From: Isamu Kobayashi
Organization: Keicho, Ltd.
Date: Mon, 01 Apr 1996 19:36:14 +0900
To: Firewalls@GreatCircle.COM
Subject: describe
Message-ID: <315FB19E.453F@st.rim.or.jp>

describe firewalls

------------------------------

From: Remy NONNENMACHER
Date: Mon, 1 Apr 1996 14:22:30 -2300
To: Rob Sansom
Cc: firewalls@greatcircle.com
Subject: Re: Interesting packets from the net
In-Reply-To: <9603281843.AA01291@apu.connectix.com>

On Thu, 28 Mar 1996, Rob Sansom wrote:

> I recently started as the network admin at Connectix, and put up some
> filters on our Inet router.
> All packets are filtered in the incoming
> interface, and over the past few weeks, I have received some interesting
> statistics on our access-lists (Cisco).
>
> Below is to deny all packets from the outside that say they're from the
> inside.
>
> deny ip 111.222.333.0 0.0.0.255 any (82 matches)
                  ^^^

The problem started when Cisco bought a truck of Pentiums from Intel at low cost. This new version has the incredible capability to compress a byte to less than 8 bits, offering the capacity to receive packets with addresses like: 1270.0.0.0, 9999999999 or 598234858.2903948283940.103948982349.192388234 ;-)

> deny ip 444.555.666.0 0.0.0.255 any
> deny ip 777.888.999.0 0.0.0.255 any (662 matches)
>
> And...
>
> deny ip 111.222.333.0 0.0.0.255 any (10 matches)
> deny ip 444.555.666.0 0.0.0.255 any (30 matches)
> deny ip 777.888.999.0 0.0.0.255 any
>
> And.. (this is interesting)
>
> deny ip host 127.0.0.1 any (2 matches)
>
> As well as...
>
> deny tcp any any eq 1521 (8 matches)    Oracle
> deny tcp any any eq 1525 (8 matches)    Oracle
> deny tcp any any eq 2049 (6 matches)    Why TCP to NFS??
>
> The TCP on ports > 1023 may be ftp servers or something similar that just
> happen to choose those ports for a return connection, but I kind of doubt
> it. At my previous job, I had a similar setup and never observed
> anything like that.
>
> I am trying to implement some sort of reasonable security here, but am
> having trouble getting anyone interested in the above as well as
> providing me the tools that I need.
>
> I am open to any suggestions from those out there who have been in
> similar situations (disinterest in security, etc...), as well as response
> to the above access list violations.
>
> Thanks in advance,

-------------------------------------------------------------------------------
S Y N C H R O N I X S.A.   Avn des ANDES, Bat. LE CEDRE - 91952 LES ULIS - FRANCE
Tel : +33 1 64462626 - FAX : +33 1 64466976 - Internet : Synx.com
Remy NONNENMACHER - APAV Dpt.
(remy@synx.com)
#include #include
-- "Jump through the Window" -- M$
-- "Don't forget you are at the 20th floor" -- Me

------------------------------

From: "CGUTFLEI.DE.ORACLE.COM"
Date: Mon, 1 Apr 96 15:02:50 +0100
To: firewalls@greatcircle.com
Subject: Firewall-1 Version2.0 & Oracle SQL*Net
Message-Id: <9604011402.AA29659@mailm1.de.oracle.com>

Hi wizards,

I urgently need information on whether it is possible to communicate from outside the Checkpoint firewall via Oracle SQL*Net through the firewall with an Oracle database, and in return from the database via SQL*Net through the firewall. The net protocol is TCP/IP. The outside machine is a SUN Sparc20 and the inside machine is WIN/NT.

Please send all answers directly to my mail address, because I'm not a member of the mail-list.

Thanks in advance.
Kind regards,
Claus

------------------------------

From: swaltner@helios.ks.symbios.com (Steve Waltner)
Date: Mon, 1 Apr 96 07:05:05 CST
To: firewalls@greatcircle.com
Subject: Patch to log plug-gw
Message-Id: <9604011305.AA17760@corona>

Someone recently posted a patch to make plug-gw log the data stream to a file. I didn't save this, even though I meant to when I saw it. I'm trying to debug a problem on our internal news server, which would be a lot easier if I could see the data stream coming from our news feeders. Would someone please mail me this patch for plug-gw.c?

Thanks for your help.

Steve
--
Steve Waltner       | Steve.Waltner@symbios.com
Symbios Logic       | Phone: (316) 636-8498
3718 N. Rock Road   | FAX: (316) 636-8889
Wichita, KS 67226   |

------------------------------

From: wneugent@smiley.mitre.org (Bill Neugent)
Date: Mon, 1 Apr 1996 08:00:48 -0400
To: Gavin.Longmuir@mailhost.dpie.gov.au
Cc: bell@mitre.org, ljl@mitre.org, Firewalls@GreatCircle.COM
Subject: Re: Information Required: Bell-LaPadula Security Model

Gavin,

I've cc'd both David Bell and Len LaPadula, who should be able to help you.

David, Len,

Maybe you can parlay this into a trip to Australia.

Bill

------------------------------

From: "Gavin Longmuir, x6486"
Date: Mon, 01 Apr 1996 16:50:17 +1000
Subject: Information Required: Bell-LaPadula Security Model

I'm looking for information on the Bell-LaPadula Security Model (? if that is the correct name for it). I've come across this reference under guidelines on filtering on security labels (I'm unsure if this is a reference to the security label in an IP header or something else, hence this request).

Gavin.
- --
Gavin Longmuir - Internet Applications and Platforms Manager
Information Management and Services Branch
Commonwealth Department of Primary Industries and Energy
Voice: +61 6 271 6486   FAX: +61 6 272 4997
Internet: Gavin.Longmuir@dpie.gov.au

------------------------------

From: chapalain@EuroBretagne.FR
Date: Mon, 1 Apr 96 15:46:31 PST
To: firewalls@GreatCircle.COM
Subject: Firewall and routers...

Hello all of you...

I'm a student and new to this list... I have to study all kinds of firewalls on the market. I heard a lot about security routers (auditing, alerting, ...), application gateways, proxies...

My question is simple: although routers work at layer 3 and can deny access with conditions like source and destination address, port number, interface, direction... is a router-firewall really insecure? If the access lists are really safe, are there attacks (like pinging) that routers can't support? If there are, please give me examples...

Regards.
------------------------------------
Laurent Mazars
E-mail: chapalain@mail.eurobretagne.fr
tel: (1) 98.00.31.42   fax: (1) 98.28.40.05
Date: 01.04.1996
-------------------------------------

------------------------------

From: Mustapha
Date: Mon, 1 Apr 1996 10:04:11 -0400 (AST)
To: Adam Prato
Cc: Phil Tucker, firewalls@GreatCircle.COM, tuckerp@WT200055.CSS.GORDON.ARMY.MIL
Subject: Practical UNIX & Internet Security, 2nd Edition.

On Thu, 28 Mar 1996, Adam Prato wrote:

> [...]
> Practical Unix Security (Vol 2 should be released soon,
> if its not already
> [...]

Practical UNIX & Internet Security, 2nd Edition (April 1996)
By Simson Garfinkel & Gene Spafford
O'Reilly & Associates
ISBN 1-56592-148-8
950 Pages
$39.95

Best Regards
-Mustapha

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
PLEASE REPLY TO musta@eve.info.umoncton.ca
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Mustapha Obeid
under-graduate student
Computer Science Department, Moncton University
Moncton, NB, Canada - E1A 3E9
Fields of Interest: Network Security & Cryptography.
*Life would be so much easier if we could just look at the source code*
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

------------------------------

From: Karl Janice
Date: Mon, 1 Apr 96 09:36 EST
To: Firewalls
Subject: ReRedundundantdant Connections
Message-Id: <62960401143626/0006731076PK5EM@MCIMAIL.COM>

> Question - Why not use a single ISP? i.e. they (MCI, ATT, etc)
> should have redundant systems and as long as you get separate
> physical links to separate nodes of their net you should be
> reasonably safe.

At least where we are, upstate NY area, grabbing two POPs of the same network is a chore. We had a tough time setting the same criteria for our private pt.2.pt. connections, but finally have that. By load sharing with MCI and ATT, a truly diverse route was attainable.
------------------------------

From: amolitor@anubis.network.com (Andrew Molitor)
Date: Mon, 1 Apr 96 08:57:25 CST
To: firewalls@greatcircle.com
Subject: Re: Interesting packets from the net
Message-Id: <9604011457.AA02911@anubis.network.com>

Rob Sansom wrote:

> Below is to deny all packets from the outside that say they're from the
> inside.

[ I read this as a few hundred packets over a few weeks ]

This might have just been one of your routers gone mad, or something. If you have multiple connection points to the internet, perhaps you occasionally route intra-network packets through the outside by accident. Try to avoid this ;)

It's also the signature of an IP spoofing attack. If you had the actual packets logged, you could tell more certainly. I don't think ciscos can log denied packets, but I may well be wrong.

> deny tcp any any eq 1521 (8 matches)    Oracle
> deny tcp any any eq 1525 (8 matches)    Oracle
> deny tcp any any eq 2049 (6 matches)    Why TCP to NFS??

This reads like someone doing port sweeps on you, at least in part. Probing all ports to see if they can get through to any sort of server.

> I am trying to implement some sort of reasonable security here, but am
> having trouble getting anyone interested in the above as well as
> providing me the tools that I need.
I can't be sure you've been attacked or probed, but there's certainly evidence to suggest you might have been (especially if you do NOT have multiple Internet connections). There's certainly enough to warrant allocating some engineering time to further investigation.

PRODUCT PLUG ALERT

NSC routers can log packets, and we also sell a neat tool from Haystack Labs (the Gods of audit reduction) that catches the logged packets, and detects attack signatures in real time. T1->Ethernet router for, err, a little under $2K? NetStalker is $5K, I think, and will want a workstation to itself.

You can, of course, also write audit reduction/attack detection tools yourself. There are several SATAN detectors, and I cannot imagine there are not any IP spoofing detectors out there, for free. Cobble together a Sun, tcpdump and some perl. If your time is not free, I bet NetStalker is cheaper.

Andrew Molitor, Ph.D. (Recovering)

------------------------------

From: HFDK41A@prodigy.com (MR. JOHN K MOLNAR)
Date: Mon, 01 Apr 1996 10:01:56 EST
To: Firewalls@GreatCircle.com
Subject: Encryption Devices
Message-Id: <097.04903727.HFDK41A@prodigy.com>

Hi;

We are just starting up our operation and it will include services to our corporate clients, such as www access and DNS services through our firewall.
We are beginning to get questions from clients about the use of encryption devices and don't have any experience with them. I saw a device called Time Step at one of the recent shows and was impressed, but that's the only one I know about. Can anyone recommend any other devices or know about any that I should pursue? Either post an answer for comment or contact me personally at hfdk41a@prodigy.com.

Thanks,
-John Molnar

------------------------------

From: srini@runabout.igt.com (Srini Seetharam)
Date: Mon, 1 Apr 96 10:32 EST
To: Firewalls@GreatCircle.COM
Subject: RE: trusting the processor chip

us028272@interramp.com (JEFF C FLYNN) writes:

> Does anyone know of articles regarding the possibility of subverting
> processor chips? Is this a realistic threat? Is it possible to hack vhdl
> compilers to embed intentional security flaws in silicon? Known cases?
> Attempts?
>
> TIA,
> Jeff

From a hardware designer's point of view, this would be very difficult to pull off effectively. The designer of the CAD tool (VHDL Compiler) would have to know and understand the thought process of the human designer and then selectively subvert the designs in areas that affect the security policy implemented by the processor. And then the tool would have to produce the silicon gates that are simulated in various other simulation tools produced by different vendors and for different fab houses. This is extremely difficult and has a probability of success only in designs that are a few thousand gates or even less.
Most modern processors are in the range of hundreds of thousands of gates to millions of gates. The probability of success is infinitesimal and the associated cost of such a task would be far too great to produce any noticeable benefit. There are much easier software methods of subverting security.

srini

------------------------------

From: "Alan Bradley"
Organization: CT City Council - Dataproc Server
Date: Mon, 1 Apr 1996 17:58:21 +0200
To: firewalls@greatcircle.com
Subject: Instant Internet
Reply-to: abradley@ctcc.gov.za
Message-ID: <1698A553C2F@Dataproc_nov>

Hi All,

Can anyone provide me with information about a product called Instant Internet? Is it a fully fledged firewall? Any and all information would be appreciated.

Thanks,
Alan Bradley.
Cape Town City Council
Cape Town
South Africa
E-mail: abradley@ctcc.gov.za

------------------------------

From: bve@vidnoe.yourtown.com (Bill Van Emburg)
Date: Mon, 1 Apr 96 11:15:52 EST
To: tuckerp@css583.gordon.army.mil
Cc: firewalls@greatcircle.com, tuckerp@WT200055.CSS.GORDON.ARMY.MIL
In-Reply-To: <9603271047.AA16948@WT200055.CSS.GORDON.ARMY.MIL> (tuckerp@css583.gordon.army.mil)
Subject: SysAdmin Security course...
Message-Id: <9604011615.AA24145@vidnoe.yourtown.com>

From: "Phil Tucker"
> I am searching for a good hands-on "Systems Administrator --Security--- course".
> Manage and secure multi-vendor Unix systems (hands on firewall implementation).
> Don't need "concepts" or reference books. Have plenty of these.

You might want to attend the SANS conference in Washington, D.C. this May. I believe the e-mail for more info is: sans@clark.net.
-BVE (Bill Van Emburg)
(bve@yourtown.com) (http://yourtown.com)
"You do what you want, and if you didn't, you don't"

------------------------------

From: anon-remailer@utopia.hacktic.nl (Anonymous)
Organization: Hack-Tic International, Inc.
Comments: Hack-Tic may or may not approve of the content of this posting
Comments: Please report misuse of this automated remailing service to
Date: Mon, 1 Apr 1996 17:55:18 +0200
To: firewalls@GreatCircle.com
Subject: Nothing to do with Firewalls :: & Dawgs & Sara
Message-Id: <199604011555.RAA22069@utopia.hacktic.nl>

Some fans complained that my posting about Sara was done in bad taste. Well, the underlying architecture of a MaNiMaL is still a dog. Think about what dawgs will eat by instinct. I rest my case.

There have been a few rare occasions where my imagination got a little, er, provocative, so in case this happened to be one of those regular, er, rare occasions, I apologize. Sara, I am sorry that I insinuated that you engaged in delicious activities with the Dawg.

To help dispel any misunderstandings about what happened, I decided to tell the truth. I was trotting around the East End, looking for Tubby Isaac's jellied eel stall. My tracking sniffers kept getting thrown off course by the smell of unwashed immigrants. Just as I was about to give up, I spotted a posse of fine Amerikaynian belles walking along behind a British BullShitter.
Turned out they were on a Jack the Ripper walking tour. I tagged onto the back of the group and enjoyed the detailed explanation of fine craftsmanship that was very precisely done.

At the end of the walk I invited Sara to dinner in a pub under a bridge on the edge of the financial district. She dined on hamburgers, eggs and chips while I enjoyed an Alpo and Kidney pie. After dinner we took a stroll in the moonlight across Tower Bridge. My hind-brain, which you may recall is female, started this girl-talk conversation with Sara. I just tuned both of them out while they had a right good natter.

From the little park on the south side of the bridge, we strolled along the south bank of the Thames, in the silvery light of the fake antique street lamps. I watched the retired politicians and civil servants trying to sail their little boats on the Thames. It was low tide and they kept ramming their boats into the mud, the same thing they did to the country before they all retired.

After about two hours of Sara and my hind-brain nattering, I couldn't take any more. I genteelly kissed Sara's hand and saw her into a cab back to her hotel. Then I peed on every lamp post across the bridge to Big Ben. Tried to pee on that too but got kicked in the ass by a copper.

There you have it. I bared my souls. Who do you believe? Me or me?

Brian/Flash says that some guy said he was anal retentive. He is really pleased. Says it is the nicest insult he ever received.

Hey, you there! Yes, you with the thorns! If you drop that bloody cross one more time, I'm really going to nail you.
Sick Puppy, the Cat_Eating_Dawg
cavorting with commercial blondes in Amsterdam

------------------------------

From: Brian Prentiss
Date: Mon, 1 Apr 1996 10:34:53 -0700 (MST)
To: firewalls@greatcircle.com
Subject: Weird address observed

Hello all,

I have been observing something in some firewall logs, and it piqued my curiosity. I have noticed that someone from network 0, specifically 0.8.0.69, has been doing (legitimate seeming) DNS queries. Is this network not reserved? I was under the (perhaps false) impression that network 0 was off limits. Does anyone have any insight into this, or noticed any of this themselves?
Thanks in advance,
Brian Prentiss

------------------------------

From: bve@vidnoe.yourtown.com (Bill Van Emburg)
Date: Mon, 1 Apr 96 12:43:46 EST
To: auampdrv@ibmmail.com
Cc: Firewalls@greatcircle.com
In-Reply-To: <199603290836.AAA16529@mycroft.GreatCircle.COM> (auampdrv@ibmmail.com)
Subject: Re: mail addresses
Message-Id: <9604011743.AA24272@vidnoe.yourtown.com>

(George Janczuk wrote about his policy of using userIDs as mail addresses, and the opposition of some members of his organization to this scheme.)

There is certainly an argument to be made about not giving out any more info than is necessary, although I understand your point about "security thru obscurity." The problem, of course, is that security implementations are never perfect, so a little "obscurity" is a GOOD THING(tm).

However, let me approach this problem from an entirely different angle, which comes to an answer for very different reasons.

For my users' e-mail addresses, I generate mail aliases which follow a common scheme, such as first initial, last name. If there is a conflict at this point, I switch to first name, last initial. If there is *still* a conflict, I revert to first initial, last name, with sequence numbers appended. The rationale for this has nothing to do with security, although it adds a little "security thru obscurity" as a side-effect. The rationale is simply this: I want users' e-mail addresses to be easy for them, and the people they correspond with, to remember.
Usually, a user's e-mail address can be guessed, which can be particularly useful. Even if you use the same scheme for user IDs on your machines, it's not good enough, because most user IDs are limited to eight characters. Mail aliases can be as long as the user's name. (Of course, we can provide aliases that are shorter, when things get out of hand, but at least we can choose something the user can remember!)

I am a firm believer in providing convenience to my users, and if a little "obscurity" is added in the process, so much the better....

-BVE (Bill Van Emburg) (bve@yourtown.com) (http://yourtown.com)
"You do what you want, and if you didn't, you don't"

From firewalls-owner Mon Apr 1 10:39:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA05221 for firewalls-outgoing; Mon, 1 Apr 1996 10:10:20 -0800 (PST)
Received: from hitachi.com (msd.hitachi.com [137.168.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA05215 for ; Mon, 1 Apr 1996 10:10:14 -0800 (PST)
Received: from osc.hitachi.com by hitachi.com (4.1/SMI-4.1) id AA12459; Mon, 1 Apr 96 10:10:39 PST
Received: from enterprise ([205.158.60.129]) by osc.hitachi.com (4.1/SMI-4.1) id AA00293; Mon, 1 Apr 96 09:23:19 PST
Date: Mon, 1 Apr 96 09:23:19 PST
Message-Id: <9604011723.AA00293@osc.hitachi.com>
X-Sender: bstout@osc.hitachi.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: Bill Stout
Subject: Re: firewalls and CKE
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I will follow tradition, which is, rather than lurk and be thought a fool, post and remove all doubt (see redundant internet connections, etc). I first sent this to fwtk-users. Ooops.

Since someone from TIS replied to the previous message (below):

"You know nothing about this then.
Be happy to educate you, but your posting makes it clear that you didn't read our explanations or we didn't write them well enough. NO keys are ever stored."

I would like someone from TIS to explain in plain language what CKE does, if it doesn't store encryption keys in escrow. Simply, you know, like 'CKE for idiots', 'CKE for congress members', 'CKE for CEOs', or 'CKE for harried sys admins'.

BTW - I did read http://www.tis.com/crypto/cke.html. Very lengthy.

Excerpt from http://www.tis.com/crypto/cke/info/drcds396.html#anchor172960:

"The Data Recovery Center (DRC) is the "safe hiding place" for the DRC private keys used to unlock DRFs for emergency access to encrypted messages or files. It maintains a database of registered users, including their authentication codes. It is also where the user, his/her corporation, or his/her government can go to obtain the session key needed to unlock a file in the event the original session key is lost."

___________________________________________________________________________
Previous message follows (previously to fwtk-users):
____________________________________________________________________________

CKE gets the big raspberry! CKE is automated compromise of encrypted data. As an ex-crypto person, the only way a crypto key is secure is when only the sender and receiver possess it, and they destroy that key after it has been used. The fact that any other person has access to that key compromises that key and any data transmitted with it.

If I understand TIS's CKE/DRC concept correctly, a corporation which chooses to use encrypted links must give an internationally authorized Data Recovery Center keys to all encrypted, transmitted corporate data. This means not only the dark forces within our government can get the keys to corporate secrets, but also dark forces within foreign governments can do the same!

Standard intelligence procedure is to record and store traffic for later analysis/decryption.
If a foreign key is compromised (usually by human error, or HUMINT - human intelligence), the stored data can later be decrypted. For security, keys need to be changed and destroyed often, like passwords, and frequency of change is dependent on the level of secrecy required. Old keys must then be destroyed; otherwise, in the event a key is lost, all data sent with the old key is assumed compromised. In the NSA, the loss of a used crypto key is disastrous; however, the compromise of unused keys is no big deal (if you know it's been compromised, you'll never use it).

The ONLY secure way encrypted links will work is to give corporations the ability to generate their own long encryption keys for symmetric encryption, and change these keys on a daily basis. The issue for discussion then should be Key Distribution: do you send the new key via courier or other very secure electronic mode? The highest form of encryption is to use one very long key, for ONE-time use only, and to destroy it!

I am one (I hope of the majority) who is convinced that our corporate messages and data are none of any government's business. Requiring a company with encrypted links to maintain keys in a DRC is horrifying. None of what I do is the business of any country, ditto for what people do in my company overseas. A misguided agent within the government can cause more damage to a corporation or individual than a hacker or criminal could ever dream.

/*Going off tangent*/

Having said that, I had a completely different viewpoint once. The tactical name of the game for old associates who were in Special Ops/Psychological Ops was to influence a population's opinions (foreign AND domestic). The best way to benchmark where you are is to monitor (surveil communications of) the target population.
You test a psychological operation plan by sending inputs (news/stories/PR/etc) into the public, watch the reaction, go back and fine-tune your input until you get the desired output (votes, self-serving laws, etc). Psychological operations exist, by the way, to manipulate your and my opinions and thoughts for a stated goal. Not being able to influence or monitor the thoughts of a group of people was the problem to dwell on back then.

The strategic methods for this are not earth shattering. Standard procedure for the Pentagon is to run computerized war simulations, and the intelligence agencies likewise run foreign political/economic/social simulations (what else do you think they buy such major quantities of supercomputers for, science?). The Federal Reserve bank (not really a government entity) also runs economic simulations constantly. Other agencies also do the same for domestic economic/political/social simulations. Simulation output is then manipulated, strategic plans are created, then made operational by 'programizing' the plan. The last thing they want is to lose their ability to monitor traffic content. In this manner, systems which 'grep' content of voice/data traffic streams for keyphrases are not 'really' tapping an individual's line, but 'only' the flow of communication.

/*Going WAY off tangent - personal opinions follow*/

Centralization of power is one obvious strategic goal; notice the 'war' on various vices over the last 20 years, creating confiscation laws, strong anti-gun laws, desire to track all transactions, and the migration of police/law/military combat power from states to feds and above (NATO?). Our military is also used more and more as a police force in conjunction with multinational forces. Eventually it gets hard to coordinate enforcement when something is illegal in one country and legal in another (i.e., obscenity laws).
Eventually I think there will be a desire to 'globalize' or standardize laws and individual rights for ease of enforcement. Various National Constitutions would then get in the way and would have to be compromised. Including ours. But I'm sure this will be made palatable by the efforts of our Psychological operations. As Hume once said (as I've also seen on another person's 'sig' line), "It is seldom that liberty of any kind is lost all at once."

/*End of tangents */

William B. Stout
Senior Systems Administrator
Hitachi Data Systems
Open Systems Center
Santa Clara, California
408-970-4822

From firewalls-owner Mon Apr 1 11:22:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA06160 for firewalls-outgoing; Mon, 1 Apr 1996 10:29:39 -0800 (PST)
Received: from starbase.ingress.com ([199.171.57.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA06152 for ; Mon, 1 Apr 1996 10:29:25 -0800 (PST)
Received: from cbk.tiac.net by starbase.ingress.com (SMI-8.6/SMI-SVR4 ) id NAA09001; Mon, 1 Apr 1996 13:23:43 -0500
Date: Mon, 1 Apr 1996 13:23:43 -0500
Message-Id: <199604011823.NAA09001@starbase.ingress.com>
X-Sender: cbk@ingress.com
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: cbk@ingress.com (Charles B. Kaplan)
Subject: Re: IP Duplicate Addresses
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The solutions for finding your bothersome user are fairly standard; however, what do you do when the user happens to pick the IP# of an interface on your backbone router? :-) That is what happened to me a few months back.
Now instead of 2 users calling into the help desk/etc you get a whole segment...... most annoying.

-CK

From firewalls-owner Mon Apr 1 11:55:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA06937 for firewalls-outgoing; Mon, 1 Apr 1996 10:39:12 -0800 (PST)
Received: from mailhost.Ipsilon.COM (foo-5-10.Ipsilon.COM [205.226.5.12]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA06921 for ; Mon, 1 Apr 1996 10:39:01 -0800 (PST)
Received: from mailhost.ipsilon.com (localhost [127.0.0.1]) by mailhost.Ipsilon.COM (8.6.11/8.6.10) with ESMTP id KAA14285; Mon, 1 Apr 1996 10:35:31 -0800
Message-Id: <199604011835.KAA14285@mailhost.Ipsilon.COM>
X-Mailer: exmh version 1.6.4 10/10/95
To: Bill Stout
cc: Firewalls@GreatCircle.COM
Subject: Re: Dreams & Dawgs & Phoenixes & Sara Gordon & Covering my Tail
In-reply-to: Your message of "Thu, 28 Mar 1996 09:53:31 PST." <9603281753.AA24004@osc.hitachi.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 01 Apr 1996 10:35:31 -0800
From: Craig Anderson
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I think Sick Puppy finally lost it.
>

Naw, he's just a foreign agent sending coded messages through the list.
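Bill Van Emburg's three-step aliasing scheme from the "mail addresses" thread above, written out as an added example. This is editorial code, not from his post or from any mail system: it shows the collision handling he describes (first initial + last name, then first name + last initial, then a numbered fallback) on a constructed list of names, and the internal mailbox domain `mailhub.internal` is an assumption.

```python
# Added example (not from Bill Van Emburg's post): his alias scheme as code.
# Rule 1: first initial + last name.  Rule 2, on collision: first name + last
# initial.  Rule 3, if still taken: first initial + last name + a sequence
# number (2, 3, ...).  The sample names and the internal domain are constructed.
import re


def _clean(s):
    """Lower-case and keep only ASCII letters and digits, so 'Van Emburg'
    becomes 'vanemburg' (assumption: aliases are plain ASCII local-parts)."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def assign_alias(first, last, taken):
    """Return an alias not yet in `taken` for one person and record it there.
    `taken` is the set of aliases already handed out."""
    f, l = _clean(first), _clean(last)
    for cand in (f[:1] + l, f + l[:1]):        # rules 1 and 2, in order
        if cand not in taken:
            taken.add(cand)
            return cand
    seq = 2                                     # rule 3: numbered fallback
    while f"{f[:1]}{l}{seq}" in taken:
        seq += 1
    cand = f"{f[:1]}{l}{seq}"
    taken.add(cand)
    return cand


def build_alias_table(people):
    """Assign aliases to (first, last) pairs in order; earlier entries win
    collisions, which mirrors adding users to the alias file one at a time."""
    taken = set()
    return [(assign_alias(f, l, taken), f"{f} {l}") for f, l in people]


def render_aliases(table, internal_domain="mailhub.internal"):
    """Render the table as aliases(5)-style lines mapping the public alias to a
    hypothetical internal mailbox first.last@internal_domain (assumed layout)."""
    return "\n".join(
        f"{alias}: {name.lower().replace(' ', '.')}@{internal_domain}"
        for alias, name in table
    )


# Constructed sample: a large shop is bound to collect two John Smiths.
SAMPLE_USERS = [
    ("Bill", "Van Emburg"),   # rule 1 -> bvanemburg
    ("John", "Smith"),        # rule 1 -> jsmith
    ("Jane", "Smith"),        # jsmith taken -> rule 2 -> janes
    ("John", "Smith"),        # jsmith taken, johns free -> rule 2 -> johns
    ("John", "Smith"),        # jsmith and johns taken -> rule 3 -> jsmith2
]

if __name__ == "__main__":
    print(render_aliases(build_alias_table(SAMPLE_USERS)))
```

Aliases are assigned in arrival order, so a later hire never displaces an existing alias; the eight-character limit he mentions applies to the login, not to the alias, which is why the alias can carry the full last name.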
From firewalls-owner Mon Apr 1 12:24:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA11625 for firewalls-outgoing; Mon, 1 Apr 1996 11:50:59 -0800 (PST)
Received: from recom.recom.com (recom.recom.com [204.213.88.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA11593 for ; Mon, 1 Apr 1996 11:50:44 -0800 (PST)
Received: (from uucp@localhost) by recom.recom.com (8.6.12/8.6.9) with UUCP id OAA16832; Mon, 1 Apr 1996 14:54:18 -0500
Received: from ss5mth19.franklin.com by ss5mth51.franklin.com (4.1/SMI-4.0) id AA16513; Mon, 1 Apr 96 14:43:35 EST
Received: by ss5mth19.franklin.com (4.1/SMI-4.0) id AA10605; Mon, 1 Apr 96 14:43:16 EST
Date: Mon, 1 Apr 96 14:43:16 EST
From: austin@franklin.com (Austin Hastings)
Message-Id: <9604011943.AA10605@ss5mth19.franklin.com>
To: auampdrv@ibmmail.com
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <199603290836.AAA16529@mycroft.GreatCircle.COM> (auampdrv@ibmmail.com)
Subject: Re: mail addresses
Reply-To: austin@franklin.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From: "George Janczuk"

    An area in our organisation is disputing our policy to use user-IDs (eg: unix and other account names) as external internet mailbox addresses on security grounds and are trying to mandate the use of a translation/alias table.

I see several questions that need answering:

1) Surely they know that they cannot mandate that everyone's login-name be changed. So, is the "person's name" -> login mapping trivial? That is, if my name is "Austin Hastings", is it likely that my login will be "austin" or "hastings" or "austinh" or "ahasting" or some such? If so, "hiding" the user logins is pointless.

2) How much connectivity do you allow? Remember the first rule of firewalls: Decide what you want to implement before you start. Do you allow "finger" or "who" access? If so, "hiding" the user logins is pointless.

3) How much *EXTERNAL* account-hacking do you expect?
Normally, the target's account name is irrelevant -- hackers are interested in userid 0, not "System Administrator". Is this group genuinely this paranoid about security, or are they protecting the users while letting the root account fall to sendmail? If so, "hiding" the user logins is pointless.

Finally, and not wholly related, how much do you care about these people? If you're the security officer and these complaints are coming from some just-out who happens to be responsible for doing admin on a VAX in some back room, then it's probably a game of "My firewall is more paranoid than your firewall". Step on them.

=Austin

From firewalls-owner Mon Apr 1 12:50:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA13549 for firewalls-outgoing; Mon, 1 Apr 1996 12:20:06 -0800 (PST)
Received: from gateway.damark.com (GATEWAY.DAMARK.COM [204.17.145.230]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA13527 for ; Mon, 1 Apr 1996 12:19:53 -0800 (PST)
Received: by gateway.damark.com; id OAA09369; Mon, 1 Apr 1996 14:17:40 -0600
Received: from unknown(172.31.254.231) by gateway.damark.com via smap (g3.0.1) id sme009367; Mon, 1 Apr 96 14:17:36 -0600
Received: by damark.com (5.65/1.2-eef) id AA14123; Mon, 1 Apr 96 14:16:45 -0600
Message-Id: <9604012016.AA14123@damark.com>
From: "william.wells"
To: FIREWALLS
Subject: RE: mail addresses
Date: Mon, 01 Apr 96 14:12:00 CST
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

George Janczuk and Bill Van Emburg have been discussing mail addresses. I add:

We map all mail addresses between Internet and internal. We do this for several reasons, but security via obscurity is not one of them. The main reason is to maintain a consistent external mail address. To accomplish this:

1. We disallow any system reference in a mail address. All mail can only be addressed to xxx@damark.com.
   We also do this to prevent an external person mailing directly to our internal systems (ex: mmdf@xxx.damark.com).

2. We map all addresses to/from a consistent map on the Internet mail hub. Our internal mail addresses may change, but the Internet one doesn't unless there is a name change. In the case of a name change, the mail handler will do the forwarding to the destination and/or informing the sender, as required.

3. We map addresses to control which IDs can be mailed to (and which can be mailed from). For example, from the Internet, you cannot mail to 'root' or any of the other system or application IDs on our internal systems unless we specifically alias them. If an employee is not in the map, they cannot send or receive Internet mail.

William Wells
Manager, Technical Support
Damark International, Inc.
william.wells@damark.com (this isn't my real internal address)

From firewalls-owner Mon Apr 1 13:29:16 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA15751 for firewalls-outgoing; Mon, 1 Apr 1996 12:53:24 -0800 (PST)
Received: from tuna.wang.com (tuna.wang.com [150.124.136.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA15739 for ; Mon, 1 Apr 1996 12:53:17 -0800 (PST)
Received: from mail.wangfed.com (ns.wangfed.com [159.94.10.19]) by tuna.wang.com (8.6.12/8.6.12tf1) with SMTP id PAA08615; Mon, 1 Apr 1996 15:51:04 -0500
Received: from hfsi.hfsi.com by mail.wangfed.com (1.37.109.4/A.09.00a) id AA24969; Mon, 1 Apr 96 15:40:53 -0600
Received: from [159.94.14.48] by hfsi (BULL 5.61++/B.O.S 02.01) id AA27908; Mon, 1 Apr 96 15:44:33 -0500
Date: Mon, 1 Apr 96 15:44:33 -0500
Message-Id: <9604012044.AA27908@hfsi>
From: "KM"
Reply-To: "KM"
To: eazuara@SUNULSA.ULSA.MX
Cc: firewalls@GreatCircle.com
Subject: Re: Security on the internet
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In message The Cool Henri writes:

> Hi, i've been around for a while, but never really post anything until
> now.
> If someone could help me I'll be REALLY THANKFUL !!!
> I need to know the most used internet security implementations and where
> to find more info about them. I'm new on the subject so I only know for now
> the firewalls and a thing someone told me today called "karberos" or
> something like that.

That's "Kerberos" - it's a crypto-based scheme developed by MIT (under the auspices of their Project Athena) for I&A in a distributed computing environment. You'll find lots of information on it at the following URLs:

http://mitvma.mit.edu/mit/kerberos.html

There is a competing scheme which is actually more complete, developed by a consortium in Europe, and called "Sesame". You can find information - and the source code for version 1 - at:

http://www.esat.kuleuven.ac.be/cosic/sesame.html

K.M. Goertzel, Program/Project Manager
Secure Systems and Services Operation
WANG FEDERAL, Inc.
7900 Westpark Drive - MS 700
McLean, VA 22102-4299 USA
TEL: 703-827 3914
FAX: 703-827 3161
EMAIL: goertzek@wangfed.com
WEB: http://www.wangfed.com

+-------------------------------------------+
| I am not young enough to know everything. |
|                            - J.M. Barrie  |
+-------------------------------------------+

From firewalls-owner Mon Apr 1 13:51:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA19292 for firewalls-outgoing; Mon, 1 Apr 1996 13:34:23 -0800 (PST)
Received: from nic.teale.ca.gov (nic.teale.ca.gov [134.187.1.33]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA19278 for ; Mon, 1 Apr 1996 13:34:16 -0800 (PST)
Received: from smtp.dgs.ca.gov ([165.235.112.252]) by nic.teale.ca.gov (4.1/SMI-4.1) id AA05870; Mon, 1 Apr 96 13:41:28 PST
Received: from cc:Mail by smtp.dgs.ca.gov id AA828394485; Mon, 01 Apr 96 13:29:44 PST
Date: Mon, 01 Apr 96 13:29:44 PST
From: "Morgan, Noel"
Message-Id: <9603018283.AA828394485@smtp.dgs.ca.gov>
To: Firewalls@GreatCircle.COM
Subject: Re: Duplicate IP Addresses
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[stealth mode off]

NT supports the NBTSTAT command, which allows you to read the name cache table on a local or remote NIC based upon either the IP address or NetBIOS name of the host (as well as the MAC address). Try NBTSTAT -? at the NT command prompt for assistance.

[stealth mode on]

......................................................................
Cheap, fast, correct, on-time.... Choose only one.

Noel Morgan                              Internet: nmorgan@wintermute.win.net
Microsoft Certified Systems Engineer     CIS: 73760,3722
3Com 3Wizard
......................................................................
Standard Disclaim: The above statements and opinions are strictly mine, and do not represent any company or organization's position.
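Charles Kaplan's and Noel Morgan's messages in the duplicate-IP thread above describe tracking down the offending machine by hand. As an added example (not from either post, nor from any vendor tool), here is the defender-side check a network admin can script: compare several ARP-cache snapshots, flag any address that has answered from more than one MAC, and raise the severity when that address is a router interface or server listed in the admin's own records, which is Kaplan's backbone-router case. The `arp -a` captures and the infrastructure record below are constructed sample data.

```python
# Added example (not from the thread): spot a duplicated IP address from ARP
# snapshots.  Two `arp -a` captures (Windows output layout) taken minutes apart
# on the same segment are embedded below; they are constructed, not real hosts.
import re
from collections import defaultdict

SNAPSHOTS = [
    # snapshot 1: the router interface 192.168.10.1 answers with its own MAC
    """Interface: 192.168.10.5
  Internet Address      Physical Address      Type
  192.168.10.1          00-00-0c-aa-bb-01     dynamic
  192.168.10.20         00-a0-24-12-34-56     dynamic
  192.168.10.21         08-00-20-77-88-99     dynamic
""",
    # snapshot 2: a PC configured with the router's address has won the ARP race
    """Interface: 192.168.10.5
  Internet Address      Physical Address      Type
  192.168.10.1          00-60-08-de-ad-01     dynamic
  192.168.10.20         00-a0-24-12-34-56     dynamic
  192.168.10.21         08-00-20-77-88-99     dynamic
""",
]

# One ARP entry: a dotted quad, then a MAC in 00-11-22-.. or 00:11:22:.. form.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})",
    re.MULTILINE,
)


def parse_arp(text):
    """Yield (ip, mac) pairs with MACs normalised to lower-case colon form."""
    for ip, mac in ARP_LINE.findall(text):
        yield ip, mac.lower().replace("-", ":")


def find_duplicates(snapshots):
    """Map every IP seen with more than one MAC to the sorted list of MACs.
    A single snapshot cannot show this (a cache holds one entry per IP), so the
    evidence has to come from captures over time or from several vantage hosts."""
    seen = defaultdict(set)
    for text in snapshots:
        for ip, mac in parse_arp(text):
            seen[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def triage(dups, known):
    """Return (ip, severity, offending_macs) per duplicate.  `known` is the
    admin's own record {ip: mac} of router interfaces and servers: any MAC that
    disagrees with it is the offender and the case is 'critical'; otherwise it
    is an ordinary 'host' collision between two workstations."""
    report = []
    for ip, macs in sorted(dups.items()):
        if ip in known:
            offenders = [m for m in macs if m != known[ip]]
            report.append((ip, "critical", offenders))
        else:
            report.append((ip, "host", macs))
    return report


# Constructed record of what the router's interface MAC is supposed to be.
KNOWN_INFRASTRUCTURE = {"192.168.10.1": "00:00:0c:aa:bb:01"}

if __name__ == "__main__":
    for ip, sev, macs in triage(find_duplicates(SNAPSHOTS), KNOWN_INFRASTRUCTURE):
        print(f"{sev:8s} {ip:15s} also claimed by {', '.join(macs)}")
```

Once the offending MAC is known, NBTSTAT as Noel Morgan describes, or the switch's bridge table, ties it to a machine. Running the comparison from more than one host on the segment helps, since each cache only records whichever station answered its own ARP request last.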
From firewalls-owner Mon Apr 1 14:06:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA21092 for firewalls-outgoing; Mon, 1 Apr 1996 14:02:05 -0800 (PST)
Received: from cplc.com (gatekeeper.cplc.com [199.72.137.82]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA21086 for ; Mon, 1 Apr 1996 14:02:01 -0800 (PST)
Received: by gatekeeper.cplc.com id <26886>; Mon, 1 Apr 1996 16:58:16 -0500
Date: Mon, 1 Apr 1996 17:00:29 -0500
From: Paul Kvanvig
Subject: Re: About the firewalls using RIP or static routes
X-Sender: kvanvig@mail
To: firewalls@GreatCircle.COM
MIME-version: 1.0
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Content-type: text/plain; charset="us-ascii"
Content-transfer-encoding: 7BIT
Message-Id: <96Apr1.165816est.26886@gatekeeper.cplc.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Well, to answer the question: dynamic routes are a security problem since routing updates can be easily forged. Unless your firewall is a layer 2 device, it will have routes, and these should be static.

-Paul Kvanvig

At 12:16 AM 3/29/96 -0500, you wrote:
>
>Answer: No routes.
>
>- paul
>
>At 10:51 PM 3/27/96 -0600, Armando Aguilar wrote:
>
>>Hello,
>>    Which is better on a Firewall, static routes or dynamic routes?
>>
>>Thanks.
>>
>>
>>--
>>------------------------------------------------------------------------
>> Armando Aguilar             Soluciones Avanzadas de Redes
>> E-mail: armando@sar.net     Camino Real a Xochimilco No. 60
>> Tel. (+52+5) 420-5900       Tepepan Xochimilco
>> Fax. (+52+5) 420-5909       Mexico, D.F. 16020
>>------------------------------------------------------------------------
>>
>
>--
>Paul Ferguson                    ||        ||
>Consulting Engineering           ||        ||
>Reston, Virginia USA            ||||      ||||
>tel: +1.703.716.9538        ..:||||||:..:||||||:..
>e-mail: pferguso@cisco.com   c i s c o  S y s t e m s
>
>

From firewalls-owner Mon Apr 1 14:21:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA20319 for firewalls-outgoing; Mon, 1 Apr 1996 13:49:59 -0800 (PST)
Received: from ns.cu-online.com (ns.cu-online.com [205.198.248.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA20303 for ; Mon, 1 Apr 1996 13:49:52 -0800 (PST)
Received: from argus.cu-online.com (argus.cu-online.com [205.198.248.112]) by ns.cu-online.com (8.6.12/8.6.9) with ESMTP id JAA14387 for ; Mon, 11 Mar 1996 09:25:47 -0600
Received: by argus.cu-online.com (SMI-8.6/SMI-SVR4) id PAA22830; Mon, 1 Apr 1996 15:49:42 -0600
Date: Mon, 1 Apr 1996 15:49:42 -0600
From: mcnabb@argus.cu-online.com (Paul McNabb)
Message-Id: <199604012149.PAA22830@argus.cu-online.com>
To: Firewalls@GreatCircle.COM
Subject: Java Security & Decaf(tm)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: "G.Grenier"
>
> What do you think of the Computing Canada's article ("JavaScript escalates
> privacy fears") stating that JavaScript "...has the ability to enter a
> user's Netscape Navigator 2.0 Preferences file, snatch the user's email
> address and forward it to another Internet address without the consent or
> knowledge of the user. ..."

It is trivial for Argus's Decaf product to separate out those resources available within the VM/browser from those available to the user when operating outside of the browser. That is, the browser, any applets it runs, and any "descendants" of the applets can be treated with the same security restrictions. A few lines of code would have to be added to the VM/browser if you wanted the applets to run in a different Decaf environment than the VM/browser itself, but other than that, there is no problem at all in solving problems like this.
In fact, with Decaf, you could write an applet that could run either a program or function in a more restricted environment than the "parent applet." BTW, all of this applies even if the VM/browser is running as superuser/root.

A brief explanation of Decaf for those who haven't tried it: Decaf puts read/write/execute restrictions on a per-environment basis rather than a per-user basis. The user ID is not used. The decaf environments can be either hierarchical or compartmentalized or both. NOTE: This is *not* a B1 labeling scheme, although you can run decaf on top of a Solaris 2.x system with Argus's C2, B1, and trusted network modules installed.

Another interesting configuration is to run a firewall on top of all the various Argus security modules. The C2 module gets rid of superuser on unix -- that solves lots of problems with all kinds of network daemons. Imagine: Solaris with no superuser, restricted operating environments unrelated to chroot or UID, and MAC labels.

Also, when operating in *any* decaf environment, there are some things that root can no longer do, such as create new devices. This prevents a rogue applet from creating a new device pointing at the raw disk or memory and then trying to bypass any OS security.

paul

------------------------------------------------------------
Paul McNabb                     mcnabb@argus.cu-online.com
Argus Systems Group, Inc.
TEL 217-384-6300                1405A East Florida Avenue
FAX 217-384-6404                Urbana, IL 61801 USA
------------------------------------------------------------

From firewalls-owner Mon Apr 1 14:51:13 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA22663 for firewalls-outgoing; Mon, 1 Apr 1996 14:29:51 -0800 (PST)
Received: from trex.smoky.ccsd.k12.co.us (trex.smoky.ccsd.k12.co.us [166.113.35.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA22646 for ; Mon, 1 Apr 1996 14:29:37 -0800 (PST)
Received: from shhs1.ccsd.k12.co.us (Ushhs1@localhost) by trex.smoky.ccsd.k12.co.us (8.6.12/8.6.9) with UUCP id MAA28071; Mon, 1 Apr 1996 12:23:32 -0700
From: Shannon_Herber@shhs1.ccsd.k12.co.us (Shannon Herber)
Reply-To: Shannon_Herber@shhs1.ccsd.k12.co.us
To: stefan.grip@mailbox.swipnet.se
Cc: firewalls@greatcircle.com
Subject: Re: Hi
Date: 01 Apr 1996 19:17:29 GMT
Message-Id: <61406.1237961@shhs1.ccsd.k12.co.us>
Organization: shhs1
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Stefan,

Sorry to hear about your problems with Windows '95; I'm glad that you got them fixed. I didn't write sooner because I had Spring Break last week and I went to California, Arizona and New Mexico. I visited two colleges in California. I really liked them and I hope that I am going to be accepted to them, because I am sure that I would love going to college there. We (my family and I) went to Arizona and New Mexico to visit relatives and old friends. I was born there (Arizona) and my parents used to live there for a really long time. It was a very nice trip and I was able to spend time with my family. I got to meet some of my great-aunts and great-uncles, and cousins that I have never even met. I found out that my grandfather had 7 brothers and sisters, and they all had kids, and my family is so big that there are people I have never even met before. It is really big.
Other than that I really didn't do anything special; it was just nice to get away from school for a while. Well, I hope you feel better from all of your fighting (Hapkido and things) and I will talk to you later! Bye!

--Shannon--

From firewalls-owner Mon Apr 1 15:04:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA23966 for firewalls-outgoing; Mon, 1 Apr 1996 14:45:21 -0800 (PST)
Received: from wsi.com (wsi1.wsi.com [205.184.203.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA23927 for ; Mon, 1 Apr 1996 14:45:01 -0800 (PST)
Received: from rivendell.wsi.com by wsi.com (5.0/SMI-SVR4) id AA18607; Mon, 1 Apr 1996 17:42:20 +0500
Received: by rivendell.wsi.com (5.x/SMI-SVR4) id AA20852; Mon, 1 Apr 1996 17:41:06 -0500
Date: Mon, 1 Apr 1996 17:41:06 -0500
From: david@wsi.com (David Flinn)
Message-Id: <9604012241.AA20852@rivendell.wsi.com>
To: firewalls@greatcircle.com
Subject: ? (Network Address Translation) NAT questions
Cc: david@wsi.com
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

My customer requires the following for their firewall:

1) two token ring interfaces (yikes!)
2) map many RFC 1597 internal addresses to one valid external Class C address
3) map many external Class C addresses to many internal RFC 1597 addresses.

I have found that fulfilling these requirements is non-trivial.

- PIX from cisco fails test 1.
- Raptor passes test 1 and 2 but fails 3. (probably others as well)
- Checkpoint passes 2 and 3 but fails 1. (at least on Sparc, unsure about HP)

Does anyone know any other firewall vendors that can do this?

The real problem I see with most application proxy servers is number three. Let's say my customer has six internal servers running lotus notes. They need their sales people to dial up a PPP session to get at these different servers. Most application gateways only allow 1 valid class c address to be used.
So, if I need to get at six notes servers, I usually would use six different ip addresses. Raptor, et al., would only let me access one server via one port number. Checkpoint allows me to map 1597 addresses to true addresses bi-directionally, but doesn't run using token ring (I don't believe their marketing material). Any clues to this Many-to-Many problem?

Thanks for your thoughts,

david

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
| david flinn                       workgroup solutions        |
| enterprise technology manager     76 blanchard road          |
| 617-238-8562                      burlington, ma 01803       |
| 617-229-9991 (fax)                david@wsi.com              |
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

From firewalls-owner Mon Apr 1 15:06:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA22920 for firewalls-outgoing; Mon, 1 Apr 1996 14:34:18 -0800 (PST)
Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA22882 for ; Mon, 1 Apr 1996 14:33:43 -0800 (PST)
Received: from anubis.network.com by nsco.network.com (4.1/1.34) id AA07989; Mon, 1 Apr 96 15:27:03 CST
Received: from blefscu.network.com by anubis.network.com (4.1/SMI-4.1) id AA10574; Mon, 1 Apr 96 15:25:15 CST
Date: Mon, 1 Apr 96 15:25:15 CST
From: amolitor@anubis.network.com (Andrew Molitor)
Message-Id: <9604012125.AA10574@anubis.network.com>
To: firewalls@greatcircle.com
Subject: FTP PASV vs. non-PASV -
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

There's been a spate of postings on Usenet concerning a new anonymous FTP daemon that doesn't bind to port 20 to create outbound (active) data connections, for security reasons. I've also gone around with some people running firewalls on this one, since MY firewall doesn't like clients on the inside using PASV. The orthodox answer to my woes is 'use PASV, you nitwit.'
I have developed the following table of exposures required to make variations of FTP transfers work between sites C (client) and S (server):

           | Site C               | Site S
-----------+----------------------+---------------------------
Std FTP    | Allow INbound TCP    | Allow OUTbound TCP
           | 20 -> (1024..65535)  | 20 -> (1024..65535)
-----------+----------------------+---------------------------
PASV FTP   | Allow OUTbound TCP   | Allow INbound TCP
           | (1024..65535) ->     | (1024..65535) ->
           | (1024..65535)        | (ftpd defined range)
-----------+----------------------+---------------------------
non-std    | Allow INbound TCP    | Allow OUTbound
(i.e. anon | (1024..65535) ->     | (1024..65535) ->
ftpd)      | (1024..65535)        | (1024..65535)
-----------+----------------------+---------------------------

Firstly, have I got this pretty much right?

Note that the server exposure is smallest in the standard FTP case, except for this little wrinkle that if you're goofy enough to let internal hosts trust your FTP server, you have a problem.

Note that the server exposure is worst for the non-standard FTPd, in some sense. Outbound connections, if your filters can manage them as distinct from inbound, are a bit safer than inbound ones.

Note that PASV is basically suctional as anything for the server, since it HAS to allow a range of local ports, if it wants to serve multiple clients, and it HAS to allow inbound connections.

Note, lastly, that the table changes somewhat if you use packet filters that can't detect TCP setup packets (SYN, ~ACK, etc), and that it changes quite a bit more in the presence of stateful filters that can punch suitable holes to match a PORT command.

I confess to some puzzlement regarding the low esteem granted the normal FTP method, which actually pins down a port, in favor of the other methods which let both ends float free. IP has always been the nicest protocol to do packet filtering on, since it has the good grace to nail down port numbers for you instead of dynamically assigning everything.
The new improved model of FTP probably makes sense if you can afford to keep a packet filter between your anonymous FTP server and the rest of your machines, but it's half a solution, surely.

Comments?

Andrew

From firewalls-owner Mon Apr 1 15:21:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA25973 for firewalls-outgoing; Mon, 1 Apr 1996 15:09:24 -0800 (PST)
Received: from svcs1.digex.net (svcs1.digex.net [204.91.197.224]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA25947 for ; Mon, 1 Apr 1996 15:09:16 -0800 (PST)
Received: from mambo (fred.digex.net [164.109.213.78]) by svcs1.digex.net (8.6.12/8.6.12) with SMTP id SAA05658; Mon, 1 Apr 1996 18:07:05 -0500
Message-ID: <316060DE.312B@access.digex.net>
Date: Mon, 01 Apr 1996 18:03:58 -0500
From: "Eliot T. Ware"
Organization: U.S. Department of the Treasury (UNIBAND)
X-Mailer: Mozilla 2.0GoldB2 (WinNT; I)
MIME-Version: 1.0
To: abradley@ctcc.gov.za
CC: firewalls@GreatCircle.COM
Subject: Re: Instant Internet
References: <1698A553C2F@Dataproc_nov>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Alan Bradley wrote:
>
> Hi All,
>
> Can anyone provide me with information about a product called Instant
> Internet. Is it a fully fledged firewall?
>
> Any and all information would be appreciated.
>
> Thanks,
> Alan Bradley.
>
> Cape Town City Council
> Cape Town
> South Africa
> E-mail: abradley@ctcc.gov.za

Alan -

It is not a firewall. It provides IP/IPX gateway services using two separate interfaces on a 486/33 box. One interface only runs IP and the other only IPX. It dynamically assigns ports to the IPX clients to track IP usage out of the other interface. Now, whether that constitutes a secure wall or not (I believe it does and am actively trying to find someone to tell me why it doesn't) is up to interpretation and frequently escalates into a holy war.
We are evaluating it here and I haven't been able to find any way to get through the thing from the IP side to a client/server on the IPX side.

- Eliot

--
Eliot T. Ware, CNE                              voice: (202) 622-1302
Global Systems Manager                            fax: (202) 622-2582
U.S. Department of the Treasury (UNIBAND)   preferred: etware@access.digex.net
                                            alternate: eliot.ware@treas.sprint.com

From firewalls-owner Mon Apr 1 15:36:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA27203 for firewalls-outgoing; Mon, 1 Apr 1996 15:28:05 -0800 (PST)
Received: from cronopio.ibase.br (cronopio.ibase.br [200.18.178.15]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA27189 for ; Mon, 1 Apr 1996 15:27:55 -0800 (PST)
Received: (from uucp) by cronopio.ibase.br (8.6.12/Revision: 1.203 ) id UAA21840 for firewalls@greatcircle.com; Mon, 1 Apr 1996 20:18:02 -0300
Date: Mon, 1 Apr 1996 14:38:11 -0300
Received: from bud.pix.com.br by boemia.pix.com.br id aa04449; 1 Apr 96 14:38 BRA
X-Sender: fernando@bavaria.pix.com.br
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
To: "Jason H .Lamar." , Phil Tucker
From: Fernando Cabral
Subject: Re: your mail - WHOM?
Cc: firewalls@greatcircle.com, tuckerp@wt200055.css.gordon.army.mil
Message-ID: <9604011438.aa04449@boemia.pix.com.br>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 14:24 29/3/1996 -0500, Jason H .Lamar. wrote:

Please, let's stop using "Your mail" as subject. This is useless.

- fernando

--------------------------------------------------------------------
Fernando Cabral                        PADRÃO iX Informática
Sistemas Abertos Ltda.                 Voice: +55 61 274-6092
SCLN 116, bloco H, cj. 53              Fax:   +55 61 274-5302
70773-585 Brasilia-DF -- Brasil

From firewalls-owner Mon Apr 1 16:05:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA29264 for firewalls-outgoing; Mon, 1 Apr 1996 16:02:34 -0800 (PST)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id QAA29212 for ; Mon, 1 Apr 1996 16:02:22 -0800 (PST)
Received: from pm1-27.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA05495; Mon, 1 Apr 96 18:58:56 -0500
Date: Mon, 1 Apr 96 18:58:56 -0500
Message-Id: <9604012358.AA05495@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.com
From: Frank Willoughby
Subject: Re: SysAdmin Security course...
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From the desk of Phil Tucker:
>
> From: "Phil Tucker"
>
> I am searching for a good hands-on "Systems Administrator
> --Security---course". Manage and secure multi-vendor
> Unix systems (hands on firewall implementation). Don't need
> "concepts" or reference books. Have plenty of these.

Another alternative is to get your hands on an old 486 with @8MB+ of memory and @250MB+ and install a copy of FreeBSD or Linux on it (available from a CD or Bookstore or on the Web at various locations). It may be "awk"ward at first, but you'll get the hang of it. Try it & you'll "C" what I mean. 8^)

But seriously, the best approach to learn something is to take it apart, figure out how it works, and then try to get it to do what you want to do (time permitting, of course). Experimenting at home on this may help you get the experience you may need while helping to reduce the number of misteaks you make at work (and subsequent embarrassment).

Good Luck!

Best Regards,

Frank

Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec

The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.

Fortified Networks Inc. - Information Security Consulting
Phone: (317) 573-0800
http://www.fortified.com - Home of the Free Internet Firewall Evaluation Checklist

From firewalls-owner Mon Apr 1 16:26:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA28963 for firewalls-outgoing; Mon, 1 Apr 1996 15:59:15 -0800 (PST)
Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id PAA28936 for ; Mon, 1 Apr 1996 15:58:42 -0800 (PST)
Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.7.5/8.7.3) id JAA15119; Tue, 2 Apr 1996 09:49:10 +1000 (EST)
X-Authentication-Warning: citecuh.citec.qld.gov.au: mail set sender to using -f
Received: from guru.citec.qld.gov.au(147.132.20.47) by citecuh.citec.qld.gov.au via smap (V1.3) id /mail/incoming/sma015114; Tue Apr 2 09:49:06 1996
Received: (from sgcccdc@localhost) by guru.citec.qld.gov.au (8.6.12/8.6.12) id JAA09393; Tue, 2 Apr 1996 09:55:40 +1000
From: Colin Campbell
Message-Id: <199604012355.JAA09393@guru.citec.qld.gov.au>
Subject: Re: Clarification on Encryption Export Using CKE
To: asafier@explorer.csc.com (Adam Safier)
Date: Tue, 2 Apr 1996 09:55:38 +1000 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Adam Safier" at Mar 29, 96 06:52:00 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My mailer thinks Adam Safier said:
>
> At 10:23 PM 3/27/96 -0700, Bill Thompson wrote:
>
> >So while
> >it is not impossible for a US government agency to get an encryption key, it
> >is difficult, and they are not in the driver's seat. If they are motivated
> >to expend this kind of energy, my bet is that we might want them to
> >succeed, because they are probably protecting us.
> [chomp]
>
> 5 - A key registration requirement stifles new development (assuming all
> encryption is outlawed unless registered with fed. - I'm coming in a bit
> late into this discussion so this may not be relevant to CKE only discussion.)

What would happen to the "system" if everyone changed their keys very often? For example, I synchronize both ends to run something like the SecurID key generation and have both ends change their keys every time a new session starts up. Doesn't that make CKE unworkable?

As someone pointed out, the encryption is only being used to keep the session private, not the data when it reaches the endpoints.

Or am I on the wrong boat? In which case tell me to shut up (nicely).

Colin

From firewalls-owner Mon Apr 1 16:28:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA27772 for firewalls-outgoing; Mon, 1 Apr 1996 15:39:18 -0800 (PST)
Received: from tera.bctel.net (tera.bctel.net [204.174.64.252]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id PAA27758 for ; Mon, 1 Apr 1996 15:39:12 -0800 (PST)
Received: (from nobody@localhost) by tera.bctel.net (8.7.4/8.7.1) id PAA13662; Mon, 1 Apr 1996 15:37:13 -0800 (PST)
X-Authentication-Warning: tera.bctel.net: nobody set sender to using -f
Received: from mocha.bctel.net(204.174.66.5) by tera via smap (V1.3) id sma013659; Mon Apr 1 15:37:11 1996
Received: (from murrell@localhost) by mocha.bctel.net (8.7.5/8.7.3) id PAA22549; Mon, 1 Apr 1996 15:38:43 -0800 (PST)
From: Brian Murrell
Message-Id: <199604012338.PAA22549@mocha.bctel.net>
Date: Mon, 1 Apr 1996 15:38:42 -0800 (PST)
To: pferguso@cisco.com
Cc: armando@sar.net, firewalls@GreatCircle.COM
Subject: Re[2]: About the firewalls using RIP or static routes
In-Reply-To: <199603290515.VAA22417@lint.cisco.com>
X-Mailer: Ishmail 1.2-960212-sol24
MIME-Version: 1.0
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

from the quill of Paul Ferguson on scroll <199603290515.VAA22417@lint.cisco.com>

> Answer: No routes.

That answer doesn't scale very well. How 'bout dynamic routing in the core only?? For instance: what if your network is very large and your firewall is used to choke many other networks all gated by routers out to the Internet. Managing the static routes everywhere gets tedious and leaves room for error. Why not have the routers that border the networks statically populated but updating the firewall (who of course only listens to route updates on its "internal" interfaces) dynamically. This way you don't have to populate the firewall with static routes every time another network (accessed by yet another router) wants access to the Internet. Just be sure that the router that borders the new network doesn't listen to route updates from the network side if you don't trust those folks.

I suppose we get into the never-ending definition of a firewall though. In the above scenario where you have control of the internal network border routers and trust them (because you control them) they actually become a part of your firewall.

Thots??

b.

--
Brian J. Murrell                       murrell@bctel.net
BCTel Advanced Communications          brian@ilinx.com
Vancouver, B.C.
                                       brian@wimsey.com
604 454 5279

From firewalls-owner Mon Apr 1 16:30:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA25455 for firewalls-outgoing; Mon, 1 Apr 1996 15:02:28 -0800 (PST)
Received: from outpost.wg.waii.com (outpost.wg.waii.com [198.3.192.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA25441 for ; Mon, 1 Apr 1996 15:02:21 -0800 (PST)
Received: from mail.wg.waii.com by outpost.wg.waii.com with SMTP id AA11174 (5.65c/IDA-1.4.4 for ); Mon, 1 Apr 1996 16:58:27 -0600
Received: from voyager.wg.waii.com (voyager.wg.waii.com [137.144.170.51]) by mail.wg.waii.com (8.7.5/8.7.3) with SMTP id QAA22557 for ; Mon, 1 Apr 1996 16:58:25 -0600
Received: by voyager.wg.waii.com id AA23856 (5.67b/IDA-1.5 for Firewalls@GreatCircle.COM); Mon, 1 Apr 1996 16:58:22 -0600
From: Mark Whetzel
Message-Id: <199604012258.AA23856@voyager.wg.waii.com>
Subject: Re: Wierd address observed
To: Firewalls@GreatCircle.COM
Date: Mon, 1 Apr 96 16:58:21 CST
In-Reply-To: <199604011846.KAA07371@miles.greatcircle.com>; from "firewalls-digest-owner@GreatCircle.COM" at Apr 1, 96 10:46 am
Reply-To: mark.whetzel@waii.com
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: Brian Prentiss
> Date: Mon, 1 Apr 1996 10:34:53 -0700 (MST)
> Subject: Wierd address observed
>
> I have noticed that someone from network 0, specifically 0.8.0.69 has
> been
> doing (legitimate seeming) DNS queries. Is this network not reserved?
> I was under the (perhaps false) impression that network 0 was off limits.
>
> Does anyone have any insight into this, or noticed any of this themselves?

Assuming this is not an 'April fools', the IP address 0.8.0.69 is one of the many interfaces used by NS.UU.NET.

    nslookup
    > set query=any
    > ns.uu.net.
    Non-authoritative answer:
    ns.uu.net       internet address = 137.39.1.3
    ns.uu.net       internet address = 206.6.1.1
    ns.uu.net       internet address = 137.191.2.149
    ns.uu.net       internet address = 0.8.0.69
    ns.uu.net       internet address = 206.6.1.127
    ns.uu.net       internet address = 198.6.1.1
    ns.uu.net       internet address = 198.6.1.127

    Authoritative answers can be found from:
    UU.NET  nameserver = UUCP-GW-1.PA.DEC.COM
    UU.NET  nameserver = UUCP-GW-2.PA.DEC.COM
    UU.NET  nameserver = NS.EU.net
    UU.NET  nameserver = NS.UU.net
    UUCP-GW-1.PA.DEC.COM    internet address = 204.123.2.18
    UUCP-GW-1.PA.DEC.COM    internet address = 16.1.0.18
    UUCP-GW-2.PA.DEC.COM    internet address = 16.1.0.19
    NS.EU.net       internet address = 192.16.202.11
    NS.UU.net       internet address = 137.39.1.3
    NS.UU.net       internet address = 206.6.1.1
    NS.UU.net       internet address = 137.191.2.149
    NS.UU.net       internet address = 0.8.0.69
    NS.UU.net       internet address = 206.6.1.127
    NS.UU.net       internet address = 198.6.1.1
    NS.UU.net       internet address = 198.6.1.127

Curiously, a reverse lookup of "69.0.8.0.in-addr.arpa." will fail, with "Non-existent domain".

--
Mark Whetzel              My comments are my own, not my company's.
Western Geophysical - A division of Western Atlas International Inc.,
A Subsidiary of Western Atlas Inc.
DOMAIN addr: markw@airgun.wg.waii.com          VOICE: (713) 963-2544
UUNET address: uunet!airgun!markw

From firewalls-owner Mon Apr 1 16:35:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA27077 for firewalls-outgoing; Mon, 1 Apr 1996 15:25:55 -0800 (PST)
Received: from arnie.systems.sa.gov.au (arnie.systems.sa.gov.au [143.216.242.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id PAA27011 for ; Mon, 1 Apr 1996 15:24:36 -0800 (PST)
Received: from state.systems.sa.gov.au by arnie.systems.sa.gov.au (PMDF V4.3-7 #13538) id <01I326G3RPE80038CU@arnie.systems.sa.gov.au>; Tue, 2 Apr 1996 08:49:50 +1030
Received: from dogbert.systems.sa.gov.au (dogbert.systems.sa.gov.au) by state.systems.sa.gov.au (PMDF V5.0-4 #13538) id <01I326FWKGCW002QPH@state.systems.sa.gov.au>; Tue, 02 Apr 1996 08:49:39 +0930
Received: from jolt.systems.sa.gov.au (jolt.systems.sa.gov.au [143.216.237.8]) by dogbert.systems.sa.gov.au (8.6.12/8.6.12) with SMTP id IAA01402; Tue, 02 Apr 1996 08:55:31 +0930
Date: Mon, 01 Apr 1996 18:51:02 +0930
From: Garth Kidd
Subject: Re: Firewalls-Digest V5 #200
In-reply-to: firewalls-digest-owner@GreatCircle.COM "Firewalls-Digest V5 #200" (Mar 31, 21:35)
To: Firewalls@GreatCircle.COM, nicholscs@agedwards.com
Message-id: <960402095216.ZM2871@jolt.systems.sa.gov.au>
MIME-version: 1.0
X-Mailer: Z-Mail 4.0 (4.0.0 Aug 21 1995)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7BIT
References: <199604010535.VAA21689@miles.greatcircle.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I have heard of a commercial product known as Veracity that is used to
> check the integrity of critical data and operating systems files. It
> sounds like a Tripwire type of program. Has anyone used Veracity or
> have any comments on the product?

Veracity features:

- Creates a snapshot of an entire directory tree.
- Snapshot files:
  - Are platform independent.
  - Are about 1/300th the size of the directory tree.
  - Are human readable text files that can be sent by email.
  - Can be cryptographically locked so any modification will be detected.
- Tailor checking within target tree using pathname pattern/action rules.
- Can verify heterogeneous file transfers (eg Unix to MS-DOS):
  - Copes with text files EOLs (etc) changing.
  - Copes with filename changes (truncation, upper case, etc).
- Built in scripting language allows checking to be automated.
- Digest algorithms: SHA0, SHA1, MD2, MD4, MD5, Snefru (four versions).
- Checksum algorithms: CRC-16, CRC-32, Fletcher, Internet, sum.
- Can provide full binary or text differences for particular files.
- Can monitor all Unix file attributes.

Platforms:

  MS-DOS  Macintosh  SunOS  Solaris  VAX/VMS  OpenVMS AXP  DEC OSF/1  Ultrix  HP/UX  SGI  BSD/OS

... and more. Rocksoft are working to expand the range of platforms.

Demo licences are available if you'd like to test the product before you buy. Send mail to demo@rocksoft.com for more information and a demo license.

Their web site is at: http://www.rocksoft.com/

If you'd rather jump straight to information on Veracity: http://www.on.net/clients/rocksoft/rocksoft/veracity.html

Veracity's author, Dr Ross N Williams, is also known for the FunnelWeb literate programming tool, his papers on compression algorithms and software patent law, the {farming} entry in the Jargon File, and for a much-celebrated document on computer science educational technology. An AltaVista search on "Ross" +"Williams" will show many of these, but please don't confuse him with the Hawaiian surfer. Dr Williams is more often to be found surfing thermals, in a glider.
--
garth@dogbert.systems.sa.gov.au | Garth Kidd
+61-8-207-7740 (voice)          | Professional Services Division
+61-8-207-7860 (fax)            | Southern Systems
                                | Adelaide, AUSTRALIA

From firewalls-owner Mon Apr 1 16:37:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA00411 for firewalls-outgoing; Mon, 1 Apr 1996 16:15:32 -0800 (PST)
Received: from mail.RC.Toronto.on.ca (rcooper.the-wire.com [198.53.192.91]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id QAA00395 for ; Mon, 1 Apr 1996 16:15:21 -0800 (PST)
Received: from RWCooper.RC.Toronto.on.ca ([205.206.47.2]) by mail.RC.Toronto.on.ca (post.office MTA v1.9.3 evaluation license) with SMTP id AAA63 for ; Mon, 1 Apr 1996 19:13:05 -0500
Received: by RWCooper.RC.Toronto.on.ca with Microsoft Mail id <01BB1FFE.25C45A40@RWCooper.RC.Toronto.on.ca>; Mon, 1 Apr 1996 19:05:09 -0500
Message-ID: <01BB1FFE.25C45A40@RWCooper.RC.Toronto.on.ca>
From: Russ
To: "'Firewalls'"
Subject: Object Authentication (was: Java)
Date: Mon, 1 Apr 1996 19:05:08 -0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I want to thank all those that responded to my yelping about the WinVerifyTrust spec. For only the second time in my life, I really think I have the makings for a commercial product here. While I want to discuss the technology at length, I would really like to talk to anyone interested in investing in an idea first.
Cheers,
Russ

From firewalls-owner Mon Apr 1 17:21:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA04867 for firewalls-outgoing; Mon, 1 Apr 1996 17:07:58 -0800 (PST)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA04833 for ; Mon, 1 Apr 1996 17:07:47 -0800 (PST)
Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id UAA18140; Mon, 1 Apr 1996 20:08:30 -0500
From: Adam Shostack
Message-Id: <199604020108.UAA18140@homeport.org>
Subject: Re: Bill on CKE
To: PADGETT@hobbes.orl.mmc.com (A. Padgett Peterson P.E. Information Security)
Date: Mon, 1 Apr 1996 20:08:30 -0500 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <960328215411.2022134e@hobbes.orl.mmc.com> from "A. Padgett Peterson P.E. Information Security" at Mar 28, 96 09:54:11 pm
X-Mailer: ELM [version 2.4 PL24 ME8b]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Padgett,

You're forgetting the other half of the liability issue, and that is the requirement that keys be stored. Using DH, users can exchange a key, and then throw away all the information used to generate a session key. If this is done, after a conversation ends, it can't be read. Forcing a key escrow scheme on top of this raises the possibility that a breach in your GAK scheme will make all of your historical traffic readable.

We can easily get to strong file and message encryption with local key recovery using a couple of small modifications to PGP.* We can't get instant network access without substantially raising the risks.

Adam

* PGP includes a 'metoo' option, which encrypts a copy of the session key with your public key, so you can read encrypted messages you've sent. It's pretty easy to modify this to encrypt to a 'data recovery key' as well, and in fact Viacrypt seems to have done so.

A. Padgett Peterson P.E. Information Security wrote:
| Bill can be excused for being a bit biased in the matter but I happen to
| agree with him. I do expect large US corporations (such as my employer
| for whom I do not speak. Notary Sojack) to hold their own keys. However it
| is the foreign agreements that are the compelling reason to accept key
| escrow if you need to do business internationally.

| The key here (and what I think concerns most people) is not the escrow but
| not knowing if the escrow had been exercised. If someone you trust (not the
| US Gov) is the holder then I suspect there will not be a problem.

| Bottom line, CKE seems to me to be an acceptable technical answer to
| a political question. Just wonder if the USGov will accept liability if
| it gets broken since it was their idea.

Right.

|
| Warmly,
| Padgett
|

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From firewalls-owner Mon Apr 1 18:21:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA11714 for firewalls-outgoing; Mon, 1 Apr 1996 18:14:44 -0800 (PST)
Received: from lint.cisco.com (lint-ether.cisco.com [198.93.170.22]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA11663 for ; Mon, 1 Apr 1996 18:14:22 -0800 (PST)
Received: from pferguso-pc.cisco.com (c2robo13.cisco.com [171.68.13.45]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id SAA16893; Mon, 1 Apr 1996 18:11:04 -0800
Message-Id: <199604020211.SAA16893@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 01 Apr 1996 21:12:11 -0500
To: Paul Kvanvig
From: Paul Ferguson
Subject: Re: About the firewalls using RIP or static routes
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 05:00 PM 4/1/96 -0500, Paul Kvanvig wrote:
>
>Well to answer the question; dynamic routes are a security problem since
>routing updates can be easily forged. Unless your firewall is a layer 2
>device, it will have routes. And these should be static.
>

Yes -- thanks for expounding for me. :-)

- paul

>-Paul Kvanvig
>
>At 12:16 AM 3/29/96 -0500, you wrote:
>>
>>Answer: No routes.
>>
>>- paul
>>
>>At 10:51 PM 3/27/96 -0600, Armando Aguilar wrote:
>>
>>>Hello,
>>> Which is better on a Firewall, static routes or dynamic routes?
>>>
>>>Thanks.
>>>
>>>

From firewalls-owner Mon Apr 1 18:51:18 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA09238 for firewalls-outgoing; Mon, 1 Apr 1996 17:49:08 -0800 (PST)
Received: from Alcon.Com (ns2.alcon.com [204.251.168.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id RAA09211 for ; Mon, 1 Apr 1996 17:48:57 -0800 (PST)
Received: (from geboykin@localhost) by Alcon.Com (8.7.2/8.6.12) id TAA13685; Mon, 1 Apr 1996 19:48:41 -0600
Date: Mon, 1 Apr 1996 19:48:41 -0600 (CST)
From: Greg Boykin
To: Paul McNabb
cc: madderra@emss.com, Firewalls@GreatCircle.COM
Subject: Re: Java Security & Decaf(tm)
In-Reply-To: <199604012149.PAA22830@argus.cu-online.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 1 Apr 1996, Paul McNabb wrote:

> > From: "G.Grenier"
> >
> > What do you think of the Computing Canada's article ("JavaScript escalates
> > privacy fears") stating that JavaScript "...has the ability to enter a
> > user's Netscape Navigator 2.0 Preferences file, snatch the user's email
> > address and forward it to another Internet address without the consent or
> > knowledge of the user. ..."
>

Couldn't any of the nice little Netscape add-ins do the same thing on a much broader scale and easier than creating an applet? Hmmm...what does that credit card add-in really do?
-Greg-
geboykin@alcon.com

From firewalls-owner Mon Apr 1 19:06:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA10454 for firewalls-outgoing; Mon, 1 Apr 1996 18:00:42 -0800 (PST)
Received: from tera.bctel.net (tera.bctel.net [204.174.64.252]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id SAA10395 for ; Mon, 1 Apr 1996 18:00:25 -0800 (PST)
Received: (from nobody@localhost) by tera.bctel.net (8.7.4/8.7.1) id RAA16092; Mon, 1 Apr 1996 17:58:23 -0800 (PST)
X-Authentication-Warning: tera.bctel.net: nobody set sender to using -f
Received: from mocha.bctel.net(204.174.66.5) by tera via smap (V1.3) id sma016090; Mon Apr 1 17:58:22 1996
Received: (from murrell@localhost) by mocha.bctel.net (8.7.5/8.7.3) id RAA25304; Mon, 1 Apr 1996 17:59:52 -0800 (PST)
From: Brian Murrell
Message-Id: <199604020159.RAA25304@mocha.bctel.net>
Date: Mon, 1 Apr 1996 17:59:51 -0800 (PST)
To: david@wsi.com
Cc: firewalls@GreatCircle.COM
Subject: Re: ? (Network Address Translation) NAT questions
In-Reply-To: <9604012241.AA20852@rivendell.wsi.com>
X-Mailer: Ishmail 1.2-960212-sol24
MIME-Version: 1.0
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

from the quill of david@wsi.com (David Flinn) on scroll <9604012241.AA20852@rivendell.wsi.com>

> 1) two token ring interfaces (yikes !)

> - Checkpoint passes 2 and 3 but fails 1. (at least on Sparc, unsure about
> HP)

Why does Checkpoint fail on number 1?? Does it not like token-ring cards (read: frames)?? Where did you discover that it doesn't like TR?

b.

--
Brian J. Murrell                       murrell@bctel.net
BCTel Advanced Communications          brian@ilinx.com
Vancouver, B.C.
                                       brian@wimsey.com
604 454 5279

From firewalls-owner Mon Apr 1 19:18:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA10223 for firewalls-outgoing; Mon, 1 Apr 1996 17:59:18 -0800 (PST)
Received: from gw2.att.com (gw2.att.com [192.20.239.134]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA10179 for ; Mon, 1 Apr 1996 17:58:57 -0800 (PST)
Received: from vodka.sse.att.com (vodka.gc.att.com) by ig2.att.att.com id AA09793; Mon, 1 Apr 96 10:19:42 EST
Message-Id: <9604011519.AA09793@ig2.att.att.com>
From: mdr@vodka.sse.att.com
Subject: Re: DOS based firewalls: Reply to Riggins latest
To: hancock@network-1.com (Dr. Bill Hancock)
Date: Mon, 1 Apr 1996 10:23:07 -0500 (EST)
Cc: mdr@vodka.sse.att.com, firewalls@greatcircle.com
In-Reply-To: from "Dr. Bill Hancock" at Mar 25, 96 11:16:20 am
X-Mailer: ELM [version 2.4 PL23-upenn2.7]
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Bill,

Thanks for the response. I'm impressed with the details given by yourself and Marcus. And I'm glad that the letter that started this all afforded you an occasion to defend your approach.

> presentations, articles and in papers on the subject (some of these are on
> our web site and others are scattered around the 'net). I have a high-speed
> firewall research project going on where I am presenting a paper at the
> InterOP engineering conference next week that covers this (layered network
> security defenses) in great detail. Bottom line is that a layered approach
> to security is always preferred with proper audit trail and proper
> accounting at each layer for detection and management.

Agreed. Hope to get a copy of the paper, I probably won't be able to make it to InterOP.

> I refer you to Marcus Ranum's e-mail response to this subject. He was ONE
> of the testing experts we contracted.

I wish he'd chipped in earlier on this thread.
It was great to hear a respected outside opinion who's seen the details.

> > >Yeah right, it couldn't possibly fail "open, Period". And w/o
> > >independent evaluation we have only your word to back that up. Isn't
> > >this "trust me its secure" in full force now?
>
> No. It was tested - rigorously and properly. Again, I refer you to Marcus'
> e-mail.

Hmmm. I think that we'll just have to agree to disagree here :) Even with independent review I have a hard time swallowing that conclusion. Marcus refused to enforce that blanket statement too.

[snip: lots of good methodology]
[snip: credentials]

> And you are entitled to your opinion and I mine. Occasionally, these will
> differ. That's what discussion like this is all about.

Thanks for the postings and thanks for responding with logical arguments and information instead of heated arguments. That sets an example that I wish that all would follow. I know that that's *really* hard to do when someone is talking about your baby.

Mark Riggins
Secure Systems Engineering
AT&T Bell Labs

From firewalls-owner Mon Apr 1 19:21:10 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA11360 for firewalls-outgoing; Mon, 1 Apr 1996 18:11:32 -0800 (PST)
Received: from QUEENS.ORG (gwmail.queens.org [204.94.115.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA11346 for ; Mon, 1 Apr 1996 18:11:18 -0800 (PST)
Received: from QMC-Message_Server by QUEENS.ORG with Novell_GroupWise; Mon, 01 Apr 1996 16:05:36 -1000
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Mon, 01 Apr 1996 16:09:00 -1000
From: DARRYL PANG
To: Firewalls@GreatCircle.COM
Subject: Firewalls-Digest V5 #196 -Reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

FYI. Suggestions for users that always forget their passwords. This is an unauthorized excerpt from one of the digests I receive. I've highlighted the two most important suggestions from this post.
------------------------------

From: Warren Moore
Date: 28 Mar 96 8:02:31
Subject: Re: Password Generation

While it's somewhat off-topic, several folks have written lately concerning pronounceable passwords and the generation thereof. Allow me to add to the confusion.

We all know that:

1) Reusable passwords aren't safe,
2) Passwords need to be safe,
3) Passwords need to be hard to crack,
4) Passwords need to be easy to remember,
5) and a whole lot of other binary sets that are mutually exclusive.

Those of us old enough to remember coding in machine language also remember that computer passwords weren't originally for security purposes at all, but were accounting/billing codes. However, we're stuck with them. The powers that be in our various companies/organizations either aren't enlightened enough to spend $35-65 each for tokens for several thousand users :-), or to mandate that everyone use Skey, or don't want to rock the boat, or whatever.

The scheme that I've pushed for years creates passwords that are first of all easy for the user to remember *which is by far the most important thing from the user's viewpoint,* extremely difficult for a cracker to guess, and immune to dictionary attacks. It's based on pass-phrases, but helps with the keying difficulty.

Simply think up a phrase that you can remember, preferably including a date:

  "I drive a 1954 Corvette in parades."  (Boy, I wish!)
  "My houseboat is a 1966 Coronet."      (Sold it.)
  "I was born in May of 1943."           (Yes, I am one of Marcus' "greybeards".)

Use the first letter of each word and part of the date to derive the password:

  ida54cip.  mhia66c.  iwbimo43.

Mix lower-case or upper-case as you wish, or even follow conventional rules of capitalization in your own grammar and treat it as a sentence:

  Ida54Cip.  Mhia66C.  IwbiMo43.

If you can't think of a sentence on your own, use a song:

  "Just sit right back and you'll hear a tale, a tale of a fateful trip.
   That started from this tropic port, aboard this tiny ship."
("Gilligan's Isle" theme song for the culturally depraved.)

  "Jsrbayhat,"  "atoaft,"  "Tsfttp,"  "atts."

Works for me.

- ---
Warren S. Moore, CISSP
Information Security Specialist
Cincinnati Bell Information Systems Inc.

------------------------------

Mahalo, DPP.

\m/ ^_^ \m/
The packet goes out the card, into the copper, out the router, onto the fiber, across the world, thru the copper............ NOTHING BUT NET.

From firewalls-owner Tue Apr 2 10:25:21 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA02323 for firewalls-outgoing; Tue, 2 Apr 1996 10:11:40 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA03509 for ; Tue, 2 Apr 1996 09:33:26 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id AAA18577; Tue, 2 Apr 1996 00:05:04 -0800
Received: from locke.ccil.org(205.164.136.88) by mycroft via smap (V1.3mjr) id sma018563; Tue Apr 2 00:04:44 1996
Received: (xavier@localhost) by locke.ccil.org (8.6.9/8.6.10) id DAA10050; Tue, 2 Apr 1996 03:08:03 -0500
Date: Tue, 2 Apr 1996 03:08:01 -0500 (EST)
From: Xavier
Subject: Re: quit
To: Roxy123952@aol.com
cc: firewalls@GreatCircle.COM
In-Reply-To: <960321163725_451674213@mail06>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 21 Mar 1996 Roxy123952@aol.com wrote:

> quit roxy123952
>

BEEEEEP! ..wrong answer.
From firewalls-owner Tue Apr 2 11:39:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA12815 for firewalls-outgoing; Tue, 2 Apr 1996 11:26:36 -0800 (PST)
Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA12809 for ; Tue, 2 Apr 1996 11:26:31 -0800 (PST)
Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id NAA13088; Tue, 2 Apr 1996 13:24:32 -0600 (CST)
Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id NAA13084; Tue, 2 Apr 1996 13:24:32 -0600 (CST)
Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id NAA22754; Tue, 2 Apr 1996 13:24:56 -0600 (CST)
Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id NAA14718; Tue, 2 Apr 1996 13:24:55 -0600
Date: Tue, 2 Apr 1996 13:24:55 -0600
From: Rick Smith
Message-Id: <199604021924.NAA14718@shade.sctc.com>
To: firewalls@greatcircle.com
Cc: smith@sctc.com, us028272@interramp.com
Subject: Re: trusting the processor chip
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

us028272@interramp.com (JEFF C FLYNN) asks:

>Does anyone know of articles regarding the possibility of subverting
>processor chips? Is this a realistic threat? Is it possible to hack vhdl
>compilers to embed intentional security flaws in silicon? Known cases?
>Attempts?

This is probably science fiction, particularly at the VHDL level. Maybe someone could make a crime of opportunity out of a microcode flaw, but there's a risk of it being found out during testing. To do it right would require collusion of the design and test teams. They need to ensure the back door stays closed, isn't tickled by "normal" testing and only opens when really requested. So a lot of people are in on the secret even before it gets exploited for nefarious purposes.
And what nefarious purposes would pay for the risks and costs of this? If the secret got out, the design team, product line, and company would be dead in the marketplace and probably spend the rest of their lives responding to lawsuits. What could you use this for that is worth the risk? Trying to do it to the compiler (like Thompson inserting a back door in login using the Unix C compiler) is, again, theoretically possible. But the only reason to hack the compiler would be to do the deed without involving the processor development team. Risky in terms of building a reliable back door and the risk of detection. It might not work and the changes might be detected. To do it right would probably involve as many technical people as the processor development itself. Even "high grade threats" have finite resources -- there aren't that many processor design gurus in the world to start with. At best, this might make a good plot element for Tom Clancy. Rick. smith@sctc.com secure computing corporation From firewalls-owner Tue Apr 2 11:46:04 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA02438 for firewalls-outgoing; Tue, 2 Apr 1996 10:13:56 -0800 (PST) Received: from uu11.psi.com (uu11.psi.com [38.8.24.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA00345 for ; Tue, 2 Apr 1996 09:25:05 -0800 (PST) Received: from gate.funb.com by uu11.psi.com (5.65b/4.0.940727-PSI/PSINet) via SMTP; id AA15184 for ; Tue, 2 Apr 96 12:00:30 -0500 Received: by funb.com (4.1/SMI-4.1) id AA19761; Tue, 2 Apr 96 12:00:29 EST Received: from cm_mailhost.capmark.funb.com by gate.funb.com via SMTP (V1.3) id sma019758; Tue Apr 2 12:00:25 1996 Received: from funws302.capmark.funb.com (funws302 [168.175.7.54]) by capmark.funb.com (8.7.4/8.7.3) with ESMTP id MAA00322; Tue, 2 Apr 1996 12:00:19 -0500 (EST) From: "Mark Horn [ Net Ops ]" Received: (mhorn@localhost) by funws302.capmark.funb.com (8.6.12/8.6.12) id MAA07741; Tue, 2 Apr 1996 
12:00:04 -0500 Message-Id: <199604021700.MAA07741@funws302.capmark.funb.com> Subject: Re: Redundant Internet Connections To: bstout@osc.hitachi.com (Bill Stout) Date: Tue, 2 Apr 1996 12:00:00 -0500 (EST) Cc: Firewalls@GreatCircle.COM In-Reply-To: <9603271814.AA20898@osc.hitachi.com> from "Bill Stout" at Mar 27, 96 10:14:46 am X-Mailer: ELM [version 2.4 PL24 ME8] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Bill Stout says: >I did some research into load balancing vs. redundant >internet connections once. FYI, some pretty good docs discussing just this issue: http://fairy.tlg.net/Documents/multi-homing.to.mci http://fairy.tlg.net/Documents/multi-homing.between.providers Cheers, -- Mark Horn mhorn@funb.com Free Advice and Opinions -- Refunds Available From firewalls-owner Tue Apr 2 11:53:34 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA02470 for firewalls-outgoing; Tue, 2 Apr 1996 10:15:34 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA00452 for ; Tue, 2 Apr 1996 09:26:02 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id GAA21791; Tue, 2 Apr 1996 06:03:20 -0800 Received: from donald.interpac.be(193.53.125.80) by mycroft via smap (V1.3mjr) id sma021783; Tue Apr 2 06:02:22 1996 Received: from INTERPC.interpac.be ([194.78.32.98]) by donald.interpac.be (8.7.3/8.7.1) with SMTP id QAA21624 for ; Tue, 2 Apr 1996 16:06:41 +0200 (MET DST) Message-ID: <31614297.827@interpac.be> Date: Tue, 02 Apr 1996 16:07:03 +0100 From: Gaetan Dhont Organization: Network Research Belgium X-Mailer: Mozilla 2.0 (Win95; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: FTP Proxy Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi. Could somebody explain this ? 
- how does the FTP Proxy forward the data from the outside to the internal FTP?
- how does the FTP Proxy forward the data from the inside to the Internet?
Is this schema correct?
schema 1)
internet ----------> FTP Proxy ------------> internal FTP
port 20 - - - - - > port 1234
port 21 - - - - - > port 1235
internet <---------- FTP Proxy <------------ internal FTP
port 20 < - - - - - port 1236
port 21 < - - - - - port 1237
with ports 1234, 1235, 1236, 1237 being generic ports above 1024
And for internal FTP transactions?
schema 2)
FTP internal <-----------> internal FTP
port 20
port 21
If these two preceding schemas are correct, the FTP needs 2 configuration ports. Am I on the wrong track? Thank you in advance for your response. Regards. From firewalls-owner Tue Apr 2 12:23:45 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA02492 for firewalls-outgoing; Tue, 2 Apr 1996 10:17:07 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA02559 for ; Tue, 2 Apr 1996 09:31:01 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id BAA19418; Tue, 2 Apr 1996 01:20:19 -0800 Received: from nsco.network.com(129.191.1.1) by mycroft via smap (V1.3mjr) id sma019398; Tue Apr 2 01:18:48 1996 Received: from mnbp.network.com (ushub.network.com) by nsco.network.com (4.1/1.34) id AA15048; Tue, 2 Apr 96 02:32:12 CST Received: by mnbp.network.com with Microsoft Mail id <3160E49B@mnbp.network.com>; Tue, 02 Apr 96 02:26:03 CST From: Greg Brennan To: firewalls mailing list Subject: FW: Encryption Devices Date: Tue, 02 Apr 96 02:25:00 CST Message-Id: <3160E49B@mnbp.network.com> X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Check out the BorderGuard from NSC. 
It does encryption (DES, Triple DES, IDEA, and exportable NSC1), RSA Authentication (with Diffie-Hellman key exchange), and has a very fast application level packet filtering facility which allows administrators to apply "policy based" Secure VPNs (S/VPNs). Web page at http://www.network.com - Greg ---------- From: firewalls-owner To: Firewalls Subject: Encryption Devices Date: April 1, 1996 10:01AM Hi; We are just starting up our operation and it will include services to our corporate clients, such as www access and DNS services through our firewall. We are beginning to get questions from clients about the use of encryption devices and don't have any experience with them. I saw a device called Time Step at one of the recent shows and was impressed, but that's the only one I know about. Can anyone recommend any other devices or know about any that I should pursue? Either post an answer for comment or contact me personally at hfdk41a@prodigy.com Thanks, -John Molnar From firewalls-owner Tue Apr 2 12:49:31 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA15095 for firewalls-outgoing; Tue, 2 Apr 1996 12:33:53 -0800 (PST) Received: from cronopio.ibase.br (cronopio.ibase.br [200.18.178.15]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA15079 for ; Tue, 2 Apr 1996 12:33:12 -0800 (PST) Received: (from uucp) by cronopio.ibase.br (8.6.12/Revision: 1.203 ) id RAA23931 for firewalls@greatcircle.com; Tue, 2 Apr 1996 17:32:02 -0300 Date: Tue, 2 Apr 1996 07:59:13 -0300 Received: from bud.pix.com.br by boemia.pix.com.br id aa06087; 2 Apr 96 7:59 BRA X-Sender: fernando@bavaria.pix.com.br X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable To: matt@uts.edu.au, Fernando Cabral From: Fernando Cabral Subject: Re: your mail - WHOM? 
- Sorry, I must insist Cc: sigurd@access.digex.net, tuckerp@css583.gordon.army.mil, firewalls@greatcircle.com, tuckerp@wt200055.css.gordon.army.mil Message-ID: <9604020759.aa06087@boemia.pix.com.br> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 12:24 2/4/1996 +1000, matt@uts.edu.au wrote: >Fernando Cabral wrote this... > >> At 14:24 29/3/1996 -0500, Jason H .Lamar. wrote: > >> Please, let's stop using "Your mail" as subject. This is useless. > >the reason the mail subject is "Re: your mail" is quite often because >the original sender didn't have a subject at all... check the source >code of your favorite mail reader.... I know! We have two problems to solve: 1) convince people NOT to send a message without a subject; 2) If you got a message without a subject, then add one, or get rid of the message without paying attention to it. - fernando -------------------------------------------------------------------- Fernando Cabral PADRÃO iX Informática Sistemas Abertos Ltda. Voice: +55 61 274-6092 SCLN 116, bloco H, cj. 
53 Fax: +55 61 274-5302 70773-585 Brasilia-DF -- Brasil From firewalls-owner Tue Apr 2 12:53:19 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA02515 for firewalls-outgoing; Tue, 2 Apr 1996 10:18:37 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA02628 for ; Tue, 2 Apr 1996 09:31:11 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id CAA20027; Tue, 2 Apr 1996 02:14:24 -0800 Received: from relay2.uu.net(192.48.96.7) by mycroft via smap (V1.3mjr) id sma020025; Tue Apr 2 02:13:59 1996 Received: from pegase.total.fr by relay2.UU.NET with SMTP id QQajrl21477; Tue, 2 Apr 1996 05:15:21 -0500 (EST) Received: from tidtest.total.fr (tidtest.total.fr [146.249.165.73]) by pegase.total.fr (8.6.8/8.6.6) with SMTP id MAA13845; Tue, 2 Apr 1996 12:14:29 +0200 Received: by tidtest.total.fr (4.1/SMI-4.1) id AA03478; Tue, 2 Apr 96 12:13:31 +0200 Message-Id: <9604021013.AA03478@tidtest.total.fr> To: mark.whetzel@waii.com Cc: Firewalls@greatcircle.com Subject: Re: Wierd address observed In-Reply-To: Your message of "Mon, 01 Apr 1996 16:58:21 CST." <199604012258.AA23856@voyager.wg.waii.com> X-Cuse: "The dog ate my network" Date: Tue, 02 Apr 1996 12:13:24 +0100 From: Michel Lavondes Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In message <199604012258.AA23856@voyager.wg.waii.com>, Mark Whetzel writes: > > From: Brian Prentiss > > Date: Mon, 1 Apr 1996 10:34:53 -0700 (MST) > > Subject: Wierd address observed > > > > I have noticed that someone from network 0, specifically 0.8.0.69 has > > been > > doing (legitimate seeming) DNS queries. Is this network not reserved? > > I was under the (perhaps false) impression that network 0 was off limits. > > > > Does anyone have any insight into this, or noticed any of this themselves? 
> > Assuming this is not an 'april fools', the IP address 0.8.0.69 is one of > the many interfaces used by NS.UU.NET. > > [...] > Not quite. There are bogus addresses for ns.uu.net floating around. This is probably one of them. See the bind archives for further info. AFAIR, this was discussed last week or week before last. Michel Lavondes (lavondes@tidtest.total.fr) #include ** CDA warning : don't read this if you're under 18 ** Don't whistle while you piss Hagbard Celine From firewalls-owner Tue Apr 2 13:08:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA16301 for firewalls-outgoing; Tue, 2 Apr 1996 12:58:35 -0800 (PST) Received: from out.tracor.com (in.tracor.com [131.189.127.250]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA16276 for ; Tue, 2 Apr 1996 12:58:27 -0800 (PST) Received: from galileo.tracor.com (galileo.tracor.com [131.189.101.200]) by out.tracor.com (8.6.12/8.6.12) with ESMTP id OAA00555 for ; Tue, 2 Apr 1996 14:56:18 -0600 Received: from sparky.sdd.tracor.com (sparky.sdd.tracor.com [131.189.27.1]) by galileo.tracor.com (8.6.5/8.6.12) with SMTP id OAA10496 for ; Tue, 2 Apr 1996 14:56:16 -0600 Received: from brazos.sdd.tracor.com by sparky.sdd.tracor.com (4.1/SMI-4.1) id AA05130; Tue, 2 Apr 96 14:56:14 CST Received: (from plupa@localhost) by brazos.sdd.tracor.com (8.6.12/8.6.12) id OAA07043 for firewalls@GreatCircle.COM; Tue, 2 Apr 1996 14:56:12 -0600 Date: Tue, 2 Apr 1996 14:56:12 -0600 From: Paul Lupa X4184 Message-Id: <199604022056.OAA07043@brazos.sdd.tracor.com> To: firewalls@GreatCircle.COM Subject: Survey: What type of Authentication do you use. X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Fellow list subscribers: I am interested in knowing what type of authentication is being used on firewalls. 
I would appreciate if any of you who are at liberty to tell would send me the number of sites that you are aware of that use the following authentication systems: SecurID skey snk default Password Results will be posted back to the list. Thanks Paul Lupa ================================================================= Tracor Applied Sciences Internet: Paul_Lupa@tracor.com 6500 Tracor Ln MS 27-17 Voice: (512) 929-4184 Austin, Texas 78725 FAX: (512) 929-4163 From firewalls-owner Tue Apr 2 13:25:02 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA02566 for firewalls-outgoing; Tue, 2 Apr 1996 10:20:22 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA00777 for ; Tue, 2 Apr 1996 09:26:52 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id DAA20940; Tue, 2 Apr 1996 03:22:00 -0800 Received: from ns0.alcatel.no(155.4.1.1) by mycroft via smap (V1.3mjr) id sma020938; Tue Apr 2 03:21:28 1996 Received: from netop7258.alcatel.no by gatekeeper.alcatel.no (8.7.1/ANSN-HUB) id NAA13827; Tue, 2 Apr 1996 13:25:34 +0200 Message-ID: <31611D22.7C52@alcatel.no> Date: Tue, 02 Apr 1996 13:27:14 +0100 From: Kare Presttun Organization: Alcanet International X-Mailer: Mozilla 2.01 (Win95; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: Re: firewalls and CKE References: <199604011846.KAA07371@miles.greatcircle.com> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Bill, > > From: Bill Stout > Date: Mon, 1 Apr 96 09:23:19 PST > Subject: Re: firewalls and CKE > > I will follow tradition, which is, rather than lurk and be thought a > fool, post and remove all doubt (see redundant internet connections, > etc). > > I first sent this to fwtk-users. Ooops. 
> > Since someone from TIS replied to the previous message (below): > "You know nothing about this then. Be happy to educate you, but your > posting makes it clear that you didn't read our explanations or we > didn't write them well enough. NO keys are ever stored. " > I would like someone from TIS explain in plain language what CKE does, if > it doesn't store encryption key in escrow? Simply, you know, like > 'CKE for idiots', 'CKE for congress members', 'CKE for CEOs', or > 'CKE for harried sys admins'. Nothing strange with the language in their documents. > > BTW - I did read http://www.tis.com/crypto/cke.html Very lengthy. > Excerpt from http://www.tis.com/crypto/cke/info/drcds396.html#anchor172960 If you did read this stuff you should understand that it does not store keys in escrow (like clipper). When you generate a message, you encrypt the message key with the public key of the recipient (like normal), _and_ with the public key of the information recovery center, but you do not send the message to the center. If the authorities (or the user in the case he lost his master key for file decryption) need to have messages deciphered, they can take them to the center (with the recovery field included) and have them deciphered. No great magic here, just a bit of logic. I prefer this approach over the escrow stuff, if you (like it looks) have to choose between evils. > > "The Data Recovery Center (DRC) is the "safe hiding place" for the > DRC private keys used to unlock DRFs for emergency access to > encrypted messages or files. It maintains a database of registered > users, including their authentication codes. It is also where the user, > his/her corporation, or his/her government can go to obtain the session > key needed to unlock a file in the event the original session key > is lost." This explanation should do it. 
Best regards, Kåre ---------------------------------------------------------- Kåre Presttun Alcanet International SC Tel : +47 2263 7601 P.O. Box 60 Fax : +47 2263 8887 N-0508 Oslo Mobile: +47 9082 7068 NORWAY mailto:Kare.Presttun@alcatel.no http://www.alcatel.com From firewalls-owner Tue Apr 2 13:40:57 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA09113 for firewalls-outgoing; Tue, 2 Apr 1996 10:51:17 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA03203 for ; Tue, 2 Apr 1996 10:26:54 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id IAA22469; Tue, 2 Apr 1996 08:53:30 -0800 Received: from pobox.upenn.edu(130.91.72.31) by mycroft via smap (V1.3mjr) id sma022466; Tue Apr 2 08:52:30 1996 Received: from [130.91.74.27] (MAC02.DA.UPENN.EDU [130.91.74.27]) by pobox.upenn.edu (8.7.4/8.7.3) with SMTP id LAA31939; Tue, 2 Apr 1996 11:56:22 -0500 (EST) Date: Tue, 2 Apr 1996 11:56:22 -0500 (EST) Message-Id: <199604021656.LAA31939@pobox.upenn.edu> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@GreatCircle.COM, tuckerp@WT200055.CSS.GORDON.ARMY.MIL From: millar@pobox.upenn.edu (Dave Millar) Subject: Re: your mail [UNIX security training] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Some of the better Security books would be: > >Practical Unix Security (Vol 2 should be released soon, if its not already) >Building Internet Firewalls >UNIX System Administration Handbook (sections on security and logging). > I agree that the books are great, but if you're coming to the field cold, reading books is a tough way to start out. MIS Training Institute of Framingham, MA (I have no connection with them) teaches a great three-day class (with a follow-on two-day workshop) on the audit and security of unix-based operating systems. 
They also get into a pretty good treatment of tcp/ip. It assumes no prior knowledge of UNIX, but does expect familiarity with the basic concepts. When I took it 2-3 years ago, Ed Dorsey was teaching it, and did an excellent job. Dave --------------------------------------------------------- Dave Millar University Information Security Officer University of Pennsylvania For security matters: security@isc.upenn.edu (read by Data Admin. staff) Other matters: millar@isc.upenn.edu voice: (215) 898-2172 fax: (215) 898-0386 For PGP 2.6 Public key: http://www.upenn.edu/security-privacy/ PGP Fingerprint: 28 FB 09 DC C7 96 C2 53 1A B8 BE 3B 73 32 46 4C From firewalls-owner Tue Apr 2 13:44:46 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA09119 for firewalls-outgoing; Tue, 2 Apr 1996 10:52:45 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA05883 for ; Tue, 2 Apr 1996 10:33:22 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id VAA16817; Mon, 1 Apr 1996 21:24:58 -0800 Received: from p201.iwl.net(204.177.208.201) by mycroft via smap (V1.3mjr) id sma016806; Mon Apr 1 21:23:58 1996 Received: (from dennis@localhost) by SterCtl.com (8.6.12/8.6.12) id XAA00770 for firewalls@greatcircle.com; Mon, 1 Apr 1996 23:29:53 -0600 From: Dennis Moroney Message-Id: <199604020529.XAA00770@SterCtl.com> Subject: Re: Interesting packets fron the net To: firewalls@greatcircle.com Date: Mon, 1 Apr 1996 23:29:52 -0600 (CST) In-Reply-To: <9604011457.AA02911@anubis.network.com> from "Andrew Molitor" at Apr 1, 96 08:57:25 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk According to Andrew Molitor: > > Rob Sansom wrote: > > Below is to deny all packets from the outside that say they're from the > > inside. 
> [ I read this as a few hundred packets over a few weeks ] > > This might have just been one of your routers gone mad, or > something. If you have multiple connection points to the internet, > perhaps you occasionally route intra-network packets through the > outside by accident. Try to avoid this ;) > > It's also the signature of an IP spoofing attack. If you had > the actual packets logged, you could tell more certainly. I don't think > ciscos can log denied packets, but I may well be wrong. > > > deny tcp any any eq 1521 (8 matches) Oracle > > deny tcp any any eq 1525 (8 matches) Oracle > > deny tcp any any eq 2049 (6 matches) Why TCP to NFS?? Yes, you are wrong. Add the verb 'log' to the end of an access-list rule and you will get the source IP address, destination IP address as well as the source and destination ports. Caveat, it is really easy to break the access-list rules and make you think the router is getting 'spoofed'. I know because I stupidly did not double check my work while I was in a hurry one afternoon. Hope this helps... 
-- Dennis Moroney From firewalls-owner Tue Apr 2 14:09:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA09168 for firewalls-outgoing; Tue, 2 Apr 1996 10:54:24 -0800 (PST) Received: from snd-fw.med.navy.mil ([159.71.152.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA06330 for ; Tue, 2 Apr 1996 10:34:23 -0800 (PST) Received: by snd-fw.med.navy.mil; id KAA00120; Tue, 2 Apr 1996 10:35:05 -0800 Received: from unknown(192.108.14.10) by snd-fw.med.navy.mil via smap (V3.1) id xma000110; Tue, 2 Apr 96 10:34:55 -0800 Received: from [159.71.39.242] by snd10.med.navy.mil (5.59/25-eef) id AA02556; Tue, 2 Apr 96 10:25:41 PST Message-Id: <2.2.32.19960402201407.0067d7bc@snd10.med.navy.mil> X-Sender: snd1trz@snd10.med.navy.mil X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 02 Apr 1996 12:14:07 -0800 To: Firewalls@GreatCircle.com From: "Todd R. Zimmerman" Subject: Securid BAD Tech Support Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anybody use Securid in conjunction with a TIS Gauntlet Firewall??? I have been trying desperately to speak with technical support personnel at Security Dynamics in Cambridge, MA. Over the last week I have spent a total of 165 minutes on hold waiting to speak with the help desk. Leaving messages does not work because I must sit at my desk until they call back. If I leave for some reason and miss the return call I then must call Security Dynamics and start the process all over again. It really pisses me off... This is totally unsatisfactory tech support. Now I'll get off my soapbox and get on with the problem: When an outside user accesses our net he/she must be authenticated by the Firewall. I would like the user to be able to use Securid to be authenticated on the firewall. I was told by Securid Sales (now I'm an owner) that the client for Securid comes with the TIS Gauntlet Firewall. 
I have no documentation on how to get the two machines to talk to each other. Any help please... _/_/_/_/ _/_/_/_/ _/_/_/_/ Todd R. Zimmerman _/ _/ _/ _/ Network Manager / Computer Specialist _/ _/_/_/_/ _/ Naval Medical Center, San Diego _/ _/ _/ _/ (619)532-9314 Pager 979-2195 _/ _/ _/ _/_/_/_/ snd1trz@snd10.med.navy.mil ** Disclaimer: The views expressed here do not reflect the official policy ** ** or position of the Department of Defense or the U.S. Government. ** From firewalls-owner Tue Apr 2 14:43:11 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA04073 for firewalls-outgoing; Tue, 2 Apr 1996 10:28:59 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA03761 for ; Tue, 2 Apr 1996 10:28:14 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id GAA21979; Tue, 2 Apr 1996 06:33:22 -0800 Received: from di2.disclosure.com(206.181.208.4) by mycroft via smap (V1.3mjr) id sma021976; Tue Apr 2 06:32:45 1996 Received: (from scott@localhost) by disclosure.com (8.7.3/8.7.3) id JAA04642; Tue, 2 Apr 1996 09:40:53 -0500 (EST) Date: Tue, 2 Apr 1996 09:40:53 -0500 (EST) From: Scott Barman To: firewalls@greatcircle.com Subject: Re: ? (Network Address Translation) NAT questions In-Reply-To: <9604012241.AA20852@rivendell.wsi.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 1 Apr 1996, David Flinn wrote: > Hi, > > My customer requires the following for their firewall: > > 1) two token ring interfaces (yikes !) > 2) map many RFC 1597 internal addresses to one valid external Class C address > 3) map many external Class C addresses to many internal RFC 1597 addresses. > > I have found that fulfilling these requirements is non-trivial. > > - PIX from cisco fails test 1. > - Raptor passes test 1 and 2 but fails 3. 
(probably others as well) > - Checkpoint passes 2 and 3 but fails 1. (at least on Sparc, unsure about HP) > > Does anyone know any other firewall vendors that can do this? Test 1 is a failing of almost every firewall vendor out there. It is even a failing of most Unix vendors who for years lived in their own ethernet world. With the market expanding and a lot of these traditional Novell-on-TR shops looking for better servers, internet connectivity, and firewalls, not too many firewalls or Unix vendors can really do token ring. This is not to say I am a token ring fan, but I think there would be a lot of surprises if these vendors looked into the numbers and saw how many shops are running token ring. For example, when I started here a year ago, they were all token ring. I had to "isolate" the "dreaded foreign topology" when I proposed a firewall that was ethernet only. I had to bridge the ethernet to token ring using a SPARC Classic--and Sun's TR implementation is not known for its robustness! OK firewall vendors. If you can do the three points above I would be willing to bet you would be able to get into shops you may have never dreamed of getting into! Time to stop being ethernet centric and add token ring before you lose out to NT drek! scott barman -- scott barman DISCLAIMER: I speak to anyone who will listen, scott@disclosure.com and I speak only for myself. barman@ix.netcom.com Java: Sun's answer to the Unix Virus! 
From firewalls-owner Tue Apr 2 14:45:02 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA18047 for firewalls-outgoing; Tue, 2 Apr 1996 13:31:20 -0800 (PST) Received: from relay-2.mail.demon.net (disperse.demon.co.uk [158.152.1.77]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA18039 for ; Tue, 2 Apr 1996 13:31:02 -0800 (PST) Received: from post.demon.co.uk ([158.152.1.72]) by relay-2.mail.demon.net id ad12264; 2 Apr 96 20:57 +0100 Received: from swrcc.demon.co.uk ([158.152.34.161]) by relay-3.mail.demon.net id aa07971; 2 Apr 96 20:56 +0100 Received: (from MAPI Compliant System) by swrcc.demon.co.uk id b50b8afd Mon, 1 Apr 96 11:16:11 Date: Mon, 1 Apr 96 11:16:11 GMT From: Nick Boyce Reply-To: nick@swrcc.demon.co.uk Message-Id: To: firewalls@greatcircle.com Subject: RE: Dos based Firewalls X-Mailer: DICS Mapi Gateway 4.5 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk nick@swrcc.demon.co.uk Hi There Firepersons, Sorry, but this *may* be a repeat of a message I tried to send to the list on 19th.March.96; it was my first posting and I sent it to "firewalls-owner@", but never saw it appear; I'm trying again, this time to "firewalls@"; if this is the message's 1st appearance then sorry for the delay - if this is its 2nd appearance then sorry for wasting the bandwidth. On 19.March.96 K Sudershan asked :- > Is there any public domain Dos based firewall available ? The only software coming close to this requirement that I know of is "IPRoute" by David F. Mischler. This is a packet-filtering address translating (if you want it) IP router *shareware* package needing a 286-or-better PC fitted with some combination of a serial dialup IP link (SLIP or PPP) and one or more ethernet cards; it uses Crynwr (version 11 preferred) packet drivers to access the ethernet cards. 
The packet-filtering facilities allow you to configure the usual "secured" access based on source and destination IP addresses *and* port numbers, with drop or deny rejection and logging of permitted and rejected packets. We downloaded version 0.86 (early days yet ?) from our ISP's ftp site - ftp.demon.co.uk - and have tried it out, but after reading the document "Network (In)Security Thru Packet Filtering" by Brent Chapman as recommended in IPRoute's docs, I realised this approach to IP security has its limitations (which I'm hoping this list will clarify for me ...) and we haven't yet rolled the package out for live use. My boss wants to buy a hideously expensive "hardened-Unix" based commercial firewall instead (to keep the auditors happy). Personally, coming from the dinosaur world of proprietary mainframe operating systems as I do, I can't imagine a "hardened Unix" - the damn thing seems to leak like a sieve (puts on asbestos suit and takes cover ...) ... Back to the point: IPRoute seems to work very well, though I'm hoping its author might soup up the management interface ("console" facility) a bit (up-arrow to retrieve the last command, etc.) and make the layout of the logging file a bit easier to read. If you go to find it, look for "iprv086.zip"; at the Demon site it was in /pub/ibmpc/msdos/apps/iprv, and I've also seen it on the Simtel mirror at sunsite.doc.ic.ac.uk. Does anyone know of any other such packages ? 
Right, I'm going back to struggle with "vi(le)" again now, Take care out there, Nick From firewalls-owner Tue Apr 2 14:46:59 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA09377 for firewalls-outgoing; Tue, 2 Apr 1996 10:58:08 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA07387 for ; Tue, 2 Apr 1996 10:36:54 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id UAA16471; Mon, 1 Apr 1996 20:55:51 -0800 Received: from mail.clark.net(168.143.0.10) by mycroft via smap (V1.3mjr) id sma016460; Mon Apr 1 20:54:51 1996 Received: from clark.net (proberts@clark.net [168.143.0.7]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id XAA08265; Mon, 1 Apr 1996 23:58:28 -0500 (EST) Received: from localhost (proberts@localhost) by clark.net (8.7.1/8.7.1) with SMTP id XAA15599; Mon, 1 Apr 1996 23:58:25 -0500 (EST) X-Authentication-Warning: clark.net: proberts owned process doing -bs Date: Mon, 1 Apr 1996 23:58:24 -0500 (EST) From: "Paul D. Robertson" To: Colin Campbell cc: firewalls@GreatCircle.COM Subject: Re: Clarification on Encryption Export Using CKE In-Reply-To: <199604012355.JAA09393@guru.citec.qld.gov.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 2 Apr 1996, Colin Campbell wrote: > What would happen to the "system" if everyone changed their keys very often? > For example, I synchronize both ends to run something like the Securid key > generation and have both ends change their keys every time a new session > starts up. Doesn't that make CKE unworkable. As someone pointed out, the > encryption is only being used to keep the session private, not the data when > it reaches the endpoints. 
> My guess is that any escrow laws would make it necessary for the government to have the keys prior to use, pretty much making session keys useless.

While there is some merit to having key escrow in a commercial environment, even there, mandated escrow is untenable. A good number of companies don't back up e-mail because it's a legal nightmare, if you have it around, not because you're evading the law, but because if you do keep it, and the law comes knocking, you'll spend lots of precious resources going through it with them. I also think there may be issues with regards to what a current or former employee has done. Having been fairly close to one of the most visible e-mail cases to ever come forth, I can tell you that it's *expensive* to go through archives, not to mention very intrusive.

Let's face it, with the advent of VPNs (or whatever you want to call them), there's going to be a lot of encrypted data going around that's encrypted to protect it in transit. I don't fancy the thought of a government process determining my keychange interval, but I doubt they'll allow me to generate a few million keys, and say "It'll be one of these". For now I'd rather go buy my crypto overseas.

> Or am I on the wrong boat? In which case tell me to shut up (nicely).
>
> Colin
>

Right boat in my book.
>
Paul.

-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From firewalls-owner Tue Apr 2 14:49:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA04454 for firewalls-outgoing; Tue, 2 Apr 1996 10:30:00 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA04072 for ; Tue, 2 Apr 1996 10:28:58 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id GAA22040; Tue, 2 Apr 1996 06:49:22 -0800
Received: from relay5.uu.net(192.48.96.15) by mycroft via smap (V1.3mjr) id sma022032; Tue Apr 2 06:48:30 1996
Received: from uucp4.UU.NET by relay5.UU.NET with SMTP id QQajsd10688; Tue, 2 Apr 1996 09:52:12 -0500 (EST)
Received: from panynj.UUCP by uucp4.UU.NET with UUCP/RMAIL ; Tue, 2 Apr 1996 09:52:34 -0500
Received: by panynj.gov (DECUS UUCP /2.0/2.0/2.0/); Tue, 2 Apr 96 09:25:03 EST
Date: Tue, 2 Apr 96 09:25:03 EST
Message-Id: <009A03FEBD3B5600.20600CB1@panynj.gov>
From: davey_s@panynj.gov
Subject: ANY SHORT CUTS???
To: firewalls-digest@greatcircle.com
X-VMS-Mail-To: PACOMM::UUCP%"firewalls-digest@greatcircle.com"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello Firewall Digest Owner and fellow Subscribers:

Does anyone know of a way to make this Firewall Digest (or any public mailing list) forward me only the e-mail that has certain information pertaining to only topics of my interest. The firewall digest is a joy to read and has a lot of great information; however, I would like to save time and only read the digests that include information about a particular product (i.e., IRX Routers, Crypto-based products), a certain type of firewall (i.e., Firewall-1, RAPTOR), information from / about a certain group (i.e., Computer Emergency Response Team (CERT), HACKERS), or about a certain topic (i.e., IP Spoofing attacks, logic bombs, trojan horses, firewall administration). If anyone has / uses such a filter please let me know.
If there is no such thing in existence, it would be a great product / utility for someone to develop either on the digest owner's side (while subscribing to a digest, the subscriber has the option to create a "hot" list of words / topics that must (optional) be included in the header and/or body of the document) or on the subscriber's side (the Internet e-mail package used or a third party package, has a feature to only accept e-mail from a subscription that includes words / topics from the subscriber's editable "hot" list).

PRE-RETURN RESPONSE 1: The find / search function only provides the ability to search a document for (1) topic at a time. If I have 10 to 20 topics of interest, I would have to repeat the find / search 10 to 20 times. This does NOT save time.

PRE-RETURN RESPONSE 2: Yes, if there is/are NO existing product(s) that provide this feature and one who reads this message develops one, royalties for this concept/idea would be greatly appreciated; even though the 'time' such a utility would / will save me and the rest of the Internet e-mail world is immeasurable.

If you would like to reach me directly, please send e-mail to [ davey_s@panynj.gov ] or [ davey@alpha.fdu.edu ].

Thank you for your time and cooperation in this matter.

Sincerely,

Steven A.N.Q.L. Davey

==============================================================================
S A V E   T I M E ...   S A V E   M O N E Y ...   S A V E   M E !!!
==============================================================================
***********************************************************************
The views expressed in this message are those of the author and do not necessarily reflect official positions of the Port Authority of New York & New Jersey or its subsidiaries
***********************************************************************

From firewalls-owner Tue Apr 2 14:51:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA09198 for firewalls-outgoing; Tue, 2 Apr 1996 10:54:40 -0800 (PST)
Received: from disclosure.com (di2.disclosure.com [206.181.208.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA09190 for ; Tue, 2 Apr 1996 10:54:31 -0800 (PST)
Received: (from scott@localhost) by disclosure.com (8.7.3/8.7.3) id NAA05550; Tue, 2 Apr 1996 13:56:35 -0500 (EST)
Date: Tue, 2 Apr 1996 13:56:35 -0500 (EST)
From: Scott Barman
To: firewalls@greatcircle.com
Subject: DNS Spoofing and Java
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I was looking at Sun's statement regarding the bug they fixed and my copy of the JDK (I still only have 1.0) and started thinking (I know... that can be dangerous :-) about the attack using bogus DNS entries. Sun states:

    The problem is with a bug in the implementation of the security model, not with the model itself.
    (http://java.sun.com/sfaq/960327.html)

Besides sounding like Micro$haft and their response to Samba (it's the client's fault, not ours) I was wondering, could this problem be avoided if, to verify the address, the Verifier checked and enforced reverse name mappings??

[NOTE: The following is a review for those who haven't been following. This is a very terse description. If you want more information see the URL I give below.]
If we take the example of the folks at Princeton who discovered the problem (http://www.cs.princeton.edu/~ddean/java/dns-scenario.html):

The victim:
    stooge.victim.org (IP 10.10.10.1)
    target.victim.org (IP 10.10.10.2)

The attacker:
    www.attacker.org (IP 172.16.16.16)

Attacker creates a DNS entry for bogus.attacker.org and when queried will return the pair of addresses (10.10.10.2, 172.16.16.16). The unsuspecting client surfs over to www.attacker.org, downloads an applet, and runs it. This applet asks to be connected to the system bogus.attacker.org. The Verifier does a DNS query and gets the above pair of addresses. Because the original connection came from 172.16.16.16, the Verifier will accept the request but connect to the first address in the pair (10.10.10.2). The Princeton people attacked an old sendmail bug, but you can do anything you want, including attacking using the "r" commands!

[END OF REVIEW]

This brings up two questions (which I hope Sun already addressed):

1) Why not connect back to 172.16.16.16? If this is where the applet came from, then why choose the first in the list? This is where I have problems with Sun's statement. This is not the fault of the security model, but of their code for "changing" the return address!

2) Why not do a reverse name lookup to verify this address? The way I have internal DNSs set up, if you look up 2.10.10.10.in-addr.arpa, the internal DNS will return an internal name. That internal name will not be the same as the attacker's name (see above), so the connection should be rejected. In fact, what would happen if you looked up 16.16.16.172.in-addr.arpa? Would you get www.attacker.org or bogus.attacker.org? My guess would be you would probably get www.attacker.org and no CNAME for bogus.attacker.org, at which time all sorts of red flags, bells and whistles should go off alerting the world to this problem, no?

Then the question becomes: How many people set up their internal DNS with reverse name mapping??
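An added example, not from Scott's post or from Sun's JDK, that works his two questions through on the Princeton scenario: a constructed in-memory resolver stands in for DNS, the naive verifier reproduces the flaw as the post describes it (accept the name because one of its addresses matches the applet's origin, then connect to the first address), and the strict verifier connects only to the origin address and requires every address behind the requested name to reverse-map back to it. The extra name noptr.attacker.org and address 172.16.16.17 are constructed to show the missing-PTR case.

```python
"""Applet connect-back checks on the Princeton DNS scenario.

Added example, not code from the post or from the JDK. The zone data is
constructed to reproduce the scenario in the post; no real DNS is queried.
"""
from typing import Dict, List, Optional, Tuple

# Constructed forward zone: what the attacker-controlled name server answers.
FORWARD: Dict[str, List[str]] = {
    "www.attacker.org": ["172.16.16.16"],
    # The bogus name returns the victim's internal host first, the attacker second.
    "bogus.attacker.org": ["10.10.10.2", "172.16.16.16"],
    # Constructed extra name whose address has no reverse mapping at all.
    "noptr.attacker.org": ["172.16.16.17"],
    "target.victim.org": ["10.10.10.2"],
    "stooge.victim.org": ["10.10.10.1"],
}

# Constructed reverse zone: what the victim's internal DNS answers for in-addr.arpa.
REVERSE: Dict[str, str] = {
    "172.16.16.16": "www.attacker.org",
    "10.10.10.2": "target.victim.org",
    "10.10.10.1": "stooge.victim.org",
}


def resolve(name: str) -> List[str]:
    """Forward lookup against the constructed zone (empty list if unknown)."""
    return list(FORWARD.get(name, []))


def reverse_lookup(addr: str) -> Optional[str]:
    """PTR lookup against the constructed zone; None when no PTR record exists."""
    return REVERSE.get(addr)


def naive_verifier(origin_ip: str, requested_host: str) -> Optional[str]:
    """The flawed logic described in the post: accept the name if *any* of its
    addresses matches the applet's origin, then connect to the *first* address."""
    addrs = resolve(requested_host)
    if origin_ip in addrs:
        return addrs[0]  # ends up at 10.10.10.2, the internal target
    return None


def reverse_mapping_report(host: str) -> List[Tuple[str, Optional[str], bool]]:
    """Question 2 from the post: for every address a name resolves to, does the
    address reverse-map to that same name? A missing PTR counts as a failure."""
    report = []
    for addr in resolve(host):
        rname = reverse_lookup(addr)
        report.append((addr, rname, rname == host))
    return report


def strict_verifier(origin_ip: str, requested_host: str) -> Optional[str]:
    """Question 1 plus question 2: connect only to the applet's origin address,
    and only if every address behind the requested name reverse-maps back to it."""
    addrs = resolve(requested_host)
    if origin_ip not in addrs:
        return None
    if not all(ok for _addr, _rname, ok in reverse_mapping_report(requested_host)):
        return None  # mismatch or missing PTR: reject and raise the red flag
    return origin_ip  # never "the first in the list", always the origin


if __name__ == "__main__":
    origin = "172.16.16.16"
    print("naive :", naive_verifier(origin, "bogus.attacker.org"))   # 10.10.10.2
    print("strict:", strict_verifier(origin, "bogus.attacker.org"))  # None
    print("strict:", strict_verifier(origin, "www.attacker.org"))    # 172.16.16.16
    for entry in reverse_mapping_report("bogus.attacker.org"):
        print("reverse check:", entry)
```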
Yes, I know this is a little bit outside of firewalls, but it has to do with setting up and securing systems inside of those firewalls.

BTW: If there's a Java security list and someone is on it, you have my permission to forward this note to that list providing you keep my name (and .sig) attached.

scott barman
--
scott barman                    DISCLAIMER: I speak to anyone who will listen,
scott@disclosure.com            and I speak only for myself.
barman@ix.netcom.com            Java: Sun's answer to the Unix Virus!

From firewalls-owner Tue Apr 2 14:53:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA08476 for firewalls-outgoing; Tue, 2 Apr 1996 10:40:06 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA03197 for ; Tue, 2 Apr 1996 10:26:53 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id HAA22272; Tue, 2 Apr 1996 07:50:26 -0800
Received: from cgohpx02.nppdnet.com(192.132.206.6) by mycroft via smap (V1.3mjr) id sma022266; Tue Apr 2 07:49:38 1996
Received: (from daemon@localhost) by cgohpx02.nppdnet.com (8.6.12/8.6.12) id JAA13952 for ; Tue, 2 Apr 1996 09:53:13 -0600
Received: from cgohpx01.nppdnet(161.201.12.6) by cgohpx02.nppdnet.com via smap (V1.3) id sma013937; Tue Apr 2 09:52:46 1996
Received: (from daemon@localhost) by cgohpx01.nppdnet.com (8.6.12/8.6.12) id JAA20738 for ; Tue, 2 Apr 1996 09:53:35 -0600
Received: from unknown(161.201.3.101) by cgohpx01.nppdnet.com via smap (V1.3) id sma020736; Tue Apr 2 09:53:27 1996
Message-ID: <31614EAE.4B8D@nppd.com>
Date: Tue, 02 Apr 1996 09:58:38 -0600
From: "Derek D.
Feagin"
X-Mailer: Mozilla 2.0 (Win95; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: POP3 Server
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is a little off topic but I know I will be able to get some answers here. I was wondering if anybody can point me in the right direction in finding a pop3 server for HPUX. Is there a de facto standard for pop3 servers?

Thanks in advance,

Derek

--
Derek D. Feagin                 | "Man does not live he just survives,
Network Support Specialist      |  we sleep 'til He arrives."
Telephone: 402-563-5874         |
Fax: 402-563-5551               |   - Larry Norman - So Long Ago The Garden
Email: gatekeeper@nppd.com
----------------------------------------------------
Nebraska Public Power District
----------------------------------------------------

From firewalls-owner Tue Apr 2 14:58:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA09014 for firewalls-outgoing; Tue, 2 Apr 1996 10:48:54 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA06609 for ; Tue, 2 Apr 1996 10:35:08 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id UAA16150; Mon, 1 Apr 1996 20:26:45 -0800
Received: from nsco.network.com(129.191.1.1) by mycroft via smap (V1.3mjr) id sma016132; Mon Apr 1 20:24:30 1996
Received: from anubis.network.com by nsco.network.com (4.1/1.34) id AA13451; Mon, 1 Apr 96 22:19:44 CST
Received: from blefscu.network.com by anubis.network.com (4.1/SMI-4.1) id AA16490; Mon, 1 Apr 96 22:17:56 CST
Date: Mon, 1 Apr 96 22:17:56 CST
From: amolitor@anubis.network.com (Andrew Molitor)
Message-Id: <9604020417.AA16490@anubis.network.com>
To: firewalls@greatcircle.com
Subject: Re: About the firewalls using RIP or static routes
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Well to answer the
> question; dynamic routes are a security problem since
> routing updates can be easily forged. Unless your firewall is a layer 2
> device, it will have routes. And these should be static.
>
> -Paul Kvanvig

Layer 2 devices (by which I assume you mean 'a bridge') also have routes, they just happen to be dynamically learned host routes, which are even more trivial to forge (get a packet with the right source MAC address to the right port, and you win). Look for the ability to nail down the bridge forwarding table, in your favorite bridging firewall, or guard your network segment closely.

A two port job could conceivably just copy all packets out the interface it didn't arrive on, and do no 'forwarding'. That'd probably be ok too. Packets don't go anywhere if the device doesn't know where to send them! It doesn't matter what layer you're at.

Andrew

From firewalls-owner Tue Apr 2 15:01:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA19115 for firewalls-outgoing; Tue, 2 Apr 1996 13:57:53 -0800 (PST)
Received: from gatekeeper.qualix.com (gatekeeper.qualix.com [192.91.182.105]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA19109 for ; Tue, 2 Apr 1996 13:57:48 -0800 (PST)
Received: from qualix.qualix by gatekeeper.qualix.com (8.6.9/Q940531.1) id NAA15276; Tue, 2 Apr 1996 13:52:32 -0800
Received: from qualix20.qualix by qualix.qualix (4.1/SMI-4.1-Q931113.1) id AA17269; Tue, 2 Apr 96 13:52:31 PST
Received: from spirit.qualix by qualix20.qualix (SMI-8.6/SMI-SVR4) id NAA29095; Tue, 2 Apr 1996 13:43:28 -0800
Received: by spirit.qualix (5.x/SMI-SVR4) id AA24899; Tue, 2 Apr 1996 13:42:16 -0800
From: security@qualix.com (Nik D.
Knoth)
Message-Id: <9604022142.AA24899@spirit.qualix>
Subject: Re: fw-1 question -- 2 token rings
To: firewalls@GreatCircle.COM
Date: Tue, 2 Apr 1996 13:42:15 -0800 (PST)
Cc: hle@qualix.com (Hung Le)
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Someone posted the following yesterday (Sorry, I've lost the attrib):

> :> > > My customer requires the following for their firewall:
> :> > >
> :> > > 1) two token ring interfaces (yikes !)
> :> > > 2) map many RFC 1597 internal addresses to one valid external Class C address
> :> > > 3) map many external Class C addresses to many internal RFC 1597 addresses.
> :> > >
> :> > > I have found that fulfilling these requirements is non-trivial.
> :> > >
> :> > > - PIX from cisco fails test 1.
> :> > > - Raptor passes test 1 and 2 but fails 3. (probably others as well)
> :> > > - Checkpoint passes 2 and 3 but fails 1. (at least on Sparc, unsure about HP)

I've checked this with our FireWall-1 Gurus and have been told that this information is incorrect. In fact, FW-1 has no trouble supporting 2 TR if.s both on HP and Sparc. If there are other questions on this, please pass them along.

-nik

--
Nik D. Knoth                    Email: nik@qualix.com
Qualix Support Team             Office: 415.638.4106
The Qualix Group, Inc.
Fax: 415.572.1300

From firewalls-owner Tue Apr 2 15:04:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA20570 for firewalls-outgoing; Tue, 2 Apr 1996 14:29:08 -0800 (PST)
Received: from hitachi.com (msd.hitachi.com [137.168.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA20564 for ; Tue, 2 Apr 1996 14:29:01 -0800 (PST)
Received: from osc.hitachi.com by hitachi.com (4.1/SMI-4.1) id AA24167; Tue, 2 Apr 96 14:29:24 PST
Received: from enterprise ([205.158.60.129]) by osc.hitachi.com (4.1/SMI-4.1) id AA02434; Tue, 2 Apr 96 13:41:58 PST
Date: Tue, 2 Apr 96 13:41:58 PST
Message-Id: <9604022141.AA02434@osc.hitachi.com>
X-Sender: bstout@osc.hitachi.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: Bill Stout
Subject: Re: Firewall and DNS Server
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I had many experiences with NIS+ and Solaris 2.3. The most amusing story that comes to mind is my set of systems losing track of and swapping telnet sessions. Admittedly this was fixed with a Sun security patch, but the experience of working with 'root' access and suddenly getting thrown into a consultant's session, not knowing where MY root session went, left an indelible print in my memory.

NIS/NIS+ for Firewalls? Sun barely uses NIS+ internally. This may be because most sys admins in Sun are consultants though. (True as of 6/95, haven't checked since)

Even if NIS+ becomes secure, I don't think it should be used on a firewall because the firewall needs to be (see name) separated from the rest of the infrastructure.

... or should it?...

### Warning, unhashed thought forming! ###

Sudden reputation-killing thought entered my mind... Why not make node-based firewall software for servers?
Replace server IP stacks with a security stack that permits and denies incoming IP/port specific access, and use master-slave security nodes that control the stacks... And/or front-end the servers with a firewalling/switch. We firewallers are only addressing the "20% of security breaches are from the outside" issue anyway, so firewall the servers! This combined with virtual switched networks reduces the chances of packet sniffing (ever try to sniff an ethernet switch?) and need for (40% performance hit) encryption.

Sounds NIS+-like... Hmmm....

William B. Stout
Senior Systems Administrator
Hitachi Data Systems
Open Systems Center
Santa Clara, California
408-970-4822

From firewalls-owner Tue Apr 2 15:07:26 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA08534 for firewalls-outgoing; Tue, 2 Apr 1996 10:41:31 -0800 (PST)
Received: from border.com (janus.border.com [199.71.190.98]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA08526 for ; Tue, 2 Apr 1996 10:41:26 -0800 (PST)
Received: by janus.border.com id <18435-1>; Tue, 2 Apr 1996 13:40:10 -0500
Message-Id: <96Apr2.134010est.18435-1@janus.border.com>
To: Brian Murrell
Cc: pferguso@cisco.com, armando@sar.net, firewalls@greatcircle.com
Subject: Re: Re[2]: About the firewalls using RIP or static routes
References: <199604012338.PAA22549@mocha.bctel.net>
In-Reply-To: Brian_Murrell's message of "Mon, 01 Apr 1996 18:38:42 -0500". <199604012338.PAA22549@mocha.bctel.net>
From: "Harald Koch"
Date: Tue, 2 Apr 1996 09:44:47 -0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In message <199604012338.PAA22549@mocha.bctel.net>, Brian Murrell writes:
>
> For instance: what if your network is very large and your firewall is used
> to choke many other networks all gated by routers out to the Internet.
> Managing the static routes everywhere gets tedious and leaves room for
> error.
> Why not have the routers that border the networks statically
> populated but updating the firewall (who of course only listens to route
> updates on its "internal" interfaces) dynamically.

There's a technique that the larger NSPs use, called "dynamic routing with static policy". That is, all of your routing exchange sessions are filtered with a statically configured list of acceptable announcements; updates for those networks are accepted, while others are (silently) ignored. In this way, your routers know which networks are available (so that they can drop packets if the net is down), but they won't accept bogus routing announcements.

In this scenario, I would probably accept dynamic updates, although even then I'd want to ensure that traffic to an internal, unreachable network was dropped, instead of following default to the outside. Perhaps static routing, with dynamic discovery, with policy-filters, would satisfy my paranoia, but I'd have to think about it a bit more.

> I suppose we get into the never-ending definition of a firewall though. In
> the above scenario where you have control of the internal network border
> routers and trust them (because you control them) they actually become a
> part of your firewall.

I personally believe strongly in the "defense in depth" methodology. So even if all of your internal routers are controlled by you, and have proper routing filters in place, you should *still* have separate filters on the gateway "firewall" (sic). If nothing else, it protects you against your own configuration mistakes.

--
C. Harald Koch             | Border Network Technologies Inc.
chk@border.com             | Senior System Developer
+1 416 368 7157 (voice)    | 20 Toronto Street, Suite 400, Toronto ON M5C 2B8
It's not whether you're paranoid.
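An added example, not from Harald's message or from any router vendor's software, of the "dynamic routing with static policy" idea described above: a small routing table that believes announcements only when heard on an internal interface and only for prefixes on a static list, silently logs everything else, and blackholes traffic for an internal prefix with no live route rather than following the default route to the outside. All prefixes, interface names and next hops are constructed sample values.

```python
"""Dynamic routing with static policy (added example, not the poster's code).

Updates are accepted only from internal interfaces and only for prefixes on a
statically configured list; everything else is silently ignored (and logged).
Destinations inside the policy list that have no live route are dropped instead
of following default to the outside. All prefixes and next hops are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple


class PolicyRouter:
    def __init__(self, internal_prefixes: List[str], default_next_hop: str) -> None:
        # Static policy: the only networks whose announcements we will believe.
        self.policy = [ipaddress.ip_network(p) for p in internal_prefixes]
        # Dynamically learned routes: prefix -> next hop.
        self.routes: Dict[ipaddress.IPv4Network, str] = {}
        self.default_next_hop = default_next_hop
        # Rejected announcements are recorded here rather than acted upon.
        self.ignored: List[Tuple[str, str, str]] = []

    def _permitted(self, net: ipaddress.IPv4Network) -> bool:
        """An announcement is acceptable if it is one of the policy prefixes
        or a more-specific route inside one of them."""
        return any(net == p or net.subnet_of(p) for p in self.policy)

    def announce(self, iface: str, prefix: str, next_hop: str) -> bool:
        """Process one routing update. Returns True if the route was installed."""
        try:
            net = ipaddress.ip_network(prefix, strict=True)
        except ValueError:
            self.ignored.append((iface, prefix, next_hop))  # malformed: ignore
            return False
        if not iface.startswith("internal") or not self._permitted(net):
            self.ignored.append((iface, prefix, next_hop))  # silently ignored
            return False
        self.routes[net] = next_hop
        return True

    def withdraw(self, prefix: str) -> bool:
        """Drop a learned route when the announcing router withdraws it (net down)."""
        return self.routes.pop(ipaddress.ip_network(prefix), None) is not None

    def next_hop(self, dst: str) -> Optional[str]:
        """Longest-prefix match over learned routes. Returns None (drop) for an
        internal destination with no live route, the default next hop otherwise."""
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if addr in n]
        if matches:
            return self.routes[max(matches, key=lambda n: n.prefixlen)]
        if any(addr in p for p in self.policy):
            return None  # internal but unreachable: blackhole, never leak outward
        return self.default_next_hop


if __name__ == "__main__":
    r = PolicyRouter(["10.0.0.0/8", "192.168.0.0/16"], "203.0.113.1")
    r.announce("internal0", "10.1.0.0/16", "10.0.0.1")        # accepted
    r.announce("internal0", "198.51.100.0/24", "10.0.0.1")    # not on policy list
    r.announce("external0", "10.2.0.0/16", "203.0.113.9")     # wrong interface
    print("10.1.5.5      ->", r.next_hop("10.1.5.5"))          # 10.0.0.1
    print("10.2.0.7      ->", r.next_hop("10.2.0.7"))          # None (dropped)
    print("198.51.100.7  ->", r.next_hop("198.51.100.7"))      # 203.0.113.1
    print("ignored:", r.ignored)
```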
it's whether you're paranoid *enough*

From firewalls-owner Tue Apr 2 15:09:13 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA00173 for firewalls-outgoing; Tue, 2 Apr 1996 09:18:54 -0800 (PST)
Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA22928 for ; Mon, 1 Apr 1996 19:46:11 -0800 (PST)
Date: Mon, 1 Apr 1996 22:44:09 -0500 (EST)
From: "A. Padgett Peterson P.E. Information Security"
To: adam@lighthouse.homeport.org
CC: firewalls@greatcircle.com
Message-Id: <960401224409.20222e79@hobbes.orl.mmc.com>
Subject: RE: Bill on CKE
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> You're forgetting the other half of the liability issue, and
> that is the requirement that keys be stored. Using DH, users can
> exchange a key, and then throw away all the information used to
> generate a session key. If this is done, after a conversation ends,
> it can't be read. Forcing a key escrow scheme on top of this raises
> the possibility that a breach in your GAK scheme will make all of your
> historical traffic readable.

Am well aware of that but have business continuity & "due care" needs that mandate that the corporation be able to read all encrypted messages which originate within its boundaries unless contractual agreements preclude or special permission is obtained (whew).

> We can easily get to strong file and message encryption with
> local key recovery using a couple of small modifications to PGP.*

I have the production release of Viacrypt PGP version 4.0 running on this notebook. It includes capability for a "corporate key". I just need two.

Warmly,

Padgett

ps Belgium ?

pps will someone tell the sique chienet that Sara is happily married (just saw both of them yesterday).
From firewalls-owner Tue Apr 2 15:13:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA00262 for firewalls-outgoing; Tue, 2 Apr 1996 09:20:35 -0800 (PST)
Received: from hti.net (wally.hti.net [198.70.56.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA21664 for ; Mon, 1 Apr 1996 19:34:40 -0800 (PST)
Received: from [198.70.56.53] (dialnet13.hti.net [198.70.56.53]) by hti.net (8.6.12/8.6.9) with SMTP id VAA19320; Mon, 1 Apr 1996 21:32:31 -0600
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 1 Apr 1996 21:30:16 -0600
To: firewalls@GreatCircle.COM
From: sengle@hti.net (Steven W. Engle)
Subject: Netscape Navigator and Firewalls
Cc: sengle@hti.net
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[Venting On]

After spending a week battling with Netscape Navigator 2.01 to get it to function half-way decently with an Internet firewall, I've come to the conclusion that Navigator is overtly firewall hostile / brain-damaged.

o Does PASV ftp without an option to turn PASV off

o Enabling its SOCKS support results in it SOCKifying _everything_, even access to servers that don't need, or want, SOCKS connections (such as internal SMTP and HTTP servers).

o Its built-in support for ftp, wais, HTTP, etc., proxies is brain-damaged - specifically if an authenticating proxy, such as for ftp, is enabled at the firewall. To quote one of their technical notes "...the only way to do authentication through a firewall used to be to use the HTTP authentication mechanism." In the case of ftp, Navigator attempts to negotiate the ftp proxy via an HTTP session. Completely confuses the ftp proxy.

o You can't configure it with a plug-in or helper application to handle ftp transfers - you have to live with / work around its PASV / non-authenticating capable ftp agent.

[Venting Off]

I can only assume this is intentional behavior in order to get people to buy Netscape's "proxy server".
Has anyone ever configured and/or used one in conjunction with a firewall? Does it really work?

Anyway, we finally got Navigator working (without SOCKS) through the firewall, including PASV ftp.

--
Steve Engle
DHT, Inc.
sengle@hti.net

From firewalls-owner Tue Apr 2 15:43:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA09811 for firewalls-outgoing; Mon, 1 Apr 1996 17:55:01 -0800 (PST)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA09782 for ; Mon, 1 Apr 1996 17:54:47 -0800 (PST)
Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id UAA18346; Mon, 1 Apr 1996 20:57:44 -0500
From: Adam Shostack
Message-Id: <199604020157.UAA18346@homeport.org>
Subject: Re: Clarification on Encryption Export Using CKE
To: thompson@tis.com (Bill Thompson)
Date: Mon, 1 Apr 1996 20:57:43 -0500 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Bill Thompson" at Mar 27, 96 10:24:15 pm
X-Mailer: ELM [version 2.4 PL24 ME8b]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Bill Thompson wrote:

| > Bill misses an important third option, and that is to go to
| > one of the many vendors of cryptographic tools who are not based in
| > the USA. TIS did a survey, and found nearly 500 selling DES
| > or stronger crypto. It's unfortunate that the US government has forced
| > good companies like TIS to develop all these silly hacks to protect
| > data confidentiality.
| >
| > TIS's survey can be found at: www.tis.com/crypto/survey.html
|
| It is true that there are vendors who purport to have tools that don't
| include a recovery mechanism, and some of these even work as advertised.

"If your software is full of bugs, what does that say about its security?" :)

| Further, the users of a truly globally deployed encryption solution are not
| going to be as competent as the few users who exist today.
| Recovery will
| be a necessary feature, particularly with archived files. Even RSA has
| acknowledged that their corporate clients have DEMANDED that an escrow
| feature be available. Lots of other companies have ad hoc solutions for
| escrow/recovery, primarily because there is a demand for it from their
| customers. Unfortunately, none of them work in the same way. Now I ask
| you: If the marketplace wants recovery, the government demands it in order
| to allow encryption to be exported, and TIS has a solution that satisfies
| both sides (albeit with less control than the government had in mind), why
| wouldn't we all endorse a method that puts the private sector in control,
| and has the potential to become an interoperable global standard?

As long as the private sector is in control. This means a company needs to be able to select my own key holders, including /dev/null. There are documents, phone conversations, and the like, which a company wants to be able to destroy. This is why shredders sell. If your crypto solution makes all your documents recoverable, your lawyers are likely to faint.

| Politics and personal convictions aside, whether or not an encrypted file
| or message is "escrowed" doesn't change the fact that we are required to
| provide the government with information they are legally entitled to. CKE
| places control of our "non-traditional" escrow in the hands of the private
| sector, not the government, and it formalizes the process the government
| has to go through in order to get keys from the private sector. As long as
| we can control the location of the key recovery, which with reasonably
| sized corporations will be at our own facilities, we are in no more of a
| data security compromise position with CKE than with no escrow at all, and
| we have introduced the ability to recover files and messages when we need
| to.

Politics, and personal convictions aside, we're required to provide the government with some subset of documents.
In the United States, diaries still enjoy strong protection.

Back, for a brief moment, to politics, this entire argument is clearly political, and TIS would be in a more honest position if they admitted that certain features of their DRC are required by government, not industry.

--
"It is seldom that liberty of any kind is lost all at once."
                                                        -Hume

From firewalls-owner Tue Apr 2 15:48:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA13036 for firewalls-outgoing; Mon, 1 Apr 1996 18:27:02 -0800 (PST)
Received: from solarnum.itd.uts.edu.au ([138.25.16.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id SAA13001 for ; Mon, 1 Apr 1996 18:26:48 -0800 (PST)
Received: from maverick.itd.uts.edu.au (matt@maverick.itd.uts.edu.au [138.25.16.41]) by solarnum.itd.uts.edu.au (8.7.3/8.7.1/uts) with ESMTP id MAA23971; Tue, 2 Apr 1996 12:23:51 +1000 (EAST)
Received: (from matt@localhost) by maverick.itd.uts.edu.au (8.7.3/8.7.3/Jas) id MAA03442; Tue, 2 Apr 1996 12:24:20 +1000
Message-Id: <199604020224.MAA03442@maverick.itd.uts.edu.au>
Subject: Re: your mail - WHOM?
To: fernando%boemia@ibase.br (Fernando Cabral)
Date: Tue, 2 Apr 1996 12:24:19 +1000 (EAST)
Cc: sigurd@access.digex.net, tuckerp@css583.gordon.army.mil, firewalls@GreatCircle.COM, tuckerp@wt200055.css.gordon.army.mil
In-Reply-To: <9604011438.aa04449@boemia.pix.com.br> from "Fernando Cabral" at Apr 1, 96 02:38:11 pm
X-Ph: ph: +61 2 330 1390 fax: +61 2 330 1999 home: +61 2 9929 0717
X-Pager: +61 2 214 1111 #216098 or pager@maverick.itd.uts.edu.au
X-Pgp-Finger: pub 2048/27FB4AE1 1995/09/30 Jas (Matthew K)
X-Pgp-Finger: Key fingerprint = 3A1EEDBE7A6D498D E7953FB40A21A6C8
From: matt@uts.edu.au
X-Mailer: ELM [version 2.4 PL25]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Fernando Cabral wrote this...
> At 14:24 29/3/1996 -0500, Jason H .Lamar. wrote:
> Please, let's stop using "Your mail" as subject. This is useless.
The reason the mail subject is "Re: your mail" is quite often because the original sender didn't have a subject at all... check the source code of your favorite mail reader....

Matt

--
#!/bin/sh
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D3F204445524F42snlbxq'|dc;exit
Matthew Keenan
Data Network Admin
Information Technology Division
University of Technology Sydney
Australia

It's nice to be in a position where people apologize because they assume there's humor in your work, based on past experience, but they're not sure where it is. -- Rob Pike

From firewalls-owner Tue Apr 2 18:23:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA07845 for firewalls-outgoing; Tue, 2 Apr 1996 18:03:34 -0800 (PST)
Received: from ibmmail.COM (ibmmail.com [199.171.26.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA07814 for ; Tue, 2 Apr 1996 18:03:25 -0800 (PST)
Message-Id: <199604030203.SAA07814@miles.greatcircle.com>
Received: from ibmmail by ibmmail.COM (IBM VM SMTP V2R3) with BSMTP id 0952; Tue, 02 Apr 96 21:00:53 EST
Date: Tue, 02 Apr 1996 21:01:17 EST
From: "George Janczuk JZKGEQ - AMPLN1"
To: Firewalls@greatcircle.com
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: more on mail addresses
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

===========================================================================

Thanks to everyone for their comments. I will elaborate on some details that were not clear in my original posting (+ answer some of the questions that people have asked).

It is worth mentioning that we are not predominantly a UNIX site (though we do still have quite a number of UNIX boxes of various flavours scattered around). We additionally run IBM mainframes with RACF security, + Novell and NT networks. The user-IDs I was mentioning are a current (and longstanding) corporate-wide standard for unique IDs which are generated upon employment.
These IDs are generally used as a fairly reliable user-ID key by the majority of our systems - and are indeed used as a synchronisation mechanism between mail directories (current mail systems include Verimations MEMO on the mainframe, Lotus Notes, Microsoft Mail + standard sendmail mail). As the IDs are unique already, we have decided to use flat mail addressing and use a consistent company domain after the AT sign. The mail hub looks after getting the mail to where it needs to go (this includes gateways to other mail systems). This means that mail addresses remain the same irrespective of which department an employee moves to, or even which mail system the particular department uses. Also - no host information is leaked due to the use of the flat structure (at least ostensibly - a couple of respondents have mentioned that information tends to leak via headers, and is even available via queries to the sendmail port, though this may be blocked via appropriate application firewalling). Now, a few respondents have mentioned aesthetics and ease-of-use as reasons for using schemes such as firstname_lastname@organisation.com.country. There are arguments for and against this sort of scheme (see the "Why are you so hostile to using full names for e-mail addresses?" section in the Sendmail FAQ for a counter argument) - however, I am more interested in the security aspects involved, as this is the point being debated. Security becomes an issue because the same user-ID tag is used for Novell, NT and mainframe RACF logins. Now, whilst external Internet access is regulated by a firewall, and internal security policies do apply (eg: mandated password changes, password composition guidelines, etc.), I do admit (as one respondent pointed out) that there is some merit to the security argument as some door knocking information becomes available. 
If actual physical access is gained to the site, and/or some boundary system is breached, then some door knocking may be performed using this information. If security policy information is sloppy on some internal systems then an exposure does exist. The real question is whether the risk of this exposure is adequate to justify the administrative maintenance burden of the large mapping table that is then required (our organisation contains roughly 10,000 mail users), and whether this solution does indeed address the problem. Lastly, the non-obvious mail-box ID seems to (albeit, once again by obscurity) make it somewhat harder to be the target for mail-bombs or abusive mail when only the name of the intended recipient is known (eg: dissatisfied customers trying to contact the MD directly, or even trying to make someone's day-to-day work difficult by mailing large volumes of data). How do the accessibility, frequency and repercussions of this type of threat compare to door knocking and password cracking? (this is not a rhetorical question - do people have comments on this?) As before - comments are welcomed. Also as before, dropping me a copy of responses at auampdrv@ibmmail.com in addition to the firewalls list would be appreciated. George Janczuk. 
From firewalls-owner Tue Apr 2 19:08:28 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA10113 for firewalls-outgoing; Tue, 2 Apr 1996 18:24:28 -0800 (PST) Received: from absolut-zero.winternet.com (absolut-zero.winternet.com [198.174.169.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id SAA10086 for ; Tue, 2 Apr 1996 18:24:17 -0800 (PST) Received: from parka (dufresne@parka.winternet.com [198.174.169.9]) by absolut-zero.winternet.com (8.7.5/8.7.5) with ESMTP id UAA09558; Tue, 2 Apr 1996 20:22:06 -0600 (CST) Received: (from dufresne@localhost) by parka (8.7.4/8.6.12) id UAA14710; Tue, 2 Apr 1996 20:22:04 -0600 (CST) Posted-Date: Tue, 2 Apr 1996 20:22:04 -0600 (CST) Date: Tue, 2 Apr 1996 20:22:04 -0600 (CST) From: Ron DuFresne To: Scott Barman cc: firewalls@GreatCircle.COM Subject: Re: DNS Spoofing and Java In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 2 Apr 1996, Scott Barman wrote: > > The victim: stooge.victim.org (IP 10.10.10.1) > target.victim.org (IP 10.10.10.2) > > The attacker: www.attacker.org (IP 172.16.16.16) > > Attacker creates a DNS entry for bogus.attacker.org and when queried > will return the pair of addresses (10.10.10.2, 172.16.16.16). > > The unsuspecting client surfs over to www.attacker.org, downloads an > applet, and runs it. This applet asks to be connected to the system > bogus.attacker.org. The Verifier does a DNS query and gets the above > pair of addresses. Because the original connection came from > 172.16.16.16, the Verifier will accept the request but connect to the > first address in the pair (10.10.10.2). The Princeton people attacked > an old sendmail bug, but you can do anything you want, including > attacking using the "r" commands! > [END OF REVIEW] > > This brings up two questions (which I hope Sun already addressed): > > 1) Why not connect back to 172.16.16.16? 
If this is where the applet > came from, then why choose the first in the list? This is where I have > problems with Sun's statement. This is not the fault of the security > model, but of their code for "changing" the return address! Actually, isn't this a shortcoming of DNS itself? DNS will return two addresses, but use the first in the list... Later, Ron DuFresne ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything. From firewalls-owner Wed Apr 3 11:38:16 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA00211 for firewalls-outgoing; Wed, 3 Apr 1996 09:14:23 -0800 (PST) Received: from myall.awadi.com.au (myall.awadi.com.AU [150.207.2.65]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id UAA00427 for ; Tue, 2 Apr 1996 20:57:48 -0800 (PST) Received: from bunya.awadi ([150.207.2.63]) by myall.awadi.com.au (8.7.5/8.7.1) with SMTP id OAA06759; Wed, 3 Apr 1996 14:20:13 +0930 (CST) Received: from mallee.awadi by bunya.awadi (5.x/SMI-SVR4) id AA17896; Wed, 3 Apr 1996 14:19:53 +0930 Received: by mallee.awadi (SMI-8.6/SMI-SVR4) id OAA17189; Wed, 3 Apr 1996 14:19:51 +0930 From: blymn@awadi.com.au (Brett Lymn) Message-Id: <199604030449.OAA17189@mallee.awadi> Subject: Re: mail addresses To: william.wells@damark.com (william.wells) Date: Wed, 3 Apr 1996 14:19:50 +0930 (CST) Cc: firewalls@greatcircle.com In-Reply-To: <9604012016.AA14123@damark.com> from "william.wells" at Apr 1, 96 02:12:00 pm X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk According to william.wells: > > >George Janczuk and Bill Van Emburg 
have been discussing mail addresses. > >I add: > and I follow up. :-) >We map all mail addresses between Internet and internal. We do this for >several reasons, but security via obscurity is not one of them. The main >reason is to maintain a consistent external mail address. > We do too.... >To accomplish this: [snip].... for all those reasons and one more: 4) Some of our users are using MicroSoft mail which forces the addressing of the user as user@postoffice.network.company.com.... Since they could not be bothered doing the work in mapping user id's to postoffices/networks in their smtp gateway. Hiding this IMHO is good from the point of aesthetics not security... -- Brett Lymn, Computer Systems Administrator, AWA Defence Industries =============================================================================== "Upgrading your memory gives you MORE RAM!" - ad in MacWAREHOUSE catalogue. From firewalls-owner Wed Apr 3 11:40:08 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA00140 for firewalls-outgoing; Wed, 3 Apr 1996 09:12:34 -0800 (PST) Received: from rex.Mischler.COM (mischler.com [206.7.138.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id UAA00529 for ; Tue, 2 Apr 1996 20:58:54 -0800 (PST) Received: (from mischler@localhost) by rex.Mischler.COM (8.7.5/8.7.3) id XAA12051; Tue, 2 Apr 1996 23:55:09 -0500 (EST) Date: Tue, 2 Apr 1996 23:55:09 -0500 (EST) From: Dave Mischler Message-Id: <199604030455.XAA12051@rex.Mischler.COM> To: nick@swrcc.demon.co.uk Subject: RE: Dos based Firewalls Cc: Firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > Is there any public domain Dos based firewall available ? > > The only software coming close to this requirement that I know of > is "IPRoute" by David F. Mischler. 
This is a packet-filtering address > translating (if you want it) IP router *shareware* package needing a > 286-or-better PC fitted with some combination of a serial dialup IP > link (SLIP or PPP) and one or more ethernet cards; it uses Crynwr > (version 11 preferred) packet drivers to access the ethernet cards. Thanks for the plug. See the Firewalls archives for 22-Dec-1992 for the conceptual origin of this package. It has existed as code for about a year. > We downloaded version 0.86 (early days yet ?) from our ISP's ftp > site - ftp.demon.co.uk - and have tried it out, but after reading > the document "Network (In)Security Thru Packet Filtering" by Brent > Chapman as recommended in IPRoute's docs, I realised this approach > to IP security has its limitations (which I'm hoping this list will > clarify for me ...) and we haven't yet rolled the package out for > live use. My boss wants to buy a hideously expensive "hardened-Unix" > based commercial firewall instead (to keep the auditors happy). I want to point out that the NAT facility translates IP addresses *and* TCP/UDP port numbers, and provides a stateful packet filter. This provides tighter security than classical packet filtering. The stateful filtering vs. application proxies argument has been recently reviewed here, so I don't think we need to cover it again... > If you go to find it, look for "iprv086.zip"; at the Demon site > it was in /pub/ibmpc/msdos/apps/iprv, and I've also seen it on the > Simtel mirror at sunsite.doc.ic.ac.uk. Check http://www.mischler.com/iproute/ for up to date information. Beta 0.90 ("iprb090.zip") fixes some serious problems in 0.86. 
- Dave From firewalls-owner Wed Apr 3 11:50:17 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA00226 for firewalls-outgoing; Wed, 3 Apr 1996 09:15:17 -0800 (PST) Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA00217 for ; Wed, 3 Apr 1996 09:14:56 -0800 (PST) Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id LAA26533; Wed, 3 Apr 1996 11:12:00 -0600 (CST) Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id LAA26519; Wed, 3 Apr 1996 11:11:49 -0600 (CST) Received: from [172.17.1.61] (smith.sctc.com [172.17.1.61]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id LAA15525; Wed, 3 Apr 1996 11:12:13 -0600 (CST) X-Sender: smith@mailhost.sctc.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 3 Apr 1996 11:12:51 -0600 To: Dave Sroelov From: smith@sctc.com (Rick Smith) Subject: Re: trusting the processor chip Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 7:54 AM 4/3/96, Dave Sroelov wrote: >just to add another $0.02 to the discussion, does anybody remember the >undocumented LOADALL instruction present on some of the Intel processors >like 286, 386, etc. > >it did wonderful things like allow you to completely subvert the memory >management and protection features of the chip... Design flaws are the first risk facing any security mechanism. Start by trying to flush out accidental flaws. That makes the intentional ones harder to hide, anyway. Rick. 
smith@sctc.com secure computing corporation From firewalls-owner Wed Apr 3 11:52:33 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA05854 for firewalls-outgoing; Wed, 3 Apr 1996 09:39:11 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA05155 for ; Wed, 3 Apr 1996 09:37:35 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id XAA27380; Tue, 2 Apr 1996 23:26:30 -0800 Received: from arnie.systems.sa.gov.au(143.216.242.3) by mycroft via smap (V1.3mjr) id sma027352; Tue Apr 2 23:26:10 1996 Received: from state.systems.sa.gov.au by arnie.systems.sa.gov.au (PMDF V4.3-7 #13538) id <01I341PPK0U8003OV3@arnie.systems.sa.gov.au>; Wed, 3 Apr 1996 16:56:24 +1030 Received: from dogbert.systems.sa.gov.au (dogbert.systems.sa.gov.au) by state.systems.sa.gov.au (PMDF V5.0-4 #13538) id <01I341PCQSV4002FBN@state.systems.sa.gov.au>; Wed, 03 Apr 1996 16:56:05 +0930 Received: from jolt.systems.sa.gov.au (jolt.systems.sa.gov.au [143.216.237.8]) by dogbert.systems.sa.gov.au (8.6.12/8.6.12) with SMTP id RAA03291; Wed, 03 Apr 1996 17:02:18 +0930 Date: Wed, 03 Apr 1996 17:57:50 +0930 From: Garth Kidd Subject: Veracity; Dr Ross N Williams In-reply-to: firewalls-digest-owner@GreatCircle.COM "Firewalls-Digest V5 #204" (Apr 2, 13:26) To: Firewalls@GreatCircle.COM Cc: ross@rocksoft.com.au, simon@internode.com.au Message-id: <960403175832.ZM2871@jolt.systems.sa.gov.au> MIME-version: 1.0 X-Mailer: Z-Mail 4.0 (4.0.0 Aug 21 1995) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7BIT References: <199604022126.NAA17869@miles.greatcircle.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From: Garth Kidd > Date: Mon, 01 Apr 1996 18:51:02 +0930 > Subject: Re: Firewalls-Digest V5 #200 > > [...] 
> > Veracity's author, Dr Ross N Williams, is also known for the FunnelWeb > literate programming tool, his papers on compression algorithms and > software patent law, the {farming} entry in the Jargon File, and for a > much-celebrated document on computer science educational technology. > > An AltaVista search on "Ross" +"Williams" will show many of these, but > please don't confuse him with the Hawaiian surfer. Dr Williams is more > often to be found surfing thermals, in a glider. Mea culpa. It appears that suspiciously high levels of blood in my caffeine-stream are responsible for a couple of errors in my article. Ross is more likely to be found plummeting out of planes than gliding in them (I momentarily confused him with another South Australian net.luminary, Simon Hackett), and denies any knowledge of {farming}, which may well turn out to have been Simon again. Veracity, I should point out, would have made neither of these mistakes :). -- garth@dogbert.systems.sa.gov.au | Garth Kidd +61-8-207-7740 (voice) | Network Services Branch +61-8-207-7860 (fax) | Southern Systems | Adelaide, AUSTRALIA From firewalls-owner Wed Apr 3 11:55:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA08508 for firewalls-outgoing; Wed, 3 Apr 1996 09:45:33 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA08249 for ; Wed, 3 Apr 1996 09:44:48 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id VAA25402; Tue, 2 Apr 1996 21:13:18 -0800 Received: from harbor.silcom.com(199.201.128.1) by mycroft via smap (V1.3mjr) id sma025397; Tue Apr 2 21:12:52 1996 Received: from beach.silcom.com (dlc@beach.silcom.com [199.201.128.19]) by harbor.silcom.com (8.6.12/8.6.9) with ESMTP id VAA16497; Tue, 2 Apr 1996 21:15:04 -0800 Received: by beach.silcom.com (8.6.12/SMI-4.1) id VAA00791; Tue, 2 Apr 1996 21:15:47 -0800 Date: 
Tue, 2 Apr 1996 21:15:44 -0800 (PST) From: David Carmean To: davey_s@panynj.gov cc: firewalls-digest@GreatCircle.COM Subject: Re: ANY SHORT CUTS??? In-Reply-To: <009A03FEBD3B5600.20600CB1@panynj.gov> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 2 Apr 1996 davey_s@panynj.gov wrote: > Hello Firewall Digest Owner and fellow Subscribers: > > Does anyone know of a way to make this Firewall Digest (or any public mailing > list) forward me only the e-mail that has certain information pertaining to only > topics of my interest. The firewall digest is a joy to read and has a lot of > great information; however, I would like to save time and only read the digests > that include information about a particular product (i.e., IRX Routers, > Crypto-based products), a certain type of firewall (i.e., Firewall-1, RAPTOR), > information from / about a certain group (i.e., Computer Emergency Response Team > (CERT), HACKERS), or about a certain topic (i.e., IP Spoofing attacks, logic > bombs, trojan horses, firewall administration). > I'm not aware of anyone doing server-side filtering, but the thought had occurred to me several weeks ago. But I have yet to think through the economic and social impacts of this method. Seems like it would be good for "the commons" not to send stuff people don't want to read, but I wonder what it would add to the server load. Anyway, if you do or can receive mail on a Unix host, your best bet is procmail. Your filter criteria can get as complex as you can keep track of in your head while writing the filter rules, and do a lot of other stuff with it as well. If you go this route, you should drop the digest version in favor of the regular version. You can search the subject lines and/or the body of the message. I don't do any subject/content filtering yet, because I'm too lazy to decide what I do and don't want to read, and afraid to miss anything. 
I mostly use it to sort my incoming mail into separate folders. Have to. I've already gotten 303 messages today and there are 2 1/2 hours to go. Available from As a sysadmin, I couldn't manage without it.... From firewalls-owner Wed Apr 3 11:57:07 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA07659 for firewalls-outgoing; Wed, 3 Apr 1996 09:43:26 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA07147 for ; Wed, 3 Apr 1996 09:42:15 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id JAA02382; Wed, 3 Apr 1996 09:35:44 -0800 Received: from nsco.network.com(129.191.1.1) by mycroft via smap (V1.3mjr) id sma002380; Wed Apr 3 09:35:11 1996 Received: from anubis.network.com by nsco.network.com (4.1/1.34) id AA13447; Wed, 3 Apr 96 11:03:55 CST Received: from blefscu.network.com by anubis.network.com (4.1/SMI-4.1) id AA05578; Wed, 3 Apr 96 11:02:06 CST Date: Wed, 3 Apr 96 11:02:06 CST From: amolitor@anubis.network.com (Andrew Molitor) Message-Id: <9604031702.AA05578@anubis.network.com> To: firewalls@greatcircle.com Subject: FTP PASV/non-PASV - Sender: firewalls-owner@GreatCircle.COM Precedence: bulk A couple of good points have been made which I thought I'd summarise. Firstly, my original table was unclear -- by in/out bound I should have clearly indicated that I meant directionality in the sense of connection origination. That is 'inbound >1023 -> 20' means, allow someone on the outside to create a connection to the inside, from ports >1023 to port 20. Secondly, the 'normal' approach does imply that the FTP server needs to have root privilege available to it to bind to port 20 to originate the data connection. I had not thought of this and was, as is my packet-filtering-centric habit, thinking mostly in terms of port-range exposure. 
Thirdly, I have ignored everything except the data connection, since (as far as I know) this is where the differences here lie, everything else is the same. So, I think, the summary looks something like: - PASV is good for the client, since the client controls the connections (originates both control & data connections), but at a cost of increased port-range exposure. It's less good for the server due to port-range exposures, but does not require rootly servers, and the server is pretty well hanging out there in the breeze anyways, what's a little more exposure. - Normal is good for everyone in terms of port exposure, but requires that the client admit inbound connections, and requires the server to have root privileges. - Normal/modified (same as normal, but server originates from non-privileged port, not port 20) is the same as Normal, but with increased port range exposure, and no rootness on the server. In selecting an FTP server model, one needs (apparently) to trade off: - root privileges in the daemon - port range exposures to the outside - port range exposure between the FTP server and your internal net If you can't filter between the server and your internal net, on source port, I think you pretty much have to go with the modified model that does not use port 20. If you can, the tradeoff seems to be between root privilege and port-range exposure. I haven't quite worked out where stateful filters/firewalls that snoop PORT commands go, but they probably make the port-range exposure differences go away, I think. My apologies to those readers who have found my thinking out loud tedious. I hope that at least some readers have been trying to work out just what the issues here are as well and have found the conversation and my ramblings somewhat better than useless. 
Andrew From firewalls-owner Wed Apr 3 12:07:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA08012 for firewalls-outgoing; Wed, 3 Apr 1996 09:44:16 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA07509 for ; Wed, 3 Apr 1996 09:43:02 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id VAA25261; Tue, 2 Apr 1996 21:03:14 -0800 Received: from inet1.tek.com(134.62.48.21) by mycroft via smap (V1.3mjr) id sma025210; Tue Apr 2 21:02:53 1996 Received: by inet1.tek.com id ; Tue, 2 Apr 1996 21:05:08 -0800 Received: from tektronix.tek.com(134.62.48.24) by inet1 via smap (V1.3) id sma018239; Tue Apr 2 21:04:52 1996 Received: from orca.wv.tek.com by tektronix.TEK.COM (5.x/8.2) id AA20406; Tue, 2 Apr 1996 21:07:28 -0800 Received: from trouble.WV.TEK.COM by orca.wv.tek.com (4.1/8.2) id AA04028; Tue, 2 Apr 96 21:07:16 PST Received: by trouble.WV.TEK.COM (4.1/8.0) id AA06453; Tue, 2 Apr 96 21:02:40 PST Date: Tue, 2 Apr 1996 21:02:36 -0800 (PST) From: Kent Dahlgren To: davey_s@panynj.gov Cc: firewalls-digest@greatcircle.COM Subject: Re: ANY SHORT CUTS??? In-Reply-To: <009A03FEBD3B5600.20600CB1@panynj.gov> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sheesh. Procmail will do the job. One catch though, you'll have to do the research. On Tue, 2 Apr 1996 davey_s@panynj.gov wrote: > > Hello Firewall Digest Owner and fellow Subscribers: > > Does anyone know of a way to make this Firewall Digest (or any public mailing > list) forward me only the e-mail that has certain information pertaining to only > topics of my interest. 
The firewall digest is a joy to read and has a lot of > great information; however, I would like to save time and only read the digests > that include information about a particular product (i.e., IRX Routers, > Crypto-based products), a certain type of firewall (i.e., Firewall-1, RAPTOR), > information from / about a certain group (i.e., Computer Emergency Response Team > (CERT), HACKERS), or about a certain topic (i.e., IP Spoofing attacks, logic > bombs, trojan horses, firewall administration). > > If anyone has / uses such a filter please let me know. If there is no such > thing in existence, it would be a great product / utility for someone to develop > either on the digest owners side (while subscribing to a digest, the subscriber > has the option to create a "hot" list of words / topics that must (optional) be > included in the header and/or body of the document) or on the subscribers side > (the Internet e-mail package used or a third party package, has a feature to > only accept e-mail from a subscription that includes words / topics from the > subscribers editable "hot" list). > > > PRE-RETURN RESPONSE 1: > > The find / search function only provides the ability to search a document for > (1) topic at a time. If I have 10 to 20 topics of interest, I would have > to repeat the find / search 10 to 20 times. This does NOT save time. > > > PRE-RETURN RESPONSE 2: > > Yes, if there is/are NO existing product(s) that provide this feature and one > who reads this message develops one, royalties for this concept/idea would be > greatly appreciated; even though The 'time' such a utility would / will save me > and the rest of the Internet e-mail world is immeasurable. > > > If you would like to reach me directly, please send e-mail to > [ davey_s@panynj.gov ] or [ davey@alpha.fdu.edu ]. Thank you for your time > and cooperation in this matter. > > > Sincerely, > > > Steven A.N.Q.L. 
Davey > > > ============================================================================== > > S A V E T I M E ... S A V E M O N E Y ... S A V E M E !!! > > ============================================================================== > > *********************************************************************** > The views expressed in this message are those of the author > and do not necessarily reflect official positions of the > Port Authority of New York & New Jersey or its subsidiaries > *********************************************************************** > "Any ideas expressed here may not reflect those of my employers" ______________________________________________________________________________ ______ T E K T R O N I X _ C P I D _ T E C H N I C A L _ S U P P O R T _______ / Voice: 1.800.835.6100 E-mail: support@colorprinters.tek.com Fax: 1.503.685.3063 WWW: www.tek.com BBS: 1.503.685.4504 E-World: Keyword Tektronix HAL: 1.503.682.7450 AOL: Keyword Tektronix Service: 1.800.835.6100 FTP: ftp.tek.com ______________________________________________________________________________ From firewalls-owner Wed Apr 3 12:09:20 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA01043 for firewalls-outgoing; Wed, 3 Apr 1996 09:27:57 -0800 (PST) Received: from apu.connectix.com (apu.connectix.com.159.247.204.in-addr.arpa [204.247.159.242]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA00841 for ; Wed, 3 Apr 1996 09:27:17 -0800 (PST) Received: from snowball.connectix.com by apu.connectix.com (5.64/Tenon-1.35.01) id AA05747; Wed, 3 Apr 96 09:27:20 -0800 (PST) Date: Wed, 3 Apr 96 09:27:20 -0800 (PST) Message-Id: <9604031727.AA05747@apu.connectix.com> Subject: Bad Line in Sendmail? From: Rob Sansom To: Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Anyone out there know what the 'bad line' error message is?? 
Is this an attack, or just Sendmail choking on a bad queue file?

Dec 11 08:47:08 apu sendmail[12226]: AA12222: SYSERR: xfAA12222: line 21: readqf (AA12222:21): bad line "^B)"
Mar 26 16:57:09 apu sendmail[80]: QAA00165: SYSERR: xfQAA00165: line 5: readqf(QAA00165:5): bad line "$rSMTP": No such file or directory
Mar 26 16:57:09 apu sendmail[80]: QAA00165: SYSERR: xfQAA00165: line 6: readqf(QAA00165:6): bad line "$s[204.247.158.115]"
Mar 26 16:57:10 apu sendmail[80]: QAA00165: SYSERR: xfQAA00165: line 7: readqf(QAA00165:7): bad line "$_[204.247.158.115]"
Mar 26 16:57:11 apu sendmail[81]: QAA00202: SYSERR: xfQAA00202: line 4: readqf(QAA00202:4): bad line "$rESMTP": No such file or directory
Mar 26 16:57:11 apu sendmail[81]: QAA00202: SYSERR: xfQAA00202: line 5: readqf(QAA00202:5): bad line "$ssmtp1.interramp.com"
Mar 26 16:57:11 apu sendmail[81]: QAA00202: SYSERR: xfQAA00202: line 6: readqf(QAA00202:6): bad line "$_smtp1.interramp.com [38.8.45.2]"
Mar 26 16:57:12 apu sendmail[82]: AA00506: SYSERR: xfAA00506: line 5: readqf(AA00506:5): bad line "Fw": No such file or directory
Mar 26 16:57:12 apu sendmail[82]: AA00506: SYSERR: xfAA00506: line 6: readqf(AA00506:6): bad line "$_root@localhost"
Mar 26 16:57:13 apu sendmail[83]: AA01513: SYSERR: xfAA01513: line 5: readqf(AA01513:5): bad line "Fw": No such file or directory
Mar 26 16:57:13 apu sendmail[83]: AA01513: SYSERR: xfAA01513: line 6: readqf(AA01513:6): bad line "$_root@localhost"
Mar 26 16:57:13 apu sendmail[84]: PAA00157: SYSERR: xfPAA00157: line 5: readqf(PAA00157:5): bad line "Fr": No such file or directory
Mar 26 16:57:13 apu sendmail[84]: PAA00157: SYSERR: xfPAA00157: line 6: readqf(PAA00157:6): bad line "$rinternal"
Mar 26 16:57:13 apu sendmail[84]: PAA00157: SYSERR: xfPAA00157: line 7: readqf(PAA00157:7): bad line "$slocalhost"
Mar 26 16:57:13 apu sendmail[84]: PAA00157: SYSERR: xfPAA00157: line 8: readqf(PAA00157:8): bad line "$_localhost"
Mar 26 16:57:15 apu sendmail[85]: AA00589: SYSERR: xfAA00589: line 5: readqf(AA00589:5): bad line "Fw": No such file or directory
Mar 26 16:57:15 apu sendmail[85]: AA00589: SYSERR: xfAA00589: line 6: readqf(AA00589:6): bad line "$_root@localhost"
Mar 26 16:57:15 apu sendmail[86]: AA00219: SYSERR: xfAA00219: line 5: readqf(AA00219:5): bad line "$_root@localhost": No such file or directory
Mar 26 16:57:16 apu sendmail[87]: AA00643: SYSERR: xfAA00643: line 5: readqf(AA00643:5): bad line "$_root@localhost": No such file or directory
Mar 26 16:57:17 apu sendmail[88]: AA00526: SYSERR: xfAA00526: line 5: readqf(AA00526:5): bad line "$_root@localhost": No such file or directory
Mar 26 17:03:10 apu sendmail[79]: QAA00165: SYSERR: xfQAA00165: line 5: readqf(QAA00165:5): bad line "$rSMTP": No such file or directory
Mar 26 17:03:10 apu sendmail[79]: QAA00165: SYSERR: xfQAA00165: line 6: readqf(QAA00165:6): bad line "$s[204.247.158.115]"
Mar 26 17:03:10 apu sendmail[79]: QAA00165: SYSERR: xfQAA00165: line 7: readqf(QAA00165:7): bad line "$_[204.247.158.115]"
Mar 26 17:03:13 apu sendmail[79]: QAA00202: SYSERR: xfQAA00202: line 4: readqf(QAA00202:4): bad line "$rESMTP"
Mar 26 17:03:13 apu sendmail[79]: QAA00202: SYSERR: xfQAA00202: line 5: readqf(QAA00202:5): bad line "$ssmtp1.interramp.com"
Mar 26 17:03:13 apu sendmail[79]: QAA00202: SYSERR: xfQAA00202: line 6: readqf(QAA00202:6): bad line "$_smtp1.interramp.com [38.8.45.2]"
Mar 26 17:03:17 apu sendmail[79]: AA00506: SYSERR: xfAA00506: line 5: readqf(AA00506:5): bad line "Fw"
Mar 26 17:03:17 apu sendmail[79]: AA00506: SYSERR: xfAA00506: line 6: readqf(AA00506:6): bad line "$_root@localhost"
Mar 26 17:03:20 apu sendmail[79]: AA01513: SYSERR: xfAA01513: line 5: readqf(AA01513:5): bad line "Fw"
Mar 26 17:03:20 apu sendmail[79]: AA01513: SYSERR: xfAA01513: line 6: readqf(AA01513:6): bad line "$_root@localhost"
Mar 26 17:03:26 apu sendmail[79]: PAA00157: SYSERR: xfPAA00157: line 5: readqf(PAA00157:5): bad line "Fr"
Mar 26 17:03:26 apu sendmail[79]: PAA00157: SYSERR: xfPAA00157: line 6: readqf(PAA00157:6): bad line "$rinternal"
Mar 26 17:03:26 apu sendmail[79]: PAA00157: SYSERR: xfPAA00157: line 7: readqf(PAA00157:7): bad line "$slocalhost"
Mar 26 17:03:26 apu sendmail[79]: PAA00157: SYSERR: xfPAA00157: line 8: readqf(PAA00157:8): bad line "$_localhost"
Mar 26 17:03:32 apu sendmail[79]: AA00589: SYSERR: xfAA00589: line 5: readqf(AA00589:5): bad line "Fw"
Mar 26 17:03:32 apu sendmail[79]: AA00589: SYSERR: xfAA00589: line 6: readqf(AA00589:6): bad line "$_root@localhost"
Mar 26 17:03:39 apu sendmail[79]: AA00219: SYSERR: xfAA00219: line 5: readqf(AA00219:5): bad line "$_root@localhost"
Mar 26 17:04:06 apu sendmail[79]: AA00643: SYSERR: xfAA00643: line 5: readqf(AA00643:5): bad line "$_root@localhost"
Mar 26 17:04:10 apu sendmail[79]: AA00526: SYSERR: xfAA00526: line 5: readqf(AA00526:5): bad line "$_root@localhost"
Mar 26 17:50:57 apu sendmail[267]: AA00526: SYSERR: xfAA00526: line 5: readqf(AA00526:5): bad line "$_root@localhost"
Mar 27 19:10:54 apu sendmail[4993]: AA04835: SYSERR: xfAA04835: line 15: readqf(AA04835:15): bad line "\POS^I,$ZNET by suntan.tandem.com (8.6.12/suntan5.960119 ) for
Mar 27 19:10:54 apu sendmail[4993]: AA04835: SYSERR: xfAA04835: line 18: readqf(AA04835:18): bad line "\POS^I,$ZNET ^U5 (4.13/4.5)
Mar 27 19:10:54 apu sendmail[4993]: AA04835: SYSERR: xfAA04835: line 21: readqf(AA04835:21): bad line "\POS^I,$ZNET ^U5>"

Thanks in Advance,

From firewalls-owner Wed Apr 3 16:57:26 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA11136 for firewalls-outgoing; Wed, 3 Apr 1996 10:16:39 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA01749 for ; Wed, 3 Apr 1996 09:29:53 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id WAA26669; Tue, 2 Apr 1996 22:42:46 -0800 Received: from toker.utb.falun.se(192.121.234.101) by 
mycroft via smap (V1.3mjr) id sma026618; Tue Apr 2 22:41:58 1996
Received: (from mail@localhost) by toker.utb.falun.se (8.7.1/8.7.1) id HAA11928 for ; Wed, 3 Apr 1996 07:32:47 +0200
X-Authentication-Warning: toker.utb.falun.se: mail set sender to using -f
Received: from unknown(10.100.240.10) by toker.utb.falun.se via smap (V1.3) id sma011911; Wed Apr 3 07:32:29 1996
Received: (from mail@localhost) by mailix.utb.falun.se (8.6.11/8.6.9) id HAA08358 for ; Wed, 3 Apr 1996 07:32:25 +0100
Received: from unknown(10.38.240.2) by mailix.utb.falun.se via smap (V1.3) id sma008351; Wed Apr 3 07:32:23 1996
Received: from LUG_IKAROS/MAILQ by lug.utb.falun.se (Mercury 1.21); 3 Apr 96 07:32:21 +0100
Received: from MAILQ by LUG_IKAROS (Mercury 1.21); 3 Apr 96 07:32:18 +0100
From: "Daniel Ahlberg"
Organization: Lugnetgymnasiet, Falun
To: firewalls@greatcircle.com
Date: Wed, 3 Apr 1996 07:32:13 +0100
Subject:
X-mailer: Pegasus Mail v3.30
Message-ID: <176BE715E5@lug.utb.falun.se>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

join

Daniel Ahlberg
[ASCII-art signature]
WWW: http://www.geocities.com/SiliconValley/3629
Fid: 2:205/324.8

From firewalls-owner Wed Apr 3 17:21:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA14616 for firewalls-outgoing; Wed, 3 Apr 1996 10:51:30 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA11938 for ; Wed, 3 Apr 1996 10:27:18 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id FAA01148; Wed, 3 Apr 1996 05:53:33 -0800
Received: from uuneo.neosoft.com(206.109.1.3) by mycroft via smap (V1.3mjr) id sma001135; Wed Apr 3 05:52:41 1996
Received: from nmti.com (ficc@localhost) by uuneo.neosoft.com (8.7.5/8.7.4) with UUCP id HAA00383; Wed, 3 Apr 1996 07:19:18 -0600 (CST)
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id HAA20050; Wed, 3 Apr 1996 07:16:33 -0600
Received: by sonic.nmti.com; id AA03135; Wed, 3 Apr 1996 07:16:32 -0600
From: peter@nmti.com (Peter da Silva)
Message-Id: <9604031316.AA03135@sonic.nmti.com.nmti.com>
Subject: Re: DNS Spoofing and Java
To: scott@di2.disclosure.com (Scott Barman)
Date: Wed, 3 Apr 1996 07:16:32 -0600 (CST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Scott Barman" at Apr 2, 96 01:56:35 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am somewhat surprised that Java would be using DNS for applet security at all. It knows the (IP) address it came from, why doesn't it just keep the IP address and only allow connections to that address? Yes, IP spoofing is also possible, but it's harder than DNS spoofing, and almost useless over a protocol like HTTP (TCP/IP, but stateless).
And, of course, it needs to disable all applet network connections if the connection came via a proxy, since there's no way in principle it can know what sort of address translation rules are going on in the proxy!

(I hope I'm not the only person on this list who's paranoid enough to think of this...)

From firewalls-owner Wed Apr 3 17:28:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA14775 for firewalls-outgoing; Wed, 3 Apr 1996 10:57:45 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA11985 for ; Wed, 3 Apr 1996 10:27:26 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id CAA00115; Wed, 3 Apr 1996 02:28:03 -0800
From: David.Barnwell@orchid.co.uk
Received: from unknown(194.216.116.4) by mycroft via smap (V1.3mjr) id sma000112; Wed Apr 3 02:27:13 1996
Received: from david by bacon.orchid.co.uk (SMI-8.6/SMI-SVR4) id LAA02556; Wed, 3 Apr 1996 11:22:14 +0100
Message-Id: <199604031022.LAA02556@bacon.orchid.co.uk>
X-Sender: david@bacon
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 03 Apr 1996 11:28:07 +0000
To: Firewalls@GreatCircle.COM
Subject: Re: ? (Network Address Translation) NAT questions
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

david@wsi.com (David Flinn) wrote:
>My customer requires the following for their firewall:
>1) two token ring interfaces (yikes !)
>2) map many RFC 1597 internal addresses to one valid external Class C address
>3) map many external Class C addresses to many internal RFC 1597 addresses.
>...

We have installed Checkpoint FireWall-1 with Network Address Translation at a couple of Token Ring customers. We used the Sun version, Solstice FireWall-1 V1.2.1 with the NAT patch.
Hardware configurations are:

  Leased 64kbit line from Internet provider
  Cisco 2511 or 2514 router
  Ethernet cable from router to Sun
  Sun Sparc 5 or Sparc 20
  Sun TR board connected to internal TR network

We initially had conflicts between FireWall-1 and TR source routing, but these were resolved by Sun. Note that we only used one TR board per customer -- I would be very interested to know if two TR boards would cause problems.

Regards,
David Barnwell
Orchid Ltd
162 Bestobell Road, Slough, Berks SL1 4SZ, UK
Tel: +44 1753 696069  Fax: +44 1753 567063

From firewalls-owner Wed Apr 3 17:44:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA14740 for firewalls-outgoing; Wed, 3 Apr 1996 10:56:01 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA11999 for ; Wed, 3 Apr 1996 10:27:29 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id FAA01136; Wed, 3 Apr 1996 05:52:32 -0800
Received: from uuneo.neosoft.com(206.109.1.3) by mycroft via smap (V1.3mjr) id sma001132; Wed Apr 3 05:51:45 1996
Received: from nmti.com (ficc@localhost) by uuneo.neosoft.com (8.7.5/8.7.4) with UUCP id HAA01482; Wed, 3 Apr 1996 07:32:25 -0600 (CST)
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id HAA20279; Wed, 3 Apr 1996 07:23:16 -0600
Received: by sonic.nmti.com; id AA11651; Wed, 3 Apr 1996 07:23:16 -0600
From: peter@nmti.com (Peter da Silva)
Message-Id: <9604031323.AA11651@sonic.nmti.com.nmti.com>
Subject: Re: Netscape Navigator and Firewalls
To: sengle@hti.net (Steven W. Engle)
Date: Wed, 3 Apr 1996 07:23:15 -0600 (CST)
Cc: firewalls@GreatCircle.COM, sengle@hti.net
In-Reply-To: from "Steven W.
Engle" at Apr 1, 96 09:30:16 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Good god, I'm defending Netscape.

> After spending a week battling with Netscape Navigator 2.01 to get it to
> function half-way decently with an Internet firewall, I've come to the
> conclusion that Navigator is overtly firewall hostile / brain-damaged.

No more than any other WWW client.

> o Its built-in support for ftp, wais, HTTP, etc., proxies is
>   brain-damaged

It conforms to the usual HTTP proxy mechanism. I don't know any browser that does anything different. In fact you usually provide a *URL* for the proxy that simply gets prepended to all requests.

> I can only assume this is intentional behavior in order to get people to
> buy Netscape's "proxy server".

No, it's Netscape following standards for once. There are a plethora of HTTP proxies available.

From firewalls-owner Wed Apr 3 18:29:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA13517 for firewalls-outgoing; Wed, 3 Apr 1996 10:38:14 -0800 (PST)
Received: from hydra.acs.uci.edu (hydra.acs.uci.edu [128.200.16.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA13483 for ; Wed, 3 Apr 1996 10:38:07 -0800 (PST)
Received: from bingy.acs.uci.edu (strombrg@bingy.acs.uci.edu [128.200.34.36]) by hydra.acs.uci.edu (8.7.1/8.7.1) with SMTP id KAA18948 for ; Wed, 3 Apr 1996 10:36:06 -0800 (PST)
Message-ID: <3162C514.3D78@hydra.acs.uci.edu>
Date: Wed, 03 Apr 1996 10:36:04 -0800
From: Dan Stromberg
X-Mailer: Mozilla 2.01 (X11; I; SunOS 5.5 sun4m)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: Re: BoS: DNS Spoofing and Java
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Scott Barman wrote:
>
> I was looking at Sun's statement regarding the bug they fixed and my
> copy of the JDK (I still only have 1.0) and
> started thinking (I
> know... that can be dangerous :-) about the attack using bogus DNS
> entries. Sun states:
>
>     The problem is with a bug in the implementation of the
>     security model, not with the model itself.
>     (http://java.sun.com/sfaq/960327.html)
>
> Besides sounding like Micro$haft and their response to Samba (it's the
> client's fault, not ours) I was wondering, could this problem be
> avoided if, to verify the address, the Verifier check and enforce
> reverse name mappings??

Not really - Microsoft attempted to deflect blame inappropriately and ineffectually. In contrast, Sun has accepted more blame than they really should have.

> [NOTE: The following is a review for those who haven't been following.
> This is a very terse description. If you want more information
> see the URL I give below.]
> If we take the example of the folks at Princeton who discovered the
> problem (http://www.cs.princeton.edu/~ddean/java/dns-scenario.html):
>
> The victim:   stooge.victim.org (IP 10.10.10.1)
>               target.victim.org (IP 10.10.10.2)
>
> The attacker: www.attacker.org (IP 172.16.16.16)
>
> Attacker creates a DNS entry for bogus.attacker.org and when queried
> will return the pair of addresses (10.10.10.2, 172.16.16.16).
>
> The unsuspecting client surfs over to www.attacker.org, downloads an
> applet, and runs it. This applet asks to be connected to the system
> bogus.attacker.org. The Verifier does a DNS query and gets the above
> pair of addresses. Because the original connection came from
> 172.16.16.16, the Verifier will accept the request but connect to the
> first address in the pair (10.10.10.2). The Princeton people attacked
> an old sendmail bug, but you can do anything you want, including
> attacking using the "r" commands!
> [END OF REVIEW]
>
> This brings up two questions (which I hope Sun already addressed):
>
> 1) Why not connect back to 172.16.16.16? If this is where the applet
> came from, then why choose the first in the list?
> This is where I have
> problems with Sun's statement. This is not the fault of the security
> model, but of their code for "changing" the return address!

Yes, but be careful: what if there's an http proxy in between? In other words, you can't just getpeername(), like might be initially expected.

Presumably Sun tried to work around this, by passing the initiating machine's _name_. However, given the current (insecure) state of the DNS, they should have been passing back the _ip_address_ of the initiating machine. This appears to be the full extent of Sun's error on this issue - not realizing that the DNS could be used to provide incorrect information.

They could also continue passing the _name_, and then do a PTR check, but passing the _ip_address_ in the first place eliminates some opportunities for trouble.

> 2) Why not do a reverse name lookup to verify this address? The way I
> have internal DNSs set up, if you lookup 2.10.10.10.in-addr.arpa, the
> internal DNS will return an internal name. That internal name will not
> be the same as the attacker's name (see above), so the connection should
> be rejected.

Because you should not _have_ to do a reverse lookup. Supporting detail:

1) If you check around in the bind archives, you'll find the use of PTR records for security is deprecated.

2) The PTR check isn't sufficient to make things really solid anyway, even from a DNS perspective - it's still possible to fake out the DNS, you just have to do it some other way, if there's a PTR check added.

3) There is no good reason why the DNS should allow you to publish data about IP addresses that you haven't been delegated. Sure, there's a bit of existing practice that makes legitimate (as it were) use of this "flexibility", but it should not be allowed without specific delegation. That is, if I've been delegated 128.200.34.36 by the powers that be, there really isn't any good reason why anyone anywhere in the world can publish DNS information about this IP address.
> In fact, what would happen if you looked up 16.16.16.172.in-addr.arpa?
> Would you get www.attacker.org or bogus.attacker.org? My guess would be
> you would probably get www.attacker.org and no CNAME for
> bogus.attacker.org, at which time all sorts of red flags, bells and
> whistles should go off alerting the world to this problem, no?
>
> Then the question becomes: How many people set up their internal DNS
> with reverse name mapping??

I hope everyone does. We configure many of our machines to drop connections from machines without PTRs. I realize this contradicts my previous intimation that PTRs should not be relied upon for security. (Hey, it's far from infallible, but it's better than not having it at all, and it "came with the territory" when installing TCP wrappers, which are useful for other purposes).

> Yes, I know this is a little bit outside of firewalls, but has to do
> with setting up and securing systems inside of those firewalls.

Quite a lot, yes.

> BTW: If there's a Java security list and someone is on it, you have my
> permission to forward this note to that list providing you keep my name
> (and .sig) attached.

It's been hashed out 'til many are sick of hearing about it.
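The Princeton scenario and the two proposed fixes in the messages above, worked through as an added Python model. This is not Sun's JDK code and not code from anyone in the thread: the "resolver" is a hard-coded table standing in for the attacker-controlled attacker.org zone (bogus.attacker.org answering with the victim's address first) and for the victim's internal reverse zone; connect_by_name, connect_by_pinned_address and reverse_matches are assumed shapes for the verifier, one per side of the argument, and the addresses are the ones quoted in the thread.

```python
"""Model of the applet connect check argued over in this thread.

Added illustration, not Sun's JDK code. The DNS answers below are a
constructed table standing in for the attacker-controlled zone in the
Princeton scenario and for the victim's internal in-addr.arpa zone.
The three check functions are assumptions about how such a verifier
could be written, not a description of what the JDK actually did.
"""

# Constructed forward zone as the attacker publishes it. Nothing stops
# attacker.org from listing 10.10.10.2, an address it was never
# delegated (Dan's point 3 above), and listing it first.
ATTACKER_ZONE = {
    "www.attacker.org": ["172.16.16.16"],
    "bogus.attacker.org": ["10.10.10.2", "172.16.16.16"],  # victim first
}

# Constructed reverse zone as the victim's internal DNS would serve it.
VICTIM_REVERSE_ZONE = {
    "10.10.10.1": "stooge.victim.org",
    "10.10.10.2": "target.victim.org",
}


def resolve(name, zone=ATTACKER_ZONE):
    """Forward lookup: all A records for the name, in answer order."""
    return list(zone.get(name, []))


def reverse_matches(addr, name, rzone=VICTIM_REVERSE_ZONE):
    """Scott's proposed PTR check: does addr map back to exactly name?"""
    return rzone.get(addr) == name


def connect_by_name(origin_host, requested_host, zone=ATTACKER_ZONE):
    """Vulnerable check, in the form the thread describes for JDK 1.0.

    The origin is remembered by *name*. The request is allowed when the
    requested name resolves to some address the origin also resolves to,
    and the connection then goes to the FIRST address in the answer,
    which the attacker chose. Returns the address that would be
    connected to, or None when the request is denied.
    """
    origin_addrs = set(resolve(origin_host, zone))
    requested_addrs = resolve(requested_host, zone)
    if not origin_addrs.intersection(requested_addrs):
        return None
    return requested_addrs[0]  # 10.10.10.2: inside the victim's network


def connect_by_pinned_address(origin_addr, requested_host, zone=ATTACKER_ZONE):
    """Hardened check in the form Peter and Dan argue for.

    origin_addr is the IP the applet was actually loaded from, or None
    when the page arrived through an HTTP proxy (the peer address is then
    the proxy's and tells us nothing, so every connection is refused).
    The applet may connect only to that one pinned address, regardless
    of what the attacker's zone returns or in what order.
    """
    if origin_addr is None:
        return None  # loaded via proxy: no trustworthy origin address
    requested_addrs = resolve(requested_host, zone)
    if origin_addr not in requested_addrs:
        return None
    return origin_addr  # never an address picked from the attacker's answer


if __name__ == "__main__":
    print("vulnerable:", connect_by_name("www.attacker.org", "bogus.attacker.org"))
    print("pinned    :", connect_by_pinned_address("172.16.16.16", "bogus.attacker.org"))
    print("via proxy :", connect_by_pinned_address(None, "bogus.attacker.org"))
    print("PTR check :", reverse_matches("10.10.10.2", "bogus.attacker.org"))
```

Run as a script it shows the vulnerable path handing the applet 10.10.10.2 while the pinned path returns only 172.16.16.16 for the same request, refuses outright when there is no usable origin address (the proxy case), and the PTR lookup of 10.10.10.2 disagreeing with bogus.attacker.org, which is the mismatch Scott's question relies on and which Dan argues should not be needed once the origin is kept as an address.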
From firewalls-owner Wed Apr 3 19:24:13 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA14309 for firewalls-outgoing; Wed, 3 Apr 1996 10:44:15 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA11913 for ; Wed, 3 Apr 1996 10:27:13 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id FAA01137; Wed, 3 Apr 1996 05:52:32 -0800
Received: from uuneo.neosoft.com(206.109.1.3) by mycroft via smap (V1.3mjr) id smaa01132; Wed Apr 3 05:51:53 1996
Received: from nmti.com (ficc@localhost) by uuneo.neosoft.com (8.7.5/8.7.4) with UUCP id HAA01525; Wed, 3 Apr 1996 07:32:30 -0600 (CST)
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id HAA20287; Wed, 3 Apr 1996 07:25:57 -0600
Received: by sonic.nmti.com; id AA02330; Wed, 3 Apr 1996 07:25:56 -0600
From: peter@nmti.com (Peter da Silva)
Message-Id: <9604031325.AA02330@sonic.nmti.com.nmti.com>
Subject: Re: Java Security & Decaf(tm)
To: geboykin@AlCon.Com (Greg Boykin)
Date: Wed, 3 Apr 1996 07:25:56 -0600 (CST)
Cc: mcnabb@argus.cu-online.com, madderra@emss.com, Firewalls@GreatCircle.COM
In-Reply-To: from "Greg Boykin" at Apr 1, 96 07:48:41 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Couldn't any of the nice little Netscape add-ins do the same thing on
> a much broader scale and easier than creating an applet?

Yes, they can. And you have the choice of which plugins you install and use. You don't have that option with Java.
From firewalls-owner Wed Apr 3 19:55:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA14362 for firewalls-outgoing; Wed, 3 Apr 1996 10:46:15 -0800 (PST)
Received: from hp01.vak12ed.edu (hp01.vak12ed.edu [141.104.150.251]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA14355 for ; Wed, 3 Apr 1996 10:46:00 -0800 (PST)
Message-Id: <199604031846.KAA14355@miles.greatcircle.com>
Received: by hp01.vak12ed.edu (1.38.193.5/16.2) id AA15151; Wed, 3 Apr 1996 12:43:58 -0500
From: "W.C. \"Jay\" Epperson"
Date: Wed, 03 Apr 1996 8:25:36 EST
To: dennis@SterCtl.com (Dennis Moroney)
Subject: Re: Interesting packets fron the net
In-Reply-To: <199604020529.XAA00770@SterCtl.com>; from "Dennis Moroney" at Apr 1, 96 11:29 pm
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Some folks were saying:

[snip]
> > It's also the signature of an IP spoofing attack. If you had
> > the actual packets logged, you could tell more certainly. I don't think
> > ciscos can log denied packets, but I may well be wrong.
> >
[snip]
>
> Yes, you are wrong. Add the verb 'log' to the end of an access-list
> rule and you will get the source IP address, destination IP address
> as well as the source and destination ports.

Ah, another undocumented feature (at least on _my_ UniversCD) from the "UNIX: Wrong Choice for Firewalls" folks.

>
> Caveat, it is really easy to break the access-list rules and make you
> think the router is getting 'spoofed'. I know because I stupidly did
> not double check my work while I was in a hurry one afternoon.
>

It's really easy to break anything when the documentation is hit or miss.

Before you hit that "r" key: I use Cisco products, think the hardware, software, and support are great, just think the doc stinks.

--
W.C. Epperson                    "I have great faith in fools.
Senior SE                         Self-confidence, my friends call it."
Information Security Officer              --Edgar Allan Poe--
DBA Emeritus
Curmudgeon-for-Life
Virginia Dept.
of Education
epperson@pen.k12.va.us

From firewalls-owner Wed Apr 3 20:49:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA18098 for firewalls-outgoing; Wed, 3 Apr 1996 12:03:31 -0800 (PST)
Received: from socks1.raleigh.ibm.com (socks1.raleigh.ibm.com [192.35.236.15]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA18092 for ; Wed, 3 Apr 1996 12:03:25 -0800 (PST)
Received: from rtpdce02.raleigh.ibm.com by socks1.raleigh.ibm.com (AIX 4.1/UCB 5.64/RTP-FW1.0) id AA85054; Wed, 3 Apr 1996 14:56:46 -0500
Received: from er.raleigh.ibm.com (er.raleigh.ibm.com [9.37.194.251]) by rtpdce02.raleigh.ibm.com (8.7.3/8.7.3/RTP-ral-1.0) with SMTP id OAA39000; Wed, 3 Apr 1996 14:56:36 -0500
Received: by er.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL) id AA26910; Wed, 3 Apr 1996 14:56:36 -0500
Message-Id: <9604031956.AA26910@er.raleigh.ibm.com>
X-Mailer: exmh version 1.5.3 12/28/94
To: firewalls@greatcircle.com
Cc: Dick Locke
Subject: Lotus Notes/plug-gw/database replication
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 03 Apr 1996 14:56:31 +22324924
From: Dick Locke
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I tried searching through the archives, but did not see the specific answer I was looking for.

Can the stock plug-gw from TIS be used to replicate Lotus Notes databases from inside a firewall to an external machine beyond the firewall? If so, how? Filtering traffic is not really an option for us.

Any other suggestions on external replication would be greatly appreciated.

Thanks!
Dick
--
Richard A.
Locke
rlocke@raleigh.ibm.com

From firewalls-owner Wed Apr 3 21:07:46 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA21575 for firewalls-outgoing; Wed, 3 Apr 1996 13:31:58 -0800 (PST)
Received: from mailgate.Cadence.COM (mailgate.Cadence.COM [158.140.2.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA21569 for ; Wed, 3 Apr 1996 13:31:53 -0800 (PST)
Received: (from smap@localhost) by mailgate.Cadence.COM (8.6.8/8.6.8) id NAA02195; Wed, 3 Apr 1996 13:29:47 -0800
Received: from cds1004.cadence.com(158.140.32.39) by mailgate.cadence.com via smap (V1.0mjr) id sma828566984.002188; Wed Apr 3 13:29:44 1996
Received: (from alastair@localhost) by cds1004.Cadence.COM (8.7.3/8.7.3) id NAA01579; Wed, 3 Apr 1996 13:29:43 -0800 (PST)
From: "Alastair Young"
Message-Id: <9604031329.ZM1577@cds1004.Cadence.COM>
Date: Wed, 3 Apr 1996 13:29:41 -0800
In-Reply-To: "Todd R. Zimmerman" "Securid BAD Tech Support" (Apr 2, 12:14pm)
References: <2.2.32.19960402201407.0067d7bc@snd10.med.navy.mil>
X-Mailer: Z-Mail (3.2.1 10apr95)
To: "Todd R. Zimmerman" , Firewalls@GreatCircle.COM
Subject: Re: Securid BAD Tech Support
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I second the bad tech support. I've been trying to get through for a week now. Our theory is that they are all out at Interop in Las Vegas.

The Gauntlet/fwtk tn-gw telnet gateway authenticates to the TIS authentication daemon (authsrv in the fwtk). This daemon has the Security Dynamics client code in it. When you set a user's authentication type to "S" it does SecurID for that user.

The question I am trying to get an answer from SD about is: where is the command line interface you promised for administration functions? I asked the guy at the SD booth at OSS96 in Orlando last month and was assured it would be in the new 2.x server software.
We just upgraded and I can't find hide nor hair of the command line interface.

Grrrrr

--
Alastair Young                     alastair@cadence.com
Cadence Design Systems, IS Group   (408)428-5278  Fax: (408)894-3487
555 River Oaks Parkway, 4B1        Ariel singles parts always wanted
San Jose CA 95134
These statements and opinions are mine, not those of Cadence Design.

From firewalls-owner Wed Apr 3 21:13:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA25760 for firewalls-outgoing; Wed, 3 Apr 1996 14:59:36 -0800 (PST)
Received: from portal.east.saic.com (PORTAL.EAST.SAIC.COM [198.151.13.15]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA25753 for ; Wed, 3 Apr 1996 14:59:32 -0800 (PST)
Received: from leosec.saic.com ([149.8.87.10]) by portal.east.saic.com via smtpd (for miles.greatcircle.com [198.102.244.34]) with SMTP; 3 Apr 1996 22:57:37 UT
Received: by leosec.saic.com (5.x/SMI-SVR4) id AA06966; Wed, 3 Apr 1996 17:57:32 -0500
Date: Wed, 3 Apr 1996 17:57:32 -0500
From: dsulser@leosec.saic.com (David Sulser)
Message-Id: <9604032257.AA06966@leosec.saic.com>
To: Firewalls@GreatCircle.COM
Subject: Re: Redundant Internet Connections & Firewalls
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings,

This thread has hit on a current design issue for me. The information shared so far has been most helpful. I would like to put a firewall slant onto the issue.

It is my understanding that current packet filter and other firewall technologies do not operate effectively at much above T-1 (1.544 Mbps) rates. The implication is that faced with higher network loads, some (or all) firewalls might let unwanted packets through.

My questions are, what are the relative security demerits of connecting 2 T-1's to the segment right outside your firewall? As compared to say, a single T-3 or ATM connection? Has anyone tried to stress test such a setup?
I realize a lot might depend on the hardware (router, host, etc) of the individual firewall. Are any known to be better at filtering higher data rates?

Thanks in advance for your input.

Regards,
David Sulser
dsulser@leosec.saic.com

From firewalls-owner Wed Apr 3 21:17:21 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA25238 for firewalls-outgoing; Wed, 3 Apr 1996 14:46:08 -0800 (PST)
Received: from bastion.sware.com (bastion.sware.com [139.131.15.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA25229 for ; Wed, 3 Apr 1996 14:46:03 -0800 (PST)
Received: from shlep.sware.com (shlep.sware.com [139.131.1.14]) by bastion.sware.com (8.6.12/8.6.5) with SMTP id RAA18138 for ; Wed, 3 Apr 1996 17:43:44 -0501
Received: by shlep.sware.com (5.65/2.0) from localhost id AA16887; Wed, 3 Apr 96 17:42:09 -0500
Message-Id: <9604032242.AA16887@shlep.sware.com>
From: Renee Landers
X-Mailer: SecureMail [2.3.2]
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: Proxying Lotus Notes
To: firewalls@GreatCircle.com
Date: Wed, 03 Apr 96 17:42:09 EST
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello all. Let me know if there's a more appropriate list for this question, or if there's some documentation I need to be looking at.

Has anyone ever tried to proxy Lotus Notes? We're using release 3.2, but might upgrade to 4.0. I looked through all the Notes documentation, and visited their website, and couldn't find any mentions of proxies, so I'm guessing that neither release's client is proxy-aware, but feel free to correct me (I'd love to be wrong).

I've written a generic proxy, that just forwards the data to the intended server, but that doesn't seem to cut it with Notes.

Another idea I had was that it might be possible to use the Notes server as a proxy, since it appears to be possible to direct/control client access to servers this way.
However, I don't have any experience administering Notes, so I'm not sure how difficult this would be to set up, and I am also not aware of its security holes (assuming that there are some).

Thanks
Renee
rlanders@sware.com

From firewalls-owner Wed Apr 3 21:26:21 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA24790 for firewalls-outgoing; Wed, 3 Apr 1996 14:34:32 -0800 (PST)
Received: from corsa.ucr.edu (cs.ucr.edu [138.23.169.133]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA24783 for ; Wed, 3 Apr 1996 14:34:21 -0800 (PST)
Received: (from dberger@localhost) by corsa.ucr.edu (8.7.3/8.7.1) id OAA09829 for Firewalls@greatcircle.com; Wed, 3 Apr 1996 14:32:31 -0800 (PST)
From: Daniel Berger
Message-Id: <199604032232.OAA09829@corsa.ucr.edu>
Subject: Re: Firewalls-Digest V5 #206
To: Firewalls@greatcircle.com
Date: Wed, 3 Apr 1996 14:32:30 -0800 (PST)
In-Reply-To: <199604032011.MAA18379@miles.greatcircle.com> from "firewalls-digest-owner@greatcircle.com" at Apr 3, 96 12:11:14 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> o Enabling its SOCKS support results in it SOCKifying _everything_,
> even access to servers that don't need, or want, SOCKS connections (such as
> internal SMTP and HTTP servers).
> - --
> Steve Engle
> DHT, Inc.
> sengle@hti.net
>

I fought with this one as well -- got no help from Netscape tech support, but there is an answer.

socks respects the rules given in the sock.cnf file located in the windows directory -- the default is to socksify everything, but you can specify hosts (or entire networks) to contact directly. The file format is simple, but I don't have an example with me...

Hope that helps...
...Dan Berger
Department of Computer Science
University of California, Riverside
http://www.simsci.com/~dberger

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQCNAzANOykAAAEEAKhlH2vX4GvmECca8pxfspOsEVsDrnTi+xZ439PevZjjORyT
YphjYMI57ulQ2DsSByscyviIJ1AN4amts1KYWY/YQ6MelfUJJEvJPjW16hP8ZYBU
iq9Om3c+VcufhEH86wDzpzLlhEGAn8N3diWq9HxW4ZdiOSPY1ktaLfsB7XdlAAUR
tDpEYW5pZWwgRi4gQmVyZ2VyIDxkYmVyZ2VyQGNzLnVjci5lZHU+IDxkYmVyZ2Vy
QHNpbXNjaS5jb20+
=sjhY
-----END PGP PUBLIC KEY BLOCK-----

From firewalls-owner Wed Apr 3 21:26:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA27455 for firewalls-outgoing; Wed, 3 Apr 1996 15:32:39 -0800 (PST)
Received: from world.net (sydney2.world.net [198.142.12.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id PAA27448 for ; Wed, 3 Apr 1996 15:32:30 -0800 (PST)
Received: from suburbia.net (suburbia.net [203.4.184.1]) by world.net (8.7.4/8.6.6) with ESMTP id JAA03151 for ; Thu, 4 Apr 1996 09:28:57 +1000 (EST)
Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id JAA12917 for firewalls@greatcircle.com; Thu, 4 Apr 1996 09:29:40 +1000
Date: Thu, 4 Apr 1996 09:29:40 +1000
From: Julian Assange
Message-Id: <199604032329.JAA12917@suburbia.net>
To: firewalls@greatcircle.com
Subject: Reminder. Suburbia BOAF Sat 6 April
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[ASCII-art banner: Suburbia]
-------------------------------------------------------------------------------
Birds of a feather
[ASCII-art banner: Party!]

Saturday April 6, 1996 (easter weekend)
8:30pm till day light
boaf@suburbia.net
Melbourne Australia (http://www.lonelyplanet.com/dest/aust/melb.htm)

This is a reminder.
There are only three days left to RSVP. If you haven't received the address yet, then you are not on the list. There is no door fee (please see the original invite).

Ps. Despite the attention to detail, it will be a very laid back affair. DO NOT wear a tie. At least, not around your neck, or someone might attach it to the rafters. Despite the serious types during the day, we are fully BYO pillow.

---
"I mean, after all; you have to consider we're only made out of dust. That's admittedly not much to go on and we shouldn't forget that. But even considering, I mean it's sort of a bad beginning, we're not doing too bad. So I personally have faith that even in this lousy situation we're faced with we can make it. You get me?" - Leo Bulero/PKD

+---------------------+--------------------+----------------------------------+
|Julian Assange RSO   | PO Box 2031 BARKER | Secret Analytic Guy Union        |
|proff@suburbia.net   | VIC 3122 AUSTRALIA | finger for PGP key hash ID =     |
|proff@gnu.ai.mit.edu | FAX +61-3-98199066 | 0619737CCC143F6DEA73E27378933690 |
+---------------------+--------------------+----------------------------------+

From firewalls-owner Wed Apr 3 21:28:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA02844 for firewalls-outgoing; Wed, 3 Apr 1996 16:51:08 -0800 (PST)
Received: from upsmot03.msn.com (upsmot03.msn.com [204.95.110.85]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id QAA02816 for ; Wed, 3 Apr 1996 16:50:51 -0800 (PST)
Received: from upmajb04.msn.com ([204.95.110.81]) by upsmot03.msn.com (8.6.8.1/Configuration 4) with SMTP id QAA14515; Wed, 3 Apr 1996 16:42:18 -0800
Date: Thu, 4 Apr 96 00:26:15 UT
From: "ADAM LARI"
Message-Id:
To: auampdrv@ibmmail.com
Cc: Firewalls@GreatCircle.COM
Subject: RE: mail addresses
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

HI everyone. We are looking for a firewall but our budget is very limited. Can anyone suggest a solution?
thanks
Adam
amooooo@msn.com

----------
From: firewalls-owner@GreatCircle.COM on behalf of Austin Hastings
Sent: Monday, April 01, 1996 11:43 AM
To: auampdrv@ibmmail.com
Cc: Firewalls@GreatCircle.COM
Subject: Re: mail addresses

From: "George Janczuk"

An area in our organisation is disputing our policy to use user-IDs (eg: unix and other account names) as external internet mailbox addresses on security grounds and are trying to mandate the use of a translation/alias table.

I see several questions that need answering:

1) Surely they know that they cannot mandate that everyone's login-name be changed. So, is the "person's name" -> login mapping trivial? That is, if my name is "Austin Hastings", is it likely that my login will be "austin" or "hastings" or "austinh" or "ahasting" or some such? If so, "hiding" the user logins is pointless.

2) How much connectivity do you allow? Remember the first rule of firewalls: Decide what you want to implement before you start. Do you allow "finger" or "who" access? If so, "hiding" the user logins is pointless.

3) How much *EXTERNAL* account-hacking do you expect? Normally, the target's account name is irrelevant -- hackers are interested in userid 0, not "System Administrator". Is this group genuinely this paranoid about security, or are they protecting the users while letting the root account fall to sendmail? If so, "hiding" the user logins is pointless.

Finally, and not wholly related, how much do you care about these people? If you're the security officer and these complaints are coming from some just-out who happens to be responsible for doing admin on a VAX in some back room, then it's probably a game of "My firewall is more paranoid than your firewall". Step on them.
=Austin From firewalls-owner Wed Apr 3 21:28:59 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA22557 for firewalls-outgoing; Wed, 3 Apr 1996 13:52:38 -0800 (PST) Received: from notes.cti.ca ([165.154.129.68]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA22523 for ; Wed, 3 Apr 1996 13:52:22 -0800 (PST) Received: by notes.cti.ca (IBM OS/2 SENDMAIL VERSION 1.3.2)/1.41) id AA9923; Wed, 03 Apr 96 16:42:28 -0800 Message-Id: <9604040042.AA9923@notes.cti.ca> Received: from CompucentreToronto with "Lotus Notes Mail Gateway for SMTP" id 00785378C5B797D885256301007172B6; Wed, 3 Apr 96 16:42:24 To: firewalls From: Steve Benesko/CTI Date: 3 Apr 96 16:39:22 EDT Subject: Re: Instant Internet Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Hi All, > >Can anyone provide we with information about a product called Instant >Internet. Is it a fully fledged firewall ? > >Any and all information would be appreciated. > Internet Anywhere qualifies as a firewall ONLY by protocol isolation. Which means that it is fine as long as you are not running TCPIP anywhere else on your network. I evaluated this product a couple of months ago, and I wasn't impressed. First off, it can only support a max of 50 users. Second, It is limited to the 16-bit winsock.dll which means mac, OS/2, Unix, and 32-bit windows95 apps are right out! Also, I am not even sure if it supports host filtering or not (I never got that far with the install before I lost my patience with it) >Cape Town City Council >Cape Town >South Africa This poses an interesting problem. You see "Instant internet" is only "Instant" if you happen to subscribe to a ISP that they support (Mostly United States ISP's). Otherwise, you have to wait up to 6 WEEKS (like I did) for a dialer script to connect to your provider. My suggestion is to use Quarterdeck's Iware Connect or Cisco's Internet Junction. 
Iware is an NLM that runs on your NetWare server. Used in conjunction with a proper router/gateway, it works wonders on Novell networks. The Number of users actually supported depends on how many license packs you buy for it. Iware has much better filtering and host screening options. For instance, You can get some kind of package for it that acts as "netwatch" or "CyberSitter" that can filter out unwanted sites via a central database (Very useful for schools) Then again this is ALL relative to what your security needs actually are. You can't just throw a firewall at it and it will magically go away. You need to first evaluate and establish a security policy, then look for a firewall or screening router that fits your requirements (if you indeed require one) In general, Netware IP is pretty secure from the internet so you may not even need a firewall. The only ways I have heard about that Netware IP can be attacked from are so obscure, they are barely a risk. (If somebody can prove otherwise, I would like to talk to you) Neither of these options can be used to screen out attacks to TCPIP, so consider your TCPIP side of things a DMZ and you should be fine on the IPX/SPX side as long as nobody pingfloods you or spoofs your address. 
From firewalls-owner Wed Apr 3 21:42:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA09768 for firewalls-outgoing; Wed, 3 Apr 1996 18:03:55 -0800 (PST)
Received: from silence.sponsor.net (silence.sponsor.net [205.198.250.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA09762 for ; Wed, 3 Apr 1996 18:03:49 -0800 (PST)
Received: (from delph@localhost) by silence.sponsor.net (8.6.12/8.6.9) id UAA27350; Wed, 3 Apr 1996 20:06:52 -0600
Date: Wed, 3 Apr 1996 20:06:51 -0600 (CST)
From: Max Levchin
To: Firewalls@GreatCircle.COM
Subject: Round-Robin DNS
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello everyone. This is my first question on this list so please forgive it being a little bit off-topic.

I need to run round-robin DNS for my web servers. How is it done and what does it entail in terms of security? In light of recent DNS/Java exploit discussions I'd like to know what the security gurus here think of the idea in general, and particularly applied to firewalls, etc.

Thanks a lot, please reply to me or to the list.

-Max
--------------------------------------------------------------------
Max R. Levchin                                SponsorNet New Media, Inc
VP / Engineering         "Building A Better Web Through Advertising!"

From firewalls-owner Wed Apr 3 21:46:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA07593 for firewalls-outgoing; Wed, 3 Apr 1996 17:44:13 -0800 (PST)
Received: from Piano.Opus1.COM (Piano.Opus1.COM [192.245.12.69]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id RAA07557 for ; Wed, 3 Apr 1996 17:43:58 -0800 (PST)
Received: from Opus1.COM by Opus1.COM (PMDF V5.0-5 #9830) id <01I33RJ8ZY7KDQFWKZ@Opus1.COM>; Wed, 03 Apr 1996 18:41:37 -0700 (MST)
Date: Wed, 03 Apr 1996 18:33:09 -0700 (MST)
From: "Joel M Snyder, jet-lagged"
Subject: RE: DNS Spoofing and Java
To: dufresne@winternet.com, firewalls@greatcircle.com
Message-id: <01I345E75M74DQFWKZ@Opus1.COM>
Organization: Opus One - +1 520 324 0494
MIME-version: 1.0
Content-type: TEXT/PLAIN; CHARSET=US-ASCII
Content-transfer-encoding: 7BIT
Fruit-of-the-day: akee
Comments: Telecommunications and Information Technology Services
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> 1) Why not connect back to 172.16.16.16? If this is where the applet
>> came from, then why choose the first in the list? This is where I have
>> problems with Sun's statement. This is not the fault of the security
>> model, but of their code for "changing" the return address!
>
>Actually, isn't this a shortcoming of DNS itself? DNS will return two
>addresses, but use the first in the list...

"DNS" doesn't return addresses to programs; in the typical Unix implementation, resolver code which talks to BIND returns addresses which might have been acquired using DNS protocols (or maybe host tables; this is hidden from the application in the generic Unix resolver routines). In most implementations, the DNS resolver returns a list of records (A records, in this example) and it's up to the application to decide which to use.

99% of programmers are lazy idiots who only use the first address---this is one reason that Netscape itself has no concept of failover if a WWW server happens to be replicated; their programmers don't really understand networking very well.

More generally, the semantics of multiple RR records of a given type (except for MX) are undefined. Newer versions of the BIND software also round robin records, not just for which they are authoritative but also for which they are caching servers. This has the effect that your ordering of RR records in DNS messages may or may not affect the order in which they are presented to the application. Anyone doing DNS management now has to accept that the server ordering is irrelevant; only MX records now have weights attached to them.

>OK, so you're a Ph.D. Just don't touch anything.

Snort.

jms

Joel M Snyder, PhD, 1404 E Lind Rd, Tucson, AZ, 85719
Phone: +1 520 324 0494 (voice) +1 520 324 0495 (FAX)
jms@Opus1.COM   http://www.opus1.com/jms   Opus One

From firewalls-owner Wed Apr 3 22:11:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA07375 for firewalls-outgoing; Wed, 3 Apr 1996 17:41:22 -0800 (PST)
Received: from csc.com (explorer.csc.com [20.1.10.27]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA07324 for ; Wed, 3 Apr 1996 17:41:06 -0800 (PST)
Received: from @explorer.csc.com by csc.com with smtp (Smail3.1.29.1 #1) id m0u4e0p-001AhnC; Wed, 3 Apr 96 20:38 EST
Message-Id:
Date: Wed, 3 Apr 96 20:38 EST
X-Sender: asafier@explorer.csc.com
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: david@wsi.com (David Flinn)
From: Adam Safier
Subject: Re: ? (Network Address Translation) NAT questions
Cc: firewalls@greatcircle.com, david@wsi.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I believe V-One's SmartWall will do what you want. I had it doing 2 & 3 about 8 months ago.

Last I talked to them they were developing a Token Ring interface (#1). SmartWall is TIS's Gauntlet VAR.

http://www.v-one.com
They are located in Rockville, Md. 301-838-8900. TIS is also in Rockville.

Good luck.

At 05:41 PM 4/1/96 -0500, David Flinn wrote:
>Hi,
>
>My customer requires the following for their firewall:
>
>1) two token ring interfaces (yikes !)
>2) map many RFC 1597 internal addresses to one valid external Class C address
>3) map many external Class C addresses to many internal RFC 1597 addresses.
>
>I have found that fulfilling these requirements is non-trivial.
>
>- PIX from cisco fails test 1.
>- Raptor passes test 1 and 2 but fails 3. (probably others as well)
>- Checkpoint passes 2 and 3 but fails 1. (at least on Sparc, unsure about HP)
>
>Does anyone know any other firewall vendors that can do this?
>
>The real problem I see with most application proxy servers is number
>three. Let's say my customer has six internal servers running lotus
>notes. They need their sales people to dial up a PPP session to get
>at these different servers. Most application gateways only allow
>1 valid class c address to be used. So, if I need to get at six
>notes servers, I usually would use six different ip addresses.
>Raptor, et al, would only let me access one server via one port
>number. Checkpoint allows me to map 1597 addresses to true
>addresses bi-directionally, but doesn't run using token ring
>(I don't believe their marketing material). Any clues to this
>Many-to-Many problem?
>
>Thanks for your thoughts,
>
>david
>
>++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>| david flinn                      workgroup solutions          |
>| enterprise technology manager    76 blanchard road            |
>| 617-238-8562                     burlington, ma 01803         |
>| 617-229-9991 (fax)               david@wsi.com                |
>++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
>

Adam Safier
CSC-SED-Infosec
asafier@csc.com
Expressed opinions are my own and might not be shared by my employer or anyone else.
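Following up the DNS/Java thread above (Snyder's point that the resolver hands the application the whole list of A records and the application decides what to do with it, and the quoted complaint about connecting to the first address in the list rather than back to 172.16.16.16), here is an added Python example that is not code from any poster. It contrasts walking the record list with using entry 0 only, and a name-based applet connect-back check with one pinned to the origin address; the zone, www.example.com, bogus.attacker.org, 10.10.10.2 and the try_connect stub are constructed, and the flawed check is my reconstruction of the behaviour the thread quotes, not Sun's code.

```python
# Added example (not from any post in this thread). A resolver returns a
# *list* of A records; what happens next is the application's choice.
# Contrasted below: failover through the list vs. "entry 0 or nothing",
# and an applet connect-back check done by host name (flawed) vs. one
# pinned to the address the applet was actually loaded from.
# Everything here is an in-memory stand-in; nothing touches the network.
from typing import Callable, Dict, List, Optional

# Constructed zone data standing in for what a name server would answer.
# bogus.attacker.org mimics the scenario discussed in the thread: a name under
# the attacker's control whose first A record is a host inside the victim's
# network and whose second is the attacker's own server (the applet's origin).
ZONE: Dict[str, List[str]] = {
    "www.example.com": ["192.0.2.10", "192.0.2.11", "192.0.2.12"],
    "bogus.attacker.org": ["10.10.10.2", "172.16.16.16"],
}


def resolve_all(name: str, zone: Dict[str, List[str]] = ZONE) -> List[str]:
    """Return every A record for name, in server order, the way
    gethostbyname_ex()/getaddrinfo() do, rather than only the first."""
    try:
        return list(zone[name.lower()])
    except KeyError:
        raise LookupError(f"no A records for {name}") from None


def rotate(records: List[str], turn: int) -> List[str]:
    """Round-robin ordering as a rotating server applies it: the same record
    set starts at a different entry on each query, so entry-0 clients spread
    across replicas but nobody can rely on the order."""
    if not records:
        return []
    k = turn % len(records)
    return records[k:] + records[:k]


def connect_with_failover(name: str, try_connect: Callable[[str], bool],
                          zone: Dict[str, List[str]] = ZONE) -> Optional[str]:
    """Walk the whole record list; return the first address that accepts the
    connection, or None only when every replica is down."""
    for addr in resolve_all(name, zone):
        if try_connect(addr):
            return addr
    return None


def first_address_only(name: str, try_connect: Callable[[str], bool],
                       zone: Dict[str, List[str]] = ZONE) -> Optional[str]:
    """The pattern Snyder complains about: entry 0 or nothing."""
    addr = resolve_all(name, zone)[0]
    return addr if try_connect(addr) else None


def applet_target_by_name(target_name: str, origin_name: str,
                          zone: Dict[str, List[str]] = ZONE) -> str:
    """Reconstruction of the flawed check the thread describes: the applet may
    talk to its origin *host name*, and the address used is whatever the
    attacker's name server lists first. With ZONE above that is an internal
    host, not the server the applet came from."""
    if target_name.lower() != origin_name.lower():
        raise PermissionError("applet may only connect back to its origin")
    return resolve_all(target_name, zone)[0]


def applet_target_pinned(target_name: str, origin_addr: str,
                         zone: Dict[str, List[str]] = ZONE) -> str:
    """Pinned check: the only address the applet may reach is the one it was
    downloaded from. Extra A records published by the attacker change
    nothing; a name that does not resolve to the origin address is refused."""
    if origin_addr not in resolve_all(target_name, zone):
        raise PermissionError(
            f"{target_name} does not resolve to origin {origin_addr}")
    return origin_addr


if __name__ == "__main__":
    # Constructed outage: the first replica of www.example.com is down.
    down = {"192.0.2.10"}

    def up(addr: str) -> bool:
        return addr not in down

    print("failover ->", connect_with_failover("www.example.com", up))
    print("entry 0  ->", first_address_only("www.example.com", up))
    print("by name  ->", applet_target_by_name("bogus.attacker.org",
                                               "bogus.attacker.org"))
    print("pinned   ->", applet_target_pinned("bogus.attacker.org",
                                              "172.16.16.16"))
```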
From firewalls-owner Wed Apr 3 22:53:11 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id UAA23125 for firewalls-outgoing; Wed, 3 Apr 1996 20:16:04 -0800 (PST)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id UAA23085 for ; Wed, 3 Apr 1996 20:15:48 -0800 (PST)
Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id WAA02468; Wed, 3 Apr 1996 22:35:03 -0500
From: Adam Shostack
Message-Id: <199604040335.WAA02468@homeport.org>
Subject: Re: Securid BAD Tech Support
To: snd1trz@snd10.med.navy.mil (Todd R. Zimmerman)
Date: Wed, 3 Apr 1996 22:35:02 -0500 (EST)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <2.2.32.19960402201407.0067d7bc@snd10.med.navy.mil> from "Todd R. Zimmerman" at Apr 2, 96 12:14:07 pm
X-Mailer: ELM [version 2.4 PL24 ME8b]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Todd R. Zimmerman wrote:
| Now I'll get off my soapbox and get on with the problem:
|
| When an outside user accesses our net he/she must be authenticated by the
| Firewall. I would like the user to be able to use Securid to be
| authenticated on the firewall. I was told by Securid Sales (now I'm an
| owner) that the client for Securid comes with the TIS Gauntlet Firewall. I
| have no documentation on how to get the two machines to talk to each other.
| Any help please...

Does gauntlet use the authmgr? If so, proto username securid should work.

Adam

--
"It is seldom that liberty of any kind is lost all at once."
                                                        -Hume

From firewalls-owner Wed Apr 3 23:09:16 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id TAA20645 for firewalls-outgoing; Wed, 3 Apr 1996 19:52:38 -0800 (PST)
Received: from lint.cisco.com (lint-ether.cisco.com [198.93.170.22]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA20619 for ; Wed, 3 Apr 1996 19:52:30 -0800 (PST)
Received: from pferguso-pc.cisco.com (c5robo2.cisco.com [171.68.13.130]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id TAA25505; Wed, 3 Apr 1996 19:49:06 -0800
Message-Id: <199604040349.TAA25505@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 03 Apr 1996 22:50:06 -0500
To: "Harald Koch"
From: Paul Ferguson
Subject: Re: Re[2]: About the firewalls using RIP or static routes
Cc: Brian Murrell , armando@sar.net, firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:44 AM 4/2/96 -0500, Harald Koch wrote:
>
>There's a technique that the larger NSPs use, called "dynamic routing with
>static policy". That is, all of your routing exchange sessions are filtered
>with a statically configured list of acceptable announcements; updates for
>those networks are accepted, while others are (silently) ignored. In this
>way, your routers know which networks are available (so that they can drop
>packets if the net is down), but they won't accept bogus routing
>announcements.
>

Not only is this status quo, it is also *highly* encouraged & recommended.

>
>I personally believe strongly in the "defense in depth" methodology. So even
>if all of your internal routers are controlled by you, and have proper
>routing filters in place, you should *still* have separate filters on the
>gateway "firewall" (sic). If nothing else, it protects you against your own
>configuration mistakes.
>

Good advice, and again, highly recommended.

- paul

>--
>C. Harald Koch            | Border Network Technologies Inc.
>chk@border.com            | Senior System Developer
>+1 416 368 7157 (voice)   | 20 Toronto Street, Suite 400, Toronto ON M5C 2B8
> It's not whether you're paranoid. its whether you're paranoid *enough*
>

--
Paul Ferguson                    ||        ||
Consulting Engineering           ||        ||
Reston, Virginia USA            ||||      ||||
tel: +1.703.716.9538        ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com   c i s c o  S y s t e m s

From firewalls-owner Wed Apr 3 23:32:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA12389 for firewalls-outgoing; Wed, 3 Apr 1996 18:30:57 -0800 (PST)
Received: from csc.com (explorer.csc.com [20.1.10.27]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA12378 for ; Wed, 3 Apr 1996 18:30:51 -0800 (PST)
Received: from @explorer.csc.com by csc.com with smtp (Smail3.1.29.1 #1) id m0u4emw-001AmzC; Wed, 3 Apr 96 21:28 EST
Message-Id:
Date: Wed, 3 Apr 96 21:28 EST
X-Sender: asafier@explorer.csc.com
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Rabid Wombat
From: Adam Safier
Subject: Re: AW: Re: Re[2]: Redundant Internet Connec
Cc: Adam Safier , "Augustin, Ulrike, I+K/EuroNet" , Firewalls
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 08:40 PM 3/31/96 -0500, Rabid Wombat wrote:
>Much snipped ....
>
>You should have something
>outside your domain registered, or you'll be very hard to find if
>anything tips over :)

I thought the point was to have dual paths to the same domain name.

>The DNS domain registration costs $100 for two years, last I heard. This
>includes entries for the DNS servers considered authoritative for your
>domain, but not the IP addresses of the systems within the domain - these

I'm an RFC 1597 fan.... only show your firewall and external DNS server address. (I will NOT show you mine if you show me yours :)

>are handled by whatever DNS server is the authoritative (yours and/or
>your ISP's)

How is the authoritative server IP address defined at the Internic? I thought (mistake #1) that it would still use the standard DNS A labels and could therefore have two IP addresses associated with a single name entry. The Internic must have addressed this... they provide a whole bunch of alternate sites in the .cache. What if there were two entries with the same name and different IP addresses in their cache file? Would it still work in a sequential manner? (I don't have access to a UNIX playground this month...;(

>> Question - Why not use a single ISP? i.e. they (MCI, ATT, etc) should have
>> redundant systems and as long as you get separate physical links to
>This still only protects you against local loops being back-hoed, and
> It is very hard to twist the
>actual circuit routes, down to conduit channel and physical address of
>If you really need to keep your 'net access up, get access in two
>different geographic locations, via two different ISPs, and lease your

I still don't understand why not the same ISP with major hubs in different locations, say N.Y.C. and Washington DC? Don't ISPs have distributed computing on their minds? Seems silly to carry traffic across country to just sign on. I would expect a hierarchical user verification setup on a national basis.

>own link between the two sites. Get both ISPs to supply both DNS entries,
>and keep the time-to-live down to five minutes or so, to keep other
>systems from caching the entry for extended periods (this will increase
>DNS requests).

Ouch! Five minute DNS updates could be a killer at a popular web site. And your own leased line is vulnerable to the backhoe/train.

If the local backhoe is a real terror you can hit the microwave, radio modem, and infrared products. The local phone co. will be happy to tell you the address of your POP. Put the other end at a different POP. No real cheap way to do it but "local bypass" used to be a hot phrase. If the volume/speed requirement is low then VSAT might also be something to consider though you may need to find a company willing to let you share their earth hub to make things more affordable.

Jason Ambrose had a good idea to use BGP4 - if your router and local links support it.

Adam Safier
CSC-SED-Infosec
asafier@csc.com
Expressed opinions are my own and might not be shared by my employer or anyone else.

From firewalls-owner Wed Apr 3 23:58:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id XAA15155 for firewalls-outgoing; Wed, 3 Apr 1996 23:14:30 -0800 (PST)
Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA15140 for ; Wed, 3 Apr 1996 23:14:23 -0800 (PST)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id XAA14462; Wed, 3 Apr 1996 23:22:58 -0800
Date: Thu, 4 Apr 1996 00:10:21 -0800 (PST)
From: Michael Dillon
To: Firewalls@GreatCircle.COM
cc: auampdrv@ibmmail.com
Subject: Re: more on mail addresses
In-Reply-To: <199604030203.SAA07814@miles.greatcircle.com>
Message-ID:
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 2 Apr 1996, George Janczuk JZKGEQ - AMPLN1 wrote:

> Now, a few respondents have mentioned aesthetics and ease-of-use as
> reasons for using schemes such as
> firstname_lastname@organisation.com.country. There are arguments for and
> against this sort of scheme (see the "Why are you so hostile to using full
> names for e-mail addresses?" section in the Sendmail FAQ for a counter
> argument) - however, I am more interested in the security aspects
> involved, as this is the point being debated.
Your CEO is named Peter Smith
Peter_Smith@organization.com

You hire Pete Smith to work on graphics for the widget brochures.

Your VP finance sends email regarding the layoff of 500 employees with a breakdown by department and the names of several managers to be axed along with the managers' current salaries. He addresses it to Pete_Smith@organization.com

Ooops! UNO-what hits the fan after Pete posts this on a public company-wide discussion group...

> security argument as some door knocking information becomes available.

Run an SMTP proxy like smapd to prevent door-knocking.

> Lastly, the non-obvious mail-box ID seems to (albeit, once again by
> obscurity) make it somewhat harder to be the target for mail-bombs or
> abusive mail when only the name of the intended recipient is known (eg:
> dissatisfied customers trying to contact the MD directly,

Bingo! Guess what Bill Gates' email address is? Hint, it's not billg@microsoft.com, in fact it is not even known by most MS employees. This was done precisely because he became the target of crank email.

Michael Dillon                                   Voice: +1-604-546-8022
Memra Software Inc.                              Fax: +1-604-546-3049
http://www.memra.com                             E-mail: michael@memra.com

From firewalls-owner Thu Apr 4 00:11:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA29145 for firewalls-outgoing; Wed, 3 Apr 1996 21:05:44 -0800 (PST)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA29125 for ; Wed, 3 Apr 1996 21:05:38 -0800 (PST)
Received: from pm1-23.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA07209; Thu, 4 Apr 96 00:02:16 -0500
Date: Thu, 4 Apr 96 00:02:16 -0500
Message-Id: <9604040502.AA07209@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.com
From: Frank Willoughby
Subject: Re: Securid BAD Tech Support
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 12:14 PM 4/2/96 -0800, Todd R. Zimmerman allegedly wrote:
>Does anybody use Securid in conjunction with a TIS Gauntlet Firewall???
>
>I have been trying desperately to speak with technical support personnel at
>Security Dynamics in Cambridge, MA. Over the last week I have spent a total
>of 165 minutes on hold waiting to speak with the help desk. Leaving
>messages does not work because I must sit at my desk until they call back.
>If I leave for some reason and miss the return call I then must call
>Security Dynamics and start the process all over again. It really pisses me
>off...This is totally unsatisfactory tech support.
>

Sorry to hear about your problem. If it is any consolation, using SecurID (or any other authentication-only-based solution) is *NOT* adequate to protect your company from the risks of connecting your company to the Internet.

>Now I'll get off my soapbox and get on with the problem:
>
>When an outside user accesses our net he/she must be authenticated by the
>Firewall. I would like the user to be able to use Securid to be
>authenticated on the firewall. I was told by Securid Sales (now I'm an
>owner) that the client for Securid comes with the TIS Gauntlet Firewall. I
>have no documentation on how to get the two machines to talk to each other.
>Any help please...
>

The only thing that authentication-only solutions buy you is that you have (more or less) authenticated the user on the Internet for the brief instants when the connection is being set up. Any decent hacker will monitor the traffic going to the firewall, watch the user authenticate himself to the firewall and then log onto their system. After the user has logged in and is happily typing away, the hacker will hijack the user's session - leaving the hacker logged in to the system, uploading system cracking software, trojan horses, worms, etc. - while the bewildered (and soon-to-be irate) user is trying to figure out why the network connection just went down.

From a security standpoint, I'd recommend dumping any authentication-only solution (regardless of vendor) as it is simply not up to the challenges posed by connecting to the Internet.

Other nits include:

o worrying about keeping the authentication server in sync with the cards
o the annoyance of entering multiple numbers into the card in time
o the cost of the cards
  - perpetual cost (use & throw-away).
  - also not as cost-effective as other means
o disposing of the cards (many batteries aren't environmentally safe and may require special handling when being discarded)

It isn't necessary to put up with the above headaches when many crypto solutions are simply point & click. (Many of these are also much more cost-effective than the Securid cards are).

FWIW, since you are in the Navy, you might want to check with your Security Officer about using Fortezza cards.

Last, but not least, I wasn't trying to put you down or anything, however, I do share your enthusiasm for SecurID. (FWIW, I'm not wild about their competitors who supply authentication-only solutions either).

The above are my opinions as an information security consultant who does *not* sell any crypto or authentication devices, software programs, or hardware, etc, etc.).

> _/_/_/_/ _/_/_/_/ _/_/_/_/     Todd R. Zimmerman
>    _/    _/    _/       _/     Network Manager / Computer Specialist
>    _/    _/_/_/_/    _/        Naval Medical Center, San Diego
>    _/    _/    _/  _/          (619)532-9314 Pager 979-2195
>    _/    _/    _/ _/_/_/_/     snd1trz@snd10.med.navy.mil
>
>** Disclaimer: The views expressed here do not reflect the official policy **
>** or position of the Department of Defense or the U.S. Government.        **
>

Best Regards,

Frank

Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec

The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.

Fortified Networks Inc. - Information Security Consulting
Phone: (317) 573-0800
http://www.fortified.com - Home of the Free Internet Firewall Evaluation Checklist

From firewalls-owner Thu Apr 4 00:27:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id UAA27863 for firewalls-outgoing; Wed, 3 Apr 1996 20:57:13 -0800 (PST)
Received: from WYVERN.AZTECH.NET (AZTech.Net [198.182.221.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id UAA27781 for ; Wed, 3 Apr 1996 20:56:37 -0800 (PST)
Received: by aztech.net (MX V4.0-1 VAX) id 1; Wed, 03 Apr 1996 21:47:47 -700
Date: Wed, 03 Apr 1996 21:47:44 -700
From: Steve Gibbons
To: scott@di2.disclosure.com
CC: firewalls@greatcircle.com, best-of-security@suburbia.net, _steve@aztech.net
Message-ID: <009A052F.A7CD6A60.1@aztech.net>
Subject: RE: DNS Spoofing and Java
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In Article: , Scott Barman wrote:

# I was looking at Sun's statement regarding the bug they fixed and my
# copy of the JDK (I still only have 1.0) and started thinking (I
# know... that can be dangerous :-) about the attack using bogus DNS
# entries.
Sun states: # The problem is with a bug in the implementation of the # security model, not with the model itself. # (http://java.sun.com/sfaq/960327.html) # Besides sounding like Micro$haft and their response to Samba (it's the # client's fault, not ours) I was wondering, could this problem be # avoided if, to verify the address, the Verifier check and enforce # reverse name mappings?? In some cases maybe. Practically, I don't think so. # [NOTE: The following is a review for those who haven't been following. # This is a very terse description. If you want more information # see the URL I give below.] # If we take the example of the folks at Princeton who discovered the # problem (http://www.cs.princeton.edu/~ddean/java/dns-scenario.html): [ deletia - Attack scenario ] # This brings up two questions (which I hope Sun already addressed): # 1) Why not connect back to 172.16.16.16? If this is where the applet # came from, then why choose the first in the list? This is where I have # problems with Sun's statement. This is not the fault of the security # model, but of their code for "changing" the return address! If I understand your point, you want to allow the server to be able to redirect subsequent connections to machines/interfaces other than the one that was originally connected to when downloading the applet. If this is the case, I agree, this is probably a desirable goal. # 2) Why not do a reverse name lookup to verify this address? The way I # have internal DNS's setup, if you lookup 2.10.10.10.in-addr.arpa, the # internal DNS will return an internal name. That internal name will not # be the same as the attacker's name (see above), so the connection should # be rejected. The problem is that there are several different "standard" ways of handling in-addr.arpa PTR RRs. 
For example: 1) [ you are presuming that ] "www.foo.com" might map to three addresses, (say) and that each of these would map back to "www.foo.com" 2) "www.foo.com" might map to three addresses, each of these might map back to "www[123].foo.com" or "gateway.foo.com", or something entireley different. 3) The forward mapping might be using CNAME or A RRs. 4) most addresses in my class C map to "aztech.net" 5) There may be (will be) others that I haven't thought of. My basic point is that the only consistent thing is inconsistency. # In fact, what would happen if you looked up 16.16.16.172.in-addr.arpa? # Would you get www.attacker.org or bogus.attacker.org? My guess would be # you would probably get www.attacker.org and no CNAME for # bogus.attacker.org, at which time all sorts of red flags, bell and # whistles should go off alerting the world to this problem, no? The algorithm for bell-ringing isn't a simple thing. eg. Should the browser ring a bell if I download an applet from www.FOO.net, that subsequently attempts to connect to an address whos PTR RR says that it's www.FOO.com? # Then the question becomes: How many people set up their internal DNS # with reverse name mapping?? Probably, the majority do, especially for their externally reachable systems. # Yes, I know this is a little bit outside of firewalls, but has to do # with setting up and securing systems inside of those firewalls. I agree, although some of my first posts on the subject were to the firewalls list as well, some time before the Princeton group actually came up with an exploit (See http://www.aztech.net/~steve/java/ for a timeline/details.) I have asked one of the current writers that's working on PKC signed DNS RRs to include a section on the "implimentation details" of verifying forward and reverse DNS lookups. It's my suggestion that an application (eg. 
an applet) that wants to verify that the address that it's connecting to is valid, only has to check that the "owning" signer of the A RR and the PTR RR are the same entity. This greatly simplifies the algorithm for "what matches, and/or is allowable?" Comments? -- Steve@AZTech.Net From firewalls-owner Thu Apr 4 01:00:25 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id XAA15688 for firewalls-outgoing; Wed, 3 Apr 1996 23:18:23 -0800 (PST) Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA15672 for ; Wed, 3 Apr 1996 23:18:14 -0800 (PST) Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id XAA14548 for ; Wed, 3 Apr 1996 23:27:10 -0800 Date: Thu, 4 Apr 1996 00:14:34 -0800 (PST) From: Michael Dillon To: firewalls@GreatCircle.COM Subject: Re: Netscape Navigator and Firewalls In-Reply-To: Message-ID: Organization: Memra Software Inc. - Internet consulting MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 1 Apr 1996, Steven W. Engle wrote: > I can only assume this is intentional behavior in order to get people to > buy Netscape's "proxy server". Has anyone ever configured and/or used one > in conjunction with a firewall? Does it really work? Works with the CERN httpd proxy server http://www.w3.org Michael Dillon Voice: +1-604-546-8022 Memra Software Inc. 
Fax: +1-604-546-3049 http://www.memra.com E-mail: michael@memra.com From firewalls-owner Thu Apr 4 01:13:46 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id WAA08214 for firewalls-outgoing; Wed, 3 Apr 1996 22:20:56 -0800 (PST) Received: from artemis.rus.uni-stuttgart.de (artemis.rus.uni-stuttgart.de [129.69.18.28]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id WAA08195 for ; Wed, 3 Apr 1996 22:20:46 -0800 (PST) Received: from visbl.rus.uni-stuttgart.de (visbl.rus.uni-stuttgart.de [129.69.50.72]) by artemis.rus.uni-stuttgart.de with ESMTP id IAA04249 (8.6.12/IDA-1.6); Thu, 4 Apr 1996 08:18:43 +0200 Received: by visbl.rus.uni-stuttgart.de (950511.SGI.8.6.12.PATCH526/930416.SGI/BelWue-1.1) id IAA08668; Thu, 4 Apr 1996 08:19:42 +0200 From: Bernd.Lehle@RUS.Uni-Stuttgart.DE (Bernd Lehle) Message-Id: <199604040619.IAA08668@visbl.rus.uni-stuttgart.de> Subject: Re: Bad Line in Sendmail? To: sansom@connectix.com (Rob Sansom) Date: Thu, 4 Apr 1996 08:19:42 +0100 (DST) Cc: firewalls@GreatCircle.COM In-Reply-To: <9604031727.AA05747@apu.connectix.com> from "Rob Sansom" at Apr 3, 96 09:27:20 am MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > Anyone out there know what the 'bad line' error message is?? Is this an > attack, or just Sendmail choking on a bad queue file? > > > Dec 11 08:47:08 apu sendmail[12226]: AA12222: SYSERR: xfAA12222: line 21: > readqf > (AA12222:21): bad line "^B)" > Mar 26 16:57:09 apu sendmail[80]: QAA00165: SYSERR: xfQAA00165: line 5: > readqf(Q > AA00165:5): bad line "$rSMTP": No such file or directory > Mar 26 16:57:09 apu sendmail[80]: QAA00165: SYSERR: xfQAA00165: line 6: > readqf(Q I have seen this before, when somebody tried to mail a binary file with some weird non-UNIX mailer. It frequently crashed a DEC Ultrix box. 
We could track the sender because he was also listed in the logs and told him to keep to the standards. Take a look at the logs right before the "bad line" messages.

> 0506:6): bad line "$_root@localhost"
> Mar 26 17:03:20 apu sendmail[79]: AA01513: SYSERR: xfAA01513: line 5:
> readqf(AA0
> 1513:5): bad line "Fw"
> Mar 26 17:03:20 apu sendmail[79]: AA01513: SYSERR: xfAA01513: line 6:
> readqf(AA0
> 1513:6): bad line "$_root@localhost"
> Mar 26 17:03:26 apu sendmail[79]: PAA00157: SYSERR: xfPAA00157: line 5:
> readqf(P

That sounds weird, though ...

> Mar 27 19:10:54 apu sendmail[4993]: AA04835: SYSERR: xfAA04835: line 15:
> readqf(
> AA04835:15): bad line "\POS^I,$ZNET by suntan.tandem.com
> (8.6.12/suntan5.960119
                      ^
> ) for
                      |
                      |
Well, this might be the one causing the trouble ---|

--
> Bernd Lehle - Stuttgart University Computer Center   * A supercomputer <
> Visualization / SFB 382 / Astrophysics               * is a machine    <
> lehle@rus.uni-stuttgart.de  Tel:+49-711-685-5531     * that runs an    <
> http://www.tat.physik.uni-tuebingen.de/~lehle        * endless loop    <
> pgp? -> finger bernd@visbl.rus.uni-stuttgart.de      * in 2 seconds    <

From firewalls-owner Thu Apr 4 01:29:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id XAA16854 for firewalls-outgoing; Wed, 3 Apr 1996 23:25:27 -0800 (PST)
Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA16774 for ; Wed, 3 Apr 1996 23:25:07 -0800 (PST)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id XAA14631 for ; Wed, 3 Apr 1996 23:33:44 -0800
Date: Thu, 4 Apr 1996 00:21:06 -0800 (PST)
From: Michael Dillon
To: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V5 #196 -Reply
In-Reply-To:
Message-ID:
Organization: Memra Software Inc.
 - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 1 Apr 1996, DARRYL PANG wrote:
> FYI. Suggestions for users that always forget their
> passwords. This is an unauthorized excerpt from one of the
> digests I receive. Here's the reply I sent to that list...

> If you can't think
> of a sentence on your own, use a song: "Just sit right back
> and you'll hear a tale, a tale of a fateful trip. That started
> from this tropic port, aboard this tiny ship." ("Gilligan's Isle"
> theme song for the culturally depraved.) "Jsrbayhat,"
> "atoaft," "Tsfttp," "atts." Works for me.

Now that this idea has become public it is no longer secure. There are archives of song lyrics available on the Internet and it is child's play to process them into a list of words to feed into crack.

Michael Dillon                                    Voice: +1-604-546-8022
Memra Software Inc.                                 Fax: +1-604-546-3049
http://www.memra.com                             E-mail: michael@memra.com

From firewalls-owner Thu Apr 4 02:29:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id CAA07766 for firewalls-outgoing; Thu, 4 Apr 1996 02:13:11 -0800 (PST)
Received: from alcatel.fr (ns.alcatel.fr [193.104.30.131]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id CAA07735 for ; Thu, 4 Apr 1996 02:12:40 -0800 (PST)
Received: from alcatel.fr (gatekeeper-ssn.alcatel.fr [155.132.180.241]) by mailgate.alcatel.fr (8.7.3/8.7.3) with ESMTP id MAA00821 for ; Thu, 4 Apr 1996 12:10:48 +0200
Received: from nsfws7 (nsfws7.ansf.alcatel.fr [159.217.81.12]) by nsfhh5.alcatel.fr (8.7.3/8.7.3) with SMTP id MAA11305 for ; Thu, 4 Apr 1996 12:10:23 +0200 (METDST)
Message-ID: <3163A008.3AC3@ansf.alcatel.fr>
Date: Thu, 04 Apr 1996 12:10:16 +0200
From: Bertrand Leconte
Organization: Alcanet International France
X-Mailer: Mozilla 2.0 (X11; I; SunOS 5.5 sun4u)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: Re: Netscape Navigator and Firewalls
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Peter da Silva wrote:
>
> Good god, I'm defending Netscape.
>
> > After spending a week battling with Netscape Navigator 2.01 to get it to
> > function half-way decently with an Internet firewall, I've come to the
> > conclusion that Navigator is overtly firewall hostile / brain-damaged.
>
> No more than any other WWW client.
>
> > o It's built in support for ftp, wais, HTTP, etc., proxies is
> > brain-damaged
>
> It conforms to the usual HTTP proxy mechanism. I don't know any browser that
> does anything different. In fact you usually provide a *URL* for the proxy
> that simply gets prepended to all requests.
>
> > I can only assume this is intentional behavior in order to get people to
> > buy Netscape's "proxy server".
>
> No, it's Netscape following standards for once. There are a plethora of HTTP
> proxies available.

We found that Netscape SOCKS support was broken: you take a Netscape (all versions, all platforms) and enable the SOCKS server. If you want to make an FTP connection to a server which REFUSES the PASV mode, you will have a lot of problems: this doesn't work at all. The Netscape Proxy server with SOCKS enabled has the same problem.
If you want to tell Netscape that it has to make a direct connection to a local host, you can try to put a "direct" line in /etc/socks.conf:

	direct local.class.C.network 255.255.255.0

--
Bertrand Leconte
Alcanet International France
Bertrand.Leconte@netfr.alcatel.fr

From firewalls-owner Thu Apr 4 05:06:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA16095 for firewalls-outgoing; Thu, 4 Apr 1996 04:43:35 -0800 (PST)
Received: from citel (citel.upc.es [147.83.36.47]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA16085 for ; Thu, 4 Apr 1996 04:43:29 -0800 (PST)
Received: from jolibus (frankie@jolibus.upc.es [147.83.36.68]) by citel (8.7.3/8.6.11) with SMTP id OAA16472 for ; Thu, 4 Apr 1996 14:38:51 +0100 (WET DST)
Message-ID: <3163D23A.25E454D6@citel.upc.es>
Date: Thu, 04 Apr 1996 14:44:26 +0100
From: Francesc Guasch
Organization: UPC
X-Mailer: Mozilla 2.0 (X11; I; Linux 1.3.81 i586)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: virtual interface
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I have a Sun on which I'm going to install a virtual interface, that is, the same ethernet address with two different IP addresses. If anyone has tried this before and has CISCO routers ... Will the CISCO's tables get into a mess? And the proxy ARPs?

Thanks in advance.
--
 ^-^_-----\         mailto:frankie@citel.upc.es
 o o     )          http://citel.upc.es/~frankie
   Y    (_          phone: (343) 401 6809
  (___(ssss

From firewalls-owner Thu Apr 4 05:13:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA17498 for firewalls-outgoing; Thu, 4 Apr 1996 05:07:08 -0800 (PST)
Received: from pinelands.oldmutual.com (pinelands.oldmutual.co.za [196.22.118.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA17221 for ; Thu, 4 Apr 1996 05:02:46 -0800 (PST)
Received: by pinelands.oldmutual.com; id NAA21984; Thu, 4 Apr 1996 13:56:35 +0100
Received: from unknown(160.123.45.3) by pinelands.oldmutual.com via smap (g3.0.3) id xma021978; Thu, 4 Apr 96 13:56:19 +0100
Received: from inv735524 ([160.123.1.81]) by internet_mail.oldmutual.com (post.office MTA v1.9.1 **** trial license expired ****) with SMTP id AAA34 for ; Thu, 4 Apr 1996 14:57:06 +0000
X-Sender: jbarnes@internet_mail.oldmutual.com
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: jbarnes@oldmutual.com (Jay Barnes)
Subject: PC Anywhere & Co-session
Date: Thu, 4 Apr 1996 14:57:06 +0000
Message-ID: <19960404145705594.AAA34@inv735524>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone know of any reported security holes concerning these products? They're being used in the normal situation, i.e. dial-in modem, LAN connected to the rest of our network.
TIA
Jay

From firewalls-owner Thu Apr 4 05:27:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA17371 for firewalls-outgoing; Thu, 4 Apr 1996 05:05:30 -0800 (PST)
Received: from anchorsteam (anchorsteam.unifiedtech.com [38.251.136.100]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA17356 for ; Thu, 4 Apr 1996 05:05:23 -0800 (PST)
Received: from samadams.unifiedtech.com by anchorsteam (5.x/SMI-SVR4) id AA07833; Thu, 4 Apr 1996 07:59:31 -0500
Received: by samadams.unifiedtech.com (SMI-8.6/SMI-SVR4) id IAA14946; Thu, 4 Apr 1996 08:04:12 -0500
Date: Thu, 4 Apr 1996 08:04:12 -0500
From: Mike.Jones@unifiedtech.com (Mike Jones)
Message-Id: <199604041304.IAA14946@samadams.unifiedtech.com>
To: Firewalls@GreatCircle.COM, michael@memra.com
Subject: Re: more on mail addresses
Cc: auampdrv@ibmmail.com
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Michael Dillon writes...
> On Tue, 2 Apr 1996, George Janczuk JZKGEQ - AMPLN1 wrote:
> > Now, a few respondents have mentioned aesthetics and ease-of-use as
> > reasons for using schemes such as
> > firstname_lastname@organisation.com.country. There are arguments for and
> > against this sort of scheme (see the "Why are you so hostile to using full
> > names for e-mail addresses?" section in the Sendmail FAQ for a counter
> > argument) - however, I am more interested in the security aspects
> > involved, as this is the point being debated.

> Your CEO is named Peter Smith Peter_Smith@organization.com
> You hire Pete Smith to work on graphics for the widget brochures.
> Your VP finance sends email regarding the layoff of 500 employees with a
> breakdown by department and the names of several managers to be axed
> along with the managers current salaries. He addresses it to
> Pete_Smith@organization.com

> Ooops! UNO-what hits the fan after Pete posts this on a public company-wide
> discussion group...
Probably the same thing that hits the fan after he sends it to psmith@organization.com when the CEO's ID is smithp, or after he puts the wrong address (whatever name) on it in internal mail. The point here is that a message of that level of business importance should probably be hand delivered, not sent by any medium where there's a noticeable possibility of misdelivery. This isn't a problem *caused*, or even *exacerbated*, by the mail naming scheme.

And, of course, it wouldn't be a problem at all if the VP finance encrypted the email with the CEO's public key before sending it; not doing that is pretty much the equivalent of sending a paper memo through the internal mail without sealing the envelope.

In fact, from a human factors point of view, it seems likely that "non-obvious" (a better term might be "user hostile") mail names are *more* likely to cause misdelivery of mail, because it is less obvious if one has mistyped an address. They may also contribute to a false sense of security; if one believes that anyone who has one's *real* mail name is "OK", then it becomes that much easier to fool the recipient.

Mike Jones
Unified Technologies, Inc.
yes, mike.jones@unifiedtech.com

From firewalls-owner Thu Apr 4 06:58:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA21204 for firewalls-outgoing; Thu, 4 Apr 1996 06:34:53 -0800 (PST)
Received: from gw3.att.com (gw4.att.com [204.179.186.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA21198 for ; Thu, 4 Apr 1996 06:34:50 -0800 (PST)
Received: from fuwutai.UUCP by ig4.att.att.com id AA14129; Thu, 4 Apr 96 09:24:58 EST
Message-Id: <9604041424.AA14129@ig4.att.att.com>
Date: 4 Apr 96 09:25:00 -0500
From: shriram@fuwutai.att.com (Shriram K Easwaran +1 )
To: firewalls@GreatCircle.COM
Subject: signoff firewalls shriram@fuwutai.att.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

signoff firewalls shriram@fuwutai.att.com

From firewalls-owner Thu Apr 4 07:22:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA23013 for firewalls-outgoing; Thu, 4 Apr 1996 07:07:31 -0800 (PST)
Received: from gatekeeper.strydr.com (gatekeeper.strydr.com [199.217.201.253]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA23005 for ; Thu, 4 Apr 1996 07:07:19 -0800 (PST)
Received: (from Unknown UID 6@localhost) by gatekeeper.strydr.com (8.6.9/8.6.9) id JAA05779 for ; Thu, 4 Apr 1996 09:05:14 -0600
Received: from strydr.strydr.com(198.134.134.1) by gatekeeper.strydr.com via smap (V1.3) id sma005771; Thu Apr 4 09:04:55 1996
Received: (from ds3721@localhost) by strydr.strydr.com (8.6.12/8.6.11) id JAA25950 for firewalls@greatcircle.com; Thu, 4 Apr 1996 09:05:45 -0600
From: David Schnardthorst
Message-Id: <199604041505.JAA25950@strydr.strydr.com>
Subject: New Newsgroups
To: firewalls@greatcircle.com
Date: Thu, 4 Apr 1996 09:05:44 -0600 (CST)
Organization: Stryder Communications, Inc.
Address: 869 St. Francois, Florissant, Mo.
 63031
Telephone: (314)838-6839
Fax: (314)838-8527
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This may not be firewall related; however, I am hoping somebody can tell me if they are having a similar experience. I have a firewall running FWTK, with NNTP plugged to an inside news server. This morning I logged in, and I have over 200 new newsgroups, and they are still being created. They appear to have been initiated by tale@uunet.uu.net. Has anybody heard of a massive update, or should I be suspicious?

Any help is greatly appreciated.

============================================================================
David Schnardthorst, Systems/Network Eng.    * Phone: (314)838-6839
Stryder Communications, Inc.                 * Fax: (314)838-8527
869 St. Francois                             * E-Mail: ds3721@strydr.com
Florissant, MO 63031                         * URL: http://www.strydr.com
============================================================================

From firewalls-owner Thu Apr 4 07:24:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA23180 for firewalls-outgoing; Thu, 4 Apr 1996 07:10:00 -0800 (PST)
Received: from gatekeeper.origin-at.co.uk (gatekeeper.origin-at.co.uk [194.130.16.17]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA23174 for ; Thu, 4 Apr 1996 07:09:54 -0800 (PST)
Received: from mailhost (pc158.origin-at.co.uk [194.130.16.158]) by gatekeeper.origin-at.co.uk (V8) with SMTP id OAA20000; Thu, 4 Apr 1996 14:57:56 GMT
Message-Id: <1.5.4.16.19960404160026.221f8e12@gatekeeper>
X-Sender: jlarmour@gatekeeper
X-Mailer: Windows Eudora Light Version 1.5.4 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 04 Apr 1996 16:00:26 +0000
To: Scott Barman , firewalls@GreatCircle.COM
From: Jonathan Larmour
Subject: Re: DNS Spoofing and Java
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At
13:56 02/04/96 -0500, Scott Barman wrote:
[snip 8< ]
>Besides sounding like Micro$haft and their response to Samba (it's the
>client's fault, not ours) I was wondering, could this problem be
>avoided if, to verify the address, the Verifier check and enforce
>reverse name mappings??
[chomp]

Certainly in BIND 4.9.3 REL, I can define -DSUNSECURITY, which adds extra code to the resolver lib to do the reverse mapping too, and logs failure if they aren't the same. So, for applications that use this resolver, they have the check done for them. What's more, if you have shared libs, one change will update all your applications. However, note that it is the resolver that does this, not BIND itself.

This of course assumes you are running on UNIX. Unfortunately this won't help PCs with their own proprietary resolvers that inevitably came with one of the many TCP/IP stacks, and which therefore cannot be updated. However, with a bastion host firewall, all the real outside connection work is done by proxies using the bastion's local resolver. So provided you have a bastion host, you can do these checks.

Jonathan L.
323 Cambridge Science Park, Origin UK, Cambridge, England. CB4 4WG.
Tel: +44 (1223)-423355   Fax: +44 (1223)-420724   E-mail: guess...
Disclaimer: This is not a disclaimer

From firewalls-owner Thu Apr 4 07:42:04 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA23311 for firewalls-outgoing; Thu, 4 Apr 1996 07:13:44 -0800 (PST)
Received: from scruz.net (nic.scruz.net [165.227.1.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA23304 for ; Thu, 4 Apr 1996 07:13:39 -0800 (PST)
From: raf@ezunx.com
Received: from x.ezunx.com by scruz.net (8.7.3/1.34) id HAA19746; Thu, 4 Apr 1996 07:11:37 -0800 (PST)
Date: Thu, 4 Apr 96 07:16:29 PST
Subject: cisco logging for firewalls
To: firewalls@greatcircle.com
X-PRIORITY: 3 (Normal)
X-Mailer: Chameleon 4.6, TCP/IP for Windows, NetManage Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I know ciscos do logging of most packet info, but do they support syslogd so logs can be sent to another machine?

thanks

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
** Remember -- Life is NOT a dress rehearsal!
(nor is it a small furry animal with funny feet and floppy ears...)

From firewalls-owner Thu Apr 4 07:43:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA23419 for firewalls-outgoing; Thu, 4 Apr 1996 07:17:16 -0800 (PST)
Received: from wet.blanket.com ([206.28.190.151]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA23411 for ; Thu, 4 Apr 1996 07:17:11 -0800 (PST)
Received: from thermal.blanket.com by wet.blanket.com (NX5.67c/NX3.0M) id AA01620; Thu, 4 Apr 96 09:14:36 -0600
Message-Id: <3163E805.2483@blanket.com>
Date: Thu, 04 Apr 1996 09:17:25 -0600
From: John Fulmer
Organization: Secure Network Systems
X-Mailer: Mozilla 2.01 (X11; I; SunOS 5.4 sun4m)
Mime-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V5 #208
References: <199604040900.BAA00258@miles.greatcircle.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> The only thing that authentication-only solutions buy you is that you
> have (more or less) authenticated the user on the Internet for the brief
> instants when the connection is being set up. Any decent hacker will
> let monitor the traffic going to the firewall, watch the user authenticate
> himself to the firewall and then log onto their system. After the user
> has logged in and is happily typing away, the hacker will hijack the user's
> session - leaving the hacker logged in to the system, uploading system
> cracking software, trojan horses, worms, etc.
> - while the bewildered
> (and soon-to-be irate user is trying to figure out why the network
> connection just went down.

However this is assuming that the `hacker` is sitting somewhere on the path of data flow, with a system with a hacked IP stack to allow hijacking. In practice the chances of this are actually fairly small. A simple data encryption scheme would make it almost nil.

A combination of session encryption (expensive, from a CPU standpoint) and one-time password would be an ideal, strong access system; but until some encryption standards come about and are in general use, the one-time password is about as good as you can reasonably do for now.

From firewalls-owner Thu Apr 4 09:55:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA25348 for firewalls-outgoing; Thu, 4 Apr 1996 08:01:55 -0800 (PST)
Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA25340 for ; Thu, 4 Apr 1996 08:01:50 -0800 (PST)
Received: from nmti.com (ficc@localhost) by uuneo.neosoft.com (8.7.5/8.7.4) with UUCP id JAA15090; Thu, 4 Apr 1996 09:49:39 -0600 (CST)
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id JAA03897; Thu, 4 Apr 1996 09:39:57 -0600
Received: by sonic.nmti.com; id AA23229; Thu, 4 Apr 1996 09:39:56 -0600
From: peter@nmti.com (Peter da Silva)
Message-Id: <9604041539.AA23229@sonic.nmti.com.nmti.com>
Subject: Re: Netscape Navigator and Firewalls
To: Bertrand.Leconte@ansf.alcatel.fr (Bertrand Leconte)
Date: Thu, 4 Apr 1996 09:39:56 -0600 (CST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <3163A008.3AC3@ansf.alcatel.fr> from "Bertrand Leconte" at Apr 4, 96 12:10:16 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> We found that Netscape SOCKS support was broken

It could well be. I don't run SOCKS...
everything I want to do with Netscape I can do without it, and I can control it better as well.

From firewalls-owner Thu Apr 4 09:57:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA26091 for firewalls-outgoing; Thu, 4 Apr 1996 08:25:30 -0800 (PST)
Received: from hp01.vak12ed.edu (hp01.vak12ed.edu [141.104.150.251]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA26083 for ; Thu, 4 Apr 1996 08:25:21 -0800 (PST)
Message-Id: <199604041625.IAA26083@miles.greatcircle.com>
Received: by hp01.vak12ed.edu (1.38.193.5/16.2) id AA24810; Thu, 4 Apr 1996 10:23:21 -0500
From: "W.C. Epperson"
Subject: Re: more on mail addresses
To: firewalls@greatcircle.com
Date: Thu, 04 Apr 1996 10:23:21 EST
In-Reply-To: ; from "Michael Dillon" at Apr 4, 96 12:10 (midnight)
X-Mailer: Elm [revision: 109.16]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Michael said:
>
> Your CEO is named Peter Smith Peter_Smith@organization.com
> You hire Pete Smith to work on graphics for the widget brochures.
> Your VP finance sends email regarding the layoff of 500 employees with a
> breakdown by department and the names of several managers to be axed
> along with the managers current salaries. He addresses it to
> Pete_Smith@organization.com
>
> Ooops! UNO-what hits the fan after Pete posts this on a public company-wide
> discussion group...
>

The VP finance _belongs_ on the layoff list if he sends such a thing without using the CEO's public key or the like.

--
W.C. Epperson                       "I have great faith in fools.
Senior SE                            Self-confidence, my friends call it."
Information Security Officer                    --Edgar Allan Poe--
DBA Emeritus
Curmudgeon-for-Life
Virginia Dept.
of Education
epperson@pen.k12.va.us

From firewalls-owner Thu Apr 4 09:59:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA25540 for firewalls-outgoing; Thu, 4 Apr 1996 08:07:58 -0800 (PST)
Received: from neon.ingenia.com (newneon.ingenia.com [205.207.219.29]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA25528 for ; Thu, 4 Apr 1996 08:07:46 -0800 (PST)
Received: (from shaver@localhost) by neon.ingenia.com (8.6.12/8.6.9) id LAA02274; Thu, 4 Apr 1996 11:05:32 -0500
From: Mike Shaver
Message-Id: <199604041605.LAA02274@neon.ingenia.com>
Subject: Re: Firewalls-Digest V5 #196 -Reply
To: michael@memra.com (Michael Dillon)
Date: Thu, 4 Apr 1996 11:05:32 -0500 (EST)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: from "Michael Dillon" at Apr 4, 96 00:21:06 am
X-Mailer: ELM [version 2.4 PL24 PGP3 *ALPHA*]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thus spake Michael Dillon:
> > If you can't think
> > of a sentence on your own, use a song: "Just sit right back
> > and you'll hear a tale, a tale of a fateful trip. That started
> > from this tropic port, aboard this tiny ship." ("Gilligan's Isle"
> > theme song for the culturally depraved.) "Jsrbayhat,"
> > "atoaft," "Tsfttp," "atts." Works for me.
>
> Now that this idea has become public it is no longer secure. There are
> archives of song lyrics available on the Internet and it is child's play
> to process them into a list of words to feed into crack.

This idea was public _long_ before it was posted to this list. Also, with strings like those from song lyrics, you're probably getting dangerously close to brute force, once you get through all the permutations. That's an attack regardless of what method you use to select your password.

Mike
--
#> Mike Shaver (shaver@ingenia.com)   Ingenia Communications Corporation <#
#> UNIX medicine man -- dark magick, cheap!
                                                                         <#
#>                                                                       <#
#> When the going gets tough, the tough give cryptic error messages.     <#
#> "We believe in rough consensus and running code."                     <#

From firewalls-owner Thu Apr 4 10:02:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA24260 for firewalls-outgoing; Thu, 4 Apr 1996 07:38:25 -0800 (PST)
Received: from dub-img-2.compuserve.com (dub-img-2.compuserve.com [198.4.9.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA24234 for ; Thu, 4 Apr 1996 07:38:17 -0800 (PST)
Received: by dub-img-2.compuserve.com (8.6.10/5.950515) id KAA17542; Thu, 4 Apr 1996 10:36:12 -0500
Date: 04 Apr 96 10:35:03 EST
From: "Patrick M. Bartkus" <102557.3370@compuserve.com>
To: Firewalls List
Subject: Re: Securid BAD Tech Support
Message-ID: <960404153503_102557.3370_HHU58-2@CompuServe.COM>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At Thu, 4 Apr 96 00:02:16 -0500 - Frank Willoughby allegedly wrote:
>It isn't necessary to put up with the above headaches when many crypto
>solutions are simply point & click. (Many of these are also much more
>cost-effective than the Securid cards are).

Frank,

Many of your arguments are that SecurID only ensures that you know who set up the session initially. After that, the session can be hijacked. What are the "crypto solutions" you talk about? Could you send some pointers of where I could get more information on them?

Patrick
----
Patrick Bartkus
Sr. Network Support Analyst
Fleet Mortgage Group
Columbia, SC

If truth is not absolute, how could there be justice.
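The A/PTR agreement test Steve describes and the SUNSECURITY-style resolver check Jonathan Larmour mentions in the DNS Spoofing and Java thread above, worked through as an added example in Python; this is not code from any post on this list or from BIND. The resolver is stood in for by constructed lookup tables (made-up host names and RFC 5737 documentation addresses), so it runs offline.

```python
"""Forward-confirmed reverse DNS: an address is trusted only if its PTR
name resolves back to that address, and a host name's address is used
only if the PTR for that address names the host again.

Added example; the A_RECORDS/PTR_RECORDS tables are constructed sample
data standing in for gethostbyname()/gethostbyaddr(), not real zones.
"""
from typing import Dict, List, Optional, Tuple

# Constructed data.  www.example.test legitimately owns two addresses
# (round-robin style, two A RRs).  evil.attacker.test additionally
# publishes an A RR pointing at 192.0.2.10, an address it does not own:
# that is the "hostile zone claims someone else's address" case the
# check is meant to catch.  203.0.113.5 has no PTR record at all.
A_RECORDS: Dict[str, List[str]] = {
    "www.example.test.": ["192.0.2.10", "192.0.2.11"],
    "evil.attacker.test.": ["198.51.100.7", "192.0.2.10"],
}
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10": "www.example.test.",
    "192.0.2.11": "www.example.test.",
    "198.51.100.7": "evil.attacker.test.",
}


def canonical(name: str) -> str:
    """Lower-case the name and make it fully qualified (trailing dot)
    so that comparisons are exact."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def lookup_a(name: str) -> List[str]:
    """Stand-in for gethostbyname(): A records of name, or []."""
    return list(A_RECORDS.get(canonical(name), []))


def lookup_ptr(addr: str) -> Optional[str]:
    """Stand-in for gethostbyaddr(): PTR target of addr, or None."""
    return PTR_RECORDS.get(addr)


def check_address(addr: str) -> Tuple[bool, str]:
    """Resolver-side check in the spirit of -DSUNSECURITY: map the
    address back to a name, then require that the name's A records
    contain the address.  Returns (ok, canonical_name_or_reason)."""
    name = lookup_ptr(addr)
    if name is None:
        return False, "no PTR record for %s" % addr
    if addr not in lookup_a(name):
        return False, "PTR %s -> %s, but A(%s) does not contain %s" % (
            addr, name, name, addr)
    return True, canonical(name)


def resolve_verified(hostname: str) -> List[str]:
    """Application-side check for 'connect to hostname': of the
    addresses the A lookup returns, keep only those whose PTR record
    names hostname again, i.e. the A RR and the PTR RR agree."""
    want = canonical(hostname)
    accepted: List[str] = []
    for addr in lookup_a(want):
        name = lookup_ptr(addr)
        if name is not None and canonical(name) == want:
            accepted.append(addr)
    return accepted


if __name__ == "__main__":
    # The owned address passes; the address without a PTR is rejected.
    for addr in ("192.0.2.10", "203.0.113.5"):
        print(addr, "->", check_address(addr))
    # The hostile zone's claim on 192.0.2.10 is dropped because the
    # PTR for that address names www.example.test, not the claimant.
    for host in ("www.example.test", "evil.attacker.test"):
        print(host, "->", resolve_verified(host))
```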
From firewalls-owner Thu Apr 4 10:05:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA27198 for firewalls-outgoing; Thu, 4 Apr 1996 08:55:44 -0800 (PST)
Received: from bayflash.stpt.usf.edu (bayflash.stpt.usf.edu [131.247.140.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA27183 for ; Thu, 4 Apr 1996 08:55:40 -0800 (PST)
Received: (johnson@localhost) by bayflash.stpt.usf.edu (8.6.11/8.6.5) id LAA27477; Thu, 4 Apr 1996 11:50:11 -0500
Date: Thu, 4 Apr 1996 11:50:11 -0500 (EST)
From: Steven Johnson
X-Sender: johnson@bayflash
To: firewalls@GreatCircle.COM
Subject: Re: Hi
In-Reply-To: <61406.1237961@shhs1.ccsd.k12.co.us>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 1 Apr 1996, Shannon Herber wrote:
> Sorry to hear about your problems with Windows '95, I'm glad that you got
> them fixed. I didn't write sooner because I had Spring Break last week
> and I went to California, Arizona and New Mexico. I visited two
> colleges in California, I

Somebody say something about SickPuppy being off-topic? :^)

S T E V E N                        ("'-''-/").___..--''"'-._
http://www.stpt.usf.edu/~johnson    '@_ @  )   '-.  (     '-._.')
                                    (_Y_.)'  ._   )  '._ '.''-..-'
                                  _..'--'_.._/-  /--'_.' ,'
johnson@stpt.usf.edu             (il).-''  (li).'
                                 ((!.-'

From firewalls-owner Thu Apr 4 10:07:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA24636 for firewalls-outgoing; Thu, 4 Apr 1996 07:49:00 -0800 (PST)
Received: from gatekeeper.strydr.com (gatekeeper.strydr.com [199.217.201.253]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA24619 for ; Thu, 4 Apr 1996 07:48:49 -0800 (PST)
Received: (from Unknown UID 6@localhost) by gatekeeper.strydr.com (8.6.9/8.6.9) id JAA05870 for ; Thu, 4 Apr 1996 09:46:44 -0600
Received: from strydr.strydr.com(198.134.134.1) by gatekeeper.strydr.com via smap (V1.3) id sma005867; Thu Apr 4 09:46:37 1996
Received: (from ds3721@localhost) by strydr.strydr.com (8.6.12/8.6.11) id JAA27227; Thu, 4 Apr 1996 09:47:18 -0600
From: David Schnardthorst
Message-Id: <199604041547.JAA27227@strydr.strydr.com>
Subject: Re: Newgroup Creation
To: firewalls@greatcircle.com
Date: Thu, 4 Apr 1996 09:47:14 -0600 (CST)
In-Reply-To: from "David C Lawrence" at Apr 4, 96 10:25:18 am
Organization: Stryder Communications, Inc.
Address: 869 St. Francois, Florissant, Mo. 63031
Telephone: (314)838-6839
Fax: (314)838-8527
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In the original, David C Lawrence says:
>
>The 154 newgroups messages sent in my name on 4 April were forgeries.
>Several sets of rmgroups will be issued. Note that some of the
>newgroups were for groups that really are in the middle of the normal
>group creation process, and will very likely eventually have real
>newgroup messages sent for them.

Here's the answer to my original post. I just thought some people may be interested.

============================================================================
David Schnardthorst, Systems/Network Eng.    * Phone: (314)838-6839
Stryder Communications, Inc.                 * Fax: (314)838-8527
869 St.
Francois                                     * E-Mail: ds3721@strydr.com
Florissant, MO 63031                         * URL: http://www.strydr.com
============================================================================

From firewalls-owner Thu Apr 4 10:10:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA27660 for firewalls-outgoing; Thu, 4 Apr 1996 09:06:39 -0800 (PST)
Received: from hp01.vak12ed.edu (hp01.vak12ed.edu [141.104.150.251]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA27644 for ; Thu, 4 Apr 1996 09:06:09 -0800 (PST)
Message-Id: <199604041706.JAA27644@miles.greatcircle.com>
Received: by hp01.vak12ed.edu (1.38.193.5/16.2) id AA25784; Thu, 4 Apr 1996 11:03:38 -0500
From: "W.C. Epperson"
Subject: Re: Interesting packets fron the net (fwd)
To: firewalls@greatcircle.com
Date: Thu, 04 Apr 1996 11:03:37 EST
X-Mailer: Elm [revision: 109.16]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

sansom@connectix.com said about "access-list....log":
>
> Ok, so I'm not nuts. I spent half a day looking for the 'log' command
> on my UniverseCD. Where will the logging information show up? Do I need
> to set up the syslog thing between my router and one of my hosts??
>
> Thanks in advance
>

Have been able to determine that this is implemented in IOS 11.0--still in FCS/LD phase of the life cycle (I call it "I-can't-believe-it's-not-beta flavor"). Only CIO search hit is in the release notes, doesn't say where logging occurs, but implies syslog or something like it. Since Cisco overtly advises customers to use only GD (general deployment) releases for production network infrastructure, I'm not about to use early LD (limited deployment) for a security function. According to CIO a few minutes ago, current highest GD is 10.2(9), but they show obsolescence for that on 04/15/96. I'm running 10.2(11) on a TAC recommendation, and have had no problems I'd associate with that release.

--
W.C. Epperson                       "I have great faith in fools.
Senior SE                            Self-confidence, my friends call it."
Information Security Officer                    --Edgar Allan Poe--
DBA Emeritus
Curmudgeon-for-Life
Virginia Dept. of Education
epperson@pen.k12.va.us

From firewalls-owner Thu Apr 4 12:12:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA29646 for firewalls-outgoing; Thu, 4 Apr 1996 09:41:46 -0800 (PST)
Received: from hitachi.com (msd.hitachi.com [137.168.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA29629 for ; Thu, 4 Apr 1996 09:41:38 -0800 (PST)
Received: from osc.hitachi.com by hitachi.com (4.1/SMI-4.1) id AA11916; Thu, 4 Apr 96 09:41:55 PST
Received: from enterprise ([205.158.60.129]) by osc.hitachi.com (4.1/SMI-4.1) id AA04816; Thu, 4 Apr 96 08:54:18 PST
Date: Thu, 4 Apr 96 08:54:17 PST
Message-Id: <9604041654.AA04816@osc.hitachi.com>
X-Sender: bstout@osc.hitachi.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: Bill Stout
Subject: Re: Round-Robin DNS
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 08:06 PM 4/3/96 -0600, you wrote:
>
>Hello everyone. This is my first question on this list so please forgive
>the a little bit off-topic. I need to run round-robin DNS for my web servers.
>How is it done and what does it entail in terms of security ?

This is what a round-robin site looks like:

# nslookup www.ncsa.uiuc.edu
...
Name:    www.ncsa.uiuc.edu
Addresses:  141.142.3.131, 141.142.3.132, 141.142.3.134, 141.142.3.76
            141.142.3.70, 141.142.3.30, 141.142.3.130

#!!
...
Non-authoritative answer:
Name:    www.ncsa.uiuc.edu
Addresses:  141.142.3.134, 141.142.3.76, 141.142.3.70, 141.142.3.30
            141.142.3.130, 141.142.3.131, 141.142.3.132

#!!
...
Non-authoritative answer: Name: www.ncsa.uiuc.edu Addresses: 141.142.3.76, 141.142.3.70, 141.142.3.30, 141.142.3.130 141.142.3.131, 141.142.3.132, 141.142.3.134

Their nameserver has multiple address entries for www.ncsa.uiuc.edu in /var/named/named.ncsa, ex:

www IN A 141.142.3.76
www IN A 141.142.3.70
www IN A 141.142.3.30
www IN A 141.142.3.130
www IN A 141.142.3.131
www IN A 141.142.3.132
www IN A 141.142.3.134

See DNS and BIND from O'Reilly (animal book), or sys admin for more info.

>In light of >recent DNS/Java exploit discussions I'd like to know what the security >gurus here think of the idea in general, and particularly applied to >firewalls, etc. I know of no relation of DNS round-robin to security, or Java. Java runs at an application layer higher (user?) than what firewalls can filter, firewalls in general are useless against Java attacks, which are at this point only used against browsing web clients, not servers. >Thanks a lot, please reply to me or to the list. > >-Max > >-------------------------------------------------------------------- >Max R. Levchin SponsorNet New Media, Inc >VP / Engineering "Building A Better Web Through Advertising!" > William B. 
Stout Senior Systems Administrator Hitachi Data Systems Open Systems Center Santa Clara, California 408-970-4822 From firewalls-owner Thu Apr 4 12:14:10 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA29679 for firewalls-outgoing; Thu, 4 Apr 1996 09:45:03 -0800 (PST) Received: from hitachi.com (msd.hitachi.com [137.168.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA29666 for ; Thu, 4 Apr 1996 09:44:55 -0800 (PST) Received: from osc.hitachi.com by hitachi.com (4.1/SMI-4.1) id AA12092; Thu, 4 Apr 96 09:45:26 PST Received: from enterprise ([205.158.60.129]) by osc.hitachi.com (4.1/SMI-4.1) id AA04821; Thu, 4 Apr 96 08:57:49 PST Date: Thu, 4 Apr 96 08:57:49 PST Message-Id: <9604041657.AA04821@osc.hitachi.com> X-Sender: bstout@osc.hitachi.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: "Derek D. Feagin" From: Bill Stout Subject: Re: POP3 Server Cc: Firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 09:58 AM 4/2/96 -0600, you wrote: >This is a little off topic but I know I will be able to get some answers here. > >I was wondering if anybody can point me in the right direction in finding a pop3 server for HPUX. > Is there a defacto standard for pop3 servers? > >Thanks in advance, >Derek >-- >Derek D. Feagin | "Man does not live he just survives, >Network Support Specialist | we spleep 'til He arrives." >Telephone: 402-563-5874 | > Fax: 402-563-5551 | - Larry Norman - So Long Ago The Garden > Email: gatekeeper@nppd.com > >---------------------------------------------------- > Nebraska Public Power District >---------------------------------------------------- > > Goto http://www.qualcomm.com/ProdTech/quest/techsupport/techsup.html#hostreq William B. 
Stout Senior Systems Administrator Hitachi Data Systems Open Systems Center Santa Clara, California 408-970-4822 From firewalls-owner Thu Apr 4 13:13:34 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA01687 for firewalls-outgoing; Thu, 4 Apr 1996 10:23:35 -0800 (PST) Received: from xyzzy.plugh.edmonton.ab.ca (xyzzy.plugh.edmonton.ab.ca [198.161.22.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA01670 for ; Thu, 4 Apr 1996 10:23:13 -0800 (PST) Received: (from uucp@localhost) by xyzzy.plugh.edmonton.ab.ca (8.6.12/8.6.9) id LAA00285; Thu, 4 Apr 1996 11:18:34 -0700 Received: from dannyppp.precise.ab.ca(192.168.30.36) by xyzzy.plugh.edmonton.ab.ca via smap (V1.3) id sma000283; Thu Apr 4 11:18:33 1996 Received: (from danny@localhost) by nahanni.BouletFermat.ab.ca (8.6.12/8.6.9) id LAA07924; Thu, 4 Apr 1996 11:20:04 -0700 Date: Thu, 4 Apr 1996 11:20:04 -0700 From: Danny Boulet Message-Id: <199604041820.LAA07924@nahanni.BouletFermat.ab.ca> To: firewalls@greatcircle.com, strombrg@hyrdra.acs.uci.edu.BouletFermat.ab.ca Subject: Re: BoS: DNS Spoofing and Java Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dan Stromberg suggested that Sun could have avoided the problem (Java applets being able to connect to arbitrary hosts) by passing back the IP address instead of the host name. It isn't clear to me that this solves anything. Given the obvious accuracy of Dan's comments about how the client could be talking to a proxy (i.e. it can't trust the getpeername return value), how can the client trust an IP address passed inside the data stream? Another way of putting it is: how can a client know which IP address an applet came from? There would seem to be a few alternatives: 1) trust the getpeername result - doesn't work because the peer might be a proxy instead of the real server. 
2) trust something in the data stream - doesn't work without a considerably more elaborate authentication mechanism (anybody want to suggest that applets that want to connect back to the server MUST be served to you by a server that has a verifiable certificate (eg. an SSL certificate)?). 3) the client must realize that the applet was obtained from a proxy host. If the applet tries to connect back to the server then the client must ask the proxy host to establish the connection. This requires that one of the following be true: a) the client remembers where it originally got the applet from. b) the proxy host tells the client where the applet came from. c) the proxy host 'remembers' where the applet came from. 4) the client remembers the IP address of the server that it originally downloaded the applet from (i.e. the IP address that it connected to to get the applet or the URL that it passed to the proxy when it asked the proxy to download the applet). Unless I'm missing something, option 4 (which is equivalent to option 3a) seems cleanest. Options 3c and the certificate idea in option 2 are also workable although not exactly clean. 
-Danny From firewalls-owner Thu Apr 4 13:56:42 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA03354 for firewalls-outgoing; Thu, 4 Apr 1996 10:48:44 -0800 (PST) Received: from netcomsv.netcom.com (uucp7.netcom.com [163.179.3.7]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA03343 for ; Thu, 4 Apr 1996 10:48:37 -0800 (PST) Received: from kingtut.UUCP by netcomsv.netcom.com with UUCP (8.6.12/SMI-4.1) id KAA11733; Thu, 4 Apr 1996 10:11:40 -0800 Received: from auspex.ivac_eng (auspex-e2) by sis.com (4.1/SMI-4.1) id AA19131; Thu, 4 Apr 96 09:26:05 PST Received: from ivac35.ivac_eng by auspex.ivac_eng (4.1/SMI-4.1) id AA08618; Thu, 4 Apr 96 09:26:04 PST Date: Thu, 4 Apr 96 09:26:04 PST From: dengland@sis.com (Dave England) Message-Id: <9604041726.AA08618@auspex.ivac_eng> To: Firewalls@GreatCircle.COM Subject: Re: more on mail addresses Cc: Bill.Gates@microsoft.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > Lastly, the non-obvious mail-box ID sees to (albeit, once again by > > obscurity) make it somewhat harder to be the target for mail-bombs or > > abusive mail when only the name of the intended recipient is known (eg: > > dissatisfied customers trying to contact the MD directly, > > Bingo! Guess what Bill Gates email address is? Hint, it's not > billg@microsoft.com, in fact it is not even known by most MS employees. > This was done precisely because he became the target of crank email. I think it's a plus to have customers complain to the CEO when they can't get their customer service issues addressed. If we want to get into the information age and out of the paper mail age, we better not use these tools to make it harder for customers. I'm disappointed to hear that Gates feels he has to hide behind technology and obscurity, this seems to be counter to what he preaches. Bill, What's your opinion? 
dave From firewalls-owner Thu Apr 4 13:58:06 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA03395 for firewalls-outgoing; Thu, 4 Apr 1996 10:49:40 -0800 (PST) Received: from inet1.tek.com (inet1.tek.com [134.62.48.21]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA03389 for ; Thu, 4 Apr 1996 10:49:35 -0800 (PST) Received: by inet1.tek.com id ; Thu, 4 Apr 1996 10:47:35 -0800 Received: from tektronix.tek.com(134.62.48.24) by inet1 via smap (V1.3) id sma023742; Thu Apr 4 10:47:08 1996 Received: from orca.wv.tek.com by tektronix.TEK.COM (5.x/8.2) id AA23424; Thu, 4 Apr 1996 10:49:42 -0800 Received: from trouble.WV.TEK.COM by orca.wv.tek.com (4.1/8.2) id AA14114; Thu, 4 Apr 96 10:49:31 PST Received: by trouble.WV.TEK.COM (4.1/8.0) id AA08109; Thu, 4 Apr 96 10:44:50 PST Date: Thu, 4 Apr 1996 10:44:49 -0800 (PST) From: Kent Dahlgren To: Shannon Herber Cc: stefan.grip@mailbox.swipnet.se, firewalls@greatcircle.COM Subject: Re: Hi In-Reply-To: <61406.1237961@shhs1.ccsd.k12.co.us> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On 1 Apr 1996, Shannon Herber wrote: > Stefan, > Sorry to hear about your problems with Windows '95, I'm glad that you got > them fixed. > I didn't write sooner because I had Spring Break last week and I went to > California, Arizona and New Mexico. I visited two colleges in California, I [snip] Thank you for the re-cap of your spring break! Man, I was getting worried about you two! Those who browse the ftp site will forever more be able to see how your spring break went. Thanks! 
"Any ideas expressed here may not reflect those of my employers" ______________________________________________________________________________ ______ T E K T R O N I X _ C P I D _ T E C H N I C A L _ S U P P O R T _______ / Voice: 1.800.835.6100 E-mail: support@colorprinters.tek.com Fax: 1.503.685.3063 WWW: www.tek.com BBS: 1.503.685.4504 E-World: Keyword Tektronix HAL: 1.503.682.7450 AOL: Keyword Tektronix Service: 1.800.835.6100 FTP: ftp.tek.com ______________________________________________________________________________ From firewalls-owner Thu Apr 4 14:04:03 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA16438 for firewalls-outgoing; Thu, 4 Apr 1996 13:53:34 -0800 (PST) Received: from relay1.shore.net (relay1.shore.net [192.233.85.129]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA16412 for ; Thu, 4 Apr 1996 13:53:24 -0800 (PST) Received: from [198.115.179.222] (slip-16-25.shore.net [204.167.111.225]) by relay1.shore.net (8.7.5/8.7.3) with SMTP id QAA24160; Thu, 4 Apr 1996 16:51:12 -0500 (EST) X-Sender: vin@shell1.shore.net Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 4 Apr 1996 16:53:24 -0500 To: firewalls@greatcircle.com From: vin@shore.net (Vin McLellan) Subject: Securid BAD Tech Support Cc: snd1trz@snd10.med.navy.mil, alastair@cadence.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Todd R. Zimmerman" and Alastair Young published apparently well-justified complaints about SDI's flagging Customer Support. For what it's worth, I understand SDI just had a major upheaval in their CS department. They have brought in a new director and plan to staff up considerably. That's no excuse, of course, but hopefully things are about to radically improve. And yes, half the company _does_ seems to be at InterOp. 
They're introducing both a 28.8 (PCMCIA) Motorola modem with a built-in SecurID token, and their new token-emulation software package, "SoftID," this week. Mr. Young may have answered Mr. Zimmerman's question about where to find the ACE/Client in the TIS Gauntlet firewall: >>The Gauntlet/fwtk tn-gw telnet gateway authenticates to the TIS authentication >>daemon (authsrv in the fwtk). This daemon has the Security Dynamics >>client code >>in it. When you set a user's authentication type to "S" it does SecurID >>for that >>user. I think TIS ported SDI's ACE/Client code into the Gauntlet package last year; prior to that they had callouts to the APIs in ACE/Clients and ACE ACMs. Set-up procedures for registering an ACE/Client with the ACE/Server should be covered in SDI's ACE/Server docs, but for info on how to enable Gauntlet to channel authentication calls through the ACE/Server, you might check with the savvy folk at TIS. (Mail to should get through to TIS Support, if one of the TIS Gauntlet mavens on Firewalls-L doesn't answer you directly first.) The FWTK link is more tenuous. The first versions of MR's neat Firewall Tool Kit (FWTK) did have a call to the appropriate APIs in an ACE access control module. However, as SDI evolved its product (and particularly after SDI developed their client/server version of ACE in '91,) there was no effort to upgrade the FWTK to maintain the SecurID option. (I've been told that some folks have jury-rigged the connection, but I don't know who or how, or if the code is available.) I suppose that's the difference between shareware like the FWTK and commercial software like Gauntlet. (Does SOS's Freeware firewall kit have callouts to the APIs on an ACE/Server or the ACM used by the other authentication token vendors? I don't know.) Mr. Young had his own unanswered question: >>The question I am trying to get an answer from SD about is: where is the >>command line interface you promised for administration functions. 
I asked the >>guy at the SD booth at OSS96 in Orlando last month and was assured it would be >>in the new 2.x server software. We just upgraded and I can't find hide nor >>hair of the command line interface. You were misinformed. Sorry. SDI Engineering will eventually put in a command line interface for administration in the ACE code -- and it probably will be a 2.X version of the ACE/Server, rather than a 3.X -- but it doesn't exist now and there are no plans to offer it in the immediate future. I think SDI is still trying to get a grip on the array of administrative options made possible by their new (v2.0) SQL-enabled RDBS. Suerte, _Vin Vin McLellan +The Privacy Guild+ 53 Nichols St., Chelsea, Ma. 02150 USA Tel: (617) 884-5548 <*><*><*><*><*><*><*><*><*> From firewalls-owner Thu Apr 4 14:06:17 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA15275 for firewalls-outgoing; Thu, 4 Apr 1996 13:41:10 -0800 (PST) Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA15209 for ; Thu, 4 Apr 1996 13:40:49 -0800 (PST) Received: from chrpc (mtv2-dynamic224.ins.com [199.0.193.224]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id NAA06542; Thu, 4 Apr 1996 13:37:47 -0800 (PST) Message-Id: <2.2.32.19960404213842.00737350@lexicon.ins.com> X-Sender: ragan@lexicon.ins.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 04 Apr 1996 15:38:42 -0600 To: raf@ezunx.com From: Charles Ragan Subject: Re: cisco logging for firewalls Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Yes, but I don't know in what release the functionality began. Charles At 07:16 AM 4/4/96 PST, raf@ezunx.com wrote: >I know ciscos do logging of most packet info, but do >they support syslogd so logs can be sent to another machine? 
> >thanks > >-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- >** Remember -- Life is NOT a dress rehearsal! > (nor is it a small furry animal with funny feet and floppy ears...) > > From firewalls-owner Thu Apr 4 14:09:17 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA15051 for firewalls-outgoing; Thu, 4 Apr 1996 13:39:06 -0800 (PST) Received: from DUKEMC.MC.DUKE.EDU (dukemc.mc.duke.edu [152.3.78.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA15018 for ; Thu, 4 Apr 1996 13:38:54 -0800 (PST) From: smith135@mc.duke.edu Received: from ccmail.duke.edu by mc.duke.edu (PMDF V5.0-5 #11367) id <01I35FD8M18W003CBE@mc.duke.edu> for firewalls-digest@greatcircle.com; Thu, 04 Apr 1996 16:37:59 -0500 (EST) Date: Thu, 04 Apr 1996 16:04 -0500 (EST) Subject: Firewalls at lower levels? To: firewalls-digest@greatcircle.com Message-id: <01I35FD8T9O2003CBE@mc.duke.edu> MIME-version: 1.0 Content-type: TEXT/PLAIN Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I was at a seminar presented by Stuart Holoman, Holocon Inc. yesterday, and he said firewalls are not effective/implementable below the session layer:

layer 7 - App support
layer 6 - Presentation
layer 5 - Session
layer 4 - Transport
layer 3 - Network
layer 2 - Data link
layer 1 - Physical

Any comments? I don't know if he was speaking in abstract terms (e.g., not many people know how to make them effective). 
Michael Smith Voice: 919-613-7633 Duke University and Medical Center Fax: 919-613-7631 E-mail: smith135@mc.duke.edu From firewalls-owner Thu Apr 4 14:12:16 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA14955 for firewalls-outgoing; Thu, 4 Apr 1996 13:38:08 -0800 (PST) Received: from actcom.co.il (actcom.co.il [192.114.47.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA14924 for ; Thu, 4 Apr 1996 13:37:56 -0800 (PST) Received: by actcom.co.il (8.6.12/actcom-0.1) id AAA10138; Fri, 5 Apr 1996 00:33:49 +0300 (rfc931-sender: hayam@localhost) Date: Fri, 5 Apr 1996 00:33:47 +0300 (EET DST) From: Avraham Hayam To: Bill Neugent cc: Gavin.Longmuir@mailhost.dpie.gov.au, bell@mitre.org, ljl@mitre.org, Firewalls@GreatCircle.COM Subject: Re: Information Required: Bell-LaPadula Security Model In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Greetings, It's a real classic IT Security base. Look for: Bell, D.E. and LaPadula, L.J. - Secure Computer Systems: Unified Exposition and Multics Interoperation, MTR-2997 Rev. 1, MITRE Corp., Bedford Mass., March 1976. Avraham hayam ITSSC - Information technology Systems security consultants P.O.Box 11233 Jerusalem, 91112 Israel hayam@actcom.co.il On Mon, 1 Apr 1996, Bill Neugent wrote: > Gavin, > I've cc'd both David Bell and Len LaPadula, who should be able to help you. > > David, Len, Maybe you can parlay this into a trip to Australia. > > Bill > > ------------------------------ > > From: "Gavin Longmuir, x6486" > Date: Mon, 01 Apr 1996 16:50:17 +1000 > Subject: Information Required: Bell-LaPadula Security Model > > I'm looking for information on the Bell-LaPadula Security Model (? if > that is the correct name for it). 
I've come across this reference under > guidelines on filtering on security labels (I'm unsure if this is a > reference to the security label in an IP header or something else, hence > this request). > > Gavin. > > - -- > Gavin Longmuir - Internet Applications and Platforms Manager > Information Management and Services Branch > Commonwealth Department of Primary Industries and Energy > Voice:+61 6 271 6486 FAX:+61 6 272 4997 > Internet:Gavin.Longmuir@dpie.gov.au > > ------------------------------ > > > From firewalls-owner Thu Apr 4 14:14:54 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA13859 for firewalls-outgoing; Thu, 4 Apr 1996 13:26:18 -0800 (PST) Received: from actcom.co.il (actcom.co.il [192.114.47.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA13845 for ; Thu, 4 Apr 1996 13:26:08 -0800 (PST) Received: by actcom.co.il (8.6.12/actcom-0.1) id AAA07559; Fri, 5 Apr 1996 00:20:43 +0300 (rfc931-sender: hayam@localhost) Date: Fri, 5 Apr 1996 00:20:41 +0300 (EET DST) From: Avraham Hayam To: KM cc: eazuara@SUNULSA.ULSA.MX, firewalls@GreatCircle.COM Subject: Re: Security on the internet In-Reply-To: <9604012044.AA27908@hfsi> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, About Kerberos - look for COAST and CERT alert. Some vulnerabilities were found in it, not long ago. 
Avraham hayam ITSSC - Information technology Systems security Consultants P.O.Box 11233 Jerusalem, 91112 Israel hayam@actcom.co.il From firewalls-owner Thu Apr 4 14:17:40 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA09347 for firewalls-outgoing; Thu, 4 Apr 1996 12:31:46 -0800 (PST) Received: from netcomsv.netcom.com (uucp12.netcom.com [163.179.3.12]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA09341 for ; Thu, 4 Apr 1996 12:31:40 -0800 (PST) Received: from kingtut.UUCP by netcomsv.netcom.com with UUCP (8.6.12/SMI-4.1) id MAA18967; Thu, 4 Apr 1996 12:10:54 -0800 Received: from auspex.ivac_eng (auspex-e2) by sis.com (4.1/SMI-4.1) id AA19369; Thu, 4 Apr 96 11:26:53 PST Received: from ivac35.ivac_eng by auspex.ivac_eng (4.1/SMI-4.1) id AA09149; Thu, 4 Apr 96 11:26:53 PST Date: Thu, 4 Apr 96 11:26:53 PST From: dengland@sis.com (Dave England) Message-Id: <9604041926.AA09149@auspex.ivac_eng> To: postmaster@microsoft.com Subject: Undeliverable: email to CEO Cc: Firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does a MS customer have to resort to paper mail to send a letter to the CEO at your company? I can't believe Bill doesn't have someone reading his email for him just like all CEO's at all companies have someone reading their letters for them, if they don't read them themselves. ----- Begin Included Message ----- From Mailer-Daemon@netcomsv.netcom.com Thu Apr 4 11:11:13 1996 From: System Administrator To: Subject: Undeliverable: Re: more on mail addresses Date: Thu, 4 Apr 1996 10:47:06 -0800 Your message did not reach some or all of the intended recipients. 
To: Firewalls@GreatCircle.COM Cc: Bill.Gates@microsoft.com Subject: Re: more on mail addresses Sent: 4/4/96 10:47:06 AM The following recipient(s) could not be reached: Bill.Gates@microsoft.com on 4/4/96 10:47:06 AM Recipient Not Found [MSEXCH:IMC:microsoft:northamerica:RED-07-IMC] ----- End Included Message ----- From firewalls-owner Thu Apr 4 14:18:10 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA16591 for firewalls-outgoing; Thu, 4 Apr 1996 13:55:38 -0800 (PST) Received: from gatekeeper.ray.com (gatekeeper.ray.com [138.125.162.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA16553 for ; Thu, 4 Apr 1996 13:55:28 -0800 (PST) Received: from localhost (mailer@localhost) by gatekeeper.ray.com (8.6.4/8.6.5) id QAA17998; Thu, 4 Apr 1996 16:52:31 -0500 Received: from eoits1.eo.ray.com by gatekeeper.ray.com; Thu Apr 4 16:52:20 1996 Received: by eo.ray.com (5.0/SMI-SVR4) id AA03555; Thu, 4 Apr 1996 16:52:15 -0500 Date: Thu, 4 Apr 1996 16:52:15 -0500 From: hhantman@eo.ray.com (Howard Hantman) Message-Id: <9604042152.AA03555@eo.ray.com> To: epperson@vak12ed.edu, firewalls@GreatCircle.COM Subject: Re: more on mail addresses Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >From: "W.C. Epperson" >Michael said: >> >> Your CEO is named Peter Smith Peter_Smith@organization.com >> You hire Pete Smith to work on graphics for the widget brochures. >> Your VP finance sends email regarding the layoff of 500 employees with a >> breakdown by department and the names of several managers to be axed >> along with the managers current salaries. He addresses it to >> Pete_Smith@organization.com >> >> Ooops! UNO-what hits the fan after Pete posts this on a public company-wide >> discussion group... >> >The VP finance _belongs_ on the layoff list if he sends such a thing without >using the CEO's public key or the like. The problem is he thinks he did! He used "Pete Smith"'s public key!!! 
Howard Hantman Manager, Technology Integration Corporate ITS Raytheon Company From firewalls-owner Thu Apr 4 15:12:53 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA21943 for firewalls-outgoing; Thu, 4 Apr 1996 14:53:15 -0800 (PST) Received: from mickey.ovid.com (mickey.ovid.com [198.242.51.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA21905 for ; Thu, 4 Apr 1996 14:52:58 -0800 (PST) Received: by mickey.ovid.com (AIX 3.2/UCB 5.64/4.03) id AA16416; Thu, 4 Apr 1996 15:48:24 -0700 Date: Thu, 4 Apr 1996 15:48:24 -0700 (MST) From: Adam Prato To: raf@ezunx.com Cc: firewalls@greatcircle.com Subject: Re: cisco logging for firewalls In-Reply-To: Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 4 Apr 1996 raf@ezunx.com wrote: > Date: Thu, 4 Apr 96 07:16:29 PST > From: raf@ezunx.com > To: firewalls@greatcircle.com > Subject: cisco logging for firewalls > > I know ciscos do logging of most packet info, but do > they support syslogd so logs can be sent to another machine? > > thanks

Router# config term
Router(config)# logging nnn.nnn.nnn.hhh
Router(config)# logging facility local0
Router(config)# logging trap debugging

This tells the router to log messages to the loghost nnn.nnn.nnn.hhh using local0 logging facility and to trap all messages above debugging (which is everything). 
Adam From firewalls-owner Thu Apr 4 19:57:59 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id TAA04557 for firewalls-outgoing; Thu, 4 Apr 1996 19:45:23 -0800 (PST) Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA04531 for ; Thu, 4 Apr 1996 19:45:14 -0800 (PST) Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id TAA00371; Thu, 4 Apr 1996 19:54:10 -0800 Date: Thu, 4 Apr 1996 20:41:34 -0800 (PST) From: Michael Dillon To: Firewalls@GreatCircle.COM cc: auampdrv@ibmmail.com Subject: Re: more on mail addresses In-Reply-To: <199604041304.IAA14946@samadams.unifiedtech.com> Message-ID: Organization: Memra Software Inc. - Internet consulting MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 4 Apr 1996, Mike Jones wrote: > > Your CEO is named Peter Smith Peter_Smith@organization.com > > You hire Pete Smith to work on graphics for the widget brochures. > > Your VP finance sends email regarding the layoff of 500 employees with a > > breakdown by department and the names of several managers to be axed > > along with the managers current salaries. He addresses it to > > Pete_Smith@organization.com > > Ooops! UNO-what hits the fan after Pete posts this on a public company-wide > > discussion group... > > Probably the same thing that hits the fan after he sends it to > psmith@organization.com when the CEO's ID is smithp, or after he puts > the wrong address (whatever name) on it in internal mail. But what if the ID's are a7a22640@org.com and m3h33674@org.com where the first letter is the division (a - executive, m - marketing), the next two characters represent a dept code and the last 4 are an employee id within the dept and the last digit is a checksum to prevent transposition errors. 
Or some similar sort of employee ID scheme. Maybe exec.psmith@hq.org.com and mktg.smithp@dayton.org.com Run them all through one host via MX records and use a mapping database but at least there is far less chance of confusion than Peter.Smith@org.com. > The point here is that a message of that level of business importance > should probably be hand delivered, not sent by any medium where there's > a noticeable possibility of misdelivery. Try telling that to the VP Finance. Remember, he's a bean counter and this is an information systems expert because he has a subscription to PC magazine. > In fact, from a human factors point of view, it seems likely that > "non-obvious" (a better term might be "user hostile") mail names are > *more* likely to cause misdelivery of mail, because it is less > obvious if one has mistyped an address. I believe the scheme should be chosen to make it difficult to mistype an address. The schemes I outline above essentially require 3 pieces of info to generate a complete address, either division/dept/emp-id or dept/name/physical-location Michael Dillon Voice: +1-604-546-8022 Memra Software Inc. 
Fax: +1-604-546-3049 http://www.memra.com E-mail: michael@memra.com From firewalls-owner Thu Apr 4 21:13:29 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA08150 for firewalls-outgoing; Thu, 4 Apr 1996 21:02:21 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA07781 for ; Thu, 4 Apr 1996 21:01:06 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id PAA12560; Thu, 4 Apr 1996 15:49:55 -0800 Received: from cwis.unomaha.edu(137.48.1.5) by mycroft via smap (V1.3mjr) id sma012527; Thu Apr 4 15:49:15 1996 Received: by cwis.unomaha.edu (5.65/DEC-Ultrix/4.3) id AA29969; Thu, 4 Apr 1996 17:50:06 -0600 Date: Thu, 4 Apr 1996 17:50:06 -0600 (CST) From: oliver To: firewalls@greatcircle.com Subject: quit Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Please take me out of mailing list. Thank you very much! 
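Several posts above ask where the output of a Cisco `access-list ... log` entry ends up (W.C. Epperson) and how to ship it to a syslog host (Adam Prato's `logging` commands). Once it lands on the loghost someone has to read it, so here is an added example, written for this edit and not code from any of the posters or from Cisco: a small Python parser for the %SEC-6-IPACCESSLOG* messages IOS writes for `log`-tagged entries, with a summary that picks out the two things Rob Sansom's filters at the top of this thread were built to catch (outside packets claiming an inside or loopback source, and hits on ports such as 1521 and 2049). The sample lines are constructed in the shape IOS uses for extended-list hits; confirm them against what your own router sends. The host name, addresses, prefixes and the `parse_line` / `summarize` functions are assumptions of the example.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, Optional

# Constructed sample syslog lines (not a real capture) in the shape IOS uses
# for access-list entries carrying the "log" keyword: %SEC-6-IPACCESSLOGP for
# tcp/udp with ports, %SEC-6-IPACCESSLOGDP for icmp with (type/code).
SAMPLE_LOG = """\
Apr  4 10:01:02 gw-inet 45: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(33211) -> 192.0.2.10(1521), 1 packet
Apr  4 10:01:09 gw-inet 46: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(33212) -> 192.0.2.10(1525), 1 packet
Apr  4 10:02:30 gw-inet 47: %SEC-6-IPACCESSLOGP: list 101 denied ip 192.0.2.77 -> 192.0.2.10, 3 packets
Apr  4 10:03:12 gw-inet 48: %SEC-6-IPACCESSLOGP: list 101 denied tcp 127.0.0.1(1024) -> 192.0.2.10(2049), 1 packet
Apr  4 10:04:00 gw-inet 49: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 203.0.113.9 -> 192.0.2.10 (8/0), 12 packets
Apr  4 10:05:41 gw-inet 50: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.9(4321) -> 192.0.2.25(25), 1 packet
"""

# Tolerant of the message variants: protocol word and ports are optional,
# an icmp "(type/code)" segment may precede the packet count.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:DP|NP|RP|P|S)?:\s+list\s+(?P<acl>\S+)\s+"
    r"(?P<action>permitted|denied)\s+"
    r"(?:(?P<proto>[A-Za-z0-9]+)\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))?\s*->\s*"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?:\s*\(\d+/\d+\))?,\s*(?P<count>\d+)\s+packets?"
)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one syslog line into a dict; None for lines that are not ACL hits."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def summarize(log_text: str, inside_prefixes) -> Dict:
    """Roll denied hits up the way the filters in this thread are meant to be
    read: sources that claim an inside or loopback address while arriving on
    the outside interface, and the (proto, dst port) pairs being probed."""
    inside = [ipaddress.ip_network(p) for p in inside_prefixes]
    report = {
        "spoofed_sources": Counter(),   # claimed inside/loopback source -> packets
        "denied_by_port": Counter(),    # (proto, dst port) -> packets
        "permitted": 0,
        "unparsed": 0,
    }
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            report["unparsed"] += 1
            continue
        if rec["action"] != "denied":
            report["permitted"] += 1
            continue
        src = ipaddress.ip_address(rec["src"])
        if src.is_loopback or any(src in net for net in inside):
            report["spoofed_sources"][rec["src"]] += rec["count"]
        if rec["dport"] is not None:
            report["denied_by_port"][(rec["proto"], rec["dport"])] += rec["count"]
    return report


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, ["192.0.2.0/24"]).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

The ACL messages are severity 6 (informational), so the router's `logging trap` level has to be informational or more verbose for them to reach the loghost; the `debugging` setting in Adam Prato's configuration covers that. Feed the script the loghost's file for the router's facility (local0 in his example) rather than the constructed `SAMPLE_LOG`.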
From firewalls-owner Thu Apr 4 21:27:55 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA07733 for firewalls-outgoing; Thu, 4 Apr 1996 21:01:01 -0800 (PST) Received: from terisa-bh.terisa.com (terisa-bh.terisa.COM [205.226.38.66]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id UAA07439 for ; Thu, 4 Apr 1996 20:59:38 -0800 (PST) Received: (from uucp@localhost) by terisa-bh.terisa.com (8.6.12/8.6.11) id VAA01866; Thu, 4 Apr 1996 21:00:07 -0800 Received: from itech.terisa.com by terisa-bh.terisa.com via smap (V1.3) id sma001858; Thu Apr 4 20:59:58 1996 Received: from kmac.daisy (kmac.terisa.COM [205.226.39.35]) by itech.terisa.com (8.6.12/8.6.4) with SMTP id UAA12327; Thu, 4 Apr 1996 20:54:18 -0800 Date: Thu, 4 Apr 1996 20:54:18 -0800 From: EKR Message-Id: <199604050454.UAA12327@itech.terisa.com> To: firewalls@GreatCircle.COM, strombrg@hydra.acs.uci.edu Subject: Re: BoS: DNS Spoofing and Java Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dan writes: >Not really - microsoft attempted to deflect blame inappropriately and >ineffectually. In contrast, Sun has accepted more blame than they >really should have. Without going into detail about the arguments, I would observe that, as Dan says below, this has been discussed essentially ad nauseam on www-security among other places, but that Dan's view is far from the consensus. Rich $alz, Steve Bellovin and I have all argued that Sun's choice to use DNS as a way to establish their security perimeter made Sun responsible for using it correctly. 
-Ekr From firewalls-owner Thu Apr 4 21:53:57 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA08996 for firewalls-outgoing; Thu, 4 Apr 1996 21:07:36 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA08007 for ; Thu, 4 Apr 1996 21:01:54 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id PAA12178; Thu, 4 Apr 1996 15:36:36 -0800 Received: from lint-ether.cisco.com(198.93.170.22) by mycroft via smap (V1.3mjr) id sma012171; Thu Apr 4 15:36:32 1996 Received: from pferguso-pc.cisco.com (c1robo3.cisco.com [171.68.13.3]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id PAA24241; Thu, 4 Apr 1996 15:39:25 -0800 Message-Id: <199604042339.PAA24241@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 04 Apr 1996 18:40:24 -0500 To: raf@ezunx.com From: Paul Ferguson Subject: Re: cisco logging for firewalls Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 07:16 AM 4/4/96 PST, raf@ezunx.com wrote: >I know ciscos do logging of most packet info, but do >they support syslogd so logs can be sent to another machine? > Yes. - paul >thanks > >-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- >** Remember -- Life is NOT a dress rehearsal! > (nor is it a small furry animal with funny feet and floppy ears...) > -- Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:.. 
e-mail: pferguso@cisco.com c i s c o S y s t e m s

From firewalls-owner Thu Apr 4 21:58:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA08883 for firewalls-outgoing; Thu, 4 Apr 1996 21:05:20 -0800 (PST)
Received: from WYVERN.AZTECH.NET (AZTech.Net [198.182.221.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA08865 for ; Thu, 4 Apr 1996 21:05:09 -0800 (PST)
Received: by aztech.net (MX V4.0-1 VAX) id 1001; Thu, 04 Apr 1996 21:56:42 -700
Date: Thu, 04 Apr 1996 21:56:40 -700
From: Steve Gibbons
To: Firewalls@GreatCircle.COM
CC: _steve@aztech.net
Message-ID: <009A05FA.11784AA0.1001@aztech.net>
Subject: Re: Round-Robin DNS
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 4 Apr 96 08:54:17 PST, Bill Stout wrote:
# At 08:06 PM 4/3/96 -0600, you wrote:
# >
# >Hello everyone. This is my first question on this list so please forgive
# >the a little bit off-topic. I need to run round-robin DNS for my web servers.
# >How is it done and what does it entail in terms of security ?
# This is what a round-robin site looks like:
[ Deletia ]
# >In light of
# >recent DNS/Java exploit discussions I'd like to know what the security
# >gurus here think of the idea in general, and particularly applied to
# >firewalls, etc.
# I know of no relation of DNS round-robin to security, or Java. Java runs at
# an application layer higher (user?) than what firewalls can filter, firewalls
# in general are useless against Java attacks, which are at this point only
# used against browsing web clients, not servers.

First, some background: The exploit in question would have allowed some browsers to mount active attacks against any system behind some firewalls. (Admittedly, this seems to be implementation dependent, but (as with most things) it's not the 80% that you worry about, but the 20%.)

Another comment: HTTP proxies already exist that will filter out Java and JavaScript.
The biggest problem at this point is with performance, since they (the proxies) have to examine and filter the entirety of every HTML document as it passes.

Details: Netscape Navigator 2.01 and Sun's JDK 1.0.1 effectively disabled round-robin and other load balancing mechanisms, forcing the client to only connect to the same IP address that the java applet was downloaded from. (In the client's default configuration.) If you're interested as to why they did that see or CERT advisory CA-96.05, if you think that I'm "blowing smoke."

I work for a Fortune 100 financial institution. I think Java has a lot of potential for "good stuff." Having said that, I wouldn't trust Java-behind-a-firewall (in its current state) farther than I could throw a large RS/6000.

I speak from experience. After only a few hours of browsing globally available source code, and a good night's sleep, I came up with an idea for an "attack" that turned out to be quite feasible (and eventually led to CA-96.05). For the record, this was not (initially) the full-source-code distribution, just the base Java code.

I'm sure that others who are much more malicious than I, who are much more familiar with Java, have more resources at hand, and will continue to have similar experiences.
As usual, comments are welcomed,
-- Steve@AZTech.Net

From firewalls-owner Thu Apr 4 22:35:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA11775 for firewalls-outgoing; Thu, 4 Apr 1996 21:35:56 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA09031 for ; Thu, 4 Apr 1996 21:08:58 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id RAA15720; Thu, 4 Apr 1996 17:18:33 -0800
Received: from sandy.sandpiper.com(204.96.232.2) by mycroft via smap (V1.3mjr) id sma015702; Thu Apr 4 17:17:46 1996
Received: by sandy.sandpiper.com (4.1/SMI-4.1) id AA04773; Thu, 4 Apr 96 17:24:27 PST
Date: Thu, 4 Apr 96 17:24:27 PST
From: chris@sandpiper.com (Chris Newton)
Message-Id: <9604050124.AA04773@sandy.sandpiper.com>
To: firewalls@greatcircle.com
Subject: NCSA httpd
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I know this is off-topic, so if anyone can point me to a more appropriate place, I shall take the question there. But I guess a number of you would run this web server, so might be able to shed some light on this.

Anyway, I'm trying to set up a web server running on the NCSA httpd, and am having a strange problem with my CGI scripts. I'm using numerous CGI scripts, scattered throughout my document tree, so am using a .cgi extension to identify them. I have uncommented the line in the srm.conf file which reads:

AddType application/x-httpd-cgi .cgi

in order to enable the filename extension recognition, and altered my Options line in access.conf, in the section for my documents, to read

Options Indexes FollowSymLinks Includes ExecCGI

Everything works well for a while (a number of days), and then suddenly whenever I attempt to view a page created by one of my CGI files, instead of displaying the page, it attempts to FTP it to my client machine.
Sending a SIGHUP to the server cures the problem. Can anyone throw any light on this at all? I'm running Solaris 2.5 on both the client and server, which are separate boxes.

Thanx in advance
chris newton
one confused webmaster
sandpiper software consulting

From firewalls-owner Thu Apr 4 22:42:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA18542 for firewalls-outgoing; Thu, 4 Apr 1996 21:56:55 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA10275 for ; Thu, 4 Apr 1996 21:23:31 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id PAA12463; Thu, 4 Apr 1996 15:47:49 -0800
Received: from unknown(204.247.159.242) by mycroft via smap (V1.3mjr) id sma012432; Thu Apr 4 15:46:47 1996
Received: from snowball.connectix.com by apu.connectix.com (5.64/Tenon-1.35.01) id AA02678; Thu, 4 Apr 96 15:53:17 -0800 (PST)
Date: Thu, 4 Apr 96 15:53:17 -0800 (PST)
Message-Id: <9604042353.AA02678@apu.connectix.com>
Subject: Auth requests
From: Rob Sansom
To:
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thanks to those of you who informed me about the Cisco access-list 'log' command. I looked through my CD for any mention of that command for IOS 10.3, and found none. _Very_ useful. This was the first 'undocumented feature' I have ever encountered in any software that I actually like.

One thing that I noticed while playing with it, was that many mailers try to make a connection to the 'auth' port 113 during the first part of a transaction. I'm not too sure what 'auth' is, but I am guessing that the one server is trying to authenticate the other?

For those of you who are in the dark like I was, here's how to use the log command in your Cisco extended access lists.
access-list 111 deny tcp any host 123.456.7.8 eq smtp log

The next step is to enable logging to whichever device you desire; console, syslogd, or memory buffer on the router. Note: You must be in configuration mode to do this.

To keep logs in the memory on the router (it's better to send them to a _secure_ syslogd), use the global config command 'logging buffered'

To send them to a host running syslogd, it's 'logging hostname' (hostname is the host to send the logs to)

Sample Output:

%SEC-6-IPACCESSLOGP: list 190 denied tcp 123.123.123.1(52894) -> 456.456.456.1 (25), 7 packets
%SEC-6-IPACCESSLOGP: list 190 denied tcp 123.123.123.1(53190) -> 456.456.456.1 (25), 1 packet
%SEC-6-IPACCESSLOGP: list 190 denied tcp 123.123.123.1(53190) -> 456.456.456.1 (25), 7 packets
%SEC-6-IPACCESSLOGP: list 190 denied tcp 123.123.123.1(53441) -> 456.456.456.1 (25), 1 packet
%SEC-6-IPACCESSLOGP: list 190 denied tcp 123.123.123.1(53441) -> 456.456.456.1 (25), 7 packets
%SEC-6-IPACCESSLOGP: list 190 denied tcp 123.123.123.1(53910) -> 456.456.456.1 (25), 1 packet
%SEC-6-IPACCESSLOGP: list 190 denied tcp 123.123.123.1(53910) -> 456.456.456.1 (25), 7 packets
%SEC-6-IPACCESSLOGP: list 190 denied udp 123.555.666.2(137) -> 456.456.456.1(13 7), 1 packet
%SEC-6-IPACCESSLOGP: list 190 denied tcp 123.123.123.1(54185) -> 456.456.456.1 (25), 1 packet

By the way, what runs on port 137 ??

If you decide to log to a buffer on the router, then here are some useful commands:

To see the logs:
show log

to clear the logs:
#configure
#(config)no logging buffered
#(config)logging buffered

Hope this helps.

Rob Sansom
Network/Systems Admin.
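The log lines in the message above are plain syslog text, and on a busy router they arrive faster than anyone reads them, so the practical next step is to aggregate them per flow. The Python below is an added example (not code from Rob Sansom's message or from Cisco): it parses the %SEC-6-IPACCESSLOGP format shown above, sums the reported packet counts per source/destination/port, tolerates the wrapped "(13 7)" port field, and flags sources that keep retrying from new ephemeral ports. The sample input is the message's own sample output; the function names and the small port-name table are assumptions made for illustration.

```python
"""Aggregate Cisco IOS %SEC-6-IPACCESSLOGP syslog lines per flow.

Added example; not part of the original message or of IOS itself.
"""
import re
from collections import defaultdict

# One regex for the line shape shown in the message above.  The archive shows
# one entry wrapped as "(13 7)", so whitespace inside the port parentheses is
# accepted here and stripped before conversion to an integer.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP:\s+list\s+(?P<acl>\S+)\s+(?P<action>denied|permitted)\s+"
    r"(?P<proto>\w+)\s+(?P<src>[\d.]+)\s*\((?P<sport>[\d ]+)\)\s*->\s*"
    r"(?P<dst>[\d.]+)\s*\((?P<dport>[\d ]+)\),\s+(?P<count>\d+)\s+packets?"
)

# Service names for ports that come up in this thread (assumed table, not from
# IOS).  UDP 137 is the NetBIOS name service that Windows hosts use for name
# resolution, which is why it shows up unsolicited at Internet borders.
PORT_NAMES = {25: "smtp", 113: "auth/ident", 137: "netbios-ns", 2049: "nfs"}

# Constructed sample input: the nine lines quoted in the message above.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 190 denied tcp 123.123.123.1(52894) -> 456.456.456.1 (25), 7 packets
%SEC-6-IPACCESSLOGP: list 190 denied tcp 123.123.123.1(53190) -> 456.456.456.1 (25), 1 packet
%SEC-6-IPACCESSLOGP: list 190 denied tcp 123.123.123.1(53190) -> 456.456.456.1 (25), 7 packets
%SEC-6-IPACCESSLOGP: list 190 denied tcp 123.123.123.1(53441) -> 456.456.456.1 (25), 1 packet
%SEC-6-IPACCESSLOGP: list 190 denied tcp 123.123.123.1(53441) -> 456.456.456.1 (25), 7 packets
%SEC-6-IPACCESSLOGP: list 190 denied tcp 123.123.123.1(53910) -> 456.456.456.1 (25), 1 packet
%SEC-6-IPACCESSLOGP: list 190 denied tcp 123.123.123.1(53910) -> 456.456.456.1 (25), 7 packets
%SEC-6-IPACCESSLOGP: list 190 denied udp 123.555.666.2(137) -> 456.456.456.1(13 7), 1 packet
%SEC-6-IPACCESSLOGP: list 190 denied tcp 123.123.123.1(54185) -> 456.456.456.1 (25), 1 packet
"""


def parse_line(line):
    """Return a dict of fields for one IPACCESSLOGP line, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return {
        "acl": d["acl"],
        "action": d["action"],
        "proto": d["proto"],
        "src": d["src"],
        "sport": int(d["sport"].replace(" ", "")),
        "dst": d["dst"],
        "dport": int(d["dport"].replace(" ", "")),
        "count": int(d["count"]),
    }


def summarise(text):
    """Group entries by (proto, src, dst, dport); sum the packet counts IOS reported.

    Returns (flows, unparsed): flows maps the key to entry count, packet total
    and the set of source ports seen; unparsed collects lines that did not match.
    """
    flows = defaultdict(lambda: {"entries": 0, "packets": 0, "sports": set()})
    unparsed = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
            continue
        f = flows[(rec["proto"], rec["src"], rec["dst"], rec["dport"])]
        f["entries"] += 1
        f["packets"] += rec["count"]
        f["sports"].add(rec["sport"])
    return dict(flows), unparsed


def repeated_sources(flows, min_ports=3):
    """Sources that retried the same service from at least min_ports source ports.

    A fresh ephemeral port per attempt is what a client retrying connections
    looks like, which separates persistent probing from a single stray packet.
    """
    return {src for (_, src, _, _), f in flows.items() if len(f["sports"]) >= min_ports}


def report(flows):
    """One human-readable line per flow, busiest first."""
    lines = []
    for (proto, src, dst, dport), f in sorted(flows.items(), key=lambda kv: -kv[1]["packets"]):
        name = PORT_NAMES.get(dport, "unknown")
        lines.append(
            f"{proto} {src} -> {dst}:{dport} ({name}): {f['entries']} entries, "
            f"{f['packets']} packets reported, {len(f['sports'])} distinct source ports"
        )
    return lines


if __name__ == "__main__":
    flows, unparsed = summarise(SAMPLE_LOG)
    print("\n".join(report(flows)))
    print("repeated sources:", sorted(repeated_sources(flows)))
    print("unparsed lines:", len(unparsed))
```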
Connectix Corp
(415) 638-7398
sansom@connectix.com

From firewalls-owner Fri Apr 5 05:00:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA17116 for firewalls-outgoing; Fri, 5 Apr 1996 04:44:28 -0800 (PST)
Received: from ns.iunet.it (ns.iunet.it [192.106.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA17100 for ; Fri, 5 Apr 1996 04:44:19 -0800 (PST)
Received: from omid030.omnitel.it (mailhost.omnitel.it) by ns.iunet.it with SMTP id AA24588 (5.65c8/IDA-1.4.4 for ); Fri, 5 Apr 1996 12:42:39 GMT
Message-Id: <199604051241.OAA25480@argo.omnitel.it>
From: Alex Pakter
Subject: Re: Users who forget their passwords
To: Firewalls@GreatCircle.COM
Date: Fri, 5 Apr 1996 14:41:18 +0200 (MET DST)
In-Reply-To: <199604042016.MAA08486@miles.greatcircle.com> from "firewalls-digest-owner@GreatCircle.COM" at Apr 4, 96 12:16:20 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From: Michael Dillon (I think -- sorry if that's wrong)
>> If you can't think
>> of a sentence on your own, use a song: "Just sit right back
>> and you'll hear a tale, a tale of a fateful trip. That started
>> from this tropic port, aboard this tiny ship." ("Gilligan's Isle"
>> theme song for the culturally depraved.) "Jsrbayhat,"
>> "atoaft," "Tsfttp," "atts." Works for me.
>
>Now that this idea has become public it is no longer secure. There are
>archives of song lyrics available on the Internet and it is child's play
>to process them into a list of words to feed into crack.

I have a fairly secure way of creating passwords (I think): You take something around your workspace, and read the password off it. For example, it might be the reversed ISBN number off that book on the second shelf. Or the first line of the third chapter. Or the address of the company that makes your favorite computer game. Or the service ID number of your colleague's computer.
There's no need to write down your password when your workspace is CRAMMED with pre-written-down passwords. You just have to pick one.

Now, the important part is not to let everyone see you craning your neck to see the serial number of your computer every 10 minutes. Be a little more subtle/clever.

Alex

| Alex Pakter - UNIX systems analyst
---- | Omnitel Pronto Italia - Milano, Italy
| Internet Mail: Alex.Pakter@omnitel.it
Have a day. | WWW Home Page: http://idiom.com/~alex (in progress)

From firewalls-owner Fri Apr 5 06:10:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA18932 for firewalls-outgoing; Fri, 5 Apr 1996 05:49:19 -0800 (PST)
Received: from portal.west.saic.com (portal.west.SAIC.com [198.151.12.15]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA18926 for ; Fri, 5 Apr 1996 05:49:16 -0800 (PST)
Received: from cpmx.west.saic.com ([139.121.16.80]) by portal.west.saic.com via smtpd (for miles.greatcircle.com [198.102.244.34]) with SMTP; 5 Apr 1996 13:47:19 UT
Received: from mclqm.mail.saic.com by cpmx.saic.com; Fri, 5 Apr 96 05:46:08 -0800
Message-ID:
Date: 5 Apr 1996 08:53:53 -0400
From: "Muhammad Ali"
Subject: quit
To: "fire walls"
X-Mailer: Mail*Link SMTP-QM 3.0.2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

4/5/96 8:45 AM

Please take me off this mailing list. Thank you.
muhammad
Special Announcement

From firewalls-owner Fri Apr 5 06:28:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA20177 for firewalls-outgoing; Fri, 5 Apr 1996 06:21:03 -0800 (PST)
Received: from devildog.liii.com (devildog.liii.com [204.180.230.239]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA20151 for ; Fri, 5 Apr 1996 06:20:55 -0800 (PST)
Received: (from uucp@localhost) by devildog.liii.com (8.6.12/8.6.9) id JAA26902 for ; Fri, 5 Apr 1996 09:18:56 -0500
Received: from ismochief(199.33.207.3) by devildog via smap (V1.3) id sma026900; Fri Apr 5 09:18:43 1996
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7Bit
X-Mailer: BeyondMail for Windows/SMTP 2.2
To: firewalls@greatcircle.com
From: Jon Freivald
Subject: TIS Toolkit and Banyan VINES?
Date: Fri, 5 Apr 1996 09:47:36 -0800
X-BeyondMail-Priority: 1
Message-Id:
Conversation-Id:
Reply-To: Jon Freivald
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Please let me start by saying that this message is going to show my level of ignorance. Please excuse any "stupid" questions...

I'm currently running a Linux system with the TIS Toolkit on it. The only services we are supporting are mail (using smap/smapd and netacl for pop3d), and outbound http, telnet and ftp. I have IP forwarding disabled in the Linux kernel (1.2.8 in case it matters).

Anyway, our internal network is Banyan VINES. Banyan offers a TCP/IP server-to-server option, which I am being told we must move to "RSN". Management's solution is to put the VINES server outside of the firewall -- kinda makes the firewall useless, eh?

I called Banyan to ask them about how the TCP/IP server-to-server worked (hoping to be able to do something with plug-gw). Instead of talking about ports, they were talking about "protocol 0x53". I'm afraid that this is where they lost me...
Is there going to be any way that I can proxy this traffic, or am I going to have to look for a different solution?

All answers (including "You don't have a clue - go read xxxxxx") are welcome.

Thanks in advance,
Jon
--
Jon Freivald jaf@devildog.liii.com

From firewalls-owner Fri Apr 5 06:59:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA20325 for firewalls-outgoing; Fri, 5 Apr 1996 06:25:27 -0800 (PST)
Received: from uu11.psi.com (uu11.psi.com [38.8.24.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA20315 for ; Fri, 5 Apr 1996 06:25:23 -0800 (PST)
Received: from gate.funb.com by uu11.psi.com (5.65b/4.0.940727-PSI/PSINet) via SMTP; id AA14870 for ; Fri, 5 Apr 96 09:19:01 -0500
Received: by funb.com (4.1/SMI-4.1) id AA27325; Fri, 5 Apr 96 09:19:00 EST
Received: from cm_mailhost.capmark.funb.com by gate.funb.com via SMTP (V1.3) id sma027323; Fri Apr 5 09:18:48 1996
Received: from funws302.capmark.funb.com (funws302 [168.175.7.54]) by capmark.funb.com (8.7.4/8.7.3) with ESMTP id JAA13109; Fri, 5 Apr 1996 09:18:45 -0500 (EST)
From: "Mark Horn [ Net Ops ]"
Received: (mhorn@localhost) by funws302.capmark.funb.com (8.6.12/8.6.12) id JAA09872; Fri, 5 Apr 1996 09:18:44 -0500
Message-Id: <199604051418.JAA09872@funws302.capmark.funb.com>
Subject: Re: Re[2]: About the firewalls using RIP or static routes
To: Brian_Murrell@bctel.net (Brian Murrell)
Date: Fri, 5 Apr 1996 09:18:43 -0500 (EST)
Cc: pferguso@cisco.com, armando@sar.net, firewalls@GreatCircle.COM
In-Reply-To: <199604012338.PAA22549@mocha.bctel.net> from "Brian Murrell" at Apr 1, 96 03:38:42 pm
X-Mailer: ELM [version 2.4 PL24 ME8]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Brian Murrell says:
>from the quill of Paul Ferguson on scroll
><199603290515.VAA22417@lint.cisco.com>
>> Answer: No routes.
>
>That answer doesn't scale very well. How 'bout dynamic routing in the core
>only??
>
>For instance: what if your network is very large and your firewall is used
>to choke many other networks all gated by routers out to the Internet.
>Managing the static routes everywhere gets tedious and leaves room for
>error. Why not have the routers that border the networks statically
>populated but updating the firewall (who of course only listens to route
>updates on its "internal" interfaces) dynamically.

I don't think that's a very workable solution. How do you enforce that routed will listen on the internal interface only? What if your firewall employs a Bastion host with only one interface?

The solution that we chose was to put a router in front of the firewall. New networks that need to be supported by the firewall are not connected to the firewall network, but to an interface on this router. It listens to RIP and manages the dynamic routes. The firewall has a static route to the internal class B network via this router.

This means that I don't have to run routed on the firewall, so I don't have to worry about someone on the outside forging routes. Additionally, I can put filters on that router giving us better "defense in depth". And the routing on the firewall is trivial:

Internal class B -> internal router
Default -> external router

Cheers,
--
Mark Horn mhorn@funb.com
Free Advice and Opinions -- Refunds Available

From firewalls-owner Fri Apr 5 07:16:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA22522 for firewalls-outgoing; Fri, 5 Apr 1996 07:08:25 -0800 (PST)
Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA22516 for ; Fri, 5 Apr 1996 07:08:20 -0800 (PST)
Received: from clark.net (mjr@clark.net [168.143.0.7]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id KAA24330 for ; Fri, 5 Apr 1996 10:06:23 -0500 (EST)
From: "Marcus J. Ranum"
Received: (from mjr@localhost) by clark.net (8.7.1/8.7.1) id KAA28426 for Firewalls@GreatCircle.COM; Fri, 5 Apr 1996 10:06:21 -0500 (EST)
Message-Id: <199604051506.KAA28426@clark.net>
Subject: What layer?
To: Firewalls@GreatCircle.COM
Date: Fri, 5 Apr 1996 10:06:20 -0500 (EST)
In-Reply-To: <199604050644.WAA27179@miles.greatcircle.com> from "firewalls-digest-owner@GreatCircle.COM" at Apr 4, 96 10:44:50 pm
Reply-To: mjr@v-one.com
Organization: V-One Corporation, Baltimore, MD
Office Phone: 410-889-8569
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

smith135@mc.duke.edu writes:
>I was at a seminar presented by Stuart Holoman, Holocon Inc.
>yesterday, and he said firewalls are not effective/implementable
>below the session layer:
>I don't know if he was speaking in abstract terms (e.g., not many
>people know how to make them effective).

He was probably either speaking in abstract terms, or he didn't know what he was speaking about. "Experts" are certainly crawling out of the woodwork these days, and it seems that the main qualification for teaching seminars on firewalls is to FTP my old viewgraphs from the 'net, read C&B and C&Z, and start to make grand pronouncements. :)

mjr.
From firewalls-owner Fri Apr 5 07:46:18 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA22787 for firewalls-outgoing; Fri, 5 Apr 1996 07:16:26 -0800 (PST)
Received: from gateway.damark.com (GATEWAY.DAMARK.COM [204.17.145.230]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA22781 for ; Fri, 5 Apr 1996 07:16:20 -0800 (PST)
Received: by gateway.damark.com; id JAA18115; Fri, 5 Apr 1996 09:14:22 -0600
Received: from unknown(172.31.254.231) by gateway.damark.com via smap (g3.0.1) id sme018111; Fri, 5 Apr 96 09:14:02 -0600
Received: by damark.com (5.65/1.2-eef) id AA14390; Fri, 5 Apr 96 09:12:17 -0600
Message-Id: <9604051512.AA14390@damark.com>
From: "william.wells"
To: FIREWALLS
Subject: FW: Securid BAD Tech Support
Date: Fri, 05 Apr 96 09:06:00 CST
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Originally From: vin@shore.net (Vin McLellan)

SDI Engineering will eventually put in a command line interface for administration in the ACE code -- and it probably will be a 2.X version of the ACE/Server, rather than a 3.X -- but it doesn't exist now and there are no plans to offer it in the immediate future.

I write:

I personally find this the one most frustrating thing about SecurID. I can't automatically determine card usage (logs, active cards, etc) or snapshot the database using their tools. Hence, for example, I am unable to determine easily if someone slipped in somehow and created (or reactivated) a new card (which would be a person problem on my side) or automate a map of card usage by time of day.

In the drive to GUI interfaces (and I'm treating SDI's menu mechanism as a weak-GUI), people forget that without the command line interface, you can't perform automatic verification of manual processes, perform regularly scheduled tasks (such as a database dump), and such. This 'new feature' frequently hampers large site automation of security checks.
The fastest way for a sales person to lower my opinion of their product is for them to say that they converted their administration to a GUI since this means that they've just broken automated administration and they've now consumed 30 minutes of someone's time to do the daily peek. This is especially true if that GUI is Windows based (since DOS/Windows tasks are not easily automated anyway).

William Wells
Manager, Technical Support
Damark International, Inc.
william.wells@damark.com
Normal disclaimers apply.....

From firewalls-owner Fri Apr 5 07:58:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA24497 for firewalls-outgoing; Fri, 5 Apr 1996 07:40:41 -0800 (PST)
Received: from tuna.wang.com (tuna.wang.com [150.124.136.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA24489 for ; Fri, 5 Apr 1996 07:40:36 -0800 (PST)
Received: from mail.wangfed.com (ns.wangfed.com [159.94.10.19]) by tuna.wang.com (8.6.12/8.6.12tf1) with SMTP id KAA10842 for ; Fri, 5 Apr 1996 10:38:36 -0500
Received: from hfsi.hfsi.com by mail.wangfed.com (1.37.109.4/A.09.00a) id AA04719; Fri, 5 Apr 96 10:28:22 -0600
Received: from [159.94.14.48] by hfsi.hfsi.com (BULL 5.61++/B.O.S 02.01) id AA16110; Fri, 5 Apr 96 10:32:33 -0500
Date: Fri, 5 Apr 96 10:32:33 -0500
Message-Id: <9604051532.AA16110@hfsi.hfsi.com>
From: "KM"
Reply-To: "KM"
To: firewalls@GreatCircle.com
Subject: Re: Firewalls at lower levels?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In message <01I35FD8T9O2003CBE@mc.duke.edu> writes:
> I was at a seminar presented by Stuart Holoman, Holocon Inc.
> yesterday, and he said firewalls are not effective/implementable
> below the session layer:
>
> layer 7 - App support
> layer 6 - Presentation
> layer 5 - Session
> layer 4 - Transport
> layer 3 - Network
> layer 2 - Data link
> layer 1 - Physical
>
> Any comments?
> I don't know if he was speaking in abstract terms (e.g., not many
> people know how to make them effective).

I find this very surprising. It would appear that Mr. Holoman is dismissing out of hand the efficacy of packet filters, which operate at the IP level. He may well feel this way, but it would have been nice of him to state *explicitly* that he didn't think *PACKET FILTERS* were effective/implementable, rather than using OSI layer mumbo-jumbo to obfuscate his message. If that was, indeed, his message (based on what he said, who can tell?).

K.M. Goertzel, Program/Project Manager
Secure Systems and Services Operation
WANG FEDERAL, Inc.
7900 Westpark Drive - MS 700
McLean, VA 22102-4299 USA
TEL: 703-827 3914 FAX: 703-827 3161
EMAIL: goertzek@wangfed.com WEB: http://www.wangfed.com
+-------------------------------------------+
| I am not young enough to know everything. |
| - J.M. Barrie |
+-------------------------------------------+

From firewalls-owner Fri Apr 5 08:37:11 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA24368 for firewalls-outgoing; Fri, 5 Apr 1996 07:38:06 -0800 (PST)
Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA24340 for ; Fri, 5 Apr 1996 07:37:59 -0800 (PST)
Received: from clark.net (mjr@clark.net [168.143.0.7]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id KAA01243 for ; Fri, 5 Apr 1996 10:36:01 -0500 (EST)
From: "Marcus J. Ranum"
Received: (from mjr@localhost) by clark.net (8.7.1/8.7.1) id KAA08297 for firewalls@greatcircle.com; Fri, 5 Apr 1996 10:35:52 -0500 (EST)
Message-Id: <199604051535.KAA08297@clark.net>
Subject: Re: complaining to the CEO
To: firewalls@greatcircle.com
Date: Fri, 5 Apr 1996 10:35:48 -0500 (EST)
Reply-To: mjr@v-one.com
Organization: V-One Corporation, Baltimore, MD
Office Phone: 410-889-8569
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Just an FYI, for those of you who haven't been there:

Complaining to the CEO of a company is not an effective strategy unless what you're trying to accomplish is a short-term reduction of your blood pressure. What happens if you complain directly to the boss is either:

1) It gets seen, and a massive, inefficient firedrill is begun, which eats up lots of everyone's time, and produces a short-term solution applying to that given moment in time and next time you have the same problem you'll discover it isn't fixed.

2) It gets ignored, and your blood pressure just goes up another notch. One day, someone finds you swelled with rage like a bloated tick, and calls the bomb squad to detonate you safely.

Any company that puts its CEO at the top rank of sales support is going to be a bit micromanaged. :) Bill Gates, for example, is a Pretty Busy Guy. I'm sure his shareholders would rather have him building value for the company than wading through firewalls@greatcircle.com. I know I would. :)

Some CEOs read their own Email, many others have a secretary that forwards it to a nondescript mailbox, or print it for reading on a plane. In this wIrEd world, it's seen as a sign of hipness to avoid paper, but the fact is that paper's mighty portable and there's lots of paper bandwidth.
I find it ironic that someone would complain that when they try to reach Security Dynamics, everyone was at N+I, but there's an expectation that the CEO will read his Email. :) What happens is it's no longer "we're all at N+I" it's now "we're all reading our Email" -- recognize that in today's environment, time is *THE* most important resource anyone has, and stop getting insulted when someone doesn't drop everything to take care of every low-priority interrupt that comes along.

When we did the whitehouse.gov thing, there were a lot of folks who seemed to have the idea that Bill Clinton actually read all his Email! And they expected replies! Imagine, the CEO of the most important company (albeit not a profitable one) on the planet, and he's expected to spend all his time reading Email? I hope not, guys, that's not what we're paying them the big $$ for.

Another way of thinking about the Email-to-the-CEO thing is that you *MAY* have the unique experience of having a second of a multibillionaire's time as Bill Gates reads your mail and thinks, "what a putz" as he deletes it.

mjr.
--
Chief Scientist, V-ONE Corporation -- "Security for a connected world"
work http://www.v-one.com
personal http://www.clark.net/pub/mjr/mjr-top.html

From firewalls-owner Fri Apr 5 09:14:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA26561 for firewalls-outgoing; Fri, 5 Apr 1996 08:23:28 -0800 (PST)
Received: from ereapp.erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA26545 for ; Fri, 5 Apr 1996 08:23:22 -0800 (PST)
Received: (from smap@localhost) by ereapp.erenj.com (8.7.4/8.7.3) id MAA23089; Fri, 5 Apr 1996 12:21:21 -0400
Received: from eredns.erenj.com(159.70.1.252) by ereapp.erenj.com via smap (V1.3) id sma023085; Fri Apr 5 11:21:15 1996
Posted-Date: Fri, 5 Apr 1996 11:21:14 -0500
Received: by stargate.erenj.com; (5.65v3.2/1.1.8.2/12Feb96-1009AM/bdboyle@erenj.com) id AA01233; Fri, 5 Apr 1996 11:21:14 -0500
From: "Bryan D. Boyle"
Message-Id: <9604051121.ZM1203@stargate.erenj.com>
Date: Fri, 5 Apr 1996 11:21:14 -0500
In-Reply-To: "Marcus J. Ranum" "What layer?" (Apr 5, 10:06am)
References: <199604051506.KAA28426@clark.net>
X-Mailer: Z-Mail (3.2.1 10oct95)
To: mjr@v-one.com
Subject: Re: What layer?
Cc: firewalls@greatcircle.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Apr 5, 10:06am, Marcus J. Ranum wrote:
> He was probably either speaking in abstract terms, or he
> didn't know what he was speaking about. "Experts" are certainly
> crawling out of the woodwork these days, and it seems that the
> main qualification for teaching seminars on firewalls is to FTP
> my old viewgraphs from the 'net, read C&B and C&Z, and start to
> make grand pronouncements. :)

Heck, you found me out...:)

Actually, the definition of a consulting expert is someone that borrows your watch to tell you the time...:)

--
Bryan D. Boyle | EMAIL: bdboyle@erenj.com 908-730-3338
#include | http://www.access.digex.net/~bdboyle/index.html
"It is only the ignorant who suppose themselves omniscient." --General Robert Edward Lee--

From firewalls-owner Fri Apr 5 09:15:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA27093 for firewalls-outgoing; Fri, 5 Apr 1996 08:34:20 -0800 (PST)
Received: from nrtc.nrtc.northrop.com (nrtc.northrop.com [128.99.0.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA27071 for ; Fri, 5 Apr 1996 08:34:14 -0800 (PST)
Received: from lazarus.nrtc.northrop.com by nrtc.nrtc.northrop.com id aa10442; 5 Apr 96 1:10 PST
Received: from dns.nad.northrop.com by lazarus.nrtc.northrop.com (15.4a/15.6.b) id AA17278; Fri, 5 Apr 96 08:31:41 pst
Received: from ccmail.nad.northrop.com by nad.northrop.com with SMTP (15.11/15.6.ccMail) id AA24096; Fri, 5 Apr 96 08:22:43 pst
Received: from ccMail by ccmail.nad.northrop.com (IMA Internet Exchange 1.04b) id 1654ac10; Fri, 5 Apr 96 08:30:57 -0800
Mime-Version: 1.0
Date: Fri, 5 Apr 1996 08:26:40 -0800
Message-Id: <1654ac10@ccmail.nad.northrop.com>
From: Michael_Beeler@ccmail.northrop.com
Subject: Re[2]: Netscape Navigator and Firewalls
To: firewalls@greatcircle.com, Michael Dillon
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Works with the SSL patch in version 4.2.2 of the CERN proxy (SOCKSIFIED) as well.

Mike Beeler
Sr. Security Specialist
Northrop Grumman

______________________________ Reply Separator _________________________________
Subject: Re: Netscape Navigator and Firewalls
Author: Michael Dillon at INTERNET
Date: 4/4/96 12:14 AM

On Mon, 1 Apr 1996, Steven W. Engle wrote:
> I can only assume this is intentional behavior in order to get people to
> buy Netscape's "proxy server". Has anyone ever configured and/or used one
> in conjunction with a firewall? Does it really work?

Works with the CERN httpd proxy server http://www.w3.org

Michael Dillon Voice: +1-604-546-8022
Memra Software Inc. Fax: +1-604-546-3049
http://www.memra.com E-mail: michael@memra.com

From firewalls-owner Fri Apr 5 09:45:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA02412 for firewalls-outgoing; Fri, 5 Apr 1996 09:35:11 -0800 (PST)
Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA02251 for ; Fri, 5 Apr 1996 09:33:30 -0800 (PST)
Received: from anubis.network.com by nsco.network.com (4.1/1.34) id AA19839; Fri, 5 Apr 96 11:34:31 CST
Received: from blefscu.network.com by anubis.network.com (4.1/SMI-4.1) id AA12781; Fri, 5 Apr 96 11:32:41 CST
Date: Fri, 5 Apr 96 11:32:41 CST
From: amolitor@anubis.network.com (Andrew Molitor)
Message-Id: <9604051732.AA12781@anubis.network.com>
To: firewalls@greatcircle.com
Subject: Re: Re[2]: About the firewalls using RIP or static routes
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What, you mean to say that some barbarian is still selling a router that can't run encrypted and authenticated tunnels to its peers for pushing routing updates around? How terrifying!

More seriously, you really do want to pin down whatever your firewall boxes are using for forwarding, be that a bridge forwarding table or a routing table. Make it static, do your best to filter out any attempts to send updates around, ignore ICMP redirects, etc. Take any vendor claims about how they only accept updates from defined peers etc with a big grain of salt. How hard can it possibly be to forge such an update with a forged source address (and probably a sequence number or something you have to guess).
We've seen time and time again that the ONLY reliable way to be damn sure you're getting data from the box you think you're getting it from is with encryption. Since there's typically no real good reason to even want to accept routing information from anyone, in a firewall, you don't really need to justify the hassles of encryption. When the benefit is nil, the tradeoffs are easy. Andrew From firewalls-owner Fri Apr 5 10:06:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA02398 for firewalls-outgoing; Fri, 5 Apr 1996 09:35:00 -0800 (PST) Received: from nwnexus.wa.com (nwnexus.wa.com [192.135.191.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA02373 for ; Fri, 5 Apr 1996 09:34:54 -0800 (PST) Received: by nwnexus.wa.com id AA09733 (5.65c/IDA-1.4.4 for GreatCircle.com!firewalls); Fri, 5 Apr 1996 09:32:53 -0800 Message-Id: <199604051732.AA09733@nwnexus.wa.com> Received: by pern (1.38.193.4/16.2) id AA11779; Fri, 5 Apr 1996 09:22:34 -0800 From: Steve Knox Subject: Re: more on mail addresses To: firewalls@GreatCircle.com Date: Fri, 5 Apr 96 9:22:34 PST Organization: Driftwood Systems, Inc. Mailer: Elm [revision: 70.85] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi all, > > On Thu, 4 Apr 1996, Mike Jones wrote: > > > > Michael writes: > > > > > > Your CEO is named Peter Smith Peter_Smith@organization.com > > > You hire Pete Smith to work on graphics for the widget brochures. > > > Your VP finance sends email regarding the layoff of 500 employees with a > > > breakdown by department and the names of several managers to be axed > > > along with the managers current salaries. He addresses it to > > > Pete_Smith@organization.com > > > Ooops! UNO-what hits the fan after Pete posts this on a public > > > company-wide discussion group... [ stuff deleted ...] 
> Michael Dillon: michael@memra.com responds > But what if the ID's are a7a22640@org.com and m3h33674@org.com where the > first letter is the division (a - executive, m - marketing), the next two > characters represent a dept code and the last 4 are an employee id within > the dept and the last digit is a checksum to prevent transposition errors. > > Or some similar sort of employee ID scheme. [ stuff deleted ...] > > In fact, from a human factors point of view, it seems likely that > > "non-obvious" (a better term might be "user hostile") mail names are > > *more* likely to cause misdelivery of mail, because it is less > > obvious if one has mistyped an address. > > I believe the scheme should be chosen to make it difficult to mistype an > address. The schemes I outline above essentially require 3 pieces of info > to generate a complete address, either division/dept/emp-id or > dept/name/physical-location The non-obvious naming scheme is simply going to encourage people to not use email and/or use the built-in alias/addressbook feature of the mailer to map the encoded ID into something human readable like Pete_Smith or Peter_Smith or pSmith ... You haven't solved the problem, just made it more obscure. No one will remember the scheme because they will make an alias or address book entry immediately. A more feasible naming policy for a large organization might be via domain or sub-domain Peter_Smith@corporate.organization.com - external Peter_Smith@corporate - internal Pete_Smith@advertising.organization.com Joe_Smith@mktg Joseph_Smith@engr etc. This is still not perfect but somewhat easier to remember and more along the lines of traditional mail where folks use mail stops or departments to segment the mail. > > The point here is that a message of that level of business importance > > should probably be hand delivered, not sent by any medium where there's > > a noticeable possibility of misdelivery. > > Try telling that to the VP Finance. 
Remember, he's a bean counter and > this is an information systems expert because he has a subscription to PC > magazine. Fact is the VP Finance is responsible for the screw-up for not verifying the delivery mechanism and taking appropriate care. We love to blame technology or anything else when we screw up. Fact also is that he/she will probably get nothing more than a slap on the wrist. After all 'he' is most likely part of the good ol' boys group that is responsible for the layoff in the first place due to lack of management skills. What it all comes down to once again is security (as a general term) must be a comprehensive part of a company's information infrastructure. email naming conventions must be usable and understandable both internally and externally if mistakes are to be avoided. Of course it would help if we were working with an underlying infrastructure that at least considered security, authorization and authentication from the get-go. Unfortunately we are working with protocols that were designed without these aspects and everything is sort of hooked on. Yes this means that your users and officers will be susceptible to mail bombs which means the firewall and or perimeter needs to have an appropriate filter installed and/or some manual scanning must take place. The perimeter filtering would be easier if we had a mail system (or better yet a communication infrastructure) that had true authentication built-in at the protocol or language level. Of course it still won't be perfect, nothing is but it would be better. Steve Knox -- Steve Knox (206) 775-6495 fortknox@driftwood.com Driftwood Systems, Inc ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Microsoft is not the answer, Microsoft is the question. No is the answer. 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From firewalls-owner Fri Apr 5 11:12:45 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA06252 for firewalls-outgoing; Fri, 5 Apr 1996 10:23:59 -0800 (PST) Received: from SterCtl.com (p197.iwl.net [204.177.208.197]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA06246 for ; Fri, 5 Apr 1996 10:23:54 -0800 (PST) Received: (from dennis@localhost) by SterCtl.com (8.6.12/8.6.12) id MAA03893 for firewalls@greatcircle.com; Fri, 5 Apr 1996 12:23:56 -0600 From: Dennis Moroney Message-Id: <199604051823.MAA03893@SterCtl.com> Subject: Re: Interesting packets fron the net To: firewalls@greatcircle.com Date: Fri, 5 Apr 1996 12:23:54 -0600 (CST) In-Reply-To: from "W.C. Epperson" at Apr 3, 96 12:51:45 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk According to W.C. Epperson: > > > > > Yes, you are wrong. Add the verb 'log' to the end of an access-list > > rule and you will get the source IP address, destination IP address > > as well as the source and destination ports. > > > What version of IOS? At 10.2(11), it barfs on the "log" part, if placed > at the end of the access-list entry. Is that the correct syntax? At least IOS 10.3(8) and above. 
-- Dennis Moroney From firewalls-owner Fri Apr 5 11:13:37 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA06836 for firewalls-outgoing; Fri, 5 Apr 1996 10:34:03 -0800 (PST) Received: from hydra.acs.uci.edu (hydra.acs.uci.edu [128.200.16.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA06813 for ; Fri, 5 Apr 1996 10:33:38 -0800 (PST) Received: from bingy.acs.uci.edu (strombrg@bingy.acs.uci.edu [128.200.34.36]) by hydra.acs.uci.edu (8.7.1/8.7.1) with SMTP id KAA12916 for ; Fri, 5 Apr 1996 10:31:41 -0800 (PST) Message-ID: <3165670B.230A@hydra.acs.uci.edu> Date: Fri, 05 Apr 1996 10:31:39 -0800 From: Dan Stromberg X-Mailer: Mozilla 2.01 (X11; I; SunOS 5.5 sun4m) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Re: BoS: DNS Spoofing and Java References: <199604050454.UAA12327@itech.terisa.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk EKR still just doesn't get it, and has just pulled yet another "common logical fallacy" straight out of Logic 101: appealing to authority, rather than using deductive methods, or even handwaving in the general direction of what seems right, given a lack of axioms to apply. To summarize the bout on www-security: I keep saying it's blue-green, but mostly blue. No matter how I've phrased this, EKR has repeatedly said "no, you're quite wrong - it has a tinge of green". Care to use some reason this time around, EKR, or can we just leave this alone? EKR wrote: > > Dan writes: > >Not really - microsoft attempted to deflect blame inappropriately and > >ineffectually. In contrast, Sun has accepted more blame than they > >really should have. > > Without going into detail about the arguments, I would observe > that as Dan says below, this has been discussed essentially > ad nauseam on www-security among other places, but that Dan's > view is far from the consensus. 
Rich $alz, Steve Bellovin > and I have all argued that Sun's choice to use DNS as a way > to establish their security perimeter made Sun responsible for > using it correctly. > > -Ekr From firewalls-owner Fri Apr 5 11:29:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA08847 for firewalls-outgoing; Fri, 5 Apr 1996 11:03:42 -0800 (PST) Received: from casbah.gatech.edu (casbah.gatech.edu [130.207.165.18]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA08832 for ; Fri, 5 Apr 1996 11:03:33 -0800 (PST) Received: from 130.207.200.1.130.207.200.24 (rlcpc.gtri.gatech.edu [130.207.200.24]) by casbah.gatech.edu (8.6.12/8.6.12) with SMTP id OAA21907 for ; Fri, 5 Apr 1996 14:01:33 -0500 Message-Id: <199604051901.OAA21907@casbah.gatech.edu> X-Sender: jc215@casbah.gatech.edu X-Mailer: Windows Eudora Version 2.1.1 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 05 Apr 1996 13:59:34 -0500 To: firewalls@greatcircle.com From: Jim Cannady Subject: test Sender: firewalls-owner@GreatCircle.COM Precedence: bulk please ignore this test message. 
Jim ================================== James Cannady | Research Scientist | Georgia Institute of Technology | GTRI/ITL/CSITD | James.Cannady@gtri.gatech.edu | (404) 894-9730 | ================================== From firewalls-owner Fri Apr 5 12:55:27 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA12967 for firewalls-outgoing; Fri, 5 Apr 1996 11:59:04 -0800 (PST) Received: from mocha.bunyip.com (mocha.Bunyip.Com [192.197.208.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA12939 for ; Fri, 5 Apr 1996 11:58:53 -0800 (PST) Received: by mocha.bunyip.com (5.65a/IDA-1.4.2b/CC-Guru-2b) id AA02450 (mail destined for firewalls@GreatCircle.com); Fri, 5 Apr 96 14:55:35 -0500 Date: Fri, 5 Apr 1996 14:55:34 -0500 (EST) From: David Holmes To: Steve Knox Cc: firewalls@GreatCircle.com Subject: Re: more on mail addresses In-Reply-To: <199604051732.AA09733@nwnexus.wa.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk < stuff deleted... > > > > > In fact, from a human factors point of view, it seems likely that > > > "non-obvious" (a better term might be "user hostile") mail names are > > > > I believe the scheme should be chosen to make it difficult to mistype an > > The non-obvious naming scheme is simply going to encourage people to not use > email and/or use the built-in alias/addressbook feature of the mailer to map > A more feasible naming policy for a large organization might be via domain > or sub-domain > > Peter_Smith@corporate.organization.com - external > Peter_Smith@corporate - internal > > Pete_Smith@advertising.organization.com <...> > This is still not perfect but somewhat easier to remember and more along the You're right about this not being perfect - I'd go further - it isn't workable in the long run. Consider the situation of one entity's subdomain matching another entity's domain. 
I think that part of the solution here is a directory service/mechanism such as that which can be provided with whois++. Proper integration of such a service with key management and mail systems should eliminate this problem - and should do so properly. This only really connects with firewalling in that it presents issues similar to those raised with getting users across a firewall (user training/knowledge/understanding). > Fact is the VP Finance is responsible for the screw-up for not verifying As a VP who isn't in charge of Finance, I agree.... --david ________________________________________________________________________ David Holmes Bunyip Information Systems Inc Vice President, Operations Montreal, Canada e-mail: delphys@bunyip.com voice: +1 514 875 8611 fax: +1 514 875 8134 From firewalls-owner Fri Apr 5 13:10:31 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA17269 for firewalls-outgoing; Fri, 5 Apr 1996 12:46:20 -0800 (PST) Received: from taz.nda.com ([206.0.206.200]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA17263 for ; Fri, 5 Apr 1996 12:46:14 -0800 (PST) Received: from amber2.corsair.com (amber2.corsair.com [204.255.192.160]) by taz.nda.com (8.7.4/8.7.3) with SMTP id MAA14444; Fri, 5 Apr 1996 12:46:16 -0800 (PST) Message-Id: <2.2.32.19960405195210.0106871c@taz.nda.com> X-Sender: kovar@taz.nda.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 05 Apr 1996 11:52:10 -0800 To: vin@shore.net (Vin McLellan), firewalls@GreatCircle.COM From: "David C. Kovar" Subject: Re: Securid BAD Tech Support Cc: snd1trz@snd10.med.navy.mil, alastair@cadence.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Is there a mailing list for SDI issues? I am new to using SDI and would prefer to announce my ignorance only to those who care about the issues related to my ignorance. Thank you very much. 
-David From firewalls-owner Fri Apr 5 15:00:49 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA24039 for firewalls-outgoing; Fri, 5 Apr 1996 13:56:52 -0800 (PST) Received: from gatekeeper.nytimes.com (gatekeeper.nytimes.com [199.181.175.201]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA24025 for ; Fri, 5 Apr 1996 13:56:46 -0800 (PST) Received: from mailgate.nytimes.com by gatekeeper.nytimes.com; (5.65/1.1.8.2/30Mar95-0352PM) id AA04713; Fri, 5 Apr 1996 16:56:39 -0500 Received: from localhost by mailgate.nytimes.com; (5.65/1.1.8.2/25Jul94-1134AM) id AA17829; Fri, 5 Apr 1996 16:57:41 -0500 Date: Fri, 5 Apr 1996 16:57:41 -0500 (EST) From: Gordy Thompson Reply-To: Gordy Thompson To: David Schnardthorst Cc: firewalls@greatcircle.com Subject: Re: New Newsgroups In-Reply-To: <199604041505.JAA25950@strydr.strydr.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk It was an April Fool's hoax. Someone forged newgroup messages in tale's name for what looks like every group that failed its vote in the last few years, plus all groups now in discussion or being voted on. David Lawrence has said he will be sending out rmgroup messages to clean these up. He's also being urged in the discussion of the incident to start using PGP authentication on these messages, since forging them is so easy. Gordy -- Gordon T. Thompson gordy@nytimes.com Manager, Internet Services 212-556-1386 The New York Times fax: 212-556-1636 The Times and I have an arrangement: Neither of us speaks for the other. On Thu, 4 Apr 1996, David Schnardthorst wrote: > This may not be firewall related, however I am hoping somebody can tell > me if they are having a similar experience. > > I have a firewall running FWTK, with NNTP plugged to an inside news server, > this morning I logged in, and I have over 200 new newsgroups, and they are > still being created. 
They appear to have been initiated by tale@uunet.uu.net. > > Has anybody heard of a massive update, or should I be suspicious? > > Any help is greatly appreciated. > > ============================================================================ > David Schnardthorst, Systems/Network Eng. * Phone: (314)838-6839 > Stryder Communications, Inc. * Fax: (314)838-8527 > 869 St. Francois * E-Mail: ds3721@strydr.com > Florissant, MO 63031 * URL: http://www.strydr.com > ============================================================================ > From firewalls-owner Fri Apr 5 15:02:53 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA25761 for firewalls-outgoing; Fri, 5 Apr 1996 14:17:22 -0800 (PST) Received: from morebbs.com (morebbs.com [206.14.146.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA25755 for ; Fri, 5 Apr 1996 14:17:18 -0800 (PST) From: brian.smith@morebbs.com Received: by morebbs.com id 0O8UU009 Fri, 05 Apr 96 17:15:32 Message-ID: <9604051715.0O8UU00@morebbs.com> Organization: MORE BBS X-Mailer: TBBS/TIGER v1.0/PRIMP 1.56p Date: Fri, 05 Apr 96 17:15:32 Subject: Software To: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anyone know of any publicly available software for 1) detecting, 2) tracing, unwelcome tftp connections? 
Hayes From firewalls-owner Fri Apr 5 15:21:28 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA27215 for firewalls-outgoing; Fri, 5 Apr 1996 14:28:44 -0800 (PST) Received: from terisa-bh.terisa.com (terisa-bh.terisa.COM [205.226.38.66]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA27209 for ; Fri, 5 Apr 1996 14:28:41 -0800 (PST) Received: (from uucp@localhost) by terisa-bh.terisa.com (8.6.12/8.6.11) id OAA11221; Fri, 5 Apr 1996 14:29:12 -0800 Received: from itech.terisa.com by terisa-bh.terisa.com via smap (V1.3) id sma011219; Fri Apr 5 14:29:08 1996 Received: from kmac.daisy (kmac.terisa.COM [205.226.39.35]) by itech.terisa.com (8.6.12/8.6.4) with SMTP id OAA18109; Fri, 5 Apr 1996 14:23:28 -0800 Date: Fri, 5 Apr 1996 14:23:28 -0800 From: EKR Message-Id: <199604052223.OAA18109@itech.terisa.com> To: firewalls@GreatCircle.COM, strombrg@hydra.acs.uci.edu Subject: Re: BoS: DNS Spoofing and Java Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >EKR still just doesn't get it, and has just pulled yet another "common >logical fallacy" straight out of Logic 101: appealing to authority, >rather than using deductive methods, or even handwaving in the general >direction of what seems right, given a lack of axioms to apply. No, Dan, I'm not appealing to authority. I was simply observing that you keep stating your opinion as if it's fact, when it's not even consensus, let alone fact. >Care to use some reason this time around, EKR, or can we just leave this >alone? Actually, I was planning to leave it alone. I've long since concluded that it's far beyond my abilities to help you pull your head out of your ass. 
-Ekr From firewalls-owner Fri Apr 5 15:28:12 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA27352 for firewalls-outgoing; Fri, 5 Apr 1996 14:30:12 -0800 (PST) Received: from csc.com (explorer.csc.com [20.1.10.27]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA27324 for ; Fri, 5 Apr 1996 14:30:01 -0800 (PST) Received: from @explorer.csc.com by csc.com with smtp (Smail3.1.29.1 #1) id m0u5Jz5-001AtJC; Fri, 5 Apr 96 17:27 EST Message-Id: Date: Fri, 5 Apr 96 17:27 EST X-Sender: asafier@explorer.csc.com X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: hhantman@eo.ray.com (Howard Hantman) From: Adam Safier Subject: Re: more on mail addresses Cc: epperson@vak12ed.edu, firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 04:52 PM 4/4/96 -0500, Howard Hantman wrote: >>From: "W.C. Epperson" >>Michael said: >>The VP finance _belongs_ on the layoff list if he sends such a thing without >>using the CEO's public key or the like. > >The problem is he thinks he did! He used "Pete Smith"'s public key!!! Actually he didn't have any key ... with 500 layoffs pending they could not afford to hire a security officer/expert. And the layoffs are due to dropping sales because the competition is always a step ahead. And the use the competition is always a step ahead because... ......... hmmmm. Adam Safier CSC-SED-Infosec asafier@csc.com - It's scary when people call me an "expert" in a subject just as I start to realize how little I know and how much I still need to learn. Expressed opinions are my own and might not be shared by my employer or anyone else. 
From firewalls-owner Fri Apr 5 15:33:27 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA02288 for firewalls-outgoing; Fri, 5 Apr 1996 15:13:38 -0800 (PST) Received: from hydra.acs.uci.edu (hydra.acs.uci.edu [128.200.16.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id PAA02281 for ; Fri, 5 Apr 1996 15:13:34 -0800 (PST) Received: from bingy.acs.uci.edu (strombrg@bingy.acs.uci.edu [128.200.34.36]) by hydra.acs.uci.edu (8.7.1/8.7.1) with SMTP id PAA21012 for ; Fri, 5 Apr 1996 15:11:37 -0800 (PST) Message-ID: <3165A8A7.2AD8@hydra.acs.uci.edu> Date: Fri, 05 Apr 1996 15:11:35 -0800 From: Dan Stromberg X-Mailer: Mozilla 2.01 (X11; I; SunOS 5.5 sun4m) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Re: BoS: DNS Spoofing and Java References: <199604052223.OAA18109@itech.terisa.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk EKR wrote: > > >EKR still just doesn't get it, and has just pulled yet another "common > >logical fallacy" straight out of Logic 101: appealing to authority, > >rather than using deductive methods, or even handwaving in the general > >direction of what seems right, given a lack of axioms to apply. > > No, Dan, I'm not appealing to authority. I was simply observing > that you keep stating your opinion as if it's fact, when it's not > even consensus, let alone fact. EKR, you seem genuinely _eager_ to make a fool of yourself. You threw out some big names, and offered 0 supporting facts. It doesn't get much more clear than that - this was appealing to authority. If you don't understand what that means, you should carefully avoid addressing the issue, lest you look quite silly. You _may_ still have some chance to convince me based on some new technical argument, but so far your attempts at rational persuasion have been... well... less than productive. 
> >Care to use some reason this time around, EKR, or can we just leave this > >alone? > Actually, I was planning to leave it alone. I've long since concluded > that it's far beyond my abilities to help you pull your head out of your > ass. You seem just a _teensy_ bit hostile, don't you? Could it be because you're really quite afraid to discuss issues, rather than just hope that people will listen to whoever screams the loudest? From firewalls-owner Fri Apr 5 15:35:55 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA00829 for firewalls-outgoing; Fri, 5 Apr 1996 15:01:10 -0800 (PST) Received: from hydra.acs.uci.edu (hydra.acs.uci.edu [128.200.16.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id PAA00823 for ; Fri, 5 Apr 1996 15:01:04 -0800 (PST) Received: from bingy.acs.uci.edu (strombrg@bingy.acs.uci.edu [128.200.34.36]) by hydra.acs.uci.edu (8.7.1/8.7.1) with SMTP id OAA20650; Fri, 5 Apr 1996 14:59:00 -0800 (PST) Message-ID: <3165A5B3.ABD@hydra.acs.uci.edu> Date: Fri, 05 Apr 1996 14:58:59 -0800 From: Dan Stromberg X-Mailer: Mozilla 2.01 (X11; I; SunOS 5.5 sun4m) MIME-Version: 1.0 To: "F. L. Charles Seeger III" CC: firewalls@GreatCircle.COM Subject: Re: BoS: DNS Spoofing and Java References: <199604052220.RAA02572@rock.cis.ufl.edu> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk F. L. Charles Seeger III wrote: > > Stuff it, Dan. He's a lot closer to being right than you are. Tee hee. From this, should I assume you were on www-security at the time? > Who's at fault if one uses a screwdriver as a chisel, the person who > does so or the designer/maker of the screwdriver? I'd say that's obvious. However, it has no bearing on the matter at hand. 
> +------ Dan Stromberg wrote (Fri, 5-Apr-96, 10:31 -0800): > | EKR still just doesn't get it, and has just pulled yet another "common > | logical fallacy" straight out of Logic 101: appealing to authority, > | rather than using deductive methods, or even handwaving in the general > | direction of what seems right, given a lack of axioms to apply. > | > | To summarize the bout on www-security: > | > | I keep saying it's blue-green, but mostly blue. > | > | No matter how I've phrased this, EKR has repeatedly said "no, > | you're quite wrong - it has a tinge of green". > | > | Care to use some reason this time around, EKR, or can we just leave this > | alone? > | > | EKR wrote: > | > > | > Dan writes: > | > >Not really - microsoft attempted to deflect blame inappropriately and > | > >ineffectually. In contrast, Sun has accepted more blame than they > | > >really should have. > | > > | > Without going into detail about the arguments, I would observe > | > that as Dan says below, this has been discussed essentially > | > ad nauseam on www-security among other places, but that Dan's > | > view is far from the consensus. Rich $alz, Steve Bellovin > | > and I have all argued that Sun's choice to use DNS as a way > | > to establish their security perimeter made Sun responsible for > | > using it correctly. 
> | > > | > -Ekr > +------ End of excerpt from Dan Stromberg From firewalls-owner Fri Apr 5 15:40:40 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA20949 for firewalls-outgoing; Fri, 5 Apr 1996 13:22:53 -0800 (PST) Received: from server.vki.ac.be (server.vki.ac.be [193.190.162.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id AAA27350 for ; Thu, 4 Apr 1996 00:33:01 -0800 (PST) Received: from localhost by server.vki.ac.be; (5.65v3.2/1.1.8.2/10Aug95-0928AM) id AA23597; Thu, 4 Apr 1996 10:32:02 +0200 Message-Id: <31638902.31DF@vki.ac.be> Date: Thu, 04 Apr 1996 10:32:02 +0200 From: Frankinet Philippe X-Mailer: Mozilla 2.0 (X11; I; OSF1 V3.2 alpha) Mime-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: HELP : FIREWALL Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I run Linux-1.2.3 and I must configure this one as a gateway. INTERNET ---- GENERAL NET --- FIREWALL ROUTING LINUX ---- INTERNAL NET I must protect my internal network with a firewall ..then I need a packets-filtering-firewall (Is it correct ?). Who can help me ?? Which shareware can I use ?? Ask me more details if you don't see what I mean ... 
Thanks much , Franki From firewalls-owner Fri Apr 5 15:42:52 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA20890 for firewalls-outgoing; Fri, 5 Apr 1996 13:21:48 -0800 (PST) Received: from burka.carrier.kiev.ua (burka.carrier.kiev.ua [193.125.68.131]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA20734 for ; Fri, 5 Apr 1996 13:20:45 -0800 (PST) Received: from sivka.carrier.kiev.ua (root@sivka.carrier.kiev.ua [193.125.68.130]) by burka.carrier.kiev.ua (Sendmail 8.who.cares/5) with ESMTP id AAA20047 for ; Sat, 6 Apr 1996 00:17:00 +0300 Received: from elvisti.kiev.ua (uucp@localhost) by sivka.carrier.kiev.ua (Sendmail 8.who.cares/5) with UUCP id XAA16105 for firewalls@greatcircle.com; Fri, 5 Apr 1996 23:04:38 +0300 Received: from office.elvisti.kiev.ua (office.elvisti.kiev.ua [193.125.28.33]) by spider2.elvisti.kiev.ua (8.6.12/8.ElVisti) with ESMTP id XAA00392 for ; Fri, 5 Apr 1996 23:11:41 +0300 Received: (from stesin@localhost) by office.elvisti.kiev.ua (8.6.12/8.ElVisti) id XAA29711; Fri, 5 Apr 1996 23:11:40 +0300 From: "Andrew V. Stesin" Message-Id: <199604052011.XAA29711@office.elvisti.kiev.ua> Subject: Re: Re[2]: About the firewalls using RIP or static routes To: mhorn@funb.com (Mark Horn [ Net Ops ]) Date: Fri, 5 Apr 1996 23:11:40 +0300 (EET DST) Cc: firewalls@greatcircle.com In-Reply-To: <199604051418.JAA09872@funws302.capmark.funb.com> from "Mark Horn [ Net Ops ]" at Apr 5, 96 09:18:43 am X-Mailer: ELM [version 2.4 PL24alpha5] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk # I don't think that's a very workable solution. How do you enforce that # routed will listen on the internal interface only? Filtering UDP port 520 on input, with interfaces explicitly specified. Probably output, too? # routing on the firewall is trivial: # # Internal class B -> internal router # Default -> external router That's probably the exact thing people are doing. 
-- With best regards -- Andrew Stesin. +380 (44) 2760188 +380 (44) 2713457 +380 (44) 2713560 "You may delegate authority, but not responsibility." Frank's Management Rule #1. From firewalls-owner Fri Apr 5 16:00:04 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA04560 for firewalls-outgoing; Fri, 5 Apr 1996 15:35:50 -0800 (PST) Received: from www.hijack.org (www.hijack.org [194.152.160.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA04530 for ; Fri, 5 Apr 1996 15:35:39 -0800 (PST) Received: (from etoy@localhost) by www.hijack.org (8.6.12/8.6.9) id BAA04531; Sat, 6 Apr 1996 01:28:50 +0200 Date: Sat, 6 Apr 1996 01:28:50 +0200 Message-Id: <199604052328.BAA04531@www.hijack.org> To: firewalls@greatcircle.com From: etoy@hijack.org (THE HIJACK-CREW) Subject: HANDS UP! Sender: firewalls-owner@GreatCircle.COM Precedence: bulk HI THERE! THIS IS etoy! "the digital hijack" is NOW running ! the internet-underground has decided: it is definitely time to blast SOUND and ACTION into the net !!! our software-agents have invaded the main searchservers... ++++for more information check out : http://www.hijack.org/++++++++++ or get kidnapped live --> go to infoseek (netsearch-button on your browser) and search for: UNDERGROUND - CENSORSHIP - DISCO - XTC - CLINTON - PORSCHE - CRACK - KRAFTWERK - ELVIS - TERROR - PENTHOUSE - SEGA - MONDRIAN - SEXPISTOLS - FIREARMS - TARANTINO - DJ - STONES - NETWORKS - BASE - CRIME - WAR - BUSINESS - WOMEN - NET - SOCIETY - ART - CASTRO - PARADISE - ATHLETICS - PULP - CYBER - YELLO - PETSHOPBOYS - REM - HUSTLER - BITCH - GUEVARA - SEVESO - MELODYMAKER - PORNO - GABBER - ROLLERBLADES - REBEL - OASIS - COMMUNICATIONS - PLAYBOY - BELGIUM - ORB - AND MANY MORE... these keywords will all appear on the TOP 10 - LIST. take the link to hijack.org to get the hijack-experience like millions of bored internet-users... 
download the hijackers-sound, get the best pictures and help us free our friend KEVIN D. MITNICK, THE SUPERHACKER (charged for electronic-terrorism, maximum sentence: 460 years prison) ! we would be very happy to welcome you on our site. spread this new internet-lifestyle to your friends and to internet-freaks + surfers ! this is an underground art-project not a bastard-business mail. our grab robot "etoy.IVANA" got your email-address by cruising the net. for the hijack-crew etoy MARTIN KUBLI email action@etoy.com fax ++41 1 363 35 57 _______________________________________________________________________ http://www.hijack.org/ for highres-pictures: ftp.etoy.com /press etoy: leaving reality behind...abusing technology...flashing the net From firewalls-owner Fri Apr 5 16:43:17 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA10871 for firewalls-outgoing; Fri, 5 Apr 1996 16:39:54 -0800 (PST) Received: from emout09.mail.aol.com (emout09.mx.aol.com [198.81.11.24]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id QAA10830 for ; Fri, 5 Apr 1996 16:39:44 -0800 (PST) From: Rapitsio@aol.com Received: by emout09.mail.aol.com (8.6.12/8.6.12) id TAA02968; Fri, 5 Apr 1996 19:37:43 -0500 Date: Fri, 5 Apr 1996 19:37:43 -0500 Message-ID: <960405193742_185562159@emout09.mail.aol.com> To: kovar@nda.com, vin@shore.net, firewalls@greatcircle.com cc: snd1trz@snd10.med.navy.mil, alastair@cadence.com Subject: Re: Securid BAD Tech Support Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi folks, I am a new addition to your newsgroup. We are implementing SecurID and, at this point, find the technology (+futures) workable. However, we have also had problems with support from this company. I am getting the feeling that they are too spread out techy wise to help out the new accounts. I feel that once they make the sale, all else is back burner stuff. 
I can only relate this to experience with CA products in that it really depends on who (providing you can) you reach for support. Question: Is it up to us as a 'consumer' to post these concerns to the vendor or are these communications intended to remain an 'internal' discussion??? Please remember I am new to this newsgroup. Regards, Ray F. Pitts From firewalls-owner Fri Apr 5 16:44:00 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA19308 for firewalls-outgoing; Fri, 5 Apr 1996 13:09:20 -0800 (PST) Received: from relay1.shore.net (relay1.shore.net [192.233.85.129]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA19294 for ; Fri, 5 Apr 1996 13:09:15 -0800 (PST) Received: from [198.115.179.222] (slip-3-25.shore.net [198.115.179.225]) by relay1.shore.net (8.7.5/8.7.3) with SMTP id QAA12544; Fri, 5 Apr 1996 16:07:14 -0500 (EST) X-Sender: vin@shell1.shore.net Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 5 Apr 1996 16:09:22 -0500 To: "David C. Kovar" From: vin@shore.net (Vin McLellan) Subject: Re: Securid BAD Tech Support Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk David C. Kovar asked: > Is there a mailing list for SDI issues? I am new to using SDI and would >prefer to announce my ignorance only to those who care about the issues >related to my ignorance. No, there isn't -- but I agree there probably should be. Until there is one, I'm willing to help out and answer questions. The Privacy Guild does market analysis under contract for SDI, and I've worked with SDI since before the SecurID came on the market. (I think SDI also has a questions and comments form attached to their web site: http://securid.com.) Suerte, _Vin Vin McLellan +The Privacy Guild+ 53 Nichols St., Chelsea, Ma.
02150 USA Tel: (617) 884-5548 <*><*><*><*><*><*><*><*><*> From firewalls-owner Fri Apr 5 17:44:09 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA15482 for firewalls-outgoing; Fri, 5 Apr 1996 17:22:50 -0800 (PST) Received: from bayflash.stpt.usf.edu (bayflash.stpt.usf.edu [131.247.140.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA15426 for ; Fri, 5 Apr 1996 17:22:39 -0800 (PST) Received: (johnson@localhost) by bayflash.stpt.usf.edu (8.6.11/8.6.5) id UAA29334; Fri, 5 Apr 1996 20:17:15 -0500 Date: Fri, 5 Apr 1996 20:17:15 -0500 (EST) From: Steven Johnson X-Sender: johnson@bayflash To: Firewalls@GreatCircle.COM Subject: Re: HANDS UP! In-Reply-To: <199604052328.BAA04531@www.hijack.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sat, 6 Apr 1996, THE HIJACK-CREW wrote: > download the hijackers-sound, get the best pictures and help us free our > friend KEVIN D. MITNICK, THE SUPERHACKER (charged for electronic-terrorism, > maximum sentence: 460 years prison) ! hmmmm, not only is this off-topic, but antithetical. > this is an underground art-project not a bastard-business mail. "I see", said the blind man. Then I suppose that makes it okay. All in the name of art and what-not. Would perchance you need any help in filling out an NEA Grant for your artistic endeavor? I'm sure the government would be glad to fund this project instead of another Mapplethorpe project. > leaving reality behind...abusing technology...flashing the net *sigh* It would be so nice to do something more productive rather than shoring up my site from net-flashers.
From firewalls-owner Fri Apr 5 17:45:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA17269 for firewalls-outgoing; Fri, 5 Apr 1996 17:40:17 -0800 (PST) Received: from terisa-bh.terisa.com (terisa-bh.terisa.COM [205.226.38.66]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA17243 for ; Fri, 5 Apr 1996 17:40:10 -0800 (PST) Received: (from uucp@localhost) by terisa-bh.terisa.com (8.6.12/8.6.11) id RAA13070; Fri, 5 Apr 1996 17:40:38 -0800 Received: from itech.terisa.com by terisa-bh.terisa.com via smap (V1.3) id sma013060; Fri Apr 5 17:40:14 1996 Received: from kmac.daisy (kmac.terisa.COM [205.226.39.35]) by itech.terisa.com (8.6.12/8.6.4) with SMTP id RAA18998; Fri, 5 Apr 1996 17:34:33 -0800 Date: Fri, 5 Apr 1996 17:34:33 -0800 From: EKR Message-Id: <199604060134.RAA18998@itech.terisa.com> To: firewalls@GreatCircle.COM, strombrg@hydra.acs.uci.edu Subject: Re: BoS: DNS Spoofing and Java Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Could it be because you're really quite afraid to discuss issues, rather >than just hope that people will listen to whoever screams the loudest? Whatever you say, Dan. -Ekr From firewalls-owner Fri Apr 5 18:50:27 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA24774 for firewalls-outgoing; Fri, 5 Apr 1996 18:31:02 -0800 (PST) Received: from rock.cis.ufl.edu (rock.cis.ufl.edu [128.227.224.19]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA24766 for ; Fri, 5 Apr 1996 18:30:57 -0800 (PST) Received: by rock.cis.ufl.edu (8.6.12/cis.ufl.edu) id VAA07583; Fri, 5 Apr 1996 21:28:35 -0500 Message-Id: <199604060228.VAA07583@rock.cis.ufl.edu> From: seeger@cis.ufl.edu (F. L. 
Charles Seeger III) Date: Fri, 5 Apr 1996 21:28:35 -0500 In-Reply-To: Dan Stromberg <3165A5B3.ABD@hydra.acs.uci.edu> X-Mailer: Mail User's Shell (7.2.5 10/14/92) To: Dan Stromberg Subject: Re: BoS: DNS Spoofing and Java Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk +------ Dan Stromberg wrote (Fri, 5-Apr-96, 14:58 -0800): | | Tee hee. From this, should I assume you were on www-security at the | time? FWIW, yes. Now, what brand of netiquette caused you to send a copy of my private email to you to the firewalls list? Please don't waste everyone's time by answering to the entire list. In case you're as impaired as you seem to be, that is a rhetorical question and I don't really care to get any answer at all. In fact, you're now in my mail kill file, so I'll never be tempted to waste time on you again. Sorry to everyone else for intruding into your mailbox so uselessly. Sincerely, Chuck From firewalls-owner Fri Apr 5 19:01:27 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA26120 for firewalls-outgoing; Fri, 5 Apr 1996 18:50:00 -0800 (PST) Received: from taz.nda.com ([206.0.206.200]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id SAA26114 for ; Fri, 5 Apr 1996 18:49:55 -0800 (PST) Received: from amber2.corsair.com (amber2.corsair.com [204.255.192.160]) by taz.nda.com (8.7.4/8.7.3) with SMTP id SAA16479; Fri, 5 Apr 1996 18:50:01 -0800 (PST) Message-Id: <2.2.32.19960406015556.0070bfc8@taz.nda.com> X-Sender: kovar@taz.nda.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 05 Apr 1996 17:55:56 -0800 To: vin@shore.net (Vin McLellan) From: "David C. Kovar" Subject: Re: Securid BAD Tech Support Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > No, there isn't -- but I agree there probably should be. Until >there is one, I'm willing to help out and answer questions. 
The Privacy >Guild does market analysis under contract for SDI, and I've worked with >SDI since before the SecurID came on the market. (I think SDI also has a >questions and comments form attached to their web site: >http://securid.com.) > > Suerte, > _Vin Just a minor correction. Their web site is at http://www.securid.com. There is no DNS entry for just "securid.com". -David From firewalls-owner Fri Apr 5 19:13:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id TAA26849 for firewalls-outgoing; Fri, 5 Apr 1996 19:03:11 -0800 (PST) Received: from skypoint.com (mirage.skypoint.com [199.86.32.7]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA26833 for ; Fri, 5 Apr 1996 19:02:59 -0800 (PST) Received: from cpu-c.kerker.com (really [199.86.33.29]) by skypoint.com via smtpd with smtp id for ; Fri, 5 Apr 96 21:01 CST (/\==/\ Smail3.1.28.1 #28.6) Message-Id: <2.2.32.19960406030055.0070e0fc@mirage.skypoint.com> X-Sender: dpmadson@mirage.skypoint.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 05 Apr 1996 21:00:55 -0600 To: dengland@sis.com (Dave England), Firewalls@GreatCircle.COM From: Don Madson Subject: Re: more on mail addresses Sender: firewalls-owner@GreatCircle.COM Precedence: bulk It's hard for me to imagine someone with 25,000 employees and who knows how many customers reading all their mail everyday personally. My company only has one employee, me, and I throw out 80% of the mail I get without reading it. I pull out the checks and the bills and maybe read something if it looks really interesting. (Like your message.) Let's say "billg" was his only email address and you along with everyone else on this planet sent him what they thought were important messages. What century do you think it would be before he personally read your message? (Assuming he only worked 18-hour days, 6-days a week.)
Don At 09:26 AM 4/4/96 PST, you wrote: >I think it's a plus to have customers complain to the CEO when they >can't get their customer service issues addressed. If we want to >get into the information age and out of the paper mail age, we better >not use these tools to make it harder for customers. I'm disappointed >to hear that Gates feels he has to hide behind technology and >obscurity, this seems to be counter to what he preaches. From firewalls-owner Fri Apr 5 20:43:20 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id UAA04301 for firewalls-outgoing; Fri, 5 Apr 1996 20:37:30 -0800 (PST) Received: from gatekeeper.qualix.com (gatekeeper.qualix.com [192.91.182.105]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id UAA04295 for ; Fri, 5 Apr 1996 20:37:26 -0800 (PST) Received: from qualix.qualix by gatekeeper.qualix.com (8.6.9/Q940531.1) id UAA25234; Fri, 5 Apr 1996 20:35:30 -0800 Received: from qualix20.qualix by qualix.qualix (4.1/SMI-4.1-Q931113.1) id AA12813; Fri, 5 Apr 96 20:35:29 PST Received: from spirit.qualix by qualix20.qualix (SMI-8.6/SMI-SVR4) id UAA00977; Fri, 5 Apr 1996 20:35:26 -0800 Received: by spirit.qualix (5.x/SMI-SVR4) id AA01121; Fri, 5 Apr 1996 20:34:07 -0800 From: security@qualix.com (Nik D. Knoth) Message-Id: <9604060434.AA01121@spirit.qualix> Subject: Re: Firewalls at lower levels? To: smith135@mc.duke.edu Date: Fri, 5 Apr 1996 20:34:07 -0800 (PST) Cc: firewalls@GreatCircle.COM In-Reply-To: <01I35FD8T9O2003CBE@mc.duke.edu> from "smith135@mc.duke.edu" at Apr 4, 96 04:04:00 pm X-Mailer: ELM [version 2.4 PL24] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Checkpoint's FireWall-1 is implemented b/w the datalink and the network layers. So, it seems that they have, in fact, been implementable below the session layer. What exactly did he mean when he said they are not "implementable?" 
-nik -- Nik D. Knoth Email: nik@qualix.com Qualix Support Team Office: 415.638.4106 The Qualix Group, Inc. Fax: 415.572.1300 > > I was at a seminar presented by Stuart Holoman, Holocon Inc. > yesterday, and he said firewalls are not effective/implementable > below the session layer: > > layer 7 - App support > layer 6 - Presentation > layer 5 - Session > layer 4 - Transport > layer 3 - Network > layer 2 - Data link > layer 1 - Physical > > Any comments? > I don't know if he was speaking in abstract terms (e.g., not many > people know how to make them effective). > > Michael Smith Voice: 919-613-7633 > Duke University and Medical Center Fax: 919-613-7631 > E-mail: smith135@mc.duke.edu > From firewalls-owner Fri Apr 5 20:58:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id UAA05305 for firewalls-outgoing; Fri, 5 Apr 1996 20:53:47 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id UAA05299 for ; Fri, 5 Apr 1996 20:53:43 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id UAA26662; Fri, 5 Apr 1996 20:47:12 -0800 Received: from unknown(138.25.16.3) by mycroft via smap (V1.3mjr) id sma026660; Fri Apr 5 20:47:07 1996 Received: from maverick.itd.uts.edu.au (matt@maverick.itd.uts.edu.au [138.25.16.41]) by solarnum.itd.uts.edu.au (8.7.3/8.7.1/uts) with ESMTP id OAA26460; Sat, 6 Apr 1996 14:42:58 +1000 (EAST) Received: (from matt@localhost) by maverick.itd.uts.edu.au (8.7.3/8.7.3/Jas) id OAA14264; Sat, 6 Apr 1996 14:44:48 +1000 Message-Id: <199604060444.OAA14264@maverick.itd.uts.edu.au> Subject: Re: Undeliverable: email to CEO To: dengland@sis.com (Dave England) Date: Sat, 6 Apr 1996 14:44:47 +1000 (EAST) Cc: postmaster@microsoft.com, Firewalls@GreatCircle.COM In-Reply-To: <9604041926.AA09149@auspex.ivac_eng> from "Dave England" at Apr 4, 96 11:26:53 am X-Ph: ph: +61 2 330 1390 fax: +61 2 330 1999 
home: +61 2 9929 0717 X-Pager: +61 2 214 1111 #216098 or pager@maverick.itd.uts.edu.au X-Pgp-Finger: pub 2048/27FB4AE1 1995/09/30 Jas (Matthew K) X-Pgp-Finger: Key fingerprint = 3A1EEDBE7A6D498D E7953FB40A21A6C8 From: matt@uts.edu.au X-Mailer: ELM [version 2.4 PL25] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dave England wrote this... > Does a MS customer have to resort to paper mail to send a letter to > the CEO at your company? I can't believe Bill doesn't have someone > reading his email for him just like all CEO's at all companies have > someone reading their letters for them, if they don't read them > themselves. > ----- Begin Included Message ----- [mail error deleted] > ----- End Included Message ----- i doubt you'll get a reply from postmaster@microsoft.com. i have mailed said person a number of times about particular problems with their internal mail system (i send a reasonable amount of mail into microsoft everyday). i have never received a reply even to the effect of thanks i read your mail. i suspect they have a postmaster: /dev/null in their /etc/aliases (yes they run unix machines on their internet mail connection, not NT or otherwise). Matt -- #!/bin/sh echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D3F204445524F42snlbxq'|dc;exit Matthew Keenan Data Network Admin Information Technology Division University of Technology Sydney Australia It's nice to be in a position where people apologize because they assume there's humor in your work, based on past experience, but they're not sure where it is. 
-- Rob Pike From firewalls-owner Sat Apr 6 02:51:58 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id CAA17542 for firewalls-outgoing; Sat, 6 Apr 1996 02:41:36 -0800 (PST) Received: from ctrvx1.Vanderbilt.Edu (ctrvx1.Vanderbilt.Edu [129.59.1.21]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id CAA17536 for ; Sat, 6 Apr 1996 02:41:29 -0800 (PST) Received: from dial028.Vanderbilt.Edu by ctrvax.Vanderbilt.Edu (PMDF V5.0-5 #11488) id <01I37ISR9BVK8XB0GK@ctrvax.Vanderbilt.Edu> for firewalls@greatcircle.com; Sat, 06 Apr 1996 04:37:36 -0600 (CST) Date: Sat, 06 Apr 1996 04:37:36 -0600 (CST) Date-warning: Date header was inserted by ctrvax.Vanderbilt.Edu From: kwakh@ctrvax.Vanderbilt.Edu (Joon Kwak) X-Sender: kwakh@ctrvax.vanderbilt.edu (Unverified) To: firewalls@greatcircle.com Message-id: <01I37ISRRJQQ8XB0GK@ctrvax.Vanderbilt.Edu> MIME-version: 1.0 X-Mailer: Windows Eudora Version 1.4.3 Content-type: text/plain; charset="us-ascii" Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk What's the major difference between a router and a bastion host? It seems like they are doing the same thing. Please enlighten me. Joon.
From firewalls-owner Sat Apr 6 03:13:24 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id DAA18253 for firewalls-outgoing; Sat, 6 Apr 1996 03:08:12 -0800 (PST) Received: from anugpo.anu.edu.au (anugpo.anu.edu.au [150.203.2.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id DAA18247 for ; Sat, 6 Apr 1996 03:08:03 -0800 (PST) Received: from student.anu.edu.au (root@student.anu.edu.au [150.203.21.26]) by anugpo.anu.edu.au (8.6.12/8.6.12) with ESMTP id VAA06408; Sat, 6 Apr 1996 21:06:05 +1000 Received: from fenner4.anu.edu.au by student.anu.edu.au (SMI-8.6/SMI-SVR4) id VAA29953; Sat, 6 Apr 1996 21:05:36 +1000 Date: Sat, 6 Apr 1996 21:05:36 +1000 Message-Id: <199604061105.VAA29953@student.anu.edu.au> X-Sender: h9304021@student.anu.edu.au X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: matt@uts.edu.au From: Chai Harjo Subject: Re: Undeliverable: email to CEO Cc: Firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 02:44 PM 4/6/96 +1000, you wrote: >Dave England wrote this... > >> Does a MS customer have to resort to paper mail to send a letter to >> the CEO at your company? I can't believe Bill doesn't have someone >> reading his email for him just like all CEO's at all companies have >> someone reading their letters for them, if they don't read them >> themselves. > > >> ----- Begin Included Message ----- > >[mail error deleted] > >> ----- End Included Message ----- > >i doubt you'll get a reply from postmaster@microsoft.com. i have >mailed said person a number of times about particular problems with >their internal mail system (i send a reasonable amount of mail into >microsoft everyday). i have never received a reply even to the effect >of thanks i read your mail. 
i suspect they have a > >postmaster: /dev/null > >in their /etc/aliases (yes they run unix machines on their internet >mail connection, not NT or otherwise). > How do you know about this? Are you sure they are not using NT? It is bizarre that they don't trust their own product!!! Chai Harjo From firewalls-owner Sat Apr 6 03:58:20 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id DAA19476 for firewalls-outgoing; Sat, 6 Apr 1996 03:42:22 -0800 (PST) Received: from ctrvx1.Vanderbilt.Edu (ctrvx1.Vanderbilt.Edu [129.59.1.21]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id DAA19470 for ; Sat, 6 Apr 1996 03:42:16 -0800 (PST) Received: from dial028.Vanderbilt.Edu by ctrvax.Vanderbilt.Edu (PMDF V5.0-5 #11488) id <01I37KX2BKOG8XUV5G@ctrvax.Vanderbilt.Edu> for firewalls@greatcircle.com; Sat, 06 Apr 1996 05:38:20 -0600 (CST) Date: Sat, 06 Apr 1996 05:38:20 -0600 (CST) Date-warning: Date header was inserted by ctrvax.Vanderbilt.Edu From: kwakh@ctrvax.Vanderbilt.Edu (Joon Kwak) Subject: Firewalls X-Sender: kwakh@ctrvax.vanderbilt.edu To: firewalls@greatcircle.com Message-id: <01I37KX2ND2A8XUV5G@ctrvax.Vanderbilt.Edu> MIME-version: 1.0 X-Mailer: Windows Eudora Version 1.4.3 Content-type: text/plain; charset="us-ascii" Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk What firewalls are the most popular these days? I need some brand names. Thanks.
Joon From firewalls-owner Sat Apr 6 06:17:10 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA22995 for firewalls-outgoing; Sat, 6 Apr 1996 06:03:00 -0800 (PST) Received: from versalink.versalink.com (mr2-202.mrtc.maui.com [199.4.33.202]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA22989 for ; Sat, 6 Apr 1996 06:02:53 -0800 (PST) Received: from versalink.com (sanda.ip.holonet.net [157.151.128.192]) by versalink.versalink.com (8.7.1/8.7.1) with SMTP id EAA27097 for ; Sat, 6 Apr 1996 04:01:20 -1000 (HST) Message-Id: <199604061401.EAA27097@versalink.versalink.com> X-Sender: pstephen@versalink.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sat, 06 Apr 1996 09:59:16 -0500 To: Firewalls@GreatCircle.COM From: Peter Stephenson Subject: Re: Firewalls-Digest V5 #211 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >From: "Marcus J. Ranum" >Date: Fri, 5 Apr 1996 10:06:20 -0500 (EST) >Subject: What layer? > >smith135@mc.duke.edu writes: >>I was at a seminar presented by Stuart Holoman, Holocon Inc. >>yesterday, and he said firewalls are not effective/implementable >>below the session layer: >>I don't know if he was speaking in abstract terms (e.g., not many >>people know how to make them effective). > > He was probably either speaking in abstract terms, or he >didn't know what he was speaking about. "Experts" are certainly >crawling out of the woodwork these days, and it seems that the >main qualification for teaching seminars on firewalls is to FTP >my old viewgraphs from the 'net, read C&B and C&Z, and start to >make grand pronouncements. :) > >mjr. You have to know Stuart to understand his position on this. He takes the position that any form of access control (including firewalls) can be subverted. He says that the only real security is encryption. 
While I think this is really just part of the story, it's interesting food for thought. In my next column for InfoSecurity News I explore a practical implementation of his theory. Also, when Stuart lectures he tends to be provocative on purpose to stimulate discussion and thought. I don't completely agree with him, but his points are certainly worth exploring and, for the many who are just beginning to feel their way in this environment, it's these types of issues that require consideration. As for being an "expert" and the rest of your indictment, in his defense I would like to point out that Stuart has been in the infosec business for a long time, has been teaching and lecturing for many years and was involved directly in the development of the ethernet standard. He has an international reputation as a consultant among the business community. While he is not what I call a "back room guru" (those who develop the new software, products and theories that those of us on the firing line depend upon for our success) he is an extremely competent security consultant and teacher. As I said, I don't always agree with Stuart, but he always makes me think. Peter Stephenson, Division President, InfoSEC Technologies division of Sanda International Corp. 
Headquarters Operations Center 401 Pinehurst Drive 590 Lipoa Parkway Ste 208 Rochester Hills, MI 48309 Kihei, Maui, HI 96753 (810) 650-2699 phone World Wide Web: (810) 375-2717 fax http://www.versalink.com pstephen@versalink.com From firewalls-owner Sat Apr 6 06:43:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA23556 for firewalls-outgoing; Sat, 6 Apr 1996 06:38:41 -0800 (PST) Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA23540 for ; Sat, 6 Apr 1996 06:38:35 -0800 (PST) Received: from nmti.com (ficc@localhost) by uuneo.neosoft.com (8.7.5/8.7.4) with UUCP id IAA12031; Sat, 6 Apr 1996 08:17:19 -0600 (CST) Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id IAA15807; Sat, 6 Apr 1996 08:05:38 -0600 Received: by sonic.nmti.com; id AA04040; Sat, 6 Apr 1996 08:05:37 -0600 From: peter@nmti.com (Peter da Silva) Message-Id: <9604061405.AA04040@sonic.nmti.com.nmti.com> Subject: Re: BoS: DNS Spoofing and Java To: danny@BouletFermat.ab.ca (Danny Boulet) Date: Sat, 6 Apr 1996 08:05:37 -0600 (CST) Cc: firewalls@GreatCircle.COM, strombrg@hyrdra.acs.uci.edu.BouletFermat.ab.ca In-Reply-To: <199604041820.LAA07924@nahanni.BouletFermat.ab.ca> from "Danny Boulet" at Apr 4, 96 11:20:04 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The client knows when it's using a proxy. It can simply not allow any connections in that environment. If you're using a proxy odds are you're behind a firewall in any case and you won't be able to make the connection regardless. 
From firewalls-owner Sat Apr 6 07:36:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA25990 for firewalls-outgoing; Sat, 6 Apr 1996 07:27:13 -0800 (PST) Received: from skypoint.com (mirage.skypoint.com [199.86.32.7]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA25976 for ; Sat, 6 Apr 1996 07:27:09 -0800 (PST) Received: from cpu-c.kerker.com (really [199.86.33.127]) by skypoint.com via smtpd with smtp id for ; Sat, 6 Apr 96 09:25 CST (/\==/\ Smail3.1.28.1 #28.6) Message-Id: <2.2.32.19960406152508.00734ef8@mirage.skypoint.com> X-Sender: dpmadson@mirage.skypoint.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sat, 06 Apr 1996 09:25:08 -0600 To: matt@uts.edu.au, dengland@sis.com (Dave England) From: Don Madson Subject: Re: Undeliverable: email to CEO Cc: postmaster@microsoft.com, Firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 02:44 PM 4/6/96 +1000, matt@uts.edu.au wrote: >in their /etc/aliases (yes they run unix machines on their internet >mail connection, not NT or otherwise). I thought that MS was on a very aggressive schedule for cutting over to Exchange, quite a few should be using it already. 
Don Madson (dpmadson@skypoint.com) From firewalls-owner Sat Apr 6 08:02:53 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA26988 for firewalls-outgoing; Sat, 6 Apr 1996 07:56:24 -0800 (PST) Received: from hydra.acs.uci.edu (hydra.acs.uci.edu [128.200.16.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA26982 for ; Sat, 6 Apr 1996 07:56:20 -0800 (PST) Received: from medusa.acs.uci.edu (strombrg@medusa.acs.uci.edu [128.200.16.2]) by hydra.acs.uci.edu (8.7.1/8.7.1) with ESMTP id HAA04386 for ; Sat, 6 Apr 1996 07:54:24 -0800 (PST) Received: by medusa.acs.uci.edu (8.7.4) id HAA23034; Sat, 6 Apr 1996 07:54:22 -0800 (PST) Date: Sat, 6 Apr 1996 07:54:21 -0800 (PST) From: Dan Stromberg To: firewalls@GreatCircle.COM Subject: Re: BoS: DNS Spoofing and Java In-Reply-To: <199604060228.VAA07583@rock.cis.ufl.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Perhaps I should just let these two have their respective final words, but I cannot help but be curious: Has their all-heat and no-light approach dissuaded anyone from considering the verity of my prior statements? For that matter, did anyone really _care_ about this issue enough to think it might merit these irrational attacks? Unless some sort of discussion of relevant _technical_ issues ensues, I'll try to sit on my hands now. On Fri, 5 Apr 1996, F. L. Charles Seeger III wrote: > +------ Dan Stromberg wrote (Fri, 5-Apr-96, 14:58 -0800): > | > | Tee hee. From this, should I assume you were on www-security at the > | time? > > FWIW, yes. > > Now, what brand of netiquette caused you to send a copy of my private > email to you to the firewalls list? > > Please don't waste everyone's time by answering to the entire list. > In case you're as impaired as you seem to be, that is a rhetorical > question and I don't really care to get any answer at all.
In fact, > you're now in my mail kill file, so I'll never be tempted to waste > time on you again. > > Sorry to everyone else for intruding into your mailbox so uselessly. > > Sincerely, > Chuck > From firewalls-owner Sat Apr 6 08:32:00 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA27414 for firewalls-outgoing; Sat, 6 Apr 1996 08:16:06 -0800 (PST) Received: from mail.crl.com (mail.crl.com [165.113.1.22]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA27408 for ; Sat, 6 Apr 1996 08:16:02 -0800 (PST) Received: from crl9.crl.com by mail.crl.com with SMTP id AA27262 (5.65c/IDA-1.5 for ); Sat, 6 Apr 1996 08:10:17 -0800 Received: by crl9.crl.com id AA01630 (5.65c/IDA-1.5); Sat, 6 Apr 1996 08:03:56 -0800 Date: Sat, 6 Apr 1996 08:03:56 -0800 (PST) From: "Joseph W. Stroup" To: Steven Johnson Cc: Firewalls@GreatCircle.COM Subject: Re: HANDS UP! In-Reply-To: Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This list is sort of going down the tubes. I nuke more mail than I read. Joseph Stroup "I have not lost my mind... 
it's backed up on tape somewhere" From firewalls-owner Sat Apr 6 09:28:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA29601 for firewalls-outgoing; Sat, 6 Apr 1996 09:18:03 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA29595 for ; Sat, 6 Apr 1996 09:17:59 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id JAA28538; Sat, 6 Apr 1996 09:11:28 -0800 From: alan@objtech.demon.co.uk Received: from relay-4.mail.demon.net(158.152.1.108) by mycroft via smap (V1.3mjr) id sma028536; Sat Apr 6 09:11:01 1996 Received: from post.demon.co.uk ([158.152.1.72]) by relay-4.mail.demon.net id am13670; 6 Apr 96 17:12 GMT Received: from objtech.demon.co.uk ([158.152.77.186]) by relay-3.mail.demon.net id aa06551; 6 Apr 96 18:08 +0100 X-Sender: (Unverified) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sat, 6 Apr 1996 18:10:26 +0000 To: firewalls@greatcircle.com Subject: Internet Firewalls Frequently Asked Questions Message-ID: <828810519.6551.0@objtech.demon.co.uk> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk please email me with the above Qs &As thanks From firewalls-owner Sat Apr 6 09:45:46 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA29858 for firewalls-outgoing; Sat, 6 Apr 1996 09:32:36 -0800 (PST) Received: from defiant.flash.net (defiant.flash.net [206.149.24.9]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA29851 for ; Sat, 6 Apr 1996 09:32:29 -0800 (PST) From: rakers@flash.net Received: from rakers.flash.net (dp-120.flash.net [206.149.31.120]) by defiant.flash.net (8.6.12/8.6.9) with SMTP id LAA03717 for ; Sat, 6 Apr 1996 11:30:09 -0600 Date: Sat, 6 Apr 1996 11:30:09 -0600 Message-Id: <199604061730.LAA03717@defiant.flash.net> X-Sender: rakers@flash.net X-Mailer: Windows Eudora Light 
Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com Subject: Remove me from the mailing list Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > >Please take me out of mailing list. > >Thank you very much! > > > > > From firewalls-owner Sat Apr 6 10:07:02 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA29642 for firewalls-outgoing; Sat, 6 Apr 1996 09:20:38 -0800 (PST) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA29636 for ; Sat, 6 Apr 1996 09:20:33 -0800 (PST) Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id MAA13145; Sat, 6 Apr 1996 12:23:18 -0500 From: Adam Shostack Message-Id: <199604061723.MAA13145@homeport.org> Subject: Re: Securid BAD Tech Support To: hroller@c2.org Date: Sat, 6 Apr 1996 12:23:17 -0500 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: <960405193742_185562159@emout09.mail.aol.com> from "Rapitsio@aol.com" at Apr 5, 96 07:37:43 pm X-Mailer: ELM [version 2.4 PL24 ME8b] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk :: Request-Remailing-To: Rapitsio@aol.com ## Subject: Re: Securid BAD Tech Support I think that what's being said is that people are dissatisfied with the quality of post-sales support, and that talking to the vendor has, in many cases, failed. Given that, why should we not form a users group to discuss our problems, share code written to ease use of sdadmin, and write an 'ACE users FAQ,' or even a '10 things you should know before buying from Security Dynamics' FAQ. Cutting into the sales of the product by telling people the truth about it is a very powerful technique for fixing what's wrong. Going crazy because of 'Database locked by another administrator' is not useful to your company. Rapitsio@aol.com wrote: > However, we have also had problems with support from this company.
> I am
> getting the feeling that they are too spread out techy wise to help out the
> new accounts. I feel that once they make the sale, all else is back burner
> stuff.
>
> I can only relate this to experience with CA products in that it really
> depends on who (providing you can) you reach for support.
>
> Question: Is it up to us as a 'consumer' to post these concerns to the
> vendor or are these communications intended to remain an 'internal'
> discussion???

From firewalls-owner Sat Apr 6 10:13:19 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA29705 for firewalls-outgoing; Sat, 6 Apr 1996 09:23:44 -0800 (PST)
Received: from pangaea.hypereality.co.uk (pangaea.hypereality.co.uk [194.129.42.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA29699 for ; Sat, 6 Apr 1996 09:23:39 -0800 (PST)
Received: (from remail@localhost) by pangaea.hypereality.co.uk (8.6.9/8.6.9) id RAA11789 for firewalls@greatcircle.com; Sat, 6 Apr 1996 17:22:15 +0100
Hypereality Systems :
Date: Sat, 6 Apr 1996 17:22:15 +0100
Message-Id: <199604061622.RAA11789@pangaea.hypereality.co.uk>
To: firewalls@greatcircle.com
From: cpunk@remail.ecafe.org (ECafe Anonymous Remailer)
Subject: Re: Securid BAD Tech Support
Remailed-By: ECafe Anonymous Remailer
Complaints-To: complaints@remail.ecafe.org
X-WWW: http://www.ecafe.org/~remail/
X-Notice: The contents of this message are neither approved or
X-Notice: condoned by ecafe.org or our host Hypereality Systems.
X-Notice: We bear no liability for misuse of this system.
X-Warn: *** This message was remailed through an anonymous remailer ***
X-Warn: *** Replying to it will not send your reply to the sender ***
Subject: Re: Securid BAD Tech Support
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I think that what's being said is that people are dissatisfied with the quality of post-sales support, and that talking to the vendor has, in many cases, failed.
Given that, why should we not form a users group to discuss our problems, share code written to ease use of sdadmin, and write an 'ACE users FAQ,' or even a '10 things you should know before buying from Security Dynamics' FAQ. Cutting into the sales of the product by telling people the truth about it is a very powerful technique for fixing what's wrong. Going crazy because of 'Database locked by another administrator' is not useful to your company.

Speak for myself, maybe. Clearly not for my employer.

Rapitsio@aol.com wrote:
> However, we have also had problems with support from this company. I am
> getting the feeling that they are too spread out techy wise to help out the
> new accounts. I feel that once they make the sale, all else is back burner
> stuff.
>
> I can only relate this to experience with CA products in that it really
> depends on who (providing you can) you reach for support.
>
> Question: Is it up to us as a 'consumer' to post these concerns to the
> vendor or are these communications intended to remain an 'internal'
> discussion???

From firewalls-owner Sat Apr 6 10:52:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA02786 for firewalls-outgoing; Sat, 6 Apr 1996 10:35:06 -0800 (PST)
Received: from zeus.oanet.com (zeus.oanet.com [204.209.13.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA02761 for ; Sat, 6 Apr 1996 10:34:58 -0800 (PST)
Received: (from iceman@localhost) by zeus.oanet.com (8.7.3/8.7.3) id LAA14835; Sat, 6 Apr 1996 11:35:46 -0700 (MST)
Date: Sat, 6 Apr 1996 11:35:46 -0700 (MST)
From: Barry Kokotailo
To: raf@ezunx.com
cc: firewalls@GreatCircle.COM
Subject: Re: cisco logging for firewalls
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Yes, Ciscos do log to a syslogd daemon. It even logs access filter list violations.
Diplomacy is the art of saying "Good doggy" until you have the time to find a very BIG stick.

On Thu, 4 Apr 1996 raf@ezunx.com wrote:
> I know ciscos do logging of most packet info, but do
> they support syslogd so logs can be sent to another machine?
>
> thanks
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> ** Remember -- Life is NOT a dress rehearsal!
> (nor is it a small furry animal with funny feet and floppy ears...)
>

From firewalls-owner Sat Apr 6 11:07:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA03583 for firewalls-outgoing; Sat, 6 Apr 1996 10:47:01 -0800 (PST)
Received: from mhinside.hcl.com (mhoutside.hcl.com [204.101.87.120]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA03576 for ; Sat, 6 Apr 1996 10:46:57 -0800 (PST)
Received: (rudy@localhost) by mhinside.hcl.com (8.6.12/8.6.5) id OAA16968 for firewalls@GreatCircle.COM; Sat, 6 Apr 1996 14:02:42 -0500
From: Rudy Amid
Message-Id: <199604061902.OAA16968@mhinside.hcl.com>
Subject: udp
To: firewalls@GreatCircle.COM
Date: Sat, 6 Apr 1996 14:02:42 -0500 (EST)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Just curious, does anyone ever let UDP packets through the firewall, even if it's only through one port? Too many apps these days use a UDP port, such as NFS, RA, cuseeme, etc. Other than a tcp proxy, what other alternatives are there?

--
Rudy Amid (rudy@hcl.com)                  [Home URL] http://www.warped.com/~radix
Systems Administrator                     #include
Hummingbird Communications, Ltd.          "We're IT!" -MIS Dept.
1 Sparks Ave. Toronto, Canada. M2H 2W1.
416-496-2200                              [URL] http://www.hcl.com

From firewalls-owner Sat Apr 6 11:43:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA06018 for firewalls-outgoing; Sat, 6 Apr 1996 11:32:49 -0800 (PST)
Received: from scruz.net (nic.scruz.net [165.227.1.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA06011 for ; Sat, 6 Apr 1996 11:32:45 -0800 (PST)
From: raf@ezunx.com
Received: from x.ezunx.com by scruz.net (8.7.3/1.34) id LAA01502; Sat, 6 Apr 1996 11:30:49 -0800 (PST)
Date: Sat, 6 Apr 96 11:36:05 PST
Subject: FW: port 135 ? Locater service?
To: firewalls@greatcircle.com
X-PRIORITY: 3 (Normal)
X-Mailer: Chameleon 4.6, TCP/IP for Windows, NetManage Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I did not get any response from the alpha managers list, so I will try here. Can anyone shed some light on this?

--- On Fri, 5 Apr 96 09:32:18 PST raf@ezunx.com wrote:

>Hi all,
>
> Sort of a network related question on an alpha running netscape
>commerce server.
>
> We are seeing, about every 30 seconds, a subnet broadcast coming
>from this server at port 135 addressed to all nodes in the subnet.
>(oops, is that a redundant statement? )
>
> According to the well known ports listing, 135 is "locater service". I
>can't find anything about it. Anyone know what it is, or is used for?
>Could something on this machine have been remapped so it is using this
>port for something else?
>
> I can't seem to find where it is coming from; it is not in
>inetd.conf... Help?
>
>Thanks,
>rich
>-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>** Remember -- Life is NOT a dress rehearsal!
> (nor is it a small furry animal with funny feet and floppy ears...)
>
-----------------End of Original Message-----------------

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
** Remember -- Life is NOT a dress rehearsal!
(nor is it a small furry animal with funny feet and floppy ears...)

From firewalls-owner Sat Apr 6 12:04:29 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA06899 for firewalls-outgoing; Sat, 6 Apr 1996 11:52:07 -0800 (PST)
Received: from ucsu.Colorado.EDU (ucsu.Colorado.EDU [128.138.129.83]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA06888 for ; Sat, 6 Apr 1996 11:52:02 -0800 (PST)
Received: (from sieber@localhost) by ucsu.Colorado.EDU (8.7.5/8.7.3/CNS-4.0p) id MAA22843; Sat, 6 Apr 1996 12:49:24 -0700 (MST)
Date: Sat, 6 Apr 1996 12:49:24 -0700 (MST)
From: chris sieber
To: firewalls@greatcircle.com
Subject: Filter testing
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings-

I am currently testing a cisco 4000's filtering capabilities and need to test filtering on the following protocols:

Bootp
SMTP
SNMP

Filtering is configured to deny these protocols. We currently have no bootp servers or clients but still have to show that it can be filtered out. What are the most sound ways to test these? Any suggestions would be extremely helpful.
Chris Sieber, University of Colorado

From firewalls-owner Sat Apr 6 12:28:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA08854 for firewalls-outgoing; Sat, 6 Apr 1996 12:23:42 -0800 (PST)
Received: from casbah.gatech.edu (casbah.gatech.edu [130.207.165.18]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA08848 for ; Sat, 6 Apr 1996 12:23:34 -0800 (PST)
Received: from HELO DialupEudora\r\n (jc215@casbah.gatech.edu [130.207.165.18]) by casbah.gatech.edu (8.6.12/8.6.12) with SMTP id PAA17458 for ; Sat, 6 Apr 1996 15:21:16 -0500
Date: Sat, 6 Apr 1996 15:21:16 -0500
Message-Id: <199604062021.PAA17458@casbah.gatech.edu>
X-Sender: jc215@casbah.gatech.edu
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: James Cannady
Subject: Assistance with Intrusion Detection Research
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

I'm in the process of completing a research paper on the current work being done in the field of intrusion detection. While I realize that the topic is not specific to this list, your experience will be invaluable in this project. The results of this survey will be included in a presentation which I am giving at TISC '96 in May. Your help is greatly appreciated.

Jim

-----------------------------------------------------------

INTRUSION DETECTION QUESTIONNAIRE

Mr. James Cannady and Mr. Jay Harrell from the Georgia Tech Research Institute are currently preparing a report on the current state of intrusion detection research. As part of that report, the thoughts and experiences of network professionals are requested as a measure of the effectiveness of current information security measures. Your assistance is greatly appreciated. All responses will be kept absolutely confidential, and anonymous or partial submissions are welcome.
We will present summary results at the TISC conference in May (insert URL here)

We are research faculty of Georgia Institute of Technology and we can be reached by US mail, email, or telephone at the following addresses:

James Cannady
James.Cannady@gtri.gatech.edu
Georgia Tech Research Institute
Atlanta GA 30332-0832
404/894-9730

Jay Harrell
Jay.Harrell@gtri.gatech.edu
Georgia Tech Research Institute
Atlanta GA 30332-0832
404/894-8953

Description of Host System

1. Please describe yourself
   -network administrator
   -management
   -network user
   -other (specify)

2. Please describe the nature of the organization supported by the network
   -Academia
   -Non-profit Organization
   -Manufacturing
   -Telecommunications
   -Computers
   -Transportation
   -Other

3. Please briefly describe the following components of your network:
   -Number of workstations on network
   -Number of users
   -External connections (i.e., Internet)
   -Operating systems

Perception of Need

4. Please rate the following on a scale from 1 (minimal) to 10 (serious)
   a. Your concern for the security of your network
   b. The network administrator's concern for security
   c. The senior management's concern for security
   d. The typical network user's concern for security

5. Please rate the following network threats on a scale of 1 (lowest) to 6 (highest)
   a. Hackers
   b. Crackers
   c. Phreakers
   d. Disgruntled employees
   e. Foreign governments
   f. Economic Competitors

Security Measures

6. What kinds of security measures are utilized on the network:
   -Operating system-based security measures
   -Intrusion detection systems
   -Firewalls
   -Other

7. Do you use commercial off-the-shelf security products? (Please Specify)
   -yes  -no  -don't know  -can't say

8. What types of misuse are you trying to detect?
   -Attempted break-in
   -Masquerading
   -Penetration by legitimate users
   -Viruses
   -Denial-of-Service
   -Other

System Attacks

9. Has your network ever been compromised by an external or internal attack?
   -yes  -no  -don't know  -can't say
   (Please give details if you can)

10.
Were any intrusion detection mechanisms or other security systems employed prior to the attack?
   -yes  -no  -don't know  -can't say
   (Please give details if you can)

11. Were those security mechanisms successful in preventing or minimizing the attack?
   -yes  -no  -don't know  -can't say
   (Please give details if you can)

12. Was the attack reported?
   -yes  -no  -don't know  -can't say
   (Please give details if you can)

13. Were any additional security measures employed after the attack?
   -yes  -no  -don't know  -can't say
   (Please give details if you can)

Comments

14. Please provide any additional comments regarding the security of your system, or your thoughts on the topic of intrusion detection mechanisms.

-----------------------------------------------------------------------------------------

From firewalls-owner Sat Apr 6 13:23:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA11657 for firewalls-outgoing; Sat, 6 Apr 1996 13:04:50 -0800 (PST)
Received: from sunthing.sjsinc.com (sunthing.sjsinc.com [140.174.165.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA11651 for ; Sat, 6 Apr 1996 13:04:43 -0800 (PST)
Received: by sunthing.sjsinc.com Mailer: sendmail (8.6.12/8.6.9) Protocol: Id: NAA04685; Sat, 6 Apr 1996 13:01:32 -0800
Date: Sat, 6 Apr 1996 13:01:32 -0800
From: sjs@sunthing.sjsinc.com (Stefan Jon Silverman)
Message-Id: <199604062101.NAA04685@sjsinc.com>
To: raf@ezunx.com
Subject: Re: FW: port 135 ? Locater service?
Cc: firewalls@greatcircle.com, owen@dlrgatd.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

rich:

On Sat, 6 Apr 96 11:36:05 PST raf@ezunx.com wrote:
>
> I did not get any response from alpha managers list, so I will
> try here. Can anyone shed some light on this?
>
>
> --- On Fri, 5 Apr 96 09:32:18 PST raf@ezunx.com wrote:
>
> >Hi all,
> >
> > Sort of a network related question on an alpha running netscape
> >commerce server.
> >
> > We are seeing, about every 30 seconds a subnet broadcast coming
> >from this server at port 135 addressed to all nodes in the subnet.
> >(oops, is that a redundant statement? )
> >
> > According to well known ports listing, 135 is "locater service". I
> >can't find anything about it. Anyone know what it is, or is used for?
> >Could something on this machine have been remapped so it is using this
> >port for something else?
> >
> > I can't seem to find where it is coming from; it is not in
> >inetd.conf... Help?
>

This is really digging back in my memory (so I may be wrong), but I seem to remember when playing with a DEC Ultrix beast a few years ago that had both TCP/IP and DECNet installed, it was constantly nattering on port 135 TCP/IP looking for DECNet peers to communicate with in that protocol. It would seem likely that this functionality was passed along to DEC Unix given their intention to support their own protocols in addition to TCP/IP.

i.e., natter on TCP/IP-135 --> find DECNet peer --> switch to DECNet

From a past life, I remember that every time I walked into a shop using both protocols my first suggestion was "sub-net the damn DECNet machines behind a filtering router!!!" The constant heart-beating between machines, harkening back to a day when networking was an iffy proposition, consumed a lot of bandwidth...

Not sure how to determine if DECNet is running; haven't had much exposure to DEC Unix since Ultrix. There probably is a Unix equivalent to the VMS SHOW LICENSES (I think that's it) command. Any VMS'ers out there care to comment???

Regards,

b c++'ing u, %-)

sjs

PS: I am my own employer, therefore: "all opinions are twice spoken for;" and they do, in fact, scare the hell out of said employer!!!

-------------------------------------------------------------------------------
Stefan Jon Silverman - President                   SJS Associates, N.A., Inc.
572 Chestnut Street            Distributed Systems Architecture & Implementation
San Francisco, Ca.
94133
Phone: 415 989 2741       Fax: 415 989 7250
E-mail: sjs@sjsinc.com    Cell: 415 519 3494
-------------------------------------------------------------------------------
Weebles wobble, but they don't fall down!!!
-------------------------------------------------------------------------------

From firewalls-owner Sat Apr 6 15:43:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA17898 for firewalls-outgoing; Sat, 6 Apr 1996 15:35:44 -0800 (PST)
Received: from scuacc.scu.edu (scuacc.scu.edu [129.210.8.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id PAA17892 for ; Sat, 6 Apr 1996 15:35:38 -0800 (PST)
Received: from scupdc1.scu.edu by scuacc.scu.edu (PMDF V5.0-6 #2527) id <01I385NFA500003P8H@scuacc.scu.edu> for firewalls@greatcircle.com; Sat, 06 Apr 1996 15:32:14 -0800 (PST)
Received: by scupdc1.scu.edu (4.1/SMI-4.1) id AA05434; Sat, 06 Apr 1996 15:33:46 -0800 (PST)
Date: Sat, 06 Apr 1996 15:33:46 -0800 (PST)
From: yliu@scupdc1.scu.edu (Yuan-Kwei Liu)
Subject: Conferences/meetings
To: firewalls@greatcircle.com
Message-id: <9604062333.AA05434@scupdc1.scu.edu>
Content-transfer-encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

I am interested in attending a firewall/network security/cryptography related conference. I may try to submit a paper later. Could somebody tell me of any meeting coming up this year or next year?

Thanks in advance,

Y.K.
yliu@scupdc1.scu.edu

From firewalls-owner Sat Apr 6 18:36:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA22961 for firewalls-outgoing; Sat, 6 Apr 1996 18:24:03 -0800 (PST)
Received: from gatekeeper.panasonic.com (gatekeeper.panasonic.com [140.212.2.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA07830 for ; Fri, 5 Apr 1996 10:51:27 -0800 (PST)
Received: from mecamail.panasonic.com by gatekeeper.panasonic.com (AIX 3.2/UCB 5.64/4.03) id AA12683; Fri, 5 Apr 1996 13:50:27 -0500
Received: from Microsoft Mail (PU Serial #1486) by mecamail.panasonic.com (PostalUnion/SMTP(tm) v2.1.8d for Windows NT(tm)) id AA-1996Apr05.134600.1486.34255; Fri, 05 Apr 1996 13:48:21 -0500
From: gelbe@panasonic.com (Gelb, Ed)
To: firewalls@GreatCircle.COM ('firewalls')
Message-Id: <1996Apr05.134600.1486.34255@mecamail.panasonic.com>
X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Date: Fri, 05 Apr 1996 13:48:21 -0500
Subject: Re: Firewalls at lower levels?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

KM and MC,

Like you, I am confused with his statement using OSI architecture jargon. I would like to know what he was referring to ... Maybe the good doctor was saying that he depended more on the TCP/IP protocol architecture layers than the OSI. Otherwise, he was blowing smoke at the attendees. Maybe he should read Appendix C: TCP/IP Fundamentals in Brent's book.

Ed
-------------------------------------------------
Ed Gelb
Mailstop 7F-6

Ed Gelb writes:
> I was at a seminar presented by Stuart Holoman, Holocon Inc.
> yesterday, and he said firewalls are not effective/implementable
> below the session layer:
>
> layer 7 - App support
> layer 6 - Presentation
> layer 5 - Session
> layer 4 - Transport
> layer 3 - Network
> layer 2 - Data link
> layer 1 - Physical
>
> Any comments?
> I don't know if he was speaking in abstract terms (e.g., not many
> people know how to make them effective).

I find this very surprising. It would appear that Mr. Holoman is dismissing out of hand the efficacy of packet filters, which operate at the IP level. He may well feel this way, but it would have been nice of him to state *explicitly* that he didn't think *PACKET FILTERS* were effective/implementable, rather than using OSI layer mumbo-jumbo to obfuscate his message. If that was, indeed, his message (based on what he said, who can tell?).

K.M. Goertzel, Program/Project Manager
Secure Systems and Services Operation
WANG FEDERAL, Inc.
7900 Westpark Drive - MS 700
McLean, VA 22102-4299 USA
TEL: 703-827 3914
FAX: 703-827 3161
EMAIL: goertzek@wangfed.com
WEB: http://www.wangfed.com

+-------------------------------------------+
| I am not young enough to know everything. |
|                             - J.M. Barrie |
+-------------------------------------------+

------ Message Header Follows ------
Received: from gatekeeper.panasonic.com by mecamail.panasonic.com (PostalUnion/SMTP(tm) v2.1.8d for Windows NT(tm)) id AA-1996Apr05.131232.1486.21427; Fri, 05 Apr 1996 13:12:32 -0500
Received: from relay7.UU.NET by gatekeeper.panasonic.com (AIX 3.2/UCB 5.64/4.03) id AA23082; Fri, 5 Apr 1996 13:14:34 -0500
Received: from miles.greatcircle.com by relay7.UU.NET with ESMTP id QQakds22226; Fri, 5 Apr 1996 13:04:23 -0500 (EST)
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA24497 for firewalls-outgoing; Fri, 5 Apr 1996 07:40:41 -0800 (PST)
Received: from tuna.wang.com (tuna.wang.com [150.124.136.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA24489 for ; Fri, 5 Apr 1996 07:40:36 -0800 (PST)
Received: from mail.wangfed.com (ns.wangfed.com [159.94.10.19]) by tuna.wang.com (8.6.12/8.6.12tf1) with SMTP id KAA10842 for ; Fri, 5 Apr 1996 10:38:36 -0500
Received: from hfsi.hfsi.com by mail.wangfed.com (1.37.109.4/A.09.00a) id AA04719; Fri, 5 Apr
96 10:28:22 -0600
Received: from [159.94.14.48] by hfsi.hfsi.com (BULL 5.61++/B.O.S 02.01) id AA16110; Fri, 5 Apr 96 10:32:33 -0500
Date: Fri, 5 Apr 96 10:32:33 -0500
Message-Id: <9604051532.AA16110@hfsi.hfsi.com>
From: "KM"
Reply-To: "KM"
To: firewalls@GreatCircle.com
Subject: Re: Firewalls at lower levels?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From firewalls-owner Sun Apr 7 00:23:46 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id XAA00577 for firewalls-outgoing; Sat, 6 Apr 1996 23:59:55 -0800 (PST)
Received: from ns1.goodall.com (ns1.goodall.com [165.113.234.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA00516 for ; Sat, 6 Apr 1996 23:59:42 -0800 (PST)
Received: from speedy (speedy.goodall.com [165.113.234.90]) by ns1.goodall.com (8.6.12/8.6.12) with SMTP id XAA01251; Sat, 6 Apr 1996 23:57:54 -0800
Message-ID: <316775B0.7D08@goodall.com>
Date: Sat, 06 Apr 1996 23:58:40 -0800
From: "Douglas W. Goodall"
Organization: Goodall Software Engineering
X-Mailer: Mozilla 2.0 (WinNT; I)
MIME-Version: 1.0
To: long-morrow@CS.YALE.EDU
CC: firewalls@GreatCircle.COM
Subject: Re: CDROM Writer Drive as a firewall logfile 'dropsafe'?
References: <199603160052.TAA13954@SPARKY.CF.CS.YALE.EDU>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Using a multi-session cd-writer has pros and cons. The good thing is that the throw away session information isn't gone and software can access specific sessions later. The bad thing is that each session must be closed for the session to be readable later, and the closing data takes three minutes of the 72 minute total capacity of a contemporary 5 inch CD. This means you cannot write more than 24 sessions even at 0 length each.

Douglas W.
Goodall
Goodall Software Engineering

From firewalls-owner Sun Apr 7 05:38:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA29256 for firewalls-outgoing; Sun, 7 Apr 1996 05:33:00 -0700 (PDT)
Received: from lint.cisco.com (lint-ether.cisco.com [198.93.170.22]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA29240 for ; Sun, 7 Apr 1996 05:32:55 -0700 (PDT)
Received: from pferguso-pc.cisco.com (c1robo1.cisco.com [171.68.13.1]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id FAA06887; Sun, 7 Apr 1996 05:29:49 -0700
Message-Id: <199604071229.FAA06887@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 07 Apr 1996 08:30:49 -0400
To: Rob Sansom
From: Paul Ferguson
Subject: Re: Auth requests
Cc:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

For what it's worth, access-list violation logging was added to the IOS 11.0 documentation. You can surf over to http://www.cisco.com and check it out in the on-line docs.

- paul

At 03:53 PM 4/4/96 -0800, Rob Sansom wrote:
>Thanks to those of you who informed me about the Cisco access-list 'log'
>command. I looked through my CD for any mention of that command for IOS
>10.3, and found none. _Very_ useful. This was the first 'undocumented
>feature' I have ever encountered in any software that I actually like.
>

--
Paul Ferguson                 ||        ||
Consulting Engineering        ||        ||
Reston, Virginia USA         ||||      ||||
tel: +1.703.716.9538      ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com    c i s c o  S y s t e m s

From firewalls-owner Sun Apr 7 08:08:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA04792 for firewalls-outgoing; Sun, 7 Apr 1996 07:56:20 -0700 (PDT)
Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA04786 for ; Sun, 7 Apr 1996 07:56:16 -0700 (PDT)
Received: from anubis.network.com by nsco.network.com (4.1/1.34) id AA03533; Sun, 7 Apr 96 09:57:52 CDT
Received: from blefscu.network.com by anubis.network.com (4.1/SMI-4.1) id AA28131; Sun, 7 Apr 96 09:56:00 CDT
Date: Sun, 7 Apr 96 09:56:00 CDT
From: amolitor@anubis.network.com (Andrew Molitor)
Message-Id: <9604071456.AA28131@anubis.network.com>
To: firewalls@greatcircle.com
Subject: Re: Firewalls at lower levels?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It is clear on the face of it that you can implement firewalls at lower layers (_vide_ mjr's Ultimate Firewall). I would read the original speaker's words as:

You cannot implement a useful and effective firewall system without being higher-layer aware.

Note that this presumably does not mean you can't bury the code as low level as you like, but just have to snoop on higher layers.

While the statement under discussion may have been stronger than the ones I usually make, there is certainly truth to it.
Andrew

From firewalls-owner Sun Apr 7 08:23:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA04935 for firewalls-outgoing; Sun, 7 Apr 1996 08:01:21 -0700 (PDT)
Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA04919 for ; Sun, 7 Apr 1996 08:00:51 -0700 (PDT)
Received: from anubis.network.com by nsco.network.com (4.1/1.34) id AA03596; Sun, 7 Apr 96 10:02:45 CDT
Received: from blefscu.network.com by anubis.network.com (4.1/SMI-4.1) id AA28152; Sun, 7 Apr 96 10:00:53 CDT
Date: Sun, 7 Apr 96 10:00:53 CDT
From: amolitor@anubis.network.com (Andrew Molitor)
Message-Id: <9604071500.AA28152@anubis.network.com>
To: firewalls@greatcircle.com
Subject: Re: Auth requests
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I poked around cisco's web page, but was too dim to work out how the logging worked, in detail. Am I correct in understanding that the logging mechanism logs a text message with source/dest IP, and dest port, when a packet is dropped by an ACL line with a 'log' option? In particular,

a) you can't log packets that were permitted
b) you can't log anything more than source+dest address, and dest port.

Something our customers like to do is session auditing, log TCP setup/teardown packets, so I am professionally interested in whether our competition can do it. (<-- statement of purpose).
Andrew

From firewalls-owner Sun Apr 7 08:41:16 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA04483 for firewalls-outgoing; Sun, 7 Apr 1996 07:41:09 -0700 (PDT)
Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA04470; Sun, 7 Apr 1996 07:41:03 -0700 (PDT)
Received: by mercury.Sun.COM (Sun.COM) id HAA15940; Sun, 7 Apr 1996 07:39:01 -0700
Received: from congress.East.Sun.COM by East.Sun.COM (5.x/SMI-5.3) id AA25890; Sun, 7 Apr 1996 10:38:57 -0400
Received: from traveller.East.Sun.COM by congress.East.Sun.COM (4.1/SMI-4.1) id AA21267; Sun, 7 Apr 96 10:38:30 EDT
Received: by traveller.East.Sun.COM (SMI-8.6/SMI-SVR4) id KAA19535; Sun, 7 Apr 1996 10:38:51 -0400
From: Wayne.Gifford@East.Sun.COM (Wayne Gifford - Internet Commerce Group)
Message-Id: <199604071438.KAA19535@traveller.East.Sun.COM>
Subject: Re: Users who forget their passwords
To: firewalls-owner@GreatCircle.COM (Alex Pakter)
Date: Sun, 7 Apr 1996 10:38:50 -0500 (EDT)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <199604051241.OAA25480@argo.omnitel.it> from "Alex Pakter" at Apr 5, 96 02:41:18 pm
X-Mailer: ELM [version 2.4 PL21]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> something around your workspace, and read the password off it. For
> example, it might be the reversed ISBN number off that book on the second
> shelf. Or the first line of the third chapter. Or the address of the
> company that makes your favorite computer
> game. Or the service ID number of your colleague's computer.
> There's no need to write down your password when your workspace is CRAMMED
> with pre-written-down passwords. You just have to pick one.
>
> Now, the important part is not to let everyone see you craning your neck to
> see the serial number of your computer every 10 minutes. Be a little more
> subtle/clever.
> Or even better, using dvorak type your common text password as if you were using a qwerty... -or pretend your qwerty is an 029 and use numeric passwords

giff
--
Wayne Gifford                    giff@incog.com
Sun Internet Commerce Group      Phone 703-716-6426
2100 Reston Parkway              Phax 703-620-1244
Reston VA, 22091                 http://www.incog.com

From firewalls-owner Sun Apr 7 09:53:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA08240 for firewalls-outgoing; Sun, 7 Apr 1996 09:49:07 -0700 (PDT)
Received: from mail.RC.Toronto.on.ca (rcooper.the-wire.com [198.53.192.91]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA08234 for ; Sun, 7 Apr 1996 09:49:02 -0700 (PDT)
Received: from rwcooper.rc.toronto.on.ca ([205.206.47.2]) by mail.RC.Toronto.on.ca (post.office MTA v1.9.3 evaluation license) with SMTP id AAA192; Sun, 7 Apr 1996 12:46:56 -0400
Received: by rwcooper.rc.toronto.on.ca with Microsoft Mail id <01BB247F.2505BC40@rwcooper.rc.toronto.on.ca>; Sun, 7 Apr 1996 12:38:38 -0400
Message-ID: <01BB247F.2505BC40@rwcooper.rc.toronto.on.ca>
From: Russ
To: "raf@ezunx.com" , "'Stefan Jon Silverman'"
Cc: "firewalls@GreatCircle.COM" , "owen@dlrgatd.com"
Subject: port 135 ? Locater service?
Date: Sun, 7 Apr 1996 12:38:36 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Microsoft Exchange uses port 135 to make its RPC connections between Exchange Servers.
Cheers,
Russ

From firewalls-owner Sun Apr 7 11:08:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA10618 for firewalls-outgoing; Sun, 7 Apr 1996 10:53:01 -0700 (PDT)
Received: from hydra.acs.uci.edu (hydra.acs.uci.edu [128.200.16.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA10608 for ; Sun, 7 Apr 1996 10:52:57 -0700 (PDT)
Received: from medusa.acs.uci.edu (strombrg@medusa.acs.uci.edu [128.200.16.2]) by hydra.acs.uci.edu (8.7.1/8.7.1) with ESMTP id KAA23418 for ; Sun, 7 Apr 1996 10:50:55 -0700 (PDT)
Received: by medusa.acs.uci.edu (8.7.4) id KAA22098; Sun, 7 Apr 1996 10:50:51 -0700 (PDT)
Date: Sun, 7 Apr 1996 10:50:51 -0700 (PDT)
From: Dan Stromberg
To: firewalls@GreatCircle.COM
Subject: RE: BoS: DNS Spoofing and Java
In-Reply-To: <01BB247D.B52DA500@rwcooper.rc.toronto.on.ca>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This was sent to me privately, along with a large amount of flame-bait which I've chosen to delete. I've responded very tersely to the list, preserving the anonymity of the sender.

On Sun, 7 Apr 1996, xyzzy wrote:
> Dan, this is a private email, and I would appreciate it if you could keep it private.

Then you, the person who sent this message, are instructed never to e-mail me privately. A repeat performance will be construed as an invitation to take this back to the originating list, without preserving your anonymity.

If you care to discuss the tech of this issue, the list _may_ benefit from it being discussed there. If you'd prefer to flame rather than discuss the tech, then I have no time for you. I have little patience for those who would prefer to scream their preferences on technical matters into acceptance, rather than conduct well thought out discussions _of_ the tech.

BTW, your mailer sends messages that don't wrap at the 80th column. Please fix it.
---
For a myth-destroying time, try http://www.oac.uci.edu/support/dcs/why-solaris.html

From firewalls-owner Sun Apr 7 12:08:47 1996
From: "Marcus J. Ranum"
Message-Id: <199604071850.OAA29656@clark.net>
Subject: Re: encryption as only form of security
To: firewalls@greatcircle.com
Date: Sun, 7 Apr 1996 14:50:40 -0400 (EDT)
Reply-To: mjr@v-one.com
Organization: V-One Corporation, Baltimore, MD

Peter Stephenson writes:
> You have to know Stuart to understand his position on this. He takes the
> position that any form of access control (including firewalls) can be
> subverted. He says that the only real security is encryption.

Any kind of access control based simply on packets rather than on some kind of secret sharing (e.g., encryption) is subvertible in theory, yes. But that is not the same thing as saying "firewalls above layer XXX are inherently crap." Or does he dismiss application level encryption out of hand?

There is a school of thought that holds that IP-level crypto will solve everything and firewalls, etc, will go away once we've got decent encrypted packet formats and some kind of key exchange mechanism in place.
I personally feel this view is naive, because it neglects the problem of defining trust boundaries and controlling access between them.

Suppose I have a network of 100 machines which all talk encrypted with each other using key 'K1'. Suppose that they trust anyone who talks to them encrypted under 'K1' - holding 'K1' means you're now a member of the network. The means by which K1 is exchanged is an implementation detail; our network security is based on a single shared secret. Any member of network K1 that is compromised means the rest of K1 is compromised.

Everything is hunky-dory until one day someone realizes that we can't talk to anyone!! No SMTP mail can come in, because unless you have K1 you can't talk to my SMTP server. So I set up a listener on one of my machines that will accept in-the-clear (you no longer need K1) connections on port 25, for Email. That *IS* my firewall. Specifically, it's an Email firewall between K1 and the rest of the world. If I built that firewall using Sendmail5.56, then it's not a very good firewall, and as soon as someone pokes a hole in it, they're now a member of K1 and it's all over but the shouting.

Suppose that my friend 'bob' has a network that is under 'K2' and instead of talking to the whole Internet, in the clear, I will only accept traffic from K2. Same problem. I will now only be potentially attacked from my buddy bob's K2 machines but I now have to ask bob if he's sure he's not running Sendmail5.56 or if he's not taking in-the-clear traffic from non-member networks, and how they are secured.

Encryption doesn't really help much, other than making sure that your tangled web of trust is hard to interfere with from the outside. The question is what controls are in place to keep someone, anyplace, from becoming an insider. Transitive trust is still a HUGE problem in network security, and encryption, blindly applied, doesn't help with it one tiny bit.
When someone is standing up saying, "encryption is the ONLY solution" then they are either selling encryption or they are only thinking about a piece of the problem.

> In my next column for InfoSecurity News I explore a practical
> implementation of his theory. Also, when Stuart lectures he tends to be
> provocative on purpose to stimulate discussion and thought. I don't
> completely agree with him, but his points are certainly worth exploring and,
> for the many who are just beginning to feel their way in this environment,
> it's these types of issues that require consideration.

Sounds like it'll be interesting to read and I know I look forward to it. However, as you say, many are just beginning to feel their way in this environment, and it's important to try to maintain a balanced view. I say this because he's probably just making life more difficult for everyone. A number of the more moderate among us will now probably have to do some damage control to try to rationally explain his views in terms of the larger context. It's often been a source of frustration to me when I run into the kind of brain-viruses that such lecturers give their students - having to explain, for example, to a customer why outlawing ALL UDP (including DNS) is not a great idea, in spite of the fact that the "expert" said "ALL UDP IS EVIL."

mjr.
--
Chief Scientist, V-ONE Corporation -- "Security for a connected world"
work     http://www.v-one.com
personal http://www.clark.net/pub/mjr/mjr-top.html

From firewalls-owner Sun Apr 7 14:23:47 1996
From: Les Carleton
To: Renee Landers
Cc: firewalls@greatcircle.com
Subject: Re: Proxying Lotus Notes
Date: Sun, 07 Apr 1996 12:08:03 GMT
Organization: The Doghouse
Reply-To: les@tracker.demon.co.uk
Message-Id: <3167a317.1260528@post.demon.co.uk>
References: <9604032242.AA16887@shlep.sware.com>
In-Reply-To: <9604032242.AA16887@shlep.sware.com>

On Wed, 03 Apr 96 17:42:09 EST, you wrote:
> Another idea I had was that it might be possible to use the Notes server as
> a proxy, since it appears to be possible to direct/control client access to
> servers this way. However, I don't have any experience administering Notes,
> so I'm not sure how difficult this would be to set up, and I am also not aware
> of its security holes (assuming that there are some).

This might cause you more security problems than you might think, because you're giving folks on the outside direct access to hit one of your Notes Servers. _If_ someone does find a way into the server, then unless you also use some form of access list to prevent anyone hitting the server, then they can get in.
What's really required is some firewall vendor to come up with a real notes proxy which understands the protocol ... anyone volunteer? There is a market for this, certainly I know of a couple of customers who'd like it.

...Les...

+-----------------------------------------------+
| Les Carleton    Firewalling Consultant        /  "The Software Lifeguard"
| These are my views ... not my employer's     /  les@tracker.demon.co.uk
|                                              /
+-------------------------------------------+
"Open Standards ... Free Software ... Live Free or Fry!"

From firewalls-owner Sun Apr 7 18:19:20 1996
From: Russ
To: "'Firewalls'"
Subject: FW: BoS: DNS Spoofing and Java
Date: Sun, 7 Apr 1996 20:51:22 -0400
Message-ID: <01BB24C3.FBF85840@rwcooper.rc.toronto.on.ca>

Since Dan chose to reply to my mail in public, and left the "in reply to" tag untouched, thereby identifying me as the anonymous poster he strived so hard to keep anonymous, here's my message to him.
----------
From: Russ[SMTP:Russ.Cooper@RC.Toronto.on.ca]
Sent: Sunday, April 07, 1996 12:28 PM
To: 'Dan Stromberg'
Subject: RE: BoS: DNS Spoofing and Java

Dan, this is a private email, and I would appreciate it if you could keep it private.

In your first two posts on the topic you tried to indicate that it had already been discussed ad nauseam on www-security, then you go and post a summary that was obviously slanted towards your arguments. If this wasn't a taunt then I don't know what is. It seemed nothing more than an attempt to bring an argument into the Firewalls list which began somewhere else, presumably with the hopes that you could succeed here where you had previously failed. Very childish...

Then you enter into a public flamefest with EKR, including posting a message, which was sent to you privately, to the Firewalls list. Again, the only purpose of this was not to discuss technology, but to air your grievances yet again. Very childish...

Then, after you have ignored further technical discussion on the topic, you have the gall to ask if any of us have changed our views based on your input. Since you did not see fit to respond to the technical questions posed about your missives, how do you think you could have affected us? Danny Boulet's message of the 4th was a direct response to your edict, but you never responded publicly. Or Steve Gibbons' message? Was your flame war with EKR so important that the topic became irrelevant to you?

IMHO, this is not how intelligent discussion or enlightenment occurs. Your view may be wrong, then again, it may be right. The only way you, or anyone else, will know for sure is if you engage in useful discussion about the topic. Your first posts were perfectly in line with that idea, but then you digressed...
I strongly suggest that you consider the tactics which you've displayed in this foray and decide, for yourself, whether or not you succeeded in whatever your original, presumably selfless, motives were. I, for one, don't think so.

Cheers,
Russ

From firewalls-owner Sun Apr 7 19:56:21 1996
Message-Id: <2.2.32.19960408014356.002e1b90@earth.ops.neosoft.com>
Date: Sun, 07 Apr 1996 20:43:56 -0500
To: Chai Harjo, matt@uts.edu.au
From: "William S. Duncanson"
Subject: Re: Undeliverable: email to CEO
Cc: Firewalls@GreatCircle.COM

>>
>> in their /etc/aliases (yes they run unix machines on their internet
>> mail connection, not NT or otherwise).
>>
>
> How do you know about this?
> Are you sure they are not using NT?
> It is bizarre that they don't trust their own product!!!
>
> Chai Harjo
>

Uhhh... they are running NT as their internet mail servers:

    > set type=mx
    > microsoft.com
    Server:  centurion
    Address:  127.0.0.1

    Non-authoritative answer:
    microsoft.com   preference = 10, mail exchanger = abash1.microsoft.com
    microsoft.com   preference = 10, mail exchanger = tide19.microsoft.com
    microsoft.com   preference = 10, mail exchanger = tide21.microsoft.com

    Authoritative answers can be found from:
    microsoft.com   nameserver = ATBD.microsoft.com
    microsoft.com   nameserver = DNS1.NWNET.NET
    microsoft.com   nameserver = DNS2.NWNET.NET
    abash1.microsoft.com    internet address = 131.107.3.23
    tide19.microsoft.com    internet address = 131.107.3.29
    tide21.microsoft.com    internet address = 131.107.3.31
    ATBD.microsoft.com      internet address = 131.107.1.7
    DNS1.NWNET.NET  internet address = 192.220.250.1
    DNS2.NWNET.NET  internet address = 192.220.251.1

    pluto /usr/home/caesar $ telnet tide19.microsoft.com 25
    Trying 131.107.3.29...
    Connected to tide19.microsoft.com.
    Escape character is '^]'.
    220 red-06-imc.itg.microsoft.com Microsoft Exchange Internet Mail Connector 4.0.837.3 ready
    quit
    221 closing connection
    Connection closed by foreign host.

William S.
Duncanson
Neosoft Network Operations
william@neosoft.com, caesar@neosoft.com
(713) 968-5800 or (800) 438-6367

From firewalls-owner Sun Apr 7 20:30:38 1996
Message-ID: <01BB24CF.659DEF20@rwcooper.rc.toronto.on.ca>
From: Russ
To: "'mjr@v-one.com'"
Cc: "'Firewalls'"
Subject: RE: encryption as only form of security
Date: Sun, 7 Apr 1996 22:13:05 -0400

I would just like to say, as a former employee of Tandem Computers, that neither their K1 series nor their K2 series ever had a problem talking to each other, let alone Bob.
Cheers,
Russ

...Tandem Himalaya K1xxx or K2xxx machines...;-]

From firewalls-owner Sun Apr 7 20:55:25 1996
Date: Mon, 8 Apr 1996 11:36:10 +0800 (CST)
From: Su Yunfei
To: firewalls@GreatCircle.COM
Subject: ip masquerading
In-Reply-To: <176BE715E5@lug.utb.falun.se>

Hello, everybody.

Now I do not have enough ip addresses, I want to put another network connected to the internet using one of the following two ways:

1. Cisco Internet Junction. This is a gateway for using ipx in the local network; if one machine asks for internet function, it must attach to an ij gateway. But we found that in Win95, if you start the ij client, the tcp/ip packages in Win95 Plus can't run correctly, but netscape or other winsock applications are ok. And the ij Server's efficiency is an anxious problem.

2. Linux masquerading. Using a linux machine to act as a gateway, and the interior machines using virtual ip addresses; virtual ip addresses can be masqueraded by linux to another valid ip address. But they said there are some bugs in it so I worry about its stability.

Each of the two ways has its advantages and defects. Would somebody give me some advice about this, or another way, another product? Thankful in advance.
Yunfei Su

From firewalls-owner Sun Apr 7 20:56:12 1996
From: Edward Maillet
Message-Id: <9604080124.AA10267@doc.cs.usm.maine.edu>
Subject: RAS and technical people
To: firewalls@greatcircle.com
Date: Sun, 7 Apr 1996 21:24:44 -0400 (EDT)

Hey all,

Got a "touchy" question for you. There are several highly technical people that are in the engineering/software development group(s) at my wonderful place of employment. Most of them are running Windows NT workstation and, being the techies that they are, refuse to allow the MIS group to be administrators of their machines. It's not altogether unreasonable since I don't want to be bothered every time they need to install some new wiz bang development tool, etc. and they're generally smart enough to fix what they break on their machines.

However, they also have modems in their machines and use them to RAS in from home. There is a company-wide RAS dial-in system that is (soon to be actually) SecureID'd that gives the exact same access. Is it worth the extremely heated argument to force them not to set up their modems for dial-in? And if so, does anyone have some REALLY strong technical arguments what the security risks are even when the modems are set to dial back their home?
Sure, dial back can be tricked (I'm told) (or even better break into their home) and sure someone could then guess the password on their machine (or tap the phone line) but all this is an extremely(?) technical attack versus stealing a secureID card and guessing a password/PIN thingy.

Is it worth the argument or should I just require them to use dial back when connecting from home and use the secureID/Corp RAS when on the road (rare)?

Rational Responses only please. (Ok funny ones too.)

-----
Ed Maillet

From firewalls-owner Sun Apr 7 22:10:17 1996
Message-Id: <199604080503.WAA11348@miles.greatcircle.com>
From: Darren Reed
Subject: Re: Firewalls at lower levels?
To: amolitor@anubis.network.com (Andrew Molitor)
Date: Mon, 8 Apr 1996 15:03:42 +1000 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9604071456.AA28131@anubis.network.com> from "Andrew Molitor" at Apr 7, 96 09:56:00 am

In some mail from Andrew Molitor, sie said:
>
> It is clear on the face of it that you can implement firewalls
> at lower layers (_vide_ mjr's Ultimate Firewall). I would read the original
> speaker's words as:
>
> You cannot implement a useful and effective firewall system
> without being higher-layer aware.
>
> Note that this presumably does not mean you can't bury the
> code as low level as you like, but just have to snoop on higher layers.
> While the statement under discussion may have been stronger than the
> ones I usually make, there is certainly truth to it.

If I can take that a bit further, to effectively do filtering at lower layers (network), you have to model what would happen at higher layers, which goes back to the virtual machine model. This can introduce problems: I've got a TCP packet, it has some data in it, but how do I know whereabouts that data fits into the entire stream?

What can be found in current Linux kernels (1.3.84) is a good example of the wrong way to try and filter TCP data in the kernel (see `IP masquerading' apps, linux/net/ip_masq_app.c and friends) and is much more suited to the likes of UDP/ICMP. UDP/ICMP are much easier to handle; you only have the current packet and maybe one or two prior which tell you everything about what you should be doing, although you may have to reassemble some fragments to get the full picture.

Darren

From firewalls-owner Sun Apr 7 22:39:23 1996
From: Song Eui
Message-Id: <199604080106.KAA11626@nic.nca.or.kr>
To: firewalls@GreatCircle.COM
Cc: majordomo@GreatCircle.COM
Subject: help me!
Date: Mon, 8 Apr 96 10:06:57 KST

dear,

I'm going to install http-gw of tis-fwtk, but I have some problem.
When I access the http server at the client through http-gw, I think http-gw is not operating. What do I need to configure, on what system, where more?

1.1.1.1, 2.2.2.2, 3.3.3.3 are example ip addresses.
1.1.1.1 is the client host.
2.2.2.2 is the default-httpd server.
3.3.3.3 is http-gw.

    1.1.1.1   =>   3.3.3.3   =>   2.2.2.2
    client         http-gw        http server

1) /etc/service configuration

    http 80

2) /etc/inetd.conf configuration

    http stream tcp nowait root /usr/local/etc/http-gw

3) /usr/local/etc/netperm-table configuration

    http-gw: permit-hosts 1.1.1.1
    http-gw: default-httpd 2.2.2.2

4) at 1.1.1.1 (client) the web browser is configured with proxy server 3.3.3.3 and port number 80

From firewalls-owner Sun Apr 7 22:54:25 1996
Message-Id: <199604080552.PAA21442@maverick>
Subject: microsoft, correction
To: firewalls@greatcircle.com (Firewalls Mailing List)
Date: Mon, 8 Apr 1996 15:50:37 +1000 (EAST)
From: matt@uts.edu.au

it would seem that microsoft has rolled out exchange since i last checked.
i still wonder where their postmaster mail goes.

Matt
--
#!/bin/sh
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D3F204445524F42snlbxq'|dc;exit
Matthew Keenan  Data Network Admin  Information Technology Division
University of Technology Sydney  Australia
It's nice to be in a position where people apologize because they assume there's humor in your work, based on past experience, but they're not sure where it is. -- Rob Pike

From firewalls-owner Sun Apr 7 23:09:23 1996
From: Dennis Moroney
Message-Id: <199604080542.XAA06787@SterCtl.com>
Subject: Re: Auth requests
To: amolitor@anubis.network.com (Andrew Molitor)
Date: Sun, 7 Apr 1996 23:42:15 -0600 (CST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9604071500.AA28152@anubis.network.com> from "Andrew Molitor" at Apr 7, 96 10:00:53 am

According to Andrew Molitor:
>

maybe the subject of your mail should be 'Cisco filtering help' or the like next time. :-)

> I poked around cisco's web page, but was too dim to work out
> how the logging worked, in detail.

IMHO, it sounds like you are trying to figure out too much at one time. Remember the pygmy principle. How does a pygmy eat an elephant? One little bite at a time ...

>
> Am I correct in understanding that the logging mechanism logs
> a text message with source/dest IP, and dest port, when a packet is
> dropped by an ACL line with a 'log' option?

Yes, but 'dropped' is the wrong term to use. I will explain shortly.
>
> In particular, a) you can't log packets that were permitted
> b) you can't log anything more than source+dest address, and dest port.

a) permitted and/or denied packets can be logged, if desired.
b) logging will report source IP, source port, destination IP *and* destination port.

You have failed to understand how the access list(s) are evaluated.

1. The access list is evaluated from top to bottom.

2. Any access list rule that matches the specified criteria will cause evaluation of the access list to terminate. In other words,

    access-list 101 permit tcp any gt 1023 host aa.bb.cc.dd eq 21

will allow any source address with a source port >1023 to connect to destination host aa.bb.cc.dd at destination port 21 (Don't worry too much about my 'shorthand' style, I learned it from the router IOS by watching how it dumps the access lists and spending some time RTFM. really.)

3. The 'log' verb may be added to *any* filter rule, therefore

    access-list 101 permit tcp any gt 1023 host aa.bb.cc.dd eq 21 log

will result in a message similar to the following:

    date/time router.your.domain ee.ff.gg.hh(1065) -> aa.bb.cc.dd(21)

the 'permit' action could be easily changed to 'deny' and the packet would still be logged.

4. Any packet that does not match any filter rule is implicitly dropped silently. I put a big fat deny rule at the end of each list similar to the following:

    access-list 101 deny ip any any log

to report what just got dropped on the floor.

> Something our customers like to do is session auditing, log
> TCP setup/teardown packets, so I am professionally interested in
> whether our competition can do it. (<-- statement of purpose).

[opinion on]
I think logging permitted packets is a bad idea because you are setting yourself up for denial-of-service problems by making the router log possibly *every* packet that crosses its interface(s). Have you ever watched a typical FTP session at the packet level with something like tcpdump?
Can whatever logging infrastructure you are thinking about handle a deluge of router messages during periods of even moderate activity? Why don't you try to find a method of logging the sessions at the application level? That seems to make a lot more sense from an accounting and/or auditing standpoint.
[opinion off]

I will send you information about a Cisco application note I used while commissioning one of their routers. In the meantime, browse the UniversCD if you have it already.

One final note, I would like to move this discussion off-line. How 'bout you?

--
Dennis Moroney

From firewalls-owner Sun Apr 7 23:39:23 1996
Message-ID: <01BB24E7.B2323220@mossad.thecia.net>
From: Speed Racer
Cc: "firewalls@GreatCircle.COM"
Subject: RE: Firewalls at lower levels?
Date: Mon, 8 Apr 1996 01:07:00 -0400

>
> I was at a seminar presented by Stuart Holoman, Holocon Inc.
> yesterday, and he said firewalls are not effective/implementable
> below the session layer:
>
> layer 7 - App support
> layer 6 - Presentation
> layer 5 - Session
> layer 4 - Transport
> layer 3 - Network
> layer 2 - Data link
> layer 1 - Physical
>
> Any comments?
> I don't know if he was speaking in abstract terms (e.g., not many
> people know how to make them effective).

I think everyone's kinda missing the obvious here... perhaps his diagram goes the OTHER direction (I know it's not 'sposed to, but maybe it does), and he meant that firewalls aren't implementable in layers 6 & 7 above. I'm almost certain they can handle traffic almost anywhere between session and the physical layer... correct me if I'm wrong. I'm also almost certain that they can't be implemented in 6 & 7, and I know the reasons are obvious to anyone who's actually read anything about firewalls, so I won't state them here.

shag

Judd Bourgeois  shagboy@thecia.net  Finger for PGP public key
I've seen the other side and I say - I've been insane - And I will never be the same - 311, "Homebrew"

From firewalls-owner Mon Apr 8 01:03:02 1996
Message-Id: <199604080743.AAA01270@doom>
From: Graham Orndorff
Date: Mon, 8 Apr 96 00:43:17 -0700
To: Firewalls@GreatCircle.COM
Subject: screend and network tuning on Alpha

Hey now everybody.

I mailed a request off to the alpha managers list, with no results - I thought I would try here. My apologies if this is an incorrect forum for this question.
I have an Alpha server 1000 w/64 Megs of RAM running Digital Unix 3.2D and 2 ethernet cards working as a packet filtering router as part of my firewall. It is running fairly current gated (3.5 beta) and the version of screend that ships with Digital Unix (I have no idea which version -- probably pretty old). It runs almost nothing else. I am trying to make it run as fast as possible.

My question is: Is there any reason to upgrade to the latest screend? Any problems with doing so? Also, does anybody know of any network performance tuning I can do with Digital Unix? (or just system performance tuning in general) The little documentation I have has no suggestions.

Thanks for any information you can give,

-graham
orndorff@adobe.com

From firewalls-owner Mon Apr 8 03:24:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id DAA01465 for firewalls-outgoing; Mon, 8 Apr 1996 03:17:19 -0700 (PDT)
Received: from close.demon.co.uk (close.demon.co.uk [158.152.8.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id DAA01459 for ; Mon, 8 Apr 1996 03:17:11 -0700 (PDT)
Received: (from smap@localhost) by close.demon.co.uk (8.6.12/8.6.9) id KAA16938 for ; Mon, 8 Apr 1996 10:04:43 +0100
Received: from shut.ticl.co.uk(193.32.1.3) by gate.ticl.co.uk via smap (V1.3) id sma016936; Mon Apr 8 10:04:37 1996
Received: by shut.ticl.co.uk with Microsoft Mail id <01BB253C.2CC82400@shut.ticl.co.uk>; Mon, 8 Apr 1996 11:11:46 +-100
Message-ID: <01BB253C.2CC82400@shut.ticl.co.uk>
From: Peter Curran
To: "firewalls@greatcircle.com"
Subject: RE: encryption as only form of security
Date: Mon, 8 Apr 1996 11:11:44 +-100
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Marcus J Ranum writes:
> However, as you say, many are just
> beginning to feel their way in this environment, and it's
> important to try to maintain a balanced view.
> I say this because
> he's probably just making life more difficult for everyone. A
> number of the more moderate among us will now probably have to
> do some damage control to try to rationally explain his views
> in terms of the larger context. It's often been a source of
> frustration to me when I run into the kind of brain-viruses
> that such lecturers give their students - having to explain,
> for example, to a customer why outlawing ALL UDP (including DNS)
> is not a great idea, in spite of that the "expert" said "ALL
> UDP IS EVIL."

Marcus, as usual you are right on the button!! However, I sympathise with the 'lecturers' to a degree. I do a bit in that line myself and am continually amazed that I can say, for example, "You should ask yourself 'Do I really need this?' for every UDP protocol that you want to enter your network/firewall". A number of students will interpret this as either "ALL UDP is bad", or "All UDP is good". A very small minority will actually get the message that configuring a firewall is about risk assessment and management.

What I am trying to say is that whilst there are a lot of guys walking around with tall hats and spurs invading this business, there are also a lot of guys who wouldn't know the difference between an IP Datagram and a telnet option negotiation making decisions on the user side. It may not be bad information out of the mouth of the lecturer, but poor understanding on the part of the listener (with apologies to the guy who posted the original question).

My 2p.
Peter Curran

From firewalls-owner Mon Apr 8 07:04:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA09518 for firewalls-outgoing; Mon, 8 Apr 1996 06:44:42 -0700 (PDT)
Received: from dcc.com (ns [204.147.95.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA09512 for ; Mon, 8 Apr 1996 06:44:38 -0700 (PDT)
Received: from smtp.dcc.com ([204.147.93.69]) by gateway.dcc.com with SMTP id <71425>; Mon, 8 Apr 1996 08:51:40 -0500
Received: by smtp.dcc.com with Microsoft Mail id <316925C9@smtp.dcc.com>; Mon, 08 Apr 96 07:42:17 PDT
From: "Moubray, Steve"
To: "'firewalls@greatcircle.com'"
Subject: Securing TLS
Date: Mon, 8 Apr 1996 10:39:00 -0500
Message-ID: <316925C9@smtp.dcc.com>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Has anyone looked at the security issues with Transparent LAN Services (TLS)? Basically it's a shared fiber ring similar to FDDI with the bandwidth being split into 4, 10 or 16MB segments for each customer. Is there any way for one person on the ring to intercept and interpret the data going to another customer?
TIA

From firewalls-owner Mon Apr 8 08:39:29 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA13326 for firewalls-outgoing; Mon, 8 Apr 1996 08:35:17 -0700 (PDT)
Received: from sunflower.singnet.com.sg (proxy.singnet.com.sg [165.21.1.58]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA13277; Mon, 8 Apr 1996 08:32:50 -0700 (PDT)
Received: from equinox.singnet.com.sg (ts900-2611.singnet.com.sg [165.21.9.31]) by sunflower.singnet.com.sg (8.6.12/8.6.9) with SMTP id XAA05939; Mon, 8 Apr 1996 23:27:11 +0800
Date: Mon, 8 Apr 1996 23:27:11 +0800
Message-Id: <199604081527.XAA05939@sunflower.singnet.com.sg>
X-Sender: deva@equin.com
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.COM
From: Devarajan
Subject: signoff firewalls shriram@fuwutai.att.com
Cc:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

signoff firewalls shriram@fuwutai.att.com

From firewalls-owner Mon Apr 8 09:09:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA13365 for firewalls-outgoing; Mon, 8 Apr 1996 08:36:23 -0700 (PDT)
Received: from tuna.wang.com (tuna.wang.com [150.124.136.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA13349 for ; Mon, 8 Apr 1996 08:36:16 -0700 (PDT)
Received: from mail.wangfed.com (ns.wangfed.com [159.94.10.19]) by tuna.wang.com (8.6.12/8.6.12tf1) with SMTP id LAA05977; Mon, 8 Apr 1996 11:33:36 -0400
Received: from hfsi.hfsi.com by mail.wangfed.com (1.37.109.4/A.09.00a) id AA15786; Mon, 8 Apr 96 11:23:16 -0500
Received: from [159.94.14.48] by hfsi.hfsi.com (BULL 5.61++/B.O.S 02.01) id AA08903; Mon, 8 Apr 96 11:27:24 -0400
Date: Mon, 8 Apr 96 11:27:24 -0400
Message-Id: <9604081527.AA08903@hfsi.hfsi.com>
From: "KM"
Reply-To: "KM"
To: kwakh@ctrvax.Vanderbilt.Edu, firewalls@GreatCircle.com
Subject: Re: Most Popular Firewalls
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In message <01I37KX2ND2A8XUV5G@ctrvax.Vanderbilt.Edu> Joon Kwak writes:
> What firewalls are the most popular these days?
> I need some brand names.

Trusted Information Systems' GAUNTLET, which has been licenced (or at least their publicly-published TIS firewall library has been licenced) and enhanced by a number of other vendors to create several different flavours of GAUNTLET, as well as being available in its original form directly from TIS.

Checkpoint Software Technologies' FIREWALL-1

BorderWare Firewall Server

Harris' CYBERGUARD has got a lot of very good press. I'm not sure, however, if that good press has translated into lots of sales for them...at least yet.

K.M. Goertzel
Manager, International Programs and Special Projects
Secure Systems and Services Operation
WANG FEDERAL, Inc.
7900 Westpark Drive - MS 700
McLean, VA 22102-4299 USA
TEL: 703-827 3914 FAX: 703-827 3161
EMAIL: goertzek@wangfed.com WEB: http://www.wangfed.com

+------------------------------------------+
| Never put off until Tomorrow what should |
| have been Done early in the Seventies.
|
| - George Ade |
+------------------------------------------+

From firewalls-owner Mon Apr 8 11:09:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA19082 for firewalls-outgoing; Mon, 8 Apr 1996 10:57:49 -0700 (PDT)
Received: from bagout.bell-atl.com (bagout.Bell-Atl.Com [192.204.96.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA19040 for ; Mon, 8 Apr 1996 10:57:38 -0700 (PDT)
Received: by bagate.BELL-ATL.COM (O) id ; Mon, 8 Apr 96 13:55 EDT
Received: by bagate.BELL-ATL.COM (I1) id ; Mon, 8 Apr 96 13:15 EDT
Received: by is000913.BELL-ATL.COM (4.1/SMI-4.1) id AA24872; Mon, 8 Apr 96 13:15:13 EDT
From: bncqraq@is000913.BELL-ATL.COM (Morris)
Message-Id: <9604081715.AA24872@is000913.BELL-ATL.COM>
Subject: Re: RAS and technical people
To: maillet@doc.cs.usm.maine.edu (Edward Maillet)
Date: Mon, 8 Apr 1996 13:15:12 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <9604080124.AA10267@doc.cs.usm.maine.edu> from "Edward Maillet" at Apr 7, 96 09:24:44 pm
X-Mailer: ELM [version 2.4 PL24 PGP2]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Hey all,
> Got a "touchy" question for you. There are several highly technical
> people that are in the engineering/software development group(s) at
> my wonderful place of employment. Most of them are running Windows NT
> workstation and being the techies that they are refuse to allow the MIS
> group to be administrators of their machines. It's not altogether
> unreasonable since I don't want to be bothered every time they need to
> install some new wiz bang development tool, etc. and they're generally
> smart enough to fix what they break on their machines.
> However, they also have modems in their machines and use it to RAS in from
> home. There is a company-wide RAS dial-in system that is (soon to be
> actually) SecureID'd that gives the exact same access.
>
> Is it worth the extremely heated argument to force them not to setup their
> modems for dial-in?
> And if so, does anyone have some REALLY strong technical arguments what
> the security risks are even when the modems are set to dial back their home?
>
> Sure, dial back can be tricked (I'm told)(or even better break into their
> home) and sure someone could then guess the password on their machine (or
> tap the phone line) but all this is an extremely(?) technical attack versus
> stealing a secureID card and guessing a password/PIN thingy.
>
> Is it worth the argument or should I just require them to use dial back
> when connecting from home and use the secureID/Corp RAS when on the
> road(rare)?
>
> Rational Responses only please. (Ok funny ones too.)
> ----- Ed Maillet
>
>

Rational???? Funny??? Response!!!!!!!

Ed,

IMHO, this is primarily a security policy question. If your security policy says that this is okay, then it is. Personally, if this was the case I would reexamine the policy. However, judging from the fact that there will soon be a "company-wide RAS dial-in system" with SecurID, I suspect that use of these modems does not conform to policy.

The primary reason for using SecurID is to supply two of the three (some say four - location) things needed for authentication and to avoid reusable passwords. By this I mean, the "something you know" (password) and "something you have" (the card) parts are valid, only failing the "something you are" category. If at least the same level of trust and assurances can be met by the modems then they may have a good argument.

But, to throw just one more kicker in, you seem to also be implying that your company is limiting access (security policy??) to a few control points (firewalls of a type). If this is the case, then allowing them to have individual modems would be a violation of policy. As a minimum, require dial-out LINES and modems only. It is very easy to "accidentally" mis-jumper a modem.
Whenever someone asks me about dial-back modems and security I generally look them in the eye and ask, "Ever hear of call forwarding?" and run.

Joe

--
=%@%=-=%@%=-=%@%=-=%@%=-=%@%=-=%@%=-=%@%=-=%@%=-=%@%=-=%@%=-=%@%=-=%@%=
Joe W. Morris
Distributed Systems Security Specialist, Bell Atlantic
E-mail: joe@bell-atl.com
Phone: 301-236-7698 FAX: 301-236-8021
13101 Columbia Pike, Room 209B Silver Spring, MD 20904
=%@%=-=%@%=-=%@%=-=%@%=-=%@%=-=%@%=-=%@%=-=%@%=-=%@%=-=%@%=-=%@%=-=%@%=
#include
Any sufficiently advanced technology is indistinguishable from magic. -- Arthur C. Clarke

From firewalls-owner Mon Apr 8 12:54:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA24102 for firewalls-outgoing; Mon, 8 Apr 1996 12:46:09 -0700 (PDT)
Received: from achilles.medctr.ohio-state.edu (achilles.medctr.ohio-state.edu [140.254.128.20]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA24095 for ; Mon, 8 Apr 1996 12:46:01 -0700 (PDT)
Received: from hermes.medctr.ohio-state.edu by achilles.medctr.ohio-state.edu; (5.65/1.1.8.2/14Sep94-0947PM) id AA05953; Mon, 8 Apr 1996 15:43:15 -0400
Received: from athena.medctr.ohio-state.edu (athena.medctr.ohio-state.edu) by hermes.medctr.ohio-state.EDU (PMDF V5.0-6 #15327) id <01I3AYMM2UOW8WXXZF@hermes.medctr.ohio-state.EDU> for firewalls@greatcircle.com; Mon, 08 Apr 1996 15:43:10 -0400 (EDT)
Received: from NORSE.MEDCTR.OHIO-STATE.EDU by NORSE.MEDCTR.OHIO-STATE.EDU (PMDF V5.0-6 #15327) id <01I3AQ40OT4G9X46J7@NORSE.MEDCTR.OHIO-STATE.EDU>; Mon, 08 Apr 1996 15:42:43 -0400 (EDT)
Date: Mon, 08 Apr 1996 15:31:40 -0400 (EDT)
From: Doug Small - OSU Medical Center Network Analyst
Subject: Re: Securid BAD Tech Support
In-Reply-To: "Your message dated Tue, 02 Apr 1996 12:14:07 -0800" <2.2.32.19960402201407.0067d7bc@snd10.med.navy.mil>
To: "Todd R.
Zimmerman"
Cc: firewalls@greatcircle.com, SMALL_DO@NORSE.MEDCTR.OHIO-STATE.EDU
Message-Id: <01I3AYM3SUFA9X46J7@NORSE.MEDCTR.OHIO-STATE.EDU>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I have been trying desperately to speak with technical support personnel at
> Security Dynamics in Cambridge, MA. Over the last week I have spent a total
> of 165 minutes on hold waiting to speak with the help desk. Leaving
> messages does not work because I must sit at my desk until they call back.
> If I leave for some reason and miss the return call I then must call
> Security Dynamics and start the process all over again. It really pisses me
> off...This is totally unsatisfactory tech support.

We use securid here and up until feb 96 or so the tech support was wonderful. I frequently got right to a support engineer after little or no wait. Around feb I began experiencing exactly what Todd did with customer support. As the slow response was happening fairly frequently I took the issue up with our salesperson. What I got back from them was that they are in the process of implementing a new call ticketing system as well as hiring a significant number of additional people for support. Because of all the new people a large portion of the original support engineers' time was being spent training the new people. I was assured that response time would improve as people got trained.

I have no affiliation with Security Dynamics other than as a customer and am passing this info along to provide an alternative viewpoint for the other subscribers of this list.
-Doug Small

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Doug Small                The Ohio State University Medical Center
small-1@medctr.osu.edu    Network Engineer    Work: (614) 293-2034
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Mon Apr 8 13:39:29 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA25342 for firewalls-outgoing; Mon, 8 Apr 1996 13:27:35 -0700 (PDT)
Received: from ccnet.ccnet.com (ccnet.ccnet.com [192.215.96.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA25332 for ; Mon, 8 Apr 1996 13:27:28 -0700 (PDT)
From: vitaly@ams-net.com
Received: from mail.ams-net.com ([206.80.33.36]) by ccnet.ccnet.com (8.6.12/8.6.12) with ESMTP id NAA25680 for ; Mon, 8 Apr 1996 13:20:37 -0700
Received: from mail.ams-net.com (amssmtp [206.80.33.37]) by mail.ams-net.com (8.6.8.1/SCA-6.6) with SMTP id TAA02295 for ; Mon, 8 Apr 1996 19:50:02 GMT
Received: from ccMail by mail.ams-net.com (SMTPLINK V2.10.08) id AA829076619; Mon, 08 Apr 96 13:01:01 PST
Date: Mon, 08 Apr 96 13:01:01 PST
Message-Id: <9603098290.AA829076619@mail.ams-net.com>
To: firewalls@GreatCircle.com
Subject: signoff firewalls vitaly@ams-net.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

signoff firewalls vitaly@ams-net.com

From firewalls-owner Mon Apr 8 14:12:11 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA25586 for firewalls-outgoing; Mon, 8 Apr 1996 13:36:28 -0700 (PDT)
Received: from csc.com (explorer.csc.com [20.1.10.27]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA25580 for ; Mon, 8 Apr 1996 13:36:21 -0700 (PDT)
Received: from @explorer.csc.com by csc.com with smtp (Smail3.1.29.1 #1) id m0u6Ndi-001AkAC; Mon, 8 Apr 96 16:34 EDT
Message-Id:
Date: Mon, 8 Apr 96 16:34 EDT
X-Sender: asafier@explorer.csc.com
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type:
text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: Adam Safier
Subject: Cross Realm Kerberos/DCE Proxy, NAT, UDP
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Can anyone relate war stories, gotchas and victories re: Cross Realm Kerberos or DCE across firewalls and to another Kerberized realm? I want to make sure my understanding of Kerberos traffic isn't twisted. Please make corrections if I'm missing things.

We need to talk to a different organization running Kerberos (actually some are DCE - I already heard Kerberos and DCE are not 100% compatible but we all agree to support the lowest common denominator.) so we need to do cross realm authentication, ticket granting and encryption all working across a firewall. We have a client that would like to run cross realm Kerberos across the Firewall for process to process communication (no live user).

Why firewall if we use Kerberos?
- some nodes on the inside might not be able to run Kerberos.
- we don't want to do encryption on all the traffic.
- we will have some internal X-traffic. (idle curiosity - kerberized X-terminals anyone?)

In addition, we like to follow Internet standards and Best Practices so Network Address Translation (RFC 1918, 1597) is a desired architectural feature. (We could drop it if it's totally incompatible with kerberos so I don't call it a requirement but it's like birthday cake without decorations.)

The NAT could be a real problem. Kerberos apparently packs the node's network address as part of the authentication packet so if your IP address is hidden by the firewall I expect the authentication at the client/server to fail when source and encrypted address are compared. (are they?).

The kerberos protocol uses UDP for the initial ticket request and delivery. Simply communicating with a single outside client registered with our TGS should not be a problem - all UDP traffic with Kerberos port numbers simply gets routed to the appropriate TGS/authenticator.
What I'm having a hard time with is the Kerberos V5 Cross Realm. In that scenario the internal client must get a ticket from the internal TGS (I) which lets him talk to the inter-realm TGS (1) which lets him talk to the remote realm TGS (R) to get a ticket for the final destination service (D). The result is UDP packets to and from all internal clients that want to talk to the other realms.

    Dest(D)   TGS(R)   TGS(1)   X   TGS(I)   Client
      |         |        |      X     |        |
      |         |        |      X     |---1----|
      |         |        |------2--------------|
      |         |-----------------3------------|
      |--------------------4-------------------|

1, 2 and 3 are UDP. Only 4 is a TCP connection. XXXX=firewall

All UDP packets have a "well known" Kerberos port number but that still leaves a lot of UDP flying around. The firewall can have filter rules to restrict the Kerberos UDP packets to Kerberized nodes but that only works on a small internal net. What do people do with large mixed nets? (Luckily I'm dealing with a small net so we can have the filter rules for individual clients but since I'm learning I would like to understand the other options.)

True, the Kerberos ports are well known and the non-kerberized clients should not be listening on them so attacks on those ports should not work. But how many applications might there be that simply listen on incorrect ports? (I don't know. If everyone was careful and followed standards I would feel secure, but I've hacked code in a hurry (vs. leisurely programming in a "development environment") so I recognize the temptations during a rushed job...;)

I guess I'll be joining the Kerberos mailing list or newsgroup, but I thought this might be an appropriate discussion for Firewalls as well.

By the way, while some gurus are announcing the death of RPC due to security holes and better CORBA tools I am under the distinct impression that DCE (which is RPC based) is growing rapidly, at least from my myopic view of some government entities and a growing list of vendors.
Sorry for the length of the above - I can't believe I wrote all that!

Adam Safier
CSC-SED-Infosec
asafier@csc.com

- It's scary when people call me an "expert" in a subject just as I start to realize how little I know and how much I still need to learn.

Expressed opinions are my own and might not be shared by my employer or anyone else.

From firewalls-owner Mon Apr 8 14:54:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA27528 for firewalls-outgoing; Mon, 8 Apr 1996 14:43:30 -0700 (PDT)
Received: from vellocet.insync.net (vellocet.insync.net [204.253.208.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA27522 for ; Mon, 8 Apr 1996 14:43:25 -0700 (PDT)
Received: (from uurtamo@localhost) by vellocet.insync.net (8.7.1/8.7.1) id QAA12672 for firewalls@greatcircle.com; Mon, 8 Apr 1996 16:32:00 -0500 (CDT)
From: Steve Uurtamo
Message-Id: <199604082132.QAA12672@vellocet.insync.net>
Subject: signoff firewalls uurtamo@insync.net
To: firewalls@greatcircle.com
Date: Mon, 8 Apr 1996 16:31:59 -0500 (CDT)
X-Mailer: ELM [version 2.4 PL22]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

signoff firewalls uurtamo@insync.net

From firewalls-owner Mon Apr 8 16:54:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA03345 for firewalls-outgoing; Mon, 8 Apr 1996 16:48:28 -0700 (PDT)
Received: from igate.hibbertco.com (hibbertco.com [204.240.226.14]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id QAA03325 for ; Mon, 8 Apr 1996 16:48:06 -0700 (PDT)
Received: by igate.hibbertco.com (5.x/) id AA26685; Mon, 8 Apr 1996 17:46:10 -0600
Received: from imailgw(204.240.226.72) by igate via smap (V1.3) id sma026676; Mon Apr 8 17:45:46 1996
Message-Id:
Date: 8 Apr 1996 16:45:27 -0700
From: "Anton Rager"
Subject: FWTK and SNMP-GW
To: "firewall-digest"
X-Mailer: Mail*Link
SMTP-MS 3.0.2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello all,

Anyone tried to proxy SNMP get/set/traps thru a FWTK firewall????? What do you use -- plug-gw on SNMP?

Anton Rager
arager@hibbertco.com

From firewalls-owner Mon Apr 8 17:09:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA03128 for firewalls-outgoing; Mon, 8 Apr 1996 16:43:32 -0700 (PDT)
Received: from gatekeep.genmagic.com (gatekeep.genmagic.com [192.216.16.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id QAA03120 for ; Mon, 8 Apr 1996 16:43:26 -0700 (PDT)
Received: from (genmagic.genmagic.com [10.1.4.12]) by gatekeep.genmagic.com (8.6.9/8.6.9) with SMTP id QAA15035; Mon, 8 Apr 1996 16:41:16 -0700
Received: from abulafia.genmagic.com by genmagic (4.1/SMI-4.1/JBS) id AA08677; Mon, 8 Apr 96 16:40:45 PDT
Received: by abulafia.genmagic.com (940816.SGI.8.6.9/930416.SGI) id QAA04733; Mon, 8 Apr 1996 16:40:40 -0700
Date: Mon, 8 Apr 1996 16:40:40 -0700
From: jet@abulafia.genmagic.com (J. Eric Townsend)
Message-Id: <199604082340.QAA04733@abulafia.genmagic.com>
To: Edward Maillet
Cc: firewalls@GreatCircle.COM
Subject: RAS and technical people
In-Reply-To: <9604080124.AA10267@doc.cs.usm.maine.edu>
References: <9604080124.AA10267@doc.cs.usm.maine.edu>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

"maillet" == Edward Maillet writes:

maillet> Is it worth the extremely heated argument to force them not
maillet> to setup their modems for dial-in? And if so, does anyone

have your PBX guru remove the DID numbers for any incoming analog lines that you don't personally approve. Works like a charm.
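Added example for the cross-realm Kerberos post by Adam Safier above (this is not code from the post or from any Kerberos implementation): a constructed model of the four-step chain he sketches, client -> TGS(I) -> TGS(1) -> TGS(R) -> service D, with the client address carried in each ticket, a NAT rewrite of the outbound packets, and the address comparison at the service that he expects to fail. Tickets here are plain records rather than encrypted ASN.1, all realm names, hosts and addresses are invented, and `addressless=True` models the address-free tickets that RFC 4120 permits, which is the usual way such a deployment survives NAT.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

KRB_PORT = 88  # well-known Kerberos KDC port (RFC 4120)


@dataclass
class Ticket:
    realm: str                     # realm whose KDC issued this ticket
    sname: str                     # service principal the ticket is for
    cname: str                     # client principal
    caddr: Optional[str]           # client address bound into the ticket; None = addressless
    transited: List[str] = field(default_factory=list)  # realms crossed on the way


@dataclass
class Hop:
    step: int
    proto: str
    src: str
    dst: str
    dport: int


def cross_realm_chain(cname: str, client_addr: str, local: str, remote: str,
                      service: str, kdc: Dict[str, str], addressless: bool = False,
                      service_port: int = 7000) -> Tuple[Ticket, List[Hop]]:
    """Walk the four exchanges from the post. Returns the final service ticket
    and the packets a firewall between the two realms would see.
    kdc maps realm name -> KDC address (constructed values in the demo)."""
    caddr = None if addressless else client_addr
    hops: List[Hop] = []
    # 1: AS exchange with the local KDC (TGS(I)) -> TGT for the local realm. UDP.
    tgt_local = Ticket(local, f"krbtgt/{local}@{local}", cname, caddr)
    hops.append(Hop(1, "udp", client_addr, kdc[local], KRB_PORT))
    # 2: TGS exchange with the local KDC -> inter-realm TGT (TGS(1)). UDP.
    tgt_xrealm = Ticket(local, f"krbtgt/{remote}@{local}", cname, caddr,
                        tgt_local.transited + [local])
    hops.append(Hop(2, "udp", client_addr, kdc[local], KRB_PORT))
    # 3: TGS exchange with the remote KDC (TGS(R)), presenting the inter-realm
    #    TGT -> ticket for destination service D. UDP, and it crosses the firewall.
    svc = Ticket(remote, f"{service}@{remote}", cname, caddr,
                 tgt_xrealm.transited + [remote])
    hops.append(Hop(3, "udp", client_addr, kdc[remote], KRB_PORT))
    # 4: AP exchange with D itself over the application connection (TCP in the post).
    hops.append(Hop(4, "tcp", client_addr, f"{service}-host.{remote}", service_port))
    return svc, hops


def service_accepts(ticket: Ticket, observed_src: str, service: str,
                    realm: str) -> Tuple[bool, str]:
    """The check at D: the ticket must name this service, and if it carries a
    client address that address must match the source of the packet."""
    if ticket.sname != f"{service}@{realm}":
        return False, "ticket is for a different service"
    if ticket.caddr is not None and ticket.caddr != observed_src:
        return False, f"address mismatch: ticket {ticket.caddr}, packet {observed_src}"
    return True, "ok"


def nat(hops: List[Hop], inside_prefix: str, external_addr: str) -> List[Hop]:
    """Rewrite the source of packets leaving the inside network, as a NAT firewall does."""
    return [Hop(h.step, h.proto,
                external_addr if h.src.startswith(inside_prefix) else h.src,
                h.dst, h.dport) for h in hops]


def filter_verdicts(hops: List[Hop], kerberized: Set[str], kdc_addrs: Set[str]) -> List[str]:
    """The rule the post describes: Kerberos UDP (port 88) is permitted only from
    kerberized nodes to known KDCs. Non-Kerberos traffic is left to other rules."""
    out = []
    for h in hops:
        if h.proto == "udp" and h.dport == KRB_PORT:
            ok = h.src in kerberized and h.dst in kdc_addrs
            out.append(f"step {h.step}: {'permit' if ok else 'deny'} udp {h.src} -> {h.dst}:{KRB_PORT}")
        else:
            out.append(f"step {h.step}: other-rule {h.proto} {h.src} -> {h.dst}:{h.dport}")
    return out


def demo(addressless: bool = False) -> Tuple[bool, str]:
    """Run the chain through a NAT firewall and return D's verdict."""
    kdc = {"INSIDE.EXAMPLE": "10.0.0.5", "REMOTE.EXAMPLE": "192.0.2.10"}  # constructed
    ticket, hops = cross_realm_chain("svc-client", "10.0.0.42", "INSIDE.EXAMPLE",
                                     "REMOTE.EXAMPLE", "batchsvc", kdc, addressless)
    seen_by_d = nat(hops, "10.0.0.", "198.51.100.1")   # 198.51.100.1 = firewall's outside address
    return service_accepts(ticket, seen_by_d[-1].src, "batchsvc", "REMOTE.EXAMPLE")


if __name__ == "__main__":
    print("address-bound ticket behind NAT:", demo())          # rejected
    print("addressless ticket behind NAT:  ", demo(True))      # accepted
```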
From firewalls-owner Mon Apr 8 17:27:19 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA05839 for firewalls-outgoing; Mon, 8 Apr 1996 17:20:12 -0700 (PDT)
Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id RAA05823 for ; Mon, 8 Apr 1996 17:20:05 -0700 (PDT)
Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.7.5/8.7.3) id KAA03967; Tue, 9 Apr 1996 10:11:00 +1000 (EST)
X-Authentication-Warning: citecuh.citec.qld.gov.au: mail set sender to using -f
Received: from guru.citec.qld.gov.au(147.132.20.47) by citecuh.citec.qld.gov.au via smap (V1.3) id /mail/incoming/sma003956; Tue Apr 9 10:10:53 1996
Received: (from sgcccdc@localhost) by guru.citec.qld.gov.au (8.6.12/8.6.12) id KAA00594; Tue, 9 Apr 1996 10:18:01 +1000
From: Colin Campbell
Message-Id: <199604090018.KAA00594@guru.citec.qld.gov.au>
Subject: Re: more on mail addresses
To: Mike.Jones@unifiedtech.com (Mike Jones)
Date: Tue, 9 Apr 1996 10:18:00 +1000 (EST)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <199604041304.IAA14946@samadams.unifiedtech.com> from "Mike Jones" at Apr 4, 96 08:04:12 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I recall someone recently posting a "solution" to this problem: they set up an alias for every "schizoid" user that simply bounced the mail with a message like:

"We have 2 psmith here. There is Pete.Smith, the manager and Peter.Smith, the widget dude. Please redirect your mail to the appropriate person"

Sounded like a good idea to me.
Colin

My mailer thinks several people said:
>
> [lots of stuff about the many faces of P Smith]

From firewalls-owner Mon Apr 8 18:09:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA08354 for firewalls-outgoing; Mon, 8 Apr 1996 18:07:39 -0700 (PDT)
Received: from ns.via.net (ns.via.net [140.174.204.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA08348 for ; Mon, 8 Apr 1996 18:07:34 -0700 (PDT)
Received: (from joe@localhost) by ns.via.net (8.6.9/8.6.9) id SAA17330 for firewalls@GreatCircle.com; Mon, 8 Apr 1996 18:05:50 -0700
Date: Mon, 8 Apr 1996 18:05:50 -0700
From: Joe McGuckin
Message-Id: <199604090105.SAA17330@ns.via.net>
To: firewalls@GreatCircle.com
Subject: 3 ethernet router?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'd like to implement a bastion type firewall. Most routers are available with 1 or 2 ethernet interfaces and a sync serial poe port. Where can I get a low cost filtering router with 3 ethernet interfaces?

joe
joe@via.net

From firewalls-owner Mon Apr 8 18:55:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA10354 for firewalls-outgoing; Mon, 8 Apr 1996 18:47:16 -0700 (PDT)
Received: from livedgar.gsionline.com (livedgar.gsionline.com [204.254.209.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA10348 for ; Mon, 8 Apr 1996 18:47:11 -0700 (PDT)
Received: from GEORGE by livedgar.gsionline.com (NTMail 3.01.01) id ba009985; Tue, 9 Apr 1996 01:43:58 +0000
X-Sender: nick@livedgar
X-Mailer: Windows Eudora Version 1.4.3
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: mjr@v-one.com
From: nkeenan@gsionline.com (Mr.
Nick Keenan)
Subject: Re: complaining to the CEO
Cc: firewalls@greatcircle.com
Date: Tue, 9 Apr 1996 01:43:58 +0000
Message-Id: 01435825702728@gsionline.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Just an FYI, for those of you who haven't been there:
> Complaining to the CEO of a company is not an effective strategy
> unless what you're trying to accomplish is a short-term reduction
> of your blood pressure.

As a chronic complainer, I have to disagree. I have written letters of complaint to CEOs, Congressmen and Governors, and virtually every time I have gotten the action that I wanted and was unable to get through regular channels. It helps to write a reasonable and reasoned letter, and regular mail is better than email.

By the way, Bill Gates is billg@microsoft.com (or was at one time). But he uses a bozo filter.

Enough off topic for now.

Nick Keenan
Global Securities Information
nkeenan@gsionline.com
http://www.gsionline.com

From firewalls-owner Mon Apr 8 19:09:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA10363 for firewalls-outgoing; Mon, 8 Apr 1996 18:47:32 -0700 (PDT)
Received: from popmail.UCSD.EDU (popmail.ucsd.edu [132.239.1.47]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id SAA10357 for ; Mon, 8 Apr 1996 18:47:26 -0700 (PDT)
Received: from [205.216.139.42] ([205.216.139.42]) by popmail.UCSD.EDU (8.7.4/8.6.9) with SMTP id SAA22693 for ; Mon, 8 Apr 1996 18:45:23 -0700 (PDT)
Message-Id: <199604090145.SAA22693@popmail.UCSD.EDU>
X-Sender: dschiffrin@popmail.ucsd.edu
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 08 Apr 1996 18:05:21 -0700
To: firewalls@greatcircle.com
From: David Schiffrin
Subject: flood attack
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

hello all-

An actual firewall/attack post:

One of my customers (a small isp) suffered an attack recently.
Aside from turning off services which these hosts provide to the net, or blocking those packets at the router, I am at a loss. I'd appreciate any suggestions.

More specifically, the web, inbound SMTP, and POP servers were each flooded by SYN packets from the 'net on the services' respective ports, thus denying legitimate users access to these services. I filtered some, and changed DNS/IP addresses for others, but I'm not sure (without dynamic packet filter rules) how to address this long-term. These solutions only worked because the attacker began the attack (maybe checked it for effectiveness) and seemed to leave it running unattended.

Obviously the web and SMTP servers need to be accessible to the outside, but how do I make this better?

BTW hosts from a variety of assigned and unassigned networks appeared to be the source addresses, and all hosts were/are unreachable from any net-access. Could/should the 'wall be doing a ping-check back at connecting hosts?.....

Ah Well....for another day

-dave

--------------------------------------------------------------------------------
"Sometimes you get the blues because your baby leaves you. Sometimes you get 'em 'cause she comes back." --B.B.
King

David Schiffrin
dschiffrin@ucsd.edu

From firewalls-owner Mon Apr 8 20:09:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id TAA14639 for firewalls-outgoing; Mon, 8 Apr 1996 19:58:22 -0700 (PDT)
Received: from relay.ashton.csc.com (relay.ashton.csc.com [20.2.54.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA14624 for ; Mon, 8 Apr 1996 19:58:17 -0700 (PDT)
Received: by relay.ashton.csc.com; id WAA10360; Mon, 8 Apr 1996 22:57:33 -0400
Received: from mccoy.ashton.csc.com(20.2.51.2) by relay.ashton.csc.com via smap (g3.0.1) id sma010356; Mon, 8 Apr 96 22:57:23 -0400
Received: (from ckostick@localhost) by mccoy.ashton.csc.com (8.6.12/8.6.9) id WAA29642 for firewalls@greatcircle.com; Mon, 8 Apr 1996 22:58:10 -0400
From: Chris Kostick
Message-Id: <199604090258.WAA29642@mccoy.ashton.csc.com>
Subject: Re: FWTK and SNMP-GW
To: firewalls@greatcircle.com
Date: Mon, 8 Apr 1996 22:58:09 -0400 (EDT)
In-Reply-To: from "Anton Rager" at Apr 8, 96 04:45:27 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Anyone tried to proxy SNMP get/set/traps thru a FWTK firewall????? What do you
> use -- plug-gw on SNMP?

plug-gw is TCP based, SNMP uses UDP. For UDP you need to use something like udprelay.

On another note, I've never understood, or have been unable to think of an architecture, where someone would want to get SNMP information *through* a firewall. Enlighten me someone.
--
chris

From firewalls-owner Mon Apr 8 20:55:24 1996
From: Ajay Arora
Date: Tue, 9 Apr 96 9:14:04 IST
To: firewalls@GreatCircle.COM
Subject: signoff firewalls ajaya@hclggn.hcla.com
Message-Id: <199604090346.UAA18293@miles.greatcircle.com>

signoff firewalls ajaya@hclggn.hcla.com

From firewalls-owner Mon Apr 8 21:09:36 1996
From: "Richard E. Rosato"
Date: Mon, 8 Apr 1996 23:23:44 -0400
To: Firewalls@GreatCircle.COM
Subject: NT Firewalls
Message-Id: <199604090323.XAA24139@mail.voicenet.com>

What NT Firewall solutions has anybody used on NT? How do they compare to their Unix versions? Are there any limited shareware firewall toolkits (a.k.a. TIS Toolkit) for NT?
From firewalls-owner Mon Apr 8 21:24:47 1996
From: Dennis Moroney
Date: Mon, 8 Apr 1996 22:08:42 -0600 (CST)
To: epperson@vak12ed.edu (W.C. Epperson)
Cc: firewalls@greatcircle.com (firewalls)
Subject: Re: Interesting packets fron the net
In-Reply-To: from "W.C. Epperson" at Apr 8, 96 11:00:02 am
Message-Id: <199604090408.WAA07604@SterCtl.com>

According to W.C. Epperson:
>
> > > What version of IOS? At 10.2(11), it barfs on the "log" part, if placed
> > > at the end of the access-list entry. Is that the correct syntax?
> >
> > At least IOS 10.3(8) and above.
>
> Interesting that it isn't documented at any 10.3, first appears in release
> notes at 11.0. And since no IOS 10.3 has reached GD, can't use on a
> choke router.

Your choice of Cisco IOS is well ... your choice. I have found and printed a section of the UniverCD shipped with my router. No, I do not recall if the information about extended IP access lists is buried in the release notes or stuck somewhere in the bowels of the CD. The information is still there just the same.

For the record, I would like to use a GD IOS, but only IOS 11.0(4) is capable enough to get my ISDN connection going. The functionality I need is in the newer IOS at the possible risk of getting out on the bleeding edge. The connection has been reliable and the logging has been a blessing because now I can see and act upon events that happen to the connection without any hocus-pocus guesswork.

--
Dennis Moroney

From firewalls-owner Mon Apr 8 22:09:33 1996
From: dhall@arn.net (Duane Hall)
Date: Mon, 8 Apr 1996 23:50:05 -0500 (CDT)
To: firewalls@GreatCircle.COM
Subject: Standards for Proxy Ports
Message-Id: <199604090450.XAA27701@arnet.arn.net>

I am in the process of setting up the TIS firewall toolkit. I was wondering if there is a standard for proxy ports. I need to document our setup for our firewall and internet setup. Any links to documents or attached files would be appreciated.

Duane Hall
Network Coordinator
Northwest Texas Healthcare System
Amarillo, TX 79109
dhall@arn.net

The opinions expressed here are mine...Not those of my employer.
From firewalls-owner Mon Apr 8 22:25:07 1996
From: thompson@tis.com (Bill Thompson)
Date: Mon, 8 Apr 1996 20:44:06 -0700
To: Adam Safier
Cc: heuman@mtnlake.com, firewalls@GreatCircle.COM
Subject: Re: Clarification on Encryption Export Using CKE

Sorry it has taken me so long to respond, I have been traveling, and believe it or not, quite a few folks are interested in this topic.

At 6:52 PM 3/29/96, Adam Safier wrote:
>At 10:23 PM 3/27/96 -0700, Bill Thompson wrote:
>
>>So while
>>it is not impossible for a US government agency to get an encryption key, it
>>is difficult, and they are not in the driver's seat. If they are motivated
>>to expend this kind of energy, my bet is that we might want them to
>>succeed, because they are probably protecting us.
>
>I doubt the CIA and other skunk works would really ask a judge, unless they
>had full control of him.....
>
>>Why not put a reasonable
>>set of rules in effect which put the process in the private sector's
>>control, and open under the judicial system?

The CIA, Justice Department, and any other agency headed by a cabinet position secretary are part of the Executive branch, not the Judicial one. The whole democratic idea of checks and balances revolves around the separation of powers between autonomous branches of government, and in Washington, the rival branches are always trying to prove their autonomy. Certainly it is possible for a Judge to be in the pocket of the CIA or other "skunk works", but it's illegal and it can't last forever, as zealous members of all sides are always trying to advance their personal position.

>
>1 - I am not willing to PAY for it.

I hear you, and I am not willing to pay for a driver's license either. I do it only because it is required, it does bring some semblance of order to the highway system (maybe not as much in Texas as other parts of North America), and the cost/benefit ratio of opposing it rather than getting one just doesn't make any sense. I believe the same thing is true of the notion of recoverable encryption keys. As users we need key recovery (whether or not the government can also get access with due process), and at a cost in the range of our driver's licenses, who can really complain with conviction?

>
>2 - I don't believe the mafia, Iraq etc. could not get at the keys if they
>kept trying. Someone will leak them somewhere sometime.

True, as long as people are in the equation, there is the potential for compromise. Operating a Data Recovery Center is not for the faint of heart. You must have very stringent physical security standards, require multiple concurrence for access, and diligently verify the continued compliance of controlling personnel. While we all may sometimes express the feeling the organized crime element can do as it pleases, I hope that the mafia, Iraq, and other organized terrorist elements can be successfully thwarted by the vigilant efforts of professionals, both within our companies, and our governments.

>
>3 - Why not simply make it a crime not to provide evidence (decrypted) when
>the judicial system demands it?

For the most part it already is. While there is some debate in other countries as to the rights the government has to demand encryption keys, within the US and Canada it is generally accepted that if a valid court order exists and you withhold information lawfully required, you can be incarcerated. The concern of law enforcement is that for some individuals, jail is not a sufficient deterrent.

>
>4 - Crooks will still use encryption without key escrow.

Possibly, maybe even probably in well financed criminal organizations. But all members of criminal organizations are not geniuses, and even those who are will inevitably make mistakes. The evidence suggests that criminals will use whatever is commonly available, abetted by the fact that law enforcement usually doesn't have enough resource to cope with the volume of crime they already have to deal with. Drug dealers routinely use cellular phones, accessible to anyone with the proper radio equipment, and the World Trade Center bombers asked for the return of a large deposit on the truck they claimed was stolen, even though the FBI had already determined it had been used in the bombing prior to the time they claimed it was stolen. In my opinion, we need to achieve a proper balance between personal privacy and allowing law enforcement the ability to properly pursue the job we asked them to do in the first place. By the way, this has been a raging debate in this continent since the 1700's, and I personally hope it continues in order to keep either extreme from becoming too complacent.

>
>5 - A key registration requirement stifles new development (assuming all
>encryption is outlawed unless registered with fed. - I'm coming in a bit
>late into this discussion so this may not be relevant to CKE only discussion.)

CKE doesn't require registration with the government. DRCs are run by private sector organizations. Ideally, default certificates will be provided with crypto gear by the crypto vendor. The user only needs to register with a DRC if they want recovery, generally automatic if the DRC is run by your employer.

>Adam Safier
>CSC-SED-Infosec
>asafier@csc.com
>
>Expressed opinions are my own and might not be shared by my employer or
>anyone else.
>SickPuppy deserves a pat.

Thanks for your interest. I understand your concerns, and I share them. If I haven't sufficiently addressed these, or if you have others, please get back to me. I firmly believe CKE is the best available answer to our current situation.

Regards.

Bill

*--------------------------------------------------------------------------*
|R. William Thompson                        Business Development Consultant|
|Trusted Information Systems                            thompson@ba.tis.com|
|444 Castro Street                                    (415) 962-8885, X3019|
|Mountain View, CA 94041                                 Fax (415) 962-9330|
|Home: 9305 Scenic Bluff Drive                          Home (512) 263-5936|
|Austin, TX 78733                                   Home Fax (512) 263-9436|
|75427.301@compuserve.com                       Bill_Thompson@compuserve.com|
*--------------------------------------------------------------------------*

From firewalls-owner Mon Apr 8 22:39:33 1996
From: thompson@tis.com (Bill Thompson)
Date: Mon, 8 Apr 1996 20:44:24 -0700
To: Adam Shostack
Cc: firewalls@GreatCircle.COM
Subject: Re: Clarification on Encryption Export Using CKE

At 8:57 PM
4/1/96, Adam Shostack wrote:
>Bill Thompson wrote:
>
>| > Bill misses an important third option, and that is to go to
>| >one of the many vendors of cryptographic tools who are not based in
>| >the USA. TIS did a survey, and found nearly 500 selling DES
>| >or stronger crypto. It's unfortunate that the US government has forced
>| >good companies like TIS to develop all these silly hacks to protect
>| >data confidentiality.
>| >
>| > TIS's survey can be found at: www.tis.com/crypto/survey.html
>|
>| It is true that there are vendors who purport to have tools that don't
>| include a recovery mechanism, and some of these even work as advertised.
>
> "If your software is full of bugs, what does that say about its
>security?" :)

I wasn't inferring that TIS's software was full of bugs (although one must continually employ a certain healthy set of skepticism with any implementation), I was simply pointing out that of the available open market encryption solutions TIS has uncovered, some are real and some aren't. I further pointed out that using the real ones doesn't necessarily guarantee security, as some of the implementations are flawed, and using others that do work doesn't guarantee we can continue to do so with impunity. TIS's position on the subject is that no matter which direction begins the evolution of the deployment of encryption, i.e. no government controls, or limited export with recovery, we will likely ultimately arrive at the same point, and that is unlimited encryption strength with user controlled key recovery features.

>
>| Further, the users of a truly globally deployed encryption solution are not
>| going to be as competent as the few users who exist today. Recovery will
>| be a necessary feature, particularly with archived files. Even RSA has
>| acknowledged that their corporate clients have DEMANDED that an escrow
>| feature be available. Lots of other companies have ad hoc solutions for
>| escrow/recovery, primarily because there is a demand for it from their
>| customers. Unfortunately, none of them work in the same way. Now I ask
>| you: If the marketplace wants recovery, the government demands it in order
>| to allow encryption to be exported, and TIS has a solution that satisfies
>| both sides (albeit with less control than the government had in mind), why
>| wouldn't we all endorse a method that puts the private sector in control,
>| and has the potential to become an interoperable global standard?
>
> As long as the private sector is in control. This means a company
>needs to be able to select my own key holders, including /dev/null.
>There are documents, phone conversations, and the like, which a
>company wants to be able to destroy. This is why shredders sell. If
>your crypto solution makes all your documents recoverable, your
>lawyers are likely to faint.
>

Based on the limited inputs I have, pretty much the lawyers agree only in that the DRC needs to be in control of the corporation if possible. If a document exists, it already likely will be in more than one set of hands anyway. If it isn't, lawyers can make it pretty difficult for a disclosure request to obtain it via "fishing expeditions" unless it is specifically asked for and is relevant. If it is, I don't think there are all that many lawyers around who would risk jail by defying the judicial process, or suggesting the document be shredded. Believe it or not, most of them advocate truth when absolutely required, they just employ obfuscation as a delaying tactic.

>| Politics and personal convictions aside, whether or not an encrypted file
>| or message is "escrowed" doesn't change the fact that we are required to
>| provide the government with information they are legally entitled to. CKE
>| places control of our "non-traditional" escrow in the hands of the private
>| sector, not the government, and it formalizes the process the government
>| has to go through in order to get keys from the private sector. As long as
>| we can control the location of the key recovery, which with reasonably
>| sized corporations will be at our own facilities, we are in no more of a
>| data security compromise position with CKE than with no escrow at all, and
>| we have introduced the ability to recover files and messages when we need
>| to.
>
> Politics, and personal convictions aside, we're required to
>provide the government with some subset of documents. In the United
>States, diaries still enjoy strong protection.

True, but ask Bob Packwood what happens when they are legally requested. If someone can run all the gauntlets (inference to TIS product names not necessarily intended) to get a court order, we must produce them. Fortunately, we still have defense in a court of law after the submittal of requested information.

>
> Back, for a brief moment, to politics, this entire argument is
>clearly political, and TIS would be in a more honest position if they
>admitted that certain features of their DRC are required by
>government, not industry.

You are absolutely correct, and I hope we have never attempted to conceal or misstate this fact!!! TIS advocates the use of key recovery for archival files, because this provides tangible benefits for users. When Steve Walker first proposed this as an alternative solution to government key escrow, it was not received with universal acclaim. In fact, TIS's solution had to be embellished in order to meet the government escrow requirements for export of encryption used for communications. Generally, communications environments are self recovering, and the user community does not receive major benefit from the inclusion of a key recovery mechanism (although there are some far fetched cases where it could be possible). For communications environments, the major benefit is only in breaking the logjam preventing the global deployment of reasonable encryption to enable secure electronic commerce, and for substantial corporations to be in charge of the key recovery process.

>
>--
>"It is seldom that liberty of any kind is lost all at once."
>    -Hume

May we steadfastly defend against any loss of liberty. I personally don't believe that CKE is a step in that direction, and in fact believe it provides a basis to clearly define and maintain our freedoms. If you don't agree, believe I haven't addressed your questions properly, or have additional ones, get back to me.

Regards,

Bill

*--------------------------------------------------------------------------*
|R. William Thompson                        Business Development Consultant|
|Trusted Information Systems                            thompson@ba.tis.com|
|444 Castro Street                                    (415) 962-8885, X3019|
|Mountain View, CA 94041                                 Fax (415) 962-9330|
|Home: 9305 Scenic Bluff Drive                          Home (512) 263-5936|
|Austin, TX 78733                                   Home Fax (512) 263-9436|
|75427.301@compuserve.com                       Bill_Thompson@compuserve.com|
*--------------------------------------------------------------------------*

From firewalls-owner Tue Apr 9 00:36:07 1996
From: "walter.jenny"
Date: Tue, 9 Apr 96 09:20:41 +0200
To: firewalls@GreatCircle.COM
Subject: signoff firewalls Walter.Jenny@gmsg.ch
Message-Id: <9604090720.AA03780@nxser>

please signoff thanks a lot

From firewalls-owner Tue Apr 9 00:54:53 1996
From: mccurley@cs.sandia.gov (Kevin S. McCurley)
Date: Tue, 9 Apr 1996 01:43:40 -0600 (MDT)
To: firewalls@greatcircle.com
Subject: Re: encryption as only form of security
Message-Id: <9604090743.AA17932@work.cs.sandia.gov.noname>

Marcus wrote:
> There is a school of thought that holds that IP-level crypto
> will solve everything and firewalls, etc, will go away once we've
> got decent encrypted packet formats and some kind of key exchange
> mechanism in place.

As a crypto researcher, I'd like to think this was the case. Unhappily I'll have to agree that this is naive. Marcus alluded to some of the problems in the global key management nightmare, but there are others as well. I can't tell you how many times I have heard people suggest the following solution to their security problems: "just encrypt everything".
This usually evaporates when you ask them where they are going to keep the key to *decrypt* something, or where they are going to get their keys from. I believe Netscape and Kerberos both got bit on this last one...

While cryptography is certainly a very useful tool, it can be oversold as a solution. For example, it does nothing for the stack overflow problem. Readers of this list can be pretty sure that firewalls are going to be here for a long time to come. They are probably going to get a lot more complicated though ... just as our trust relationships do. If you want a dose of reality, try reading comp.lang.java and count how many whining developers ask: "what do you mean I can't have the browser write to their disk???".

Kevin McCurley
Sandia National Laboratories

From firewalls-owner Tue Apr 9 01:24:52 1996
From: Colin Campbell
Date: Tue, 9 Apr 1996 17:35:22 +1000 (EST)
To: firewalls@greatcircle.com
Subject: split dns question
Message-Id: <199604090735.RAA01461@guru.citec.qld.gov.au>

Hi,

I have a more complex split dns than I think is the norm (if there is such a thing). At present I run the classic version but am not sure how to expand it to the following scenario:

                 internet
                    ^
                    |
                    |
           external bind  \
                 ...       }  the bastion host resolver
                    |     /
                    |
                    v
           root server (mine?)
                    |
                    +-----> server of citec.qld.gov.au (me)
                    |
                    +-----> server for a.qld.gov.au
                    |
                    +-----> server for b.qld.gov.au
                    |
                    +-----> server for c.com.au
                    |
                    +-----> server for d.com.au
                    |
                    +-----> server for e.qld.gov.au

If the picture doesn't explain my needs ... The servers for the internal domains are managed by disparate organisations all of whom have a common connection through mine. None of them have any need to resolve external names. They do however have a need to resolve names outside their own organisations. The bastion of course needs to resolve all internal and external names.

Should the root server actually be a root server? (I can't see any alternative other than maybe ".au") If I point the bastion resolver at the internal root server, will it be able to resolve the entire internal namespace? Where do I configure the forwarders line? The root server will probably be 4.9.3 bind with the LAME DELEGATION stuff turned off.

Colin

From firewalls-owner Tue Apr 9 04:40:13 1996
From: Aideen Darker
Date: Tue, 9 Apr 1996 10:29:54 +0100
To: firewalls@greatcircle.com
Cc: subscribe@norcontel.ie, firewalls-digest@norcontel.ie
Message-ID: <9604091213.ab16537@relay.Ieunet.ie>

From firewalls-owner Tue Apr 9 04:40:19 1996
From: Iltis@aol.com
Date: Tue, 9 Apr 1996 07:27:14 -0400
To: firewalls@greatcircle.com
Subject: Signoff
Message-ID: <960409072713_465627208@emout06.mail.aol.com>

Signoff of mailing list

From firewalls-owner Tue Apr 9 05:33:24 1996
From: Barney Wolff
Date: Tue, 9 Apr 1996 07:51 EDT
To: firewalls@greatcircle.com
Subject: Re: flood attack
Message-ID: <316a52100.379@databus.databus.com>

> Date: Mon, 08 Apr 1996 18:05:21 -0700
> From: David Schiffrin
>
> More specifically, the web, inbound SMTP, and POP servers were each flooded
> by SYN packets from the 'net on the services' respective ports, thus denying
> legitimate users access to these services. I filtered some, and changed
> DNS/IP addresses for others, but I'm not sure (without dynamic packet filter
> rules) how to address this long-term. These solutions only worked because
> the attacker began the attack (maybe checked it for effectiveness) and
> seemed to leave it running unattended. Obviously the web and SMTP servers
> need to be accessible to the outside, but how do I make this better.
>
> BTW hosts from a variety of assigned and unassigned networks appeared to be
> the source addresses, and all hosts were/are unreachable from any
> net-access. Could/should the 'wall be doing a ping-check back at connecting
> hosts?.....

This might have been a prelude to a Mitnick-style source-address spoofing attack. What hosts trust the hosts that were flooded? Does the router make sure that incoming packets don't have source addresses apparently on internal nets?

As for the ping-back check, it's probably too late for that when you become aware that there's an incoming TCP connect, unless you get inside the kernel. tcpwrapper can do a reverse & forward DNS check, and an ident check (not worth much, but at least if it succeeds you know the host is reachable), and could easily be hacked to do the ping. But inetd (or sendmail or httpd or tcpwrapper) probably does not even see the connect unless the other side ACKs the SYN-ACK from your side.
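The two checks Barney's reply asks about, worked through offline over a constructed packet trace as an added example (not code from anyone in this thread): an anti-spoofing test for inbound packets that claim an internal or loopback source, half-open-handshake counting per server port to spot the SYN-flood symptom David describes, and the network/wildcard-mask form of the matching deny rule. The 192.0.2.0/24 "internal" prefix, every address in the trace and the access-list number 101 are constructed placeholders, not the poster's real network.

```python
"""Added example (not from the thread): offline checks for the SYN-flood
report and the anti-spoofing question above.  All addresses, the internal
prefix and the trace are constructed placeholders."""
import ipaddress
from collections import defaultdict

# Constructed stand-in for the site's internal prefix (not a real site).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Sources that must never arrive on the outside interface: our own nets,
# loopback, and the unspecified "this network" block.
NEVER_FROM_OUTSIDE = INTERNAL_NETS + [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/8"),
]


def is_inbound(dst):
    """A packet is inbound if its destination lies on an internal net."""
    return any(ipaddress.ip_address(dst) in net for net in INTERNAL_NETS)


def is_spoofed_source(src):
    """True when an outside packet claims a source that can only be internal."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in NEVER_FROM_OUTSIDE)


def cisco_deny_rule(net, acl=101):
    """Extended access-list line denying 'net' as a source, in the
    network/wildcard-mask form used in the thread (wildcard = ~netmask).
    'acl' is a placeholder list number; 'log' is the keyword discussed earlier."""
    return f"access-list {acl} deny ip {net.network_address} {net.hostmask} any log"


def parse_line(line):
    """Parse one constructed trace line: '<ts> <src>:<sport> > <dst>:<dport> <flags>'.
    flags: S = client SYN, SA = server SYN-ACK, A = client's final ACK."""
    ts, src, _, dst, flags = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"ts": float(ts), "src": src_ip, "sport": int(sport),
            "dst": dst_ip, "dport": int(dport), "flags": flags}


def analyze(lines, syn_threshold=4):
    """Return (spoofed_packets, flooded_ports).

    spoofed_packets: inbound packets whose claimed source fails the check.
    flooded_ports:   {(server_ip, port): [client ips]} for ports holding at
                     least syn_threshold half-open handshakes, i.e. SYNs the
                     client never completed with its ACK.  A flood from
                     unreachable (spoofed) sources looks exactly like this,
                     because the SYN-ACK is never answered."""
    pkts = [parse_line(l) for l in lines if l.strip()]
    spoofed = [p for p in pkts if is_inbound(p["dst"]) and is_spoofed_source(p["src"])]

    half_open = {}  # (client ip, client port, server ip, server port) -> SYN
    for p in pkts:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == "S":
            half_open[key] = p
        elif p["flags"] == "A":
            half_open.pop(key, None)  # handshake completed: no longer half-open

    per_port = defaultdict(list)
    for (src, _, dst, dport) in half_open:
        per_port[(dst, dport)].append(src)
    flooded = {port: sorted(srcs) for port, srcs in per_port.items()
               if len(srcs) >= syn_threshold}
    return spoofed, flooded


# Constructed trace: one legitimate web connection, a burst of SYNs to the
# SMTP server that are never completed, and two inbound packets carrying
# impossible (internal / loopback) sources.
TRACE = """
1.000 198.51.100.7:40001 > 192.0.2.10:80 S
1.010 192.0.2.10:80 > 198.51.100.7:40001 SA
1.020 198.51.100.7:40001 > 192.0.2.10:80 A
2.000 203.0.113.5:1025 > 192.0.2.20:25 S
2.001 203.0.113.9:1025 > 192.0.2.20:25 S
2.002 203.0.113.17:1025 > 192.0.2.20:25 S
2.003 203.0.113.33:1025 > 192.0.2.20:25 S
2.004 203.0.113.41:1025 > 192.0.2.20:25 S
2.010 192.0.2.20:25 > 203.0.113.5:1025 SA
3.000 192.0.2.99:2000 > 192.0.2.10:80 S
3.100 127.0.0.1:2001 > 192.0.2.10:80 S
"""

if __name__ == "__main__":
    spoofed, flooded = analyze(TRACE.strip().splitlines())
    for p in spoofed:
        print(f"spoofed source {p['src']} -> {p['dst']}:{p['dport']} at t={p['ts']}")
    for (ip, port), srcs in flooded.items():
        print(f"{ip}:{port} holds {len(srcs)} half-open connections from {srcs}")
    for net in INTERNAL_NETS:
        print(cisco_deny_rule(net))
```

The half-open count is only a symptom check; the rule the router should enforce is the deny line, which stops the spoofed-internal-source packets regardless of whether a flood is under way.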
Barney Wolff

From firewalls-owner Tue Apr 9 05:55:26 1996
From: "Lack Mr G M"
Date: Tue, 9 Apr 1996 13:45:17 +0100
To: Mike.Jones@unifiedtech.com (Mike Jones), Firewalls@GreatCircle.COM, michael@memra.com
Cc: auampdrv@ibmmail.com
Subject: Re: more on mail addresses
In-Reply-To: Mike.Jones@unifiedtech.com (Mike Jones) "Re: more on mail addresses" (Apr 4, 8:04am)
References: <199604041304.IAA14946@samadams.unifiedtech.com>
Message-Id: <9604091345.ZM26628@ukwit01>

On Apr 4, 8:04am, Mike Jones wrote:
>...
> In fact, from a human factors point of view, it seems likely that
> "non-obvious" (a better term might be "user hostile") mail names are
> *more* likely to cause misdelivery of mail, because it is less
> obvious if one has mistyped an address.

You seem to be assuming that "non-obvious" ids are independent of each other and that as a result it might be easy to mistype one id into another. What about a scheme where it is *impossible* to get from one id to another without making at least 3 mistypes? At least what would happen then is that you will get the message returned with "no such user".

Of course, if your mail system allows you to *validate* local users before you send the mail as well then most of the mis-sendings disappear too.

From firewalls-owner Tue Apr 9 06:10:07 1996
From: johns@oxygen.house.gov (John Schnizlein)
Date: Tue, 9 Apr 1996 08:54:17 -0400
To: firewalls@greatcircle.com, maillet@doc.cs.usm.maine.edu
Subject: Re: RAS and technical people
Message-Id: <9604091254.AA51005@oxygen.house.gov>

> Is it worth the extremely heated argument to force them not to setup their
> modems for dial-in?
> And if so, does anyone have some REALLY strong technical arguments what
> the security risks are even when the modems are set to dial back their home?

The essence of this question is who is responsible if/when a successful attack occurs. If MIS is responsible, they must have the authority to protect the system. If your computers are connected internally, it is not hard to argue that the security of all depends on the security of each computer.

Enforcement of this kind of policy is interesting in its own right. It is remarkably easy for a technically savvy person to install a dial-in modem. If you control the telephone system, you could resort to something like blocking inbound calls to any POTS (analog) phones. That way people with modems can call out, but bad-guys cannot call in. This approach requires different phones (proprietary digital if possible) for normal telephone call-in service; these are actually quite common in PBXes.
Remember the fundamentals: policy based on management's assignment of responsibility leads to access-control policy, which is implemented as well as possible. No policy means you never win these arguments.

-- John

From firewalls-owner Tue Apr 9 06:50:40 1996
From: Paul Ferguson
Date: Tue, 09 Apr 1996 09:19:30 -0400
To: firewalls@GreatCircle.com
Subject: Network Engineering Technologies Announces $10,000 Firewall Challenge

Excerpt from: -(BUSINESS WIRE) via Individual Inc. [04-08-96 at 15:41 EDT, Business Wire]

[snip]

The Challenge

To claim the $10,000 in NET's Firewall Challenge, individuals must first register with NET, then use a computer to break into NET's secure transaction server and retrieve information stored there about paper currency totaling $10,000, namely: (1) the number of notes, (2) the denomination of each note and (3) the serial number of each note. The first person to supply the correct information to NET between 12:01 a.m. May 1 and 12:01 a.m. May 31 will win the $10,000. In the case of multiple break-ins, the first person sending the correct information to NET's e-mail address will be declared the winner.
Participants must be individuals over 18 years of age, not companies, and must also agree to surrender to NET all relevant information about the methods they used to break through the firewall. Further details on the Network Engineering Technologies' $10,000 Firewall Challenge are available on the World-Wide Web at http://thefirewall.com or by writing NET at 1714 Ringwood Ave., San Jose, CA 95131.

[snip]

--
Paul Ferguson
Consulting Engineering
Reston, Virginia USA
tel: +1.703.716.9538
e-mail: pferguso@cisco.com
cisco Systems

From firewalls-owner Tue Apr 9 06:57:21 1996
From: Eric.Berenguier@sycomore.fr (Eric Berenguier)
Date: Tue, 9 Apr 1996 15:17:03 +0200
To: firewalls@greatcircle.com
Subject: free Packet filters & proxies

Hello,

I'm looking for FREE software to make a packet filtering router and some proxies for common protocols (http, ftp, etc.). What are the available products?
Thanks
Eric Berenguier

From firewalls-owner Tue Apr 9 07:40:09 1996
From: "Ward, Jay"
Date: Tue, 09 Apr 96 10:26:00 EDT
To: Firewalls
Cc: "Ward, Jay"
Subject: Structure

Hi,

I am new to the list and new to setting up firewalls. We just recently purchased the Solstice Firewall-1 version 2.0. I currently have four Sparc 20s, of which one will have the firewall package installed. One of the Sparcs is running httpd and bootp. Another is running dns and sendmail. The third server is running netmanager. From what I have been told in the past, I could run into problems putting the httpd server behind the firewall. Is this true? Should I be able to successfully put the three servers behind a firewall without hampering the performance of any of the systems? Any feedback would be greatly appreciated.
--Jay Ward

From firewalls-owner Tue Apr 9 07:41:27 1996
From: "Lack Mr G M"
Date: Tue, 9 Apr 1996 14:36:55 +0100
To: Firewalls@GreatCircle.COM, Mike.Jones@unifiedtech.com (Mike Jones)
Subject: Re: more on mail addresses

> No, that's not the assumption I'm making at all. I'm making the
> assumption that "non-obvious" mail names are, well, not obvious.
> Meaning that once you've typed the address, it's not obvious to a human
> observer how the address links to the intended recipient. I think your
> suggestion would actually make things worse, because in order to
> enforce the "3 mistypes" rule, you'll probably end up with mail names
> that look like jm8093U rather than, say, mike.jones.
>...
> Again, I don't think so; the problem is sending to a valid, but
> unintended, recipient.
Well, having used a system which *does* use ids that require at least 3 mistypes to get to another valid one *and* a mail system which validates local users as you enter them as addressees (and lets you specify id, surname, stem of id etc., displaying all matching ids if what is entered is not unique...) I can say that such a system works extremely well. Oh yes, the ids exist indefinitely (even if the user has been completely removed from all systems).

From firewalls-owner Tue Apr 9 08:10:29 1996
From: "P.Gibbs"
Organization: Abbey Information Systems Ltd.
To: firewalls@GreatCircle.com
Date: Tue, 9 Apr 1996 15:56:59 +0000
Subject: Signoff

signoff firewalls p.gibbs@ukonline.co.uk

From firewalls-owner Tue Apr 9 08:12:06 1996
From: Charles Ragan
Date: Tue, 09 Apr 1996 09:38:39 -0500
To: "Richard E. Rosato"
Cc: Firewalls@GreatCircle.COM
Subject: Re: NT Firewalls

check out www.checkpoint.com

At 11:23 PM 4/8/96 -0400, Richard E. Rosato wrote:
>What NT Firewall solutions has anybody used on NT? How do they compare to
>their Unix versions? Are there any limited shareware firewall toolkit (
>a.k.a. TSI Toolkit ) for NT?
From firewalls-owner Tue Apr 9 08:24:57 1996
From: "Anton Rager"
Date: 9 Apr 1996 08:03:04 -0700
To: ckostick@ashton.csc.com, "firewall-digest"
Subject: Re: FWTK and SNMP-GW

On Mon, 8 Apr 1996 22:58:09 -0400 (EDT), Chris Kostick replied:

On another note, I've never understood, or have been unable to think of an architecture, where someone would want to get SNMP information *through* a firewall. Enlighten me someone.

- -- chris
_______________________________________________________

Thanks for the transport clarification -- Let's think about this --

1 -- There is a need to manage and receive traps from an internet router that is outside the firewall [primary packet filter] -- I want to be able to access it via SNMP from my internal network console -- seems to be the only method for access list denies and hardware problem reporting [without manually checking unit].

2 -- It would be nice to have DMZ servers/devices forward traps via SNMP to internal console [for the same reason -- service denials/errors via SNMP traps--no get/set].

SNMP would only be allowed to/from DMZ devices and Internet router....here's the basic config:

                     |     |
INET--Router/Filter--| DMZ |--FWTK Firewall-- SNMP Console
                     |     |

This seems like necessary info and functionality -- Any thoughts??
What are the risks running udprelay [rules based like FWTK?]....and will it work in conjunction with FWTK???

Thanks,
Anton Rager
arager@hibbertco.com

From firewalls-owner Tue Apr 9 08:47:28 1996
From: Chris Kostick
Date: Tue, 9 Apr 1996 11:29:01 -0400
To: "'Colin Campbell'"
Cc: "'firewalls@greatcircle.com'"
Subject: RE: FWTK and SNMP-GW

Colin Campbell[SMTP:sgcccdc@citec.qld.gov.au] wrote:
> My mailer thinks Chris Kostick said:
> >
> > > Anyone tried to proxy SNMP get/set/traps thru a FWTK firewall????? What do you
> > > use -- plug-gw on SNMP?
> >
> > plug-gw is TCP based, SNMP uses UDP. For UDP you need to use something
> > like udprelay.
> >
> > On another note, I've never understood, or have been unable to think
> > of an architecture, where someone would want to get SNMP information
> > *through* a firewall. Enlighten me someone.
> >
>
> Our network people on the inside would really like to manage the router outside the
> firewall.

Good point, but I usually set it up so the premise router (or whatever you call it) can be managed out-of-band rather than through the network. This solution doesn't scale for environments that would have lots of firewalls though.
The new stupid-buzzword-of-the-day (SBOTD), Intranets, gave me an idea. With an architecture that has many internal firewalls, yet one network management center, I can see the need for SNMP traffic through it. This leads me to the inevitable conclusion that packet filtering firewalls are only good for Intranet environments and application proxy firewalls are only good for Internet environments! (Before anyone responds: that was a joke, people. I'm laughing as I type it).

-- chris

From firewalls-owner Tue Apr 9 09:14:16 1996
From: Yossi Goltz
Date: Tue, 9 Apr 1996 18:57:50 +0300 (IDT)
To: Firewalls@GreatCircle.COM
Subject: WWW proxy to cut off Java.

Hi!

Could a nice soul advise me how to set up a proxy http server that can cut off java applets on their way in to our site. I'm becoming more and more concerned about Java (after reading the last messages from Netscape and Sun), and would like to keep off Java and Javascript until they become more safe.

Best regards,
Yossi.
From firewalls-owner Tue Apr 9 09:25:11 1996
From: Jasjit K Singh
Date: Tue, 09 Apr 1996 11:02:23 -0600
To: firewalls@GreatCircle.COM
Subject: UUCP vs. Anonymous FTP

Hi,

We are planning to replace UUCP with anonymous FTP for transferring files. I would like to get information on the security issues of anonymous FTP and the do's and don'ts. What are the benefits of this, and what is the latest release of anonymous FTP that is considered stable and safe enough? Any information will be welcome.

Thanks!!

From firewalls-owner Tue Apr 9 09:56:28 1996
From: "Marcus J. Ranum"
Reply-To: mjr@v-one.com
Organization: V-One Corporation, Baltimore, MD
Date: Tue, 9 Apr 1996 12:02:41 -0400 (EDT)
To: Firewalls@GreatCircle.COM
Subject: Lower layer firewalls

amolitor@anubis.network.com (bob)
> You cannot implement a useful and effective firewall system
> without being higher-layer aware.

I think that's a *REALLY* good way of putting it!

mjr.

[Although, the Ultimate Firewall is not higher-layer aware because it uses a patented high-assurance DTE technology.
DTE stands for Destroy The Ethernet] :) :)

From firewalls-owner Tue Apr 9 10:06:29 1996
From: Mike.Jones@unifiedtech.com (Mike Jones)
Date: Tue, 9 Apr 1996 09:09:15 -0400
To: Mike.Jones@unifiedtech.com, Firewalls@GreatCircle.COM, michael@memra.com, gml4410@ggr.co.uk
Cc: auampdrv@ibmmail.com
Subject: Re: more on mail addresses

Lack Mr G M wrote...
> On Apr 4, 8:04am, Mike Jones wrote:
> >...
> > In fact, from a human factors point of view, it seems likely that
> > "non-obvious" (a better term might be "user hostile") mail names are
> > *more* likely to cause misdelivery of mail, because it is less
> > obvious if one has mistyped an address.
> You seem to be assuming that "non-obvious" ids are independent of each other
> and that as a result it might be easy to mistype one id into another. What
> about a scheme where it is *impossible* to get from one id to another without
> making at least 3 mistypes? At least what would happen then is that you will
> get the message returned with "no such user".

No, that's not the assumption I'm making at all. I'm making the assumption that "non-obvious" mail names are, well, not obvious. Meaning that once you've typed the address, it's not obvious to a human observer how the address links to the intended recipient.
I think your suggestion would actually make things worse, because in order to enforce the "3 mistypes" rule, you'll probably end up with mail names that look like jm8093U rather than, say, mike.jones. It's a lot easier to mistype, for instance, "mike.james" for "mike.jones", but it's also pretty obvious that the former isn't likely to go to a Mike Jones. It's harder to mistype, say "jm9803U" for "mj8093U", but it's also much harder for the sender to notice there's something wrong.

> Of course, if your mail system allows you to *validate* local users before
> you send the mail as well then most of the mis-sendings disappear too.

Again, I don't think so; the problem is sending to a valid, but unintended, recipient.

--
Mike.Jones@unifiedtech.com
Money and women are the most sought after and the least known of any two things we have. - Will Rogers

From firewalls-owner Tue Apr 9 10:09:48 1996
From: Larry Bennett
Organization: mu Networks Ltd
Date: Tue, 09 Apr 1996 17:09:47 -0700
To: firewalls@GreatCircle.com
Subject: Seeking Dream Firewall

I'm looking for a firewall solution for a large retailer in the UK.
I haven't yet found any products that meet all their requirements, so I'm posting this in the hope that vendors or any others who know of appropriate products will respond. It's important that the product meet all of the requirements. I have already found products that come close and some of them are relatively attractive. Still, if there is a product that meets all the requirements, I would like to know about it.

Requirements are:

- Complete, prebuilt solution. It should not require that additional software be installed. Nor should the firewall be sold as separate software that we must install onto a UNIX or other system.
- Supports SOCKS.
- Includes an NNTP proxy application that will allow the ISP to send news to a server inside the firewall.
- Includes an SMTP proxy application for forwarding of mail to/from an internal server.
- Provides a split DNS, allowing internal systems to send queries for the Internet while hiding those internal systems from the Internet.
- Supports NTP so that the firewall system can obtain time information from the Internet and provide it to internal systems.
- Supports the Ident protocol so that systems in the Internet can query the firewall. The Ident server on the firewall should respond with something sensible that hides information about internal systems.
- Has excellent performance. It's important that this be substantiated by performance testing, preferably by an independent tester. The firewall must support a user community of 400, growing potentially to 1000.
- Has a sensible security architecture, preferably one in which all functions not related to being a firewall have been removed. Ideally, the underlying operating system and the firewall software would have NCSA or ITSEC certification.

I realise such a firewall could be built on a UNIX system using public domain proxy applications. However, a very important requirement is that the solution be pre-built.

I would be very grateful for any leads.
Regards,
Larry Bennett
mu Networks Limited
United Kingdom

From firewalls-owner Tue Apr 9 10:26:44 1996
From: Rob Sansom
Date: Mon, 08 Apr 1996 22:10:41 -0500
To: firewalls@greatcircle.com
Subject: ICMP Loopback etc..

Here are some interesting logs I got from my router:

Apr 9 15:23:03 gate247158.connectix.com 1275: %SEC-6-IPACCESSLOGDP: list 191 denied icmp 127.0.0.1 -> 204.247.159.242 (11/0), 1 packet
Apr 9 15:42:03 gate247158.connectix.com 1276: %SEC-6-IPACCESSLOGDP: list 191 denied icmp 127.0.0.1 -> 204.247.159.242 (11/0), 1 packet
Apr 9 15:47:03 gate247158.connectix.com 1277: %SEC-6-IPACCESSLOGDP: list 191 denied icmp 127.0.0.1 -> 204.247.159.242 (11/0), 2 packets
Apr 9 15:53:03 gate247158.connectix.com 1278: %SEC-6-IPACCESSLOGDP: list 191 denied icmp 127.0.0.1 -> 204.247.159.242 (11/0), 2 packets

204.247.159.242 is our mail hub. We have had some spoofing incidents here, so I contacted CERT with this info, and they know of no way that ICMP TTL exceeded messages have been used for previous attacks. If this is indeed a case of a deliberate attack against our mail hub, then the only attack I can think of that would use this type of packet is some sort of denial of service attack.
Maybe they are trying to get an application to re-transmit packets to the loopback address on our mail host? I've gotten over 40 of these packets over the past few weeks, and they tend to come in bursts. All packets are filtered on the incoming interface, so these packets cannot be coming from our net. I'm trying to get in contact with our ISP to trace where they are coming from. All ideas are welcome.

Also, I get around 10 or so echo requests (udp/7) from various foreign hosts (de, nz, au) to our web server, which may or may not be a probe to see if the host is alive. Has anyone had experience with this before?

Thanks in advance,
Robert Sansom
Connectix Corp.
sansom@connectix.com
(415) 638-7398

From firewalls-owner Tue Apr 9 10:43:07 1996
From: Bill Stout
Date: Tue, 9 Apr 96 09:22:11 PDT
To: Firewalls@GreatCircle.COM
Subject: RE: Firewalls at lower levels?

A firewall configuration comprises (typically) one or two routers, network cable, and an application proxy.

Layer 1 - The physical connections are limited by the cables connected.
Layer 2 - Data link connections via ethernet MAC addresses are filtered out by virtue of routers separating subnets.
Layer 3 - Network layer is controlled by filtering tables in the routers.
Layer 4 - Transport layer is controlled by extended IP filtering in routers, and firewall configuration.
Layer 5 - Session layer is controlled by firewall configuration.
Layer 6 - Presentation layer can be manipulated by adding gateway functions to the firewall (like HTML-3270), though you wouldn't want to. However, does X-window filtering count?
Layer 7 - Application Layer, well, do you want your Oracle database machine to act as a firewall too?
Layer 8 - Political - Shareware UNIX, Corporate UNIX, NT? Not filterable.
Layer 9 - Economic - Cost of firewall not filterable.

If Stuart really said firewalls are not effective/implementable below the session layer, he read the books, but didn't get a grasp on the subject.

At 01:07 AM 4/8/96 -0400, you wrote:
>
>>
>> I was at a seminar presented by Stuart Holoman, Holocon Inc.
>> yesterday, and he said firewalls are not effective/implementable
>> below the session layer:
>>
>> layer 7 - App support
>> layer 6 - Presentation
>> layer 5 - Session
>> layer 4 - Transport
>> layer 3 - Network
>> layer 2 - Data link
>> layer 1 - Physical
>>
>> Any comments?
>> I don't know if he was speaking in abstract terms (e.g., not many
>> people know how to make them effective).
>
>I think everyone's kinda missing the obvious here... perhaps his
>diagram goes the OTHER direction (I know it's not 'sposed to, but
>maybe it does), and he meant that firewalls aren't implementable
>in layers 6 & 7 above.
>
>I'm almost certain they can handle traffic almost anywhere between
>session and the physical layer... correct me if I'm wrong. I'm also
>almost certain that they can't be implemented in 6 & 7, and I know
>the reasons are obvious to anyone who's actually read anything
>about firewalls, so I won't state them here.
>
>shag
>
>Judd Bourgeois shagboy@thecia.net
> Finger for PGP public key
>I've seen the other side and I say -
>I've been insane -
>And I will never be the same - 311, "Homebrew"
>

William B. Stout          | "Criticism welcome, I learn best via 'the internet
Senior Systems Admin      |  school of fire'."
Hitachi Data Systems      |
Open Systems Center       | "If it's in a textbook, it's obsolete."
Santa Clara, California   |
408-970-4822              | "My opinions are my own, even when they're right."

From firewalls-owner Tue Apr 9 10:44:11 1996
From: "W.C. Epperson"
Date: Tue, 09 Apr 1996 9:39:16 EDT
To: dennis@SterCtl.com
Cc: firewalls@greatcircle.com
Subject: Re: Interesting packets from the net

Dennis sed:
>
> Your choice of Cisco IOS is well ... your choice. I have found and printed

My choice, based on official Cisco distribution and support policy. I have pointed out to them that their support practice is not consistent with their policy.

> a section of the UniverCD shipped with my router. No, I do not recall if
> the information about extended IP access lists is buried in the release
> notes or stuck somewhere in the bowels of the CD.
> The information is still
> there just the same.

Not on mine _anywhere_, nor does it appear in _anything_ regarding 10.3 on CIO. Curious they'd burn it on your CD but not put it on their website.

>
> For the record, I would like to use a GD IOS, but only IOS 11.0(4) is
> capable enough to get my ISDN connection going. The functionality I need
> is in the newer IOS at the possible risk of getting out on the bleeding
> edge. The connection has been reliable and the logging has been a blessing
> because now I can see and act upon events that happen to the connection
> without any hocus-pocus guesswork.

I understand your choice. My hunch is that you're safe. But I won't bet the security of my network (or my career) on my hunches, no matter how good my track record is. For me, demonstration of due care includes observing the vendor's official distribution and support policy. Until 11.0 (or whatever version first supports violation logging) makes GD, I'll use a network analyzer to keep an eye on the bad stuff.

--
W.C. Epperson                  "I have great faith in fools.
Senior SE                       Self-confidence, my friends call it."
Information Security Officer          --Edgar Allan Poe--
DBA Emeritus
Curmudgeon-for-Life
Virginia Dept. of Education
epperson@pen.k12.va.us

From firewalls-owner Tue Apr 9 11:23:34 1996
From: rex@staff.cs.su.oz.au (Rex di Bona)
Reply-To: rex@cs.su.oz.au
Date: Tue, 09 Apr 1996 22:07:53 +1000
To: sgcccdc@citec.qld.gov.au
Cc: firewalls@greatcircle.com
Subject: split dns question

> Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id AAA06545 for firewalls-outgoing; Tue, 9 Apr 1996 00:37:33 -0700 (PDT)
              ^^^^^ Interesting :-)
> Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id AAA06539 for ; Tue, 9 Apr 1996 00:37:26 -0700 (PDT)
> Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.7.5/8.7.3) id RAA05894 for ; Tue, 9 Apr 1996 17:28:30 +1000 (EST)
                  ^^^^^ Good
> X-Authentication-Warning: citecuh.citec.qld.gov.au: mail set sender to using -f
> Received: from guru.citec.qld.gov.au(147.132.20.47) by citecuh.citec.qld.gov.au via smap (V1.3)
                                                                                 ^^^^ uh-huh
> id /mail/incoming/sma005871; Tue Apr 9 17:28:09 1996
> Received: (from sgcccdc@localhost) by guru.citec.qld.gov.au (8.6.12/8.6.12) id RAA01461 for firewalls@greatcircle.com; Tue, 9 Apr 1996 17:35:22 +1000
                  ^^^^^^ different!
> From: Colin Campbell

I love looking at the headers - you see so much interesting information!

> Hi,
>
> I have a more complex split dns than I think is the norm (if there is
> such a thing).
> At present I run the classic version but am not sure how
> to expand it to the following scenario:
>
>
>                    internet
>                       ^
>                       |
>                       |
>                 external bind  \
>                      ...        } the bastion host
>                    resolver    /
>                       |
>                       |
>                       v
>               root server (mine?)
>                       |
>                       |
>                       +-----> server of citec.qld.gov.au (me)
>                       |
>                       +-----> server for a.qld.gov.au
>                       |
>                       +-----> server for b.qld.gov.au
>                       |
>                       +-----> server for c.com.au
>                       |
>                       +-----> server for d.com.au
>                       |
>                       +-----> server for e.qld.gov.au
>

This doesn't seem to be the classic split DNS, so some modifications are certainly needed.

> If the picture doesn't explain my needs ...
>
> The servers for the internal domains are managed by disparate
> organisations all of whom have a common connection through mine. None of
> them have any need to resolve external names. They do however have a need
> to resolve names outside their own organisations. The bastion of course
> needs to resolve all internal and external names.

Ok, here's the question. What information from those internal domains needs to be spread to the 'internet'? The split DNS usually has 'public' information on the bastion host, and 'private' information on the internal hosts. In the scenario you postulate, does the information from each domain become available to other domains behind your f/w? To the internet in general, or to each private domain? I guess you do not want to keep track of the 'public' information on the B/H (and be responsible for keeping it up-to-date). So there must be both public and private information stored somewhere...

> Should the root server actually be a root server? (I can't see any
> alternative other than maybe ".au")

I wouldn't make it so, as I think you can do it without this..

> If I point the bastion resolver at the internal root server, will it be
> able to resolve the entire internal namespace?

I think you'll end up with 2 'root' servers... (see below).

> Where do I configure the forwarders line?
>
> The root server will probably be 4.9.3 bind with the LAME DELEGATION
> stuff turned off.
>
> Colin

I think you'll end up with many split DNS configurations. Here are your choices...

1) Some information from each domain public, some private to that domain (domains can't see into each other). B/H sees public information only.

   Put 'secondary' lines for each domain in the named.boot on the B/H; point the secondary to the 'public' server in each sub-domain. In each sub-domain you have a 'public' dns and a 'private' dns (standard split arrangement). You have the resolv.conf (or equiv.) on each private domain user (including the public server) point to the private server, which forwards to the public server, which forwards to the B/H (you could forward just to the B/H). The B/H's resolver points to itself.

2) All information to be shared amongst the listed domains, but only some to be available to the internet. B/H sees private info.

   Put private and public servers (as above), but forward the private servers to a 'private' central server. This server has 'secondary' lines for each private server, and is the resolver point for each user, and private/public server. This means that all information is available within your whole mess. The public servers are 'secondary' from the B/H, which can obtain all the public information. Forwarders are from the public to the B/H (not needed), from the private to the central private, and from the central private to the B/H. The B/H's resolver points to the central private server.

3) All information available to the B/H, but users can only see the public information from other domains.

   As above, but the private dns forwards to the local 'public' dns which forwards to the central 'public' dns. The B/H resolves to the central private dns (and is the only thing that does so); users point to their local 'private' server.

4) All information to be public.

   Put 'secondary' lines for each 'public' server in the B/H, and forwarders from each public to the B/H - the resolvers point to the local public server.

I hope this helps. Drop me a line if you need clarification for any of these :-)

The difference is the way information travels over 'secondary' and 'forwarders' links, and the order in which the resolve fails. In these suggestions you have to be sure to enforce where people point their resolvers (this is normally enforced by the B/H...), to stop them seeing more than they are allowed. I would guess that the easiest (most sensible?) would be option 2 or 3.

Rex.

From firewalls-owner Tue Apr 9 11:27:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA04888 for firewalls-outgoing; Tue, 9 Apr 1996 09:46:25 -0700 (PDT)
Received: from ccnet3.ccnet.com (ccnet3.ccnet.com [192.215.96.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA04872 for ; Tue, 9 Apr 1996 09:46:16 -0700 (PDT)
Received: (from richterb@localhost) by ccnet3.ccnet.com (8.6.12/8.6.12) id HAA27289; Tue, 9 Apr 1996 07:52:27 -0700
Date: Tue, 9 Apr 1996 07:52:26 -0700 (PDT)
From: William Richter
X-Sender: richterb@ccnet3
To: firewalls-digest@greatcircle.com
Subject: RAS and technical people
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Having the PBX gurus remove the DID number for incoming lines that are not approved might not be the best. This limits the number of inbound trunks to the PBX. The advent of caller ID and ANI numbers allows most folks to determine what their line is. Changing the class of service on the extension to only allow station to station calling, deny call forwarding, etc., is probably easier. Many folks still order 1MB lines to bypass the PBX because the PBX causes interference, so that fix doesn't work. Then you have to get the telco to make the telephone not accept incoming calls.
Policy backed up by effective enforcement seems to make an excellent solution. From firewalls-owner Tue Apr 9 12:14:30 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA10983 for firewalls-outgoing; Tue, 9 Apr 1996 11:33:34 -0700 (PDT) Received: from maddie.atlantic.com ([204.213.233.253]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA10976 for ; Tue, 9 Apr 1996 11:33:25 -0700 (PDT) Received: (pokey@localhost) by maddie.atlantic.com (8.6.10/8.6.11) id MAA07974 for firewalls@GreatCircle.com; Tue, 9 Apr 1996 12:35:32 -0400 From: Rick Romkey Message-Id: <199604091635.MAA07974@maddie.atlantic.com> Subject: High speed throughput firewalls... To: firewalls@GreatCircle.com Date: Tue, 9 Apr 1996 12:35:32 -0400 (EDT) X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Folks, Has anyone ever tried to firewall two networks that are connected via highspeed networks such as FDDI? What type of firewall did you use? Did you notice bottlenecking, etc? I'm looking for hard facts, not sales pitches... 
-Rick
----------------------------------------------------------------------------
Rick E Romkey        | A T L A N T I C                  | Internet
pokey@atlantic.com   | Computing Technology Corporation | Specialists
(203) 257-7163       | http://www.atlantic.com/         |
-----------------------------------------------------------------------------

From firewalls-owner Tue Apr 9 12:26:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA11316 for firewalls-outgoing; Tue, 9 Apr 1996 11:39:31 -0700 (PDT)
Received: from shadow.cyberdesic.com (shadow.cyberdesic.com [206.68.129.9]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA11292 for ; Tue, 9 Apr 1996 11:39:23 -0700 (PDT)
Received: (from tom@localhost) by shadow.cyberdesic.com (8.6.12/8.6.12) id NAA02714; Tue, 9 Apr 1996 13:37:29 -0500
Date: Tue, 9 Apr 1996 13:37:29 -0500
From: Tom Friday
Message-Id: <199604091837.NAA02714@shadow.cyberdesic.com>
To: firewalls@greatcircle.com
Subject: Re: Re: cisco logging for firewalls
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Yes, Ciscos do log to a syslogd daemon. Even logs access filter list
>violations.
>

I saw someone else mention this ability (logging access list violations) also. Apparently this is a feature undocumented by Cisco? Anyway, I thought that someone had said to add the word "log" to the end of the access list rule. I tried this, but I couldn't get it to work. My rule looked like this:

access-list 101 deny ip 127.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255 log

However, when I try to load this configuration, I get an error:

access-list 101 deny ip 127.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255 log
                                                                        ^
% Invalid input detected at '^' marker.

Am I doing something wrong? Or maybe I need new firmware? I'm running IOS 10.2(5).
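Tom's question is about the `log` keyword; in a release that accepts it (Dennis Moroney notes later in this digest that only IOS 11.0 does at the time), each access-list hit produces a %SEC-6-IPACCESSLOGP (tcp/udp) or %SEC-6-IPACCESSLOGDP (icmp) syslog line like the ones Rob Sansom quotes later in this thread. What follows is an added example, not code from anyone on the list or from Cisco, that summarises such lines on the syslog host: per-rule packet totals, source addresses that can only be spoofed when seen on the outside interface, and bursts from one source. The two tcp lines, the 192.0.2.10 address and the choice of 204.247.159.0/24 as an inside network are constructed assumptions.

```python
"""Summarise Cisco IOS access-list violation messages (%SEC-6-IPACCESSLOGP for
tcp/udp, %SEC-6-IPACCESSLOGDP for icmp) after they have reached a syslog host.
Added example for this thread; not a tool from the list or from Cisco."""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# One regex covers both message forms: tcp/udp carry a port in parentheses
# after each address, icmp carries (type/code) after the destination.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?:\d+: )?"
    r"%SEC-6-IPACCESSLOG(?:DP|P): list (?P<acl>\d+) (?P<action>denied|permitted) "
    r"(?P<proto>[a-z]+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?$"
)

# Constructed sample log: the four icmp lines quoted in this thread (unwrapped),
# plus constructed lines for a tcp probe, a packet claiming an inside source
# address, and an unrelated syslog message the parser must skip.
SAMPLE_LOG = [
    "Apr 9 15:23:03 gate247158.connectix.com 1275: %SEC-6-IPACCESSLOGDP: list 191 denied icmp 127.0.0.1 -> 204.247.159.242 (11/0), 1 packet",
    "Apr 9 15:42:03 gate247158.connectix.com 1276: %SEC-6-IPACCESSLOGDP: list 191 denied icmp 127.0.0.1 -> 204.247.159.242 (11/0), 1 packet",
    "Apr 9 15:47:03 gate247158.connectix.com 1277: %SEC-6-IPACCESSLOGDP: list 191 denied icmp 127.0.0.1 -> 204.247.159.242 (11/0), 2 packets",
    "Apr 9 15:53:03 gate247158.connectix.com 1278: %SEC-6-IPACCESSLOGDP: list 191 denied icmp 127.0.0.1 -> 204.247.159.242 (11/0), 2 packets",
    "Apr 9 15:50:11 gate247158.connectix.com 1279: %SEC-6-IPACCESSLOGP: list 191 denied tcp 192.0.2.10(1521) -> 204.247.159.242(1521), 1 packet",
    "Apr 9 15:51:40 gate247158.connectix.com 1280: %SEC-6-IPACCESSLOGP: list 191 denied tcp 204.247.159.77(2049) -> 204.247.159.242(2049), 1 packet",
    "Apr 9 15:52:00 gate247158.connectix.com 1281: some unrelated message",
]
# Assumption: the mail hub's /24 is one of our inside networks, so a packet with
# a source in it that is seen on the outside interface must be spoofed.
INTERNAL_NETS = ["204.247.159.0/24"]


def parse_line(line):
    """Return a dict for one IPACCESSLOG line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Syslog timestamps carry no year; only differences between them are used.
    rec["time"] = datetime.strptime(" ".join(rec["ts"].split()), "%b %d %H:%M:%S")
    rec["count"] = int(rec["count"])
    return rec


def parse_log(lines):
    """Parse every recognised line, silently dropping other syslog traffic."""
    return [r for r in (parse_line(line) for line in lines) if r]


def totals(records):
    """Denied packets per (acl, proto, src, dst), summed over the periodic
    summary lines the router emits for repeated hits."""
    out = defaultdict(int)
    for r in records:
        if r["action"] == "denied":
            out[(r["acl"], r["proto"], r["src"], r["dst"])] += r["count"]
    return dict(out)


def spoofed_sources(records, internal_nets):
    """Source addresses that can never legitimately arrive from the outside:
    loopback, or an address belonging to one of our own inside networks."""
    nets = [ip_network(n) for n in internal_nets]
    found = set()
    for r in records:
        src = ip_address(r["src"])
        if src.is_loopback or any(src in n for n in nets):
            found.add(r["src"])
    return found


def bursts(records, window_s, min_events):
    """(src, dst) pairs with at least min_events log entries inside some
    window_s-second window: the 'comes in bursts' pattern noted on the list.
    Returns the largest such count per pair."""
    times = defaultdict(list)
    for r in records:
        times[(r["src"], r["dst"])].append(r["time"])
    hits = {}
    for key, ts in times.items():
        ts.sort()
        lo = 0
        for hi in range(len(ts)):          # sliding window over sorted times
            while (ts[hi] - ts[lo]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= min_events:
                hits[key] = max(hits.get(key, 0), hi - lo + 1)
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in sorted(totals(recs).items()):
        print("list %s %-4s %-16s -> %-16s %d packets" % (key + (n,)))
    print("spoofed sources:", sorted(spoofed_sources(recs, INTERNAL_NETS)))
    print("bursts (>=3 entries in 15 min):", bursts(recs, 15 * 60, 3))
```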
From firewalls-owner Tue Apr 9 13:02:46 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA10876 for firewalls-outgoing; Tue, 9 Apr 1996 11:30:34 -0700 (PDT) Received: from tera.bctel.net (tera.bctel.net [204.174.64.252]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA10870 for ; Tue, 9 Apr 1996 11:30:25 -0700 (PDT) Received: (from nobody@localhost) by tera.bctel.net (8.7.4/8.7.1) id LAA02030; Tue, 9 Apr 1996 11:28:59 -0700 (PDT) X-Authentication-Warning: tera.bctel.net: nobody set sender to using -f Received: from mocha.bctel.net(204.174.66.5) by tera via smap (V1.3) id sma002025; Tue Apr 9 11:28:34 1996 Received: (from murrell@localhost) by mocha.bctel.net (8.7.5/8.7.3) id LAA22917; Tue, 9 Apr 1996 11:29:39 -0700 (PDT) From: Brian Murrell Message-Id: <199604091829.LAA22917@mocha.bctel.net> Date: Tue, 9 Apr 1996 11:29:38 -0700 (PDT) To: ckostick@ashton.csc.com Cc: firewalls@GreatCircle.COM Subject: Re[2]: FWTK and SNMP-GW In-Reply-To: <199604090258.WAA29642@mccoy.ashton.csc.com> X-Mailer: Ishmail 1.2-960212-sol24 MIME-Version: 1.0 Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk from the quill of Chris Kostick on scroll <199604090258.WAA29642@mccoy.ashton.csc.com> > On another note, I've never understood, or have been unable to think > of an architecture, where someone would want to get SNMP information > *through* a firewall. Enlighten me someone. How 'bout having routers (dialup for instance) placed outside your firewall for the express purpose of giving people "full-on" access to the Internet - as they are not interested in the security risks. You have so many of them that they really do have to be managed to provide a good service. Where do you put the management station?? Outside the firewall?? Inside the firewall?? b. -- Brian J. Murrell Brian_Murrell@bctel.net BCTel Advanced Communications brian@ilinx.com Vancouver, B.C. 
brian@wimsey.com 604 454 5279 From firewalls-owner Tue Apr 9 13:10:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA13662 for firewalls-outgoing; Tue, 9 Apr 1996 12:18:40 -0700 (PDT) Received: from zeus.ci.ua.pt (zeus.ci.ua.pt [193.136.80.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA13640 for ; Tue, 9 Apr 1996 12:18:30 -0700 (PDT) Message-Id: <199604091918.MAA13640@miles.greatcircle.com> Received: by zeus.ci.ua.pt (1.37.109.16/16.2) id AA237947316; Tue, 9 Apr 1996 20:15:16 +0100 From: Pedro Leite Subject: Reverse Proxy connection ... To: firewalls@GreatCircle.COM Date: Tue, 9 Apr 1996 20:15:16 +0100 (PST) Cc: webmaster@zeus.ci.ua.pt X-Mailer: ELM [version 2.4 PL25] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a pertinent question in our firewall option. I'm searching for a "resersed proxy" in the way that machine A acts as a proxy to an outside client ... The client enter the url http://AAA.aaa.AAA/ and it connects to the proxy server... the proxy server gets the request for / and fetch's it from machine B... The proxy connects to machine B and requests / then delivers transparently the information to the original client ... If the client trys to get http://AAA.aaa.AAA/other/ the proxy get's the request for /other/ and connects to machine C .. The proxy fetches / from machine C and passes-it to the client like it was /other/ ... The documents on C and B are done in a way that as they are fetched from the proxy, they appear correctly linked .... There can be local CGI-BIN's served as inline commands... they are relative to the machine B or C ... and are served to the proxy transparently ... The final point is that machine B and C cannot be accessed from the outside and only machine A is available outside our firewall ... I'm available to answer all questions about the problem ... 
PL -- Pedro Leite >=- WebMaster -=< Centro de Informatica >=- email: leite@ua.pt -=< Universidade de Aveiro >=- -=< 3800 Aveiro >=- PGP on request. From firewalls-owner Wed Apr 10 00:56:43 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id AAA12224 for firewalls-outgoing; Wed, 10 Apr 1996 00:23:24 -0700 (PDT) Received: from ns.mad.servicom.es (ns.mad.servicom.es [194.106.0.132]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id AAA12201 for ; Wed, 10 Apr 1996 00:23:15 -0700 (PDT) From: ondategui@pna.servicom.es Received: from ppp_bcn_142.inf.servicom.es by ns.mad.servicom.es (8.6.12/FI-3.3) Wed, 10 Apr 1996 09:22:00 +0200 Received: by ppp_bcn_142.inf.servicom.es with Microsoft Mail id <01BB26BE.F9C1F3E0@ppp_bcn_142.inf.servicom.es>; Wed, 10 Apr 1996 09:20:35 +-200 Message-ID: <01BB26BE.F9C1F3E0@ppp_bcn_142.inf.servicom.es> To: firewalls@GreatCircle.COM Date: Wed, 10 Apr 1996 09:10:47 +-200 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk signoff firewalls ondategui@pna.servicom.es From firewalls-owner Wed Apr 10 00:58:39 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id XAA03858 for firewalls-outgoing; Tue, 9 Apr 1996 23:26:41 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA00658 for ; Tue, 9 Apr 1996 23:05:59 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id SAA13184; Tue, 9 Apr 1996 18:40:42 -0700 Received: from unknown(192.219.254.5) by mycroft via smap (V1.3mjr) id sma013182; Tue Apr 9 18:40:31 1996 Received: from babylon.montreal.qc.ca (uucp@localhost) by comsoon.login.net (8.6.12/8.6.5) with UUCP id VAA03984 for firewalls@GreatCircle.com; Tue, 9 Apr 1996 21:42:02 -0400 From: jihef@babylon.montreal.qc.ca (Jean-Francois 
Boileau) Reply-To: jihef@babylon.montreal.qc.ca To: firewalls@GreatCircle.com Subject: InterNotes server Date: 10 Apr 1996 00:51:55 GMT Message-Id: <1775108061.21853638@babylon.montreal.qc.ca> Organization: Babylon, Montreal, Canada Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am soon going to set up a Lotus InterNotes server on an OS/2 system. The rest of our network runs on Windows NT using Netbios protocol. The OS/2 would have 2 network cards, one TCP/IP, for our Internet connection and the other, Netbios, to communicate with our network. If anyone out there has any experience with that kind of setup, I would appreciate your input on how I could make it as secure as possible. (firewalls or any other measure). Thanks From firewalls-owner Wed Apr 10 01:28:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA16031 for firewalls-outgoing; Tue, 9 Apr 1996 13:02:04 -0700 (PDT) Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA16017 for ; Tue, 9 Apr 1996 13:01:51 -0700 (PDT) Received: from nmti.com (ficc@localhost) by uuneo.neosoft.com (8.7.5/8.7.4) with UUCP id OAA14021; Tue, 9 Apr 1996 14:21:56 -0500 (CDT) Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id OAA11627; Tue, 9 Apr 1996 14:03:40 -0500 Received: by sonic.nmti.com; id AA23701; Tue, 9 Apr 1996 14:03:38 -0500 From: peter@nmti.com (Peter da Silva) Message-Id: <9604091903.AA23701@sonic.nmti.com.nmti.com> Subject: Re: FWTK and SNMP-GW To: arager@hibbertco.com (Anton Rager) Date: Tue, 9 Apr 1996 14:03:38 -0500 (CDT) Cc: ckostick@ashton.csc.com, firewalls-digest@GreatCircle.COM In-Reply-To: from "Anton Rager" at Apr 9, 96 08:03:04 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > 1 -- There is a need to manage and recieve traps from an internet router 
that > is outside the firewall [primary packet filter] -- I want to able to access > it via SNMP from my internal network console -- seems to be the only method > for access list denys and hardware problem reporting [without manually > checking unit]. Run a stripped down SNMP client on one of the boxes in the DMZ that fowrwards SNMP information further in using syslog. You could even run scotty on the firewall if you had to... From firewalls-owner Wed Apr 10 01:43:05 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id XAA09673 for firewalls-outgoing; Tue, 9 Apr 1996 23:48:20 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA01171 for ; Tue, 9 Apr 1996 23:13:34 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id PAA11005; Tue, 9 Apr 1996 15:48:46 -0700 Received: from dfw-ix2.ix.netcom.com(206.214.98.2) by mycroft via smap (V1.3mjr) id sma011001; Tue Apr 9 15:48:22 1996 Received: from (dgbrowne@ix-vf5-20.ix.netcom.com [205.184.1.180]) by dfw-ix2.ix.netcom.com (8.6.13/8.6.12) with SMTP id PAA27094 for ; Tue, 9 Apr 1996 15:50:29 -0700 Date: Tue, 9 Apr 1996 15:50:29 -0700 Message-Id: <199604092250.PAA27094@dfw-ix2.ix.netcom.com> From: dgbrowne@ix.netcom.com (Dean Browne ) Subject: http Proxies and Java To: Firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Could some one please clarify this for me? I recently read a CERT document which stated, (roughly), that a malicious bit of Java code placed on a web server could gain access to manipulate local files on a machine running a Java capable web browser, ie. Netscape 2.0/2.01, in the same manner as the user running the browser is capable. 
If I am running Netscape 2.01 through an application gateway, that is running some kind of http proxy, to get to the server with the hostile Java applet, does the server see my client or the application gateway? ....and.... Therefore...are the files on my application gateway or my client at risk? Cheers. From firewalls-owner Wed Apr 10 01:56:16 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id XAA02036 for firewalls-outgoing; Tue, 9 Apr 1996 23:17:41 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA00421 for ; Tue, 9 Apr 1996 23:02:10 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id UAA14593; Tue, 9 Apr 1996 20:57:11 -0700 Received: from p192.iwl.net(204.177.208.192) by mycroft via smap (V1.3mjr) id sma014591; Tue Apr 9 20:56:18 1996 Received: (from dennis@localhost) by SterCtl.com (8.6.12/8.6.12) id WAA08510; Tue, 9 Apr 1996 22:03:04 -0600 From: Dennis Moroney Message-Id: <199604100403.WAA08510@SterCtl.com> Subject: Re: Interesting packets fron the net To: epperson@vak12ed.edu (W.C. Epperson) Date: Tue, 9 Apr 1996 22:03:02 -0600 (CST) Cc: firewalls@greatcircle.com (firewalls) In-Reply-To: from "W.C. Epperson" at Apr 9, 96 09:39:16 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk According to W.C. Epperson: > > Not on mine _anywhere_, nor does it appear in _anything_ regarding 10.3 > on CIO. Curious they'd burn it on your CD but not put it on their website. Mea culpa. Only IOS 11.0 currently supports logging. Here is where the information is found: UniverCD Vol 2, No. 12, Rev. E0, PN: 80-0283-01, data/doc/software/11_0/rpcs/sip.htm Router Products Release Note for Cisco IOS Release 11.0, Document No. 78-2115-04, Nov. 1995, New Software Features in Release 11.0(1) pp. 23-31 I really looked at my documentation this time. 
Geez, I could use some humble pie right about now. -- Dennis Moroney From firewalls-owner Wed Apr 10 02:07:54 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id XAA09990 for firewalls-outgoing; Tue, 9 Apr 1996 23:52:41 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA01173 for ; Tue, 9 Apr 1996 23:13:35 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id PAA10892; Tue, 9 Apr 1996 15:31:43 -0700 From: bustamante@taap.sps.mot.com Received: from relay5.uu.net(192.48.96.15) by mycroft via smap (V1.3mjr) id sma010889; Tue Apr 9 15:31:00 1996 Received: from uucp6.UU.NET by relay5.UU.NET with SMTP id QQakte14955; Tue, 9 Apr 1996 18:35:36 -0400 (EDT) Received: from spsgate.UUCP by uucp6.UU.NET with UUCP/RMAIL ; Tue, 9 Apr 1996 18:35:20 -0400 Received: from spsem01.sps.mot.com by spsgate.sps.mot.com (4.1/SMI-4.1/Email 2.1 10/25/93) id AA22288 for GreatCircle.COM!firewalls; Tue, 9 Apr 96 15:31:11 MST Received: from mogate (mogate.sps.mot.com) by spsem01.sps.mot.com (4.1/SMI-4.1/Email 2.1 10/25/93) id AA00190 for GreatCircle.COM!firewalls@uunet.uucp@spsem01.sps.mot.com; Tue, 9 Apr 96 15:31:00 MST Received: from emailmesa by mogate (4.1/SMI-4.1/Email-2.0) id AA15700 for GreatCircle.COM!firewalls@uunet.uucp; Tue, 9 Apr 96 15:30:29 MST Received: by taap.sps.mot.com ( 5.52 (84)/SMI-3.2/Apollo 91/03/01) id AA19011; Tue, 9 Apr 96 16:33:20 MDT Message-Id: <9604092233.AA19011@taap.sps.mot.com> Date: Tue, 9 Apr 1996 16:33:20 MDT X-Organization: Motorola, Inc., L.I.C.D., Mesa, AZ X-Mailer: Mail User's Shell (7.2.3 5/22/91) To: uunet!GreatCircle.COM!firewalls@uunet.uu.net Subject: signoff Sender: firewalls-owner@GreatCircle.COM Precedence: bulk signoff firewalls bustamante@taap.sps.mot.com -- Sergio Bustamante - SUN/HP/Apollo Support Personal Computer Services - Ocotillo Motorola Inc. 
-------------------------------------
email : bustamante@taap.sps.mot.com
(602) 732-3302 pager 408-7497
My new address is 2501 S. Price Road Chandler, AZ 85248 mail stop G136

From firewalls-owner Wed Apr 10 02:31:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA16024 for firewalls-outgoing; Tue, 9 Apr 1996 13:01:57 -0700 (PDT)
Received: from tera.bctel.net (tera.bctel.net [204.174.64.252]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA16009 for ; Tue, 9 Apr 1996 13:01:48 -0700 (PDT)
Received: (from nobody@localhost) by tera.bctel.net (8.7.4/8.7.1) id MAA03676; Tue, 9 Apr 1996 12:59:36 -0700 (PDT)
X-Authentication-Warning: tera.bctel.net: nobody set sender to using -f
Received: from mocha.bctel.net(204.174.66.5) by tera via smap (V1.3) id sma003665; Tue Apr 9 12:59:08 1996
Received: (from murrell@localhost) by mocha.bctel.net (8.7.5/8.7.3) id NAA23241; Tue, 9 Apr 1996 13:00:13 -0700 (PDT)
From: Brian Murrell
Message-Id: <199604092000.NAA23241@mocha.bctel.net>
Date: Tue, 9 Apr 1996 13:00:12 -0700 (PDT)
To: mhorn@funb.com
Cc: firewalls@GreatCircle.COM
Subject: Re[4]: About the firewalls using RIP or static routes
In-Reply-To: <199604051418.JAA09872@funws302.capmark.funb.com>
X-Mailer: Ishmail 1.2-960212-sol24
MIME-Version: 1.0
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

from the quill of "Mark Horn [ Net Ops ]" on scroll <199604051418.JAA09872@funws302.capmark.funb.com>

> I don't think that's a very workable solution. How do you enforce that
> routed will listen on the internal interface only? What if your firewall
> employs a Bastion host with only one interface?

In my example I assumed a dual-homed bastion with the model of a trusted (more or less) and an untrusted (i.e. the Internet) side.
You can have the bastion only accept routing updates from the trusted side by blocking routing from the untrusted side with a filter (either on or in front of the bastion - on the untrusted side). b. -- Brian J. Murrell Brian_Murrell@bctel.net BCTel Advanced Communications brian@ilinx.com Vancouver, B.C. brian@wimsey.com 604 454 5279 From firewalls-owner Wed Apr 10 02:56:04 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA12423 for firewalls-outgoing; Tue, 9 Apr 1996 11:56:44 -0700 (PDT) Received: from tuna.wang.com (tuna.wang.com [150.124.136.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA12417 for ; Tue, 9 Apr 1996 11:56:37 -0700 (PDT) Received: from mail.wangfed.com (ns.wangfed.com [159.94.10.19]) by tuna.wang.com (8.6.12/8.6.12tf1) with SMTP id OAA28385 for ; Tue, 9 Apr 1996 14:54:24 -0400 Received: from hfsi.hfsi.com by mail.wangfed.com (1.37.109.4/A.09.00a) id AA25420; Tue, 9 Apr 96 14:44:03 -0500 Received: from [159.94.14.48] by hfsi.hfsi.com (BULL 5.61++/B.O.S 02.01) id AA19336; Tue, 9 Apr 96 14:47:53 -0400 Date: Tue, 9 Apr 96 14:47:53 -0400 Message-Id: <9604091847.AA19336@hfsi.hfsi.com> From: "KM" Reply-To: "KM" To: firewalls@GreatCircle.COM Subject: Re: complaining to the CEO Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In message 01435825702728@gsionline.com Mr. Nick Keenan writes: > > Just an FYI, for those of you who haven't been there: > >Complaining to the CEO of a company is not an effective strategy > >unless what you're trying to accomplish is a short-term reduction > >of your blood pressure. > > As a chronic complainer, I have to disagree. I have written letters of > complaint to CEO's, Congressmen and Governors, and virtually every time I > have gotten the action that I wanted and was unable to get through regular > channels. > > It helps to write a reasonable and reasoned letter, and regular mail is > better than email. 
I also helps when it's *not* the CEO of the company you work for. K.M. Goertzel Manager, International Programs and Special Projects Secure Systems and Services Operation WANG FEDERAL, Inc. 7900 Westpark Drive - MS 700 McLean, VA 22102-4299 USA TEL: 703-827 3914 FAX: 703-827 3161 EMAIL: goertzek@wangfed.com WEB: http://www.wangfed.com +------------------------------------------+ | Never put off until Tomorrow what should | | have been Done early in the Seventies. | | - George Ade | +------------------------------------------+ From firewalls-owner Wed Apr 10 02:56:07 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id XAA09931 for firewalls-outgoing; Tue, 9 Apr 1996 23:50:02 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA01176 for ; Tue, 9 Apr 1996 23:13:37 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id QAA11296; Tue, 9 Apr 1996 16:15:54 -0700 Received: from quark.gmi.edu(192.138.137.39) by mycroft via smap (V1.3mjr) id sma011289; Tue Apr 9 16:15:35 1996 Received: (from chiner@localhost) by quark.gmi.edu (8.7.1/8.7.1) id TAA28075 for Firewalls@GreatCircle.COM; Tue, 9 Apr 1996 19:18:36 -0400 From: Chris Hiner Message-Id: <199604092318.TAA28075@quark.gmi.edu> Subject: Re: ICMP Loopback etc.. To: Firewalls@GreatCircle.COM Date: Tue, 9 Apr 1996 19:18:36 -0400 (EDT) In-Reply-To: <199604091745.KAA07981@miles.greatcircle.com> from "firewalls-digest-owner@GreatCircle.COM" at Apr 9, 96 10:45:55 am Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From: Rob Sansom > Date: Mon, 08 Apr 1996 22:10:41 -0500 > Subject: ICMP Loopback etc.. 
> Here are some interesting logs I got from my router:
>
> Apr 9 15:23:03 gate247158.connectix.com 1275: %SEC-6-IPACCESSLOGDP: list
> 191 denied icmp 127.0.0.1 -> 204.247.159.242 (11/0), 1 packet
> Apr 9 15:42:03 gate247158.connectix.com 1276: %SEC-6-IPACCESSLOGDP: list
> 191 denied icmp 127.0.0.1 -> 204.247.159.242 (11/0), 1 packet
> Apr 9 15:47:03 gate247158.connectix.com 1277: %SEC-6-IPACCESSLOGDP: list
> 191 denied icmp 127.0.0.1 -> 204.247.159.242 (11/0), 2 packets
> Apr 9 15:53:03 gate247158.connectix.com 1278: %SEC-6-IPACCESSLOGDP: list
> 191 denied icmp 127.0.0.1 -> 204.247.159.242 (11/0), 2 packets
>
> 204.247.159.242 is our mail hub. We have had some spoofing incidents here,
> so I contacted CERT with this info, and they know of no way that ICMP TTL
> exceeded messages have been used for previous attacks. If this is indeed a
> these packets over the past few weeks, and tend to come in bursts.

Hmmm... the increasing port numbers, and the fact that they come in bursts... (and TTL exceeded) I think traceroute... not sure why it'd have the funny source address, but it does sound traceroutish... Just my guesses...
Chris Hiner -- chiner@quark.gmi.edu From firewalls-owner Wed Apr 10 03:00:19 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id XAA04402 for firewalls-outgoing; Tue, 9 Apr 1996 23:29:40 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA01377 for ; Tue, 9 Apr 1996 23:15:14 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id OAA10573; Tue, 9 Apr 1996 14:22:38 -0700 Received: from unknown(139.103.16.13) by mycroft via smap (V1.3mjr) id sma010557; Tue Apr 9 14:21:31 1996 Received: (from musta@localhost) by shifra.info.umoncton.ca (8.6.11/8.6.9) id RAA00829; Tue, 9 Apr 1996 17:23:49 -0300 Date: Tue, 9 Apr 1996 17:23:46 -0300 (ADT) From: Mustapha To: Bill Thompson cc: Adam Safier , heuman@mtnlake.com, firewalls@GreatCircle.COM Subject: Re: Clarification on Encryption Export Using CKE In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
On Mon, 8 Apr 1996, Bill Thompson wrote:
> [...]
> While we all may sometimes express the feeling the organized crime
> element can do as it pleases, I hope that the mafia, Iraq, and other
> organized terrorist elements can be successfully thwarted by the
> vigilant efforts of professionals, both within our companies, and our
> governments.
> [...]

Dear Bill,

Who said first that Iraq represents an "organized terrorist element"? And if the US government says so, does that really classify the country as terrorist? Is everything said by the US government necessarily true? And, finally, why was Iraq six years ago looked upon as an excellent, democratic country while nowadays it is nothing but a terrorist country? Well, maybe because six years ago the US government was in need of the Iraqi regime, but not anymore these days!
As you see, let's please stay on topic and not try to bring things that may lead to useless political discussions! Best Regards, -Mustapha PS: I don't speak for the Iraqi regime at all! === Actually I totally dislike that regime, but I found myself `obliged' to reply (and CC to the mailing list) because I hate such (&^@#$%#) kind of email messages. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Mustapha Obeid Student Computer Science Department, Moncton University Moncton, NB, Canada - E1A 3E9 Fields of Interests: Network Security & Cryptography. *Life would be so much easier if we could just look at the source code* -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- From firewalls-owner Wed Apr 10 03:26:33 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id XAA09339 for firewalls-outgoing; Tue, 9 Apr 1996 23:46:56 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA01008 for ; Tue, 9 Apr 1996 23:11:14 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id QAA11764; Tue, 9 Apr 1996 16:46:12 -0700 Received: from unknown(204.247.81.10) by mycroft via smap (V1.3mjr) id sma011749; Tue Apr 9 16:45:43 1996 Received: from sol.wvs.com (sol.wvs.com [204.247.80.10]) by hades.wvs.com (8.7.4/8.7.3) with ESMTP id QAA05100 for ; Tue, 9 Apr 1996 16:50:11 -0700 (PDT) Received: from zorch.sf-bay.org (Uzorch@localhost) by sol.wvs.com (8.7.4/8.7.3) with UUCP id QAA16751 for firewalls@greatcircle.com; Tue, 9 Apr 1996 16:50:10 -0700 (PDT) X-Authentication-Warning: sol.wvs.com: Uzorch set sender to zorch.sf-bay.org!news using -f Received: (from news@localhost) by zorch.sf-bay.org (8.6.11/8.6.9) id QAA11632 for firewalls@greatcircle.com; Tue, 9 Apr 1996 16:48:59 -0700 Newsgroups: zorch.lists.firewalls Path: zorch.sf-bay.org!scott From: scott@zorch.sf-bay.org (Scott Hazen
Mueller) Subject: SUMMARY: Poking at my UDP echo port? Reply-To: scott@zorch.sf-bay.org Organization: At Home; Salida, CA Message-ID: X-Nntp-Posting-Host: localhost.sf-bay.org Date: Tue, 9 Apr 1996 23:48:56 GMT Apparently-To: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
I asked:
>My logs say someone's apparent 'cache' server is poking at the UDP echo port
>(7) on my Web site. Is anyone aware of a WWW proxy or caching implementation
>that engages in this behavior?

The short answer is that the Harvest cache does this. A few folks commented that I should have UDP echo disabled, in light of recent CERT advisories on the topic. In point of fact, I do, and I noted the occurrences when I turned on logging of denied packets in my border router. Joe Ramey contributed some more detailed information: http://excalibur.usc.edu/cache-html/subsection3_2_1.html#SECTION0002100000000000000

Additionally, a cache option can be enabled that tricks the referenced URL's home site into implementing the resolution protocol. When this option is enabled, the cache sends a ``hit'' message to the UDP echo port of the object's home machine. When the object's home echoes this message, it looks to the cache like a hit, as would be generated by a remote cache that had the object. This option allows the cache to retrieve the object from the home site if it happens to be closer than any of the sibling or parent caches.
Thanks go out to: "Axel Schneider" Eric Wieling James R Grinter Jas (Matthew K) Joe Ramey Jonny Llama Mustapha Obeid Reagan Blundell carson@lehman.com treahy@ix.netcom.com (Barry Treahy) -- Scott Hazen Mueller | scott@zorch.SF-Bay.ORG or tandem!zorch!scott From firewalls-owner Wed Apr 10 03:41:04 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id XAA08139 for firewalls-outgoing; Tue, 9 Apr 1996 23:41:07 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA00939 for ; Tue, 9 Apr 1996 23:10:18 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id RAA12365; Tue, 9 Apr 1996 17:34:24 -0700 Received: from explorer.csc.com(20.1.10.27) by mycroft via smap (V1.3mjr) id sma012319; Tue Apr 9 17:33:12 1996 Received: from @explorer.csc.com by csc.com with smtp (Smail3.1.29.1 #1) id m0u6nu9-001AnoC; Tue, 9 Apr 96 20:37 EDT Message-Id: Date: Tue, 9 Apr 96 20:37 EDT X-Sender: asafier@explorer.csc.com X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: thompson@tis.com (Bill Thompson) From: Adam Safier Subject: Re: Clarification on Encryption Export Using CKE Cc: heuman@mtnlake.com, firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 08:44 PM 4/8/96 -0700, Bill Thompson wrote: >Sorry it has taken me so long to respond, I have been traveling, and >believe it or not, quite a few folks are interested in this topic. At least you have an excuse that is better than too many messages in my mail box! >>1 - I am not willing to PAY for it. > >I hear you, and I am not willing to pay for a driver's license either. 
>I do it only because it is required, it does bring some semblance of order to
>the highway system (maybe not as much in Texas as other parts of North
>America), and the cost/benefit ratio of opposing it rather than getting one
>just doesn't make any sense. I believe the same thing is true of the
>notion of recoverable encryption keys. As users we need key recovery
>(whether or not the government can also get access with due process), and
>at a cost in the range of our driver's licenses, who can really complain
>with conviction?

This could get into a real messy discussion of individual cost for the protection of the population and I don't want to do that. However, the unlicensed driver is a public nuisance while private key escrow is for my own good, or at least my employer's if they choose to require it. In that case I may not be willing to pay for it but my employer may be, and he'll up the cost of his product a fraction of a cent....... Progress has a price.

>CKE doesn't require registration with the government. DRC's are run by
>private sector organizations. Ideally, default certificates will be
>provided with crypto gear by the crypto vendor. The user only needs to
>register with a DRC if they want recovery, generally automatic if the DRC
>is run by your employer.

As I said earlier, I came into this a little late so I missed the point that it is privately controlled.

>Thanks for your interest. I understand your concerns, and I share them.
>If I haven't sufficiently addressed these, or if you have others, please
>get back to me. I firmly believe CKE is the best available answer to our
>current situation.

As long as it is driven by the economy and not mandated by law I have no problem. As someone who has lost/forgotten passwords I appreciate the safety this would provide. (I also don't have a problem if an agency _chooses_ to establish a CKE program and then has to provide them as a result of a court order.)
Adam Safier CSC-SED-Infosec asafier@csc.com Expressed opinions are my own and might not be shared by my employer or anyone else. From firewalls-owner Wed Apr 10 03:59:31 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA08396 for firewalls-outgoing; Tue, 9 Apr 1996 10:51:37 -0700 (PDT) Received: from saguaro.flyingfox.com (saguaro.flyingfox.com [204.188.109.253]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA08388 for ; Tue, 9 Apr 1996 10:51:27 -0700 (PDT) Received: (from jas@localhost) by saguaro.flyingfox.com (8.6.12/8.6.10) id KAA06804 for firewalls@greatcircle.com; Tue, 9 Apr 1996 10:46:12 -0700 Date: Tue, 9 Apr 1996 10:46:12 -0700 From: Jim Shankland Message-Id: <199604091746.KAA06804@saguaro.flyingfox.com> To: firewalls@greatcircle.com Subject: Re: Firewalls at lower levels? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > I was at a seminar presented by Stuart Holoman, Holocon Inc. > > yesterday, and he said firewalls are not effective/implementable > > below the session layer: > > > > layer 7 - App support > > layer 6 - Presentation > > layer 5 - Session > > layer 4 - Transport > > layer 3 - Network > > layer 2 - Data link > > layer 1 - Physical > > > > Any comments? > > I don't know if he was speaking in abstract terms (e.g., not many > > people know how to make them effective). > > I think everyone's kinda missing the obvious here... perhaps his > diagram goes the OTHER direction (I know it's not 'sposed to, but > maybe it does), and he meant that firewalls aren't implementable > in layers 6 & 7 above. The whole question is badly framed, IMHO. It depends entirely on what you want to screen, and what your access policy will be. For example, I have a hardware-only firewall device that functions entirely at layer 1, and is guaranteed to be 100% effective in protecting your system from attacks over the network. 
I will sell anyone this device for only $1,495 (VISA and MasterCard accepted, shipping and handling extra, plus sales tax in California). This device is shipped in an attractive vinyl carrying case, and bears a striking resemblance to a wire cutter. Seriously, do you want your firewall to detect/intercept/prevent an attempt to break into sendmail via a syslog buffer overrun? Do you want your firewall to be configurable to allow FTP RETRs, but not STORs? Do you want your firewall to interpose a one-time password authentication step when someone telnets in to your internal network from an external address? If so, then your firewall will be examining and/or modifying layer 5, 6, or 7 data, whether your firewall is implemented as a big, dynamically modified state machine in the kernel that every incoming packet is run through, or whether it is implemented as separate, non-transparent application proxy processes for each virtual circuit. Jim Shankland Flying Fox Computer Systems, Inc. From firewalls-owner Wed Apr 10 04:11:59 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id DAA25569 for firewalls-outgoing; Wed, 10 Apr 1996 03:52:35 -0700 (PDT) Received: from proxy.scn.de (ns.scn.de [194.112.84.17]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id DAA25532 for ; Wed, 10 Apr 1996 03:52:18 -0700 (PDT) Received: (from uucp@localhost) by proxy.scn.de (8.6.11/8.6.11) id MAA01819 for ; Wed, 10 Apr 1996 12:49:02 +0200 Received: from marina.scn.de(192.129.41.2) by proxy.scn.de via smap (V1.3) id sma001177; Wed Apr 10 12:47:14 1996 Received: (from uucp@localhost) by marina.scn.de (8.6.11/8.6.11) id MAA20741 for ; Wed, 10 Apr 1996 12:48:21 +0200 Received: from unknown(195.41.67.24) by marina.scn.de via smap (V1.3) id sma020667; Wed Apr 10 12:48:06 1996 Message-ID: <316BCA1E.79E@scn.de> Date: Wed, 10 Apr 1996 20:17:58 +0530 From: Avinash Velhal Organization: Siemens Ltd.
X-Mailer: Mozilla 2.0GoldB2 (Win95; I) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: (no subject) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk signoff firewalls avelhal@scn.de From firewalls-owner Wed Apr 10 04:21:37 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA08330 for firewalls-outgoing; Tue, 9 Apr 1996 10:50:32 -0700 (PDT) Received: from emout08.mail.aol.com (emout08.mx.aol.com [198.81.11.23]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA08307; Tue, 9 Apr 1996 10:50:23 -0700 (PDT) From: LFuller314@aol.com Received: by emout08.mail.aol.com (8.6.12/8.6.12) id NAA21826; Tue, 9 Apr 1996 13:48:22 -0400 Date: Tue, 9 Apr 1996 13:48:22 -0400 Message-ID: <960409134822_267619230@emout08.mail.aol.com> To: Firewalls-owner@greatcircle.com cc: Firewalls@greatcircle.com Subject: Signoff Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Pls sign me off the mailing list. 
From firewalls-owner Wed Apr 10 04:28:08 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA06904 for firewalls-outgoing; Tue, 9 Apr 1996 10:22:52 -0700 (PDT) Received: from hitachi.com (msd.hitachi.com [137.168.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA06869 for ; Tue, 9 Apr 1996 10:22:42 -0700 (PDT) Received: from osc.hitachi.com by hitachi.com (4.1/SMI-4.1) id AA12969; Tue, 9 Apr 96 10:23:13 PDT Received: from enterprise ([205.158.60.129]) by osc.hitachi.com (4.1/SMI-4.1) id AA12780; Tue, 9 Apr 96 09:35:06 PDT Date: Tue, 9 Apr 96 09:35:06 PDT Message-Id: <9604091635.AA12780@osc.hitachi.com> X-Sender: bstout@osc.hitachi.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Firewalls@GreatCircle.COM From: Bill Stout Subject: Firewall-list topics Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
I'm as guilty as anyone, but the boom of the internet has anyone internet-connected sending Q&A to the firewalls-list. There are newsgroups available for some threads:

comp.unix.admin                          UNIX administration
comp.unix.advocacy                       UNIX cheerleaders
comp.os.ms-windows.nt.advocacy           NT cheerleaders
comp.os.ms-windows.nt.pre-release        NT 4.0 features
comp.os.ms-windows.nt.admin.misc         NT administration
comp.os.ms-windows.nt.admin.networking   NT networking
info.bind                                DNS administration
comp.protocols.tcp-ip                    TCP/IP stuff
comp.protocols.tcp-ip.domains            DNS administration
comp.security.unix                       UNIX security
comp.security.firewalls                  Firewalls newsgroup
alt.2600                                 MaNiMaL weirdness, hacker discoveries
fwtk-users@tis.com                       TIS fwtk list

<=======10========20====Ruler for Eudora users==50========60========70========80 William B. Stout | "Criticism welcome, I learn best via 'the internet Senior Systems Admin | school of fire'." Hitachi Data Systems | Open Systems Center | "If it's in a textbook, it's obsolete."
Santa Clara, California | 408-970-4822 | "My opinions are my own, even when they're right." <=======10========20========30========40========50========60========70========80 From firewalls-owner Wed Apr 10 04:32:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA07587 for firewalls-outgoing; Tue, 9 Apr 1996 10:38:16 -0700 (PDT) Received: from DUKEMC.MC.DUKE.EDU (dukemc.mc.duke.edu [152.3.78.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA07579 for ; Tue, 9 Apr 1996 10:38:09 -0700 (PDT) From: smith135@mc.duke.edu Received: from ccmail.duke.edu by mc.duke.edu (PMDF V5.0-5 #11367) id <01I3C8IDR59C0000BO@mc.duke.edu>; Tue, 09 Apr 1996 13:37:16 -0400 (EDT) Date: Tue, 09 Apr 1996 12:26 -0400 (EDT) Subject: Re[2]: Firewalls at lower levels? To: firewalls-digest@greatcircle.com, shagboy@thecia.net Message-id: <01I3C8IWVYPQ0000BO@mc.duke.edu> MIME-version: 1.0 Content-type: TEXT/PLAIN Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
He pointed to the area of layers 5 thru 7 as where firewalls can be implemented, and I think he was specifically meaning layer 5, the session layer.

______________________________ Reply Separator _________________________________
Subject: RE: Firewalls at lower levels?
Author: shagboy@thecia.net at Internet
Date: 4/8/96 1:07 AM

> > I was at a seminar presented by Stuart Holoman, Holocon Inc.
> yesterday, and he said firewalls are not effective/implementable
> below the session layer:
>
> layer 7 - App support
> layer 6 - Presentation
> layer 5 - Session
> layer 4 - Transport
> layer 3 - Network
> layer 2 - Data link
> layer 1 - Physical
>
> Any comments?
> I don't know if he was speaking in abstract terms (e.g., not many
> people know how to make them effective).

I think everyone's kinda missing the obvious here...
perhaps his diagram goes the OTHER direction (I know it's not 'sposed to, but maybe it does), and he meant that firewalls aren't implementable in layers 6 & 7 above. I'm almost certain they can handle traffic almost anywhere between session and the physical layer... correct me if I'm wrong. I'm also almost certain that they can't be implemented in 6 & 7, and I know the reasons are obvious to anyone who's actually read anything about firewalls, so I won't state them here. shag Judd Bourgeois shagboy@thecia.net Finger for PGP public key I've seen the other side and I say - I've been insane - And I will never be the same - 311, "Homebrew" From firewalls-owner Wed Apr 10 04:37:57 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id DAA24639 for firewalls-outgoing; Wed, 10 Apr 1996 03:40:22 -0700 (PDT) Received: from relay.xlink.net (relay.xlink.net [193.141.40.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id DAA24631 for ; Wed, 10 Apr 1996 03:40:12 -0700 (PDT) Received: from saturn.eunetcom.net by relay.xlink.net id <39409-0@relay.xlink.net>; Wed, 10 Apr 1996 12:37:32 +0000 Received: by eunetcom.net (5.x/SMI-SVR4) id AA17732; Wed, 10 Apr 1996 10:37:49 GMT Received: from encmail(159.174.206.250) by saturn via smap (V1.3) id sma017726; Wed Apr 10 10:37:21 1996 Received: by encmail.encmail.eunetcom.net (IBM OS/2 SENDMAIL VERSION 1.3.2)/1.0) id AA0268; Wed, 10 Apr 96 12:35:19 -0700 Message-Id: <9604101935.AA0268@encmail.encmail.eunetcom.net> Received: from eunetcom with "Lotus Notes Mail Gateway for SMTP" id 7522798124F7C86DC12563080039EAB5; Wed, 10 Apr 96 12:35:16 To: Dennis Moroney Cc: "W.C." Epperson , firewalls From: Christopher Scott/eunetcom Date: 10 Apr 96 12:37:12 CE Subject: Re: Interesting packets fron the net Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I missed the beginning of this exchange but I am logging information with IOS 10.2 to a UNIX box. 
You can also do this with versions down to IOS 9.1 Best, Chris To: epperson @ vak12ed.edu (W.C. Epperson) @ SMTP cc: firewalls @ greatcircle.com @ SMTP From: dennis @ SterCtl.com (Dennis Moroney) @ SMTP Date: 09.04.96 22:03:02 Subject: Re: Interesting packets fron the net According to W.C. Epperson: > > Not on mine _anywhere_, nor does it appear in _anything_ regarding 10.3 > on CIO. Curious they'd burn it on your CD but not put it on their website. Mea culpa. Only IOS 11.0 currently supports logging. Here is where the information is found: UniverCD Vol 2, No. 12, Rev. E0, PN: 80-0283-01, data/doc/software/11_0/rpcs/sip.htm Router Products Release Note for Cisco IOS Release 11.0, Document No. 78-2115-04, Nov. 1995, New Software Features in Release 11.0(1) pp. 23-31 I really looked at my documentation this time. Geez, I could use some humble pie right about now. -- Dennis Moroney From firewalls-owner Wed Apr 10 04:41:29 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id DAA25776 for firewalls-outgoing; Wed, 10 Apr 1996 03:54:17 -0700 (PDT) Received: from smtpgate.saa-cons.co.uk (haddock.demon.co.uk [158.152.16.191]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id DAA25742 for ; Wed, 10 Apr 1996 03:54:04 -0700 (PDT) Received: from haddock.saa-cons.co.uk by smtpgate.saa-cons.co.uk with SMTP (5.65/1.3-eef) id AA03210; Wed, 10 Apr 96 11:58:53 +0100 Received: by haddock.saa-cons.co.uk (AIX 3.2/UCB 5.64/5.00) id AA21759; Wed, 10 Apr 1996 11:58:53 +0100 Date: Wed, 10 Apr 1996 11:58:52 +0100 (BST) From: Dave Roberts To: Firewalls Mailing List Subject: Solaris2.5 and BSD* - Facts Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk /* * This is actually a resend, but I never saw the original on the list, * and it was a day when our ISP appeared to have trans-atlantic problems. * Sorry to anyone who's seen it already. 
*/ The last thing I want to do is start an O/S flame war, I think we've had far too many of those already. What I am looking for are bare honest facts. I need to put in a bastion host to handle the proxying, DNS stuff, etc. I would like to put this onto a pee-cee running BSD (either FreeBSD or BSDOS2.0). However, someone above me in the chain of things wants me to use a SparcServer running Solaris 2.5. I claimed that BSD was better suited for the purpose, and he said prove it. AFAIK, the facts stand as follows (please correct me if I am wrong).

BSD offers the immutable flag - Solaris does not.
BSD gives me source code - Solaris does not.
BSD allows me to compile stuff (ls etc) with static libs - Solaris does not (if I remember a thread a while ago).

That's all I can think of. Please don't mail back with arguments about having source code or not, or static libraries vs dynamic, think those have been beaten to death :) What I would like are facts from people that have experience with both systems, or something that people with one of those systems feel is a big bonus, or a big headache. I'm assuming all the tools I want compile equally well on both systems (whatever kind of libs are used). ObOffTopic: anyone know a tool to do base64 decoding? Some of my users get their mail sent to ccMail, and their gateway doesn't understand MIME. A DOS util to do it with would be great (I can't convert *everyone* to Unix and Pine! ;) Thanks in advance, Dave. -- Dave Roberts, Unix Systems Administrator, SAA Consultants Ltd, Plymouth, UK. "smap has the advantage [over bare sendmail] that it was written by someone who is almost certifiably paranoid" - Brent Chapman, London, 19 Oct 95.
-=[ For PGP 2.6.3i public key, send mail with subject of "get pgp" ]=- From firewalls-owner Wed Apr 10 05:33:50 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA26205 for firewalls-outgoing; Tue, 9 Apr 1996 06:47:41 -0700 (PDT) Received: from intfw.bear.com (intfw.bear.com [206.25.172.66]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA26195 for ; Tue, 9 Apr 1996 06:47:35 -0700 (PDT) Received: by intfw.bear.com (4.1/SMI-4.1) id AA15622; Tue, 9 Apr 96 09:45:15 EDT Received: from fastbear(165.168.74.3) by intfw via smap (V1.3) id sma014971; Tue Apr 9 09:35:36 1996 Received: from ursa2.bear.com by fastbear.bear.com (4.1/SMI-4.1/1.0 AMR 12/15/94) id AA13742; Tue, 9 Apr 96 09:46:49 EDT Received: from IMAGATE.BEAR.COM by ursa2.bear.com (4.1/SMI-4.1/AMR+DJMS(2)) id AA05261; Tue, 9 Apr 96 09:35:15 EDT Received: from ccMail by IMAGATE.BEAR.COM (IMA Internet Exchange 1.04b) id 16a67800; Tue, 9 Apr 96 09:34:56 -0400 Mime-Version: 1.0 Date: Tue, 9 Apr 1996 09:48:00 -0400 Message-Id: <16a67800@imagate.bear.com> From: SREAMER@bear.com (SCOTT REAMER) Subject: signoff firewalls SREAMER@BEAR.COM To: firewalls@GreatCircle.COM Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk signoff firewalls SREAMER@BEAR.COM -- ******************************************************************************* Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication. 
******************************************************************************* From firewalls-owner Wed Apr 10 07:58:26 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA16494 for firewalls-outgoing; Wed, 10 Apr 1996 07:22:21 -0700 (PDT) Received: from gatekeeper.glaxo.com (gatekeeper.glaxo.com [192.58.204.201]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA16477 for ; Wed, 10 Apr 1996 07:22:17 -0700 (PDT) Received: by gatekeeper.glaxo.com (5.65/fma-120691); id AA25125; Wed, 10 Apr 96 10:19:57 -0400 Received: from ussun2f.glaxo.com by ussun1d (5.x/) id AA03125; Wed, 10 Apr 1996 10:23:57 -0400 Received: by ussun2f.glaxo.com (5.x/SMI-SVR4) id AA02347; Wed, 10 Apr 1996 10:27:40 -0400 Date: Wed, 10 Apr 1996 10:27:39 -0400 (EDT) From: "Gary G. Hull" To: Yossi Goltz Cc: Firewalls@GreatCircle.COM Subject: Re: WWW proxy to cut off Java. In-Reply-To: Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
On Tue, 9 Apr 1996, Yossi Goltz wrote:
> Hi!
>
> Could a nice soul advise me how to set up a proxy http server that
> can cut off java applets on their way in to our site.
>

We're simply blocking Java classes by denying any access to *.class ..at our WWW proxy. Other than stopping the Java, the effect is largely invisible to the browsers.. |/ ---o0o-@@-o0o--------- Gary G. Hull - Technical Consultant Howard Systems International - Glaxo Wellcome Inc.
Five Moore Drive - Raleigh, North Carolina 27709 Tel : (919) 941-4867 - Fax : (919) 248-2831 email: ggh14854@ussun2f.glaxo.com From firewalls-owner Wed Apr 10 08:10:44 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA16059 for firewalls-outgoing; Wed, 10 Apr 1996 07:18:11 -0700 (PDT) Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA16053 for ; Wed, 10 Apr 1996 07:18:07 -0700 (PDT) From: long-morrow@CS.YALE.EDU Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7.1/res.host.cf-4.0) with ESMTP id KAA15045; Wed, 10 Apr 1996 10:15:45 -0400 (EDT) sender long-morrow@CS.YALE.EDU for Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0) id KAA01996; Wed, 10 Apr 1996 10:15:32 -0400 (EDT) Date: Wed, 10 Apr 1996 10:15:32 -0400 (EDT) Message-Id: <199604101415.KAA01996@SPARKY.CF.CS.YALE.EDU> To: Firewalls@GreatCircle.COM, yossi@sunserver.ddddf.com Subject: Re: WWW proxy to cut off Java. Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
From: Yossi Goltz
>
>Could a nice soul advise me how to set up a proxy http server that
>can cut off java applets on their way in to our site.
>
>I'm becoming more and more concerned about Java (after reading the last
>messages from Netscape and Sun), and would like to keep off Java
>and Javascript until they become more safe.

Check out:
ftp://sparky.cs.yale.edu/pub/long/src/network/security/wwwblock-1.4.tar.gz
http://sparky.cs.yale.edu/pub/long/src/network/security/wwwblock-1.4.tar.gz
ftp://ftp.cs.yale.edu/pub/long/src/network/security/wwwblock-1.4.tar.gz
http://www.cs.yale.edu/pub/long/src/network/security/wwwblock-1.4.tar.gz

It offers filtering by filename extension and in-line stripping of most JavaScript (Enhancements added by Brian Rogers).
- Morrow From firewalls-owner Wed Apr 10 08:17:10 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA09098 for firewalls-outgoing; Wed, 10 Apr 1996 06:01:09 -0700 (PDT) Received: from oxygen.house.gov (oxygen.house.gov [137.18.128.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA09087 for ; Wed, 10 Apr 1996 06:01:04 -0700 (PDT) Received: by oxygen.house.gov (AIX 3.2/UCB 5.64/4.03) id AA58054; Wed, 10 Apr 1996 08:54:08 -0400 Date: Wed, 10 Apr 1996 08:54:08 -0400 From: johns@oxygen.house.gov (John Schnizlein) Message-Id: <9604101254.AA58054@oxygen.house.gov> To: firewalls@GreatCircle.com, pokey@maddie.atlantic.com Subject: Re: High speed throughput firewalls... Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Has anyone ever tried to firewall two networks that are connected via > highspeed networks such as FDDI? What type of firewall did you use? > Did you notice bottlenecking, etc? I'm looking for hard facts, not > sales pitches... The only approach we tried for FDDI-FDDI firewalling is packet screening. Even this is not trivial, but it works. To get wire-speed with a Cisco7000 using extended access-list features (necessary to control port-level filtering) requires attention to detail: Apply the access-list only to the packet output port, use the Silicon Switch Processor, and IOS version 10.3 or later. To get the services that are safe only through application proxies, you could permit traffic of the appropriate port/protocol only to the proxy. Because this would (presumably) be just a portion of your traffic, it could scale if you use a well-tuned proxy-app. You could load-share these proxies if you use (and permit through the packet screen) load-share techniques for services that support them such as (RFC-compliant) gopher and recent WWW. I cannot tell you about success with this method, but it would be fun to try. 
-- John From firewalls-owner Wed Apr 10 08:24:42 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA19549 for firewalls-outgoing; Wed, 10 Apr 1996 08:01:22 -0700 (PDT) Received: from hatteras.ch.inri.com (hatteras.ch.inri.com [198.202.184.13]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA19256 for ; Wed, 10 Apr 1996 07:58:57 -0700 (PDT) Received: from assateague.ch.inri.com (assateague.ch.inri.com [198.202.184.111]) by hatteras.ch.inri.com (8.6.12/8.6.6) with SMTP id KAA07973; Wed, 10 Apr 1996 10:57:52 -0400 Message-Id: <2.2.32.19960410145534.006f38d8@hatteras.ch.inri.com> X-Sender: wlb@hatteras.ch.inri.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 10 Apr 1996 10:55:34 -0400 To: Tom Friday , firewalls@GreatCircle.COM From: Bill Bunting Subject: Re: Re: cisco logging for firewalls Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
At 01:37 PM 4/9/96 -0500, Tom Friday wrote:
>>Yes, Ciscos do log to a syslogd daemon. Even logs access filter list
>>violations.
>>
>
>I saw someone else mention this ability (logging access lists
>violations) also. Apparently this is a feature undocumented by Cisco?
>
>Anyway, I thought that someone had said to add the word "log" to the
>end of the access list rule. I tried this, but I couldn't get it to
>work.
>
>my rule looked like this:
>
>access-list 101 deny ip 127.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255 log
>
>however, when i try to load this configuration, i get an error:
>
>access-list 101 deny ip 127.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255 log
>                                                                        ^
>% Invalid input detected at '^' marker.
>
>
>Am I doing something wrong? Or maybe I need new firmware? I'm running
>IOS 10.2(5).
>

You need Cisco IOS 11.X to use access list logging.
---------------------------------------
| Bill Bunting                        |
| (wbunting@inri.com)                 |
| (bunting@cs.odu.edu)                |
| WWW http://www.cs.odu.edu/~bunting  |
---------------------------------------

From firewalls-owner Wed Apr 10 08:27:47 1996
From: sameer@wiproge.med.ge.com
Date: Wed, 10 Apr 1996 19:33:47 +0500
Message-Id: <9604110033.AA29165@wiproge.med.ge.com>
To: firewalls@GreatCircle.COM, Jasjit_K_Singh@amrcorp.com
Subject: Re: UUCP vs. Anonymous FTP

Hi,

I think UUCP is any day more secure than anonymous FTP, and better if you are using all Unix systems in your local network. Anonymous FTP will be more useful if you have various operating systems interacting together to make the network... Anonymous FTP can be quite dangerous and easily compromised too...
..Sam

E-Mail : sameer@wiproge.med.ge.com          Wipro GE Medical Systems - Bangalore
         sameer@wiproge.gemse.fr
Name   : Sameer [Sam]

From firewalls-owner Wed Apr 10 09:17:25 1996
Message-Id: <199604101552.AA02061@interlock.banamex.com>
Date: Wed, 10 Apr 1996 10:51:54 -0500
To: Firewalls@GreatCircle.COM
From: Federico de la Mora Salazar
Subject: FAX Servers Security
Cc: Private_User@interlock.banamex.com

I'm very interested in FAX Servers security and on the security of the FAX III protocol. Any comments will be greatly appreciated!
-----------------------------------------------------------------
-----------------  Federico de la Mora Salazar  -----------------
-----------------  Banco Nacional de Mexico     -----------------
-----------------  fmora@banamex.com            -----------------
-----------------------------------------------------------------

From firewalls-owner Wed Apr 10 09:29:19 1996
From: Doug Hughes
Date: Wed, 10 Apr 1996 10:08:08 -0500
Subject: Re: UUCP vs. Anonymous FTP
To: firewalls@greatcircle.com

>
>
>Hi,
>
>We are planning to replace UUCP with anonymous
>FTP for transferring files. I would like to get
>information on security issues of anonymous FTP
>and the do's and don't's.
>What are the benefits
>of this and what is the latest release of
>anonymous FTP that is considered stable and safe
>enough. Any information will be welcome. Thanks!!
>
>
>

We use the anonymous FTP from logdaemon (a tcp_wrappers addition). It works very well for this. Files put in the incoming directory are set so that they cannot be read by user ftp after they are finished putting. This makes it impossible for warez junkies to use your site for exchanging copyrighted software (assuming all your other permissions are set the same).

Make sure you follow the permissions guidelines. They are usually documented pretty well in the ftpd man page. Of note:

  incoming directory owned and writable by FTP (world write is discretionary)
  pub directory writable by other (local users) but not by owner (ftp)
  other directories owned by root (bin, dev, usr, etc) and not writable

[This message posted to firewalls mailing list. Replies posted to mailing list should not be CC'd to me. I will read them on the list]

--
____________________________________________________________________________
Doug Hughes                                 Engineering Network Services
System/Net Admin                            Auburn University
doug@eng.auburn.edu
                   Pro is to Con as progress is to congress

From firewalls-owner Wed Apr 10 09:36:25 1996
From: sameer@wiproge.med.ge.com
Date: Wed, 10 Apr 1996 17:18:06 +0500
Message-Id: <9604102218.AA24190@wiproge.med.ge.com>
To: firewalls@GreatCircle.com, jihef@babylon.montreal.qc.ca
Subject: Re: InterNotes server

Hi,

You could set up the router as a firewall which connects to the Internet, or configure the OS/2 to act as a filtering gateway.

...Sam

----- Begin Included Message -----

From firewalls-owner@GreatCircle.COM Wed Apr 10 15:05:44 1996
From: jihef@babylon.montreal.qc.ca (Jean-Francois Boileau)
To: firewalls@GreatCircle.com
Subject: InterNotes server
Date: 10 Apr 1996 00:51:55 GMT

I am soon going to set up a Lotus InterNotes server on an OS/2 system. The rest of our network runs on Windows NT using the Netbios protocol. The OS/2 would have 2 network cards: one TCP/IP, for our Internet connection, and the other Netbios, to communicate with our network.

If anyone out there has any experience with that kind of setup, I would appreciate your input on how I could make it as secure as possible (firewalls or any other measure).
Thanks

----- End Included Message -----

From firewalls-owner Wed Apr 10 09:49:47 1996
To: Firewall List
From: Ian Johnstone-Bryden
Subject: Re: Clarification on Encryption Export Using CKE
Date: Wed, 10 Apr 96 14:06:08 GMT

In reply to Bill, Mustapha posted:

> [valid personal view deleted]
> As you see, let's please stay on topic and not try to bring things
> that
> may lead to useless political discussions!
>

Unfortunately, information has always been a political and economic property. China tried to control the silk trade, and Venice, with rather more success through application of risk management, protected its glass production technology. Radio, film, and now television and electronic data communication provided the means to cross national boundaries to mass user populations. That means that the political and national views of the US and any other country affect those of us who may live and work elsewhere. Views within countries are usually produced by manipulation of information. That's not new, and populations would be less keen to go to war (commercial or hot wars) if their political leaders encouraged full and free public debate of international issues.
We can content ourselves with learned discussion of fine technical detail of firewalls, but the reality is that our environment is affected just as much by political influence as any other area of human activity. Most of the challenges which face us in the protection of information assets are introduced by national interest and commercial interest. If it's our national view we may be motivated to accept it enthusiastically, in the same way we may oppose a different view. On an international forum we are all exposed to different views. If we ignore those views it's going to cost us.

Another reality is that most of the world's IT production/development is dominated by the US. As long as that's the case, other US views and interests will influence our special area of interest, like how we encrypt data and what sort of firewall we can produce. If there was no national interest we would already have international agreement on encryption, computer laws, and an International Common Criteria, and we probably wouldn't be using the Internet.
Ian J-B

From firewalls-owner Wed Apr 10 09:55:01 1996
Message-ID: <01BB2713.B2D84380@swso_a05.spectraweb.ch>
From: Kurt Krummenacher
To: "firewalls@GreatCircle.COM"
Subject: signoff firewalls k.krummenacher@spectraweb.ch
Date: Wed, 10 Apr 1996 19:25:43 +-200

please signoff thanks a lot

From firewalls-owner Wed Apr 10 14:51:52 1996
Date: Wed, 10 Apr 1996 13:31:02 -0500
To: firewalls@greatcircle.com
From: vin@shore.net (Vin McLellan)
Subject: Re: Securid BAD Tech Support
Cc: Rapitsio@aol.com, snd1trz@snd10.med.navy.mil, alastair@cadence.com, adam@lighthouse.homeport.org,
    102557.3370@compuserve.com, kovar@nda.com, small-1@medctr.osu.edu

Ray F. Pitts was among a number of ACE/SecurID customers who complained that SDI's Customer Support has become much less accessible in recent months. It was clear that this level of technical support was, is, and will be, wholly unsatisfactory.

> We are implementing SecurID and, at this point, find the technology
> (+futures) workable.
> However, we have also had problems with support from this company. I am
> getting the feeling that they are too spread out techy wise to help out the
> new accounts. I feel that once they make the sale, all else is back burner
> stuff.

Bottom line: SDI -- the vendor of ACE/SecurID authentication -- was caught off guard by the volume of support calls that followed fall, '95, delivery of its new generation of user authentication systems, the ACE 1.3 and ACE/Server 2.X, with the new SQL-aware relational database. That's not an excuse, just a fact. They tripled the size of their support staff and still got swamped.

(Prior to the new RDBS-enhanced ACE/Server, the ACE package was a fairly simple customer-installable app. IMNSHO, SDI seriously underestimated the fact that the new ACE/Server's database, with its ESQL and 4GL options, can require considerably more Unix-administration savvy at the customer site. Unix savvy many SDI customers, unfortunately, don't have in-house. Worse, SDI didn't realize that when installing an ACE/Server raised questions about Unix, SDI's Help Desk would have to field the customer's queries.)

As of early this year, SDI found its CS staff dealing with a huge volume of basic Unix-support questions from customers upgrading to the 2.X ACE/Server.
By February, SDI was committed to double _again_ the size of its Customer Support staff; brought in a new CS director; and came up with a new plan to off-load a lot of the Unix-support issues to a large third-party contractor which will specialize in setting up ACE/Server installations.

By May 15, SDI expects that 60 percent of all incoming Customer Support calls will be directly and immediately connected to an SDI CS engineer. All other calls, in the worst case, will have an SDI response in no more than 4 hours, promises Steve Morrisey, Director of SDI Customer Services. (SDI is still hiring Customer Support staff with experience with Unix, and managing ACE/SecurID and/or Progress RDBS installations, as fast as it can find them. Anyone looking for a job in Massachusetts?)

The new third-party SDI Support Services network, to closely and directly support new ACE/Server Unix sites, will also be in place by the middle of May, said Morrisey. SDI should be announcing this soon.

> I can only relate this to experience with CA products in that it really
> depends on who (providing you can) you reach for support.

I don't think this is an appropriate standard for corporate CS; but I can understand why people think this way when a straight call to the help desk doesn't seem to bring results. Still, when CS works right, you shouldn't need "a name." If you have a problem with an ACE system, anyone on the SDI Help Desk should be the Answer Man.

> Question: Is it up to us as a 'consumer' to post these concerns to the
> vendor or are these communications intended to remain an 'internal'
> discussion???

What can I say? A hoary truth: the squeaky wheel gets the grease... maybe faster. I'm told that Chuck Stuckey, SDI's president, took the first message in this thread (the post from Todd Zimmerman last week) and stomped through SDI's corporate offices with a blowtorch in each hand.

Far more than in most companies, Customer Support is the linchpin for SDI's sales.
SDI fields the largest FT sales force in the world dedicated to selling computer security, but most of their sales start out with SDI installing a demo ACE system at a potential customer's site. The quality of SDI's Customer Support, particularly for new installations, is what makes the system work. When CS can't deliver up to standard, the whole system backs up; revenues get hit, and 150+ salesmen start screaming in harmony with the under-served customers. This is a Choir that could raise the dead... and it's guaranteed to briskly concentrate management attention within a public company.

None of this changes the fact that there was a major miscalculation that left some ACE/SecurID customers without the technical support they needed and deserved. SDI can make its own apologies -- but with all the recent comment, I thought the List needed to know what happened, why, and what was being done to resolve the problem.

Suerte,

_Vin

PS. Under contract to SDI, I've just finished writing a SecurID FAQ. In its current form, it doesn't go as deeply into ACE administration as the mavens on this list will want, but it may be an effective tool for educating users (and management;-) about computer security, user authentication, and the ACE and SecurID technology. It's still unofficial -- i.e., unapproved by SDI -- but I'm willing to e-mail the FAQ (20,000+ words) to anyone who requests it. (Please respond to me and not the List. Comments, criticism, and suggestions for additional FAQ topics would be welcomed.) "Who? The SecurID FAQ" should be soon available in a more readable HTML format on SDI's web site:

Vin McLellan  +The Privacy Guild+  53 Nichols St., Chelsea, Ma.
02150 USA  Tel: (617) 884-5548
<*><*><*><*><*><*><*><*><*>

From firewalls-owner Wed Apr 10 15:37:29 1996
From: peter@nmti.com (Peter da Silva)
Message-Id: <9604101553.AA17563@sonic.nmti.com.nmti.com>
Subject: Re: Firewall-list topics
To: bstout@osc.hitachi.com (Bill Stout)
Date: Wed, 10 Apr 1996 10:53:50 -0500 (CDT)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <9604091635.AA12780@osc.hitachi.com> from "Bill Stout" at Apr 9, 96 09:35:06 am

> info.bind DNS administration

I'm not familiar with this hierarchy. Could you elaborate?
From firewalls-owner Wed Apr 10 15:56:59 1996
Message-Id: <001X5A@XL1.CO.FREDERICK.MD.US>
Date: 10 Apr 96 13:43 +0500
To: firewalls@greatcircle.com
Subject: Three ethernet port Raptor Firewalls
From: Alan_AMBERS@CO.FREDERICK.MD.US (Alan AMBERS)

Greetings. I just signed up to the list yesterday and would like to lurk more before I post, but I have a pressing question.......

We currently use Raptor with one untrusted (Internet) and one trusted (us) network. We have a second untrusted network that we wish to attach. We are using a HP9000/715 as the platform and know that we would have to upgrade to a HP9000/755 that supports three ethernet cards.
Is anyone doing this now with Raptor? Does anyone see any major problems?

TIA

/alan
Alan Ambers, Frederick County Government
(301) 694-1015
alan_ambers@co.frederick.md.us

From firewalls-owner Wed Apr 10 16:07:26 1996
Message-Id: <199604101702.KAA09884@lint.cisco.com>
Date: Wed, 10 Apr 1996 13:03:17 -0400
To: Tom Friday
From: Paul Ferguson
Subject: Re: Re: cisco logging for firewalls
Cc: firewalls@GreatCircle.COM

At 01:37 PM 4/9/96 -0500, Tom Friday wrote:
>>Yes, Ciscos do log to a syslogd daemon. Even logs access filter list
>>violations.
>>
>
>I saw someone else mention this ability (logging access lists
>violations) also. Apparently this is a feature undocumented by Cisco?
>
>Anyway, I thought that someone had said to add the word "log" to the
>end of the access list rule. I tried this, but I couldn't get it to
>work.
>
>my rule looked like this:
>
>access-list 101 deny ip 127.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255 log
>
>however, when I try to load this configuration, I get an error:
>
>access-list 101 deny ip 127.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255 log
>                                                                        ^
>% Invalid input detected at '^' marker.
>
>
>Am I doing something wrong? Or maybe I need new firmware? I'm running
>IOS 10.2(5).
>
>

No, you need a later IOS image. ACL violation logging wasn't added until 10.3(mumble).

- paul

--
Paul Ferguson                     ||        ||
Consulting Engineering            ||        ||
Reston, Virginia USA             ||||      ||||
tel: +1.703.716.9538         ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com      c i s c o  S y s t e m s

From firewalls-owner Wed Apr 10 18:45:42 1996
Date: Wed, 10 Apr 1996 16:11:51 -0500 (CDT)
From: elroy
To: firewalls@greatcircle.com
Subject: SuperTCP

Recently I had a flood attack on port 80 that is now being attributed (in some quarters) to a piece of software called SuperTCP. Can anyone corroborate this story? Does anyone have any experience with SuperTCP or other mis-configured TCP/IP software? I'm very interested in knowing, and really appreciate your responses. I'm not really ready to call it a day on this episode. Thanks in advance.
If you wish to reply via e-mail, please send it to: jmcphail@mail.kcstar.com

From firewalls-owner Wed Apr 10 19:14:18 1996
Date: Wed, 10 Apr 96 17:14 EDT
To: Larry Bennett
From: Adam Safier
Subject: Re: Seeking Dream Firewall
Cc: firewalls@GreatCircle.com

You might try IBM. Their NetSP firewall used to support socks when I looked at it last year. Throw a lot of hardware at it and you might even get reasonable performance from an IBM box..... (I'm not an IBM fan.) I think it will let you do all you want since it is a UNIX solution.

At 05:09 PM 4/9/96 -0700, Larry Bennett wrote:
>I'm looking for a firewall solution for a large retailer in the UK.
>I haven't yet found any products that meet all their requirements, so
>I'm posting this in the hope that vendors or any others who know of
>appropriate products will respond.
>
>It's important that the product meet all of the requirements. I have
>already found products that come close and some of them are relatively
>attractive. Still, if there is a product that meets all the
>requirements, I would like to know about it.
>
>Requirements are:
>
>- Complete, prebuilt solution. It should not require that additional
>  software be installed. Nor should the firewall be sold as separate
>  software that we must install onto a UNIX or other system.
>
>- Supports SOCKS.
>
>- Includes an NNTP proxy application that will allow the ISP to send
>  news to a server inside the firewall.
>
>- Includes an SMTP proxy application for forwarding of mail to/from
>  an internal server.
>
>- Provides a split DNS, allowing internal systems to send queries for the
>  Internet while hiding those internal systems from the Internet.
>
>- Supports NTP so that the firewall system can obtain time information
>  from the Internet and provide it to internal systems.
>
>- Supports the Ident protocol so that systems in the Internet can
>  query the firewall. The Ident server on the firewall should respond
>  with something sensible that hides information about internal systems.
>
>- Has excellent performance. It's important that this be
>  substantiated by performance testing, preferably by an independent
>  tester. The firewall must support a user community of 400, growing
>  potentially to 1000.
>
>- Has a sensible security architecture, preferably one in which all
>  functions not related to being a firewall have been removed. Ideally,
>  the underlying operating system and the firewall software would have
>  NCSA or ITSEC certification.
>
>I realise such a firewall could be built on a UNIX system using public
>domain proxy applications. However, a very important requirement is
>that the solution be pre-built.
>
>I would be very grateful for any leads.
>
>Regards,
> Larry Bennett
> mu Networks Limited
> United Kingdom
>
>
>

Adam Safier
CSC-SED-Infosec
asafier@csc.com
"If you show me yours, I still won't show you mine."
Expressed opinions are my own and might not be shared by my employer or anyone else.
From firewalls-owner Wed Apr 10 19:29:47 1996
Message-Id: <199604102045.NAA29570@flying.fish.com>
To: firewalls@greatcircle.com
Subject: security auditing class
Reply-to: /dev/null@flying.fish.com
Date: Wed, 10 Apr 96 13:45:46 -0700
From: Dan

Announcement of Free Class on Internet Security Auditing and Risk Assessment

*** Sponsored by Sun ***

TIME & LOCATION

Tuesday, April 30th, 1996

***** This class will be given *one* time; it will *not* be repeated *****

The class will last all day - 8 or more hours

[Exact building/location TBA, but will be in Mountain View, CA, USA]

INSTRUCTORS

Dan Farmer                      Wietse Venema
Sun Microsystems                Eindhoven University of Technology

GENERAL OVERVIEW

*** WARNING ***
*** This class will be aimed at experienced system administrators or   ***
*** security auditing professionals. 8 hours of class in one day is not ***
*** for the faint of heart! However, there are no requirements or       ***
*** prerequisites needed to attend.                                     ***

Wietse and I are going to give a class on security auditing. In something like 8 hours, we are going to try and cover everything we know (or at least the highlights) on how to do an Internet security audit.
Neither of us have any formal auditing training, but we feel that with our combined experience (we are the authors of the TCP wrappers, COPS, and SATAN, among other tools and papers) that we have a fair amount to say about the subject. If the class goes well, we plan on giving another talk in the summer, probably in Europe next time, on securing your Unix system.

CLASS TOPICS (selected, not exhaustive)

  Definition and purpose of security auditing
  Software and hardware tools used
  Our general philosophy about auditing
  Tiger teams
  Types of auditing/systems
  What to examine/ignore
  "Perfect" vs. incomplete data
  Micro vs. macro auditing
  Auditing large networks
  Passive vs. active data collection
  Interpretation of data collection
  Auditing the security policy
  *Our* auditing and security standards
  Scoring methods
  Overall data analysis
  System design analysis
  The report

REGISTRATION NOTES & INFORMATION

We don't know how many people will show up; we will try to accommodate everyone, but with finite space, we might have to limit the class size. It will be filled on a more-or-less first come, first served basis. We will be placing some notes on the web; registered participants will be notified of where to find them.

To register, you must send a *physical* letter with your name and e-mail address to my wonderful Sun administrator:

  Diana Behjou
  2550 Garcia Avenue, MS PAL01-550
  Mountain View, CA 94043-1100
  USA

And request a position in the Internet Security Auditing and Risk Assessment class. You will receive an e-mail reply to confirm your registration. Again, there is no charge, but *please* don't register unless you are certain that you'll be there, because others will suffer if the class fills up. E-mail will probably be ignored, unless I know you, and then I'll be pissed off that you asked me to add you to the list instead of sending a stupid letter, and you'll owe me a bottle of fine port or something.
There is no ulterior motive to this, other than the fact that Wietse and I are trying to write a book, and we're using this as a motivational tool.

Enjoy.

From firewalls-owner Wed Apr 10 20:19:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA06184 for firewalls-outgoing; Wed, 10 Apr 1996 13:19:19 -0700 (PDT)
Received: from csc.com (explorer.csc.com [20.1.10.27]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA06161 for ; Wed, 10 Apr 1996 13:19:12 -0700 (PDT)
Received: from @explorer.csc.com by csc.com with smtp (Smail3.1.29.1 #1) id m0u76JT-001AnNC; Wed, 10 Apr 96 16:16 EDT
Message-Id:
Date: Wed, 10 Apr 96 16:16 EDT
X-Sender: asafier@explorer.csc.com
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: "Ward, Jay"
From: Adam Safier
Subject: Re: Structure
Cc: Firewalls , "Ward, Jay"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 10:26 AM 4/9/96 EDT, Ward, Jay wrote:
>From what I have been told in the past is that I could run into problems
>putting the httpd server behind the firewall. Is this true?

Yes. If the http server is compromised from the outside, so is your internal network. If the http server serves the outside world, put it on the outside of the firewall. Better yet, get a third ethernet interface and create a second firewalled area for your http and DMZ traffic.

Inet -----F-1 ---- Internal net
           |
           |
          DMZ for www servers, dial up concentrators, etc.

Why isn't your firewall vendor/distributor helping you with these design issues? Did they take your money, leave the box and walk? How is Checkpoint on support?

Adam Safier
CSC-SED-Infosec
asafier@csc.com
"If you show me yours, I still won't show you mine."
Expressed opinions are my own and might not be shared by my employer or anyone else.
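The three-interface layout Adam describes, worked through as an added example (my code, not from the thread and not from any firewall product): a small policy model that classifies constructed addresses into Internet, DMZ and internal legs, evaluates sample flows against an ordered rule list, and shows why a web server on the internal segment leaves the firewall blind to traffic from that server to its neighbours, while the DMZ layout lets a compromised web server be denied explicitly. The zone ranges, host addresses and rules are constructed for illustration.

```python
"""Three-interface (DMZ) firewall policy model.

Added illustration of the design in the message above (Internet / internal
net / DMZ on a third interface); not code from the thread or from any
firewall product.  All addresses are constructed from documentation and
private ranges.
"""
import ipaddress

# Constructed zone definitions: the DMZ and the internal net are the two
# inside legs; anything matching neither is treated as the Internet.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}


def zone_of(ip, zones=ZONES):
    """Map an address to the firewall leg it sits behind."""
    addr = ipaddress.ip_address(ip)
    for name, net in zones.items():
        if addr in net:
            return name
    return "internet"


# A rule is (from_zone, to_zone, proto, dst_port or None, action).  The first
# matching rule wins; a flow that matches nothing is denied.
THREE_LEG_RULES = [
    ("internet", "dmz", "tcp", 80, "allow"),         # public web service
    ("internet", "dmz", "tcp", 25, "allow"),         # inbound mail lands in the DMZ
    ("internal", "dmz", "tcp", None, "allow"),       # staff push content to www
    ("internal", "internet", "tcp", None, "allow"),  # outbound browsing
    ("dmz", "internal", "tcp", None, "deny"),        # a compromised DMZ host stays out
    ("dmz", "internet", "tcp", None, "deny"),        # and cannot be used as a relay
]

# The layout the original poster was warned about: the web server sits on the
# internal segment, so serving the public means opening the internal leg.
TWO_LEG_RULES = [
    ("internet", "internal", "tcp", 80, "allow"),
    ("internal", "internet", "tcp", None, "allow"),
]


def decide(rules, src, dst, proto, dport, zones=ZONES):
    """Return "allow"/"deny" for a flow the firewall sees, or "unmediated"
    when both endpoints share a leg and the firewall never sees the packet."""
    sz, dz = zone_of(src, zones), zone_of(dst, zones)
    if sz == dz:
        return "unmediated"
    for from_zone, to_zone, p, port, action in rules:
        if (from_zone, to_zone, p) == (sz, dz, proto) and port in (None, dport):
            return action
    return "deny"


def internal_exposure(rules):
    """Rules that let traffic from outside the trusted net into 'internal'.
    An empty list is what the three-leg design is meant to achieve."""
    return [r for r in rules
            if r[1] == "internal" and r[0] != "internal" and r[4] == "allow"]


if __name__ == "__main__":
    www_dmz, www_inside = "192.0.2.10", "10.1.1.80"   # constructed hosts
    desktop, outsider = "10.1.1.5", "203.0.113.7"
    print("three-leg: internet -> www:80  ", decide(THREE_LEG_RULES, outsider, www_dmz, "tcp", 80))
    print("three-leg: www -> desktop:445  ", decide(THREE_LEG_RULES, www_dmz, desktop, "tcp", 445))
    print("two-leg:   internet -> www:80  ", decide(TWO_LEG_RULES, outsider, www_inside, "tcp", 80))
    print("two-leg:   www -> desktop:445  ", decide(TWO_LEG_RULES, www_inside, desktop, "tcp", 445))
    print("exposure:", internal_exposure(THREE_LEG_RULES), internal_exposure(TWO_LEG_RULES))
```

The "unmediated" result is the point of the diagram: with the web server on the internal segment, the firewall has no rule it could write to stop that server from reaching internal hosts, because those packets never cross it. On the three-leg layout the same traffic crosses the DMZ leg and hits an explicit deny.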
From firewalls-owner Wed Apr 10 20:23:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA10490 for firewalls-outgoing; Wed, 10 Apr 1996 15:05:08 -0700 (PDT)
Received: from interlock.banamex.com (interlock.banamex.com [199.221.26.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA10484 for ; Wed, 10 Apr 1996 15:05:01 -0700 (PDT)
Received: from k2.banamex.com by interlock.banamex.com with SMTP id AA11207 (InterLock SMTP Gateway 3.0 for ); Wed, 10 Apr 1996 17:02:40 -0500
Message-Id: <199604102202.AA11207@interlock.banamex.com>
Received: from fmora.stcs.banamex.com ([148.240.82.143]) by k2.banamex.com with SMTP (1.39.111.2/16.2) id AA164591090; Wed, 10 Apr 1996 13:31:30 -0500
X-Sender: fmora@mail.banamex.com
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 10 Apr 1996 13:31:11 -0500
To: firewalls@greatcircle.com
From: Federico de la Mora Salazar
Subject: FAX Servers Security
Cc: Private_User@interlock.banamex.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm very interested in FAX Servers security and on the security of the FAX III protocol. Any comments will be greatly appreciated!
-----------------------------------------------------------------
-----------------------------------------------------------------
-----------------------------------------------------------------
-----------------  Federico de la Mora Salazar  -----------------
-----------------  Banco Nacional de Mexico     -----------------
-----------------  fmora@banamex.com            -----------------
-----------------------------------------------------------------
-----------------------------------------------------------------
-----------------------------------------------------------------

From firewalls-owner Wed Apr 10 20:29:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA10597 for firewalls-outgoing; Wed, 10 Apr 1996 15:06:16 -0700 (PDT)
Received: from interlock.banamex.com (interlock.banamex.com [199.221.26.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA10575 for ; Wed, 10 Apr 1996 15:06:03 -0700 (PDT)
Received: from k2.banamex.com by interlock.banamex.com with SMTP id AA16954 (InterLock SMTP Gateway 3.0 for ); Wed, 10 Apr 1996 17:03:51 -0500
Message-Id: <199604102203.AA16954@interlock.banamex.com>
Received: from fmora.stcs.banamex.com ([148.240.82.143]) by k2.banamex.com with SMTP (1.39.111.2/16.2) id AA164380663; Wed, 10 Apr 1996 13:24:24 -0500
X-Sender: fmora@mail.banamex.com
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 10 Apr 1996 13:24:04 -0500
To: firewalls@greatcircle.com
From: Federico de la Mora Salazar
Subject: FAX Servers Security
Cc: Private_User@interlock.banamex.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm very interested in FAX Servers security and on the security of the FAX III protocol. Any comments will be greatly appreciated!
-----------------------------------------------------------------
-----------------------------------------------------------------
-----------------------------------------------------------------
-----------------  Federico de la Mora Salazar  -----------------
-----------------  Banco Nacional de Mexico     -----------------
-----------------  fmora@banamex.com            -----------------
-----------------------------------------------------------------
-----------------------------------------------------------------
-----------------------------------------------------------------

From firewalls-owner Wed Apr 10 20:51:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA10573 for firewalls-outgoing; Wed, 10 Apr 1996 15:06:03 -0700 (PDT)
Received: from interlock.banamex.com (interlock.banamex.com [199.221.26.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA10560 for ; Wed, 10 Apr 1996 15:05:55 -0700 (PDT)
Received: from k2.banamex.com by interlock.banamex.com with SMTP id AA15144 (InterLock SMTP Gateway 3.0 for ); Wed, 10 Apr 1996 17:03:43 -0500
Message-Id: <199604102203.AA15144@interlock.banamex.com>
Received: from fmora.stcs.banamex.com ([148.240.82.143]) by k2.banamex.com with SMTP (1.39.111.2/16.2) id AA164290615; Wed, 10 Apr 1996 13:23:35 -0500
X-Sender: fmora@mail.banamex.com
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 10 Apr 1996 13:23:16 -0500
To: firewalls-digest@GreatCircle.COM
From: Federico de la Mora Salazar
Subject: FAX Servers Security
Cc: Private_User@interlock.banamex.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm very interested in FAX Servers security and on the security of the FAX III protocol. Any comments will be greatly appreciated!
-----------------------------------------------------------------
-----------------------------------------------------------------
-----------------------------------------------------------------
-----------------  Federico de la Mora Salazar  -----------------
-----------------  Banco Nacional de Mexico     -----------------
-----------------  fmora@banamex.com            -----------------
-----------------------------------------------------------------
-----------------------------------------------------------------
-----------------------------------------------------------------

From firewalls-owner Wed Apr 10 20:59:04 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA16161 for firewalls-outgoing; Wed, 10 Apr 1996 16:59:29 -0700 (PDT)
Received: from tera.bctel.net (tera.bctel.net [204.174.64.252]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id QAA16145 for ; Wed, 10 Apr 1996 16:59:21 -0700 (PDT)
Received: (from nobody@localhost) by tera.bctel.net (8.7.4/8.7.1) id QAA17415; Wed, 10 Apr 1996 16:57:53 -0700 (PDT)
X-Authentication-Warning: tera.bctel.net: nobody set sender to using -f
Received: from mocha.bctel.net(204.174.66.5) by tera via smap (V1.3) id sma017408; Wed Apr 10 16:57:25 1996
Received: (from murrell@localhost) by mocha.bctel.net (8.7.5/8.7.3) id QAA00489; Wed, 10 Apr 1996 16:58:26 -0700 (PDT)
From: Brian Murrell
Message-Id: <199604102358.QAA00489@mocha.bctel.net>
Date: Wed, 10 Apr 1996 16:58:25 -0700 (PDT)
To: peter@nmti.com
Cc: firewalls-digest@GreatCircle.COM
Subject: Re[2]: FWTK and SNMP-GW
In-Reply-To: <9604091903.AA23701@sonic.nmti.com.nmti.com>
X-Mailer: Ishmail 1.2-960212-sol24
MIME-Version: 1.0
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

from the quill of peter@nmti.com (Peter da Silva) on scroll <9604091903.AA23701@sonic.nmti.com.nmti.com>
> Run a stripped down SNMP client on one of the boxes in the DMZ that
> forwards
> SNMP information further in using
> syslog. You could even run scotty on
> the
> firewall if you had to...

syslog?? The original question that sparked this discussion was how to get UDP past a proxy host to send SNMP to an SNMP network manager.

b.

--
Brian J. Murrell                  Brian_Murrell@bctel.net
BCTel Advanced Communications     brian@ilinx.com
Vancouver, B.C.                   brian@wimsey.com
604 454 5279

From firewalls-owner Wed Apr 10 21:01:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA06156 for firewalls-outgoing; Wed, 10 Apr 1996 13:18:36 -0700 (PDT)
Received: from csc.com (explorer.csc.com [20.1.10.27]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA06142 for ; Wed, 10 Apr 1996 13:18:31 -0700 (PDT)
Received: from @explorer.csc.com by csc.com with smtp (Smail3.1.29.1 #1) id m0u76JU-001AovC; Wed, 10 Apr 96 16:16 EDT
Message-Id:
Date: Wed, 10 Apr 96 16:16 EDT
X-Sender: asafier@explorer.csc.com
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: Adam Safier
Subject: Re: Cross Realm Kerberos/DCE Proxy, NAT, UDP
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Talking to oneself is not all that uncommon nor considered impolite nor crazy in many countries. So I thought I'd do that.... Just in case anyone is interested.

At 04:34 PM 4/8/96 EDT, Adam Safier wrote:
>Can anyone relate war stories, gotchas and victories re: Cross Realm
>Kerberos or DCE across firewalls and to another Kerberized realm?
>
>I want to make sure my understanding of Kerberos traffic isn't twisted.
>Please make corrections if I'm missing things.

I am correcting myself.

>We need to talk to a different organization running Kerberos (actually some
>are DCE - I already heard Kerberos and DCE are not 100% compatible but we
>all agree to support the lowest common denominator.) so we need to do cross
>realm authentication, ticket granting and encryption all working across a
>firewall.
Actually a Kerberos vendor just informed me that the IP address of the delivery packet is NOT checked against the !optional! IP address included as part of the user identifier. We need some clarification from experts but this does not look like it would prevent NAT.

However, I thought of another NAT killer. When a client inside the realm contacts a TGS in the other realm, I think the TGS will address the return packet to the firewall. How does the firewall know to which internal client to forward the returned UDP packet (containing the server ticket)?

The rest is deleted since I have no additional comments on it.

For anyone interested, RFC 1510 deals with Kerberos and there is another RFC (I don't know the number) that deals with a GSS API for security program calls. Kerberos comes from MIT but Cygnus (www.cynus.com) also distributes a popular (at NASA) version of it. I'm trying to read the RFC..zzz.zzz

Adam Safier
CSC-SED-Infosec
asafier@csc.com
"If you show me yours, I still won't show you mine."
Expressed opinions are my own and might not be shared by my employer or anyone else.
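The UDP return-path question Adam raises above (how the firewall knows which internal client a TGS reply belongs to once the source address has been rewritten), as an added illustration that is not from the thread and is neither MIT's Kerberos code nor any vendor's firewall: a per-flow, port-based translation table of the kind a NAT device keeps for UDP. The addresses, ports and timeout are constructed; the model is generic and says nothing about what the Kerberos ticket itself carries.

```python
"""Per-flow UDP address translation table (NAPT).

Added illustration of the question above: once a firewall rewrites an
internal client's source address to its own, the only way to hand the
returned UDP datagram (a TGS reply from port 88, say) back to the right
client is a mapping recorded when the request went out.  Generic model,
not Kerberos code and not any vendor's firewall; all values constructed.
"""
import itertools

EXTERNAL_IP = "198.51.100.1"   # constructed: the firewall's outside address


class UdpNat:
    def __init__(self, external_ip=EXTERNAL_IP, first_port=40000, ttl=120.0):
        self.external_ip = external_ip
        self.ttl = ttl                        # idle seconds before a mapping is dropped
        self._ports = itertools.count(first_port)
        self._out = {}   # (src_ip, src_port, dst_ip, dst_port) -> external port
        self._in = {}    # external port -> (flow key, last_seen)

    def _expire(self, now):
        """Forget mappings that have been idle longer than ttl."""
        for port, (key, seen) in list(self._in.items()):
            if now - seen > self.ttl:
                del self._in[port]
                del self._out[key]

    def translate_out(self, src_ip, src_port, dst_ip, dst_port, now=0.0):
        """Rewrite an outbound datagram; returns the header the peer sees.
        The same internal flow always gets the same external port."""
        self._expire(now)
        key = (src_ip, src_port, dst_ip, dst_port)
        port = self._out.get(key)
        if port is None:
            port = next(self._ports)
            self._out[key] = port
        self._in[port] = (key, now)
        return (self.external_ip, port, dst_ip, dst_port)

    def translate_in(self, src_ip, src_port, dst_ip, dst_port, now=0.0):
        """Reverse-map a datagram arriving at the external address.  Returns
        the internal (ip, port) to deliver to, or None when it must be dropped:
        no mapping, an expired mapping, or a sender other than the peer the
        client originally addressed."""
        self._expire(now)
        if dst_ip != self.external_ip or dst_port not in self._in:
            return None
        (in_ip, in_port, peer_ip, peer_port), _ = self._in[dst_port]
        if (src_ip, src_port) != (peer_ip, peer_port):
            return None
        self._in[dst_port] = ((in_ip, in_port, peer_ip, peer_port), now)
        return (in_ip, in_port)


if __name__ == "__main__":
    nat = UdpNat()
    # Two internal clients (constructed) query the same remote TGS on UDP/88.
    print(nat.translate_out("10.1.1.5", 3401, "192.0.2.88", 88, now=0.0))
    print(nat.translate_out("10.1.1.6", 3401, "192.0.2.88", 88, now=1.0))
    # The TGS replies to the firewall; the mapped port picks the client.
    print(nat.translate_in("192.0.2.88", 88, "198.51.100.1", 40000, now=2.0))
    print(nat.translate_in("192.0.2.88", 88, "198.51.100.1", 40001, now=2.0))
    # Unsolicited datagram to the same port from elsewhere: dropped.
    print(nat.translate_in("203.0.113.9", 88, "198.51.100.1", 40000, now=2.0))
```

Two internal clients using the same source port get distinct external ports, so the destination port of the reply alone identifies the client. The sender check drops anything to that port that did not come from the peer the client contacted, and mappings time out, so the table does not grow without bound.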
From firewalls-owner Wed Apr 10 21:14:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA05915 for firewalls-outgoing; Wed, 10 Apr 1996 13:11:04 -0700 (PDT)
Received: from goaltender.ba.tis.com (goaltender.ba.tis.com [198.4.162.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA05909 for ; Wed, 10 Apr 1996 13:11:00 -0700 (PDT)
Received: by goaltender.ba.tis.com; id NAA29770; Wed, 10 Apr 1996 13:07:35 -0700
Received: from hd19-035.compuserve.com(199.174.222.35) by goaltender.ba.tis.com via smap (V3.1) id xma029767; Wed, 10 Apr 96 13:07:01 -0700
X-Sender: thompson@198.4.162.2
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 10 Apr 1996 12:08:51 -0700
To: Mustapha
From: thompson@tis.com (Bill Thompson)
Subject: Re: Clarification on Encryption Export Using CKE
Cc: Adam Safier , heuman@mtnlake.com, firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Apologies for treading on sacred ground by mentioning Iraq in a response that included reference to terrorist activities. Actually I was responding verbatim to the question asked by Mr. Safier as to how DRCs could be kept safe from terrorists, but perhaps you can forgive us all for over-stating the situation, considering recent history.

Regards,
Bill

At 5:23 PM 4/9/96, Mustapha wrote:
>On Mon, 8 Apr 1996, Bill Thompson wrote:
>> [...]
>> While we all may sometimes express the feeling the organized crime
>> element can do as it pleases, I hope that the mafia, Iraq, and other
>> organized terrorist elements can be successfully thwarted by the
>> vigilant efforts of professionals, both within our companies, and our
>> governments.
>> [...]
>
>
>Dear Bill,
>
>Who did say first that Iraq represents an "organized terrorist element" ?
>And if the US government says so, does that really classify the country
>as terrorist ? Is everything said by the US government necessarily
>true ?
>And, finally, why was Iraq six years ago being looked at as an
>excellent, democratic country while nowadays it is nothing but a terrorist
>country ?
>Well, maybe because six years ago the US government was in need of the Iraqi
>regime but not anymore these days!
>
>As you see, let's please stay on topic and not try to bring things that
>may lead to useless political discussions!
>
>Best Regards,
>-Mustapha
>
>PS: I don't speak for the Iraqi regime at all!
>=== Actually I totally dislike that regime, but I found myself `obliged'
> to reply (and CC to the mailing list) because I hate such (&^@#$%#)
> kind of email messages.
>
>-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>Mustapha Obeid
>Student
>Computer Science Department, Moncton University
>Moncton, NB, Canada - E1A 3E9
>Fields of Interests: Network Security & Cryptography.
>*Life would be so much easier if we could just look at the source code*
>-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

*--------------------------------------------------------------------------*
|R.
William Thompson                          Business Development Consultant|
|Trusted Information Systems                          thompson@ba.tis.com|
|444 Castro Street                               (415) 962-8885, X3019|
|Mountain View, CA 94041                             Fax (415) 962-9330|
|Home: 9305 Scenic Bluff Drive                      Home (512) 263-5936|
|Austin, TX 78733                               Home Fax (512) 263-9436|
|75427.301@compuserve.com                   Bill_Thompson@compuserve.com|
*--------------------------------------------------------------------------*

From firewalls-owner Wed Apr 10 22:23:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA18329 for firewalls-outgoing; Wed, 10 Apr 1996 17:19:43 -0700 (PDT)
Received: from ns.cnc.ac.cn (ns.cnc.ac.cn [159.226.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA18263 for ; Wed, 10 Apr 1996 17:19:29 -0700 (PDT)
Received: by ns.cnc.ac.cn (5.67b/IDA-1.5) id AA10331; Thu, 11 Apr 1996 08:28:08 -0800
Date: Thu, 11 Apr 1996 08:28:08 -0800
From: Jun Li
Message-Id: <199604111628.AA10331@ns.cnc.ac.cn>
To: firewalls-digest@GreatCircle.COM
Subject: singoff
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

signoff firewalls jlee@ns.cnc.ac.cn

From firewalls-owner Wed Apr 10 22:38:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA20134 for firewalls-outgoing; Wed, 10 Apr 1996 17:40:49 -0700 (PDT)
Received: from interlock.mckesson.com (interlock.mckesson.com [199.221.43.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA20119 for ; Wed, 10 Apr 1996 17:40:43 -0700 (PDT)
Received: from [128.1.53.159] by interlock.mckesson.com with SMTP id AA09399 (InterLock SMTP Gateway 3.0 for ); Wed, 10 Apr 1996 17:38:35 -0700
Message-Id: <199604110038.AA09399@interlock.mckesson.com>
Subject: Re: Users who forget their passwords
Date: Wed, 10 Apr 96 17:37:46 -0700
From: Bill Husler
Cc:
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Received: 4/9/96 5:24 PM
>From: Wayne Gifford -
Internet Commerce Group,
..
>>
>> Now, the important part is not to let everyone see you craning your neck to
>> see the serial number of your computer every 10 minutes. Be a little more
>> subtle/clever.
>>
..

I suppose that would be like moving your lips while counting cards at Blackjack.

Bill

Please remember to always flame via private eMail - the rest of the group is just not interested.

From firewalls-owner Wed Apr 10 22:41:39 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA20720 for firewalls-outgoing; Wed, 10 Apr 1996 17:47:17 -0700 (PDT)
Received: from interlock.banamex.com (interlock.banamex.com [199.221.26.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA20702 for ; Wed, 10 Apr 1996 17:47:11 -0700 (PDT)
Received: from k2.banamex.com by interlock.banamex.com with SMTP id AA03634 (InterLock SMTP Gateway 3.0 for ); Wed, 10 Apr 1996 19:45:02 -0500
Message-Id: <199604110045.AA03634@interlock.banamex.com>
Received: from fmora.stcs.banamex.com ([148.240.82.143]) by k2.banamex.com with SMTP (1.39.111.2/16.2) id AA180353500; Wed, 10 Apr 1996 19:45:00 -0500
X-Sender: fmora@mail.banamex.com (Unverified)
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 10 Apr 1996 19:44:41 -0500
To: firewalls@greatcircle.com
From: Federico de la Mora Salazar
Subject: FAX Servers security
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm very interested in FAX Servers security and on the security of the FAX III protocol. Any comments will be greatly appreciated!
-----------------------------------------------------------------
-----------------------------------------------------------------
-----------------------------------------------------------------
-----------------  Federico de la Mora Salazar  -----------------
-----------------  Banco Nacional de Mexico     -----------------
-----------------  fmora@banamex.com            -----------------
-----------------------------------------------------------------
-----------------------------------------------------------------
-----------------------------------------------------------------

From firewalls-owner Wed Apr 10 22:44:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA21135 for firewalls-outgoing; Wed, 10 Apr 1996 17:52:28 -0700 (PDT)
Received: from mossad.thecia.net (mossad.thecia.net [206.100.120.200]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA21110 for ; Wed, 10 Apr 1996 17:52:18 -0700 (PDT)
Received: (from shagboy@localhost) by mossad.thecia.net (8.6.12/8.6.9) id UAA00284; Wed, 10 Apr 1996 20:47:58 -0400
Date: Wed, 10 Apr 1996 20:47:58 -0400 (EDT)
From: shaggenbunsenburner
To: David Schiffrin
cc: firewalls@GreatCircle.COM
Subject: Re: flood attack
In-Reply-To: <199604090145.SAA22693@popmail.UCSD.EDU>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 8 Apr 1996, David Schiffrin wrote:

> One of my customers (a small isp) suffered an attack recently. Aside from
> turning off services which these hosts provide to the net, or blocking those
> packets at the router, I am at a loss. I'd appreciate any suggestions.
>
> More specifically, the web, inbound SMTP, and POP servers were each flooded
> by SYN packets from the 'net on the services' respective ports, thus denying
> legitimate users access to these services.
> I filtered some, and changed
> DNS/IP addresses for others, but I'm not sure (without dynamic packet filter
> rules) how to address this long-term. These solutions only worked because
> the attacker began the attack (maybe checked it for effectiveness) and
> seemed to leave it running unattended. Obviously the web and SMTP servers
> need to be accessible to the outside, but how do I make this better.
>
> BTW hosts from a variety of assigned and unassigned networks appeared to be
> the source addresses, and all hosts were/are unreachable from any
> net-access. Could/should the 'wall be doing a ping-check back at connecting
> hosts?.....

A client of mine also recently experienced one of these attacks. I'm not sure how to block them either, except to do a "ping-check" as mentioned above to at least weed out the nonexistent hosts (the attacks occurred from addresses like 12.34.56.78 and 31.3.3.37...sigh).

Please respond via private email if possible.

TIA,
shag

Judd Bourgeois        | When we are planning for posterity,
shagboy@thecia.net    | we ought to remember that virtue is
Finger for PGP key    | not hereditary.
                      |                         Thomas Paine

From firewalls-owner Thu Apr 11 01:36:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA24408 for firewalls-outgoing; Wed, 10 Apr 1996 18:28:50 -0700 (PDT)
Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id SAA24398 for ; Wed, 10 Apr 1996 18:28:42 -0700 (PDT)
Received: from clark.net (mjr@clark.net [168.143.0.7]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id VAA09418 for ; Wed, 10 Apr 1996 21:26:35 -0400 (EDT)
From: "Marcus J.
Ranum"
Received: (from mjr@localhost) by clark.net (8.7.1/8.7.1) id VAA16069 for Firewalls@GreatCircle.COM; Wed, 10 Apr 1996 21:26:22 -0400 (EDT)
Message-Id: <199604110126.VAA16069@clark.net>
Subject: Re: split DNS
To: Firewalls@GreatCircle.COM
Date: Wed, 10 Apr 1996 21:26:18 -0400 (EDT)
In-Reply-To: <199604091745.KAA07981@miles.greatcircle.com> from "firewalls-digest-owner@GreatCircle.COM" at Apr 9, 96 10:45:55 am
Reply-To: mjr@v-one.com
Organization: V-One Corporation, Baltimore, MD
Office Phone: 410-889-8569
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Colin Campbell writes:
>
>I have a more complex split dns than I think is the norm (if there is
>such a thing). At present I run the classic version but am not sure how
>to expand it to the following scenario:
>
>
>             internet
>                ^
>                |
>                |
>       external bind  \
>       ...             } the bastion host
>       resolver       /
>                |
>                |
>                v
>       root server (mine?)
>                |

A few weeks ago I thought of a really mind-numbingly stupid but deadly effective solution for this problem. Now that I'm a SUIT and have had a lobodt^H^Hdotodmy - urr, brain surgery, and can no longer write code, I haven't had a chance to implement, test, and post it. But it goes like this:

Put some extra smarts in resolv.conf on the firewall. I'd like to add a syntax like:

nameserver outside.v-one.com 127.0.0.1
nameserver v-one.com 1.1.1.1
nameserver ^. 1.1.1.1
nameserver 1.1.1.in-addr.arpa. 1.1.1.1
nameserver 127.0.0.1

Basically, the queries would go to the local nameserver on 127.0.0.1 if they are for a machine named "outside.v-one.com"; otherwise, if they were anything in v-one.com they'd go to 1.1.1.1, and if they were anything without a "." in them they'd go to 1.1.1.1. All other stuff would default to the local nameserver. In this manner, a split DNS would then be a piece of cake to implement.
Just have a nameserver with a full external database on the firewall, and the firewall knows how to decide where to resolve, whether internal or external. Then run a full internal DNS on 1.1.1.1 and it's all hunky-dory.

I think the changes necessary are a few tweaks to res_init to process the extra structs, a couple of strncmp()s and a few lines of code in the lookup routines. You'd only need to run the whizzed-up code on the firewall.

Comments?? If someone wants to do it, go for it. Otherwise if I manage to get some quality time with a compiler (fat chance. :() I'll see if I can do it before November.

mjr.

From firewalls-owner Thu Apr 11 01:50:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA23384 for firewalls-outgoing; Wed, 10 Apr 1996 18:18:08 -0700 (PDT)
Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id SAA23346 for ; Wed, 10 Apr 1996 18:17:52 -0700 (PDT)
Received: from clark.net (mjr@clark.net [168.143.0.7]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id VAA07262 for ; Wed, 10 Apr 1996 21:15:41 -0400 (EDT)
From: "Marcus J. Ranum"
Received: (from mjr@localhost) by clark.net (8.7.1/8.7.1) id VAA13708 for firewalls@greatcircle.com; Wed, 10 Apr 1996 21:15:35 -0400 (EDT)
Message-Id: <199604110115.VAA13708@clark.net>
Subject: CKE: mandated by law
To: firewalls@greatcircle.com
Date: Wed, 10 Apr 1996 21:15:30 -0400 (EDT)
Reply-To: mjr@v-one.com
Organization: V-One Corporation, Baltimore, MD
Office Phone: 410-889-8569
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Adam Safier writes: [about CKE]
>As long as it is driven by the economy and not mandated by law I have no
>problem. As someone who has lost/forgotten passwords I appreciate the
>safety this would provide.
Unfortunately, it is effectively mandated by law. :( For a vendor to produce exportable high-quality crypto, the government is requiring some kind of key escrow - either something like LOTUS' "differential work factor cryptography" or CKE. The CKE approach is admittedly much less palatable than LOTUS' approach, which is actually *WORSE* than Clipper. With Clipper, at least, the keys were split between "escrow" agencies, whereas with LOTUS' approach, the necessary amount of keying is just given directly to NSA. The CKE approach tries to layer a veneer of commercial acceptability on top of the key escrow requirement, to make it less onerous, but the fact is that the government's tying of exportability to key escrow amounts to a legal mandate, if you're a vendor trying to produce a product.

Many nations are now following the lead of the US, Russian, and French governments, and are seeking to arrogate titular control over encryption. I say "titular" because real, actual, control is impossible and everyone with a clue knows it. All that will happen is that export control regulations will be announced as the failure they are, and governments will then argue that they need direct, *domestic* control. We're starting to see the early rumbles of that game from the FBI and Janet Reno, and every time there's a Unabomber or Freemen or Koresh we can expect another "Good thing they didn't use STRONG CRYPTO or we'd never have caught them" argument.

What's so laughable about the whole thing is that I live in a town where the drug dealers do their deals in the clear with pagers and cellphones and law enforcement is still helpless. If they're helpless and incompetent against an enemy using no communications security at all, they should just give up about dealing with the *real* terrorists and spies who actually know what they're doing.
Unless the KGB has agreed to escrow their one-time-pads with Ft Meade, the only benefit all this escrow crap will have for the government is helping them watch us honest but pissed-off citizens, and lining the coffers of revolving-door defense contractors.

mjr.
--
Chief Scientist, V-ONE Corporation -- "Security for a connected world"
work http://www.v-one.com
personal http://www.clark.net/pub/mjr/mjr-top.html

From firewalls-owner Thu Apr 11 02:02:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id TAA00619 for firewalls-outgoing; Wed, 10 Apr 1996 19:33:31 -0700 (PDT)
Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA00602 for ; Wed, 10 Apr 1996 19:33:22 -0700 (PDT)
Date: Wed, 10 Apr 1996 22:31:14 -0400 (EDT)
From: "A. Padgett Peterson P.E. Information Security"
To: firewalls@greatcircle.com
Message-Id: <960410223114.20228d14@hobbes.orl.mmc.com>
Subject: Sure...
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I'm searching for a "reversed proxy" in the way that machine A acts
>as a proxy to an outside client ...

Sure: a commerce server (A) on the bastion net. 'wall allows comm between server and inside trusted hosts (B & C) only. Triple-homed system will work nicely.
Warmly,
Padgett

From firewalls-owner Thu Apr 11 03:25:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id TAA02394 for firewalls-outgoing; Wed, 10 Apr 1996 19:49:03 -0700 (PDT)
Received: from comsoon.login.net (comsoon.login.net [192.219.254.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA02376 for ; Wed, 10 Apr 1996 19:48:56 -0700 (PDT)
Received: from babylon.montreal.qc.ca (uucp@localhost) by comsoon.login.net (8.6.12/8.6.5) with UUCP id WAA21435; Wed, 10 Apr 1996 22:42:18 -0400
From: jihef@babylon.montreal.qc.ca (Jean-Francois Boileau)
Reply-To: jihef@babylon.montreal.qc.ca
To: sameer@wiproge.med.ge.com
Cc: firewalls@GreatCircle.com
Subject: Re: Re: InterNotes server
Date: 11 Apr 1996 00:17:05 GMT
Message-Id: <1775108061.27036013@babylon.montreal.qc.ca>
Organization: Babylon, Montreal, Canada
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thank you for taking the time to respond.

JF

From firewalls-owner Thu Apr 11 04:06:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id DAA20841 for firewalls-outgoing; Thu, 11 Apr 1996 03:53:33 -0700 (PDT)
Received: from europa.fcee.ucp.pt (europa.fcee.ucp.pt [158.162.2.126]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id DAA20796 for ; Thu, 11 Apr 1996 03:53:18 -0700 (PDT)
Message-Id: <199604111053.DAA20796@miles.greatcircle.com>
Received: from [158.162.2.60] by europa.fcee.ucp.pt with SMTP (1.37.109.4/16.2) id AA08422; Thu, 11 Apr 96 12:59:57 +0100
Date: Thu, 11 Apr 96 12:59:57 +0100
X-Sender: lmc@europa.fcee.ucp.pt
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
To: Firewalls@GreatCircle.COM
From: Luis Miguel Campos
Subject: Free Packet Filters & Proxies
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi, I'm looking for FREE software to make a packet filtering router and some
proxies for common protocols (http, ftp, etc.) and a WWW server. What are the available products for HP-UX?

Thanks
Miguel Campos
-----------------------------------------------
Luis Miguel Ribeiro Campos
Faculdade de Ciências Económicas e Empresariais
Universidade Católica Portuguesa
1600 Palma de Cima
Tel: 351-1-7214232/0 Fax: 351-1-7270252

From firewalls-owner Thu Apr 11 04:56:23 1996
Date: Thu, 11 Apr 1996 17:12:38 +0500 (GMT+0500)
From: "S.Ramalingam"
Subject: internet connection
To: firewalls-digest@GreatCircle.com
Cc: ram@adiblr1.soft.net

Hello

We have Pentium machines running the PCNFSpro 1.1 Windows version. In my company, we have a radio link to access the internet. Our management does not want to give permission to everyone to access the internet, except for a few people. Right now all the staff members are using Netscape to use the internet. We cannot control the staff members. We have a router connected with the RF link. IS THERE ANY WAY TO CONTROL THE PEOPLE'S ACCESS TO THE INTERNET BASED ON IP ADDRESS? Our default gateway is the router.
Ramalingam

From firewalls-owner Thu Apr 11 05:06:47 1996
Date: Thu, 11 Apr 1996 12:13:53 +0200
From: Tufa Lucian
Subject: Re: UUCP vs. Anonymous FTP
To: Jasjit K Singh
Cc: firewalls@GreatCircle.COM

On Tue, 9 Apr 1996, Jasjit K Singh wrote:
> Hi,
>
> We are planning to replace UUCP with anonymous
> FTP for transferring files. I would like to get
> information on security issues of anonymous FTP
> and the do's and don'ts. What are the benefits
> of this and what is the latest release of
> anonymous FTP that is considered stable and safe
> enough. Any information will be welcome. Thanks!!

FTP service is quite stable, if it is properly configured and with some firewall product. The configuration and the security systems are available (I think) on many ftp sites. The principal problem is that everybody could go into your system and "look around".
Tufa Lucian
sysadmin lclsv.sfos.ro
phone 040042322028 - home
040042312892 - service

From firewalls-owner Thu Apr 11 06:37:04 1996
Date: Thu, 11 Apr 1996 14:03:55 +0200 (EET)
From: Osman Shokry
To: firewalls@greatcircle.com

signoff firewalls oshoukry@auc-cs28.eun.eg

From firewalls-owner Thu Apr 11 07:26:46 1996
Date: Thu, 11 Apr 1996 9:02:29 -0400 (EDT)
From: "A. Padgett Peterson P.E. Information Security"
To: firewalls@greatcircle.com
Subject: re CKE: mandated by law

Marcus wrote:
> Many nations are now following the lead of the US, Russian,
> and French governments, and are seeking to arrogate titular control
> over encryption. I say "titular" because real, actual, control is
> impossible and everyone with a clue knows it. All that will happen
> is that export control regulations will be announced as the failure
> they are, and governments will then argue that they need direct,
> *domestic* control.
That is one viewpoint, and while it is possible for a citizen to thumb their nose at France or Belgium or ..., it is not possible for a large, multinational corporation because they must do business there - and do you think it is barely-literate rants the govs want to intercept, or the plans for the F-118 that they want to intercept? This is why I am willing to accept a certain amount of key escrow (with restrictions I have stated many times) in exchange for the foreign agreements to use strong crypto *there*.

Warmly, Padgett

From firewalls-owner Thu Apr 11 07:42:43 1996
Date: Thu, 11 Apr 1996 09:27:49 -0400
From: Douglas Pitts
Organization: Banc One Services Corporation
To: firewalls@GreatCircle.com
Subject: (no subject)

signoff firewalls dpitts@bankone.com

From firewalls-owner Thu Apr 11 07:42:42 1996
Date: Thu, 11 Apr 1996 08:03:39 -0400 (WST)
From: Juan Carlos Machado
To: Federico de la Mora Salazar
Cc: Firewalls@GreatCircle.COM
Subject: Re: FAX Servers Security

On Wed, 10 Apr 1996, Federico de la Mora Salazar wrote:
> Date: Wed, 10 Apr 1996 10:51:54 -0500
> From: Federico de la Mora Salazar
> To: Firewalls@GreatCircle.COM
> Cc: Private_User@interlock.banamex.com
> Subject: FAX Servers Security
>
> I'm very interested in FAX Servers security and
> on the security of the FAX III protocol.
>
> Any comments will be greatly appreciated!

Hello,

About Fax Servers Security, I have some information:

Convenient way to protect facsimiles and make certain they go only where you want them to go. Electronic keys verify your fax is sent where you intended. Establishes a protected, closed network, and eliminates the problem of transmission to wrong numbers. Can be attached between any Group 3 fax machine and phone jack. For large corporate networks NET KEY makes implementation quite simple. Touch-screen display makes the product simple to operate. Electronic mailbox (Model 3710) stores facsimiles until you are ready to retrieve them with your personal PIN number. Generates an audit trail of all facsimiles sent and received.

These are AT&T machines, and I think they're the best. You can find more information (prices) at http://public.att.com/scs/docc.html

_________________________________________________________
=========================================================
Juan Carlos Machado Z.
jmachado@ciat.cgiar.org
j.machado@cgnet.com
Network Support
Voice Ph#: (57-2)4450-691
CIAT (International Center for Tropical Agriculture)
Cali - Valle - Colombia.
Phone: 4450000
JK:= NOT(reflect(opinions' self,opinions' employer));

From firewalls-owner Thu Apr 11 07:47:38 1996
Date: Thu, 11 Apr 1996 10:58:18 +0200
From: Alain Berguerand
Organization: S.N.C.F DR
To: Firewalls@GreatCircle.COM
Subject: (no subject)

signoff firewalls Berguerand@dr.sncf.fr

From firewalls-owner Thu Apr 11 08:01:45 1996
From: Moeller@gefm7.f.eunet.de
Date: Thu, 11 Apr 96 08:22:00 -0100
To: firewalls@Greatcircle.com
Subject: cisco keep alive
Is it possible to get keepalive messages from a cisco to a logging host?

//----------------------------------------------------------
// Markus Möller
// GEFM
// moeller@gefm7.f.eunet.de
// +49-69-910-68109
//----------------------------------------------------------

From firewalls-owner Thu Apr 11 08:47:48 1996
Date: Thu, 11 Apr 1996 00:55:50 -0700 (PDT)
From: "Craig A. Huegen"
To: Tom Friday
Cc: firewalls@GreatCircle.COM
Subject: Re: Re: cisco logging for firewalls

On Tue, 9 Apr 1996, Tom Friday wrote:
> access-list 101 deny ip 127.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255 log
>                                                                         ^
> % Invalid input detected at '^' marker.
>
> Am I doing something wrong? Or maybe I need new firmware? I'm running
> IOS 10.2(5).

You will need to update your software to a later release. Logging for access-lists is supported in 10.3 and later, I believe.

/cah
----
Craig A. Huegen
Network Analyst, IS-Network/Telecom
cisco Systems, Inc., 250 West Tasman Drive
San Jose, CA 95134, (408) 526-8104
email: chuegen@cisco.com

From firewalls-owner Thu Apr 11 09:16:26 1996
Date: Wed, 10 Apr 1996 23:35:33 -0400 (EDT)
From: Richard Reno
Subject: Fast Firewalls
To: firewalls@GreatCircle.COM

A little over a year ago, I set up a firewall for a local college. I used a 486dx2 66 running UnixWare, with the proxies from the fwtk. This setup worked pretty well until recently, at least after I put in the patch for http-gw. Without telling me about their intention, they recently upgraded their connection from a 56kb line to a T1 line. They are now having a lot of problems with dropped connections and other error messages.

My question is this: assuming that the firewall is mostly proxying http requests, how much throughput can this system be reasonably expected to handle? Or conversely, can a Pentium with PCI ethernet interfaces be expected to handle the load? Some simple calculations indicate to me that the PCI bus should have no problem with this rate, but I have no feel for how much processing the http-gw does for each packet. If someone is running a similar system and having success I would be interested in hearing from them. Any other suggestions (on the topic of course!) would be welcome. It has been suggested to me that a Sparc station is the only way to go to solve this problem, but I am interested in other opinions.
In a related question, the http-gw does not appear to properly enforce the access restrictions I have set up. The other proxies operate properly. Someone else locally told me that the http-gw has a known problem in this area. Is this in fact true? I am planning to look at the code starting next week, and if someone else has already done this and would forward any patches I would really appreciate it.

Thanks
Richard W. Reno

From firewalls-owner Thu Apr 11 10:48:04 1996
From: Sameer - The Terminator
Subject: Re: FWTK and SNMP-GW
To: arager@hibbertco.com
Date: Thu, 11 Apr 96 12:46:41 IST
Cc: firewalls@greatcircle.com
In-Reply-To: ; from "Anton Rager" at Apr 9, 96 8:03 am

Hi,

Sorry, but can anyone enlighten me about FWTK..

...Sam

> On Mon, 8 Apr 1996 22:58:09 -0400 (EDT), Chris Kostick replied:
>
> On another note, I've never understood, or have been unable to think
> of an architecture, where someone would want to get SNMP information
> *through* a firewall. Enlighten me someone.
> - --
> chris
> _______________________________________________________
>
> Thanks for the transport clarification -- Let's think about this --
>
> 1 -- There is a need to manage and receive traps from an internet router that
> is outside the firewall [primary packet filter] -- I want to be able to access
> it via SNMP from my internal network console -- seems to be the only method
> for access list denies and hardware problem reporting [without manually
> checking unit].
>
> 2 -- It would be nice to have DMZ servers/devices forward traps via SNMP to
> internal console [for the same reason -- service denials/errors via SNMP
> traps--no get/set].
>
> SNMP would only be allowed to/from DMZ devices and Internet router....here's
> the basic config:
>
>                      |     |
> INET--Router/Filter--| DMZ |--FWTK Firewall-- SNMP Console
>                      |     |
>
> This seems like necessary info and functionality -- Any thoughts?? What are
> the risks running udprelay [rules based like FWTK?]....and will it work in
> conjunction with FWTK???
> Thanks,
>
> Anton Rager
> arager@hibbertco.com

From firewalls-owner Thu Apr 11 10:48:50 1996
From: Doug Hughes
Date: Thu, 11 Apr 1996 08:34:49 -0500
Subject: Re: Solaris2.5 and BSD* - Facts
To: djr@saa-cons.co.uk
Cc: firewalls@greatcircle.com

> AFAIK, the facts stand as follows (please correct me if I am wrong).
> BSD offers the immutable flag - Solaris does not.
> BSD gives me source code - Solaris does not.
> BSD allows me to compile stuff (ls etc) with static libs - Solaris does
> not (if I remember a thread a while ago).

You 'can' compile statically on Solaris, but it's a terrible hack, and not a truly supported thing to do. I have a static ls that I've been running in our anon FTP area for a year now on 2.X. The others are true. Solaris source code licenses cost $$$.

> ObOffTopic: anyone know a tool to do base64 decoding? Some of my users
> get their mail sent to ccMail, and their gateway doesn't understand MIME.
> A DOS util to do this with would be great (I can't convert *everyone* to Unix
> and Pine!
> ;)

Unix - get metamail
DOS - mpack.exe, munpack.exe
--
____________________________________________________________________________
Doug Hughes                          Engineering Network Services
System/Net Admin                     Auburn University
doug@eng.auburn.edu
Pro is to Con as progress is to congress

From firewalls-owner Thu Apr 11 10:51:52 1996
From: Richard_Tatem@notesgw.hns.com
To: firewalls-digest@GreatCircle.COM
Date: 11 Apr 96 13:08:32 EDT
Subject: Sign Off

sign off rtatem@hns.com

From firewalls-owner Thu Apr 11 11:05:11 1996
From: BARACCUS@aol.com
Date: Thu, 11 Apr 1996 13:18:08 -0400
To: firewalls@greatcircle.com
Subject: NT Service Security

When running Web Servers or any servers on NT such as FTP Server, Sendmail Servers, etc., is it
better to create a login ID for that service and configure the service to log in with that specific ID? As a default NT services use the SYSTEM account. Is this safe???????? What is the most secure??

Kevin B.
Infoquest Technology Consulting

From firewalls-owner Thu Apr 11 11:06:11 1996
From: J Wunsch
Subject: Re: Solaris2.5 and BSD* - Facts
To: djr@saa-cons.co.uk (Dave Roberts)
Date: Thu, 11 Apr 1996 15:17:21 +0200 (MET DST)
Cc: Firewalls@GreatCircle.COM, freebsd-hackers@freebsd.org (FreeBSD hackers)
In-Reply-To: from "Dave Roberts" at Apr 10, 96 11:58:52 am

As Dave Roberts wrote:
> AFAIK, the facts stand as follows (please correct me if I am wrong).
> BSD offers the immutable flag - Solaris does not.
> BSD gives me source code - Solaris does not.
> BSD allows me to compile stuff (ls etc) with static libs - Solaris does
> not (if I remember a thread a while ago).
>
> That's all I can think of.
> Please don't mail back with arguments about
> having source code or not, or static libraries vs dynamic, think those
> have been beaten to death :)

Sorry for bothering you again with the ``there's source code'' argument. After listening to a talk about firewalls at the last GUUG (German Unix Users Group) Spring Meeting, I realized that kernel source is also interesting to have. You can remove all the security related ``extras'' in the kernel (IP forwarding, IP source routing, log connection attempts, ...) if you've got the source. And yes, _remove_, with vi in the source. This cannot be enabled again via an MIB variable. :-)

--
cheers, J"org joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)

From firewalls-owner Thu Apr 11 11:06:33 1996
Date: Thu, 11 Apr 1996 09:28:55 -0400 (EDT)
From: "Paul D. Robertson"
To: mjr@v-one.com
Cc: Firewalls@GreatCircle.COM
Subject: Re: split DNS

On Wed, 10 Apr 1996, Marcus J. Ranum wrote:
> Put some extra smarts in resolv.conf on the firewall.
> I'd like to add a syntax like:
>
> nameserver outside.v-one.com 127.0.0.1
> nameserver v-one.com 1.1.1.1
> nameserver ^. 1.1.1.1
> nameserver 1.1.1.in-addr.arpa. 1.1.1.1
> nameserver 127.0.0.1
>
> Basically, the queries would go to the local nameserver
> on 127.0.0.1 if they are for a machine named "outside.v-one.com"
> otherwise, if they were anything in v-one.com they'd go to 1.1.1.1
> and if they were anything without a "." in them they'd go to
> the 1.1.1.1. All other stuff would default to the local nameserver.

Well, I'm not sure if this is what you're looking for, but here's my scheme. (I'll use v-one as an example, since we can't expect suits to think in abstract terms ;)).

I've set my internal machines to have a default high-level domain of say .v-one. My internal nameserver is authoritative for .v-one. It is also authoritative for my external domain, v-one.com. Normal lookups resolve to the .v-one, so if I telnet to marcus, it'll go to marcus.v-one. Since I mirror my external DNS with some minor changes on the internal one, the internal DNS can resolve marcus.v-one.com to say switchblade.v-one (or switchblade.v-one.com); mostly I do this for MX handling, so that I can just use a wildcard MX externally, and add machines on the inside, where my ops folks can get to the DNS files via direct telnet. All other queries are passed to the external server.

Some of my hosts live in multiple domains, but I expect to have most of them in my 'intranet' (does anyone else loathe that word?) domain, with the appropriate domain fooking on my mail gateway, who knows how to pass to the inside and the outside.

One of the great things about using an internal root domain is that when the lusers go home, and try to get to web.v-one (your theoretical intranet server), they don't create access violations on your bastion for you to wade through.
I'm also going to get great entertainment value out of them setting up web servers on their PCs, and telling their friends that they can get great warez by going to http://luser.v-one! :) (Hrm, maybe I have been reading BOFH.general too much recently.)

I'd expect the obscurity fans to really love this one as well.

Paul "let the kids write the code, I'll just do DNS tricks" Robertson
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From firewalls-owner Thu Apr 11 11:16:43 1996
From: "Sacherich, Larry"
To: "'Firewalls-Digest-L'"
Subject: Solaris2.5 and BSD* - Facts - MIME Converters
Date: Thu, 11 Apr 96 08:51:00 PDT

1) For the Windows 3.1 environment, we are distributing on-request a program called XferPro. This is a $10 piece of Windows shareware that is simple and works well. All popular encoding methods are supported, including MIME 1.0, UU, XX, and Binhex 4.0.

2) One other thing we are looking at is Emil v2. See emil-2.0.5.tar.gz on ftp.uu.se.
- From the MS Mail SMTP Gateway List (thanks to David Miller) - Mar 3, 1995

Martin Wendel
Torbjorn Wictorin
UDAC
(C) SUNET

Emil v2 - A Conversion Filter for Internet Messages.
******************************************************

Emil v2 is a filter for converting Internet Messages. It supports three basic formats: MIME, SUN Mailtool and plain old style RFC822. It can be used with sendmail, as a mailer, or as a prefilter or backend program with a mail client program, or as a plain filter. Emil v2 is a complete rewrite of Emil-v1. New features are support for RFC1522 headers and a more robust basic structure.

The purpose of Emil v2 is to facilitate the official migration to MIME for Internet Mail on SUNET (the Swedish University Network), on hosts or sites unable to support MIME. The migration is due on 1 Jan 1995. Information about this is made available by SUNET at http://www.nada.kth.se:/sunet-mime/index-en.html.

What is Emil?
*************

Simply put, Emil is a message format converter for Internet Messages. This is a general description:

* Emil is able to convert the format, headers and structure, between messages of type MIME, Sun Mailtool and old style RFC822.
* Emil is able to convert the encoding of binary data between the types Base64, BinHex and Uuencode.
* Emil is able to convert the encoding of text to and from the MIME encoding Quoted-Printable.
* Emil is able to convert character set of text between the character sets made available by Keld J. Simonsen's strncnv package. The strncnv package handles a large number of character sets, as specified by RFC1345.
* Emil contains two special conversions for text:
  - 7bit body conversion, which is a one-way conversion of 8bit text to the Swedish national variant of ISO-646.
  - 7bit header conversion, which is a one-way conversion of 8bit text to characters in US-ASCII of the closest resemblance.
* Emil is able to convert to and from RFC1522 format headers.
* Conversion can be configured by a configuration file, emil.cf, using sender, recipient and recipient host as input parameters or by command line arguments.

Why Use Emil?
*************

* In the SUNET case, usage is obvious. A national network decides to migrate to MIME formatted mail. Emil is used by the hosts or sites unable to support MIME. The effect is outgoing MIME messages and incoming non-MIME messages.
* Another example is non-MIME sites receiving occasional MIME messages. Emil can be configured to convert these incoming MIME messages to old style RFC822 and convert the Base64 encodings to uuencode or BinHex.
* Emil can be used as a tool. A user unable to decode MIME messages can convert those messages using Emil.
* et cetera.

Copyright
*********

Emil v2 is Copyright SUNET (The Swedish University Network).

License
*******

Emil v2 is made available under the terms of the GNU General Public License.

Where can it be found?
**********************

Emil is made available by anonymous ftp at ftp://ftp.uu.se/pub/unix/networking/mail/emil among other sites. The latest version can always be found at ftp.uu.se.

The Authors
***********

Emil v2 is written by Martin Wendel and Torbjorn Wictorin, both employed by UDAC, Uppsala university in Sweden.

=========================================================
Larry Sacherich sacherich@ppg.com
The opinions expressed are those of the writer and not of PPG Industries, Inc. nor of any PPG-associated companies.
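As an added example (not Emil's code, and not posted by anyone on the list), here is a Python sketch of three of the conversions the Emil description lists: RFC1522 header decoding, quoted-printable to 8-bit text, and base64 attachments re-encoded as uuencode blocks, which is what a gateway feeding a non-MIME client such as the ccMail one mentioned earlier would need. The sample message, its addresses and the attachment name are constructed for the example.

```python
"""Flatten a MIME message into an old-style RFC822 message.

Added example, not Emil's code: it performs three of the conversions the Emil
description lists (RFC1522 header decoding, quoted-printable to 8-bit text,
base64 attachments re-encoded as uuencode) so that a non-MIME gateway
receives something it can display.
"""
import binascii
import email
from email import policy

# Constructed sample message (not from the list archive): an RFC1522 From
# header, a quoted-printable ISO-8859-1 text part and a base64 attachment.
SAMPLE_MIME = (
    b"From: =?ISO-8859-1?Q?Markus_M=F6ller?= <sender@example.invalid>\r\n"
    b"To: gateway@example.invalid\r\n"
    b"Subject: =?ISO-8859-1?Q?Pr=FCfung?=\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed; boundary=\"bnd\"\r\n"
    b"\r\n"
    b"--bnd\r\n"
    b"Content-Type: text/plain; charset=\"ISO-8859-1\"\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"Gr=FC=DFe aus Frankfurt\r\n"
    b"--bnd\r\n"
    b"Content-Type: application/octet-stream; name=\"rules.bin\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-Disposition: attachment; filename=\"rules.bin\"\r\n"
    b"\r\n"
    b"AAECAwQFBgcICQ==\r\n"
    b"--bnd--\r\n"
)

# Headers that only describe MIME structure; meaningless once the body is flat.
MIME_HEADERS = {"mime-version", "content-type", "content-transfer-encoding"}


def uuencode(data: bytes, name: str, mode: int = 0o644) -> str:
    """Classic uuencode block: begin line, 45-byte rows, '`' terminator, end."""
    lines = [f"begin {mode:o} {name}"]
    for i in range(0, len(data), 45):
        # backtick=True writes zero as '`' so no row ends in trailing spaces
        row = binascii.b2a_uu(data[i:i + 45], backtick=True)
        lines.append(row.decode("ascii").rstrip("\n"))
    lines.append("`")
    lines.append("end")
    return "\r\n".join(lines)


def uudecode(block: str) -> bytes:
    """Inverse of uuencode(); also accepts blocks with LF-only line endings."""
    lines = block.replace("\r\n", "\n").split("\n")
    out = bytearray()
    for line in lines[1:]:          # skip the begin line
        if line in ("`", "end"):
            break
        out += binascii.a2b_uu(line)
    return bytes(out)


def mime_to_plain(raw: bytes) -> bytes:
    """Convert a MIME message to a single-part 8-bit RFC822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # policy.default parses RFC1522 encoded words, so str(value) is already
    # the decoded header text.
    headers = [f"{name}: {value}" for name, value in msg.items()
               if name.lower() not in MIME_HEADERS]
    body = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)   # undoes QP or base64
        if part.get_content_maintype() == "text":
            charset = part.get_content_charset() or "us-ascii"
            body.append(payload.decode(charset))
        else:
            body.append(uuencode(payload, part.get_filename() or "attachment"))
    text = "\r\n".join(headers) + "\r\n\r\n" + "\r\n".join(body) + "\r\n"
    # Emit 8-bit Latin-1; Emil's separate "7bit conversion" step is not done here.
    return text.encode("iso-8859-1", errors="replace")


if __name__ == "__main__":
    print(mime_to_plain(SAMPLE_MIME).decode("iso-8859-1"))
```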
========================================================= From firewalls-owner Thu Apr 11 11:18:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id UAA07104 for firewalls-outgoing; Wed, 10 Apr 1996 20:32:30 -0700 (PDT) Received: from goaltender.ba.tis.com (goaltender.ba.tis.com [198.4.162.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id UAA07069 for ; Wed, 10 Apr 1996 20:32:19 -0700 (PDT) Received: by goaltender.ba.tis.com; id UAA00934; Wed, 10 Apr 1996 20:29:35 -0700 Received: from unknown(198.4.162.104) by goaltender.ba.tis.com via smap (V3.1) id xma000932; Wed, 10 Apr 96 20:29:01 -0700 X-Sender: thompson@198.4.162.2 Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 10 Apr 1996 19:30:50 -0700 To: Adam Safier From: thompson@tis.com (Bill Thompson) Subject: Re: Clarification on Encryption Export Using CKE Cc: heuman@mtnlake.com, firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 8:37 PM 4/9/96, Adam Safier wrote: > >As long as it is driven by the economy and not mandated by law I have no >problem. As someone who has lost/forgotten passwords I appreciate the >safety this would provide. (I also don't have a problem if an agency >_chooses_ to established a CKE program and then has to provide them as a >result of a court order.) > > > >Adam Safier >CSC-SED-Infosec >asafier@csc.com > >Expressed opinions are my own and might not be shared by my employer or >anyone else. I am only responding to the last part of your email, because I think we were in violent agreement throughout it, and in this portion I only want to add a small clarification to be sure we are completely clear on the subject. The TIS solution is a total private sector key recovery alternative to mandated government escrow for export, however, it does have some legal implications. 
There is no current restriction on domestic use of encryption technology, but for export there is a 64 bit key limit for US foreign subsidiaries, and certain restricted applications such as financial transactions. Other than that, the only exportable encryption is 40 bit key strength. These situations do not require escrow or key recovery, but most savvy users are building some sort of ad hoc recovery system anyway. TIS has combinined the user need for key recovery with the government requirement for escrow for export, and has prevailed in getting export approval for strong encryption by doing this, albeit not in the form the government originally intended since it is in the control of the private sector. Through this technique TIS can enable the consistent deployment of strong (64 bits in software) encryption technology so everyone can immediately use encrypted communications with not only foreign subsidiaries or for financial transactions, but also with customers, suppliers, and business partners. So to some degree adoption of CKE is motivated, if not required by the export laws. Ultimately, many companies may want to use this technique with all their encrypted information whether domestic or international, and it could result in all information having a recovery capability whether required by law or not, simply because it makes good business sense. Some in the community regard this as an underhanded government attempt to dictate how companies or individuals handle encryption without actually passing laws dictating it. Often they refer to CKE as "Son of Clipper", without benefit of knowledge as to what CKE really represents. TIS believes that no matter which direction the legislative, executive, or judicial branches take in loosening the export of encryption, we will eventually arrive at the same point, and that is: unlimited encryption strength with user controlled recovery mechanisms. 
There will never be enough government agents around to accomplish what they are supposed to do anyway, much less allow them time to harass private citizens without cause in a system they don't control. Currently, the government collectively in the form of the Interagency Working Group has opened an avenue in which CKE can serve as a catalyst to accomplish what we all need: Security on the Global Information Infrastructure. Therefore, TIS will continue to follow the path of least resistance in deployment and broad licensing of the CKE technology to help achieve that goal of global deployment. Sorry for the wordiness, I'll get off the soap box now. Let me know of any other thoughts. Regards, Bill *--------------------------------------------------------------------------* |R. William Thompson Business Development Consultant| |Trusted Information Systems thompson@ba.tis.com| |444 Castro Street (415) 962-8885, X3019| |Mountain View, CA 94041 Fax (415) 962-9330| |Home: 9305 Scenic Bluff Drive Home (512) 263-5936| |Austin, TX 78733 Home Fax (512) 263-9436| |75427.301@compuserve.com Bill_Thompson@compuserve.com| *--------------------------------------------------------------------------* From firewalls-owner Thu Apr 11 11:20:46 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA03639 for firewalls-outgoing; Thu, 11 Apr 1996 06:38:21 -0700 (PDT) Received: from brasil.moneng.mei.com (brasil.moneng.mei.com [151.186.109.160]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA03608 for ; Thu, 11 Apr 1996 06:38:05 -0700 (PDT) Received: (from jgreco@localhost) by brasil.moneng.mei.com (8.7.Beta.1/8.7.Beta.1) id IAA15530; Thu, 11 Apr 1996 08:33:43 -0500 From: Joe Greco Message-Id: <199604111333.IAA15530@brasil.moneng.mei.com> Subject: Re: Solaris2.5 and BSD* - Facts To: djr@saa-cons.co.uk (Dave Roberts) Date: Thu, 11 Apr 1996 08:33:43 -0500 (CDT) Cc: Firewalls@GreatCircle.COM In-Reply-To: from "Dave Roberts" at Apr 10, 
96 11:58:52 am X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > The last thing I want to do is start an O/S flame war, I think we've had > far too many of those already. What I am looking for are bare honest > facts. Not reasonable :-) Most things are opinions. As are mine: > I need to put in a bastion host to handle the proxying, DNS stuff, etc. I > would like to put this onto a pee-cee running BSD (either FreeBSD or > BSDOS2.0). However, someone above me in the chain of things wants me to > use a SparcServer running Solaris 2.5. I claimed that BSD was better > suited for the purpose, and he said prove it. > > AFAIK, the facts stand as follows (please corrent me if I am wrong). > BSD offers the immutable flag - Solaris does not. True. > BSD gives me source code - Solaris does not. False. You just have to pay an unreasonably high sum of money to obtain the source (IMHO). I've seen the source for both. > BSD allows me to compile stuff (ls etc) with static libs - Solaris does > not (if I remember a thread a while ago). Solaris will allow you to compile anything you want with static libs - but it gets sticky if you want anything that requires the nsswitch library. That would include most of the operations that do any sort of name lookup, DNS, getpwent stuff, etc. You can work around it, but it's a bear, and the solutions are all very ugly, at least the ones I've seen. > That's all I can think of. Please don't mail back with arguments about > having source code or not, or static libraries vs dynamic, think those > have been beaten to death :) Issue 4: Performance. Given identical hardware (FreeBSD vs Solaris X86), Solaris X86 is noticeably slower and requires more resources (CPU, RAM) in order to perform similarly. My interpretation of this is that it is caused by the endlessly "elegant" layering and modularization in the Solaris kernel. 
And anyone who has run SunOS 4.1.3 and Solaris 2.4 on a SPARC IPC will tell you the slowdown is readily apparent on SPARC machines as well. Issue 5: Reliability. My "stable and reliable" OS of choice for demanding applications (i.e. news) remains SunOS 4.1*. FreeBSD has always been "reasonably stable" in my opinion, but the ability to gain a month of uptime running a demanding application like news really didn't exist a year ago. FreeBSD is a rapidly evolving OS, and as I've watched it mature, the reliability factor has increased dramatically. At the current rate, I suspect it will pass up SunOS 4.1* in my book within a year. For less demanding applications, i.e. firewalls, routing, DNS, mail, etc., FreeBSD is already as reliable as anyone could ask for. :-) Solaris seems to have various less-obvious problems that will tend to classify a box running a particular application as being "very stable" (i.e. will run forever), "reasonably stable" (will run for a week or two), or "somewhat unstable" (crashes unpredictably). I've had a devil of a time trying to support that statement with facts, I am looking mainly at uptime's. Issue 6: Support. You get paid support (or can get it, at least) with Solaris. You may have to work at it to get support for FreeBSD. > What I would like are facts from people that have experience with both > systems, or something that people with one of those systems feel is a big > bonus, or a big headache. I'm assuming all the tools I want compile > equally well on both systems (whatever kind of libs are used). Bad assumption. Also, I am unhappy with Sun's divergence from traditional UNIX standards. For example, the inclusion of ACL's in Solaris 2.5... There is no clear cut winner. Both sides have strong advantages and disadvantages. You will need to evaluate, maybe even test, and arrive at your own conclusions. Some people have told me that I am very skewed towards FreeBSD, by the way, but I just don't see it in myself. 
I've _chosen_ to use FreeBSD for almost all of my applications because of the strong advantages that it holds for me. The disadvantages are minimal inconveniences _to_me_. This may not be true for other organizations. ... Joe ------------------------------------------------------------------------------- Joe Greco - Systems Administrator jgreco@ns.sol.net Solaria Public Access UNIX - Milwaukee, WI 414/546-7968 From firewalls-owner Thu Apr 11 12:08:04 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA19062 for firewalls-outgoing; Thu, 11 Apr 1996 10:17:05 -0700 (PDT) Received: from hamby1.lightside.net (hamby1.lightside.net [198.81.209.17]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA19056 for ; Thu, 11 Apr 1996 10:16:57 -0700 (PDT) Received: from localhost (jehamby@localhost) by hamby1.lightside.net (8.7.5/8.7.3) with SMTP id KAA00515; Thu, 11 Apr 1996 10:16:32 -0700 (PDT) X-Authentication-Warning: hamby1.lightside.net: jehamby owned process doing -bs Date: Thu, 11 Apr 1996 10:16:31 -0700 (PDT) From: Jake Hamby X-Sender: jehamby@hamby1 To: Dave Roberts cc: Firewalls Mailing List Subject: Re: Solaris2.5 and BSD* - Facts In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 10 Apr 1996, Dave Roberts wrote: > /* > * This is actually a resend, but I never saw the original on the list, > * and it was a day when our ISP appeared to have trans-atlantic problems. > * Sorry to anyone who's seen it already. > */ > > The last thing I want to do is start an O/S flame war, I think we've had > far too many of those already. What I am looking for are bare honest > facts. As one who has run both FreeBSD and Solaris 2.5 (on SPARC *and* PC!) I think I can give a pretty fair comparison. > AFAIK, the facts stand as follows (please corrent me if I am wrong). > BSD offers the immutable flag - Solaris does not. 
> BSD gives me source code - Solaris does not. > BSD allows me to compile stuff (ls etc) with static libs - Solaris does > not (if I remember a thread a while ago). > > That's all I can think of. Please don't mail back with arguments about > having source code or not, or static libraries vs dynamic, think those > have been beaten to death :) I just want to mention that Sun doesn't recommend compiling with static libraries for two reasons: The libc in Solaris is so HUGE, and if you link dynamically, you will automatically get the benefits of tuning to these libraries in future versions of Solaris. Also, there is no disadvantage to debugging a shared program vs. a statically linked one. In spite of all this, you CAN link statically if you so desire on either operating system! > What I would like are facts from people that have experience with both > systems, or something that people with one of those systems feel is a big > bonus, or a big headache. I'm assuming all the tools I want compile > equally well on both systems (whatever kind of libs are used). BSD comes with a development environment (GCC, GDB, and utilities). You'll probably want to get GCC if you use Solaris, since most free utilities compile best under it. Sun's commercial C compiler is still K&R oriented, and lacks the GCC extensions that certain software (especially GNU) likes to use. Solaris doesn't come with any C compiler standard, so you'd have to either find a GCC binary (the route I took) or buy Sun's commercial compiler (which I didn't want to do, after reading reviews of it). Once you have GCC, programs should compile equally well on either system, and since Solaris is the most popular commercial UNIX, and BSD is the most popular free/hacker Unix, there is usually little more than a compile-time #define's difference between the two. So the big question is: which offers better performance? Since the tasks you mentioned were all networking-related, I'd lean towards FreeBSD. 
Its 4.4BSD-based TCP/IP code is *very* robust, *very* fast, and has many built-in security features to log suspicious activity. Also, on a system with low memory (8MB-16MB), FreeBSD will definitely perform better than Solaris due to less swapping. But since you were referring to Solaris on SPARC, not PC, the added RAM and CPU horsepower of a SPARC (32MB RAM minimum, perhaps a 64-bit UltraSparc?) will definitely edge out the PC, even running a bigger System-V based OS. You'll have to consider cost, since a SPARC will obviously cost much more, and Solaris on X86 costs about $600, while FreeBSD does not. Also, Sun offers several models, like the Netra series and Firewall-1, which come with much of the software you need pre-loaded, so they may offer a more turn-key solution at first. Finally, you'll want to consider the ultimate reliability of a PC. With a Sun you're getting all workstation-grade components which could lead to less down-time and quicker repairs (if you have a hardware maintenance contract). Not that a PC is unreliable, but if you choose a PC, by all means get a "workstation-grade" variety. I lean towards Micron (don't forget the SCSI hard drives!) but definitely pick a top-tier brand. Anyway, choose whatever meets your needs the best, but hopefully these comments will give you some food for thought to justify whichever way you decide to go. > ObOffTopic: anyone know a tool to to base64 decoding? Some of my users > get their mail sent to ccMail, and their gateway doesn't understand MIME. > A DOS util to do with would be great (I can't convert *everyone* to Unix > and Pine! ;) The cc:Mail gateway at JPL converts cc:Mail attachments to and from MIME automatically. Perhaps you simply need a newer cc:Mail server! 
---Jake From firewalls-owner Thu Apr 11 12:17:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA13119 for firewalls-outgoing; Wed, 10 Apr 1996 21:36:08 -0700 (PDT) Received: from SterCtl.com (p216.iwl.net [204.177.208.216]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA13085 for ; Wed, 10 Apr 1996 21:35:56 -0700 (PDT) Received: (from dennis@localhost) by SterCtl.com (8.6.12/8.6.12) id WAA09491; Wed, 10 Apr 1996 22:36:09 -0600 From: Dennis Moroney Message-Id: <199604110436.WAA09491@SterCtl.com> Subject: Re: Solaris2.5 and BSD* - Facts To: djr@saa-cons.co.uk (Dave Roberts) Date: Wed, 10 Apr 1996 22:36:07 -0600 (CST) Cc: firewalls@greatcircle.com (firewalls) In-Reply-To: from "Dave Roberts" at Apr 10, 96 11:58:52 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk According to Dave Roberts: > > I need to put in a bastion host to handle the proxying, DNS stuff, etc. I > would like to put this onto a pee-cee running BSD (either FreeBSD or > BSDOS2.0). However, someone above me in the chain of things wants me to > use a SparcServer running Solaris 2.5. I claimed that BSD was better > suited for the purpose, and he said prove it. Throw kernel-based (and configurable) IP filtering into the pot. I have not tried it out but have heard it exists. 
-- Dennis Moroney From firewalls-owner Thu Apr 11 20:20:23 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA17757 for firewalls-outgoing; Thu, 11 Apr 1996 10:03:01 -0700 (PDT) Received: from typhoon.dial.pipex.net (typhoon.dial.pipex.net [158.43.128.46]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA17751 for ; Thu, 11 Apr 1996 10:02:56 -0700 (PDT) From: ac141@typhoon.dial.pipex.net Received: from progpc11.central.oa by typhoon.dial.pipex.net (8.7.4/) id SAA29638; Thu, 11 Apr 1996 18:01:23 +0100 (BST) Message-Id: <199604111701.SAA29638@typhoon.dial.pipex.net> Comments: Authenticated sender is To: firewalls@greatcircle.com Date: Thu, 11 Apr 1996 18:00:35 +0000 Subject: Finding domain name from IP address X-mailer: Pegasus Mail for Windows (v2.23) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We have a combination of registered and unregistered IP addresses on our network (no Internet connection yet). Is there a way I can find out who the unregistered ones are really registered to? 
Thanks for any help, Ben From firewalls-owner Thu Apr 11 20:22:12 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA04913 for firewalls-outgoing; Thu, 11 Apr 1996 07:02:30 -0700 (PDT) Received: from bill.halden.scandpower.no (bill.halden.scandpower.no [193.69.136.55]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA04826 for ; Thu, 11 Apr 1996 07:01:34 -0700 (PDT) Message-Id: <199604111401.HAA04826@miles.greatcircle.com> Received: from oaj.halden.scandpower.no by bill.halden.scandpower.no with SMTP (1.37.109.16/16.2) id AA233661087; Thu, 11 Apr 1996 15:58:07 +0200 X-Sender: oaj@bill.halden.scandpower.no X-Mailer: Windows Eudora Version 2.1 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 11 Apr 1996 16:07:20 -0500 To: firewalls@GreatCircle.COM From: Ole-Arnt Johnsen Subject: Digital Firewall for Unix Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Have anyone reviewed Digital Firewall for Unix ver.2.0. If so, please let me know. I have not seen any references to this product on the list. Thank you. *-----------------------------------------------------------------* Ole-Arnt Johnsen, Scandpower A/S, Os alle 9 N-1777 Halden, Norway Tlf. 
(+47) 69 18 41 00, Fax (+47) 69 18 44 35 X.400: G=Ole-Arnt S=Johnsen OU1=Halden P=Scandpower A=telemax C=no *-----------------------------------------------------------------* From firewalls-owner Thu Apr 11 20:25:08 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA14834 for firewalls-outgoing; Wed, 10 Apr 1996 21:57:39 -0700 (PDT) Received: from gemsgw.med.ge.com (gemsgw.med.ge.com [192.88.230.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA14818 for ; Wed, 10 Apr 1996 21:57:27 -0700 (PDT) Received: from gemed.med.ge.com (gemed.med.ge.com [3.7.12.4]) by gemsgw.med.ge.com (8.6.12/8.6.12) with ESMTP id XAA07310; Wed, 10 Apr 1996 23:53:36 -0500 Received: from meru (meru [3.70.200.55]) by gemed.med.ge.com (8.6.12/8.6.12) with SMTP id XAA14384; Wed, 10 Apr 1996 23:56:02 -0500 Message-Id: <199604110456.XAA14384@gemed.med.ge.com> Received: by meru (1.38.193.4/16.2) id AA01950; Thu, 11 Apr 1996 10:18:45 +0500 From: Sameer - The Terminator Subject: Re: High speed throughput firewalls... To: pokey@maddie.atlantic.com (Rick Romkey) Date: Thu, 11 Apr 96 10:18:45 IST Cc: firewalls@greatcircle.com In-Reply-To: <199604091635.MAA07974@maddie.atlantic.com>; from "Rick Romkey" at Apr 9, 96 12:35 (noon) Mailer: Elm [revision: 70.85] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I would like an answer to the same. ...Sam E-Mail : sameer@wiproge.med.ge.com Wipro GE Medical Systems - Bangalore sameer@wiproge.gemse.fr Name : Sameer [Sam] > > > Folks, > > Has anyone ever tried to firewall two networks that are connected via > highspeed networks such as FDDI? What type of firewall did you use? > Did you notice bottlenecking, etc? I'm looking for hard facts, not > sales pitches... 
> > -Rick > > ---------------------------------------------------------------------------- > Rick E Romkey | A T L A N T I C | Internet > pokey@atlantic.com | Computing Technology Corporation | Specialists > (203) 257-7163 | http://www.atlantic.com/ | > ----------------------------------------------------------------------------- > > From firewalls-owner Thu Apr 11 20:36:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA20672 for firewalls-outgoing; Thu, 11 Apr 1996 10:42:02 -0700 (PDT) Received: from kgbvax.network.com (kgbvax.network.com [129.191.202.58]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA20658 for ; Thu, 11 Apr 1996 10:41:51 -0700 (PDT) Received: (from ted@localhost) by kgbvax.network.com (8.6.9/8.6.9) id NAA06571 for firewalls@greatcircle.com; Thu, 11 Apr 1996 13:40:26 -0400 Date: Thu, 11 Apr 1996 13:40:26 -0400 From: Ted Doty Message-Id: <199604111740.NAA06571@kgbvax.network.com> To: firewalls@greatcircle.com Subject: Re: High speed throughput firewalls... In-Reply-To: Mail from 'Craig McLellan ' dated: Thu, 11 Apr 96 12:02:00 CDT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Rick Romkey wrote: > Has anyone ever tried to firewall two networks that are connected via > highspeed networks such as FDDI? What type of firewall did you use? > Did you notice bottlenecking, etc? I'm looking for hard facts, not > sales pitches... Last week at the Interop Engineer's conference, 2 people briefed their experiences. Bill Hancock from Network-1 spoke about a specific customer installation he worked on for very high speed firewalling, and Jim Hughes spoke about firewalling ATM/OC-3. 
You can get their papers from: http://www.network-1.com and http://www.network.com/~hughes -- - Ted -------------------------------------------------------------------------- Ted Doty, Network Systems Corporation | phone: +1 301 596-2270 8965 Guilford Road, Suite 250 | fax: +1 410 381-3320 Columbia, MD, 21046 USA | voice mail: (800) 233-1485 -------------------------------------------------------------------------- The opinion expressed in this message is fictitious. Any resemblence to real opinions, living or dead, is purely coincidental. From firewalls-owner Thu Apr 11 20:37:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA09930 for firewalls-outgoing; Wed, 10 Apr 1996 21:04:31 -0700 (PDT) Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id VAA09900 for ; Wed, 10 Apr 1996 21:04:08 -0700 (PDT) Received: from nmti.com (ficc@localhost) by uuneo.neosoft.com (8.7.5/8.7.4) with UUCP id WAA23501; Wed, 10 Apr 1996 22:00:29 -0500 (CDT) Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id VAA05384; Wed, 10 Apr 1996 21:47:22 -0500 Received: by sonic.nmti.com; id AA28593; Wed, 10 Apr 1996 21:47:20 -0500 From: peter@nmti.com (Peter da Silva) Message-Id: <9604110247.AA28593@sonic.nmti.com.nmti.com> Subject: Re: Solaris2.5 and BSD* - Facts To: djr@saa-cons.co.uk (Dave Roberts) Date: Wed, 10 Apr 1996 21:47:20 -0500 (CDT) Cc: Firewalls@GreatCircle.COM In-Reply-To: from "Dave Roberts" at Apr 10, 96 11:58:52 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We have both systems in-house. > BSD offers the immutable flag - Solaris does not. > BSD gives me source code - Solaris does not. > BSD allows me to compile stuff (ls etc) with static libs - Solaris does > not (if I remember a thread a while ago). 
- simpler chroot environment for proxies that require one. - harder to accidentally leave a hole open. - easier to strip out functionality. BSD has a simpler system administration interface. - harder to accidentally leave a hole open. - easier to strip out functionality. - easier to just plain understand. BSD requires fewer resources. - cheaper hardware. - easier to replace hardware. - justify redundancy. > ObOffTopic: anyone know a tool to to base64 decoding? Some of my users > get their mail sent to ccMail, and their gateway doesn't understand MIME. munpack? From firewalls-owner Thu Apr 11 20:59:13 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA23177 for firewalls-outgoing; Thu, 11 Apr 1996 11:09:46 -0700 (PDT) Received: from fmesch.dial.eunet.ch (fmesch.dial.eunet.ch [193.72.2.168]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA23156 for ; Thu, 11 Apr 1996 11:09:32 -0700 (PDT) Received: from fmesch (fmesch@localhost [127.0.0.1]) by fmesch.dial.eunet.ch (8.6.12/8.6.12) with SMTP id TAA00178; Thu, 11 Apr 1996 19:05:17 +0200 Message-ID: <316D3BCC.63F7719F@dial.eunet.ch> Date: Thu, 11 Apr 1996 19:05:16 +0200 From: Felix Meschberger X-Mailer: Mozilla 2.0 (X11; I; Linux 1.2.13 i486) MIME-Version: 1.0 To: Firewalls Mailing List Subject: ISOCOR N-PLEX Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi all together, I got hold of a paper called 'N-PLEX Frequently Asked Questions' describing a product called N-PLEX from ISOCOR. This is piece software for Windows NT to build Internet Accesses (Mail [SMTP and X.400 with Gateway], WWW and Directory Services based on X.500). ISOCOR claims this to be a secure and straight-forward solution. Does any one know something more about this product, it's features and it's security ? Thanks in advance for any info. 
As another point : ISOCOR says one of the advantages of NT is that it is C2 rated. Now I think having read in this list, that NT is only C2 rated if NOT connected to any network. Can anyone comment on this please ? Thanks for this, too. Cheers, Felix --------------------------------------------------------------------- Why use Windows when there's a stable public domain unix for free ? Felix Meschberger email : fmesch@dial.eunet.ch Pappelstrasse 38 phone : ++41 (0)61 482 14 07 CH-4123 Allschwil fax : yes, but fax modem not ready Switzerland --------------------------------------------------------------------- From firewalls-owner Thu Apr 11 21:22:16 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id UAA09089 for firewalls-outgoing; Wed, 10 Apr 1996 20:54:21 -0700 (PDT) Received: from relay6.UU.NET (relay6.UU.NET [192.48.96.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id UAA09071 for ; Wed, 10 Apr 1996 20:54:12 -0700 (PDT) Received: from balder.ssds.com by relay6.UU.NET with SMTP id QQakxr16013; Wed, 10 Apr 1996 23:51:47 -0400 (EDT) Received: (from mail@localhost) by balder.ssds.com (8.6.9/8.6.9.SSDSnet-hub) id VAA21915 for ; Wed, 10 Apr 1996 21:49:19 -0600 Received: from austin.ssds.com(134.127.24.1) by balder.ssds.com via smap (V1.3) id sma021910; Wed Apr 10 21:49:13 1996 Received: by austin.ssds.com id WAA05095; Wed, 10 Apr 1996 22:49:07 -0500 (CDT) Date: Wed, 10 Apr 1996 22:49:07 -0500 (CDT) Message-Id: <199604110349.WAA05095@austin.ssds.com> X-Sender: jdm@austin.ssds.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@GreatCircle.COM From: Jeff Maddox Subject: Sun OS Vs Solaris for secure servers Sender: firewalls-owner@GreatCircle.COM Precedence: bulk All, first I apologize for the length but the context of this is important. Also, I would really prefer not to start either a flame or religious war. 
I have a group of young SysAdmins who want to migrate all their Sun boxes to the same OS (Solaris 2.5 if they can get all their software to run on it, 2.4 if not). While I do not argue against the conversion of their general purpose or database servers to the same OS, I have real concern about moving the special purpose single function servers that perform the authentication, packet filtering and proxying (proxying?). At present we are running stripped, hardened versions of SunOS 4.1.4 and we have patched, moded and cleaned it to the max. While we know that the best solution is to have a kernel with source code, it wouldn't help as these guys (me too as I am not in that class of firewall engineer[yet]:-).)couldn't analyze it anyway. I, and others, are willing to trust the many people who have identified vulnerabilities and fixes in 4.1.4. My argument is that for these purposes you would have to strip Solaris to the bone anyway to close unnecessary potential holes and the act of striping Solaris is fraught with failure potential as no one I know is really certain about everything that could smack the server by being removed or what could be removed without killing it or making it unbootable. Also, the kernel is so complicated (I have been told, again without source, who can tell except by the size of the binary. A guess at best) that, I believe, potential holes must be there. However, the context is that of special purpose security servers that run one or a few small processes. What would Solaris posses that would make it more, or even as, secure in this specific instance? The final point is, we are also not talking about forever, just a year or two to allow you and the rest of the real beta, secure, OS testers to find and alert us and Sun to the potential holes and fixes. If I am off base then I would appreciate clarification, if not, evidence to allow me to end this controversy and get them moving on more important problems. Thanks in advance. 
Man is the only animal that can remain on friendly terms with the victims he intends to eat until he eats them. -- Samuel Butler

Jeff Maddox
SSDS Inc.
3102 Bee Caves Rd Suite A
Austin, TX 78746
Phone (512) 329-5731  FAX (512) 329-5726  Pager (800) 506-5617
E-Mail jeff.maddox@ssds.com

From firewalls-owner Thu Apr 11 21:37:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA20353 for firewalls-outgoing; Thu, 11 Apr 1996 10:37:47 -0700 (PDT)
Received: from essi.com (wormhole.essi.com [204.57.210.254]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA20347 for ; Thu, 11 Apr 1996 10:37:41 -0700 (PDT)
Received: by wormhole.essi.com id <29441-1>; Thu, 11 Apr 1996 10:50:54 -0700
Message-Id: <96Apr11.105054pdt.29441-1@wormhole.essi.com>
X-Mailer: Novell GroupWise 4.1
Date: Thu, 11 Apr 1996 10:38:10 -0700
From: Kevin Nelson
To: Firewalls@greatcircle.com, djr@saa-cons.co.uk
Subject: Hi Dave,
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi Dave,

Consider also the following: BorderWare, the best selling firewall now, is based on a BSD kernel, and runs on a cheap PC. On a Pentium 90, its throughput capability is roughly four times the speed of a T1. Solaris 2.5, on the other hand, is the basis for last year's bestselling firewall, Checkpoint. But it requires a dedicated Sparc station, which is never cheap.

If you want more information, contact me.

Kevin Nelson
ESSI

>>> Dave Roberts 4/10/96 3:58 am >>>
The last thing I want to do is start an O/S flame war, I think we've had far too many of those already. What I am looking for are bare honest facts.

I need to put in a bastion host to handle the proxying, DNS stuff, etc. I would like to put this onto a pee-cee running BSD (either FreeBSD or BSDOS2.0). However, someone above me in the chain of things wants me to use a SparcServer running Solaris 2.5. I claimed that BSD was better suited for the purpose, and he said prove it.

AFAIK, the facts stand as follows (please correct me if I am wrong).
BSD offers the immutable flag - Solaris does not.
BSD gives me source code - Solaris does not.
BSD allows me to compile stuff (ls etc) with static libs - Solaris does not (if I remember a thread a while ago).

That's all I can think of. Please don't mail back with arguments about having source code or not, or static libraries vs dynamic, think those have been beaten to death :)

What I would like are facts from people that have experience with both systems, or something that people with one of those systems feel is a big bonus, or a big headache. I'm assuming all the tools I want compile equally well on both systems (whatever kind of libs are used).

ObOffTopic: anyone know a tool to do base64 decoding? Some of my users get their mail sent to ccMail, and their gateway doesn't understand MIME. A DOS util to do it with would be great (I can't convert *everyone* to Unix and Pine! ;)

Thanks in advance,

Dave.
--
Dave Roberts, Unix Systems Administrator, SAA Consultants Ltd, Plymouth, UK.
"smap has the advantage [over bare sendmail] that it was written by someone who is almost certifiably paranoid" - Brent Chapman, London, 19 Oct 95.
-=[ For PGP 2.6.3i public key, send mail with subject of "get pgp" ]=-

Received: from relay7.UU.NET ([192.48.96.17]) by wormhole.essi.com with ESMTP id <29441-1>; Wed, 10 Apr 1996 21:05:45 -0700
Received: from miles.greatcircle.com by relay7.UU.NET with ESMTP id QQakxq12729; Wed, 10 Apr 1996 23:43:53 -0400 (EDT)
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id DAA25776 for firewalls-outgoing; Wed, 10 Apr 1996 03:54:17 -0700 (PDT)
Received: from smtpgate.saa-cons.co.uk (haddock.demon.co.uk [158.152.16.191]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id DAA25742 for ; Wed, 10 Apr 1996 03:54:04 -0700 (PDT)
Received: from haddock.saa-cons.co.uk by smtpgate.saa-cons.co.uk with SMTP (5.65/1.3-eef) id AA03210; Wed, 10 Apr 96 11:58:53 +0100
Received: by haddock.saa-cons.co.uk (AIX 3.2/UCB 5.64/5.00) id AA21759; Wed, 10 Apr 1996 11:58:53 +0100
Date: Wed, 10 Apr 1996 03:58:52 -0700
From: Dave Roberts
To: Firewalls Mailing List
Subject: Solaris2.5 and BSD* - Facts
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@greatcircle.com
Precedence: bulk

/*
 * This is actually a resend, but I never saw the original on the list,
 * and it was a day when our ISP appeared to have trans-atlantic problems.
 * Sorry to anyone who's seen it already.
 */

The last thing I want to do is start an O/S flame war, I think we've had far too many of those already. What I am looking for are bare honest facts.

I need to put in a bastion host to handle the proxying, DNS stuff, etc. I would like to put this onto a pee-cee running BSD (either FreeBSD or BSDOS2.0). However, someone above me in the chain of things wants me to use a SparcServer running Solaris 2.5. I claimed that BSD was better suited for the purpose, and he said prove it.

AFAIK, the facts stand as follows (please correct me if I am wrong).
BSD offers the immutable flag - Solaris does not.
BSD gives me source code - Solaris does not.
BSD allows me to compile stuff (ls etc) with static libs - Solaris does not (if I remember a thread a while ago).

That's all I can think of. Please don't mail back with arguments about having source code or not, or static libraries vs dynamic, think those have been beaten to death :)

What I would like are facts from people that have experience with both systems, or something that people with one of those systems feel is a big bonus, or a big headache. I'm assuming all the tools I want compile equally well on both systems (whatever kind of libs are used).

ObOffTopic: anyone know a tool to do base64 decoding? Some of my users get their mail sent to ccMail, and their gateway doesn't understand MIME. A DOS util to do it with would be great (I can't convert *everyone* to Unix and Pine! ;)

Thanks in advance,

Dave.
--
Dave Roberts, Unix Systems Administrator, SAA Consultants Ltd, Plymouth, UK.
"smap has the advantage [over bare sendmail] that it was written by someone who is almost certifiably paranoid" - Brent Chapman, London, 19 Oct 95.
-=[ For PGP 2.6.3i public key, send mail with subject of "get pgp" ]=-

From firewalls-owner Thu Apr 11 22:03:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA08808 for firewalls-outgoing; Thu, 11 Apr 1996 07:51:12 -0700 (PDT)
Received: from zorro.ruca.ua.ac.be (zorro.ruca.ua.ac.be [143.129.172.200]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA08778 for ; Thu, 11 Apr 1996 07:50:57 -0700 (PDT)
Received: by zorro.ruca.ua.ac.be (1.37.109.15/16.2) id AA269483825; Thu, 11 Apr 1996 16:43:45 +0200
Date: Thu, 11 Apr 1996 16:43:44 +0200 (METDST)
From: Marijke Verhavert
To: Firewalls@GreatCircle.COM
Subject: circuit-level gateways
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Can anyone give me some information about circuit level gateways? In what do they differ from the application-level gateways?
--> Are they just a subclass of the application level gateways?
--> Why should you choose an application-level gateway, and why a circuit-level gateway?

Thanks,
Marijke
mverhave@zorro.ruca.ua.ac.be

From firewalls-owner Thu Apr 11 22:24:16 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA10269 for firewalls-outgoing; Thu, 11 Apr 1996 08:17:37 -0700 (PDT)
Received: from typhoon.dial.pipex.net (typhoon.dial.pipex.net [158.43.128.46]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA10261 for ; Thu, 11 Apr 1996 08:17:31 -0700 (PDT)
From: ac141@typhoon.dial.pipex.net
Received: from progpc11.central.oa by typhoon.dial.pipex.net (8.7.4/) id QAA10907; Thu, 11 Apr 1996 16:15:58 +0100 (BST)
Message-Id: <199604111515.QAA10907@typhoon.dial.pipex.net>
Comments: Authenticated sender is
To: firewalls@greatcircle.com
Date: Thu, 11 Apr 1996 16:15:10 +0000
Subject: Packet Filtering - I'm Stuck
X-mailer: Pegasus Mail for Windows (v2.23)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We have a wide-area link to an external company. They use it to maintain machines on our LAN. We are about to implement an Internet connection. We do not want to permit this external company use of the Internet gateway.

Let's say I put packet filtering rules on the router that separates our LAN from the external gateway to only permit them telnet and ftp access to specific machines. Would it be possible for them to: telnet to a machine they are allowed to on our LAN, then telnet from there through the Internet gateway? Do I need to put rules on the Internet router to disallow this?

Thanks for any advice.
Ben

From firewalls-owner Thu Apr 11 23:17:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA27214 for firewalls-outgoing; Thu, 11 Apr 1996 12:08:04 -0700 (PDT)
Received: from nacg.trane.com (nacg.trane.com [198.80.4.199]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA27196 for ; Thu, 11 Apr 1996 12:07:46 -0700 (PDT)
Received: by nacg.trane.com id AA13124 (InterLock SMTP Gateway 3.0 for firewalls@greatcircle.com); Thu, 11 Apr 1996 14:05:36 -0500
Message-Id: <199604111905.AA13124@nacg.trane.com>
Received: by nacg.trane.com (Internal Mail Agent-1); Thu, 11 Apr 1996 14:05:36 -0500
From: "Norton, Dave"
To: Firewalls-post
Subject: Cracking NT via RAS
Date: Thu, 11 Apr 96 14:08:00 PDT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi gang,

We have a sister organization with a VPDN interconnected with our own with only router ACL's between 'em, filtering on "trusted" and "semi-trusted" IP address ranges only. Our org has limited security consciousness, theirs has none... They insist on putting Digi-boards directly on NT appl servers, and allow remote direct dial access into same [...cringe :-( ]. I imagine that war dialers and password guessing programs will work just as well on NT/RAS as UNIX - why not - so, if an interloper can gain a session on a "trusted" NT host, he/she ought to be able to freely island-hop over to our IP VPDN with impunity, right?

Second, without being too explicit, can someone out there tell me of their real tried and tested assessment as to the "swiss cheese" factor concerning security of the NT OS. Some of our "NT rocket scientists" around here persist in claiming that UNIX is not a secure environment, whereas NT is. I have to continually tell them that UNIX is much more secure(able) because we know where the holes in the cheese are... That we don't hear about NT security problems much because there hasn't been enough elapsed time since its birth to thoroughly probe and exploit it...

Any comments, feedback from outside my organization will be greatly appreciated, because I blew all my intellectual credibility in-house when I accepted employment here...

Sorry, but I can't tell you who we are, cause of what I've divulged to the world in this posting...

Nervous...

From firewalls-owner Thu Apr 11 23:32:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA26561 for firewalls-outgoing; Thu, 11 Apr 1996 11:59:15 -0700 (PDT)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA26544 for ; Thu, 11 Apr 1996 11:59:05 -0700 (PDT)
Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id NAA03523; Thu, 11 Apr 1996 13:49:44 -0500
From: Adam Shostack
Message-Id: <199604111849.NAA03523@homeport.org>
Subject: Re: re CKE: mandated by law
To: PADGETT@hobbes.orl.mmc.com (A. Padgett Peterson P.E. Information Security)
Date: Thu, 11 Apr 1996 13:49:43 -0500 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <960411090229.2022f359@hobbes.orl.mmc.com> from "A. Padgett Peterson P.E. Information Security" at Apr 11, 96 09:02:29 am
X-Mailer: ELM [version 2.4 PL24 ME8b]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I know that governments spy on companies. I know that many governments give the data they've stolen to national companies for business advantage. I don't see how Padgett can tell his employer to accept this without a full out fight.

But to answer the question about rants v. F-118 plans, many Western governments seem better at harassing the ranters than the spies. See CISPES, whom the FBI wasted thousands of man years on while Aldrich Ames sold secrets to the Soviets.

Adam

A. Padgett Peterson P.E.
Information Security wrote:
| Marcus wrote:
| > Many nations are now following the lead of the US, Russian,
| >and French governments, and are seeking to arrogate titular control
| >over encryption. I say "titular" because real, actual, control is
| >impossible and everyone with a clue knows it. All that will happen
| >is that export control regulations will be announced as the failure
| >they are, and governments will then argue that they need direct,
| >*domestic* control.
|
| That is one viewpoint and while it is possible for a citizen to thumb their
| nose at France or Belgium or ..., it is not possible for a large, multi-
| national corporation because they must do business there - and do you think
| it is barely-literate rants the govs want to intercept or the plans for
| the F-118 that they want to intercept ?
|
| This is why I am willing to accept a certain amount of key escrow (with
| restrictions I have stated many times) in exchange for the foreign
| agreements to use strong crypto *there*.
|
| Warmly,
| Padgett
|

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From firewalls-owner Thu Apr 11 23:40:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA16815 for firewalls-outgoing; Thu, 11 Apr 1996 09:50:50 -0700 (PDT)
Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA16791 for ; Thu, 11 Apr 1996 09:50:38 -0700 (PDT)
From: ken@bridge.com
Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.12/8.6.9) id LAA02686; Thu, 11 Apr 1996 11:42:36 -0500
Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma002673; Thu Apr 11 11:42:24 1996
Received: from ernie. (ernie.bridge.com) by ignatz.bridge.com with SMTP id AA25052 (5.67b/IDA-1.5); Thu, 11 Apr 1996 11:53:44 -0500
Received: by ernie. (SMI-8.6/SMI-SVR4) id LAA07606; Thu, 11 Apr 1996 11:44:46 -0500
Date: Thu, 11 Apr 1996 11:44:46 -0500
Message-Id: <199604111644.LAA07606@ernie.>
To: Firewalls@GreatCircle.COM, djr@saa-cons.co.uk
Subject: Re: Solaris2.5 and BSD* - Facts
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dave Roberts wrote:
>I need to put in a bastion host to handle the proxying, DNS stuff, etc. I
>would like to put this onto a pee-cee running BSD (either FreeBSD or
>BSDOS2.0). However, someone above me in the chain of things wants me to
>use a SparcServer running Solaris 2.5. I claimed that BSD was better
>suited for the purpose, and he said prove it.
...
>What I would like are facts from people that have experience with both
>systems, or something that people with one of those systems feel is a big
>bonus, or a big headache. I'm assuming all the tools I want compile
>equally well on both systems (whatever kind of libs are used).

For a very interesting comparison of Solaris 2.4, FreeBSD 2.0.5R, and Linux 1.2.8 on the exact same hardware (P100), see
http://plastique.stanford.edu/~mgbaker/publications/usenix96.bench.ps
An abstract in HTTP can be viewed at
http://www.usenix.org/publications/library/proceedings/sd96/lai.html

You'll have to make the assumption that the relevant architectural details of Solaris, and the resulting strengths/weaknesses, are consistent between the Sparc and Intel implementations. It's interesting to note for your application that FreeBSD excelled in taskswitching and networking.

One Dr. Dobb's Developer Update (a discontinued ~8 page supplement to DDJ) had a disappointingly sparse comparison of Solaris on a SS5 and P90. They noted that Sparcs typically excel in bus bandwidth as compared to the typical PC. However, I'd think that a PC with a modern bus and 16-bit ethernet cards would not break a sweat keeping up with a T1 connection, e.g.

You should also consider inhouse support and fallback systems; in our case we have adequate inhouse support for peecee hardware but precious little for Suns. Additionally, a spare peecee as a hot backup is cheaper and easier to find than a spare Sparc. So I've gone the Intel route even though I'm a Sun bigot at heart. I can tell you that a P120 running FreeBSD *screams*!

- KH

From firewalls-owner Fri Apr 12 00:05:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA26883 for firewalls-outgoing; Thu, 11 Apr 1996 12:04:16 -0700 (PDT)
Received: from disclosure.com (di2.disclosure.com [206.181.208.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA26843 for ; Thu, 11 Apr 1996 12:03:49 -0700 (PDT)
Received: (from scott@localhost) by disclosure.com (8.7.3/8.7.3) id PAA03863; Thu, 11 Apr 1996 15:05:00 -0400 (EDT)
Date: Thu, 11 Apr 1996 15:04:59 -0400 (EDT)
From: Scott Barman
To: Dave Roberts
cc: Firewalls Mailing List
Subject: Re: Solaris2.5 and BSD* - Facts
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 10 Apr 1996, Dave Roberts wrote:
> The last thing I want to do is start an O/S flame war, I think we've had
> far too many of those already. What I am looking for are bare honest
> facts.

I too am not trying to start an OS flame war. However, there's something in Solaris 2.5 that I can't get proper answers to (I've been playing telephone tag with my Sun rep) and it bothers me.

> (proposed use of BSD/OS vs Solaris removed)
>
> AFAIK, the facts stand as follows (please correct me if I am wrong).
> BSD offers the immutable flag - Solaris does not.
> BSD gives me source code - Solaris does not.
> BSD allows me to compile stuff (ls etc) with static libs - Solaris does
> not (if I remember a thread a while ago).

BSD does not have NIS integrated in every nook and cranny of the OS - Solaris does.
And now under 2.5, this may be more of a problem! Let me explain:

Last week, our web server (an Ultra running 2.5) somehow lost its identity. What I mean by that is that if programs were to do a uname(2) or sysinfo(2) call to get the nodename (not the same name as the network interfaces) and then do a gethostbyname call, it would get the address of the "outside" (internet) network interface and not the "internal" interface, as we want for our CGI scripts. While I didn't put this system together, the person who did assures me that it has been configured the same as the SS20 running 2.4 the web server was running on. I have confirmed this. However, it seems that there are differences and it's Solaris 2.5 causing them.

First, I found a program called nscd. If I RTFM, nscd(1M) says it's the "name service cache daemon." Huh? I respond dumbfoundedly. Isn't bind (in.named) supposed to do this?? But this system is not running a DNS, so what is this for? Further reading of TFM says it will cache the hosts database (among others) "through standard libc interfaces, such as gethostbyname(3N)...." Can we see the building of a problem??

In trying to figure out what it is and what it is doing, I ran truss on it (for those without Solaris or System V, truss lets you trace system calls). While it was working I found it making a call to door_info, door_call, and door_return. Back to RTFM; on the door(2) page I find it is a "Solaris 2.5 internal implementation detail." Oh really?? Sun calls it "a new flavor of interprocess communication" that "is not yet available for public consumption because the interface is still evolving." Just to give youse guys the same laugh I got, here is the WARNING from the man page:

    Please do not attempt to reverse-engineer the interface and program to it. If you do, your program will almost certainly fail to run on future versions of Solaris, and may even be broken by a patch. This document does not constitute an API. Doors may not exist or may have a completely different set of semantics in a future release.

The long and the short of it was that I killed nscd and restarted the web server and the problem went away!

BTW: nscd and the door system calls are not in 2.4. And I am still waiting for a call from Sun to explain this to me!

Does anyone out there know what it is? Is it safe? What impact on other things am I putting on the system by not running it? What is this new interface and why introduce it in something that can be a potential security hole? Yeah, sure they didn't tell "anyone" about it; if I had time I would reverse engineer it to see what it does--and believe me, if *I* can do that, anyone can!!

Back to the original question: This seems to be a case of Sun promoting Security by Obscurity! Is this who you want to trust your security systems to?? (OK, so I added it as a flame... but you sit here with company brass breathing down your back wondering why they can't demo a new feature to potential clients and see how happy you are!)

I will take any and all explanation from Sun. (telephone number available on request)

scott barman
--
scott barman            DISCLAIMER: I speak to anyone who will listen,
scott@disclosure.com    and I speak only for myself.
barman@ix.netcom.com    Java: Sun's answer to the Unix Virus!
From firewalls-owner Fri Apr 12 00:59:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA28061 for firewalls-outgoing; Thu, 11 Apr 1996 12:18:50 -0700 (PDT)
Received: from hosaka.smallworks.com (hosaka.SmallWorks.COM [192.207.126.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA28038 for ; Thu, 11 Apr 1996 12:18:39 -0700 (PDT)
Received: from butthead.SmallWorks.COM by hosaka.smallworks.com (5.x/SMI-SVR4) id AA09611; Thu, 11 Apr 1996 14:13:24 -0500
Received: by butthead.SmallWorks.COM (4.1/SPARCbook_POP1.3) id AA16114; Thu, 11 Apr 96 14:10:39 CDT
Date: Thu, 11 Apr 96 14:10:39 CDT
Message-Id: <9604111910.AA16114@butthead.SmallWorks.COM>
From: Jim Thompson
To: Doug.Hughes@Eng.Auburn.EDU
Cc: djr@saa-cons.co.uk, firewalls@GreatCircle.COM
In-Reply-To: (message from Doug Hughes on Thu, 11 Apr 1996 08:34:49 -0500)
Subject: Re: Solaris2.5 and BSD* - Facts
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> >BSD offers the immutable flag - Solaris does not.

The immutable flag is a hack.

> >BSD gives me source code - Solaris does not.
> Solaris source code licenses cost $$$.

So do BSDI licenses and Windows licenses. BSDI costs less than either, to be sure. Software costs, just like hardware.

Jim (and yes, I like 'free' software too.)
From firewalls-owner Fri Apr 12 01:08:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA09751 for firewalls-outgoing; Thu, 11 Apr 1996 08:07:37 -0700 (PDT)
Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA09745 for ; Thu, 11 Apr 1996 08:07:29 -0700 (PDT)
Received: from mnbp.network.com (ushub.network.com) by nsco.network.com (4.1/1.34) id AA02145; Thu, 11 Apr 96 10:08:35 CDT
Received: by mnbp.network.com with Microsoft Mail id <316D1EF6@mnbp.network.com>; Thu, 11 Apr 96 10:02:14 CDT
From: Greg Brennan
To: firewalls mailing list
Subject: FW: 3 ethernet router?
Date: Thu, 11 Apr 96 10:01:00 CDT
Message-Id: <316D1EF6@mnbp.network.com>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Try the Security Router from Network Systems Corp. The SR04 model comes with 4 ethernet ports and the industry's highest performance filtering software (NetSentry) which can do filtering from layers 2 through 7. Great logging and audit trail capabilities too. Home page at http://www.network.com

- Greg Brennan
Network Systems Corp.

----------
From: firewalls-owner
To: firewalls
Subject: 3 ethernet router?
Date: April 8, 1996 06:05PM

I'd like to implement a bastion type firewall. Most routers are available with 1 or 2 ethernet interfaces and a sync serial poe port. Where can I get a low cost filtering router with 3 ethernet interfaces?

joe
joe@via.net

From firewalls-owner Fri Apr 12 03:12:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA28829 for firewalls-outgoing; Thu, 11 Apr 1996 12:30:27 -0700 (PDT)
Received: from scifi.maid.com (scifi.emi.net [204.181.45.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA28802 for ; Thu, 11 Apr 1996 12:30:13 -0700 (PDT)
Received: (from njs@localhost) by scifi.maid.com (8.6.11/8.6.9) id PAA28028; Thu, 11 Apr 1996 15:12:44 -0400
Date: Thu, 11 Apr 1996 15:12:44 -0400 (EDT)
From: Nick Simicich
cc: firewalls@GreatCircle.COM
Subject: Re: Seeking Dream Firewall
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

On Wed, 10 Apr 1996, Adam Safier wrote:

> You might try IBM. Their NetSP firewall used to support socks when I looked
> at it last year. Throw a lot of hardware at it and you might even get
> reasonable performance from an IBM box..... (I'm not an IBM fan.)
>
> I think it will let you do all you want since it is a UNIX solution.
>
> At 05:09 PM 4/9/96 -0700, Larry Bennett wrote:
> >I'm looking for a firewall solution for a large retailer in the UK.
> >I haven't yet found any products that meet all their requirements, so
> >I'm posting this in the hope that vendors or any others who know of
> >appropriate products will respond.
> >
> >It's important that the product meet all of the requirements. I have
> >already found products that come close and some of them are relatively
> >attractive. Still, if there is a product that meets all the
> >requirements, I would like to know about it.
> >
> >Requirements are:
> >
> >- Complete, prebuilt solution. It should not require that additional
> > software be installed. Nor should the firewall be sold as separate
> > software that we must install onto a UNIX or other system.

Unfortunately, NetSP/SNG is sold as an add-on to a specific level of AIX. You can get it pre-built, but only as a consulting deal.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by mkpgp1.6, a Pine/PGP interface.

iQCVAwUBMW1ZjxRmU0oGr+olAQH3XgP6Asrv0rAS6baYMp6aXkn7uI44hl9ybgwQ
XCZyy1ttVkuvQtAWpKSOf62G7PdHLM8T6F8OPOgGYlCVGKywL32X433DlQaeBmlu
2DrK6k4DxiimPxXFrMpKL2l2NRTo1vLA3TM4E55v92Gsd6BqzEuBFZzo0hORwy+h
bR5a6sbr7bI=
=Tz/d
-----END PGP SIGNATURE-----

Nick Simicich - njs@scifi.emi.net - (last choice) njs@bcrvm1.vnet.ibm.com
http://scifi.emi.net/njs.html -- Stop by and Light Up The World!

From firewalls-owner Fri Apr 12 03:56:19 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id CAA23513 for firewalls-outgoing; Fri, 12 Apr 1996 02:59:05 -0700 (PDT)
Received: from seigate.sumiden.co.jp (seigate.sumiden.co.jp [133.153.22.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id CAA23501 for ; Fri, 12 Apr 1996 02:58:53 -0700 (PDT)
From: korekawa@rcom.sumiden.co.jp
Received: from seidns.sumiden.co.jp by seigate.sumiden.co.jp (8.6.9+2.4W/R8-seigate-1.3-02/08/96) with ESMTP id SAA06443; Fri, 12 Apr 1996 18:56:39 +0900
Received: by seidns.sumiden.co.jp (8.6.9+2.4W/R8-seidns-1.0-12/11/95) id SAA07820; Fri, 12 Apr 1996 18:56:39 +0900
Received: from optsei.sumiden.co.jp by seidns.sumiden.co.jp (8.6.9+2.4W/R8-seidns-inspection-1.1-02/08/96) with ESMTP id SAA07816; Fri, 12 Apr 1996 18:56:38 +0900
Received: from comcom.rcom.sumiden.co.jp by optsei.sumiden.co.jp (8.6.9+2.4W/R8-sumiden-generic/seiux-1.2-12/11/95) with SMTP id SAA12777; Fri, 12 Apr 1996 18:55:59 +0900
Received: from baba-yaga by comcom.rcom.sumiden.co.jp (5.61/6.4J.6-COMCOM-1.04) id AA25677; Fri, 12 Apr 96 18:58:51 +0900
Received: by baba-yaga.rcom.sumiden.co.jp (4.1/6.4J.6-FOCSS-2.00) id AA01312; Fri, 12 Apr 96 18:55:49 JST
Date: Fri, 12 Apr 96 18:55:49 JST
Message-Id: <9604120955.AA01312@baba-yaga.rcom.sumiden.co.jp>
To: firewalls@greatcircle.com
X-Url: mailto:firewalls@greatcircle.com
X-Mailer: Lynx, Version 2-4-1
X-Personal_Name: Norio Korekawa
Subject: mailto:firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Internet Watch
> March 1996
> _________________________________________________________________
>
> [1]http://alumni.caltech.edu/~dank/isdn/
>
> Net managers looking for the scoop on ISDN gear and services should
> point their Web browsers to this URL. A wealth of information on
> domestic and international tariffs and standards status make this site
> a serious resource, and there are plenty of hotlinks to equipment
> vendors and user groups. The page isn't pretty (and a couple of links
> were broken during Data Comm's flyby), but this is definitely the
> jumping-off place for ISDN evaluations.
>
> [2]http://www.astral.org/
>
> This is a good site to mine for white papers on all things token ring
> (especially switching). It's run by Astral (Alliance for Strategic
> Token Ring Advancement and Leadership), a vendor organization, so
> don't count on unbiased opinions.
>
> [3]firewalls@greatcircle.com
>
> This mailing list is the hot ticket for commercial and public-domain
> firewalls and related issues. Topics include newly discovered security
> shortfalls, product performance, and security implications of new
> apps. To subscribe, send e-mail with the phrase "subscribe
> firewalls-digest" in the body of the message. Net managers who want to
> hold down traffic should opt for the digest format, which compiles
> multiple messages.
>
> [4]cert-advisory-request@cert.org
>
> Corporate networkers spooked by security breaches should sign on to
> this mailing list, maintained by CERT (Computer Emergency Response
> Team). Founded by DARPA in the wake of 1988's Internet worm attack,
> CERT monitors security on networks around the world and acts as a
> clearinghouse for potential problems. Advisories are posted only after
> leaks have been patched, and they can be cryptic about the original
> weakness. To subscribe, send e-mail to the advisory list; messages
> should include e-mail address and desire to join.
> _________________________________________________________________

From firewalls-owner Fri Apr 12 04:38:19 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA28585 for firewalls-outgoing; Fri, 12 Apr 1996 04:03:18 -0700 (PDT)
Received: from mail.RC.Toronto.on.ca (rcooper.the-wire.com [198.53.192.91]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA28566 for ; Fri, 12 Apr 1996 04:01:52 -0700 (PDT)
Received: from rwcooper.47.206.205.in-addr.arpa ([205.206.47.2]) by mail.RC.Toronto.on.ca (post.office MTA v1.9.3 evaluation license) with SMTP id AAA226; Fri, 12 Apr 1996 06:59:39 -0400
Received: by rwcooper.47.206.205.in-addr.arpa with Microsoft Mail id <01BB283C.6AE8A180@rwcooper.47.206.205.in-addr.arpa>; Fri, 12 Apr 1996 06:51:03 -0400
Message-ID: <01BB283C.6AE8A180@rwcooper.47.206.205.in-addr.arpa>
From: Russ
To: "'Norton, Dave'"
Cc: "'Firewalls'"
Subject: RE: Cracking NT via RAS
Date: Fri, 12 Apr 1996 06:51:02 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

- NT RAS does not have to allow access to the network that the RAS server is attached to, it can be restricted to allowing access to the RAS server alone.
- NT logon security can force an account to be suspended after "x" invalid logon attempts. If they are set up to stay suspended until an administrator unlocks them you can limit the effect of a war-dialer/cracker program to DoS. Accounts can be suspended for a period of time as well. - If NT RAS has been set up to allow access to their network, and it is configured to use TCP/IP, then it is just a PPP server with security determined by the NT Domain security. This means they will be a node on their network. It can be set up to dynamically assign addresses from a DHCP server or a static range assigned on the server. It can also be set up to allow user selected addresses. Providing the RAS server is assigning addresses, you could filter on these addresses through your gateway thereby preventing these dial-in users access to your network. The dial-in user does not establish a "session" with the NT server. Of course, that being said, if they have access to their network and are running IP, its possible for them to subvert some machine on their network and use it (assuming its trusted) as their launchpad to your network, but this isn't an NT problem but a problem with PPP access to any network. Finally, in response to the question of the Swiss version of NT security. No OS is secure, unless it has been made secure. My security is not your security. NT, out of the box, is very unsecure. NT can be made relatively secure, although their is no way to do packet filtering on it. Frank Somar has written up some valid points about NT Security at http://www.somar.com/ which are worth reading. RPC is deemed to be the most insecure part of NT today, as through it a user who already has an account on an NT machine can access that NT machine's registry. The registry is a complex animal which stores configuration information about the NT machine's environment, and in the case of a Primary Domain Controller or Backup DC, it also contains the user accounts (SAM). 
All of the user account information is secured (even from the Administrator of the server) in encrypted format, so it is not as much at risk as the configuration information used by the machine. The registry can be made secure in a number of ways, but it is a tedious task. The Windows NT Resource Kit contains a tool to explain how to make the machine C2 compliant, but this is in a stand-alone configuration. The information, however, is still valuable in establishing base security.

Remember that NT RAS can be set up to allow IP, IPX, and NetBEUI connections, so make sure your gateway between your companies is only allowing IP across and not just bridging. Assuming that is the case, then filtering access from the RAS assigned IP addresses and insisting that they not allow user assigned addresses would be the best method of securing yourself from it, next to insisting that they put something like an ACE server in place.

By the sounds of things, however, this is not as much an NT security issue as it is a general security issue. Regardless of what kind of PPP server they put in place, and regardless of whether it is running on an NT machine or not, you will have these same problems. I suspect you were thinking that the RAS dial-in users would be appearing to your network with the IP address of the RAS/App NT server which you were trusting. Since this is not the case (that server's IP address is used as a router for the dial-in users, but not as a host), maybe your fears can be addressed more easily.

Cheers,
Russ

Second, without being too explicit, can someone out there tell me of their real tried and tested assessment as to the "swiss cheese" factor concerning security of the NT OS. Some of our "NT rocket scientists" around here persist in claiming that UNIX is not a secure environment, whereas NT is. I have to continually tell them that UNIX is much more secure(able) because we know where the holes in the cheese are...
That we don't hear about NT security problems much because there hasn't been enough elapsed time since its birth to thoroughly probe and exploit it...

Any comments, feedback from outside my organization will be greatly appreciated, because I blew all my intellectual credibility in-house when I accepted employment here... Sorry, but I can't tell you who we are, cause of what I've divulged to the world in this posting...

Nervous...

From firewalls-owner Fri Apr 12 04:38:18 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA28976 for firewalls-outgoing; Fri, 12 Apr 1996 04:08:34 -0700 (PDT)
Received: from mail.RC.Toronto.on.ca (rcooper.the-wire.com [198.53.192.91]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA28945 for ; Fri, 12 Apr 1996 04:07:54 -0700 (PDT)
Received: from rwcooper.47.206.205.in-addr.arpa ([205.206.47.2]) by mail.RC.Toronto.on.ca (post.office MTA v1.9.3 evaluation license) with SMTP id AAA225; Fri, 12 Apr 1996 07:05:41 -0400
Received: by rwcooper.47.206.205.in-addr.arpa with Microsoft Mail id <01BB283D.42D9B2A0@rwcooper.47.206.205.in-addr.arpa>; Fri, 12 Apr 1996 06:57:06 -0400
Message-ID: <01BB283D.42D9B2A0@rwcooper.47.206.205.in-addr.arpa>
From: Russ
To: "firewalls@GreatCircle.com" , "'Paul Ferguson'"
Subject: RE: Network Engineering Technologies Announces $10,000 Firewall Challenge
Date: Fri, 12 Apr 1996 06:57:04 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

"In the case of multiple break-ins, the first person sending the correct information to NET's e-mail address will be declared the winner."

Guess an intelligent hacker would simply sniff their email until a message with an answer appeared and replace the headers with their own, why bother with the secure transaction server at all???
Cheers,
Russ

From firewalls-owner Fri Apr 12 10:06:29 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA00146 for firewalls-outgoing; Fri, 12 Apr 1996 09:10:51 -0700 (PDT)
Received: from ibmmail.COM (ibmmail.com [199.171.26.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA01557 for ; Fri, 12 Apr 1996 04:53:11 -0700 (PDT)
From: gblolmxb@ibmmail.com
Message-Id: <199604121153.EAA01557@miles.greatcircle.com>
Received: from ibmmail by ibmmail.COM (IBM VM SMTP V2R3) with BSMTP id 1281; Fri, 12 Apr 96 07:50:22 EDT
Date: Fri, 12 Apr 1996 07:50:59 EDT
To: ac141@typhoon.dial.pipex.net, firewalls@greatcircle.com
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: Re Finding domain name from IP address
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ben said:
>We have a combination of registered and unregistered IP addresses on
>our network (no Internet connection yet).
>Is there a way I can find out who the unregistered ones are really
>registered to?

Try telnetting to rs.internic.net and run whois, or for European registrations, try info.ripe.net, or even ns.ripe.net.

Mark.
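The lookup Mark describes above, worked through as an added example that is not part of the post or of any registry's software: it first sorts a list of addresses seen on the local network into RFC 1918 private space (which is "unregistered" by definition, so no registry can say who holds it) and globally routable space worth asking about, then speaks the whois protocol itself (TCP port 43: one query line, read until the server closes) to rs.internic.net, the registry named in the post. The sample address list, the canned registry reply and the `FakeRegistry` transport are constructed here so the block runs offline; the field names `netname:`, `descr:` (RIPE style) and `OrgName:` (InterNIC/ARIN style) are real registry output keys, but the values below are invented.

```python
import ipaddress
import socket
from typing import List, Optional, Tuple

# RFC 1918 private space: addresses in here are "unregistered" by definition,
# so no registry can tell you who they belong to.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: addresses seen on an internal network (not from the post).
# 172.32.0.1 is deliberately just outside 172.16.0.0/12.
SAMPLE_ADDRESSES = ["10.1.2.3", "192.168.5.7", "172.20.0.9",
                    "198.51.100.7", "172.32.0.1"]

# Constructed whois reply in RIPE-style "key: value" layout; not real registry data.
CONSTRUCTED_REPLY = (
    b"% This is a constructed sample reply, not real registry data.\n"
    b"inetnum:      198.51.100.0 - 198.51.100.255\n"
    b"netname:      EXAMPLE-NET\n"
    b"descr:        Example Transport Co.\n"
    b"country:      XX\n"
)

# Fields registries use for the holder of a block: "netname:"/"descr:" (RIPE
# style) and "OrgName:" (InterNIC/ARIN style). Tried in this order.
OWNER_FIELDS = ("netname:", "orgname:", "descr:")


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def split_addresses(addrs: List[str]) -> Tuple[List[str], List[str]]:
    """Split into (private, lookup_candidates), keeping input order."""
    private, candidates = [], []
    for a in addrs:
        (private if is_rfc1918(a) else candidates).append(a)
    return private, candidates


def whois_query(query: str, server: str = "rs.internic.net", port: int = 43,
                connect=socket.create_connection, timeout: float = 10.0) -> str:
    """Whois over TCP/43: send one query line, read the reply until EOF."""
    with connect((server, port), timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks).decode("latin-1")  # registries are not all ASCII-clean


def registered_owner(reply: str) -> Optional[str]:
    """Return the holder named in a whois reply, or None if no known field is present."""
    lines = [ln.strip() for ln in reply.splitlines()
             if ln.strip() and not ln.startswith("%")]  # '%' lines are RIPE comments
    for field in OWNER_FIELDS:
        for line in lines:
            if line.lower().startswith(field):
                return line[len(field):].strip()
    return None


class FakeRegistry:
    """Stand-in for socket.create_connection that replays a canned reply offline."""

    def __init__(self, reply: bytes):
        self.reply, self.sent, self.pos = reply, b"", 0

    def __call__(self, address, timeout=None):
        self.address, self.pos = address, 0
        return self

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def sendall(self, data: bytes) -> None:
        self.sent += data

    def recv(self, n: int) -> bytes:
        chunk = self.reply[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk


def demo() -> Tuple[List[str], List[str], Optional[str]]:
    """Classify the sample addresses and look the first routable one up offline."""
    private, candidates = split_addresses(SAMPLE_ADDRESSES)
    registry = FakeRegistry(CONSTRUCTED_REPLY)
    owner = registered_owner(whois_query(candidates[0], connect=registry))
    return private, candidates, owner


if __name__ == "__main__":
    print(demo())
```

Dropping the `connect=` argument makes `whois_query` open a real TCP connection to the registry; the offline fake exists only so the exchange (query line out, reply read to EOF) can be checked without network access.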
From firewalls-owner Fri Apr 12 10:08:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA00869 for firewalls-outgoing; Fri, 12 Apr 1996 09:16:31 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA00391 for ; Fri, 12 Apr 1996 09:15:17 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id IAA24925; Fri, 12 Apr 1996 08:28:04 -0700
Received: from dns.eng.auburn.edu(131.204.10.13) by mycroft via smap (V1.3mjr) id sma024919; Fri Apr 12 08:27:49 1996
Received: from netman.eng.auburn.edu (netman.eng.auburn.edu [131.204.12.24]) by dns.eng.auburn.edu (8.7.4/8.6.4) with ESMTP id KAA10120; Fri, 12 Apr 1996 10:32:20 -0500 (CDT)
From: Doug Hughes
Received: (doug@localhost) by netman.eng.auburn.edu (SMI-8.6/8.6.4) id KAA22895; Fri, 12 Apr 1996 10:32:18 -0500
Date: Fri, 12 Apr 1996 10:32:18 -0500
Subject: Re: Sun OS Vs Solaris for secure servers
To: jeff.maddox@ssds.com
Cc: firewalls@greatcircle.com
Message-Id:
In-Reply-To: <199604110349.WAA05095@austin.ssds.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Experience is your best friend. Migrate your other machines to Solaris, gain some experience with it. When you feel comfortable with it, know the ins and outs, know the security holes, gain some good hard experience, then formulate your migration plan for your critical firewall/proxy machines.

Just my take..
--
____________________________________________________________________________
Doug Hughes                                  Engineering Network Services
System/Net Admin                             Auburn University
doug@eng.auburn.edu
Pro is to Con as progress is to congress

From firewalls-owner Fri Apr 12 10:10:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA13777 for firewalls-outgoing; Thu, 11 Apr 1996 09:04:52 -0700 (PDT)
Received: from server.pingnet.ch (server.pingnet.ch [194.148.8.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA13703 for ; Thu, 11 Apr 1996 09:04:37 -0700 (PDT)
Received: from [194.148.8.36] (line6.urdorf.pingnet.ch [194.148.8.36]) by server.pingnet.ch (8.6.9/8.6.9) with SMTP id SAA03153 for ; Thu, 11 Apr 1996 18:03:52 +0200
Message-Id: <199604111603.SAA03153@server.pingnet.ch>
To: "firewalls@GreatCircle.COM"
Date: Thu, 11 Apr 96 18:04:08 -0500
From: Matthias Koller
X-Mailer: E-Mail Connection v2.5.03
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-- [ From: Matthias Koller * EMC.Ver #2.5.02 ] --

signoff firewalls sandmann@pingnet.ch

From firewalls-owner Fri Apr 12 10:13:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id AAA09621 for firewalls-outgoing; Fri, 12 Apr 1996 00:57:25 -0700 (PDT)
Received: from tempus.ii.uni.wroc.pl (tempus.ii.uni.wroc.pl [156.17.4.97]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id AAA09602 for ; Fri, 12 Apr 1996 00:57:15 -0700 (PDT)
Received: from ares.ii.uni.wroc.pl (ares.ii.uni.wroc.pl [156.17.4.105]) by tempus.ii.uni.wroc.pl (8.7.1/8.6.11) with ESMTP id JAA12615 for ; Fri, 12 Apr 1996 09:54:59 +0200 (MET DST)
Received: (from roman@localhost) by ares.ii.uni.wroc.pl (8.7.1/8.6.11) id JAA01297 for firewalls@GreatCircle.COM; Fri, 12 Apr 1996 09:53:58 +0200 (MET DST)
Date: Fri, 12 Apr 1996 09:53:58 +0200 (MET DST)
From: Marcin.Roman@ii.uni.wroc.pl (Marcin Roman)
Organization: University of Wroclaw, Institute of Computer Science
Reply-To:
Posted-Date: Fri, 12 Apr 1996 09:53:58 +0200 (MET DST)
Message-Id: <199604120753.JAA01297@ares.ii.uni.wroc.pl>
To: firewalls@GreatCircle.COM
Subject: Sign Off
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

sign off roman@ii.uni.wroc.pl

From firewalls-owner Fri Apr 12 10:18:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA04692 for firewalls-outgoing; Thu, 11 Apr 1996 17:42:29 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA02968 for ; Thu, 11 Apr 1996 17:30:03 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id NAA20932; Thu, 11 Apr 1996 13:46:13 -0700
Received: from uu5.psi.com(38.145.226.3) by mycroft via smap (V1.3mjr) id sma020929; Thu Apr 11 13:45:49 1996
Received: from SMTP.CHILTONCO.COM by uu5.psi.com (5.65b/4.0.071791-PSI/PSINet) via SMTP; id AA12967 for firewalls@GreatCircle.COM; Thu, 11 Apr 96 16:49:03 -0400
Received: from Chilton_Radnor-Message_Server by chiltonco.com with Novell_GroupWise; Thu, 11 Apr 1996 15:34:49 -0500
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Thu, 11 Apr 1996 17:28:58 -0500
From: Tom James
To: firewalls@GreatCircle.COM
Subject: firewalls-digest V5 #163 -Reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I will be out of the office from 4/12 thru 4/19. All mail will be handled upon my return.
Regards
Tom James

From firewalls-owner Fri Apr 12 10:22:10 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA05035 for firewalls-outgoing; Thu, 11 Apr 1996 17:49:17 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA02897 for ; Thu, 11 Apr 1996 17:29:50 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id NAA20837; Thu, 11 Apr 1996 13:40:11 -0700
Received: from uu5.psi.com(38.145.226.3) by mycroft via smap (V1.3mjr) id sma020829; Thu Apr 11 13:39:15 1996
Received: from SMTP.CHILTONCO.COM by uu5.psi.com (5.65b/4.0.071791-PSI/PSINet) via SMTP; id AA11958 for Firewalls@GreatCircle.COM; Thu, 11 Apr 96 16:42:29 -0400
Received: from Chilton_Radnor-Message_Server by chiltonco.com with Novell_GroupWise; Thu, 11 Apr 1996 15:33:08 -0500
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Thu, 11 Apr 1996 17:28:58 -0500
From: Tom James
To: Firewalls@GreatCircle.COM
Subject: Firewalls-Digest V5 #148 -Reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I will be out of the office from 4/12 thru 4/19. All mail will be handled upon my return.
Regards
Tom James

From firewalls-owner Fri Apr 12 10:26:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA04971 for firewalls-outgoing; Thu, 11 Apr 1996 17:47:41 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA02932 for ; Thu, 11 Apr 1996 17:29:55 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id NAA20950; Thu, 11 Apr 1996 13:49:13 -0700
Received: from uu5.psi.com(38.145.226.3) by mycroft via smap (V1.3mjr) id sma020948; Thu Apr 11 13:48:33 1996
Received: from SMTP.CHILTONCO.COM by uu5.psi.com (5.65b/4.0.071791-PSI/PSINet) via SMTP; id AA13344 for firewalls@GreatCircle.COM; Thu, 11 Apr 96 16:51:49 -0400
Received: from Chilton_Radnor-Message_Server by chiltonco.com with Novell_GroupWise; Thu, 11 Apr 1996 15:35:39 -0500
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Thu, 11 Apr 1996 17:28:59 -0500
From: Tom James
To: firewalls@GreatCircle.COM
Subject: firewalls-digest V5 #171 -Reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I will be out of the office from 4/12 thru 4/19. All mail will be handled upon my return.
Regards
Tom James

From firewalls-owner Fri Apr 12 10:30:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA04789 for firewalls-outgoing; Thu, 11 Apr 1996 17:44:12 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA02978 for ; Thu, 11 Apr 1996 17:30:06 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id NAA20777; Thu, 11 Apr 1996 13:35:10 -0700
Received: from uu5.psi.com(38.145.226.3) by mycroft via smap (V1.3mjr) id sma020769; Thu Apr 11 13:35:00 1996
Received: from SMTP.CHILTONCO.COM by uu5.psi.com (5.65b/4.0.071791-PSI/PSINet) via SMTP; id AA10988 for firewalls@GreatCircle.COM; Thu, 11 Apr 96 16:38:16 -0400
Received: from Chilton_Radnor-Message_Server by chiltonco.com with Novell_GroupWise; Thu, 11 Apr 1996 15:34:43 -0500
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Thu, 11 Apr 1996 17:28:58 -0500
From: Tom James
To: firewalls@GreatCircle.COM
Subject: firewalls-digest V5 #161 -Reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I will be out of the office from 4/12 thru 4/19. All mail will be handled upon my return.
Regards
Tom James

From firewalls-owner Fri Apr 12 10:35:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA04881 for firewalls-outgoing; Thu, 11 Apr 1996 17:46:00 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA03001 for ; Thu, 11 Apr 1996 17:30:10 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id NAA20793; Thu, 11 Apr 1996 13:36:11 -0700
Received: from uu5.psi.com(38.145.226.3) by mycroft via smap (V1.3mjr) id sma020770; Thu Apr 11 13:35:02 1996
Received: from SMTP.CHILTONCO.COM by uu5.psi.com (5.65b/4.0.071791-PSI/PSINet) via SMTP; id AA10992 for firewalls@GreatCircle.COM; Thu, 11 Apr 96 16:38:17 -0400
Received: from Chilton_Radnor-Message_Server by chiltonco.com with Novell_GroupWise; Thu, 11 Apr 1996 15:34:46 -0500
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Thu, 11 Apr 1996 17:28:58 -0500
From: Tom James
To: firewalls@GreatCircle.COM
Subject: firewalls-digest V5 #162 -Reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I will be out of the office from 4/12 thru 4/19. All mail will be handled upon my return.
Regards
Tom James

From firewalls-owner Fri Apr 12 11:22:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id BAA13459 for firewalls-outgoing; Fri, 12 Apr 1996 01:25:28 -0700 (PDT)
Received: from gemsgw.med.ge.com (gemsgw.med.ge.com [192.88.230.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id BAA13390 for ; Fri, 12 Apr 1996 01:25:02 -0700 (PDT)
From: sameer@wiproge.med.ge.com
Received: from gemed.med.ge.com (gemed.med.ge.com [3.7.12.4]) by gemsgw.med.ge.com (8.6.12/8.6.12) with ESMTP id DAA26956; Fri, 12 Apr 1996 03:21:07 -0500
Received: from wiproge.med.ge.com (jogin [3.70.200.53]) by gemed.med.ge.com (8.6.12/8.6.12) with SMTP id DAA22302; Fri, 12 Apr 1996 03:23:37 -0500
Received: from everest.wiproge.med.ge.com (nilgiri) by wiproge.med.ge.com (4.1/SMI-4.1) id AA05829; Fri, 12 Apr 96 13:57:52+050
Received: by wiproge.med.ge.com (5.0/SMI-SVR4) id AA15086; Fri, 12 Apr 1996 13:57:47 +0500
Date: Fri, 12 Apr 1996 13:57:47 +0500
Message-Id: <9604121857.AA15086@wiproge.med.ge.com>
To: sameer@wiproge.med.ge.com, firewalls@GreatCircle.COM, Jasjit_K_Singh@amrcorp.com, boyd@france3.fr
Subject: Re: UUCP vs. Anonymous FTP
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

That is news to me too...Could you please elaborate on it..It might help to give me some added info..Thanks..Sam

From firewalls-owner Fri Apr 12 11:29:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id BAA13718 for firewalls-outgoing; Fri, 12 Apr 1996 01:27:14 -0700 (PDT)
Received: from gemsgw.med.ge.com (gemsgw.med.ge.com [192.88.230.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id BAA13694 for ; Fri, 12 Apr 1996 01:26:59 -0700 (PDT)
From: sameer@wiproge.med.ge.com
Received: from gemed.med.ge.com (gemed.med.ge.com [3.7.12.4]) by gemsgw.med.ge.com (8.6.12/8.6.12) with ESMTP id DAA26980; Fri, 12 Apr 1996 03:23:05 -0500
Received: from wiproge.med.ge.com (jogin [3.70.200.53]) by gemed.med.ge.com (8.6.12/8.6.12) with SMTP id DAA22322; Fri, 12 Apr 1996 03:25:28 -0500
Received: from everest.wiproge.med.ge.com (nilgiri) by wiproge.med.ge.com (4.1/SMI-4.1) id AA05842; Fri, 12 Apr 96 13:59:39+050
Received: by wiproge.med.ge.com (5.0/SMI-SVR4) id AA15096; Fri, 12 Apr 1996 13:59:34 +0500
Date: Fri, 12 Apr 1996 13:59:34 +0500
Message-Id: <9604121859.AA15096@wiproge.med.ge.com>
To: firewalls@GreatCircle.COM, Jasjit_K_Singh@amrcorp.com, boyd@france3.fr
Subject: Re: UUCP vs. Anonymous FTP
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

hi,

I did not include your mail for your reference..sorry.. ..sam

From: sameer@wiproge.med.ge.com
Hi, I think UUCP is any day more secure than anonymous ftp and better if you are using all ...

From Boyd:
that's an interesting statement. in '87 i was almost convinced to write a uucp worm, based on the premise that many uucp setups allow remote execute via mail. i decided against it.
----- End Included Message -----

From firewalls-owner Fri Apr 12 11:33:39 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id BAA14057 for firewalls-outgoing; Fri, 12 Apr 1996 01:28:31 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id BAA13797 for ; Fri, 12 Apr 1996 01:27:28 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id AAA22346; Fri, 12 Apr 1996 00:34:57 -0700
Received: from route1.france3.fr(194.51.91.1) by mycroft via smap (V1.3mjr) id sma022329; Fri Apr 12 00:34:36 1996
Received: from PACIFIC.mdrf.france3.fr. by route1.france3.fr (8.7.1/SMI-4.1) id JAA08410; Fri, 12 Apr 1996 09:38:31 GMT
Received: by PACIFIC.mdrf.france3.fr. (4.1/SMI-4.1) id AA15399; Fri, 12 Apr 96 09:39:00 GMT
From: Boyd Roberts
Date: Fri, 12 Apr 1996 09:36:04 GMT
To: sameer@wiproge.med.ge.com, firewalls@GreatCircle.COM, Jasjit_K_Singh@amrcorp.com
Subject: Re: UUCP vs. Anonymous FTP
In-Reply-To: <9604110033.AA29165@wiproge.med.ge.com>
Message-Id: <199604120936.11160.fw.bafem@france3.fr>
X-Face: "9FXa*}.a4Ig(\sR0OM#]_y|o`\^3d}2f+7(xe0-vrPty-IDXF?pIZ<]+6t6*4`$o.O$bfZ+O=Y#@~tCyN-k|k,v84QVoh(? J`Xat3vNF!wX+{RuJ[{X?3x^4HR7h`I.z&>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From: sameer@wiproge.med.ge.com
Hi, I think UUCP is any day more secure than anonymous ftp and better if you are using all ...

that's an interesting statement. in '87 i was almost convinced to write a uucp worm, based on the premise that many uucp setups allow remote execute via mail. i decided against it.
From firewalls-owner Fri Apr 12 11:37:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA15091 for firewalls-outgoing; Thu, 11 Apr 1996 09:20:56 -0700 (PDT)
Received: from sparky.cassens.com (gatekeeper.cassens.com [199.217.138.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA15074 for ; Thu, 11 Apr 1996 09:20:47 -0700 (PDT)
Received: (from smap@localhost) by sparky.cassens.com (8.6.11/8.6.9) id MAA15233; Thu, 11 Apr 1996 12:24:20 -0500
Received: from zed.cassens.com(204.27.204.71) by sparky.cassens.com via smap (V1.3) id sma015231; Thu Apr 11 12:24:00 1996
Received: (from pj@localhost) by zot.cassens.com (8.6.12/8.6.12) id LAA05021; Thu, 11 Apr 1996 11:15:41 -0500
From: Phillippe Welsh
Message-Id: <199604111615.LAA05021@zot.cassens.com>
Subject: Re: UUCP vs. Anonymous FTP
To: tufa@lclsv.sfos.ro (Tufa Lucian)
Date: Thu, 11 Apr 1996 11:15:40 CDT
Cc: firewalls@GreatCircle.COM
In-Reply-To: ; from "Tufa Lucian" at Apr 11, 96 12:13 (noon)
X-Mailer: Elm [revision: 109.14]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 9 Apr 1996, Jasjit K Singh wrote:
>
> Hi,
>
> We are planning to replace UUCP with anonymous
> FTP for transferring files. I would like to get
> information on security issues of anonymous FTP
> and the do's and don'ts. What are the benefits
> of this and what is the latest release of
> anonymous FTP that is considered stable and safe
> enough. Any information will be welcome. Thanks!!

Check out "How to set up a Secure Anonymous FTP Site" FAQ from:

http://iss.net/sec_info/anonftp.html

--
Internet:            | Phillippe J. Welsh     |
welshpj@cassens.com  | Cassens Transport      | Std disclaimers apply.
Voice:               | 145 N. Kansas Str.     | (But you knew that!)
                     | Edwardsville, IL 62025 |

From firewalls-owner Fri Apr 12 11:45:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id BAA13190 for firewalls-outgoing; Fri, 12 Apr 1996 01:23:41 -0700 (PDT)
Received: from gemsgw.med.ge.com (gemsgw.med.ge.com [192.88.230.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id BAA13154 for ; Fri, 12 Apr 1996 01:23:28 -0700 (PDT)
From: sameer@wiproge.med.ge.com
Received: from gemed.med.ge.com (gemed.med.ge.com [3.7.12.4]) by gemsgw.med.ge.com (8.6.12/8.6.12) with ESMTP id DAA26917; Fri, 12 Apr 1996 03:18:36 -0500
Received: from wiproge.med.ge.com (jogin [3.70.200.53]) by gemed.med.ge.com (8.6.12/8.6.12) with SMTP id DAA22262; Fri, 12 Apr 1996 03:21:06 -0500
Received: from everest.wiproge.med.ge.com (nilgiri) by wiproge.med.ge.com (4.1/SMI-4.1) id AA05812; Fri, 12 Apr 96 13:55:21+050
Received: by wiproge.med.ge.com (5.0/SMI-SVR4) id AA15069; Fri, 12 Apr 1996 13:55:16 +0500
Date: Fri, 12 Apr 1996 13:55:16 +0500
Message-Id: <9604121855.AA15069@wiproge.med.ge.com>
To: firewalls-digest@GreatCircle.com, srm@adiblr1.soft.net
Subject: Re: internet connection
Cc: ram@adiblr1.soft.net
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

The router you are using should be supporting disabling by IP addresses. I don't remember the exact syntax but you should be able to do it. ..Try it..Sam..Do let me know what happened...

E-Mail : sameer@wiproge.med.ge.com        Wipro GE Medical Systems - Bangalore
         sameer@wiproge.gemse.fr
Name   : Sameer [Sam]

----- Begin Included Message -----

From firewalls-owner@GreatCircle.COM Fri Apr 12 12:55:52 1996
Date: Thu, 11 Apr 1996 17:12:38 +0500 (GMT+0500)
From: "S.Ramalingam"
Subject: internet connection
To: firewalls-digest@GreatCircle.com
Cc: ram@adiblr1.soft.net
Mime-Version: 1.0

Hello

We are having pentium machines running with PCNFSpro 1.1 windows version. In my company, we are having radiolink to access internet.
Our Management does not want to give permission to everyone to access internet except for few people. Right now all the staff members are using netscape to use internet. We cannot control the staff members. We having router connected with RF link.

IS THERE ANYWAY TO CONTROL THE PEOPLE TO ACCESS THE INTERNET BASED ON IP ADDRESS. Our default gateway is Router.

Ramalingam

----- End Included Message -----

From firewalls-owner Fri Apr 12 11:49:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA11630 for firewalls-outgoing; Thu, 11 Apr 1996 08:40:05 -0700 (PDT)
Received: from ns1.eds.com (ns1.eds.com [192.85.154.78]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA11624 for ; Thu, 11 Apr 1996 08:40:00 -0700 (PDT)
Received: by ns1.eds.com (hello) id LAA20797; Thu, 11 Apr 1996 11:36:28 -0400
Received: by nnsa.eds.com (hello) id LAA27356; Thu, 11 Apr 1996 11:35:57 -0400
Received: from josh.itp.eds.com (josh.itp.eds.com [204.230.136.189]) by plan9.itp.eds.com (8.6.12/8.6.9) with SMTP id LAA26848; Thu, 11 Apr 1996 11:58:23 -0400
Message-Id: <1.5.4b12.32.19960411153723.006bc224@mail.itp.eds.com>
X-Sender: josh@mail.itp.eds.com
X-Mailer: Windows Eudora Light Version 1.5.4b12 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 11 Apr 1996 11:37:23 -0400
To: "A. Padgett Peterson P.E. Information Security" , firewalls@GreatCircle.COM
From: Joshua Cole
Subject: Re: re CKE: mandated by law
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:02 AM 4/11/96 -0400, A. Padgett Peterson P.E. Information Security wrote:
>That is one viewpoint and while it is possible for a citizen to thumb their
>nose at France or Belgium or ..., it is not possible for a large, multi-
>national corporation because they must do business there - and do you think
>it is barely-literate rants the govs want to intercept or the plans for
>the F-118 that they want to intercept ?
>
>This is why I am willing to accept a certain amount of key escrow (with
>restrictions I have stated many times) in exchange for the foreign
>agreements to use strong crypto *there*.

I'm sure that this has been covered before, but I'll re-state some things anyway.

Problem 1: With key escrow, the legal tests for probable cause to decrypt messages and release the "magic" key(s) can be different throughout the world. In other words, one man's probable cause is another man's fascism. Sure, nobody in the US Government is going to care about secret DoD plans (unless they're spies). That doesn't address the rest of the world. Multinational corporations may not have a choice of crypto systems if they want to do business in a given country, but they don't have to like it.

Problem 2: No matter how much governments mandate this, that or the other thing, do you really think that the criminals and terrorists care? Heck no, they're criminals and terrorists! They're going to protect their information with the best cryptographic tools that money can buy (or can be FTP'd).

Neither problem can be legislated away.

--Joshua Cole
EDS
I don't speak for my employer and they aren't interested in what I have to say anyway.
From firewalls-owner Fri Apr 12 11:57:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id BAA17114 for firewalls-outgoing; Fri, 12 Apr 1996 01:57:20 -0700 (PDT)
Received: from myall.awadi.com.au (myall.awadi.com.AU [150.207.2.65]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id BAA17089 for ; Fri, 12 Apr 1996 01:57:08 -0700 (PDT)
Received: from bunya.awadi ([150.207.2.63]) by myall.awadi.com.au (8.7.5/8.7.5) with SMTP id SAA09683; Fri, 12 Apr 1996 18:24:16 +0930 (CST)
Received: from mallee.awadi by bunya.awadi (5.x/SMI-SVR4) id AA15865; Fri, 12 Apr 1996 18:24:08 +0930
Received: by mallee.awadi (SMI-8.6/SMI-SVR4) id SAA04874; Fri, 12 Apr 1996 18:24:08 +0930
From: blymn@awadi.com.au (Brett Lymn)
Message-Id: <199604120854.SAA04874@mallee.awadi>
Subject: Re: Solaris2.5 and BSD* - Facts
To: jim@butthead.SmallWorks.COM (Jim Thompson)
Date: Fri, 12 Apr 1996 18:24:08 +0930 (CST)
Cc: firewalls@greatcircle.com
In-Reply-To: <9604111910.AA16114@butthead.SmallWorks.COM> from "Jim Thompson" at Apr 11, 96 02:10:39 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

According to Jim Thompson:
>
>> >BSD gives me source code - Solaris does not.
>> Solaris source code licenses cost $$$.
>So do BSDI licenses and Windows licenses. BSDI costs less than
>either, to be sure.
>

Ahhh but FreeBSD and NetBSD do not. Well, admittedly, you can buy the cdrom which will set you back < $50 but it is still a very low price option.

>Software costs, just like hardware.
>

Hmmm the words "all the market can bear" come to mind. Software seems particularly bad for this. I am not saying that programmers should not get paid for their work nor that it justifies pirating the software but I find a large discrepancy between the amount of money charged for a package and what you actually get.
Yeah sure there are overheads, costs of printing manuals, distributing blah blah blah but the price asked is still steep. Especially these days when a lot of companies are distributing software on CD-ROM, this cuts a big cost item from the package - duplicating disks. Did we see a drop in price due to this? Hell no. Even worse is when you look at the Unix software market - it seems like a license to add a 0 to the end of the price. I refuse to believe that the cost of programming in a unix environment is higher than that of windows. Sure you need to target each platform so paying a bit more would not be unreasonable. Some companies (WordPerfect aka Novell) did not even charge more for their unix versions. In fact, in some cases it was cheaper to buy the unix version.

<\rant>

>(and yes, I like 'free' software too.)
>

So do I - The only commercial software I have bought is Doom I & II because I liked them so much and the price was reasonable....

--
Brett Lymn, Computer Systems Administrator, AWA Defence Industries
===============================================================================
"Upgrading your memory gives you MORE RAM!" - ad in MacWAREHOUSE catalogue.
From firewalls-owner Fri Apr 12 12:01:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA15100 for firewalls-outgoing; Thu, 11 Apr 1996 09:21:09 -0700 (PDT)
Received: from gaia.internex.net (gaia.internex.net [198.67.38.22]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA15092 for ; Thu, 11 Apr 1996 09:21:00 -0700 (PDT)
Received: from hidata.com by gaia.internex.net (8.6.9/InterNex-SM8.6.9) id JAA22119; Thu, 11 Apr 1996 09:18:50 -0700
Received: by hidata.com (SMI-8.6/SMI-SVR4) id JAA14975; Thu, 11 Apr 1996 09:18:47 -0700
Received: from osc(205.158.62.10) by hds-gw via smap (V1.3) id sma014973; Thu Apr 11 09:18:28 1996
Received: from enterprise by osc.hidata.com (SMI-8.6/SMI-SVR4) id JAA05255; Thu, 11 Apr 1996 09:18:27 -0700
Date: Thu, 11 Apr 1996 09:18:27 -0700
Message-Id: <199604111618.JAA05255@osc.hidata.com>
X-Sender: bstout@osc.hidata.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: Bill Stout
Subject: Re: CKE: mandated by law
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>
> Many nations are now following the lead of the US, Russian,
>and French governments, and are seeking to arrogate titular control
>over encryption. I say "titular" because real, actual, control is
>impossible and everyone with a clue knows it. All that will happen
>is that export control regulations will be announced as the failure
>they are, and governments will then argue that they need direct,
>*domestic* control. We're starting to see the early rumbles of
>that game from the FBI and Janet Reno, and every time there's a
>Unabomber or Freemen or Koresh we can expect another "Good thing
>they didn't use STRONG CRYPTO or we'd never have caught them"
>argument.
>
> What's so laughable about the whole thing is that I live
>in a town where the drug dealers do their deals in the clear with
>pagers and cellphones and law enforcement is still helpless. If
>they're helpless and incompetent against an enemy using no
>communications security at all, they should just give up about
>dealing with the *real* terrorists and spies who actually know
>what they're doing. Unless the KGB has agreed to escrow their
>one-time-pads with Ft Meade, the only benefit all this escrow
>crap will have for the government is helping them watch us
>honest but pissed-off citizens, and lining the coffers of
>revolving-door defense contractors.
>
>mjr.
>
>

I agree 100%. Outlaw secret crypto, and only crooks will have secret crypto. This will only impact business and personal use of the internet, with zero impact on crime. (Reminds me of the Panama invasion, which was justified by drug traffic reasons, which of course increased afterwards. Noriega probably wasn't sharing his cut.)

As usual, I believe the propaganda machine is manipulating opinion/law by associating a technology with drugs/terrorism/child molesters/killers. One could outlaw sports cars or station wagons that way.

Regardless of the outcome of secret vs. registered keys, I believe there will be a plethora of encryption products next year. Either way, criminal organizations will use strong secret crypto without escrow.
From firewalls-owner Fri Apr 12 12:12:03 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id BAA13437 for firewalls-outgoing; Fri, 12 Apr 1996 01:25:22 -0700 (PDT) Received: from brian.dynasuk.co.uk (brian.dynasuk.co.uk [194.200.17.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id BAA13381 for ; Fri, 12 Apr 1996 01:24:55 -0700 (PDT) Received: (from uucp@localhost) by brian.dynasuk.co.uk (8.6.11/8.6.9) id JAA25858; Fri, 12 Apr 1996 09:22:20 +0100 Received: from zeberdee.dynasuk.co.uk(192.188.129.134) by brian.dynasuk.co.uk via smap (V1.3) id sma025856; Fri Apr 12 09:22:03 1996 Received: from zeberdee.dynasuk.co.uk (zeberdee.dynasuk.co.uk [192.188.129.134]) by zeberdee.dynasuk.co.uk (8.6.12/8.6.12) with SMTP id JAA04134; Fri, 12 Apr 1996 09:24:46 +0100 Date: Fri, 12 Apr 1996 09:24:46 +0100 (BST) From: Martin Hepworth To: "Norton, Dave" cc: Firewalls-post Subject: Re: Cracking NT via RAS In-Reply-To: <199604111905.AA13124@nacg.trane.com> Message-ID: X-Address: DynaSoft 8 South Parade Summertown Oxford OX2 7JL UK X-Voice: +44 (01)865 316333 X-Fax: +44 (01)865 316444 X-WWW: http://www.dynas.se MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 11 Apr 1996, Norton, Dave wrote: > > Hi gang, > We have a sister organization with a VPDN interconnected with > our own with only router ACL's between 'em, filtering on "trusted" > and "semi-trusted" IP address ranges only. Our org has limited > security consciousness, theirs has none... They insist on putting > Digi-boards directly on NT appl servers, and allow remote direct > dial access into same [...cringe :-( ]. > > I imagine that war dialers and password guessing programs will > work just as well on NT/RAS as UNIX - why not - so, if an interloper > can gain a session on a "trusted" NT host, he/she ought to be able > to freely island-hop over to our IP VPDN with impunity, right?
> > Second, without being too explicit, can someone out there tell > me of their real tried and tested assessment as to the "swiss > cheese" factor concerning security of the NT OS. Some of our > "NT rocket scientists" around here persist in claiming that UNIX is > not a secure environment, whereas NT is. I have to continually > tell them that UNIX is much more secure(able) because we know > where the holes in the cheese are... That we don't hear about > NT security problems much because there hasn't been enough > elapsed time since its birth to thoroughly probe and exploit it... check out the ntsecurity dudes on their mailing list... ntsecurity-request@iss.net with "subscribe ntsecurity" in the message body > > Any comments, feedback from outside my organization will be greatly > appreciated, because I blew all my intellectual credibility in-house > when I accepted employment here... Sorry, but I can't tell you who > we are, cause of what I've divulged to the world in this posting... > So did you mail from your employer's 'trane.com' ;-) ***************************************************************** * Martin Hepworth * Tel No.
+44 (0)1865 316333 * * Dynasoft Ltd * GSM +44 (0)468 461684 * * 8 South Parade * Fax +44 (0)1865 316444 * * Summertown * Support +44 (0)1865 316070 * * Oxford * E-mail: martin@dynasuk.co.uk * * OX2 7JL, UK * WWW : http://www.dynas.se * ***************************************************************** 1st rule of computer security - WYDSIWGY: What You Don't See Is What Gets You From firewalls-owner Fri Apr 12 14:37:39 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA04121 for firewalls-outgoing; Fri, 12 Apr 1996 09:42:27 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA00986 for ; Fri, 12 Apr 1996 09:16:48 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id HAA24710; Fri, 12 Apr 1996 07:37:59 -0700 From: Iltis@aol.com Received: from emout04.mail.aol.com(198.81.10.12) by mycroft via smap (V1.3mjr) id sma024708; Fri Apr 12 07:37:38 1996 Received: by emout04.mail.aol.com (8.6.12/8.6.12) id KAA05355 for firewalls-digest@greatcircle.com; Fri, 12 Apr 1996 10:42:11 -0400 Date: Fri, 12 Apr 1996 10:42:11 -0400 Message-ID: <960412104210_189766973@emout04.mail.aol.com> To: firewalls-digest@greatcircle.com Subject: Re: Sign Off Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sign off iltis@aol.com From firewalls-owner Fri Apr 12 14:40:10 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA05408 for firewalls-outgoing; Thu, 11 Apr 1996 17:57:23 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA03026 for ; Thu, 11 Apr 1996 17:30:13 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id NAA20742; Thu, 11 Apr 1996 13:33:08 -0700 Received: from uu5.psi.com(38.145.226.3) by mycroft via smap (V1.3mjr) id sma020729; 
Thu Apr 11 13:32:20 1996 Received: from SMTP.CHILTONCO.COM by uu5.psi.com (5.65b/4.0.071791-PSI/PSINet) via SMTP; id AA10576 for Firewalls@GreatCircle.COM; Thu, 11 Apr 96 16:35:27 -0400 Received: from Chilton_Radnor-Message_Server by chiltonco.com with Novell_GroupWise; Thu, 11 Apr 1996 15:32:52 -0500 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Thu, 11 Apr 1996 17:28:58 -0500 From: Tom James To: Firewalls@GreatCircle.COM Subject: Firewalls-Digest V5 #145 -Reply Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I will be out of the office from 4/12 thru 4/19. All mail will be handled upon my return.
Regards Tom James From firewalls-owner Fri Apr 12 15:43:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id AAA08552 for firewalls-outgoing; Fri, 12 Apr 1996 00:49:41 -0700 (PDT) Received: from godel2.bim.be (godel2.bim.be [141.253.4.135]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id AAA08494 for ; Fri, 12 Apr 1996 00:49:27 -0700 (PDT) Received: from galileo.mumath by godel2.bim.be (SMI-8.6/SMI-SVR4) id JAA14470; Fri, 12 Apr 1996 09:50:02 +0200 Received: by galileo.mumath (5.x/SMI-SVR4) id AA06114; Fri, 12 Apr 1996 09:47:15 +0200 Date: Fri, 12 Apr 1996 09:47:15 +0200 From: pc@godel2.bim.be (Philippe Cayphas) Message-Id: <9604120747.AA06114@galileo.mumath> To: pokey@maddie.atlantic.com Subject: Re: High speed throughput firewalls... Cc: firewalls@GreatCircle.com X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >> Has anyone ever tried to firewall two networks that are connected via >> highspeed networks such as FDDI? What type of firewall did you use? >> Did you notice bottlenecking, etc? I'm looking for hard facts, not >> sales pitches... Have a look at the B1 Harris Cyberguard Firewall. It's based on a real time UNIX. It should support FDDI. Philippe -- Ph. Cayphas Senior Engineer E-Mail: pc@bim.be Telephone: +32(10)47.08.32 Fax : +32(10)47.08.11 Postal Mail : Ph. Cayphas BIM sa 4, Av.
Albert Einstein 1348 Louvain-La-Neuve Belgium From firewalls-owner Fri Apr 12 15:52:33 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id CAA18348 for firewalls-outgoing; Fri, 12 Apr 1996 02:07:35 -0700 (PDT) Received: from relay4.oleane.net (Relay4.OLEANE.NET [194.2.1.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id CAA18149 for ; Fri, 12 Apr 1996 02:06:39 -0700 (PDT) Received: from pcfm.dial.OLEANE.com (dyn-30.vin.oleane.com [194.2.6.30]) by relay4.oleane.net (8.7.5/8.7.3) with SMTP id LAA01685 for ; Fri, 12 Apr 1996 11:04:23 +0200 (MET DST) Date: Fri, 12 Apr 1996 11:04:23 +0200 (MET DST) Message-Id: <199604120904.LAA01685@relay4.oleane.net> X-Sender: fm004@pop.dial.oleane.com X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Firewalls@greatcircle.com From: Francois Mauchamp Subject: Re: Cross Realm Kerberos/DCE Proxy, NAT, UDP Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 16:16 10/04/1996 EDT, you wrote: >The rest is deleted since I have no additional comments on it. for anyