsing is not going to be used. Cheers, Russ From firewalls-owner Fri Mar 1 02:32:04 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA00864 for firewalls-outgoing; Thu, 29 Feb 1996 15:38:44 -0800 (PST) Received: from gatekeeper.hsa.com (phony.hsa.com [206.135.12.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA00856 for ; Thu, 29 Feb 1996 15:38:39 -0800 (PST) Received: from gatekeeper.hsa.com (daemon@localhost) by gatekeeper.hsa.com (8.6.12/8.6.12) with ESMTP id PAA06885 for ; Thu, 29 Feb 1996 15:12:25 -0800 Received: from hsa.com ([140.4.3.4]) by gatekeeper.hsa.com (8.6.12/8.6.12) with ESMTP id PAA06881 for ; Thu, 29 Feb 1996 15:12:25 -0800 Received: by hsa.com id PAA19628; Thu, 29 Feb 1996 15:36:17 -0800 Date: Thu, 29 Feb 1996 15:36:22 From: Matt Holdrege Message-Id: <19960229153622matt@matt> To: rafa@uap.edu.ph Subject: Re: 3Com Routers Cc: firewalls@greatcircle.com X-Mailer: Pronto E-Mail [version 2.0] MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > If any of the subscribers uses 3Com, I would appreciate sharing some > experiences regarding filtering in 3Com routers--perhaps by private mail > if the topic is not of general interest. 3TECH newsletter had a list of common "firewall" filters that should be set on 3COM Internet routers. You can call them or check at www.3com.com and look for 3TECH. Matt Holdrege matt@hsa.com From firewalls-owner Fri Mar 1 02:41:01 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA02339 for firewalls-outgoing; Thu, 29 Feb 1996 21:34:36 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA01733 for ; Thu, 29 Feb 1996 21:32:31 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id VAA15567; Wed, 28 Feb 1996 21:00:04 -0800 Received: from brutus.uap.edu.ph(203.172.10.6) by mycroft via smap (V1.3mjr) id sma015563; Wed Feb 28 20:59:44 1996 Received: from itcl1.uap.edu.ph (203.172.10.138) by brutus.uap.edu.ph (EMWAC SMTPRS 0.60) with SMTP id ; Thu, 29 Feb 1996 13:01:18 +0800 Received: by itcl1.uap.edu.ph with Microsoft Mail id <01BB06A6.62043000@itcl1.uap.edu.ph>; Thu, 29 Feb 1996 13:03:56 -0000 Message-ID: <01BB06A6.62043000@itcl1.uap.edu.ph> From: Rafael Portillo To: "'Perry The Cynic'" Cc: "firewalls@greatcircle.com" Subject: RE: Proxy-server for AOL client??? Date: Thu, 29 Feb 1996 13:03:54 -0000 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Perry, I am interested in your AOL relay. Could you send it over? Thank you Rafa For what it's worth, I've written an AOL relay demon that is freely available for the asking. AOL is just using a single outbound TCP channel, so it's not complicated. The demon logs connections, forces connections to AOL (only), and runs as "nobody" (or anybody else you like) under inetd. -- perry From firewalls-owner Fri Mar 1 02:42:51 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA00182 for firewalls-outgoing; Thu, 29 Feb 1996 18:13:23 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id QAA01965 for ; Thu, 29 Feb 1996 16:02:13 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id OAA21048; Thu, 29 Feb 1996 14:58:31 -0800 Received: from atlantis.actrix.gen.nz(192.100.53.23) by mycroft via smap (V1.3mjr) id sma021046; Thu Feb 29 14:58:19 1996 Received: (from uukellux@localhost) by atlantis.actrix.gen.nz (8.6.11/8.6.9) id JAA09561 for firewalls@greatcircle.com; Fri, 1 Mar 1996 09:40:45 +1300 >Received: by nzqa.govt.nz; Fri, 01 Mar 96 09:32:13 Message-ID: <70093731019BCCD1@nzqa.govt.nz> Date: Fri, 01 Mar 96 09:32:13 From: Mark Goring To: firewalls@greatcircle.com Subject: Net security X-Mailer: UGate [Ver. 1.99p] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Out of interest, as this seems to be the place to ask... Any opinions as to what level of security the system behind the firewall should be? I recently attended a seminar where it was recommended the system behind the firewall should be B2 level secure. Anyone? *-*Mark Goring voice: +64 4 802 3015 *-* *-*P.O Box 160, Wellington Fax: +64 4 802 3112 *-* *-*New Zealand internet: mark@nzqa.govt.nz *-* *-*Diplomacy is the art of saying "Nice Doggy" until *-* *-* you can find a rock *-* From firewalls-owner Fri Mar 1 02:59:12 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA01077 for firewalls-outgoing; Thu, 29 Feb 1996 15:47:20 -0800 (PST) Received: from global.globale.net (global.ca [204.101.90.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA01072 for ; Thu, 29 Feb 1996 15:47:15 -0800 (PST) Received: from ppp24.globale.net (ppp24.globale.net [204.101.90.24]) by global.globale.net (8.6.8.1/SCA-6.6) with SMTP id XAA05555 for ; Thu, 29 Feb 1996 23:41:45 GMT Date: Thu, 29 Feb 1996 23:41:45 GMT Message-Id: <199602292341.XAA05555@global.globale.net> X-Sender: ecaron@globale.net X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: Eric Caron Subject: Access servers Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I wish to express my gratefulness to those who answered the question I previously submitted. We are currently working on a dial-up access project. We have looked at access servers that support Tacacs+ or Radius authentication protocols. We are also looking at Windows NT as an alternative. Does anyone have implemented this solution? If so, will NT allow us to segregate our network in order to give to some users, access to parts of the network and full access to others? Can we limit access to specific services such as Telnet, FTP, etc.? Should NT be an alternative, is the management overhead significant? If anyone can help us, you answers will be much apreciated. Regards, Eric Caron. *********************************************** * To be or not to be... | William Shakespeare * * To be is to be. | Jean-Paul Sartre * * To be do be do. | Frank Sinatra * *********************************************** From firewalls-owner Fri Mar 1 03:02:54 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA00147 for firewalls-outgoing; Thu, 29 Feb 1996 21:27:23 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA00419 for ; Thu, 29 Feb 1996 21:14:01 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id UAA22174; Thu, 29 Feb 1996 20:08:44 -0800 Received: from starbase.ingress.com(199.171.57.2) by mycroft via smap (V1.3mjr) id sma022170; Thu Feb 29 20:08:11 1996 Received: from cbk.tiac.net by starbase.ingress.com (SMI-8.6/SMI-SVR4 ) id WAA05228; Thu, 29 Feb 1996 22:28:17 -0500 Date: Thu, 29 Feb 1996 22:28:17 -0500 Message-Id: <199603010328.WAA05228@starbase.ingress.com> X-Sender: cbk@ingress.com X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Firewalls@GreatCircle.COM From: cbk@ingress.com (Charles B. Kaplan) Subject: Re: IP fragments and packet filters Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >The only time you're ever likely to see a packet with FO=1 is if a bad guy is >knocking at your door. Would there ever be exceptions to this that would stem from the passing of data long distance, and thus forcing the data into a bigger pipe (say an ATM link cross country), and then back out of the pipe, possible becoming fragmented. IE, my east coast LAN wants to connect to my west coast LAN, which will involve traversing (substitute your favorate backbone providers) ATM link. Therefor my 68byte header + data get dumped into larger (I forget frame size at the moment) ATM cell, which could POSSIBLY ?? cause one byte to cross a cell boundry, and thuse appear fragmented to the remote site ? I guess this couldn't happen since everything is still a multiple of 8, so it should always fit on a boundry ?? Comments from someone who understands this better than I..... -Charles Kaplan From firewalls-owner Fri Mar 1 03:12:59 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA01634 for firewalls-outgoing; Thu, 29 Feb 1996 21:32:16 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA01035 for ; Thu, 29 Feb 1996 21:30:39 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id XAA16469; Wed, 28 Feb 1996 23:15:27 -0800 Received: from mail.crl.com(165.113.1.22) by mycroft via smap (V1.3mjr) id sma016455; Wed Feb 28 23:15:13 1996 Received: from [192.0.2.1] (crl4.crl.com) by mail.crl.com with SMTP id AA17443 (5.65c/IDA-1.5 for ); Wed, 28 Feb 1996 23:14:00 -0800 Message-Id: <199602290714.AA17443@mail.crl.com> X-Sender: jhue@mail.crl.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 28 Feb 1996 23:20:01 -0700 To: Firewalls@GreatCircle.COM From: jhue@crl.com (Jonathan Hue) Subject: Re: Proxy-server for AOL client? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >I am expecting that the answer to this question will be a firm "no", has >anyone out there heard of a way of setting up a proxy server so that the >AOL client on a users machine can use tcp/ip through a firewall to reach AOL? Why would you expect the answer to be no? It is trivially simple to proxy the AOL client. A couple minutes with a sniffer, or just poking through the files that come with the AOL application makes it obvious how to do it. On the Mac, the AOL client uses a single TCP connection; the destination port is 5190 on host americaonline.aol.com. This can be proxied with plug-gw from the TIS fwtk, along with changing "americaonline.aol.com" in the file TCPack to the name of your firewall. About five minutes of work. I'd still suggest using a sniffer though, otherwise you might not know that your username and password get sent in the clear. -Jonathan jhue@crl.com From firewalls-owner Fri Mar 1 03:45:11 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA03425 for firewalls-outgoing; Thu, 29 Feb 1996 21:38:15 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA01269 for ; Thu, 29 Feb 1996 21:16:27 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id EAA18282; Thu, 29 Feb 1996 04:24:54 -0800 Received: from dns.ottawa.net(205.211.4.4) by mycroft via smap (V1.3mjr) id sma018276; Thu Feb 29 04:24:31 1996 Received: from slip-ppp18.ottawa.net (slip-ppp18.ottawa.net [205.211.5.18]) by dns.ottawa.net (8.6.12/8.6.9) with SMTP id HAA14305; Thu, 29 Feb 1996 07:25:02 -0500 Date: Thu, 29 Feb 1996 07:25:02 -0500 Message-Id: <199602291225.HAA14305@dns.ottawa.net> X-Sender: bjm@ottawa.net X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: asafier@explorer.csc.com From: bjm@ottawa.net (Brian McIntosh) Subject: Re: VPN's over the internet Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Raptor has had encrypted firewall-firewall VPN for some time. They also have encrypted VPN from firewall to home-based PC or mobile laptop. Regards, Brian > >Several Firewall vendors now produce firewalls with firewall-firewall >link encryption. I recently installed Smartwall from V-One (Gauntlet >VAR) and it worked fine. > -snip- > >Last I heard Raptor, Sun and possibly others had or were working on >encrypted links - a flood is coming. DEC and others make stand alone >encryption boxs to toss on the front of your network. > >Always ask about key distribution and the security of remote management - >assuming your policy allows remote management (a sore point.) > >Have fun, >Adam Safier >Computer Scientist >CSC-SED Infosec > >This is my 2 cents worth (or less), not my employers. > > >On Mon, 26 Feb 1996, Joseph L. Moll wrote: >> I am in the middle of a design that will require a Firewall product that >> will also serve as a end node to a VPN. >> >> I would appreciate any input from folks that have actually implemented this >> configuration. > > =============================================================== Brian J. McIntosh UniSol Inc. 53 Courtney Road Tel: 613 831 6373 Kanata, Ontario Fax: 613 831 4739 Canada, K2L 1M1 Email: bjm@ottawa.net =============================================================== From firewalls-owner Fri Mar 1 04:15:50 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA00204 for firewalls-outgoing; Thu, 29 Feb 1996 18:14:50 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id QAA02068 for ; Thu, 29 Feb 1996 16:02:28 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id OAA20907; Thu, 29 Feb 1996 14:15:29 -0800 Received: from dns.eng.auburn.edu(131.204.10.13) by mycroft via smap (V1.3mjr) id sma020893; Thu Feb 29 14:14:59 1996 Received: from netman.eng.auburn.edu (netman.eng.auburn.edu [131.204.12.24]) by dns.eng.auburn.edu (8.7.4/8.6.4) with ESMTP id QAA28203; Thu, 29 Feb 1996 16:16:32 -0600 (CST) From: Doug Hughes Received: from localhost (doug@localhost) by netman.eng.auburn.edu (8.6.4/8.6.4) id QAA27221; Thu, 29 Feb 1996 16:16:28 -0600 Date: Thu, 29 Feb 1996 16:16:28 -0600 Subject: Re: catastrophe logs To: jmr@winternet.com Cc: firewalls@greatcircle.com Message-Id: In-Reply-To: <199602290013.SAA09235@klondike> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > >How do you folks store a safe copy of syslog info? >_Building_Internet_Firewalls_ recommends building a "dropsafe" logging >device out of a PC connected to a serial port on the bastion host: > > Configure the PC in such a way that it boots up into a terminal > program in "record" mode, and that every so often (every > 100,000 bytes, for example), the log files are rotated and pruned > so the system never runs out of disk space. > >Now I can configure any one of a dozen terminal programs to log >everything that comes over the serial port, but how do I accomplish >the pruning/rotating of the log files? If there a some PC software >out there that does this? kermit, the best terminal software I know >of, doesn't seem to be capable of this trick. Have you folks written >a home-brew solution? > >Thanks for any and all help. > >-John Rauser >jmr@winternet.com > Well, we don't go to quite that level of effort to secure logs, though some do. We have a restricted access unix machine that can only be logged into from certain machines in a certain way, by a small group of about 8 users. I compress the logs and store them on floppy or tape every couple of months. Another solution some might use would be to just use an old almost-suplus printer and have the logs dumped to the printer. This could even be used in parallel to disk access. THe printer would be a permanent record while the disk would make the logs searchable for specific records. An old printronix or other green-bar printer might do this pariticularly well (as long as it wasn't in an office.. NOISY). -- ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug@eng.auburn.edu Pro is to Con as progress is to congress From firewalls-owner Fri Mar 1 04:28:53 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA00466 for firewalls-outgoing; Thu, 29 Feb 1996 15:23:32 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA00461 for ; Thu, 29 Feb 1996 15:23:27 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id PAA21169; Thu, 29 Feb 1996 15:18:25 -0800 Received: from mailhost1.primenet.com(198.68.32.51) by mycroft via smap (V1.3mjr) id sma021167; Thu Feb 29 15:17:52 1996 Received: from usr3.primenet.com (root@usr3.primenet.com [198.68.32.13]) by mailhost1.primenet.com (8.7.3/8.7.1) with ESMTP id QAA27171; Thu, 29 Feb 1996 16:18:58 -0700 (MST) Received: (from boogie@localhost) by usr3.primenet.com (8.7.3/8.7.3) id QAA29889; Thu, 29 Feb 1996 16:18:58 -0700 (MST) Date: Thu, 29 Feb 1996 17:18:56 -0600 (CST) From: Reef Shafer To: Ken Hardy cc: firewalls@GreatCircle.COM Subject: Re: What port does NT use for logins? In-Reply-To: <199602281453.AA20718@ignatz.bridge.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk While were on the subject of windows logins, does any one have any DETAILED information about how microsoft implemented the login process. The microsoft winnt tcp/ip whitepaper mentions that the following ports are used for NetBIOS over tcp/ip: 137/udp (name services) 138/udp (datagram services) 139/tcp (session services) but doesn't give any info about source or destination ports. is this a process that maps 137 src --> 137 dst or is it "random" src --> 137 dst? additionally, can i limit outside connections to the WINS server only, or do i need to allow connections to all internal hosts that i want the "outsider" to see? I want to add a set of filters to my firewall to allow a machine outside the local subnet to browse the screened network and have access to files. I have looked for examples of a "MS-net Ruleset" but have failed to find anything. Any help would be greatly appreciated. boogie On Wed, 28 Feb 1996, Ken Hardy wrote: > Chris Carlson asked: > > >What port number does Windows NT clients/servers use for logging into > >each other via IP? > > I'll presume that you mean NetBIOS over TCP. There's an RFC for it > (don't have the number handy.) It uses: > > netbios-ns 137/udp > netbios-ssn 139/tcp > > The 137/udp is for name resolution, and the connection happens over > 139/tcp. I *think* that you could get by without the udp port if you > use static names (in lmhosts file); I'm working on an experiment now > to see if I could just proxy 139/tcp through a firewall and get > connected. > > I'm using plug-gw for a many-to-one type of configuration, but I > believe that the SMB protocol (which is what rides over the NetBIOS > connection) contains the name of the target in the openning message, so > it might to be possible to design a proxy that's aware of the protocol > and reads the target name to provide a many-to-many service (complete > with ACLs). I'm unaware of such a proxy (and am not considering > writing one.) > > -KH > From firewalls-owner Fri Mar 1 04:37:39 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA01844 for firewalls-outgoing; Thu, 29 Feb 1996 21:33:00 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA01126 for ; Thu, 29 Feb 1996 21:30:52 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id XAA16357; Wed, 28 Feb 1996 23:02:26 -0800 Received: from relay5.uu.net(192.48.96.15) by mycroft via smap (V1.3mjr) id sma016344; Wed Feb 28 23:01:25 1996 Received: from nsco.network.com by relay5.UU.NET with SMTP id QQaezc14191; Thu, 29 Feb 1996 02:00:18 -0500 (EST) Received: from mnbp.network.com (ushub.network.com) by nsco.network.com (4.1/1.34) id AA11416; Thu, 29 Feb 96 00:59:11 CST Received: by mnbp.network.com with Microsoft Mail id <31354D7A@mnbp.network.com>; Thu, 29 Feb 96 00:53:46 CST From: Craig McLellan To: firewalls Subject: Re: VPN's over the internet Date: Thu, 29 Feb 96 00:50:00 CST Message-Id: <31354D7A@mnbp.network.com> X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The problem with these "add-ons" is that they are just that, mere "feature" check lists. When you start digging into what software vendors are offering you quickly find that it is typically rather rudimentarily. Things like manual keys, DES only support and encryption vs. cryptography (replay prevention, non-repudiation, etc.) are all issues that must be addressed. Just my $02 worth. RGRDS.....clm ---------- From: firewalls-owner To: Joseph L. Moll Cc: firewalls Subject: Re: VPN's over the internet Date: February 28, 1996 12:55 Several Firewall vendors now produce firewalls with firewall-firewall link encryption. I recently installed Smartwall from V-One (Gauntlet VAR) and it worked fine. My big issue with multi-firewall designs is the problem of remote management vs. an expert at each site. Smartwall has secure Telnet based on their one-time password product so you can be at two places at once. I managed not to lock myself out too often...8-) Performance is another issue. Smartwall had an optional DES encryption board (- with German markings (huh?)) to boost performance but that forced them to use the same password/key on all firewalls in the VPN that talked to each other. I think that's acceptable since the VPN essentially extends your local net to the remote site. If one firewall/site is compromised the whole net is compromised. Of course you could add filter rules on each box if you don't want a full access VPN..... Last I heard Raptor, Sun and possibly others had or were working on encrypted links - a flood is coming. DEC and others make stand alone encryption boxs to toss on the front of your network. Always ask about key distribution and the security of remote management - assuming your policy allows remote management (a sore point.) Have fun, Adam Safier Computer Scientist CSC-SED Infosec This is my 2 cents worth (or less), not my employers. On Mon, 26 Feb 1996, Joseph L. Moll wrote: > I am in the middle of a design that will require a Firewall product that > will also serve as a end node to a VPN. > > I would appreciate any input from folks that have actually implemented this > configuration. From firewalls-owner Fri Mar 1 04:44:23 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA00344 for firewalls-outgoing; Thu, 29 Feb 1996 15:18:43 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA01946 for ; Thu, 29 Feb 1996 11:04:40 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id HAA18832; Thu, 29 Feb 1996 07:15:00 -0800 From: bmanning@ISI.EDU Received: from venera.isi.edu(128.9.0.32) by mycroft via smap (V1.3mjr) id sma018830; Thu Feb 29 07:14:04 1996 Received: from zed.isi.edu by venera.isi.edu (5.65c/5.61+local-22) id ; Thu, 29 Feb 1996 07:15:47 -0800 Received: by zed.isi.edu (5.65c/4.0.3-4) id ; Thu, 29 Feb 1996 07:11:05 -0800 Received: from venera.isi.edu by zephyr.isi.edu (5.65c/5.61+local-20) id ; Thu, 29 Feb 1996 07:11:54 -0800 Received: from zephyr.isi.edu by venera.isi.edu (5.65c/5.61+local-22) id ; Thu, 29 Feb 1996 07:11:53 -0800 Received: by zephyr.isi.edu (5.65c/5.61+local-20) id ; Thu, 29 Feb 1996 06:45:53 -0800 Received: from venera.isi.edu by zephyr.isi.edu (5.65c/5.61+local-20) id ; Thu, 29 Feb 1996 06:45:51 -0800 Received: from zed.isi.edu by venera.isi.edu (5.65c/5.61+local-22) id ; Thu, 29 Feb 1996 06:45:50 -0800 Posted-Date: Thu, 29 Feb 1996 06:41:09 -0800 (PST) Message-Id: <199602291441.AA13807@zed.isi.edu> Received: by zed.isi.edu (5.65c/4.0.3-4) id ; Thu, 29 Feb 1996 06:41:09 -0800 Subject: Re: host tables versus bind To: mis@seiden.com Date: Thu, 29 Feb 1996 06:41:09 -0800 (PST) Cc: mcr@milkyway.com, bind@uunet.uu.net, pier@ISI.EDU In-Reply-To: <9602260110.AA02471@seiden.com> from "Mark Seiden" at Feb 25, 96 05:10:17 pm X-Mailer: ELM [version 2.4 PL25] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > regarding actually *using* names rather than numbers, there are some > low-value services that perhaps names are appropriate for, in general: > e.g. access to outward-only proxies or low value services, or services > which use other forms of authentication (e.g. encryption). > > regarding whether internal DNS servers are susceptible to attack: in > some environments they can be attacked by insiders not all of whom are > trustworthy, but my point was mostly directed at engineering for > reliability -- one would hope a firewall would not need to rely on n > other computers also being up for it to do its job correctly. > .... > > I guess not. What kind of firewall technology are you using that > embeds IP addresses/names all over the place and doesn't let you change > them easily? > I welcome the demise of /etc/hosts. > > mark seiden, mis@seiden.com, 1-(415) 592 8559 (voice) Interesting discussion. There is a group of people over there -> that are discussing the ramifications of periodic renumbering of infrastructure components. The basic premise is that renumbering of infrastructure will become more prevelent as the Internet grows. (discussions on the validity of this premise are for private email to me) The end result is that the use of dotted quads as persistant identifiers will become greatly reduced. There will be an increasing dependence on services like DNS and DHCP to have enabled infrastructure. If you have some thoughts on the scope of changes that this will bring to the trust model on which current firewalls are built, your comments are encouraged. general list - pier-request@isi.edu Dave O'Leary - doleary@cisco.com Howard C. Berkowitz - hcb@mail.clark.net http://www.isi.edu/div7/pier the papers link. --bill From firewalls-owner Fri Mar 1 04:48:06 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA00131 for firewalls-outgoing; Thu, 29 Feb 1996 18:57:08 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA01025 for ; Thu, 29 Feb 1996 18:53:12 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id QAA21338; Thu, 29 Feb 1996 16:02:34 -0800 Date: Thu, 29 Feb 1996 16:02:34 -0800 Message-Id: <199603010002.QAA21338@mycroft.GreatCircle.COM> Received: from milkyway.com(198.53.167.2) by mycroft via smap (V1.3mjr) id sma021330; Thu Feb 29 16:01:51 1996 Received: from perseids.milkyway.com (perseids.milkyway.com [192.168.77.77]) by internet with SMTP (DuhMail/2.0) id SAA19210; Thu, 29 Feb 1996 18:58:12 -0500 X-Authentication-Warning: internet: Host perseids.milkyway.com claimed to be [192.168.77.77] From: "Hung Vu" Reply-To: "Hung Vu" To: rjc@mari.co.uk Cc: firewalls@greatcircle.com Subject: Re: VPN's over the internet Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Most high end firewall vendors support VPN with secure remote PC access; however only Milkyway Networks' Black Hole offers strong key management using Northern Telecom's Entrust X.509 certificates for both VPN and remote pc access. Check out www.milkyway.com or info@milkyway.com. Hung. In message <313378E2@landlord.mari.co.uk> Robert Campbell writes: > > Please try and talk to someone at Borderware they are about to release a > firewall version supporting VPN encrypted. > Tell them I sent you. > robert.campbell@mari.co.uk > ---------- > From: firewalls-owner > To: firewalls > Subject: VPN's over the internet > Date: 26 February 1996 17:41 > > I am in the middle of a design that will require a Firewall product that > will also serve as a end node to a VPN. > > I would appreciate any input from folks that have actually implemented this > configuration. > > Regards, > --- > Joseph (Joe) L. Moll mailto:jmoll@acquion.com > http://www.acquion.com phone:864-281-4108 fax:864-281-4576 > Acquion, Inc. Greenville, SC USA -- Specialists in Electronic Commerce > > From firewalls-owner Fri Mar 1 04:58:07 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA00761 for firewalls-outgoing; Thu, 29 Feb 1996 18:48:41 -0800 (PST) Received: from scruz.net (nic.scruz.net [165.227.1.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id SAA00754 for ; Thu, 29 Feb 1996 18:48:36 -0800 (PST) From: jcg@scruznet.com Received: from jcg.wcdssi.com by scruz.net (8.7.3/1.34) id SAA11978; Thu, 29 Feb 1996 18:46:45 -0800 (PST) Date: Thu, 29 Feb 96 18:36:29 PST Subject: Re: USE OF 'MANAGED' INTERNET CONNECTION To: firewalls@count04.mry.scruznet.com, Bill Van Emburg Cc: chris.clark@iis.net, tim.meingardt@iis.net, gblolmxb@ibmmail.com, firewalls@GreatCircle.COM, firewalls@count04.mry.scruznet.com X-PRIORITY: 3 (Normal) X-Mailer: Chameleon 4.6, TCP/IP for Windows, NetManage Inc. Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Bill, You are not nuts but you might also want to look at Internet Information Services Inc.. They are located in Rockville, MD. Their Web address is WWW.iis.net. I have seen their service and feel it is, by far, the best available in the commercial market. John 'That's my professional opinion not personal, and BTW, everything I say is the opinion of the company.' ========================================================= Date:2/29/96 Time: 6:43:36 PM John Guinasso E-mail: jcg@wcdssi.com Data Systems Security Inc. 4960 Almaden Expressway, MS237, San Jose, Ca 95118 Voice: 408-323-8556, Fax: 408-323-8557 http://www.scruznet.com/~jcg/dssi.htm ========================================================= --- On Mon, 29 Jan 96 16:45:39 EST Bill Van Emburg wrote: >Interestingly enough, I recently came across an ISP who may just >convince me to use them to provide the "serious" security.... > >Pilot Network Systems is an access provider whose entire concept is >focused on security. Access is simply a consequence of this focus. >They seem to be a good choice for a company that wants >serious/up-to-date protection, but doesn't want to go overboard on >firewalls and expertise in-house. I envision that, with an I-net >connection provided by them, I should be able to rely on nothing more >than basic IP packet filtering (in my routers), and let Pilot handle >the proxies, and the careful monitoring/logging. > >Any thoughts from the community at large? Am I nuts? Anybody who >uses them wish to comment? > > > -BVE > (er..that's Bill Van Emburg) > (bve@yourtown.com) > "You do what you want, and if you didn't, you don't" > -----------------End of Original Message----------------- From firewalls-owner Fri Mar 1 04:59:29 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id XAA07030 for firewalls-outgoing; Thu, 29 Feb 1996 23:01:36 -0800 (PST) Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id XAA06995 for ; Thu, 29 Feb 1996 23:01:27 -0800 (PST) Received: from cixgate by relay2.UU.NET with SMTP id QQafct16145; Fri, 1 Mar 1996 01:58:30 -0500 (EST) Received: from manzanita.DEV.3Com.COM.noname ([139.87.180.206]) by cixgate (4.1/SMI-4.1/3com-cixgate-GCA-931027-01) id AA16514; Thu, 29 Feb 96 08:25:28 PST Received: by manzanita.DEV.3Com.COM.noname (4.1/SMI-4.1) id AA10388; Thu, 29 Feb 96 08:09:02 PST Date: Thu, 29 Feb 96 08:09:02 PST From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg) Message-Id: <9602291609.AA10388@manzanita.DEV.3Com.COM.noname> To: firewalls@Greatcircle.com, rafa@uap.edu.ph Subject: Re: 3Com Routers Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Please see my article on building a firewall with 3Com routers in the April 1995 issue of 3Tech magazine. The article is also available online at: http://www.3com.com/0files/mktg/pubs/3tech/firewall.html Have fun, BobK From firewalls-owner Fri Mar 1 05:13:05 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id BAA19515 for firewalls-outgoing; Fri, 1 Mar 1996 01:48:19 -0800 (PST) Received: from halon.vggas.com (halon.vggas.com [194.216.201.253]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id BAA19504 for ; Fri, 1 Mar 1996 01:48:09 -0800 (PST) Received: from smtpgate.vggas.com (smtpgate.vggas.com [192.168.0.15]) by halon.vggas.com (8.7.1/8.7.1) with SMTP id JAA32088 for ; Fri, 1 Mar 1996 09:43:45 GMT Received: by smtpgate.vggas.com with Microsoft Mail id <313737E8@smtpgate.vggas.com>; Fri, 01 Mar 96 09:46:16 PST From: James Youngman VGGAS To: "'firewalls@GreatCircle.COM'" Subject: Proxy for netbios-session Date: Fri, 01 Mar 96 09:45:00 PST Message-ID: <313737E8@smtpgate.vggas.com> X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Is there anywhere I can find a proxy for netbios-over-TCP/IP? We have a requirement for offsite users to retrieve mail remotely, and in the MIS department's rush to embrace Microsoft, they took on Microsoft Mail, and so I can't even use APOP. James. From firewalls-owner Fri Mar 1 05:36:12 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id BAA18198 for firewalls-outgoing; Fri, 1 Mar 1996 01:35:35 -0800 (PST) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id BAA18173 for ; Fri, 1 Mar 1996 01:35:18 -0800 (PST) Message-Id: <199603010935.BAA18173@miles.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA279152903; Fri, 1 Mar 1996 20:35:03 +1100 From: Darren Reed Subject: Re: Pentagon displays due respect for hackers To: sgcccdc@citec.qld.gov.au (Colin Campbell) Date: Fri, 1 Mar 1996 20:35:03 +1100 (EDT) Cc: darrell@teleport.com, firewalls@GreatCircle.COM In-Reply-To: <199602282357.JAA03770@guru.citec.qld.gov.au> from "Colin Campbell" at Feb 29, 96 09:57:23 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In some mail from Colin Campbell, sie said: > > My mailer thinks Darrell Fuhriman said: > > > > > > ... ip fragmentation attacks, > > > > > > Wozzat? > > > > Fragment the IP packet so the address are in different packets, as well as > > the port number. The router can't buffer them, and can't filter > > them until it knows all the information. So, it lets them through. And > > since most firewalls only block on the SYN... tada.. open connection. > > So, if I run input filters only, I am susceptible to this attack. Correct? Possibly. Most vendors/implementations patched this - eventually. Make sure you understand how it is handled. > I take it, then, that output filters kill this attack to other hosts but the > router still susceptible since the packet never makes it to the output > filters? No, if your output filter drops the packet, it becomes an IP spoofing attack problem (guess the TCP ISS value in the reply you don't see). darren From firewalls-owner Fri Mar 1 05:56:52 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id CAA21189 for firewalls-outgoing; Fri, 1 Mar 1996 02:03:37 -0800 (PST) Received: from relay1.pipex.net (relay1.pipex.net [158.43.128.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id CAA21161 for ; Fri, 1 Mar 1996 02:03:28 -0800 (PST) Received: from london.ecaltd.com by flow.pipex.net with SMTP (PP); Fri, 1 Mar 1996 10:00:13 +0000 Received: by london.ecaltd.com with Microsoft Mail id <3136CAA8@london.ecaltd.com>; Fri, 01 Mar 96 10:00:08 GMT From: "Anthony.W.Youngman" To: "'_firewalls'" Subject: FW: rx but no tx wiring for ethernet Date: Fri, 01 Mar 96 09:57:00 GMT Message-ID: <3136CAA8@london.ecaltd.com> X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Soembody will probably correct me, but I think the twisted pair standard says that for 10Mb ethernet, the blue and brown pairs are not used. Of the orange and green pairs, one is tx, one is rx (thats wires 1&2, 3&6). I'm not sure which is which, but breaking one of those should make it receive-only. ---------- From: firewalls-owner[SMTP:firewalls-owner@GreatCircle.COM] Sent: 29 February 1996 07:26 To: firewalls Subject: rx but no tx wiring for ethernet I dont know if it can be done with ethernet because of it being a contention kinda thing but is it posible to make a twisted-pair cable to only receive? I played around with the wiring but could not get it to work. Maybe it depends on what brand of card? Any help in this area is much apreciated. --blast From firewalls-owner Fri Mar 1 05:57:54 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id DAA29304 for firewalls-outgoing; Fri, 1 Mar 1996 03:53:31 -0800 (PST) Received: from bramber.windsor.com (bramber.windsor.com [199.181.96.54]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id DAA29124 for ; Fri, 1 Mar 1996 03:52:29 -0800 (PST) Received: (from erics@localhost) by bramber.windsor.com (8.6.12/8.6.12) id GAA10744; Fri, 1 Mar 1996 06:50:03 -0500 From: "Eric V. Smith" Message-Id: <199603011150.GAA10744@bramber.windsor.com> Subject: Re: IP fragments and packet filters To: cbk@starbase.ingress.com (Charles B. Kaplan) Date: Fri, 1 Mar 1996 06:50:02 -0500 (EST) Cc: Firewalls@GreatCircle.COM In-Reply-To: <199603010328.WAA05228@starbase.ingress.com> from "Charles B. Kaplan" at Feb 29, 96 10:28:17 pm Reply-To: EricSmith@windsor.com X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Charles B. Kaplan wrote: > > >The only time you're ever likely to see a packet with FO=1 is if a bad guy is > >knocking at your door. > > Would there ever be exceptions to this that would stem from the passing of > data long distance, and thus forcing the data into a bigger pipe (say an ATM > link cross country), and then back out of the pipe, possible becoming > fragmented. See rfc1858, "Security Considerations for IP Fragment Filtering". -- Eric V. Smith | Some for renown on scraps of learning dote, EricSmith@windsor.com | And think they grow immortal as they quote. Windsor Software Corp +----------------------------------+ Edward Young http://www.windsor.com/ Windows NT, Unix, SQL Server | English poet From firewalls-owner Fri Mar 1 05:58:49 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA02591 for firewalls-outgoing; Fri, 1 Mar 1996 04:38:07 -0800 (PST) Received: from lint.cisco.com (lint.cisco.com [171.68.235.77]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA02562 for ; Fri, 1 Mar 1996 04:37:51 -0800 (PST) Received: from pferguso-pc.cisco.com (c1robo5.cisco.com [171.68.13.5]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id EAA18924; Fri, 1 Mar 1996 04:35:11 -0800 Message-Id: <199603011235.EAA18924@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 01 Mar 1996 07:35:58 -0500 To: cbk@starbase.ingress.com (Charles B. Kaplan) From: Paul Ferguson Subject: Re: IP fragments and packet filters Cc: Firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The fragmentation and, more importantly, reassembly should happen in this case transparently long before it reaches your router/firewall/whatever. - paul At 10:28 PM 2/29/96 -0500, Charles B. Kaplan wrote: >>The only time you're ever likely to see a packet with FO=1 is if a bad guy is >>knocking at your door. > >Would there ever be exceptions to this that would stem from the passing of >data long distance, and thus forcing the data into a bigger pipe (say an ATM >link cross country), and then back out of the pipe, possible becoming >fragmented. > >IE, my east coast LAN wants to connect to my west coast LAN, which will >involve traversing (substitute your favorate backbone providers) ATM link. >Therefor my 68byte header + data get dumped into larger (I forget frame size >at the moment) ATM cell, which could POSSIBLY ?? cause one byte to cross a >cell boundry, and thuse appear fragmented to the remote site ? > >I guess this couldn't happen since everything is still a multiple of 8, so >it should always fit on a boundry ?? > >Comments from someone who understands this better than I..... > >-Charles Kaplan > -- Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:.. e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Fri Mar 1 06:24:46 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id CAA25550 for firewalls-outgoing; Fri, 1 Mar 1996 02:56:51 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id CAA25545 for ; Fri, 1 Mar 1996 02:56:44 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id CAA23196; Fri, 1 Mar 1996 02:51:42 -0800 Received: from mail.comnet.mt(193.82.255.25) by mycroft via smap (V1.3mjr) id sma023191; Fri Mar 1 02:50:05 1996 Received: by michelle.magnet.mt id <21880>; Fri, 1 Mar 1996 11:56:02 +0100 Date: Fri, 1 Mar 1996 12:01:13 +0100 From: Alex Chircop Organization: Management Systems Unit Ltd. X-Mailer: Mozilla 2.0GoldB1 (Win95; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: RE: Support of already used IP addresses X-URL: http://granite/logon Content-Type: text/plain; charset=iso-8859-1 Message-Id: <96Mar1.115602gmt+0100.21880@michelle.magnet.mt> Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk You can try something like this: ------ R O U T E R ------- F I R E W A L L ------ | ---- I N T E R N E = T ------------ Your intranet Priv addr network | such as 172.16.0.0 | or 10.0.0.0 Proxy Server with register= ed address and configure all your clients to use the proxy server. That way the c= lients will be able to access all addresses, but are limited to the facilities avai= lable on the proxy server. If you use the CERN HTTPD you will have access to go= pher, ftp and http together with https if you install the SSL patch. Hope this helps ... could others please comment on this design ? Regards, Alex Chircop - Admin alex.j.chircop@magnet.mt / postmaster@magnet.mt Management Systems Unit Ltd. Malta - Europe ************************************************** *** Check out http://www.magnet.mt/ ************ ************************************************** >From: Marc Rapoport >Date: Thu, 29 Feb 1996 16:29:49 +0100 >Subject: Support of already used IP adresses >Hi, our private Intranet adressing plan is using several class B that = are >already >allocated on the Internet, as our Intranet was created long before we >planned to interconnect >with the Internet. >We use a single firewall which masks our private adresses, but we are = not >able to reach > the public portion of the Internet that uses the same IP adresses. >The only solution i know to handle that problem is to use 2 firewalls >serialized=20 >with a pseudo network between the Intranet and the Internet. >Does anybody knows a product able to solve this problem with only one = firewall ? >Thanks in advance. >=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D >=F6=F6 Marc Rapoport : rapoport@iway.fr = =F6=F6 >=F6=F6 AGF.SI Tour Franklin - La Defense 8 = =F6=F6 >=F6=F6 92042 PARIS LA DEFENSE CEDEX = =F6=F6 >=F6=F6 Tel : 49.03.31.77 Fax : 47.67.07.90 = =F6=F6 >=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D From firewalls-owner Fri Mar 1 06:36:28 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA04439 for firewalls-outgoing; Fri, 1 Mar 1996 05:04:26 -0800 (PST) Received: from dax.sai.com (dax.sai.com [198.137.245.66]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA04430 for ; Fri, 1 Mar 1996 05:04:16 -0800 (PST) Received: from dax.sai.com by dax.sai.com with smtp (Smail3.1.29.1 #3) id m0tsUV0-003pLtC; Fri, 1 Mar 96 08:03 EST Date: Fri, 1 Mar 1996 08:03:54 -0500 (EST) From: Darryl Wagoner To: Marc Rapoport cc: Firewalls@GreatCircle.COM Subject: Re: Support of already used IP adresses In-Reply-To: <9602291529.AA26947@agf.fr> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 29 Feb 1996, Marc Rapoport wrote: The correct way to solve this is to use the private class A network address that was reserve for this purpose. I think it is 10.0.0.0. but don't quote me on it. -- Darryl Wagoner darryl@sai.com http://www.sai.com/ Office: 603.672.0736 Fax: 603-672-4846 Web Pages for hire. Check out NH & MA Movies http://www.sai.com/movies From firewalls-owner Fri Mar 1 06:43:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA03838 for firewalls-outgoing; Fri, 1 Mar 1996 04:58:25 -0800 (PST) Received: from delphi.ndhm.gtegsc.com (delphi.ndhm.gtegsc.com [155.95.155.160]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA03811 for ; Fri, 1 Mar 1996 04:58:00 -0800 (PST) Received: from mail.ndhm.gtegsc.com by delphi.ndhm.gtegsc.com with SMTP; Fri, 1 Mar 1996 12:56:18 -0500 (EST) Message-ID: Date: 1 Mar 1996 07:52:18 U From: "FreedmanJ" Subject: RE: Pentagon displays due respect for hackers To: "Dale M. Johnson" , "firewalls" X-Mailer: Mail*Link SMTP-MS 3.0.2 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Unknown Microsoft mail form. Approximate representation follows. To: Dale M. Johnson; firewalls From: FreedmanJ on Fri, Mar 1, 1996 7:52 AM Subject: RE: Pentagon displays due respect for hackers RFC Header:Received: by mail.ndhm.gtegsc.com with SMTP;1 Mar 1996 05:06:29 U Received: from relay3.UU.NET by delphi.ndhm.gtegsc.com with SMTP; Fri, 1 Mar 1996 10:05:55 -0500 (EST) Received: from miles.greatcircle.com by relay3.UU.NET with ESMTP id QQafdg14820; Fri, 1 Mar 1996 05:00:20 -0500 (EST) Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA03015 for firewalls-outgoing; Wed, 28 Feb 1996 15:59:36 -0800 (PST) Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA03010 for ; Wed, 28 Feb 1996 15:59:31 -0800 (PST) Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.6.10/8.6.10) id JAA10584; Thu, 29 Feb 1996 09:51:26 +1000 Received: from guru.citec.qld.gov.au(147.132.20.47) by citecuh.citec.qld.gov.au via smap (V1.3) id /mail/incoming/sma010577; Thu Feb 29 09:51:25 1996 Received: (from sgcccdc@localhost) by guru.citec.qld.gov.au (8.6.12/8.6.12) id JAA03770; Thu, 29 Feb 1996 09:57:25 +1000 From: Colin Campbell Message-Id: <199602282357.JAA03770@guru.citec.qld.gov.au> Subject: Re: Pentagon displays due respect for hackers To: darrell@teleport.com (Darrell Fuhriman) Date: Thu, 29 Feb 1996 09:57:23 +1000 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: from "Darrell Fuhriman" at Feb 28, 96 10:59:41 am X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Fragment the IP packet so the address are in different packets, as well as > the port number. The router can't buffer them, and can't filter > them until it knows all the information. So, it lets them through. And > since most firewalls only block on the SYN... tada.. open connection. I am not sure I understand this attack. Are you talking about the addresses in the IP header - if so then how can you fragment that? Jerry Freedman,Jr From firewalls-owner Fri Mar 1 07:14:04 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA07607 for firewalls-outgoing; Fri, 1 Mar 1996 05:42:00 -0800 (PST) Received: from zcias1.ziff.com (zcias1.ziff.com [140.244.1.69]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA07593 for ; Fri, 1 Mar 1996 05:41:54 -0800 (PST) Received: from iongate.staff.ichange.com (198-112-128-9.ichange.com) by zcias1.ziff.com (PMDF V5.0-5 #10330) id <01I1TGORG68W00A7O6@zcias1.ziff.com> for firewalls@GreatCircle.com; Fri, 01 Mar 1996 08:37:29 -0500 (EST) Received: by iongate.staff.ichange.com (IBM OS/2 SENDMAIL VERSION 1.3.2) /1.0) id AA4166; Fri, 01 Mar 1996 08:35:28 -0800 Received: from IChange with "Lotus Notes Mail Gateway for SMTP" id 02631AAE9E04502A852562E0004A63D5; Fri, 01 Mar 1996 08:35:28 +0000 Date: Fri, 01 Mar 1996 08:35:35 -0400 (EDT) From: Bill Conaway Subject: Gated and Firewall-1 2.0 To: firewalls Message-id: <9603011635.AA4166@iongate.staff.ichange.com> MIME-version: 1.0 Content-type: Text/Plain Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Has anyone tried using Merit's Gated with two firewalls in lieu of a high availability product like OpenVision or Qualix? From firewalls-owner Fri Mar 1 07:14:10 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA09497 for firewalls-outgoing; Fri, 1 Mar 1996 06:10:58 -0800 (PST) Received: from balder.ssds.com (balder.ssds.com [204.131.72.62]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA09482 for ; Fri, 1 Mar 1996 06:10:50 -0800 (PST) Received: (from mail@localhost) by balder.ssds.com (8.6.9/8.6.9.SSDSnet-hub) id HAA08474; Fri, 1 Mar 1996 07:09:14 -0700 Received: from baltimore.ssds.com(134.127.34.1) by balder.ssds.com via smap (V1.3) id sma008470; Fri Mar 1 07:09:11 1996 Received: by baltimore.ssds.com id JAA22740; Fri, 1 Mar 1996 09:09:09 -0500 (EST) Date: Fri, 1 Mar 1996 09:09:09 -0500 (EST) From: Mike Malik -- Dover DE X-Sender: mam@baltimore To: Mark Goring cc: firewalls@GreatCircle.COM Subject: Re: Net security In-Reply-To: <70093731019BCCD1@nzqa.govt.nz> Message-ID: MIME-Version: 1.0 Content-Type: TEXT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 1 Mar 1996, Mark Goring wrote: > Out of interest, as this seems to be the place to ask... > Any opinions as to what level of security the system behind the firewall > should be? > I recently attended a seminar where it was recommended the system behind > the firewall should be B2 level secure. > Anyone? What are you trying to protect ? How much does it cost you if you lose it ? Try to spend less than that. Mike ( ( | ( Mike Malik (mam@ssds.com) ) ) (| ), inc. 9841 Broken Land Parkway,Suite 100 business driven Columbia, MD 21046 technology solutions 410-381-4313 FAX: 410-381-2170 From firewalls-owner Fri Mar 1 08:05:28 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA13697 for firewalls-outgoing; Fri, 1 Mar 1996 07:16:42 -0800 (PST) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA13680 for ; Fri, 1 Mar 1996 07:16:32 -0800 (PST) Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id KAA12331; Fri, 1 Mar 1996 10:18:55 -0500 From: Adam Shostack Message-Id: <199603011518.KAA12331@homeport.org> Subject: Re: catastrophe logs To: jmr@winternet.com (John Rauser) Date: Fri, 1 Mar 1996 10:18:55 -0500 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: <199602290013.SAA09235@klondike> from "John Rauser" at Feb 28, 96 06:13:26 pm X-Mailer: ELM [version 2.4 PL24 ME8b] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk John Rauser wrote: | Now I can configure any one of a dozen terminal programs to log | everything that comes over the serial port, but how do I accomplish | the pruning/rotating of the log files? If there a some PC software | out there that does this? kermit, the best terminal software I know | of, doesn't seem to be capable of this trick. Have you folks written | a home-brew solution? Perl runs on dos. I'm not sure how to get dos to emulate cron, so I'd probably toss linux or *bsd on the machine, and forget dos. Use what you know. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From firewalls-owner Fri Mar 1 08:05:51 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA14284 for firewalls-outgoing; Fri, 1 Mar 1996 07:22:48 -0800 (PST) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA14271 for ; Fri, 1 Mar 1996 07:22:42 -0800 (PST) Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id KAA12363; Fri, 1 Mar 1996 10:25:40 -0500 From: Adam Shostack Message-Id: <199603011525.KAA12363@homeport.org> Subject: Re: Net security To: MARK@nzqa.govt.nz (Mark Goring) Date: Fri, 1 Mar 1996 10:25:40 -0500 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: <70093731019BCCD1@nzqa.govt.nz> from "Mark Goring" at Mar 1, 96 09:32:13 am X-Mailer: ELM [version 2.4 PL24 ME8b] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Mark Goring wrote: | Out of interest, as this seems to be the place to ask... | Any opinions as to what level of security the system behind the firewall | should be? | I recently attended a seminar where it was recommended the system behind | the firewall should be B2 level secure. It depends on what you have on the network. :) Less flipantly, you need to weigh costs vs risk. The reason firewalls are useful is because it makes it possible to concetrate your risks. This is handy because its impossible to secure every machine in a class B net. If you have a set of 12 machines which control the issuance of money, you should make each of them quite secure. If you have a lab full of student acccess terminals, you should assume the lab contains hostile folks and either tie it down very tightly, or label it hostile. Or both. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From firewalls-owner Fri Mar 1 08:13:20 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA15929 for firewalls-outgoing; Fri, 1 Mar 1996 07:49:33 -0800 (PST) Received: from crl.crl.com (crl.com [165.113.1.12]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA15923 for ; Fri, 1 Mar 1996 07:49:28 -0800 (PST) Received: by crl.crl.com id AA19289 (5.65c/IDA-1.5); Fri, 1 Mar 1996 07:25:30 -0800 Date: Fri, 1 Mar 1996 07:25:28 -0800 (PST) From: Tim Keanini To: Doug Hughes Cc: jmr@winternet.com, firewalls@greatcircle.com Subject: Re: catastrophe logs In-Reply-To: Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 29 Feb 1996, Doug Hughes wrote: > > > > >How do you folks store a safe copy of syslog info? > >_Building_Internet_Firewalls_ recommends building a "dropsafe" logging > >device out of a PC connected to a serial port on the bastion host: > > > > Configure the PC in such a way that it boots up into a terminal > > program in "record" mode, and that every so often (every > > 100,000 bytes, for example), the log files are rotated and pruned > > so the system never runs out of disk space. > > Well, we don't go to quite that level of effort to secure logs, though > some do. We have a restricted access unix machine that can only be logged > into from certain machines in a certain way, by a small group of about 8 > users. I compress the logs and store them on floppy or tape every couple > of months. > Doug Hughes Engineering Network Services > System/Net Admin Auburn University The problem with the serial type of logging is that it just does not scale. If you are having to deal with 10 hosts or more in a DMZ network, and I am not saying that everyone does but if you are, you know what kind of logs and udp traffic is going on. There are two issues: 1) The first is purly a network traffic issue. At some point, these really chatty machines that are telling the loghost everything, fill up the wire with syslog packets. If you try and solve this with a serial connection, you lose on two counts. One is that the dropsafe side, even with a 16550 UART will not be able to take in all the logs from all hosts. Two is that your packetfiltering routers cant be hacked to send the syslog stuff to a serial stream (at least I have not been able to do it without affecting the performace of the router). 2) the idea of the safe in dropsafe is that this unit that is recieving the logs is only reachable by these hosts sending logs to it. I have a firewall system that I manage by which I have used a Kalpana PRO16 etherswitch to make sure that at the MAC layer, only these hosts can reach the drop safe. I have also done this type of thing with setting up VLANSs for other isolations under the TCP/IP layer. This way, you can tell the logging machines port, that only these mac addresses can reach it and be damn sure that one of those address is not a router. I am still searching for the untimate system but until then...a hacking we will go. --blast From firewalls-owner Fri Mar 1 08:19:31 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA12610 for firewalls-outgoing; Fri, 1 Mar 1996 07:00:21 -0800 (PST) Received: from zcias1.ziff.com (zcias1.ziff.com [140.244.1.69]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA12568 for ; Fri, 1 Mar 1996 07:00:11 -0800 (PST) Received: from iongate.staff.ichange.com (198-112-128-9.ichange.com) by zcias1.ziff.com (PMDF V5.0-5 #10330) id <01I1TJFKZ92O00CNZH@zcias1.ziff.com> for Firewalls@GreatCircle.COM; Fri, 01 Mar 1996 09:56:22 -0500 (EST) Received: by iongate.staff.ichange.com (IBM OS/2 SENDMAIL VERSION 1.3.2) /1.0) id AA4495; Fri, 01 Mar 1996 09:54:21 -0800 Received: from IChange with "Lotus Notes Mail Gateway for SMTP" id 80A39ED94EC4774A852562E0004FF1F1; Fri, 01 Mar 1996 09:54:19 +0000 Date: Fri, 01 Mar 1996 09:37:05 -0400 (EDT) From: Bill Conaway Subject: Re: IP fragments and packet filters To: "Charles B. Kaplan" Cc: Firewalls Message-id: <9603011754.AA4495@iongate.staff.ichange.com> MIME-version: 1.0 Content-type: Text/Plain Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Charles B. Kaplan wrote: > > >The only time you're ever likely to see a packet with FO=1 is if a bad guy is > >knocking at your door. > > Would there ever be exceptions to this that would stem from the passing of > data long distance, and thus forcing the data into a bigger pipe (say an ATM > link cross country), and then back out of the pipe, possible becoming > fragmented. See rfc1858, "Security Considerations for IP Fragment Filtering". -- Eric V. Smith | Some for renown on scraps of learning dote, EricSmith@windsor.com | And think they grow immortal as they quote. Windsor Software Corp +----------------------------------+ Edward Young http://www.windsor.com/ Windows NT, Unix, SQL Server | English poet From firewalls-owner Fri Mar 1 08:21:06 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA10600 for firewalls-outgoing; Fri, 1 Mar 1996 06:27:27 -0800 (PST) Received: from anchorsteam ([38.251.136.100]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA10586 for ; Fri, 1 Mar 1996 06:27:20 -0800 (PST) Received: from samadams.unifiedtech.com by anchorsteam (5.x/SMI-SVR4) id AA16179; Fri, 1 Mar 1996 09:21:51 -0500 Received: by samadams.unifiedtech.com (SMI-8.6/SMI-SVR4) id JAA03140; Fri, 1 Mar 1996 09:27:19 -0500 Date: Fri, 1 Mar 1996 09:27:19 -0500 From: Mike.Jones@unifiedtech.com (Mike Jones) Message-Id: <199603011427.JAA03140@samadams.unifiedtech.com> To: firewalls@GreatCircle.com, frankw@in.net Subject: RE: VPN's over the internet X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Frank Willoughby writes... > A note or two of interest about VPN's over the Internet: > o Many (most?) firewalls when performing firewall->firewall encryption > are only providing an IP encryption tunnel through the firewalls. > It is important to note that *NO* applications filtering is performed. > While this may offer protection from a MITM (Man-In-The-Middle) attack > (Internet, etc), it offers *NO* protection from the other entity's > network. A problem on their network is a problem on your network. This is a *very good* point. I was talking to a customer recently who manufactures snowmobile equipment and works with the likes of Polaris, Arctic Cat, etc., and who would like to exchange some pretty sensitive (trade secret) information with them over the Internet. They initially wanted me to come in and talk about VPN's and FW-FW encryption, but after I brought this point up to them they suddenly realized that end-to-end encryption with something like PGP is better for some applications. > o It is usually beneficial to firewall VPN connections to localize > contamination in the event one of the VPN entities is breached. Frank, could you elaborate just a bit on what you mean by "localize contamination"? Mike Jones | mike.jones@unifiedtech.com You throw me your best stuff. I'll see if I can hit it. That's big league baseball. - Bob Horner From firewalls-owner Fri Mar 1 08:24:44 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA13127 for firewalls-outgoing; Fri, 1 Mar 1996 07:07:38 -0800 (PST) Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA13122 for ; Fri, 1 Mar 1996 07:07:34 -0800 (PST) Received: from pm1-24.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA03447; Fri, 1 Mar 96 10:03:58 -0500 Date: Fri, 1 Mar 96 10:03:58 -0500 Message-Id: <9603011503.AA03447@su1.in.net> X-Sender: frankw@in.net X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@GreatCircle.com From: Frank Willoughby Subject: RE: VPN's over the internet Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Verily, at 09:27 AM 3/1/96 -0500, Mike Jones did write: >Frank Willoughby writes... >> A note or two of interest about VPN's over the Internet: >> o Many (most?) firewalls when performing firewall->firewall encryption >> are only providing an IP encryption tunnel through the firewalls. >> It is important to note that *NO* applications filtering is performed. >> While this may offer protection from a MITM (Man-In-The-Middle) attack >> (Internet, etc), it offers *NO* protection from the other entity's >> network. A problem on their network is a problem on your network. > >This is a *very good* point. I was talking to a customer recently who >manufactures snowmobile equipment and works with the likes of Polaris, >Arctic Cat, etc., and who would like to exchange some pretty sensitive >(trade secret) information with them over the Internet. They initially >wanted me to come in and talk about VPN's and FW-FW encryption, but >after I brought this point up to them they suddenly realized that >end-to-end encryption with something like PGP is better for some >applications. > >> o It is usually beneficial to firewall VPN connections to localize >> contamination in the event one of the VPN entities is breached. > >Frank, could you elaborate just a bit on what you mean by "localize >contamination"? Sure. Here's two instances. SCENARIO 1 Suppose a hacker was able to break into the other network and you only have FW->FW encryption. After the hacker has shut down security logging & auditing and created a couple of new accounts, the individual will start looking for other systems to crack. Since your network is an extension of the other network (via the VPN), your network is a likely target. Since the firewall in this case only supports encrypted tunneling, the pipe (link) between the two firewalls is completely transparent to the hacker and provides absolutely no protection against the hacker from setting up shop on your network. If the firewall did support filtering _in_addition_to_ encrypting the link between the two firewalls, the hacker will have a much more difficult time in crossing from the compromised network to your network. SCENARIO 2 Someone on the other network happened to accidently upload a Worm. While the other entity's personnel are frantically running around trying to prevent the spread of the Worm and trying to reboot the systems so they can be cleaned up, the Worm is happily hopping from system to system. It happens to notice that there a system on your network is reachable & decides to commence attacking your systems. Nothing stops the Worm from getting to your network since the firewall is only using an encrypted tunnel from firewall to firewall. Of course, if the firewall were to provide applications filtering correctly, the damage would be contained to the contaminated network. Note that both scenarios above assume that you don't trust anyone on the other network & the firewalls are Applications Gateways, and they are correctly configured. There are at least two solutions to resolving the above-mentioned vulnerabilities: o Purchase a firewall which supports Firewall->Firewall encryption AND will also provide applications filtering (via proxy, etc) of the encrypted links. o Place a hardware encryption box between the firewall and the VPN access point as illustrated the (crude) diagram below. your network->FW->HEB->public net->HEB->FW->their network FW=Firewall HEB=Hardware Encryption Box (obviously, it also decrypts) > > Mike Jones | mike.jones@unifiedtech.com > >You throw me your best stuff. I'll see if I can hit it. That's big >league baseball. > - Bob Horner Best Regards, Frank The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc. Fortified Networks Inc. - Management & Information Security Consulting Phone: (317) 573-0800 - http://www.fortified.com/fortified Home of the Free Internet Firewall Evaluation Checklist From firewalls-owner Fri Mar 1 09:03:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA11499 for firewalls-outgoing; Fri, 1 Mar 1996 06:41:17 -0800 (PST) Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA11486 for ; Fri, 1 Mar 1996 06:41:12 -0800 (PST) Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.12/8.6.9) id IAA07927; Fri, 1 Mar 1996 08:39:12 -0600 Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma007901; Fri Mar 1 08:39:00 1996 Received: from ignatz (ignatz.bridge.com) by ignatz.bridge.com with SMTP id AA16061 (5.67b/IDA-1.5); Fri, 1 Mar 1996 08:46:12 -0600 Date: Fri, 1 Mar 1996 08:46:12 -0600 (CST) From: Ken Hardy X-Sender: ken@ignatz To: Reef Shafer Cc: firewalls@GreatCircle.COM Subject: Re: What port does NT use for logins? In-Reply-To: Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk SMB documentation is available under ftp://nimbus.anu.edu.au/pub/tridge. Don't know if it has what you're after. - KH From firewalls-owner Fri Mar 1 09:45:09 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA16504 for firewalls-outgoing; Fri, 1 Mar 1996 07:59:50 -0800 (PST) Received: from internet.agf.fr (firewall.agf.fr [194.98.34.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA16490 for ; Fri, 1 Mar 1996 07:59:38 -0800 (PST) Received: by internet.agf.fr; id RAA18818; Fri, 1 Mar 1996 17:09:43 +0100 Received: from frkj58.agf.fr(128.193.17.150) by firewall.agf.fr via smap (g3.0.3) id xma018808; Fri, 1 Mar 96 17:09:34 +0100 Received: from frki78.agf.fr ([128.193.4.163]) by agf.fr (5.x/SMI-SVR4-memo-941118) id AA17377; Fri, 1 Mar 1996 16:52:39 +0100 Date: Fri, 1 Mar 1996 16:52:39 +0100 Message-Id: <9603011552.AA17377@agf.fr> X-Sender: rapoport@internet X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Firewalls@GreatCircle.COM From: Marc Rapoport Subject: Support of already used IP adresses:Chapter 2 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk First of all, Thanks a lot for all the answers i received so quickly (Daryl, James, Joshua, Steven, Brendan & all the others not quoted here). I will try to make a global answer & give some more information. - For those who suggest to use 10.0.0.0 from RFC 1597 : As I knew this RFC, i agree with you, but when we chose our adressing plan, this wasn't really published. With the recent growth of our private IP network, it would represent a really hard task to renumber the entire newtwork. It won't be a problem anymore when we will use DHCP and WINS everywhere :) . - For those who suggest some adress based translators (NSC, ...): As you mentioned, they are not able to manage the IP adresses that are not in the IP header but in the data part, can some of you make comments about that (which protocols are problematic, ..) ? - For those who suggest to use proxy based firewalls (Borderware, ANS, ...), we already use one, it is a TIS based firewall (just guess which one :) ). What i want to add is that the problem doesn't come from the use of a filter packet based or proxy based firewall. It comes from the implementation of the standard IP layer, which is used in all firewalls products (as far as i know). The firewalls use the IP layer included in the UNIX OS, even if modified in some way (no IP forward, no IP redirect ...). BUT, for this IP routing layer, an IP adress can only exist on ONE interface. Example : You define a IP subnet "S" on your Intranet that already exist on the Internet. A station from S on the Internet want to connect to your firewall. If the IP layer of the firewall sees a packet with the S IP adress coming from the external Ethernet adapter, then it will decide it is some kind of IP spoofing attack, and reject it. One solution to this proble could be that the IP layer is able to manage couples (IP adress A , adapter 1) and (IP adress A, adapter 2), instead of IP adress A -> adapter . The A adress from adapter 1 could be considered as trusted and the one from adapter 2 untrusted. I know this not a "politically correct" routing mecanism, but a firewall is not supposed to be a standard IP host. Now, a station from S on the Intranet wants to connect to a server which is also in the S subnet on the Internet. The packet arrives OK to the internal adapter and the proxy application, but when it goes again from the proxy, the IP layer routes it back to the Intranet instead of the Internet. Why not suppose that if a packet comes from the Intranet (internal adapter) , then it means that it wants to "go out" (external adapter)? What's the use of making a round trip from Intranet to Intranet? You may think that the probability of such a case if very small, but our problem is we don't use just one S net, but S1, S2, S3,.. nets. The more our network expands, the more B class we use from the Internet that become unreachable (once defined as trusted in the firewall, it can no longer appear on the Internet side). With this information, can you still confirm me that there are (and which ones ?) firewall products able to handle that problem ? Thanks for your patience! Marc. For those who didn't read Chapter 1, here is my question : >Hi, our private Intranet adressing plan is using several class B that are already >allocated on the Internet, as our Intranet was created long before we planned to interconnect >with the Internet. >We use a single firewall which masks our private adresses, but we are not able to reach > the public portion of the Internet that uses the same IP adresses. >The only solution i know to handle that problem is to use 2 firewalls serialized >with a pseudo network between the Intranet and the Internet. >Does anybody knows a product able to solve this problem with only one firewall ? >Thanks in advance. > ========================================================================= || Marc Rapoport : rapoport@iway.fr || || AGF.SI Tour Franklin - La Defense 8 || || 92042 PARIS LA DEFENSE CEDEX || || Tel : 49.03.31.77 Fax : 47.67.07.90 || ========================================================================= From firewalls-owner Fri Mar 1 09:48:29 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA17831 for firewalls-outgoing; Fri, 1 Mar 1996 08:25:24 -0800 (PST) Received: from commons.cmold.com (commons.baka.com [204.255.183.49]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA17817 for ; Fri, 1 Mar 1996 08:25:09 -0800 (PST) Received: (from Uactech@localhost) by commons.cmold.com (8.6.12/8.6.12) with UUCP id LAA02244 for firewalls@GreatCircle.COM; Fri, 1 Mar 1996 11:50:47 -0500 Received: from ithaca.actech.com (ithaca [198.41.4.11]) by spencer.actech.com (8.7.1/8.7.1) with SMTP id LAA02083 for ; Fri, 1 Mar 1996 11:19:53 -0500 (EST) Received: from ovid by ithaca.actech.com (920330.SGI/SMI-4.0) id AA07479; Fri, 1 Mar 96 11:21:40 -0500 Received: by ovid.actech.com (5.x/SMI-SVR4) id AA01420; Fri, 1 Mar 1996 11:21:37 -0500 Received: from Messages.8.5.N.CUILIB.3.45.SNAP.NOT.LINKED.ovid.sun4.51 via MS.5.6.ovid.sun4_51; Fri, 1 Mar 1996 11:21:37 -0500 (EST) Message-Id: Date: Fri, 1 Mar 1996 11:21:37 -0500 (EST) From: Steve Gaarder To: firewalls@GreatCircle.COM Subject: Re: VPN's over the internet In-Reply-To: <199602291225.HAA14305@dns.ottawa.net> References: <199602291225.HAA14305@dns.ottawa.net> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am in the process of building a VPN using the tcp tunnel feature of ssh. This has the drawbacks of being limited to tcp connections, and requiring that each port be explicitly tunnelled (though this last could also be considered a security feature). On the other hand, the software is free, and, having been developed outside the US, can be used all over the world. Also, it uses public key cryptography, simplifying key management. Steven Gaarder Network and Systems Administrator gaarder@actech.com A C Technology, Ithaca, N.Y., USA From firewalls-owner Fri Mar 1 09:51:03 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA17631 for firewalls-outgoing; Fri, 1 Mar 1996 08:21:13 -0800 (PST) Received: from border.dreamworks.com (dreamworks.com [204.250.57.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA17626 for ; Fri, 1 Mar 1996 08:21:07 -0800 (PST) Received: from border.dreamworks.com (daemon@localhost) by border.dreamworks.com (8.7.2/8.7.2) with ESMTP id IAA11725 for ; Fri, 1 Mar 1996 08:21:10 -0800 (PST) Received: from gateway (gateway.dreamworks.com [10.1.1.2]) by border.dreamworks.com (8.7.2/8.7.2) with SMTP id IAA11719 for ; Fri, 1 Mar 1996 08:21:10 -0800 (PST) Received: from msmail.dreamworks.com by gateway (SMI-8.6/SMI-SVR4) id IAA10512; Fri, 1 Mar 1996 08:21:33 -0800 Received: by msmail.dreamworks.com with Microsoft Mail id <31372418@msmail.dreamworks.com>; Fri, 01 Mar 96 08:21:44 PST From: "Palmer, John" To: Darryl Wagoner , Marc Rapoport Cc: Firewalls Subject: Re: Support of already used IP adresses Date: Fri, 01 Mar 96 08:19:00 PST Message-ID: <31372418@msmail.dreamworks.com> X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Darryl, You may want to check out the RFC 1918, which details the use of private intranets. John ---------- From: Darryl Wagoner To: Marc Rapoport Cc: Firewalls Subject: Re: Support of already used IP adresses Date: Friday, March 01, 1996 8:03AM On Thu, 29 Feb 1996, Marc Rapoport wrote: The correct way to solve this is to use the private class A network address that was reserve for this purpose. I think it is 10.0.0.0. but don't quote me on it. -- Darryl Wagoner darryl@sai.com http://www.sai.com/ Office: 603.672.0736 Fax: 603-672-4846 Web Pages for hire. Check out NH & MA Movies http://www.sai.com/movies From firewalls-owner Fri Mar 1 09:53:01 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA18040 for firewalls-outgoing; Fri, 1 Mar 1996 08:31:14 -0800 (PST) Received: from gatekeeper.ray.com (gatekeeper.ray.com [138.125.162.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA18018 for ; Fri, 1 Mar 1996 08:31:05 -0800 (PST) Received: from localhost (mailer@localhost) by gatekeeper.ray.com (8.6.4/8.6.5) id LAA05571; Fri, 1 Mar 1996 11:29:14 -0500 Received: from eoits1.eo.ray.com by gatekeeper.ray.com; Fri Mar 1 11:28:12 1996 Received: by eo.ray.com (5.0/SMI-SVR4) id AA04707; Fri, 1 Mar 1996 11:28:18 -0500 Date: Fri, 1 Mar 1996 11:28:18 -0500 From: hhantman@eo.ray.com (Howard Hantman) Message-Id: <9603011628.AA04707@eo.ray.com> To: Wally@ecaltd.com, firewalls@GreatCircle.COM Subject: Re: FW: rx but no tx wiring for ethernet Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Unfortunately, cutting that wire will also cause any hub at the other end of the link to lose its "link" detection. This may cause the hub to refuse to transmit any data on that line. You may need to disable link test on the other end, if it supports that option. Howard Hantman Manager, Technology Integration Corporate ITS Raytheon Company > Soembody will probably correct me, but I think the twisted pair standard > says that for 10Mb ethernet, the blue and brown pairs are not used. Of > the orange and green pairs, one is tx, one is rx (thats wires 1&2, 3&6). > I'm not sure which is which, but breaking one of those should make it > receive-only. > > ---------- > From: firewalls-owner[SMTP:firewalls-owner@GreatCircle.COM] > Sent: 29 February 1996 07:26 > To: firewalls > Subject: rx but no tx wiring for ethernet > > I dont know if it can be done with ethernet because of it being a > contention kinda thing but is it posible to make a twisted-pair cable to > only receive? > > I played around with the wiring but could not get it to work. Maybe it > depends on what brand of card? > > Any help in this area is much apreciated. > > --blast > > > > From firewalls-owner Fri Mar 1 09:55:00 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA17719 for firewalls-outgoing; Fri, 1 Mar 1996 08:23:40 -0800 (PST) Received: from inetgate.scitexdpi.com (firewall.sdp.scitex.com [149.115.248.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA17668 for ; Fri, 1 Mar 1996 08:23:21 -0800 (PST) Received: by inetgate.scitexdpi.com id AA03792 (5.67b/IDA-1.5 for ); Fri, 1 Mar 1996 11:19:03 -0500 Received: from mailhub.scitexdpi.com(172.16.9.23) by inetgate via smap (V1.3) id sma003788; Fri Mar 1 11:18:56 1996 Received: from mailhub.scitexdpi.com by mailhub with SMTP id AA04305 (5.67b/IDA-1.5 for ); Fri, 1 Mar 1996 11:18:56 -0500 Received: from sdphq-Message_Server by mailhub.scitexdpi.com with Novell_GroupWise; Fri, 01 Mar 1996 11:18:53 -0500 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Fri, 01 Mar 1996 11:18:11 -0500 From: Bob Allison To: Wally@ecaltd.com, firewalls@GreatCircle.com Subject: FW: rx but no tx wiring for ethernet -Reply Sender: firewalls-owner@GreatCircle.COM Precedence: bulk You need to be careful when breaking the Rx pair, though. The hubs we have don't transmit to a port unless it thinks there is something connected there; it determines that existance by listening for link pulses on the Rx pair. No Rx pair, no link pulses, no traffic... >>> Anthony.W.Youngman 03/01/96 04:57am >>> Soembody will probably correct me, but I think the twisted pair standard says that for 10Mb ethernet, the blue and brown pairs are not used. Of the orange and green pairs, one is tx, one is rx (thats wires 1&2, 3&6). I'm not sure which is which, but breaking one of those should make it receive-only. ---------- From: firewalls-owner[SMTP:firewalls-owner@GreatCircle.COM] Sent: 29 February 1996 07:26 To: firewalls Subject: rx but no tx wiring for ethernet I dont know if it can be done with ethernet because of it being a contention kinda thing but is it posible to make a twisted-pair cable to only receive? I played around with the wiring but could not get it to work. Maybe it depends on what brand of card? Any help in this area is much apreciated. --blast From firewalls-owner Fri Mar 1 10:06:54 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA18411 for firewalls-outgoing; Fri, 1 Mar 1996 08:41:32 -0800 (PST) Received: from hnc.hnc.com (hnc.hnc.com [206.79.10.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA18403 for ; Fri, 1 Mar 1996 08:41:27 -0800 (PST) Received: (from uucp@localhost) by hnc.hnc.com (8.7.1/8.7.1) id IAA08818 for ; Fri, 1 Mar 1996 08:34:02 -0800 (PST) Received: from serval.hnc.com(206.79.54.2) by hnc.hnc.com via smap (V1.3) id sma008807; Fri Mar 1 08:33:39 1996 Received: from spike.hnc.com (spike.hnc.com [191.9.201.52]) by serval.hnc.com (8.7.1/8.7.1) with ESMTP id IAA29727 for ; Fri, 1 Mar 1996 08:46:24 -0800 (PST) Received: from fred.hnc.com (fred.hnc.com [191.9.204.7]) by spike.hnc.com (8.7.1/8.7.1) with SMTP id IAA10211 for ; Fri, 1 Mar 1996 08:41:34 -0800 (PST) Message-Id: <199603011641.IAA10211@spike.hnc.com> Received: from pcdwl.hnc.com by fred.hnc.com with SMTP (1.38.193.4/16.2) id AA10502; Fri, 1 Mar 1996 08:48:12 -0800 X-Sender: dwl@spike X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 01 Mar 1996 08:41:58 -0800 To: firewalls@greatcircle.com From: David Loysen Subject: Re: FW: rx but no tx wiring for ethernet Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 09:57 AM 3/1/96 GMT, you wrote: > >Soembody will probably correct me, but I think the twisted pair standard >says that for 10Mb ethernet, the blue and brown pairs are not used. Of >the orange and green pairs, one is tx, one is rx (thats wires 1&2, 3&6). >I'm not sure which is which, but breaking one of those should make it >receive-only. > >I dont know if it can be done with ethernet because of it being a >contention kinda thing but is it posible to make a twisted-pair cable to >only receive? > >I played around with the wiring but could not get it to work. Maybe it >depends on what brand of card? > This is (I think) right. But I'll bet there isn't a standard ethernet driver around that would work in this configuration. Dosen't mean you couldn't find or write one. Just curious, why do you want to do this????? ===================================== It's warm and sunny here in southern california, just like it always is. What's it like where you are? From firewalls-owner Fri Mar 1 10:15:51 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA18856 for firewalls-outgoing; Fri, 1 Mar 1996 08:48:26 -0800 (PST) Received: from webspan.com (home.webspan.com [204.221.12.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA18846 for ; Fri, 1 Mar 1996 08:48:11 -0800 (PST) Received: (from jgc@localhost) by webspan.com (8.7.1/8.6.9) id KAA17302 for firewalls@GreatCircle.COM; Fri, 1 Mar 1996 10:46:06 -0600 (CST) From: Jerry Champlin Message-Id: <199603011646.KAA17302@webspan.com> Subject: ethernet details (rx and tx) To: firewalls@GreatCircle.COM Date: Fri, 1 Mar 1996 10:46:05 -0600 (CST) X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This should hopefully answer most of the question about ethernet wiring excerpt from: Linux Ethernet-Howto Paul Gortmaker, Editor. v2.4, 27 May 1995 If you are only connecting two machines, it is possible to avoid using a hub, by swapping the Rx and Tx pairs (1-2 and 3-6). If you hold the RJ-45 connector facing you (as if you were going to plug it into your mouth) with the lock tab on the top, then the pins are numbered 1 to 8 from left to right. The pin usage is as follows: Pin Number Assignment ---------- ---------- 1 Output Data (+) 2 Output Data (-) 3 Input Data (+) 4 Reserved for Telephone use 5 Reserved for Telephone use 6 Input Data (-) 7 Reserved for Telephone use 8 Reserved for Telephone use >From my limited understanding, if you remove pin 3 and your software will cope with no incoming data, you will solve the problem. I think you will still need pin 6 to make the card happy. Hope this helps -Jerry *************************************************************************** //Keep it simple; as simple as posible, but no simpler.// --A. Einstein Jerry Champlin jgc@home.webspan.com URL: http://128.101.165.26/~jerry home: 612-623-4699 work: 612-333-5465 *************************************************************************** From firewalls-owner Fri Mar 1 10:27:55 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA18851 for firewalls-outgoing; Fri, 1 Mar 1996 08:48:19 -0800 (PST) Received: from inet1.tek.com (inet1.tek.com [134.62.48.21]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA18845 for ; Fri, 1 Mar 1996 08:48:11 -0800 (PST) Received: by inet1.tek.com id ; Fri, 1 Mar 1996 08:46:32 -0800 Received: from tektronix.tek.com(134.62.48.24) by inet1 via smap (V1.3) id sma023956; Fri Mar 1 08:46:27 1996 Received: from orca.wv.tek.com by tektronix.TEK.COM (4.1/8.2) id AA05655; Fri, 1 Mar 96 08:46:13 PST Received: from trouble.WV.TEK.COM by orca.wv.tek.com (4.1/8.2) id AA23608; Fri, 1 Mar 96 06:42:06 PST Received: by trouble.WV.TEK.COM (4.1/8.0) id AA01427; Fri, 1 Mar 96 06:38:33 PST Date: Fri, 1 Mar 1996 06:38:30 -0800 (PST) From: Kent Dahlgren To: "Joseph L. Moll" Cc: firewalls@greatcircle.COM Subject: Re: Sniffer for Windows NT. In-Reply-To: <2.2.32.19960228143928.006cd7d8@mail.acquion.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 28 Feb 1996, Joseph L. Moll wrote: > Windows NT Server with SMS installed includes a really nice Network Monitor. > I have not been able to find out if it is available without the purchase of > SMS. If someone gets a hold of the right person at Microsoft, please let me > know where I can buy my copy :) We just had to order a copy. Its my understanding that you have to buy SMS to get the monitor, but I found out something else I have to get. Apparently I have to get SQLServer too, because the network monitor uses it for some reason. But I don't know why, and I haven't taken the time to read up on it. Sorry if that's really weak, but that's what I know. "Any ideas expressed here may not reflect those of my employers" ______________________________________________________________________________ ______ T E K T R O N I X _ C P I D _ T E C H N I C A L _ S U P P O R T _______ / Voice: 1.800.835.6100 E-mail: support@colorprinters.tek.com Fax: 1.503.685.3063 WWW: www.tek.com BBS: 1.503.685.4504 E-World: Keyword Tektronix HAL: 1.503.682.7450 AOL: Keyword Tektronix Service: 1.800.835.6100 FTP: ftp.tek.com ______________________________________________________________________________ From firewalls-owner Fri Mar 1 10:43:45 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA18737 for firewalls-outgoing; Fri, 1 Mar 1996 08:46:32 -0800 (PST) Received: from border.dreamworks.com (dreamworks.com [204.250.57.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA18727 for ; Fri, 1 Mar 1996 08:46:27 -0800 (PST) Received: from border.dreamworks.com (daemon@localhost) by border.dreamworks.com (8.7.2/8.7.2) with ESMTP id IAA15845 for ; Fri, 1 Mar 1996 08:46:38 -0800 (PST) Received: from gateway (gateway.dreamworks.com [10.1.1.2]) by border.dreamworks.com (8.7.2/8.7.2) with SMTP id IAA15839 for ; Fri, 1 Mar 1996 08:46:37 -0800 (PST) Received: from msmail.dreamworks.com by gateway (SMI-8.6/SMI-SVR4) id IAA10746; Fri, 1 Mar 1996 08:47:00 -0800 Received: by msmail.dreamworks.com with Microsoft Mail id <31372A10@msmail.dreamworks.com>; Fri, 01 Mar 96 08:47:12 PST From: "Palmer, John" To: Alex Chircop , firewalls Subject: RE: Support of already used IP addresses Date: Fri, 01 Mar 96 08:45:00 PST Message-ID: <31372A10@msmail.dreamworks.com> X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Alex, The local routing tables would misdirect the packets. The local RIPs would show that network X is on a local interface and would not have any way to distinguish the difference between the a packet intended for the Internet and one intended for the local intranet. This is not a firewall issue, but a basic routing/network design issue. John Senior Network Planner DreamWorks SKG ---------- From: Alex Chircop To: firewalls Subject: RE: Support of already used IP addresses Date: Friday, March 01, 1996 12:01PM You can try something like this: ------ R O U T E R ------- F I R E W A L L ------ | ---- I N T E R N E = T ------------ Your intranet Priv addr network | such as 172.16.0.0 | or 10.0.0.0 Proxy Server with register= ed address and configure all your clients to use the proxy server. That way the c= lients will be able to access all addresses, but are limited to the facilities avai= lable on the proxy server. If you use the CERN HTTPD you will have access to go= pher, ftp and http together with https if you install the SSL patch. Hope this helps ... could others please comment on this design ? Regards, Alex Chircop - Admin alex.j.chircop@magnet.mt / postmaster@magnet.mt Management Systems Unit Ltd. Malta - Europe ************************************************** *** Check out http://www.magnet.mt/ ************ ************************************************** >From: Marc Rapoport >Date: Thu, 29 Feb 1996 16:29:49 +0100 >Subject: Support of already used IP adresses >Hi, our private Intranet adressing plan is using several class B that = are >already >allocated on the Internet, as our Intranet was created long before we >planned to interconnect >with the Internet. >We use a single firewall which masks our private adresses, but we are = not >able to reach > the public portion of the Internet that uses the same IP adresses. >The only solution i know to handle that problem is to use 2 firewalls >serialized=20 >with a pseudo network between the Intranet and the Internet. >Does anybody knows a product able to solve this problem with only one = firewall ? >Thanks in advance. >=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D >=F6=F6 Marc Rapoport : rapoport@iway.fr = =F6=F6 >=F6=F6 AGF.SI Tour Franklin - La Defense 8 = =F6=F6 >=F6=F6 92042 PARIS LA DEFENSE CEDEX = =F6=F6 >=F6=F6 Tel : 49.03.31.77 Fax : 47.67.07.90 = =F6=F6 >=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D From firewalls-owner Fri Mar 1 11:04:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA21161 for firewalls-outgoing; Fri, 1 Mar 1996 09:15:08 -0800 (PST) Received: from dub-img-2.compuserve.com (dub-img-2.compuserve.com [198.4.9.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA21140 for ; Fri, 1 Mar 1996 09:14:57 -0800 (PST) Received: by dub-img-2.compuserve.com (8.6.10/5.950515) id MAA02487; Fri, 1 Mar 1996 12:12:47 -0500 Date: 01 Mar 96 12:10:18 EST From: "Paul Chang @ GMI" <73512.2643@compuserve.com> To: Anyone Subject: Firewalls Message-ID: <960301171018_73512.2643_EHT28-1@CompuServe.COM> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I found your name in Winnt forum and would like to get info on firewalls for NT server. TIA Paul GMI 3/1/96 From firewalls-owner Fri Mar 1 11:06:12 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA24957 for firewalls-outgoing; Fri, 1 Mar 1996 10:26:54 -0800 (PST) Received: from hp01.vak12ed.edu (hp01.vak12ed.edu [141.104.150.251]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA24951 for ; Fri, 1 Mar 1996 10:26:44 -0800 (PST) Message-Id: <199603011826.KAA24951@miles.greatcircle.com> Received: by hp01.vak12ed.edu (1.38.193.5/16.2) id AA12558; Fri, 1 Mar 1996 13:24:34 -0500 From: "W.C. Epperson" Subject: filtering RPC ports To: firewalls@greatcircle.com Date: Fri, 01 Mar 1996 13:24:33 EST X-Mailer: Elm [revision: 109.16] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Recently there was a thread here in which it was noted that filtering portmap (111) traffic merely made it more difficult to find the RPC service ports, that if they could be guessed, they could be gotten to. What approaches, from a filtering perspective, might be employed to block these ports, since they appear to be arbitrarily and dynamically assigned (from observation and from reading the rfcs)? -- W.C. Epperson "I have great faith in fools. Senior SE Self-confidence, my friends call it." Information Security Officer --Edgar Allan Poe-- DBA Emeritus Curmudgeon-for-Life Virginia Dept. of Education epperson@pen.k12.va.us From firewalls-owner Fri Mar 1 11:09:45 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA21447 for firewalls-outgoing; Fri, 1 Mar 1996 09:20:08 -0800 (PST) Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA21427 for ; Fri, 1 Mar 1996 09:19:57 -0800 (PST) Received: from [168.143.1.215] (hcb-ppp.clark.net [168.143.1.215]) by mail.Clark.Net (8.7.3/8.6.5) with SMTP id MAA13311 for ; Fri, 1 Mar 1996 12:17:40 -0500 (EST) Date: Fri, 1 Mar 1996 12:17:40 -0500 (EST) X-Sender: hcb@mail.clark.net Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: hcb@clark.net (Howard C. Berkowitz) Subject: OSPF and firewalls (general) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Several people commented on an earlier OSPF through Firewall-1 query that it may be worthwhile to examine the underlying routing structure. I concur; I'm curious about the original reason to firewall OSPF at all. As a primarily routing person, I generally think it's a bad idea, inconsistent with the architecture of OSPF. There are several considerations here. First, OSPF differs from most protocols one would firewall, as it uses no transport layer protocol. OSPF packets run directly over IP (the protocol identifier is 86 or 89; I'm feeling vertically dyslectic about that last digit). They will either be multicast to 224.0.0.5 and 224.0.0.6, or unicast to specific OSPF speaking routers. OSPF is definitely intended as an interior routing protocol to be run under common administration. Routers in the same area MUST see all updates from all other routers in that area, or the topological databases/sequencing gets out of synchronization and routing can collapse. MD5 authentication for OSPF routing updates recently was standardized, and is starting to appear in router implementations (e.g., Cisco 11.0). This may be a better approach for security than trying to firewall, but I still question putting OSPF at all on the outside. I believe it much more appropriate, from a routing architecture standpoint, to treat the outside as external to OSPF. Howard From firewalls-owner Fri Mar 1 11:11:39 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA24480 for firewalls-outgoing; Fri, 1 Mar 1996 10:14:04 -0800 (PST) Received: from ford.gbnet.org (ford.gbnet.org [192.188.96.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA24475 for ; Fri, 1 Mar 1996 10:13:57 -0800 (PST) Received: (from steve@localhost) by ford.gbnet.org (8.7.1/8.6.12) id SAA12276; Fri, 1 Mar 1996 18:07:29 GMT From: Steve Kennedy Message-Id: <199603011807.SAA12276@ford.gbnet.org> Subject: Re: VPN's over the internet To: Mike.Jones@unifiedtech.com (Mike Jones) Date: Fri, 1 Mar 1996 18:07:29 +0000 (GMT) Cc: firewalls@GreatCircle.COM, frankw@in.net In-Reply-To: <199603011427.JAA03140@samadams.unifiedtech.com> from "Mike Jones" at Mar 1, 96 09:27:19 am X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk According to Mike Jones > Frank Willoughby writes... > > A note or two of interest about VPN's over the Internet: > > o Many (most?) firewalls when performing firewall->firewall encryption > > are only providing an IP encryption tunnel through the firewalls. > > It is important to note that *NO* applications filtering is performed. > > While this may offer protection from a MITM (Man-In-The-Middle) attack > > (Internet, etc), it offers *NO* protection from the other entity's > > network. A problem on their network is a problem on your network. > This is a *very good* point. I was talking to a customer recently who > manufactures snowmobile equipment and works with the likes of Polaris, > Arctic Cat, etc., and who would like to exchange some pretty sensitive > (trade secret) information with them over the Internet. They initially > wanted me to come in and talk about VPN's and FW-FW encryption, but > after I brought this point up to them they suddenly realized that > end-to-end encryption with something like PGP is better for some > applications. Have a look at the KarlBridge/KarlBrouter, this can do encrypted VPNs (using proprietary software encryptin currently, DES on its way). This will perform any filering BEFORE the tunnelling. have a look at http://www.karlnet.com/ in the US http://www.gbnet.net/kbridge/ in UK/Europe Regards Steve -- home steve@gbnet.org * Flat 2, 43 Howitt Road, Belsize Pk, London NW3 4LU work steve@demon.net * tel +44-(0)171 483 1169 FAX +44-(0)181 444 6103 www http://www.gbnet.net/ * bits steve@gbnet.net * Orange mobile +44-(0)973 600050 Euro firewall info - send mail to majordomo@gbnet.net (subscribe firewalls-uk) From firewalls-owner Fri Mar 1 11:13:27 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA23688 for firewalls-outgoing; Fri, 1 Mar 1996 10:01:14 -0800 (PST) Received: from webspan.com (home.webspan.com [204.221.12.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA23651 for ; Fri, 1 Mar 1996 10:00:57 -0800 (PST) Received: (from jgc@localhost) by webspan.com (8.7.1/8.6.9) id LAA18278 for firewalls@GreatCircle.COM; Fri, 1 Mar 1996 11:58:58 -0600 (CST) From: Jerry Champlin Message-Id: <199603011758.LAA18278@webspan.com> Subject: Re: FW: rx but no tx wiring for ethernet To: firewalls@GreatCircle.COM Date: Fri, 1 Mar 1996 11:58:52 -0600 (CST) In-Reply-To: <3136CAA8@london.ecaltd.com> from "Anthony.W.Youngman" at Mar 1, 96 09:57:00 am X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Anthony.W.Youngman stated: > > > Soembody will probably correct me, but I think the twisted pair standard > says that for 10Mb ethernet, the blue and brown pairs are not used. Of > the orange and green pairs, one is tx, one is rx (thats wires 1&2, 3&6). > I'm not sure which is which, but breaking one of those should make it > receive-only. Excerpt from: Linux Ethernet-Howto Paul Gortmaker, Editor. v2.4, 27 May 1995 If you are only connecting two machines, it is possible to avoid using a hub, by swapping the Rx and Tx pairs (1-2 and 3-6). If you hold the RJ-45 connector facing you (as if you were going to plug it into your mouth) with the lock tab on the top, then the pins are numbered 1 to 8 from left to right. The pin usage is as follows: Pin Number Assignment ---------- ---------- 1 Output Data (+) 2 Output Data (-) 3 Input Data (+) 4 Reserved for Telephone use 5 Reserved for Telephone use 6 Input Data (-) 7 Reserved for Telephone use 8 Reserved for Telephone use I think you are right about cutting the Input Data (+) wire, although you need to be certain that your hub is still talking to the input data (-) wire. Hope this helps -Jerry *************************************************************************** //Keep it simple; as simple as posible, but no simpler.// --A. Einstein Jerry Champlin jgc@home.webspan.com URL: http://128.101.165.26/~jerry home: 612-623-4699 work: 612-333-5465 *************************************************************************** From firewalls-owner Fri Mar 1 12:06:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA28289 for firewalls-outgoing; Fri, 1 Mar 1996 11:25:24 -0800 (PST) Received: from ns.nexial.nl (ns.nexial.nl [193.78.27.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA28275 for ; Fri, 1 Mar 1996 11:25:15 -0800 (PST) Received: (from kim@localhost) by ns.nexial.nl (8.6.12/8.6.10) id UAA16885 for firewalls@greatcircle.com; Fri, 1 Mar 1996 20:22:15 +0100 From: Kim Hendrikse Message-Id: <199603011922.UAA16885@ns.nexial.nl> Subject: Searching this list To: firewalls@greatcircle.com Date: Fri, 1 Mar 1996 20:22:15 +0100 (MET) X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk For the benefit of newcomers to this list or those of you unaware of this service, we provide a "fuzzy" search interface to the firewalls mailing list This provides fault tolerant searching along with useful feedback and the ability to constraint the search to relevant time periods. This index also includes the CERT advisories, BOS mailing list and the 8 little green men advisories. The URL is: http://www.nexial.nl/cgi-bin/firewalls with other mailing lists and databases available off http://www.nexial.nl/search.html We hope you find this service useful. - Cheers Kim Hendrikse _____________________________________________________________________________ / \ |Nexial Systems E-mail: kim@nexial.nl | | Ph: +31 475 551643 | | Fax: +31 475 551552 | |St. Annastraat 4 | |6109 RH | |Ohe en Laak | |The Netherlands | | | |http://www.nexial.nl | \_____________________________________________________________________________/ From firewalls-owner Fri Mar 1 16:45:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA01217 for firewalls-outgoing; Fri, 1 Mar 1996 13:19:24 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA00678 for ; Fri, 1 Mar 1996 13:17:59 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id MAA24757; Fri, 1 Mar 1996 12:46:03 -0800 Received: from uuneo.neosoft.com(206.109.1.3) by mycroft via smap (V1.3mjr) id sma024750; Fri Mar 1 12:45:37 1996 Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.7.4/8.7.4) with UUCP id OAA27668 for GreatCircle.COM!firewalls; Fri, 1 Mar 1996 14:19:21 -0600 (CST) Received: by ris1.nmti.com (smail2.5) id AA00443; 1 Mar 96 13:48:36 CST (Fri) Received: by sonic.nmti.com; id AA26527; Fri, 1 Mar 1996 13:17:29 -0600 From: peter@nmti.com (Peter da Silva) Message-Id: <9603011917.AA26527@sonic.nmti.com.nmti.com> Subject: Re: VPN's over the internet To: Mike.Jones@unifiedtech.com (Mike Jones) Date: Fri, 1 Mar 1996 13:17:29 -0600 (CST) Cc: firewalls@GreatCircle.COM, frankw@in.net In-Reply-To: <199603011427.JAA03140@samadams.unifiedtech.com> from "Mike Jones" at Mar 1, 96 09:27:19 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > o It is usually beneficial to firewall VPN connections to localize > > contamination in the event one of the VPN entities is breached. > Frank, could you elaborate just a bit on what you mean by "localize > contamination"? Easy. You don't have to just firewall off the internet. You can firewall off the VPN. From firewalls-owner Fri Mar 1 16:48:57 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA01218 for firewalls-outgoing; Fri, 1 Mar 1996 13:19:27 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA00771 for ; Fri, 1 Mar 1996 13:18:11 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id MAA24755; Fri, 1 Mar 1996 12:46:02 -0800 Received: from lint.cisco.com(171.68.235.77) by mycroft via smap (V1.3mjr) id sma024748; Fri Mar 1 12:45:27 1996 Received: from pferguso-pc.cisco.com (c2robo8.cisco.com [171.68.13.40]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id MAA19694; Fri, 1 Mar 1996 12:45:58 -0800 Message-Id: <199603012045.MAA19694@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 01 Mar 1996 15:46:46 -0500 To: Marc Rapoport From: Paul Ferguson Subject: Re: Support of already used IP adresses Cc: Firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 04:29 PM 2/29/96 +0100, Marc Rapoport wrote: >Hi, our private Intranet adressing plan is using several class B that are >already >allocated on the Internet, as our Intranet was created long before we >planned to interconnect >with the Internet. >We use a single firewall which masks our private adresses, but we are not >able to reach > the public portion of the Internet that uses the same IP adresses. >The only solution i know to handle that problem is to use 2 firewalls >serialized >with a pseudo network between the Intranet and the Internet. >Does anybody knows a product able to solve this problem with only one firewall ? >Thanks in advance. > Yes -- take a look at Network Translation's PIX (Private Internet Exchange). http://www.translation.com - paul > > >========================================================================= >|| Marc Rapoport : rapoport@iway.fr || >|| AGF.SI Tour Franklin - La Defense 8 || >|| 92042 PARIS LA DEFENSE CEDEX || >|| Tel : 49.03.31.77 Fax : 47.67.07.90 || >========================================================================= > -- Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:.. e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Fri Mar 1 17:03:37 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA00748 for firewalls-outgoing; Fri, 1 Mar 1996 12:13:52 -0800 (PST) Received: from anchorsteam ([38.251.136.100]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA00741 for ; Fri, 1 Mar 1996 12:13:46 -0800 (PST) Received: from samadams.unifiedtech.com by anchorsteam (5.x/SMI-SVR4) id AA16687; Fri, 1 Mar 1996 15:07:58 -0500 Received: by samadams.unifiedtech.com (SMI-8.6/SMI-SVR4) id PAA03461; Fri, 1 Mar 1996 15:13:25 -0500 Date: Fri, 1 Mar 1996 15:13:25 -0500 From: Mike.Jones@unifiedtech.com (Mike Jones) Message-Id: <199603012013.PAA03461@samadams.unifiedtech.com> To: Mike.Jones@unifiedtech.com, steve@gbnet.org Subject: Re: VPN's over the internet Cc: firewalls@GreatCircle.COM, frankw@in.net X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Steve Kennedy writes... > According to Mike Jones > > Frank Willoughby writes... > > > A note or two of interest about VPN's over the Internet: > > > o Many (most?) firewalls when performing firewall->firewall encryption > > > are only providing an IP encryption tunnel through the firewalls. > > > It is important to note that *NO* applications filtering is performed. > > > While this may offer protection from a MITM (Man-In-The-Middle) attack > > > (Internet, etc), it offers *NO* protection from the other entity's > > > network. A problem on their network is a problem on your network. > > This is a *very good* point. I was talking to a customer recently who > > manufactures snowmobile equipment and works with the likes of Polaris, > > Arctic Cat, etc., and who would like to exchange some pretty sensitive > > (trade secret) information with them over the Internet. They initially > > wanted me to come in and talk about VPN's and FW-FW encryption, but > > after I brought this point up to them they suddenly realized that > > end-to-end encryption with something like PGP is better for some > > applications. > Have a look at the KarlBridge/KarlBrouter, this can do encrypted VPNs > (using proprietary software encryptin currently, DES on its way). > This will perform any filering BEFORE the tunnelling. Different problem, or I'm misunderstanding some terminology. In the normal case of an encrypted VPN set up by firewalls, if I (fred@bedrock.com) send email to jetson@spacely.com, the mail is unencrypted while traveling on my internal network to the firewall, encrypted between the firewalls, then unencrypted while traveling to its destination on the spacely.com network. If I'm sending something as sensitive as trade secret information, I really want to have user-to-user encryption, as with using PGP on the message before I send it and having the recipient decrypt it just before he reads it. By doing this, I only need to trust the receipient, not everybody who may have root access on his network. -- Mike.Jones@unifiedtech.com I once started reading a book in the middle of an interview. The guy asked me what I was doing. I asked him: If you were in a vehicle moving at the speed of light, and you turned on the headlights, would they do anything? He said he didn't know. I said: well then, I don't want to work for you. - Steven Wright From firewalls-owner Fri Mar 1 18:00:43 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA02794 for firewalls-outgoing; Fri, 1 Mar 1996 14:18:07 -0800 (PST) Received: from mail.nyc.pipeline.com (mail.nyc.pipeline.com [198.80.32.13]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA02789 for ; Fri, 1 Mar 1996 14:18:01 -0800 (PST) Received: from pipe9.nyc.pipeline.com (smcc@pipe9.nyc.pipeline.com [198.80.32.49]) by mail.nyc.pipeline.com (8.7.3/8.7.3) with ESMTP id RAA17246 for ; Fri, 1 Mar 1996 17:16:02 -0500 (EST) Received: (smcc@localhost) by pipe9.nyc.pipeline.com (8.6.10/8.6.9) id RAA07740; Fri, 1 Mar 1996 17:15:59 -0500 Date: Fri, 1 Mar 1996 17:15:59 -0500 Message-Id: <199603012215.RAA07740@pipe9.nyc.pipeline.com> To: firewalls@greatcircle.com Subject: Checkpoint From: smcc@pipeline.com (System Management Consulting Company) X-PipeUser: smcc X-PipeHub: nyc.pipeline.com X-PipeGCOS: (System Management Consulting Company) X-Mailer: The Pipeline v3.4.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Can anyone tell me what checkpoint is doing to secure the o/s and platform. Also you able to configure checkpoint on multible platforms and o/s. Any help would be appreciated. John Hirsch -- System Management Consulting Company New York - New York From firewalls-owner Fri Mar 1 18:20:49 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA05940 for firewalls-outgoing; Fri, 1 Mar 1996 15:19:08 -0800 (PST) Received: from gatekeeper.hsa.com (phony.hsa.com [206.135.12.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA05924 for ; Fri, 1 Mar 1996 15:18:58 -0800 (PST) Received: from gatekeeper.hsa.com (daemon@localhost) by gatekeeper.hsa.com (8.6.12/8.6.12) with ESMTP id OAA12107 for ; Fri, 1 Mar 1996 14:53:11 -0800 Received: from hsa.com ([140.4.3.4]) by gatekeeper.hsa.com (8.6.12/8.6.12) with ESMTP id OAA12103 for ; Fri, 1 Mar 1996 14:53:10 -0800 Received: by hsa.com id PAA20992; Fri, 1 Mar 1996 15:17:15 -0800 Date: Fri, 1 Mar 1996 15:17:25 From: Matt Holdrege Message-Id: <19960301151725matt@matt> To: firewalls@greatcircle.com Subject: IP/IPX firewall X-Mailer: Pronto E-Mail [version 2.0] MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm looking for a firewall that would allow only certain IP and IPX addresses to access a LAN. At least one of the interfaces on the Firewall need to be Token Ring. The other could be Token Ring or Ethernet. Does such a beast exist? If not, is there an authentication tool that will run on AIX that will authenticate IP and IPX logins? TIA, Matt Holdrege matt@hsa.com From firewalls-owner Fri Mar 1 18:23:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA04685 for firewalls-outgoing; Fri, 1 Mar 1996 14:57:01 -0800 (PST) Received: from eagle1.raptor.com (raptor.com [204.7.243.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA04679 for ; Fri, 1 Mar 1996 14:56:52 -0800 (PST) Received: from raptor1.raptor.com ([204.7.242.10]) by eagle1.raptor.com via smtpd (for miles.greatcircle.com [198.102.244.34]) with SMTP; 1 Mar 1996 22:54:07 UT Received: from raptor1.raptor.com (localhost [127.0.0.1]) by raptor1.raptor.com (8.7.3/8.7.3) with ESMTP id RAA10556 for ; Fri, 1 Mar 1996 17:55:08 -0500 (EST) Message-Id: <199603012255.RAA10556@raptor1.raptor.com> To: firewalls-digest@GreatCircle.COM Subject: Re: VPN's over the internet Date: Fri, 01 Mar 1996 17:55:07 -0500 From: Brien Wheeler Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Subject: Re: VPN's over the internet > Date: February 28, 1996 12:55 > > Several Firewall vendors now produce firewalls with firewall-firewall > link encryption. I recently installed Smartwall from V-One (Gauntlet > VAR) and it worked fine. > > Last I heard Raptor, Sun and possibly others had or were working on > encrypted links - a flood is coming. DEC and others make stand alone > encryption boxs to toss on the front of your network. Raptor has been shipping VPN-capable firewalls since its 3.0 release (August '95). These platforms also include secure remote management capabilities. Brien Wheeler Software Engineer Raptor Systems, Inc. From firewalls-owner Fri Mar 1 18:24:41 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA03785 for firewalls-outgoing; Fri, 1 Mar 1996 14:37:09 -0800 (PST) Received: from lint.cisco.com (lint.cisco.com [171.68.235.77]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA03780 for ; Fri, 1 Mar 1996 14:37:05 -0800 (PST) Received: from pferguso-pc.cisco.com (c2robo8.cisco.com [171.68.13.40]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id OAA28626; Fri, 1 Mar 1996 14:33:53 -0800 Message-Id: <199603012233.OAA28626@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 01 Mar 1996 17:34:42 -0500 To: Darryl Wagoner From: Paul Ferguson Subject: Re: Support of already used IP adresses Cc: Marc Rapoport , Firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk 'Address Allocation for Private Internets' is RFC-1918, which has superceded RFC-1597. - paul At 08:03 AM 3/1/96 -0500, Darryl Wagoner wrote: >On Thu, 29 Feb 1996, Marc Rapoport wrote: > >The correct way to solve this is to use the private class A network >address that was reserve for this purpose. I think it is 10.0.0.0. >but don't quote me on it. > >-- >Darryl Wagoner darryl@sai.com http://www.sai.com/ >Office: 603.672.0736 Fax: 603-672-4846 >Web Pages for hire. Check out NH & MA Movies http://www.sai.com/movies > -- Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:.. e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Fri Mar 1 18:30:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA13483 for firewalls-outgoing; Fri, 1 Mar 1996 17:05:33 -0800 (PST) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA13478 for ; Fri, 1 Mar 1996 17:05:27 -0800 (PST) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id UAA03081; Fri, 1 Mar 1996 20:00:23 -0500 Date: Fri, 1 Mar 1996 20:00:20 -0500 (EST) From: Rabid Wombat To: Paul Ferguson cc: "Charles B. Kaplan" , Firewalls@GreatCircle.COM Subject: Re: IP fragments and packet filters In-Reply-To: <199603011235.EAA18924@lint.cisco.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 1 Mar 1996, Paul Ferguson wrote: > The fragmentation and, more importantly, reassembly should happen in this > case transparently long before it reaches your router/firewall/whatever. > > - paul Yes - segment and re-assembly should occur at the edge devices. > > At 10:28 PM 2/29/96 -0500, Charles B. Kaplan wrote: > > >>The only time you're ever likely to see a packet with FO=1 is if a bad guy is > >>knocking at your door. > > > >IE, my east coast LAN wants to connect to my west coast LAN, which will > >involve traversing (substitute your favorate backbone providers) ATM link. > >Therefor my 68byte header + data get dumped into larger (I forget frame size > >at the moment) ATM cell, which could POSSIBLY ?? cause one byte to cross a > >cell boundry, and thuse appear fragmented to the remote site ? > > ATM uses 53 byte cells, 48 bytes of payload, 5 bytes header. Much smaller than your IP packtes. SAR should occur before reaching your firewall, however. - r.w. From firewalls-owner Fri Mar 1 18:47:55 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA22107 for firewalls-outgoing; Fri, 1 Mar 1996 18:40:15 -0800 (PST) Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA22094 for ; Fri, 1 Mar 1996 18:40:05 -0800 (PST) Received: (from michael@localhost) by okjunc.junction.net (8.6.11/8.6.11) id SAA07433; Fri, 1 Mar 1996 18:45:41 -0800 Date: Fri, 1 Mar 1996 18:45:39 -0800 (PST) From: Michael Dillon X-Sender: michael@okjunc.junction.net To: Firewalls@GreatCircle.COM Subject: RFC 1597 and 10/8 addresses In-Reply-To: <9603011552.AA17377@agf.fr> Message-ID: Organization: Memra Software Inc. - Internet consulting MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 1 Mar 1996, Marc Rapoport wrote: > - For those who suggest to use 10.0.0.0 from RFC 1597 : > As I knew this RFC, i agree with you, but when we chose our adressing plan, > this wasn't really published. If you are recommending that people use 10/8 adressing, it would be best to refer them to RFC1918 which just came out this past week and which supercedes 1597. Nothing really new in it, just a bit clearer explanation of private networks and their implications and so on. Michael Dillon Voice: +1-604-546-8022 Memra Software Inc. Fax: +1-604-546-3049 http://www.memra.com E-mail: michael@memra.com From firewalls-owner Fri Mar 1 18:59:52 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA19937 for firewalls-outgoing; Fri, 1 Mar 1996 18:18:24 -0800 (PST) Received: from magneto.acquion.com (magneto.acquion.com [206.154.17.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id SAA19925 for ; Fri, 1 Mar 1996 18:18:18 -0800 (PST) Received: from professorx (dial197.acqic.org [206.154.16.197]) by magneto.acquion.com (post.office MTA v1.9.1 ID# 0-11944) with SMTP id AAA153; Fri, 1 Mar 1996 21:17:57 -0500 Message-Id: <2.2.32.19960302021631.0069c2d4@mail.acquion.com> X-Sender: moll5029@mail.acquion.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 01 Mar 1996 21:16:31 -0500 To: Eric Caron From: "Joseph L. Moll" Subject: NT Access Servers Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello Eric. I have configured a few of these. There are a few things that you have to consider. The NT box will only act as a gateway to your network, i.e. you will have to place the NT box behind firewalls, etc to protect your network. It does, however, support dialback. It supports this very well. To my knowledge, there is no way to filter packets. NT Server 3.51 will host PPP clients only. You can change the authentication protocol to either PAP, CHAP, or CHAP with Microsoft encryption. If your clients are Microsoft (running RASv.2 I think, that's '95 and NT clients), you are best to go with the 3rd option. I have some MAC clients running MAC TCP and they only understand PAP, same with Trumpet Winsock clients (windows 3.1 clients). It's not quite listed this way, as I remember there are 3 options labeled very different from PAP, CHAP, and Microsoft CHAP, but that is the order. I think that PAP is listed as "accept any authentication, even clear text." Don't know why they listed that way. The overhead is no more than other NT user overhead. They actually authenticate against the NT registry. You will have to add an entry in the registry for the user and then give them Dialup Access in the RAS Administration program. It's really that simple. Regards, --- Joseph (Joe) L. Moll mailto:jmoll@acquion.com http://www.acquion.com phone:864-281-4108 fax:864-281-4576 Acquion, Inc. Greenville, SC USA -- Specialists in Electronic Commerce From firewalls-owner Fri Mar 1 19:14:58 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id TAA23787 for firewalls-outgoing; Fri, 1 Mar 1996 19:01:59 -0800 (PST) Received: from uu11.psi.com (uu11.psi.com [38.8.24.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA23742 for ; Fri, 1 Mar 1996 19:01:45 -0800 (PST) Received: from uu1643.UUCP by uu11.psi.com (5.65b/4.0.940727-PSI/PSINet) via UUCP; id AA27287 for ; Fri, 1 Mar 96 21:57:02 -0500 Message-Id: <9603020257.AA27287@uu11.psi.com> Date: 1 Mar 1996 18:40:02 U From: "r bogard" Subject: I'm getting two transmissio To: "firewall guy" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm getting two transmissions Hi -- I just subscribed to the firewall digest & for some reason I'm getting duplicate copies sent with each transmission. My email address is rbogard@accesspr.com -- can you help? Thanks a million! From firewalls-owner Fri Mar 1 19:44:59 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id TAA25853 for firewalls-outgoing; Fri, 1 Mar 1996 19:28:28 -0800 (PST) Received: from lint.cisco.com (lint.cisco.com [171.68.235.77]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA25840 for ; Fri, 1 Mar 1996 19:28:22 -0800 (PST) Received: from pferguso-pc.cisco.com (c2robo8.cisco.com [171.68.13.40]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id TAA21841; Fri, 1 Mar 1996 19:25:57 -0800 Message-Id: <199603020325.TAA21841@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 01 Mar 1996 22:26:45 -0500 To: Matt Holdrege From: Paul Ferguson Subject: Re: IP/IPX firewall Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 03:17 PM 3/1/96, Matt Holdrege wrote: >I'm looking for a firewall that would allow only certain IP and IPX >addresses to access a LAN. At least one of the interfaces on the Firewall >need to be Token Ring. The other could be Token Ring or Ethernet. Does such >a beast exist? > Yes -- its called a router. With filtering capabilities, of course. :-) - paul -- Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:.. e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Fri Mar 1 20:14:58 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id UAA29661 for firewalls-outgoing; Fri, 1 Mar 1996 20:11:46 -0800 (PST) Received: from legend.txdirect.net (legend.txdirect.net [204.57.120.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id UAA29639 for ; Fri, 1 Mar 1996 20:11:39 -0800 (PST) Received: (from boyter@localhost) by legend.txdirect.net (8.7.3/8.7.3) id WAA26957 for Firewalls@GreatCircle.COM; Fri, 1 Mar 1996 22:09:26 -0600 (CST) Date: Fri, 1 Mar 1996 22:09:26 -0600 (CST) From: Brian Boyter Message-Id: <199603020409.WAA26957@legend.txdirect.net> To: Firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Unfortunately, cutting that wire will also cause any hub at the other end of > the link to lose its "link" detection. >> I dont know if it can be done with ethernet because of it being a >> contention kinda thing but is it posible to make a twisted-pair cable to >> only receive? I know this thread was discussing twisted-pair, but we used a pair of ODS-236 fiber-optic modems with only one of the fibers connected to make a one-way hardware ethernet connection.... We tried several brands of fiber modems and only the ODS's worked (the others complained that there was no carrier detect).... Hope this helps.... Brian Boyter CSC-SED USAF Air Intelligence Agency boyter@txdirect.net Subject: rx but no tx wiring for ethernet From firewalls-owner Fri Mar 1 23:01:59 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id WAA13848 for firewalls-outgoing; Fri, 1 Mar 1996 22:45:10 -0800 (PST) Received: from crl.crl.com (crl.com [165.113.1.12]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id WAA13843 for ; Fri, 1 Mar 1996 22:45:06 -0800 (PST) Received: by crl.crl.com id AA28797 (5.65c/IDA-1.5); Fri, 1 Mar 1996 22:35:56 -0800 Date: Fri, 1 Mar 1996 22:35:56 -0800 (PST) From: Tim Keanini To: Howard Hantman Cc: Wally@ecaltd.com, firewalls@GreatCircle.COM Subject: Re: FW: rx but no tx wiring for ethernet In-Reply-To: <9603011628.AA04707@eo.ray.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 1 Mar 1996, Howard Hantman wrote: > Unfortunately, cutting that wire will also cause any hub at the other end of > the link to lose its "link" detection. This may cause the hub to refuse to > transmit any data on that line. You may need to disable link test on the other > end, if it supports that option. This is the sort of answer I was looking for. I thank you all for replying and I am here to say that even with both transmits cut, I still cant get this sniffer unit to sniff. I will check this 'link' detection out. I think that it is a factor. Just to keep triffic to a low, please reply to me and when I get something that accually works, I will post back the summary to the list. If ANYONE has done this, please email me. Thanks for all the help, blast From firewalls-owner Sat Mar 2 00:00:28 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id XAA16687 for firewalls-outgoing; Fri, 1 Mar 1996 23:58:38 -0800 (PST) Received: from fastlane.net (fastlane.net [204.251.16.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id XAA16681 for ; Fri, 1 Mar 1996 23:58:34 -0800 (PST) Received: from dal49.fastlane.net (dal49.fastlane.net [204.251.16.149]) by fastlane.net (8.7.3/8.7.3) with SMTP id CAA10484; Sat, 2 Mar 1996 02:50:56 -0600 (CST) Message-ID: <3137E6D3.3CD3@fastlane.net> Date: Sat, 02 Mar 1996 01:12:35 -0500 From: Howard Barnett Organization: Designs That Compute X-Mailer: Mozilla 2.0 (Win16; I) MIME-Version: 1.0 To: Tim Keanini CC: firewalls@GreatCircle.COM Subject: Re: rx but no tx wiring for ethernet References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Tim Keanini wrote: > > I dont know if it can be done with ethernet because > of it being a contention kinda thing but is it posible to > make a twisted-pair cable to only receive? > > I played around with the wiring but could not get > it to work. Maybe it depends on what brand of card? > > Any help in this area is much apreciated. > > --blastNo This is not posible, Ethernet hubs must hear heartbeat to connect a line. From firewalls-owner Sat Mar 2 06:13:46 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA02865 for firewalls-outgoing; Sat, 2 Mar 1996 05:59:34 -0800 (PST) Received: from gauntlet-1.trusted.com (gauntlet-1.trusted.com [204.254.155.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA02860 for ; Sat, 2 Mar 1996 05:59:30 -0800 (PST) Received: by gauntlet-1.trusted.com; id JAA22988; Sat, 2 Mar 1996 09:05:49 -0500 Received: from vanidor.tis.com(192.94.214.98) by gauntlet-1.trusted.com via smap (V3.1) id xma022985; Sat, 2 Mar 96 09:05:42 -0500 Message-Id: <2.2.16.19960302135730.2aff796c@pop.trusted.com> X-Sender: avolio@pop.trusted.com X-Mailer: Windows Eudora Pro Version 2.2 (16) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sat, 02 Mar 1996 08:57:30 -0500 To: firewalls From: Frederick M Avolio Subject: Re: VPN's over the internet Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The RSA web page -- www.rsa.com -- has a pointer to a table listing results of the S/WAN interoperability tests as they are going on over the Internet. Fred From firewalls-owner Sat Mar 2 09:45:11 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA07674 for firewalls-outgoing; Sat, 2 Mar 1996 09:39:27 -0800 (PST) Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA07669 for ; Sat, 2 Mar 1996 09:39:23 -0800 (PST) Date: Sat, 2 Mar 1996 12:37:49 -0500 (EST) From: "A. Padgett Peterson P.E. Information Security" To: firewalls@greatcircle.com Message-Id: <960302123749.20201e1e@hobbes.orl.mmc.com> Subject: VPNs Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Have a look at the KarlBridge/KarlBrouter, this can do encrypted VPNs >(using proprietary software encryptin currently, DES on its way). >have a look at http://www.karlnet.com/ in the US > http://www.gbnet.net/kbridge/ in UK/Europe Don't endorse products myself but have played with Karbridges before and like the concept. Uses an obsolete 386 PC with dual NICs. Does nothing but route/filter transparently. And since it does not respond to anything on the net (you have to program out-of-channel and reboot to change), is immune to most attacks. Would seem ideal for a situation in which you do not have adequate control of/in the router. Warmly, Padgett From firewalls-owner Sat Mar 2 10:01:33 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA07765 for firewalls-outgoing; Sat, 2 Mar 1996 09:46:03 -0800 (PST) Received: from lint.cisco.com (lint.cisco.com [171.68.235.77]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA07760 for ; Sat, 2 Mar 1996 09:45:59 -0800 (PST) Received: from pferguso-pc.cisco.com (c1robo11.cisco.com [171.68.13.11]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id JAA09092; Sat, 2 Mar 1996 09:43:33 -0800 Message-Id: <199603021743.JAA09092@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sat, 02 Mar 1996 12:44:22 -0500 To: Michael Dillon From: Paul Ferguson Subject: Re: RFC 1597 and 10/8 addresses Cc: Firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 06:45 PM 3/1/96 -0800, Michael Dillon wrote: > >If you are recommending that people use 10/8 adressing, it would be best >to refer them to RFC1918 which just came out this past week and which >supercedes 1597. Nothing really new in it, just a bit clearer explanation >of private networks and their implications and so on. > One new item RFC-1918 does mention is the use of 'application layer gateways', such as NAT devices, to 'hide' the use of private Internet address space. - paul -- Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:.. e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Sat Mar 2 10:15:17 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA07568 for firewalls-outgoing; Sat, 2 Mar 1996 09:31:42 -0800 (PST) Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA07563 for ; Sat, 2 Mar 1996 09:31:38 -0800 (PST) Date: Sat, 2 Mar 1996 12:30:03 -0500 (EST) From: "A. Padgett Peterson P.E. Information Security" To: firewalls@greatcircle.com Message-Id: <960302123003.20201e1e@hobbes.orl.mmc.com> Subject: VPNs and single point failures Sender: firewalls-owner@GreatCircle.COM Precedence: bulk SCENARIO 1 ... >Since >the firewall in this case only supports encrypted tunneling, >the pipe (link) between the two firewalls is completely >transparent to the hacker and provides absolutely no protection >against the hacker from setting up shop on your network. (much more good stuff omitted) The traditional nework worldview is for "internal" and "external" networks with bastions and DMZs being special cases of "external". For some time I have been pushing for a third category that seems necessary for real world considerations: the "limited exposure network" or "LEN". Frank's examples point out this need. Basically for "internal" we need no formal protection except in special cases - can be left up to the users & local admins. External we assume to be populated by hackers/crackers/A6s/ things that go bump and is not to be trusted at all. For companies competing in the modern world, there is a need for secure communications with semi-trusted partners, those we trust with access to certain areas but not with the keys to the wineceller. *Every* program I have delt with in the last year has had similar needs & the only viable option I see is for a LEN. You can divide it up easily: for internal network, information is freely available. Where restriction is needed for a node, a single protection layer is adequate (login/password) with the understanding that covert channel (sniffers) attacks will work. For external networks my rule is "tell me three times". Single fail safe, dual fail safe, takes three different failures to breach security with the hope that I will notice one of the first two before the third occurs (I do not count the minefields except as warning devices). Logically then a LEN will suffice with two, the third being the contractual agreement with the remote site as a condition for connection. Single-fail-safe takes care of the condition Frank refers to and my rule is that such connections use either securely encrypted links (40 bit keys are no stronger than compression) or Telco provided PNS (Protected Network Services). The second stage is router/firewall enforced access only to trusted nodes (i.e. properly administered and I define what "properly" means) on trusted subnets. Using defined protocols. For the interested, there is a way in which NFS can be made "acceptable" - in general there is nothing wrong with the protocol itself, just the other services traditionally available on an NFS machine often conceal vulnerabilities. Thus I feel that one layer of protection is sufficient internally, two for LENs, and three for "the world". It works for me. Warmly, Padgett From firewalls-owner Sat Mar 2 10:30:02 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA08235 for firewalls-outgoing; Sat, 2 Mar 1996 10:06:51 -0800 (PST) Received: from montana.avicom.net (montana.avicom.net [204.212.252.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA08230 for ; Sat, 2 Mar 1996 10:06:46 -0800 (PST) Received: from pc115.avicom.net by montana.avicom.net; (5.65/1.1.8.2/07Nov95-0606PM) id AA24112; Sat, 2 Mar 1996 11:05:29 -0700 Message-Id: <1.5.4b11.32.19960302175950.006734d8@avicom.net> X-Sender: greagj@avicom.net X-Mailer: Windows Eudora Light Version 1.5.4b11 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sat, 02 Mar 1996 10:59:50 -0700 To: firewalls@greatcircle.com From: Greag Johnson Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Usubscribe Firewalls From firewalls-owner Sat Mar 2 11:03:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA08841 for firewalls-outgoing; Sat, 2 Mar 1996 10:25:23 -0800 (PST) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA08834 for ; Sat, 2 Mar 1996 10:25:16 -0800 (PST) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id NAA05440; Sat, 2 Mar 1996 13:20:05 -0500 Date: Sat, 2 Mar 1996 13:19:51 -0500 (EST) From: Rabid Wombat To: Paul Ferguson cc: Matt Holdrege , firewalls@GreatCircle.COM Subject: Re: IP/IPX firewall In-Reply-To: <199603020325.TAA21841@lint.cisco.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 1 Mar 1996, Paul Ferguson wrote: > At 03:17 PM 3/1/96, Matt Holdrege wrote: > > >I'm looking for a firewall that would allow only certain IP and IPX > >addresses to access a LAN. At least one of the interfaces on the Firewall > >need to be Token Ring. The other could be Token Ring or Ethernet. Does such > >a beast exist? > > > > Yes -- its called a router. With filtering capabilities, of course. :-) > > - paul > You can put a token ring interface and an ethernet interface into the platform supporting the firewall, and route between the interfaces, if you need more functionality than a typical router can provide. -.r.w. From firewalls-owner Sat Mar 2 12:00:05 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA12122 for firewalls-outgoing; Sat, 2 Mar 1996 11:47:23 -0800 (PST) Received: from hp01.vak12ed.edu (hp01.vak12ed.edu [141.104.150.251]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA12117 for ; Sat, 2 Mar 1996 11:47:18 -0800 (PST) Message-Id: <199603021947.LAA12117@miles.greatcircle.com> Received: by hp01.vak12ed.edu (1.38.193.5/16.2) id AA00671; Sat, 2 Mar 1996 14:45:07 -0500 From: "W.C. Epperson" Subject: Re: filtering RPC ports To: firewalls@greatcircle.com Date: Sat, 02 Mar 1996 14:45:07 EST In-Reply-To: <199603020322.VAA12390@delta.eecs.nwu.edu>; from "Robert Bonomi" at Mar 1, 96 9:22 pm X-Mailer: Elm [revision: 109.16] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Mail headers suggest Robert Bonomi may have written in response: > + > + Recently there was a thread here in which it was noted that filtering > + portmap (111) traffic merely made it more difficult to find the RPC > + service ports, that if they could be guessed, they could be gotten to. > + > + What approaches, from a filtering perspective, might be employed to > + block these ports, since they appear to be arbitrarily and dynamically > + assigned (from observation and from reading the rfcs)? > > the -simple- one. "everything not specificially authorized is forbidden". > i.e. block _everything_, then open holes for _specific_ things. > > then you just have to make sure that your 'allowed' services come up > *before* 'portmapper client programs' do. this is a simple matter of > making sure things are in the right sequence in the system start-up files. > :) > I should have stated the filtering policy for the particular route: "Everything not specifically forbidden is permitted." Not terribly unusual for some portions of an academic network. -- W.C. Epperson "CAUTION: Objects in floating point Senior SE may not be as close as they appear." Curmudgeon-for-Life Virginia Dept. of Education From firewalls-owner Sat Mar 2 12:31:01 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA13037 for firewalls-outgoing; Sat, 2 Mar 1996 12:27:59 -0800 (PST) Received: from minerva1.bull.it (minerva1.bull.it [138.70.10.27]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA13028 for ; Sat, 2 Mar 1996 12:27:50 -0800 (PST) Received: by minerva1.bull.it (5.65c/940824-01) id AA12098; Sat, 2 Mar 96 21:04:28 +0100 From: gvilla@minerva1.bull.it (Guido Villa) Received-Date: Sat, 2 Mar 96 21:04:28 +0100 Message-Id: <199603022004.AA12098@minerva1.bull.it> Subject: Firewall Back-up To: firewalls@greatcircle.com Date: Sat, 2 Mar 1996 21:04:25 +0100 (MET) X-Mailer: ELM [version 2.4 PL22] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In order to get high-availability target this config should be set-up: OUT NET ---------------------------------------------------------------------- | | | .1 | .2 --------- --------- | | | | | | | | |master | |backup | --------- --------- | | IN NET | | ---------------------------------------------------------------------- "master" could crash or physical (tcp-ip down) or logical (telnet down). -- -- "backup" should be able to start automatically. Thinking about DNS reconfiguration to be activated as "backup" detects "master"'s failures (physical/logical), which kind of solution is known? I'm thinking for automatic updating of file "named" (ip-address .1 changed with .2). Any experiences with rerouting thru ROUTER? Guido Villa Bull HN Italia g.villa@it12.bull.it From firewalls-owner Sat Mar 2 12:45:20 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA13294 for firewalls-outgoing; Sat, 2 Mar 1996 12:36:56 -0800 (PST) Received: from Eisner.DECUS.Org (Eisner.DECUS.Org [192.67.173.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA13280 for ; Sat, 2 Mar 1996 12:36:51 -0800 (PST) Received: from Eisner.DECUS.Org by Eisner.DECUS.Org (PMDF V4.2-12 #4291) id <01I1V9856F3Q00CZET@Eisner.DECUS.Org>; Sat, 2 Mar 1996 15:35:13 -0500 (EST) Date: Sat, 02 Mar 1996 15:35:13 -0500 (EST) From: Matt Holdrege Subject: Re: IP/IPX firewall To: firewalls@GreatCircle.COM Reply-to: holdrege@eisner.decus.org Message-id: <01I1V9856F3S00CZET@Eisner.DECUS.Org> Organization: Digital Equipment Computer Users Society X-VMS-To: IN%"firewalls@GreatCircle.COM" MIME-version: 1.0 Content-type: TEXT/PLAIN; CHARSET=US-ASCII Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >>I'm looking for a firewall that would allow only certain IP and IPX >>addresses to access a LAN. At least one of the interfaces on the Firewall >>need to be Token Ring. The other could be Token Ring or Ethernet. Does such >>a beast exist? >Yes -- its called a router. With filtering capabilities, of course. :-) >- paul OK, OK. To be more specific, this firewall needs to have a user-friendly access list administrative interface. That rules out the Cisco routers that we use. :) Matt Holdrege holdrege@eisner.decus.org From firewalls-owner Sat Mar 2 14:51:06 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA18420 for firewalls-outgoing; Sat, 2 Mar 1996 14:27:54 -0800 (PST) Received: from charon.ppco.com (ppco.com [138.32.15.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA18408 for ; Sat, 2 Mar 1996 14:27:49 -0800 (PST) Received: by charon.ppco.com id AA12206 (InterLock SMTP Gateway 3.0 for firewalls@GreatCircle.com); Sat, 2 Mar 1996 16:26:10 -0600 Received: by charon.ppco.com (Internal Mail Agent-2); Sat, 2 Mar 1996 16:26:10 -0600 Received: by charon.ppco.com (Internal Mail Agent-1); Sat, 2 Mar 1996 16:26:10 -0600 Message-Id: <310FEC8B.1632@ppco.com> Date: Wed, 31 Jan 1996 23:26:19 +0100 From: Jon Ole Nome Organization: Phillips Petroleum X-Mailer: Mozilla 2.0b3 (Win95; I) Mime-Version: 1.0 To: firewalls@GreatCircle.com Subject: ANS Interlock firewall Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anybody have experience with the ANS Interlock firewall? We are in the process of installing one, and I'd like to avoid the major pitfalls (if any...). Thanks. Jon Ole Nome (jonome@ppco.com) Phillips Petroleum Company Norway From firewalls-owner Sat Mar 2 15:00:25 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA17377 for firewalls-outgoing; Sat, 2 Mar 1996 14:04:58 -0800 (PST) Received: from services.toploguk.co.uk (svc.toploguk.co.uk [192.112.49.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA23450 for ; Wed, 28 Feb 1996 07:52:11 -0800 (PST) From: Paul Crossley To: mmdfemontoya@sigma.eafit.edu.co Subject: Failed mail (msg.ae26080) Cc: firewalls@greatcircle.com X-Mailer: ScoMail 3.0.Bd MIME-Version: 1.0 Date: Wed, 28 Feb 1996 15:40:28 +0000 (GMT) Message-ID: <9602281541.aa00736@services.toploguk.co.uk> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From: Edwin Montoya > To: firewalls@greatcircle.com > Subject: version HTTP CERN for sco > Message-Id: > Mime-Version: 1.0 > Content-Type: TEXT/PLAIN; charset=US-ASCII > Sender: firewalls-owner@greatcircle.com > Precedence: bulk > > > Does anybody know where I can find a version of HTTP for sco ODT in binary? > > thanks in advance. > ftp.sco.com look in the TLS directory - there is a re-worked CERN server there somewhere - the info file should help you find it. Paul ------------------------------------------------------------------------- Paul Crossley (paul@toploguk.co.uk) Senior Consultant SCO ACE TopLog Limited TopLog House, Knaves Beech Business Centre, Loudwater, Bucks. HP10 9QY Phone (01628) 819444 Fax (01628) 819356 ------------------------------------------------------------------------- From firewalls-owner Sat Mar 2 15:01:54 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA17379 for firewalls-outgoing; Sat, 2 Mar 1996 14:05:06 -0800 (PST) Received: from netcomsv.netcom.com (uucp5.netcom.com [163.179.3.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA03642 for ; Wed, 28 Feb 1996 13:01:34 -0800 (PST) Received: by netcomsv.netcom.com with UUCP (8.6.12/SMI-4.1) id MAA12863; Wed, 28 Feb 1996 12:24:56 -0800 Received: from fly.Com. by ccivax.Coded.COM (8.6.5/ULTRIX-4.1) id MAA07249; Wed, 28 Feb 1996 12:25:58 -0800 Received: by fly.Com. (5.0/SMI-SVR4) id AA16569; Wed, 28 Feb 96 12:21:58 PST Date: Wed, 28 Feb 96 12:21:58 PST From: kay@Coded.COM (Don Kay) Message-Id: <9602282021.AA16569@fly.Com.> To: asafier@explorer.csc.com Cc: firewalls@greatcircle.com Subject: Re: Logs: list Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I think Adam is right. I don't run a firewall yet, but I will soon. I subscribe to the list so I'll be better prepared when the time comes, and I think a little knowledge about interpreting logs will be helpfull. > > I would rather see the log discussions stay on this list. > > I would think understanding firewall logs or hearing how someone is > knowking on a FW is of interest to subscribers of firewalls. > > If you are really worried about generating "noise" just preface your subject > with Logs: and we can skip them if not interested. > > my 2 cents, > Adam Safier > > > > > > My apologies, I don't have any ideas, but reading your posting made me > > wonder if there was any interest in spinning off a list for discussion > > of firewall log analysis. I periodically see questions like this on the > > list, and have had some interesting packets brushing up against our > > firewall. It might be nice to have a place to discuss this type of thing > > without bothering the rest of the firewalls list. > > > > Is anyone else interested in a list like this? I might be able to round > > up a site to host it, and would be willing to devote some time to > > running it, or moderate it if necessary. > > > > - -- > > David Lewis > > dlewis@rt66.com > > > ------------------------------------------------------------------------------- Don Kay He who can destroy a thing, controls a thing. Coded Communications Carlsbad, Ca Paul Maud-Dib from "Dune" by Frank Herbert Kay@Coded.Com ------------------------------------------------------------------------------- From firewalls-owner Sat Mar 2 17:15:13 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA23769 for firewalls-outgoing; Sat, 2 Mar 1996 16:59:02 -0800 (PST) Received: from ns.gbnet.net (ns.gbnet.net [194.70.126.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id QAA23764 for ; Sat, 2 Mar 1996 16:58:58 -0800 (PST) Received: (from jrg@localhost) by ns.gbnet.net (8.7.3/8.7.3) id AAA10441; Sun, 3 Mar 1996 00:50:15 GMT Date: Sun, 3 Mar 1996 00:50:15 GMT From: James R Grinter Message-Id: <199603030050.AAA10441@ns.gbnet.net> X-Subliminal: H is for Hypertext X-Mailer: Mail User's Shell (7.2.5 10/14/92) To: Adam Shostack , jmr@winternet.com (John Rauser) Subject: Re: catastrophe logs Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sat 2 Mar, 1996, Adam Shostack wrote: >Perl runs on dos. I'm not sure how to get dos to emulate cron, so >I'd probably toss linux or *bsd on the machine, and forget dos. Use >what you know. If you are looking for a DOS program that can do cron-like things, you might examine 'mistress', which does a similar job. (If you want to get hold of the author, his email address is now mark@kram.org and not as in the readme.) James. From firewalls-owner Sun Mar 3 05:00:09 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA11056 for firewalls-outgoing; Sun, 3 Mar 1996 04:53:48 -0800 (PST) Received: from celene.rain.com (celene.rain.com [204.188.34.132]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA11051 for ; Sun, 3 Mar 1996 04:53:42 -0800 (PST) Received: from localhost.rain.com (localhost.rain.com [127.0.0.1]) by celene.rain.com (8.7.3) with SMTP id MAA24839 for ; Sun, 3 Mar 1996 12:52:07 GMT Message-Id: <199603031252.MAA24839@celene.rain.com> X-Mailer: exmh version 1.6.4 10/10/95 To: firewalls@greatcircle.com Subject: Re: SQL*Net proxy? In-reply-to: Your message of "Tue, 27 Feb 1996 15:56:04 +0100." <9602271456.AA27573@rs3.wmd.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Sun, 03 Mar 1996 04:52:06 -0800 From: Shawn Instenes Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Marco Pauck said: > > Hmmm, I'm quite surprised!? > > We use TIS's plug-gw proxy for SQL*Net V1 (1521/tcp) and V2 (1525/tcp) > and it just works! > > It should also be possible to use a packet filter instead. I'll second this- I've installed a number of firewalls that pass SQL*Net using just TIS FWTK plug-gw, both with Oracle's Secure Network Services and without. "It just works" is a good description. The server versions I've worked with are 7.0.16, 7.1.4, and 7.2.3, and all of them work. I've only tried SQL*Net V2. From firewalls-owner Sun Mar 3 07:15:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA12990 for firewalls-outgoing; Sun, 3 Mar 1996 07:00:34 -0800 (PST) Received: from puli.cisco.com (puli.cisco.com [171.69.1.174]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA12985 for ; Sun, 3 Mar 1996 07:00:29 -0800 (PST) Received: from localhost.cisco.com (localhost.cisco.com [127.0.0.1]) by puli.cisco.com (8.6.8+c/8.6.5) with SMTP id GAA12749; Sun, 3 Mar 1996 06:58:50 -0800 Message-Id: <199603031458.GAA12749@puli.cisco.com> To: Paul Ferguson Cc: Firewalls@GreatCircle.COM, yakov@cisco.com Subject: Re: RFC 1597 and 10/8 addresses In-Reply-To: Your message of "Sat, 02 Mar 1996 12:44:22 EST." <199603021743.JAA09092@lint.cisco.com> Date: Sun, 03 Mar 1996 06:58:50 -0800 From: Yakov Rekhter Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Paul, > >If you are recommending that people use 10/8 adressing, it would be best > >to refer them to RFC1918 which just came out this past week and which > >supercedes 1597. Nothing really new in it, just a bit clearer explanation > >of private networks and their implications and so on. > > > > One new item RFC-1918 does mention is the use of 'application layer gateways' , > such as NAT devices, to 'hide' the use of private Internet address space. Another difference is that RFC1918 has the status of BCP (Best Current Practices), while RFC1597 is just Informational. Yakov. From firewalls-owner Sun Mar 3 08:45:28 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA15677 for firewalls-outgoing; Sun, 3 Mar 1996 08:40:21 -0800 (PST) Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA15672 for ; Sun, 3 Mar 1996 08:40:16 -0800 (PST) Received: from clark.net (mjr@clark.net [168.143.0.7]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id LAA25349 for ; Sun, 3 Mar 1996 11:38:43 -0500 (EST) From: "Marcus J. Ranum" Received: (from mjr@localhost) by clark.net (8.7.1/8.7.1) id LAA08371 for firewalls@greatcircle.com; Sun, 3 Mar 1996 11:38:41 -0500 (EST) Message-Id: <199603031638.LAA08371@clark.net> Subject: Re: Eternal war: gateway versus filtering To: firewalls@greatcircle.com Date: Sun, 3 Mar 1996 11:38:40 -0500 (EST) Reply-To: mjr@v-one.com Organization: V-One Corporation, Baltimore, MD Office Phone: 410-889-8569 X-Mailer: ELM [version 2.4 PL24alpha3] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >My question is am I right or wrong when I think that most critics made to >packet filtering (no user authentication, no application level knowledge, >firewall "open" when down, vulnerable to snooping, vulnerable because of IP >fragmentation, of udp connectionless protocol, of RPC...) do not apply to >Firewall-1 because of it's enhanced filtering features ? Yes and no -- there are a lot of subtle issues and one of these days I need to do a whitepaper, but until then maybe I can put a few ideas out for discussion. [I think ches and smb will be talking about some of this in the next rev of thier book, too] First off, the reason for application level gateways rather than "smart packet filtering" was mostly an implementation detail. If you remember back, there was a time when free versions of UNIXlike source weren't growing on trees, and if you hacked a firewall into the kernel you had to sign your brain rights away in perpetuity on a source license. It's a big win, portability-wise, and from a standpoint of making it easier to test code. Running an application gateway under Saber-C is a luxury you don't get with an in-kernel proxy. But I digress... :) The original idea of an application gateway was that it gave you a few things a simple router-based firewall didn't: 1) Since you were working at a TCP level, the view of your traffic was instantly converted to connection oriented, which made life a lot easier. 2) Since you were mediating the connection, you could put extra logging or security features into the proxy, which you can't do in a router. 3) It was easier to run under a debugger. Nowadays, with dynamic packet filtering, #1 no longer applies. The firewall (presumably) makes sure that the connections are managed and sequenced correctly. If implemented correctly it should be about the same degree of difficulty to spoof a dynamic packet filtering firewall as an application level firewall. So they are comparable. #2 is the trick, and it's inbound services that really grab you by the 50-ohm resistor. :( Suppose you have an application level proxy that recognizes the old Reply-To: "|..." sendmail hole. The proxy can provide blanket coverage for all systems behind it, if it filters that nonsense out. So that's a real benefit. If it's a screening firewall, unless there's what amounts to proxy code in the firewall, that stuff will get through. It means that: 1) You need to configure your firewall right 2) You need to secure (at least one system) behind the firewall Now, a smart packet filtering firewall might be able to do that particular check -- essentially a subroutine call built into the in-kernel filter -- then they'd be equivalent to an application gateway. The bottom line, however, is that if you're a duly paranoid network manager, you'll probably still block all incoming mail (regardless of the type of firewall) and direct it to a postoffice system behind the firewall, which is running a reasonably patched-up version of sendmail. Otherwise you're just asking to get nailed by the next sendmail hole that the application level proxy doesn't "know" about. I'm using sendmail as an example here, but it could be any service. :( If you have a TELNET proxy and I talk to it and then it connects me to a system behind it with a buggy telnetd, then I can still break your machine if I somehow manage to authenticate or steal an authenticated connection. The end result of this is that there's a strong pressure to LET NOTHING IN which means the Internet link isn't very useful -- so a balance has to occur. One other trend I'e noticed is lots of use of plug-gw to "enable" services inbound to captive processes on internal machines. That's *exactly* the same as packet filtering, conceptually. The bottom line is that whatever firewall you are using, you need to be extremely concerned about how inbound services are managed. You need to secure them as well as possible. You need to >>GAACK!<< implement host-based security! :) Firewalls are not, really, a solution for inbound services -- which is what everyone is evolving towards wanting to do. :) So -- application level firewalls and dynamic packet filters are basically the same thing as far as I am concerned, for outgoing access. For incoming data, you need to look at the application and how/if it can hurt you, and, at this point, I wouldn't rely on my firewall to protect me. Draw up a matrix of what needs to go in and what needs to go out. The firewall can cover what goes out, and you need to figure out on a case by case basis how to do host security for whatever comes in. Good luck! :) mjr. -- Chief Scientist, V-ONE Corporation -- "Security for a connected world" work http://www.v-one.com personal http://www.clark.net/pub/mjr/mjr-top.html From firewalls-owner Sun Mar 3 12:45:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA21107 for firewalls-outgoing; Sun, 3 Mar 1996 12:38:06 -0800 (PST) Received: from lint.cisco.com (lint.cisco.com [171.68.235.77]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA21086 for ; Sun, 3 Mar 1996 12:38:00 -0800 (PST) Received: from pferguso-pc.cisco.com (c1robo11.cisco.com [171.68.13.11]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id MAA17571; Sun, 3 Mar 1996 12:35:25 -0800 Message-Id: <199603032035.MAA17571@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sun, 03 Mar 1996 15:36:20 -0500 To: Yakov Rekhter From: Paul Ferguson Subject: Re: RFC 1597 and 10/8 addresses Cc: Firewalls@GreatCircle.COM, yakov@cisco.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 06:58 AM 3/3/96 -0800, Yakov Rekhter wrote: >> >> One new item RFC-1918 does mention is the use of 'application layer gateways' >, >> such as NAT devices, to 'hide' the use of private Internet address space. > >Another difference is that RFC1918 has the status of BCP (Best Current >Practices), while RFC1597 is just Informational. > >Yakov. > Good point. :-) - paul -- Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:.. e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Sun Mar 3 17:16:13 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA26949 for firewalls-outgoing; Sun, 3 Mar 1996 16:30:13 -0800 (PST) Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id QAA26944 for ; Sun, 3 Mar 1996 16:30:09 -0800 (PST) Received: from [130.128.2.12] (localtalk12.ietf.interop.net [130.128.2.12]) by mail.Clark.Net (8.7.3/8.6.5) with SMTP id TAA03299; Sun, 3 Mar 1996 19:26:16 -0500 (EST) X-Sender: hcb@mail.clark.net Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sun, 3 Mar 1996 16:22:28 -0800 To: holdrege@Eisner.DECUS.Org From: hcb@clark.net (Howard C. Berkowitz) Subject: Re: IP/IPX firewall Cc: pferguso@cisco.com, firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >>>I'm looking for a firewall that would allow only certain IP and IPX >>>addresses to access a LAN. At least one of the interfaces on the Firewall >>>need to be Token Ring. The other could be Token Ring or Ethernet. Does such >>>a beast exist? > >>Yes -- its called a router. With filtering capabilities, of course. :-) > >>- paul > >OK, OK. To be more specific, this firewall needs to have a user-friendly access >list administrative interface. That rules out the Cisco routers that we use. :) Congratulations. You have successfully used "access list," "firewall," and "access list" reasonably coherently in the same sentence! :-) Howard From firewalls-owner Mon Mar 4 01:01:43 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id AAA11768 for firewalls-outgoing; Mon, 4 Mar 1996 00:57:43 -0800 (PST) Received: from mailserver.zia.ms.it (icaro.zia.ms.it [194.21.103.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id AAA11763 for ; Mon, 4 Mar 1996 00:57:16 -0800 (PST) Organization: Rete Telematica Apuana _ Consorzio Zona Industriale Apuana - Massa - Italy Received: from netix.it (caronte.netix.it [194.21.103.247]) by mailserver.zia.ms.it (8.6.12/8.6.12) with SMTP id KAA20282 for ; Mon, 4 Mar 1996 10:00:39 +0100 Received: from vega by netix.it (5.x/SMI-SVR4) id AA00977; Mon, 4 Mar 1996 09:53:30 +0100 Received: from netix by vega (5.0/SMI-SVR4) id AA00655; Mon, 4 Mar 1996 09:55:12 --100 Received: by netix (5.0/SMI-SVR4) id AA00416; Mon, 4 Mar 1996 09:55:08 --100 Date: Mon, 4 Mar 1996 09:55:08 --100 From: ap@netix.it (Aldo Pannocchia) Message-Id: <9603040855.AA00416@netix> To: firewalls@GreatCircle.COM Subject: Re: filtering RPC ports X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From firewalls-owner@GreatCircle.COM Mon Mar 4 09:49 MET 1996 > From: "W.C. Epperson" > Subject: filtering RPC ports > To: firewalls@GreatCircle.COM > Date: Fri, 01 Mar 1996 13:24:33 EST > > Recently there was a thread here in which it was noted that filtering > portmap (111) traffic merely made it more difficult to find the RPC > service ports, that if they could be guessed, they could be gotten to. > > What approaches, from a filtering perspective, might be employed to > block these ports, since they appear to be arbitrarily and dynamically > assigned (from observation and from reading the rfcs)? > -- FW-1 filter a single RPC service (identified by its port number). > W.C. Epperson "I have great faith in fools. > Senior SE Self-confidence, my friends call it." > Information Security Officer --Edgar Allan Poe-- > DBA Emeritus > Curmudgeon-for-Life > Virginia Dept. of Education > epperson@pen.k12.va.us > From firewalls-owner Mon Mar 4 01:45:19 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id AAA11702 for firewalls-outgoing; Mon, 4 Mar 1996 00:49:56 -0800 (PST) Received: from ns1.digital.fr (ns1.digital.fr [193.56.15.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id AAA11697 for ; Mon, 4 Mar 1996 00:49:49 -0800 (PST) Received: from vbormc.vbo.dec.com (vbormc.vbo.dec.com [16.36.208.94]) by ns1.digital.fr (8.7/8.7) with ESMTP id JAA14017; Mon, 4 Mar 1996 09:48:18 +0100 Received: (from root@localhost) by vbormc.vbo.dec.com (8.7.3/8.7) with UMC id JAA02608; Mon, 4 Mar 1996 09:43:22 +0100 Received: from umc by vbormc.vbo.dec.com via MR/VALMTS with conversational-MRIF; Mon, 04 Mar 96 09:43:22 +0100 Posted: Mon, 04 Mar 96 08:42:01 +0100 Date: Mon, 04 Mar 96 08:37:01 +0100 From: "MARC CHATEL @AEO" Message-ID: <21648040306991/6714513@FRMRC> To: firewalls@greatcircle.com Cc: rapoport@iway.fr Subject: Handling IP addressing conflicts with cascaded proxies Msg-Class: ALL-IN-1 IOS Server for VMS V3.0 PBL123A (US) ENGLISH 21-MAR-1992 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk [This message is converted from WPS-PLUS to ASCII] Hello all, I see that the subject of handling multiple occurrences of the same IP network numbers has come up again. We should make this part of the firewall FAQ, I guess... The most common cases where this occurs is an organization that has umpteen network numbers (which are not InterNIC-registered) that now needs to connect to the Internet in some way. What should be put in the middle of the connection that will support the fact that some IP addresses exist on BOTH sides of the configuration? More importantly (everybody, hope that IPV6 comes in fast enough to minimize this), how will we handle cases where N > 2 IP internetworks have conflicting network numbers and need to be interconnected? It is true that some companies have come out with specific system/ software combinations to solve this problem. Some products have already been mentioned, others will be, I have no doubts about that. Building such a product practically REQUIRES messing around in the depths of a TCP/IP software stack in order to achieve the desired functionality. Some people may fear the potential security impact of such software modifications. I certainly would not feel confident if I was personally asked to modify an IP stack to do this... It should be remembered that IT IS POSSIBLE to achieve the desired functionality with much more mundane technology IF: a) the types of communications you need can all be proxied b) you have access to "classical" proxy software that supports auto-forwarding (a very simple functionality to implement, many available proxies, commercial or free, do this) c) you have two systems on which this proxy software can run (the two systems can become a "firewall" if you want) What needs to be done then is as simple as: 1. Configure each system to live in the IP environment of one side of your "firewall configuration" 2. Configure an interconnection IP network (often a short Ethernet cable between the two proxy machines). The IP network number used on the interconnection network ONLY NEEDS TO BE KNOWN TO THE TWO PROXY MACHINES. 3. Set up the proxy applications for the appropriate auto-forwarding configuration. I have written a document about proxies that (among other things) describes this setup. You may wish to take a look at it: http://ds.internic.net/internet-drafts/draft-rfced-info-chatel-00.txt Like all internet drafts, it is also available by FTP and on several mirrors: ftp.is.co.za (Africa) nic.nordu.net (Europe) ds.internic.net (US East Coast) ftp.isi.edu (US West Coast) munnari.oz.au (Pacific Rim) Of course, nobody should consider this document to be "The Truth" (beware of what you read). It is just a set of opinions from one guy in a corner, and exactly fits the "Request For Comments" concept... Regards, Marc Chatel E-mail: Marc.Chatel@aeo.mts.dec.com Disclaimer: On this forum, I only speak for myself, nobody else. From firewalls-owner Mon Mar 4 02:00:34 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id BAA14434 for firewalls-outgoing; Mon, 4 Mar 1996 01:50:15 -0800 (PST) Received: from mari.co.uk (atlas.mari.co.uk [193.37.33.242]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id BAA14429 for ; Mon, 4 Mar 1996 01:50:09 -0800 (PST) Received: by mari.co.uk (8.6.9/IEA-V1.0) id JAA28283; Mon, 4 Mar 1996 09:25:31 GMT Received: from kronos(10.4.8.13) by atlas.mari.co.uk via smap (V1.3) id sma028279; Mon Mar 4 09:25:28 1996 Received: by kronos (5.x/SMI-SVR4) id AA27867; Mon, 4 Mar 1996 09:49:46 GMT From: iea@mari.co.uk (Ian.Alder) Message-Id: <9603040949.AA27867@kronos> Subject: Re: Firewalls-Digest V5 #134 To: Firewalls@GreatCircle.COM Date: Mon, 4 Mar 1996 09:49:45 +0000 (GMT) In-Reply-To: <199603011845.KAA26118@miles.greatcircle.com> from "firewalls-digest-owner@GreatCircle.COM" at Mar 1, 96 10:45:35 am X-Mailer: ELM [version 2.4 PL24] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have seen a number of articles in the network press regarding firewalls that were not as secure as you would like to think that they are. Has anyone out there seriously tried to break thru firewall systems? Could the results be posted to this list? Are there any good packages out there to break firewalls? From firewalls-owner Mon Mar 4 02:17:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id BAA14296 for firewalls-outgoing; Mon, 4 Mar 1996 01:47:33 -0800 (PST) Received: from gate.gb.swissbank.com (gate.sbc.co.uk [193.114.243.33]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id BAA14271 for ; Mon, 4 Mar 1996 01:47:23 -0800 (PST) Received: from gb.swissbank.com by gate.gb.swissbank.com; Mon, 4 Mar 1996 09:45:40 GMT From: Richard Boardman Date: Mon, 4 Mar 1996 09:41:24 GMT Message-Id: <26407.199603040941@gpo.gb.swissbank.com> Received: from ln1d454swk(155.145.96.29) by gpo via smap (V1.3) id sma026290; Mon Mar 4 09:41:03 1996 To: Firewalls@GreatCircle.COM Subject: Web Caching Proxy Servers X-MD5: 73b75b0dcfa08c7b961007e9c4d08fbc X-SNEFRU: 1e8dd7de 13e7357d c90a0040 7bdcccba cd274930 a868ce7b 3e1c2e47 48e54a56 X-chksum-host: gpo.gb.swissbank.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm looking at web caching proxy servers on behalf of my company. Does anyone have any comments on available products or pointers to sources of information such as independent product evaluations or comparisions? (aside from the regular marketing blurb). We are aware of the Netscape proxy server, TIS http-gw and the CERN httpd, are there any other products (Unix/NT) out there that we should be evaluating? Our intention is to use it as a proxy only (ie. relaying and supplying requests for internal users -- there should be no outward-serving functionality at all). I'm interested in the following aspects :- * security -- source code availability -- any third party evaluations -- remapping/blocking of certain URLs -- content filtering (eg. Java) -- support for SSL, SHTTP -- secure logging * performance considerations -- cache configuration, consistency methods and tuning -- number of users -- throughput (requests/second) * general -- architecture (Unix/NT) -- support issues -- level of transparency to users -- ease of management Thanks for any help, please can people send replies to me direct, I'll post a summary. Rick -- >Rick Boardman>>IT>>>>>>>>>>>>>>>>>>>>>boardmr@gb.swissbank.com> ; Mon, 4 Mar 1996 04:26:40 -0800 (PST) Received: from email.enst.fr (root@email.enst.fr [137.194.160.46]) by enst.enst.fr (8.6.10/8.6.10) with ESMTP id NAA03598 for ; Mon, 4 Mar 1996 13:22:22 +0100 Received: from gavroche.enst.fr (gavroche.enst.fr [137.194.160.24]) by email.enst.fr (8.7.Beta.13/8.7.Beta.13) with ESMTP id NAA29717 for ; Mon, 4 Mar 1996 13:22:02 +0100 (MET) From: Kamel Khadri Received: (khadri@localhost) by gavroche.enst.fr (8.6.10/8.6.10) id NAA04469 for firewalls@GreatCircle.COM; Mon, 4 Mar 1996 13:21:59 +0100 Date: Mon, 4 Mar 1996 13:21:59 +0100 Message-Id: <199603041221.NAA04469@gavroche.enst.fr> To: firewalls@GreatCircle.COM X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk get me off this list please From firewalls-owner Mon Mar 4 05:15:33 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA22258 for firewalls-outgoing; Mon, 4 Mar 1996 04:59:11 -0800 (PST) Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA22251 for ; Mon, 4 Mar 1996 04:59:06 -0800 (PST) Received: from pm2-09.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA02365; Mon, 4 Mar 96 07:55:37 -0500 Date: Mon, 4 Mar 96 07:55:37 -0500 Message-Id: <9603041255.AA02365@su1.in.net> X-Sender: frankw@in.net X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@GreatCircle.com From: Frank Willoughby Subject: Re: VPN's over the internet Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Verily at 09:40 AM 3/4/96 +0100, Damir Rajnovic did write: >>Frank Willoughby > Damir Rajnovic >Hello, > >> SCENARIO 1 >> Suppose a hacker was able to break into the other network and >> you only have FW->FW encryption. After the hacker has shut >> down security logging & auditing and created a couple of new >> accounts, the individual will start looking for other systems >> to crack. Since your network is an extension of the other >> network (via the VPN), your network is a likely target. Since >> the firewall in this case only supports encrypted tunneling, >> the pipe (link) between the two firewalls is completely >> transparent to the hacker and provides absolutely no protection >> against the hacker from setting up shop on your network. > >> If the firewall did support filtering _in_addition_to_ encrypting >> the link between the two firewalls, the hacker will have a much >> more difficult time in crossing from the compromised network to >> your network. > >[snip-snip] > >> There are at least two solutions to resolving the above-mentioned >> vulnerabilities: > >> o Purchase a firewall which supports Firewall->Firewall encryption >> AND will also provide applications filtering (via proxy, etc) of >> the encrypted links. > >> o Place a hardware encryption box between the firewall and the VPN >> access point as illustrated the (crude) diagram below. > >> your network->FW->HEB->public net->HEB->FW->their network > >> FW=Firewall >> HEB=Hardware Encryption Box (obviously, it also decrypts) > >> Best Regards, > >> Frank > >It's seems to me that second solution Frank propose is also vulnerable to >his first attack scenario. I don't see a difference between FW-to-FW >encription and putting two HEB's between two FW. HEB's only provides >encrypted tunnel beetwen FWs, and that's all. Or there is some other >catch? > >Gaus You are incorrect in your assumption. The difference is that the firewall performs applications filtering of the connections _in_addition_to_ FW->FW encryption (which is accomplished via the HEB or a firewall which performs FW->FW encryption). The encrypted link helps reduce MITM (Man-In-The-Middle) attacks such as Node Spoofing, Session Hijacking, etc. Filtering the applications essentially treats the other internal network as an untrusted network (like the Internet) and helps to reduce the risks by providing an extra measure of security. This also helps to contain any damage in the event that the other network is contanimated (hacker, Worm, etc.). Best Regards, Frank The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc. Fortified Networks Inc. - Management & Information Security Consulting Phone: (317) 573-0800 - http://www.fortified.com/fortified Home of the Free Internet Firewall Evaluation Checklist From firewalls-owner Mon Mar 4 05:30:28 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA22675 for firewalls-outgoing; Mon, 4 Mar 1996 05:13:25 -0800 (PST) Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA22669 for ; Mon, 4 Mar 1996 05:13:19 -0800 (PST) Received: from pm2-09.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA03008; Mon, 4 Mar 96 08:09:33 -0500 Date: Mon, 4 Mar 96 08:09:33 -0500 Message-Id: <9603041309.AA03008@su1.in.net> X-Sender: frankw@in.net X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: iea@mari.co.uk (Ian.Alder) From: Frank Willoughby Subject: Re: Firewalls-Digest V5 #134 Cc: firewalls@GreatCircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Verily, at 09:49 AM 3/4/96 +0000, Ian Alder did write: >I have seen a number of articles in the network >press regarding firewalls that were not as secure >as you would like to think that they are. > >Has anyone out there seriously tried to break >thru firewall systems? > >Could the results be posted to this list? > >Are there any good packages out there to break firewalls? > Most of the above can be accomplished via a little research. In order to combat an opponent effectively, you must first understand their capabilities. The easiest way to figure out which firewalls are secure is to figure out what the vulnerabilities are and then check to see which firewalls are immune to these vulnerabilites. Here's a couple of resources about firewall vulnerabilities and implementation issues/"Gotchas": Cheswick & Bellovin's excellent book "Firewalls & Internet Security" ISBN: 0-201-63357-4 Cost: @30 US Dollars Steven Bellovin's equally excellent paper "Security Problems in the TCP/IP Protocol Suite" ftp from ftp.research.att (I think it is in the /dist/internet_security directory) The file is ipext.ps.Z (compressed postscript file) Cost: Free Fortified Networks Inc.'s Firewall Evaluator (Firewall Evaluation Checklist w/documentation) (Contact me or visit my home page for more info) Cost: $250 US Dollars Best Regards, Frank The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc. Fortified Networks Inc. - Management & Information Security Consulting Phone: (317) 573-0800 - http://www.fortified.com/fortified Home of the Free Internet Firewall Evaluation Checklist From firewalls-owner Mon Mar 4 05:45:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA22697 for firewalls-outgoing; Mon, 4 Mar 1996 05:13:45 -0800 (PST) Received: from iez.com (mail.iez.com [194.218.38.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA22682 for ; Mon, 4 Mar 1996 05:13:32 -0800 (PST) Received: by iez.com (AIX 3.2/UCB 5.64/4.03) id AA10914; Mon, 4 Mar 1996 14:12:28 +0100 Received: from spibm02(172.16.13.62) by iez.com via smap (V1.3) id sma010656; Mon Mar 4 14:12:11 1996 Received: from iez.com by spibm02 (AIX 3.2/UCB 5.64/4.03) id AA17965; Mon, 4 Mar 1996 14:06:41 +0100 Message-Id: <9603041306.AA17965@spibm02> Received: from inhps-a by iez.com with SMTP (1.37.109.4/16.2) id AA15839; Mon, 4 Mar 96 14:06:41 +0100 Received: by inhps-a (1.38.193.3/16.2) id AA16048; Mon, 4 Mar 96 14:06:39 +0100 From: Rolf Weber Subject: Re: Eternal war: gateway versus filtering To: mjr@v-one.com Date: Mon, 4 Mar 1996 14:06:38 +0100 (MEZ) Cc: firewalls@greatcircle.com (firewalls) In-Reply-To: <199603031638.LAA08371@clark.net> from "Marcus J. Ranum" at Mar 3, 96 11:38:40 am X-Mailer: ELM [version 2.4 PL24] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > The original idea of an application gateway was that it > gave you a few things a simple router-based firewall didn't: > 1) Since you were working at a TCP level, the view of > your traffic was instantly converted to connection > oriented, which made life a lot easier. > 2) Since you were mediating the connection, you could > put extra logging or security features into the proxy, > which you can't do in a router. > 3) It was easier to run under a debugger. > yes, this (were|are) advantages from the view of developping. for end-users like me, there is another advantage: application gateways are much easier to understand, while packet filtering gateways are almost a 'black box' for most folks. and while it's MHO that's very important for a firewalled site to understand how they're protected, this is a very basic and important advantage. maybe all other advantages will disappear soon (or yet now), but this one will stay. > > that the application level proxy doesn't "know" about. I'm > using sendmail as an example here, but it could be any > service. :( If you have a TELNET proxy and I talk to it and > then it connects me to a system behind it with a buggy telnetd, > then I can still break your machine if I somehow manage to > authenticate or steal an authenticated connection. > i don't think it's quite the same, there is a little difference: in general, everybody and every host is allowed to mail to the protected site, so an attacker needs not to break something else before starting a sendmail attack. if someone wants to exploit an internal buggy telnetd, he first has to break into the telnet proxy...and in such a case, it's even a bad situation, the attacker can telnet to other ports (ok, you could deny this with a patched proxy). incoming telnet is indeed a difficult problem, really hard to solve sufficiently. sendmail (or other mailer) bugs could be avoided by placing the mailserver outside and to let the users take their mail from there with a pluged pop or another, more secure and encrypting service. but god forbid, i don't do so :-) rolf -- ----------------------------------------- Rolf Weber | All I ask is a chance IEZ AG D-64625 Bensheim | to prove that money ++49-6251-1309-113 | can't make me happy. From firewalls-owner Mon Mar 4 06:17:07 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA24245 for firewalls-outgoing; Mon, 4 Mar 1996 06:06:33 -0800 (PST) Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.70.210]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA24234; Mon, 4 Mar 1996 06:06:28 -0800 (PST) Message-Id: <199603041406.GAA24234@miles.greatcircle.com> Received: by habanero.jmu.edu (1.37.109.16/16.2) id AA101758286; Mon, 4 Mar 1996 09:04:46 -0500 Date: Mon, 4 Mar 1996 09:04:46 -0500 From: gary flynn To: firewalls-owner@GreatCircle.COM, pauck@wmd.de Subject: Re: SQL*Net proxy? Cc: Firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From: Vinci CHOU > gary flynn wrote: > > > > Oracle servers that are configured as mulithreaded wil use dynamic > > ports. Several firewall vendors are working with Oracle to develop > > a SQLnet proxy. I don't know the timeframe. > > The Oracle SQL*Net manuel mentioned V2 added support of asynchronous > data send/receive. This capability was added to support the Oracle7 > multi-threaded server. Gary, is this the thing you are refering to ? > However, when I asked Oracle, we've already mentioned that we are > using V1 and still they gave the reply that the port number for > the shadow process cannot be determined ! > I'm not familiar with "asynchronous send/receive". > caution. Since it acts only as a data pipe, .... In a sense, plug-gw > is similar to adding a configuration rule to a router that permits > traffic only between two systems on a single port, except that it > logs all transactions." > If it is true, I can't see how it can handle dynamic port numbers. Can > any one explain it to me ? > This is true and it cannot handle dynamic port numbers. If you're not running multithreaded servers, then it will probably work as the port is static. As someone mentioned previously, Oracle has a document explaining the issues with SQLnet and firewalls in fairly good detail. The document name is "SQL*Net and Firewalls" and is dated October 1995. It is labeled "Part C10451". The following is an excerpt from that document: "When the IP port number of the SQL*Net connection can be determined in advance, such as 1521, then connection can be permitted with some degree of security. Systems running multi-threaded servers, pre-spawned servers, or ones with architectures that do not support IP port sharing, require dynamic port allocation which tends to prevent connections. Firewall support where IP port redirection is employed requires an intelligent filter to monitor the port redirection information during the connect phase so that the filter can selectively open up the required port. Alternatively, a wide range of ports would have to be opened in advance, which would severely compromise security. In an application proxy solution the proxy itself handles IP port redirection issues." The architecture support mentioned above implies operating system and TCP/IP implementation. I've *heard* that AIX has this limitation. gary From firewalls-owner Mon Mar 4 07:16:39 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA25447 for firewalls-outgoing; Mon, 4 Mar 1996 06:52:23 -0800 (PST) Received: from diablo.ppp.de (diablo.ppp.de [193.141.101.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA25442 for ; Mon, 4 Mar 1996 06:52:18 -0800 (PST) Received: from wmdhh by diablo.ppp.de with uucp (Smail3.1.28.1 #1) id m0ttbau-000QXsC; Mon, 4 Mar 96 15:50 MET Received: from rs3.wmd.de by wmdhh with smtp (Smail3.1.26.7 #3) id m0ttcBR-0007XHC; Mon, 4 Mar 96 16:28 CET Received: by rs3.wmd.de (AIX 3.2/UCB 5.64/4.03.01) id AA21559; Mon, 4 Mar 1996 15:12:48 +0100 From: pauck@rs3.wmd.de (Marco Pauck) Message-Id: <9603041412.AA21559@rs3.wmd.de> Subject: Re: SQL*Net proxy? To: gary@habanero.jmu.edu (gary flynn) Date: Mon, 4 Mar 1996 15:12:48 +0100 (MEZ) Cc: firewalls@greatcircle.com In-Reply-To: <199603041415.PAA09234@gate1.wmd.de> from "gary flynn" at Mar 4, 96 09:04:46 am Reply-To: pauck@wmd.de X-Mailer: ELM [version 2.4 PL20] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > As someone mentioned previously, Oracle has a document explaining the > issues with SQLnet and firewalls in fairly good detail. The document > name is "SQL*Net and Firewalls" and is dated October 1995. It is labeled > "Part C10451". The following is an excerpt from that document: > > "When the IP port number of the SQL*Net connection can be determined in advance, > such as 1521, then connection can be permitted with some degree of security. > Systems running multi-threaded servers, pre-spawned servers, or ones with > architectures that do not support IP port sharing, require dynamic port allocation > which tends to prevent connections. Firewall support where IP port redirection > is employed requires an intelligent filter to monitor the port redirection > information during the connect phase so that the filter can selectively open > up the required port. Alternatively, a wide range of ports would have to be > opened in advance, which would severely compromise security. In an application > proxy solution the proxy itself handles IP port redirection issues." > > The architecture support mentioned above implies operating system and > TCP/IP implementation. I've *heard* that AIX has this limitation. I should mention that we use plug-gw with AIX 3.2.5 without problems. No, I don't know about AIX 4.1. Marco -- Marco Pauck - WMD GmbH Hamburg, Germany - http://www.wmd.de/ e-mail: pauck@wmd.de, phone: +49-40-58958-120, fax: +49-40-58958-199 Life would be so much easier if we could just see the source code. From firewalls-owner Mon Mar 4 08:17:20 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA26963 for firewalls-outgoing; Mon, 4 Mar 1996 07:37:22 -0800 (PST) Received: from wonderland.epic.co.uk (wonderland.epic.co.uk [194.159.80.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA26941 for ; Mon, 4 Mar 1996 07:37:14 -0800 (PST) Received: from post.epic.co.uk by wonderland.epic.co.uk (5.x/SMI-SVR4) id AA19409; Mon, 4 Mar 1996 15:35:53 GMT Received: from systems_pc8.epic.co.uk by post.epic.co.uk with smtp (Smail3.1.28.1 #3) id m0ttcNl-000DgVC; Mon, 4 Mar 96 15:41 GMT Message-Id: Date: Mon, 4 Mar 96 15:41 GMT X-Sender: steve@post.epic.co.uk X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls-digest@GreatCircle.COM From: Steve Phelps Subject: VirusWall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Has anyone used VirusWall for Solaris 2.X? Any recommendations or dont's? ------------------------------------------------------------------------- Steve Phelps Senior Technical Development Engineer EMG Limited 52 The Old Steine Brighton, UK. Voice: +44 1273 728686 extn. 406 Fax: +44 1273 821567 GPF encountered in module MICROSOFT.DLL Stack contents: ";;@|Where Do You Want to Go Today?_&..." From firewalls-owner Mon Mar 4 08:23:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA27900 for firewalls-outgoing; Mon, 4 Mar 1996 08:00:59 -0800 (PST) Received: from reachit.com (calvin.reachit.com [199.126.187.102]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA27893 for ; Mon, 4 Mar 1996 08:00:51 -0800 (PST) Received: Smail 3.1.29.1 running on reachit.com Router: match_mx_hosts Transport: smtp Message size: 1978 Mesage-ID: m0ttcdR-000zNrC Processed at: Mon, 4 Mar 96 10:57 EST Date: Mon, 4 Mar 1996 10:57:17 -0500 (EST) From: N D Ghaznavi X-Sender: ndg@calvin.apparel.org To: firewalls@greatcircle.com Subject: Re: Firewall Back-up In-Reply-To: <199603022004.AA12098@minerva1.bull.it> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sat, 2 Mar 1996, Guido Villa wrote: > In order to get high-availability target this config should be set-up: > > > OUT NET > ---------------------------------------------------------------------- > | | > | .1 | .2 > --------- --------- > | | | | > | | | | > |master | |backup | > --------- --------- > | | > IN NET | | > ---------------------------------------------------------------------- > > "master" could crash or physical (tcp-ip down) or logical (telnet down). > -- -- > > "backup" should be able to start automatically. > > Thinking about DNS reconfiguration to be activated as "backup" detects > "master"'s failures (physical/logical), which kind of solution is known? What about associating multiple ip's with your machine i.e. master.dom.com has x.x.x.1 and x.x.x.2 associated with it. When the master goes down slave comes up, and routing just works... (assuming no hardcoded IPs... probably a bad assumption!). > I'm thinking for automatic updating of file "named" (ip-address .1 changed > with .2). --n d ghaznavi----------------------------------------------------------- System Administrator ndg@cadlink.com --cadlink.com--------reachit.com--------ghaznavi.com--------apparel.org-- From firewalls-owner Mon Mar 4 08:31:03 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA28319 for firewalls-outgoing; Mon, 4 Mar 1996 08:14:50 -0800 (PST) Received: from srv-internet.ssb.it (srv-internet.ssb.it [192.106.128.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA28314 for ; Mon, 4 Mar 1996 08:14:45 -0800 (PST) Received: by srv-internet.ssb.it (8.6.11/SSB/UX-1.00) id RAA17794; Mon, 4 Mar 1996 17:30:32 +0100 Received: from email.ssb.it(192.106.129.170) by srv-internet.ssb.it via smap (V1.3) id sma017792; Mon Mar 4 17:30:27 1996 Message-ID: Date: 4 Mar 1996 17:22:26 U From: "Fabio Omenigrandi" Subject: Searching for a programmabl To: "FireWalls" X-Mailer: Mail*Link SMTP/QM 3.0.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk S S B Comunicazione interna 4-03-1996 17:15 Oggetto: Searching for a programmable Security Card Hi all, I'm searching for a programmable Security Card to use to build Electronic Commerce in Internet. If someone know a company that build such module please send me an email, it's very important. This Security Card has to be compatible with ISA (PCI) bus and it has to be implement RSA and DES algorithm. Thanks to all in advance. From firewalls-owner Mon Mar 4 08:48:54 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA28119 for firewalls-outgoing; Mon, 4 Mar 1996 08:06:34 -0800 (PST) Received: from inet1.tek.com (inet1.tek.com [134.62.48.21]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA28105 for ; Mon, 4 Mar 1996 08:06:26 -0800 (PST) Received: by inet1.tek.com id ; Mon, 4 Mar 1996 08:04:54 -0800 Received: from tektronix.tek.com(134.62.48.24) by inet1 via smap (V1.3) id sma024702; Mon Mar 4 08:04:41 1996 Received: from orca.wv.tek.com by tektronix.TEK.COM (4.1/8.2) id AA01824; Mon, 4 Mar 96 08:04:40 PST Received: from trouble.WV.TEK.COM by orca.wv.tek.com (4.1/8.2) id AA20136; Mon, 4 Mar 96 08:06:46 PST Received: by trouble.WV.TEK.COM (4.1/8.0) id AA02708; Mon, 4 Mar 96 08:03:07 PST Date: Mon, 4 Mar 1996 08:03:06 -0800 (PST) From: Kent Dahlgren To: firewalls@GreatCircle.COM Subject: IRC - possible problem. In-Reply-To: <199603041221.NAA04469@gavroche.enst.fr> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 4 Mar 1996, Kamel Khadri wrote: > get me off this list please Hahahaha...what a way to start the week. They are so cute when they are desperate. Anyhow..I got a question for the group. Anyone here familiar with IRC? Thats IRC, as in Internet Relay Chat. The thing that far too many people waste thier lives doing. Anyhow, I personally witnessed a "hack" that involves taking control of a remote person's...I hate to say keyboard, but that's about what it is. The attacker being able to execute remote commands from his (her) keyboard, on the victims system. Now I know that all of you administrators out there would never dream of allowing IRC, but in case you all know somebody that would do such a thing, and they had experienced anything like complaints of a "temporarily locked keyboard" or any other boogie men like that, let me know. dogman@trouble.wv.tek.com Patiently awaiting your return, Mr. Sick Pup. "Any ideas expressed here may not reflect those of my employers" ______________________________________________________________________________ ______ T E K T R O N I X _ C P I D _ T E C H N I C A L _ S U P P O R T _______ / Voice: 1.800.835.6100 E-mail: support@colorprinters.tek.com Fax: 1.503.685.3063 WWW: www.tek.com BBS: 1.503.685.4504 E-World: Keyword Tektronix HAL: 1.503.682.7450 AOL: Keyword Tektronix Service: 1.800.835.6100 FTP: ftp.tek.com ______________________________________________________________________________ From firewalls-owner Mon Mar 4 10:30:56 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA29687 for firewalls-outgoing; Mon, 4 Mar 1996 08:44:55 -0800 (PST) Received: from guardian (guardian.ecstech.com [204.241.131.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA29681 for ; Mon, 4 Mar 1996 08:44:51 -0800 (PST) Received: from [140.229.16.111] by guardian (SMI-8.6/SMI-SVR4) id LAA29830; Mon, 4 Mar 1996 11:39:38 -0500 Date: Mon, 4 Mar 1996 11:39:38 -0500 X-Sender: rayw@guardian.ecstech.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: ray.wilson@ecstech.com (Ray Wilson) Subject: Network Access Security Analysis Consultant Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am looking to find a consultant to join a team analyzing network security vulnerabilities. Please follow-up by direct email. The project will be to complete a comprehensive analysis of the client's network systems. Thank you. ray.wilson@ecstech.com From firewalls-owner Mon Mar 4 10:50:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA03865 for firewalls-outgoing; Mon, 4 Mar 1996 09:56:59 -0800 (PST) Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA03857 for ; Mon, 4 Mar 1996 09:56:54 -0800 (PST) Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.7.4/8.7.4) with UUCP id LAA04427 for GreatCircle.COM!firewalls; Mon, 4 Mar 1996 11:11:03 -0600 (CST) Received: by ris1.nmti.com (smail2.5) id AA16693; 4 Mar 96 10:51:28 CST (Mon) Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id KAA21966; Mon, 4 Mar 1996 10:20:33 -0600 Received: by sonic.nmti.com; id AA23938; Mon, 4 Mar 1996 10:21:23 -0600 From: peter@nmti.com (Peter da Silva) Message-Id: <9603041621.AA23938@sonic.nmti.com.nmti.com> Subject: Re: Handling IP addressing conflicts with cascaded proxies To: chatel.marc@a1_annecy.frmrc.aeo.mts.dec.com (MARC CHATEL @AEO) Date: Mon, 4 Mar 1996 10:21:23 -0600 (CST) Cc: firewalls@GreatCircle.COM, rapoport@iway.fr In-Reply-To: <21648040306991/6714513@FRMRC> from "MARC CHATEL @AEO" at Mar 4, 96 08:37:01 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > More importantly (everybody, hope that IPV6 comes in fast enough > to minimize this), how will we handle cases where N > 2 IP internetworks > have conflicting network numbers and need to be interconnected? Renumber them so they don't conflict. From firewalls-owner Mon Mar 4 10:50:42 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA02891 for firewalls-outgoing; Mon, 4 Mar 1996 09:35:02 -0800 (PST) Received: from gateway.kellogg.com (gateway.kellogg.com [198.108.149.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA02686 for ; Mon, 4 Mar 1996 09:31:42 -0800 (PST) Received: by gateway.kellogg.com id AA09359 (InterLock SMTP Gateway 3.0 for firewalls@greatcircle.com); Mon, 4 Mar 1996 12:26:35 -0500 Received: by gateway.kellogg.com (Protected-side Proxy Mail Agent-1); Mon, 4 Mar 1996 12:26:35 -0500 Mime-Version: 1.0 Date: Mon, 4 Mar 1996 08:25:55 -0500 Message-Id: <13b14b70@cornelius.scp.com> From: Alex.Eveleigh@kellogg.com (Alex Eveleigh) Subject: Novell Standards Framework To: firewalls@greatcircle.com Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello Everyone, I know this request is a bit off topic, but I thought that since standards is an important part of security, some of you may be able to point me in the right direction. We are defining our Novell standards (specifically for 4.x NDS) from the ground up. I will be responsible for the security piece and we would like to know if there is anywhere that we could get either a sample of some standards that others have defined or even a framework to start from. These standards will be for everything not just security standards. If anyone has some information they would be willing to share or knows where we might get this type of information, that would give us a jump start in the process of creating these standards, and it would be greatly appreciated. Thanks, Alex From firewalls-owner Mon Mar 4 11:10:29 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA05828 for firewalls-outgoing; Mon, 4 Mar 1996 10:32:14 -0800 (PST) Received: from xetron.com (xetron.com [204.242.42.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA05815 for ; Mon, 4 Mar 1996 10:32:07 -0800 (PST) Received: (from uucp@localhost) by xetron.com (8.6.10/gw-950515) id NAA11267 for ; Mon, 4 Mar 1996 13:30:30 -0500 Received: from kgw2.xetron.com(129.228.20.253) by gate129.xetron.com via smap (V1.3) id sma011261; Mon Mar 4 13:30:06 1996 Received: (from news@localhost) by kgw2.xetron.com (8.6.10/h-950420) id NAA03461 for firewalls@greatcircle.com; Mon, 4 Mar 1996 13:30:04 -0500 From: Dave Steele Subject: Re: Web Caching Proxy Servers Message-ID: Nntp-Posting-Host: dss_mac.xetron.com Organization: Xetron Corp. References: <26407.199603040941@gpo.gb.swissbank.com> To: firewalls@greatcircle.com Date: Mon, 4 Mar 1996 18:21:11 GMT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In article <26407.199603040941@gpo.gb.swissbank.com>, boardmr@gb.swissbank.com (Richard Boardman) wrote: > I'm looking at web caching proxy servers on behalf of my company. > ... > I'm interested in the following aspects :- ... > > * performance considerations > -- cache configuration, consistency methods and tuning > -- number of users > -- throughput (requests/second) I can't comment on throughput, but our network cache hit rate is very poor (about 10% with a 50 MB cache). So we are getting little benefit from the cache processing. If you have over 10-20 users, you should expect about the same number. I only keep it around because there is very little maintenance involved, and the cache is invisible to the end users. -- Dave Steele - daves@xetron.com Xetron Corp. 460 W. Crescentville Road Cincinnati, Ohio 45246 From firewalls-owner Mon Mar 4 11:32:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA01210 for firewalls-outgoing; Mon, 4 Mar 1996 09:04:41 -0800 (PST) Received: from NUki (nuki.netuse.de [193.98.110.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA01180 for ; Mon, 4 Mar 1996 09:04:21 -0800 (PST) Received: from white by Mail.NetUSE.de with uucp (SMail3.1.29.0 #5) ID m0ttdjL-0009H0C: Mon, 4 Mar 96 18:07 MET Received: by white.schulung.netuse.de (Smail3.1.29.0 #2) id m0ttcXP-0008vDC; Mon, 4 Mar 96 16:51 MET Received: from GATEWAY by white.schulung.netuse.de with netnews for firewalls@greatcircle.com (firewalls@greatcircle.com) To: firewalls@greatcircle.com Date: Mon, 4 Mar 1996 15:46:48 GMT From: kris@schulung.netuse.de (=?ISO-8859-1?Q?Kristian_K=F6hntopp?=) Message-ID: Organization: =?ISO-8859-1?Q?entf=E4llt?= References: <199603040900.BAA11989@miles.greatcircle.com> Subject: Re: Eternal war: gateway versus filtering Sender: firewalls-owner@GreatCircle.COM Precedence: bulk M.J.Ranum writes: > So -- application level firewalls and dynamic >packet filters are basically the same thing as far as I >am concerned, for outgoing access. For incoming data, >you need to look at the application and how/if it can >hurt you, and, at this point, I wouldn't rely on my >firewall to protect me. Hmm, along your lines of argumentation application level gateways and dynamic packet filters are basically the same thing. And if you are using plug gateways as an advanced way of implementing access control lists, there should be no big difference between OSI layer 7 gates and layer 4 gates. A proper application level gateway has more information than anything operating on layer 4, though. And if it decides to make use of this advanced knowledge (that is: if it implements the protocol spoken on this connection instead of simply shuffling bytes to the real application behind the firewall) it has more opportunities to check, log and control the connections going inside. Take mail for example: If you were using a plug-gw to connect your incoming SMTP port to some sendmail behind the firewall, nothing is really won. The plug-gw might be able to filter out some incoming hosts, but this is nothing you want to do with incoming mail. Since the protocol spoken on the incoming connection is not checked by the plug-gw, any attack to the sendmail behind the firewall is still possible. If you were using something like SMAP on the incoming SMTP port, you are operating at OSI layers 5 and 6. The gateway already does know about the protocol spoken at this port and can recognize and catch any protocol violations - something a packet filter will never be able to do. And if you were using something like MIMEsweeper on the incoming SMTP port, you are operating at OSI layer 7: The gateway now has some (admittedly limited) idea about the content of the messages themselves, that are transferred through it. It is able to scan the content of the messages for some unwanted characteristics and hold these messages back. The key here is to make use of the more advanced state information of the higher communication layers. A plug-gw ignores this additional information: While it is an "application", it acts basically acts as a some kind of packet filter. Only something more advanced that actually knows about the application protocols and the contents transferred can make use of the additional higher level protocol information and make decisions based on this information. If you were to create some kind of secure http proxy for example, it would be a good idea to really parse the URLs passed to you instead of simply shuffling them to the server on the other side. If the URL passed to you had for example CGI parameters attached, you could find out shell metacharacters in them and try to kill them or translate them into their %-representations or reject all further requests from this site. Of course this contradicts to a certain degree the "keep it simple stupid" approach presented by Cheswick/Bellovin: An application level gateway thatz actually tries to implement the protocol spoken at the port it guards is certainly more complex than a simple plug-gw and runs a higher risk of hiding some nasty bug somewhere inside... Kristian -- Kristian Koehntopp, Wassilystrasse 30, 24113 Kiel, +49 431 688897 ">just a lil' jonk mail to test if i can post this server Ya, siems set ju can post sis server. Bat sies is se wrong gruup! Test schud be sent tu a local Testgruup or de.test. Bai se way, you forgot to fill in yur Rielnaime." -- 072437008-0001@t-online.de, max@didi.tng.oche.de, de.newusers.questions From firewalls-owner Mon Mar 4 13:06:06 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA12274 for firewalls-outgoing; Mon, 4 Mar 1996 12:31:42 -0800 (PST) Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA12258 for ; Mon, 4 Mar 1996 12:31:37 -0800 (PST) Received: from cynic.org by orpheus.amdahl.com with smtp (Smail3.1.29.1 #3) id m0ttgtQ-0001gOC; Mon, 4 Mar 96 12:30 PST Received: from sutr.cynic.org (localhost) by cynic.org (5.x/SMI-SVR4) id AA28873; Mon, 4 Mar 1996 12:29:59 -0800 Message-Id: <9603042029.AA28873@ cynic.org> To: firewalls@greatcircle.com Subject: Re: Proxy-server for AOL client??? In-Reply-To: Your message of Thu, 29 Feb 1996 13:03:54 GMT. <01BB06A6.62043000@itcl1.uap.edu.ph> Date: Mon, 04 Mar 1996 12:29:58 -0800 From: Perry The Cynic Sender: firewalls-owner@GreatCircle.COM Precedence: bulk For those who asked (more than I expected...): My AOL relay demon can be retrieved via anonymous ftp from ftp.amdahl.com:/pub/users/perry/aolrelay.tar If for some reason you have trouble using ftp, drop me a note and I'll mail you a copy. For those who asked what the big deal is - it isn't. It took me about two hours to write the thing, and another hour to document it. I'm sure that plug-gw will do fine; for that matter, a judicious hole in your router will do. I just happen to have a preference for custom relays. Cheers -- perry ------------------------------------------------------------------------ Perry The Cynic perry@cynic.org To a blind optimist, an optimistic realist must seem like a Cursed Cynic. ------------------------------------------------------------------------ From firewalls-owner Mon Mar 4 13:11:24 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA13114 for firewalls-outgoing; Mon, 4 Mar 1996 12:48:07 -0800 (PST) Received: from voicenet.com (mail.voicenet.com [192.204.28.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA13089 for ; Mon, 4 Mar 1996 12:47:22 -0800 (PST) From: psiphi@voicenet.com Received: from vdc703cv (cherryhill19.voicenet.com) by voicenet.com (4.1/SMI-4.1) id AA15831; Mon, 4 Mar 96 15:45:47 EST Message-Id: <9603042045.AA15831@voicenet.com> Comments: Authenticated sender is To: firewalls@greatcircle.com Date: Mon, 4 Mar 1996 15:46:01 +0000 Subject: WWW Servers & Firewalls Reply-To: psiphi@voicenet.com X-Mailer: Pegasus Mail for Windows (v2.23) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I've been seaching for some documentation on how CGI scripting works in relation to setting up a WWW server on the outside of a firewall that would use CGI scripts to send and retrieve info from a database server on the inside of a firewall and also start tn3270 sessions from the WWW server to a SNA host inside of the firewall....is there any documentation on the net on how this works or examples..of this Also how are other folks implementing there WWW servers to work with their firewalls...as far as keeping corporate data secure and allowing only those external users with proper authorization access to this info..... My thoughts since I'm new to this thing is to have the WWW server on the screened external subnet... the external users would access this server and the server initiate any requests for additional info from a database or other backend service on the internal side of the firewall... The server would pass these requests through the firewall to the internal resources via some sort of CGI script. And these requests could be facilitated via a Generic Proxy on the firewall..... How more secure is this than allowing all external users to go through the proxy server to the WWW servers on the other side of the firewall..... I prefer the first option myself but some others prefer the second option becuase it is easier to setup but I think that it is less secure becuase if the WWW server is compromised then the intruders are already beyond the firewall... Anyone have any thoughts Brian psiphi@voicenet.com From firewalls-owner Mon Mar 4 13:35:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA13554 for firewalls-outgoing; Mon, 4 Mar 1996 12:58:26 -0800 (PST) Received: from minerva1.bull.it (minerva1.bull.it [138.70.10.27]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA13549 for ; Mon, 4 Mar 1996 12:58:21 -0800 (PST) Received: by minerva1.bull.it (5.65c/940824-01) id AA15508; Mon, 4 Mar 96 21:33:49 +0100 From: gvilla@minerva1.bull.it (Guido Villa) Received-Date: Mon, 4 Mar 96 21:33:49 +0100 Message-Id: <199603042033.AA15508@minerva1.bull.it> Subject: Re: Firewall Back-up To: sgcccdc@citec.qld.gov.au (Colin Campbell) Date: Mon, 4 Mar 1996 21:33:47 +0100 (MET) Cc: firewalls@greatcircle.com In-Reply-To: <199603040132.LAA08198@guru.citec.qld.gov.au> from "Colin Campbell" at Mar 4, 96 11:32:53 am X-Mailer: ELM [version 2.4 PL22] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Colin, it seems interesting. See in between ---- (below) for a couple of clarifications. Target should be "fully automatic method" for master/back-up swap (I mean without any operator intervention). Guido Villa > My mailer thinks Guido Villa said: > > > > In order to get high-availability target this config should be set-up: > > > > > > OUT NET > > ---------------------------------------------------------------------- > > | | > > | .1 | .2 > > --------- --------- > > | | | | > > | | | | > > |master | |backup | > > --------- --------- > > | | > > IN NET | | > > ---------------------------------------------------------------------- > > > > "master" could crash or physical (tcp-ip down) or logical (telnet down). > > -- -- > > > > "backup" should be able to start automatically. > > > > Thinking about DNS reconfiguration to be activated as "backup" detects > > "master"'s failures (physical/logical), which kind of solution is known? > > > > I'm thinking for automatic updating of file "named" (ip-address .1 changed > > with .2). > > Most good OSes(?) (BSDI, Solaris, Linux) allow overloading of IP > addresses on an interface. > > Consider first, the inside network. For this example, assume that master > is 192.9.200.2 and backup is 192.9.200.3. For the users we will have a > pseudo-host "firewall" with the address 192.9.200.1. Users should only > ever use "firewall". > > When master boots, it configures the inside interface to have > 192.9.200.2 (its real address) and 192.9.200.1 (to act as firewall). ---------------------------------------------------------------------------- How does "192.9.200.1" work ? (from DNS standpoint) ---------------------------------------------------------------------------- > Backup merely configures its inside interface as 192.9.200.3. > > When backup determines master has died, and it really must be sure, it > configures its inside interface with 192.9.200.1 and firewall is > listening again. > ---------------------------------------------------------------------------- How does "configures" work ? Is it automatic ? Does it require "reboot", others ? ---------------------------------------------------------------------------- > When master reboots it must check to see that "firewall" (192.9.200.1) > is not configured anywhere before it configures that address. > > You will also need to do the same thing for the outer interfaces. > > This way your DNS does not need to change and you simply run backup as a > secondary DNS server for master. > > Of course ALL sessions active when master dies will also die. With separate > machine it is impossible to maintain them. So telnet/ftp sessions will die > but WWW will probably continue although the page being loaded when "firewall" > died will need to be reloaded. > > Colin > From firewalls-owner Mon Mar 4 13:49:40 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA15380 for firewalls-outgoing; Mon, 4 Mar 1996 13:36:59 -0800 (PST) Received: from inet1.tek.com (inet1.tek.com [134.62.48.21]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA15339 for ; Mon, 4 Mar 1996 13:35:53 -0800 (PST) Received: by inet1.tek.com id ; Mon, 4 Mar 1996 13:33:39 -0800 Received: from tektronix.tek.com(134.62.48.24) by inet1 via smap (V1.3) id sma035085; Mon Mar 4 13:33:12 1996 Received: from orca.wv.tek.com by tektronix.TEK.COM (4.1/8.2) id AA02595; Mon, 4 Mar 96 13:33:06 PST Received: from trouble.WV.TEK.COM by orca.wv.tek.com (4.1/8.2) id AA26812; Mon, 4 Mar 96 12:14:43 PST Received: by trouble.WV.TEK.COM (4.1/8.0) id AA02897; Mon, 4 Mar 96 12:11:04 PST Date: Mon, 4 Mar 1996 12:11:03 -0800 (PST) From: Kent Dahlgren To: firewalls@GreatCircle.COM Subject: Re: IRC - possible problem. In-Reply-To: Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Due to the mail I've got, I'd like to amplify and clarify what I know. I can only confirm that this hack works from a UNIX based system; I don't know if works by attacking PC and Mac based IRC clients. It is possible due to a hole in the CTCP protocol that is part of the IRC distribution. I posted this here because I thought it may be the appropriate forum, but if it is not, please tell me, and I'll try and spead the word by other means. Actually, I'd like to know how I could notify the best people to address this thing, now that I know its a little bigger than I thought. dogman "Any ideas expressed here may not reflect those of my employers" ______________________________________________________________________________ ______ T E K T R O N I X _ C P I D _ T E C H N I C A L _ S U P P O R T _______ / Voice: 1.800.835.6100 E-mail: support@colorprinters.tek.com Fax: 1.503.685.3063 WWW: www.tek.com BBS: 1.503.685.4504 E-World: Keyword Tektronix HAL: 1.503.682.7450 AOL: Keyword Tektronix Service: 1.800.835.6100 FTP: ftp.tek.com ______________________________________________________________________________ From firewalls-owner Mon Mar 4 15:49:51 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA20527 for firewalls-outgoing; Mon, 4 Mar 1996 15:37:01 -0800 (PST) Received: from natproxy.ferntree.com.au ([203.12.79.20]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA20521 for ; Mon, 4 Mar 1996 15:36:55 -0800 (PST) Received: by natproxy.ferntree.com.au; id KAA17718; Tue, 5 Mar 1996 10:35:15 +1100 Received: from unknown(172.16.1.20) by natproxy.ferntree.com.au via smap (V3.1) id xma017714; Tue, 5 Mar 96 10:35:08 +1100 Received: by natmailnotes.ferntree.com.au (IBM OS/2 SENDMAIL VERSION 1.3.14/2.12um) id AA2038; Tue, 05 Mar 96 10:32:38 +1000 Message-Id: <9603050032.AA2038@natmailnotes.ferntree.com.au> Received: from Ferntree with "Lotus Notes Mail Gateway for SMTP" id E3A4B8F7A71F64324A2562E40002BD4E; Tue, 5 Mar 96 10:32:35 To: Richard Boardman Cc: Firewalls From: Colin Spence Date: 5 Mar 96 10:40:29 Subject: Re: Web Caching Proxy Servers Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I'm looking at web caching proxy servers on behalf of my company. > We are aware of the Netscape proxy server, TIS http-gw and the CERN > httpd, are there any other products (Unix/NT) out there that we should > be evaluating? My understanding of the TIS http-gw is that it can't act as a Web Caching server. Please correct me if I am wrong or there is a workaround. From TIS: Further to our recent telephone conversation, with regard to caching Web Pages, Gauntlet at this time does not deal with the caching of Web Pages. Trusted Information Systems wont implement this on the Firewall as they have deemed it insecure, this isn't to say that in future versions of Gauntlet this will not be addresses as a possible futureenhancement if demand is appropriate. We suggest that for most implementations, the Caching in the Web Browsing software is sufficient. Regards, Colin Spence Ferntree Computer Corporation ================================================================================= I'm looking at web caching proxy servers on behalf of my company. Does anyone have any comments on available products or pointers to sources of information such as independent product evaluations or comparisions? (aside from the regular marketing blurb). We are aware of the Netscape proxy server, TIS http-gw and the CERN httpd, are there any other products (Unix/NT) out there that we should be evaluating? Our intention is to use it as a proxy only (ie. relaying and supplying requests for internal users -- there should be no outward-serving functionality at all). I'm interested in the following aspects :- * security -- source code availability -- any third party evaluations -- remapping/blocking of certain URLs -- content filtering (eg. Java) -- support for SSL, SHTTP -- secure logging * performance considerations -- cache configuration, consistency methods and tuning -- number of users -- throughput (requests/second) * general -- architecture (Unix/NT) -- support issues -- level of transparency to users -- ease of management Thanks for any help, please can people send replies to me direct, I'll post a summary. Rick -- >Rick Boardman>>IT>>>>>>>>>>>>>>>>>>>>>boardmr@gb.swissbank.com> ; Mon, 4 Mar 1996 16:02:04 -0800 (PST) Received: from panoramix.fi.upm.es by relay.fi.upm.es (PMDF V5.0-6 #15665) id <01I1YLVFXD720000F4@relay.fi.upm.es> for firewalls@greatcircle.com; Tue, 05 Mar 1996 01:00:24 +0100 (MET) Received: by panoramix.fi.upm.es (8.6.11/FI-3.2) Thu, 29 Feb 1996 10:05:34 +0100 Date: Thu, 29 Feb 1996 10:05:33 +0100 (MET) From: "Fco. Damian Ruiz Soriano" Subject: Linux NAT / ip-fw To: firewalls@greatcircle.com Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am a 4nd year computer science student at Universidad Politecnica de Madrid, in Spain; and I am involved in a graduate project on internet firewalls. Most of my research and reading has been in this area - with my main focus on developing a firewall to run in a Linux system. I'm interested in finding out any information on relating to NAT (Network Address Translation) programs preferably to run on a Linux system; and the ip-fw package for linux. If someone have more recent information on ip-fw package for linux (or NAT for Linux) I'd appreciate a mail. Thanks for your time, Damian _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ _/ damian@panoramix.fi.upm.es Damian Ruiz Soriano _/ _/ Caronte Proyect Universidad Politecnica de Madrid _/ _/ Facultad de Informatica, CCFI _/ _/ PHO: (+34) (1) 336 7452 Campus de Montegancedo _/ _/ FAX: (+34) (1) 336 7412 Boadilla del Monte E-28660 (SPAIN)_/ _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ From firewalls-owner Mon Mar 4 17:55:42 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA25480 for firewalls-outgoing; Mon, 4 Mar 1996 17:15:50 -0800 (PST) Received: from night.dataphone.se (night.dataphone.se [194.23.92.80]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA25455 for ; Mon, 4 Mar 1996 17:15:32 -0800 (PST) Received: from night.dataphone.se (trident@night.dataphone.se [194.23.92.80]) by night.dataphone.se (8.6.12/8.6.9) with SMTP id CAA01488; Tue, 5 Mar 1996 02:13:21 +0100 Date: Tue, 5 Mar 1996 02:13:21 +0100 (MET) From: Magnus Bergman Reply-To: Magnus Bergman Subject: Re: IRC - possible problem. To: Kent Dahlgren cc: firewalls@GreatCircle.COM In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Due to the mail I've got, I'd like to amplify and clarify what I know. I > can only confirm that this hack works from a UNIX based system; I don't > know if works by attacking PC and Mac based IRC clients. It is possible > due to a hole in the CTCP protocol that is part of the IRC distribution. > I posted this here because I thought it may be the appropriate forum, but > if it is not, please tell me, and I'll try and spead the word by other > means. I don't think this is a bug in the ircII-client it self or in the IRC-implementations. Rather it is bugs/backdoors in different irc-scripts that make this kind of things possible. For example in the IRC-script phoenix.irc (I am not sure what versions it is/is not fixed in, I have been able to exploit it in phoenix 2.25 here though) there is a bug that makes it possible to execute any shell-commands remote if you have dcc autoget on. Generally autoget is always a big NO-NO anyway but it is enabled by default at least in phoenix 2.25. The important guideline is: NEVER EVER run a IRC-scripts that you have not looked through carefully. There are many nasty examples of scripts that look quite legitimate after the first brief look but have all kinds of backdoors/trojans and so on. Regards ------------------------------------------------------------------------------ Magnus Bergman Email: trident@dataphone.se System Administrator PGP Key: finger trident@night.dataphone.se Dataphone Sweden Inc. URL: http://www.trident.pp.se/ Stockholm / Sweden Cellular: +46-708-658332 ------------------------------------------------------------------------------ You don't love a woman because she is beautiful, but she is beautiful because you love her ------------------------------------------------------------------------------ From firewalls-owner Mon Mar 4 21:31:02 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA03405 for firewalls-outgoing; Mon, 4 Mar 1996 21:27:19 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA03400 for ; Mon, 4 Mar 1996 21:27:15 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id VAA06910; Mon, 4 Mar 1996 21:22:11 -0800 Received: from dub-img-1.compuserve.com(198.4.9.1) by mycroft via smap (V1.3mjr) id sma006908; Mon Mar 4 21:21:46 1996 Received: by dub-img-1.compuserve.com (8.6.10/5.950515) id AAA03336; Tue, 5 Mar 1996 00:23:25 -0500 Date: 05 Mar 96 00:20:16 EST From: "S. W. Sidebottom" <72242.2264@compuserve.com> To: web_secure Cc: firewalls Subject: Request for Information - Security Message-ID: <960305052015_72242.2264_EHJ48-1@CompuServe.COM> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Gentlemen (or persons, no disrespect intended), we are in the process of installing a Gauntlet internet firewall and have a number of internal Web sites. We are interested in becoming part of discussion groups on security issues and receiving any information on securing networks from internal and external attacks. Thanks Steve Sidebottom, CISA, CISSP Corporate Security Services E-6100 Saudi Aramco Dhahran 31311 Saudi Arabia From firewalls-owner Mon Mar 4 22:08:23 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA04410 for firewalls-outgoing; Mon, 4 Mar 1996 21:54:54 -0800 (PST) Received: from fastlane.net (fastlane.net [204.251.16.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id VAA04405 for ; Mon, 4 Mar 1996 21:54:50 -0800 (PST) Received: from [204.251.16.78] ([204.251.16.78]) by fastlane.net (8.7.3/8.7.3) with SMTP id AAA28077; Tue, 5 Mar 1996 00:46:51 -0600 (CST) X-Authentication-Warning: fastlane.net: Host [204.251.16.78] didn't use HELO protocol Message-ID: <313BBE22.3F6D@fastlane.net> Date: Mon, 04 Mar 1996 23:08:02 -0500 From: Howard Barnett Organization: Designs That Compute X-Mailer: Mozilla 2.0 (Win16; I) MIME-Version: 1.0 To: Rabid Wombat CC: Firewalls@GreatCircle.COM Subject: Re: IP fragments and packet filters References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Rabid Wombat wrote: > > On Fri, 1 Mar 1996, Paul Ferguson wrote: > > > The fragmentation and, more importantly, reassembly should happen in this > > case transparently long before it reaches your router/firewall/whatever. > > > > - paul > > Yes - segment and re-assembly should occur at the edge devices. > > > > > At 10:28 PM 2/29/96 -0500, Charles B. Kaplan wrote: > > > > >>The only time you're ever likely to see a packet with FO=1 is if a bad guy is > > >>knocking at your door. > > > > > >IE, my east coast LAN wants to connect to my west coast LAN, which will > > >involve traversing (substitute your favorate backbone providers) ATM link. > > >Therefor my 68byte header + data get dumped into larger (I forget frame size > > >at the moment) ATM cell, which could POSSIBLY ?? cause one byte to cross a > > >cell boundry, and thuse appear fragmented to the remote site ? > > > > ATM uses 53 byte cells, 48 bytes of payload, 5 bytes header. Much smaller > than your IP packtes. SAR should occur before reaching your firewall, > however. > > - r.w.Right Lan Emulation makes the 48 byte payload transparent to IP. From firewalls-owner Mon Mar 4 23:59:47 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id XAA10330 for firewalls-outgoing; Mon, 4 Mar 1996 23:40:21 -0800 (PST) Received: from uustar.starnet.net (uustar.starnet.net [199.217.253.12]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA04675 for ; Mon, 4 Mar 1996 10:10:55 -0800 (PST) Received: from hq.UUCP by uustar.starnet.net with UUCP id AA25240 (5.67b/IDA-1.5 for greatcircle.com!firewalls); Mon, 4 Mar 1996 11:38:30 -0600 Received: (from daemon@localhost) by hq.agedwards.com (8.6.9/8.6.9) id LAA17879 for firewalls@greatcircle.com.outbound; Mon, 4 Mar 1996 11:10:40 -0600 Received: from igate.agedwards.com (igate.agedwards.com [159.45.56.11]) by hq.agedwards.com (8.6.9/8.6.9) with ESMTP id LAA17875 for ; Mon, 4 Mar 1996 11:10:38 -0600 Received: from Microsoft Mail (PU Serial #1093) by igate.agedwards.com (PostalUnion/SMTP(tm) v2.1.8c for Windows NT(tm)) id AA-1996Mar04.110800.1093.34752; Mon, 04 Mar 1996 11:11:45 -0600 From: nicholscs@agedwards.com (Nichols,Christopher) To: firewalls@greatcircle.com (' firewalls@greatcircle.com') Message-Id: <1996Mar04.110800.1093.34752@igate.agedwards.com> X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Organization: A.G. Edwards & Sons Inc. St. Louis Date: Mon, 04 Mar 1996 11:11:45 -0600 Subject: tcpdump Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Has anyone compiled tcpdump and libpcap on an HP9000? Any hints/suggestions would be appreciated. Thanks Chris From firewalls-owner Tue Mar 5 00:48:57 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id AAA12430 for firewalls-outgoing; Tue, 5 Mar 1996 00:32:33 -0800 (PST) Received: from orodruin.CS.Berkeley.EDU (orodruin.CS.Berkeley.EDU [128.32.38.24]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id AAA12425 for ; Tue, 5 Mar 1996 00:32:29 -0800 (PST) Received: from espresso.CS.Berkeley.EDU.mammoth (espresso.CS.Berkeley.EDU [128.32.33.40]) by orodruin.CS.Berkeley.EDU (8.7.Gamma.0/8.7.Gamma.0) with SMTP id AAA14150 for ; Tue, 5 Mar 1996 00:30:59 -0800 (PST) Received: by espresso.CS.Berkeley.EDU.mammoth (5.x/SMI-SVR4) id AA02195; Tue, 5 Mar 1996 00:30:41 -0800 From: daw@orodruin.CS.Berkeley.EDU (David A Wagner) Message-Id: <9603050830.AA02195@espresso.CS.Berkeley.EDU.mammoth> Subject: fun with the web and security To: firewalls@greatcircle.com Date: Tue, 5 Mar 1996 00:30:41 -0800 (PST) Reply-To: daw@cs.berkeley.edu X-Mailer: ELM [version 2.4 PL25] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Here's a fun way to exploit security holes via the web: http://www.cs.berkeley.edu/~daw/js1.html A rough representation of its contents follow. (Apologies in advance if this topic has already appeared here; I thought it might be worth passing on a note of warning. Comments are welcome.) Whee! The web is awfully convenient for exploiting security bugs.... The following URL contacts your sendmail SMTP server and attempts to exploit an old, well-known security hole, trying to gain root access. Click _here_ to try it. As it stands, clicking on the URL above does not do anything harmful to your machine-- but it could! (This is a test of the emergency broadcast system. This is only a test.) ______________ We can get you to send arbitrary text, to an arbitrary port on an arbitrary host, from your machine. (If you are inside a firewall, we can thereby send arbitrary text to any internal machine by getting you to click on the link above.) The technique is simple: we list the host and port in a gopher URL, and encode the text to be sent in the path. For instance, a successful exploit of the hole could leave a backdoor root shell, and inform us via a pseudonym at an anonymous remailer. The exploit could be hidden by use of the JavaScript "width=1,height=1" techniques pioneered at John LoVerso's _JavaScript security hole page_; then you wouldn't even know when you'd been attacked. The exploit could be forced on you via many standard tricks: the Redirect: or META-EQUIV Refresh: or JavaScript mechanisms work fine, for instance. This is most dangerous when you are behind a firewall. Typically, there will be many machines inside a firewall which run insecure software. Normally, that would be safe, since the firewall prevents an outsider from connecting to the unsafe sendmail servers inside-- yet the example URL above allows outsiders like us to exploit security holes on the inside of your firewall. Nothing stops us from putting the IP address of a vulnerable machine inside your firewall in the URL above, and waiting for you to click on it: the firewall doesn't prevent connections from you to the internal vulnerable machine, and thus can't stop this attack. Using JavaScript, we don't even have to wait for you to click on anything. Furthermore, a JavaScript program could systematically and invisibly try all the machines inside your firewall. We could have used many other well-known security holes: there's nothing special about this particular sendmail bug (except that it was convenient for us to implement). ______________ Be afraid. Be very afraid. -- Ian Goldberg and David Wagner. P.S. Thanks to Steve Bellovin for discussing a similar issue with me last week. From firewalls-owner Tue Mar 5 01:31:24 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id BAA14323 for firewalls-outgoing; Tue, 5 Mar 1996 01:08:31 -0800 (PST) Received: from brian.dynasuk.co.uk (brian.dynasuk.co.uk [194.200.17.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id BAA14318 for ; Tue, 5 Mar 1996 01:08:26 -0800 (PST) Received: (from uucp@localhost) by brian.dynasuk.co.uk (8.6.11/8.6.9) id JAA10042; Tue, 5 Mar 1996 09:03:53 GMT Received: from ripley.dynasuk.co.uk(192.188.129.101) by brian.dynasuk.co.uk via smap (V1.3) id sma010040; Tue Mar 5 09:03:32 1996 Received: from zeberdee.dynasuk.co.uk (zeberdee.dynasuk.co.uk [192.188.129.134]) by ripley.dynasuk.co.uk (8.6.12/8.6.12) with SMTP id JAA04582; Tue, 5 Mar 1996 09:08:15 GMT Date: Tue, 5 Mar 1996 09:03:01 +0000 (GMT) From: Martin Hepworth To: boardmr@gb.swissbank.com cc: firewalls@greatcircle.com Subject: Caching the web Message-ID: X-Address: DynaSoft 8 South Parade Summertown Oxford OX2 7JL UK X-Voice: +44 (01)865 316333 X-Fax: +44 (01)865 316444 X-WWW: http://www.dynas.se MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Try the Harvest web cacher, its the one the academics use over here, check out http://harvest.cs.colorado.edu/ for the latest info. Martin Hepworth ***************************************************************** * Dynasoft * Tel No. +44 (0)1865 316333 * * 8 South Parade * Telefax +44 (0)1865 316444 * * Summertown * Support +44 (0)1865 316070 * * Oxford * E-mail: martin@dynasuk.co.uk * * OX2 7JL, UK * WWW : http://www.dynas.se * ***************************************************************** From firewalls-owner Tue Mar 5 02:02:11 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id BAA17823 for firewalls-outgoing; Tue, 5 Mar 1996 01:57:26 -0800 (PST) Received: from GOOFY.FI.UPM.ES (goofy.fi.upm.es [138.100.8.23]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id BAA17809 for ; Tue, 5 Mar 1996 01:57:00 -0800 (PST) Received: from panoramix.fi.upm.es by relay.fi.upm.es (PMDF V5.0-6 #15665) id <01I1Z6M727FG0000F4@relay.fi.upm.es> for firewalls@greatcircle.com; Tue, 05 Mar 1996 10:53:50 +0100 (MET) Received: by panoramix.fi.upm.es (8.6.11/FI-3.2) Tue, 5 Mar 1996 10:53:49 +0100 Date: Tue, 05 Mar 1996 10:53:48 +0100 (MET) From: "Fco. Damian Ruiz Soriano" Subject: Linux_NAT_ip_fw To: firewalls@greatcircle.com Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am a 4nd year computer science student at Universidad Politecnica de Madrid, in Spain; and I am involved in a graduate project on internet firewalls. Most of my research and reading has been in this area - with my main focus on developing a firewall to run in a Linux system. I'm interested in finding out any information on relating to NAT (Network Address Translation) programs preferably to run on a Linux system; and the ip-fw package for linux. If someone have more recent information on ip-fw package for linux (or NAT for Linux) I'd appreciate a mail. Thanks for your time, Damian _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ _/ damian@panoramix.fi.upm.es Damian Ruiz Soriano _/ _/ Caronte Proyect Universidad Politecnica de Madrid _/ _/ Facultad de Informatica, CCFI _/ _/ PHO: (+34) (1) 336 7452 Campus de Montegancedo _/ _/ FAX: (+34) (1) 336 7412 Boadilla del Monte E-28660 (SPAIN)_/ _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ From firewalls-owner Tue Mar 5 02:37:24 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id CAA19228 for firewalls-outgoing; Tue, 5 Mar 1996 02:21:12 -0800 (PST) Received: from mail-relay.scientia.com ([194.216.183.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id CAA19214 for ; Tue, 5 Mar 1996 02:20:59 -0800 (PST) Received: by mail-relay.scientia.com with SMTP id KAA03445 for ; Tue, 5 Mar 1996 10:19:37 GMT Message-Id: <199603051019.KAA03445@mail-relay.scientia.com> X-Sender: firewall@pop-server X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 05 Mar 1996 10:19:17 +0000 To: Firewalls@GreatCircle.COM From: Ian Miller Subject: IP fragmentation attacks (was: Pentagon displays due respect...) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 09:16 03/03/96 +0000, you wrote: >If you are doing something that needs to examine tcp flag bits >and the packet is a tcp packet >and the fragment offset in the IP header is 1 >then consider the packet suspect (do whatever you do with evil stuff) > I know this is the RFC1858 solution and it stops _most_ fragmentation attacks. However it still lets one through. I pointed this out to the RFC authors two months ago, and the only reply that I got accepted it is possible. The attack is as follows:- At least two fragments are sent. (It may require a third.) A) FO=0 length >= 16 [i.e. A complete header ] B) FO=0, length 8 bytes [i.e. Ports & Sequence number only] A) contains a completely valid header (e.g. SMTP connection request ACK = 0) B) contains what could be the start of a legal header for an existing connection only. (e.g. both ports > 1023 if you allow outgoing PASV-FTP) However the result of overwriting B with A is an illegal packet that the attacker is trying to get through. (e.g. Connecting to an X11 server) For the attack to work the attacker must find a way of getting the host under attack to combine the A with the rest of B. He can try transmitting in either order. (Obviously if B is transmitted first, it must be less than the whole message and there must be a third fragment with FO>1.) Whether it is possible to achieve the attacker's intended recombination will depend on the precise implementation of TCP the target host. I have little doubt that some TCP/IP stacks are vulnerable. In any case, the TCP/IP stacks on hosts behind a firewall should NOT be security critical components. If they are then the firewall has failed. I suspect that most filtering routers on the market are vulnerable to this sort of attack. Please tell me I am wrong. Ian From firewalls-owner Tue Mar 5 02:52:12 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id CAA19856 for firewalls-outgoing; Tue, 5 Mar 1996 02:28:48 -0800 (PST) Received: from srv-internet.ssb.it (srv-internet.ssb.it [192.106.128.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id CAA19843 for ; Tue, 5 Mar 1996 02:28:37 -0800 (PST) Received: by srv-internet.ssb.it (8.6.11/SSB/UX-1.00) id LAA08255; Tue, 5 Mar 1996 11:44:38 +0100 Received: from email.ssb.it(192.106.129.170) by srv-internet.ssb.it via smap (V1.3) id sma008253; Tue Mar 5 11:44:13 1996 Message-ID: Date: 5 Mar 1996 11:34:07 U From: "Fabio Omenigrandi" Subject: Correction on prev msg- Sec To: "FireWalls" , "SET Discuss" X-Mailer: Mail*Link SMTP/QM 3.0.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk S S B Inter Office Memorandum 5-03-1996 11:21 Oggetto: Correction on prev msg: Security Module Thanks all for the responses. I would like to have a second check for restrict the search. I'm searching for Security Module for PC. I haven't particular requirements for the PC, except that it has to use DOS/Windows. Thank You very much to all. Fabio Omenigrandi Security Analyst From firewalls-owner Tue Mar 5 03:31:13 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id DAA24301 for firewalls-outgoing; Tue, 5 Mar 1996 03:26:23 -0800 (PST) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id DAA24041 for ; Tue, 5 Mar 1996 03:25:43 -0800 (PST) Message-Id: <199603051125.DAA24041@miles.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA277385136; Tue, 5 Mar 1996 22:25:36 +1100 From: Darren Reed Subject: Re: IP fragmentation attacks (was: Pentagon displays due To: firewalls@scientia.com (Ian Miller) Date: Tue, 5 Mar 1996 21:25:35 +1000 (EST) Cc: Firewalls@GreatCircle.COM In-Reply-To: <199603051019.KAA03445@mail-relay.scientia.com> from "Ian Miller" at Mar 5, 96 10:19:17 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In some mail from Ian Miller, sie said: > > At 09:16 03/03/96 +0000, you wrote: > >If you are doing something that needs to examine tcp flag bits > >and the packet is a tcp packet > >and the fragment offset in the IP header is 1 > >then consider the packet suspect (do whatever you do with evil stuff) > > > I know this is the RFC1858 solution and it stops _most_ fragmentation > attacks. However it still lets one through. I pointed this out to the RFC > authors two months ago, and the only reply that I got accepted it is > possible. The attack is as follows:- > > At least two fragments are sent. (It may require a third.) > A) FO=0 length >= 16 [i.e. A complete header ] > B) FO=0, length 8 bytes [i.e. Ports & Sequence number only] > > A) contains a completely valid header (e.g. SMTP connection request ACK = 0) > B) contains what could be the start of a legal header for an existing > connection > only. (e.g. both ports > 1023 if you allow outgoing PASV-FTP) > > However the result of overwriting B with A is an illegal packet that the > attacker is trying to get through. (e.g. Connecting to an X11 server) > For the attack to work the attacker must find a way of getting the host > under attack to combine the A with the rest of B. He can try transmitting > in either order. (Obviously if B is transmitted first, it must be less than > the whole message and there must be a third fragment with FO>1.) > > Whether it is possible to achieve the attacker's intended recombination will > depend on the precise implementation of TCP the target host. I have little > doubt that some TCP/IP stacks are vulnerable. In any case, the TCP/IP > stacks on hosts behind a firewall should NOT be security critical > components. If they are then the firewall has failed. > > I suspect that most filtering routers on the market are vulnerable to this > sort of attack. > > Please tell me I am wrong. This was the whole point of the RFC - to point out that these packets are bad and that they probably shouldn't be forwarded. However, it is beyond the scope of a filtering router to presume it knows how the end point reassembles its datagrams. In the event that the above do go through and presuming that the port comparisons are permitted on the "8 byte packet", then the packet should be filtered _correctly_ for that given port pair. It doesn't matter that you've over ridden an SMTP connection, because that too must have been allowed through. The main danger lies in trying to filter on non-existant header data (ie TCP flags in the case of length = 8) and passing through data which will change the state of the packet being reassembled (FO=1). The above attack doesn't change the state of a TCP packet during reassembly, just the target service, which presumably is allowed anyway. I thus defined a "short" packet in IP Filter as being a packet that contains an incomplete transport header, that it is too short or the frgament offset is within the transport layer header (for TCP/UDP/ICMP). If these packets aren't blocked early, it will not attempt to match TCP flags if the FO!=0 and won't attempt to match the TCP flags if it is "short" (not enough data present) but will otherwise check ports if FO=0 and there is at least 4 data bytes present. In an unfiltered environment, what happens when packets are reassembled is upto the implementation at that point, but I have not seen the source to any which would have been (yet!) vulnerable to this attack. This was all discussed in detail around a year ago on this very same mailling list (took a few vendors a couple of shakes before they woke up :-) However, I haven't seen anything prohibiting an MTU of 28 for a network interface... darren From firewalls-owner Tue Mar 5 05:01:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA29401 for firewalls-outgoing; Tue, 5 Mar 1996 04:55:48 -0800 (PST) Received: from ragnarok.hks.com (ragnarok.hks.com [192.101.199.9]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA29396 for ; Tue, 5 Mar 1996 04:55:44 -0800 (PST) Received: from ragnarok (localhost [127.0.0.1]) by ragnarok.hks.com (8.7.3/8.7.3) with SMTP id HAA24811; Tue, 5 Mar 1996 07:54:11 -0500 (EST) Message-ID: <313C3971.167E@hks.com> Date: Tue, 05 Mar 1996 07:54:09 -0500 From: Jim Littlefield Organization: Hibbitt, Karlsson & Sorensen, Inc. X-Mailer: Mozilla 2.0 (X11; I; IRIX 5.3 IP20) MIME-Version: 1.0 To: Dave Steele CC: firewalls@GreatCircle.COM Subject: Re: Web Caching Proxy Servers References: <26407.199603040941@gpo.gb.swissbank.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dave Steele wrote: > > I can't comment on throughput, but our network cache hit rate is very > poor (about 10% with a 50 MB cache). So we are getting little benefit > from the cache processing. If you have over 10-20 users, you should > expect about the same number. Interesting, I guess your milage will vary. We are averaging 30% hit rate with ~120 users and a 100Mb cache (Harvest).Dave Steele wrote: -- Jim Littlefield "One time a cop pulled me over for running a stop sign. He said, 'Didn't you see the stop sign?' I said, 'Yeah, but I don't believe everything I read.'" - Steven Wright From firewalls-owner Tue Mar 5 05:16:12 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA00407 for firewalls-outgoing; Tue, 5 Mar 1996 05:14:00 -0800 (PST) Received: from eagle.wd.cubic.com (eagle.wd.Cubic.COM [149.63.94.9]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA00402 for ; Tue, 5 Mar 1996 05:13:55 -0800 (PST) Received: (mischler@localhost) by eagle.wd.cubic.com (8.6.9/8.3) id FAA06372; Tue, 5 Mar 1996 05:12:10 -0800 Date: Tue, 5 Mar 1996 05:12:10 -0800 From: Dave Mischler Message-Id: <199603051312.FAA06372@eagle.wd.cubic.com> To: avalon@coombs.anu.edu.au, firewalls@scientia.com Subject: Re: IP fragmentation attacks (was: Pentagon displays due Cc: Firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > However, I haven't seen anything prohibiting an MTU of 28 for a network > interface... RFC 791 defines the minimum MTU as 68 octets. This is also referenced by RFC 1191, and RFC 1533. From firewalls-owner Tue Mar 5 05:31:46 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA01184 for firewalls-outgoing; Tue, 5 Mar 1996 05:27:51 -0800 (PST) Received: from ntigate.rich.nt.com (ntigate.nt.com [192.135.215.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA01179 for ; Tue, 5 Mar 1996 05:27:44 -0800 (PST) X400-Received: by mta NT.COM in /PRMD=NT/ADMD=MCI/C=US/; Relayed; Tue, 5 Mar 1996 13:23:14 +0000 X400-Received: by /PRMD=NT/ADMD=MCI/C=US/; Relayed; Tue, 5 Mar 1996 13:21:57 +0000 X400-Received: by /PRMD=NT/ADMD=MCI/C=US/; Relayed; Tue, 5 Mar 1996 13:22:39 +0000 X400-Received: by /PRMD=NT/ADMD=MCI/C=US/; Relayed; Tue, 5 Mar 1996 13:18:19 +0000 Date: Tue, 5 Mar 1996 13:18:19 +0000 X400-Originator: Mike.Attayek.0199191@nt.com X400-Recipients: non-disclosure:; X400-MTS-Identifier: [/PRMD=NT/ADMD=MCI/C=US/; Message-ID: To: Firewall Address Subject: None X-Mailer: Mail*Link SMTP-QM 3.0.2 Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII"; Name="Message Body" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk 3/5/96 8:17 AM None Our school system has a pilot WAN and internet access project with a = large telecommunications co. We have, as they say, direct access to the = internet, ie, no firewall. Could someone elaborate on the risks which = our school children may be exposed to by not operating behind a firewall? Many thanks! Mike Attayek 0199191@nt.com From firewalls-owner Tue Mar 5 05:50:50 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA01829 for firewalls-outgoing; Tue, 5 Mar 1996 05:41:07 -0800 (PST) Received: from postbox.anu.edu.au (postbox.anu.edu.au [150.203.76.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA01815 for ; Tue, 5 Mar 1996 05:40:57 -0800 (PST) Received: from coombs.anu.edu.au by postbox.anu.edu.au with SMTP (1.37.109.16/16.2) id AA007253159; Tue, 5 Mar 1996 23:39:19 +1000 From: Darren Reed Received: by coombs.anu.edu.au (1.38.193.4) id AA06498; Wed, 6 Mar 1996 00:39:18 +1100 Message-Id: <9603051339.AA06498@coombs.anu.edu.au> Subject: Re: IP fragmentation attacks (was: Pentagon displays due To: mischler@eagle.wd.cubic.com (Dave Mischler) Date: Wed, 6 Mar 1996 00:39:18 +1100 (EDT) Cc: Firewalls@GreatCircle.COM In-Reply-To: <199603051312.FAA06372@eagle.wd.cubic.com> from "Dave Mischler" at Mar 5, 96 05:12:10 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In some mail from Dave Mischler, sie said: > > > However, I haven't seen anything prohibiting an MTU of 28 for a network > > interface... > > RFC 791 defines the minimum MTU as 68 octets. This is also referenced > by RFC 1191, and RFC 1533. argh, not mentioned in 1122... but still, with enough option `padding', is 4 data bytes. From firewalls-owner Tue Mar 5 07:20:37 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA05552 for firewalls-outgoing; Tue, 5 Mar 1996 06:58:16 -0800 (PST) Received: from ford.gbnet.org (ford.gbnet.org [192.188.96.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA05535 for ; Tue, 5 Mar 1996 06:58:05 -0800 (PST) Received: (from steve@localhost) by ford.gbnet.org (8.7.1/8.6.12) id OAA19985; Tue, 5 Mar 1996 14:55:27 GMT From: Steve Kennedy Message-Id: <199603051455.OAA19985@ford.gbnet.org> Subject: Re: Web Caching Proxy Servers To: little@hks.com (Jim Littlefield) Date: Tue, 5 Mar 1996 14:55:27 +0000 (GMT) Cc: daves@xetron.com, firewalls@GreatCircle.COM In-Reply-To: <313C3971.167E@hks.com> from "Jim Littlefield" at Mar 5, 96 07:54:09 am X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk According to Jim Littlefield > Dave Steele wrote: > > I can't comment on throughput, but our network cache hit rate is very > > poor (about 10% with a 50 MB cache). So we are getting little benefit > > from the cache processing. If you have over 10-20 users, you should > > expect about the same number. > Interesting, I guess your milage will vary. We are averaging 30% hit > rate with ~120 users and a 100Mb cache (Harvest).Dave Steele wrote: Demon Internet's cache is getting about 50% hit rate (60,000 customers), this is current running CERN, but will like run Harvest soon. Regards Steve -- home steve@gbnet.org * Flat 2, 43 Howitt Road, Belsize Pk, London NW3 4LU work steve@demon.net * tel +44-(0)171 483 1169 FAX +44-(0)181 444 6103 www http://www.gbnet.net/ * bits steve@gbnet.net * Orange mobile +44-(0)973 600050 Euro firewall info - send mail to majordomo@gbnet.net (subscribe firewalls-uk) From firewalls-owner Tue Mar 5 07:48:07 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA06640 for firewalls-outgoing; Tue, 5 Mar 1996 07:14:58 -0800 (PST) Received: from tuna.wang.com (tuna.wang.com [150.124.136.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA06633 for ; Tue, 5 Mar 1996 07:14:54 -0800 (PST) Received: from mail.wangfed.com (ns.wangfed.com [159.94.10.19]) by tuna.wang.com (8.6.12/8.6.12tf1) with SMTP id KAA09386 for ; Tue, 5 Mar 1996 10:13:21 -0500 Received: from hfsi.hfsi.com by mail.wangfed.com (1.37.109.4/A.09.00a) id AA29818; Tue, 5 Mar 96 10:03:46 -0600 Received: from [159.94.14.48] by hfsi.hfsi.com (BULL 5.61++/B.O.S 02.01) id AA22279; Tue, 5 Mar 96 10:08:13 -0500 Date: Tue, 5 Mar 96 10:08:13 -0500 Message-Id: <9603051508.AA22279@hfsi.hfsi.com> From: "KM" Reply-To: "KM" To: firewalls@GreatCircle.com Subject: Spoofing Subscriptions (fwd) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ------------ Forwarded Message begins here ------------ From: Slemo Warigon Date: Mon, 4 Mar 1996 12:49:26 -0800 To: Multiple recipients of list INFSEC-L Subject: Spoofing Subscriptions Someone has recently spoof-subscribed the U.S. president, vice-president and first lady (president@whitehouse.gov, vice-president@whitehouse.gov, and first.lady@whitehouse.gov) to various discussion lists on the Internet listservs. If you manage a discussion list, please be aware of this....... the White House Internet Services coordinator has been busy unsubscribing the accounts from numerous lists. Also, disregard any emails soliciting for info supposedly from these accounts. ------------ Forwarded Message ends here ------------ ------------------------------------------------------ K.M. Goertzel Manager, International Programmes and Special Projects Secure Systems and Services Operation Wang Federal, Inc. 7900 Westpark Drive - MS 700 McLean, Virginia 22102-4299 TEL: 703-827 3914 FAX: 703-827 3161 goertzek@wangfed.com http://www.wangfed.com +----------------------------------------------+ | ...I guessed not half | | Life's symphony till I had made hearts beat, | | And touched Love's body into trembling cries | | -- Wilfred Owen, MUSIC | +----------------------------------------------+ From firewalls-owner Tue Mar 5 08:37:56 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA06488 for firewalls-outgoing; Tue, 5 Mar 1996 07:13:02 -0800 (PST) Received: from tuna.wang.com (tuna.wang.com [150.124.136.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA06483 for ; Tue, 5 Mar 1996 07:12:57 -0800 (PST) Received: from mail.wangfed.com (ns.wangfed.com [159.94.10.19]) by tuna.wang.com (8.6.12/8.6.12tf1) with SMTP id KAA09345 for ; Tue, 5 Mar 1996 10:11:27 -0500 Received: from hfsi.hfsi.com by mail.wangfed.com (1.37.109.4/A.09.00a) id AA29803; Tue, 5 Mar 96 10:01:47 -0600 Received: from [159.94.14.48] by hfsi.hfsi.com (BULL 5.61++/B.O.S 02.01) id AA21909; Tue, 5 Mar 96 10:05:56 -0500 Date: Tue, 5 Mar 96 10:05:56 -0500 Message-Id: <9603051505.AA21909@hfsi.hfsi.com> From: "KM" Reply-To: "KM"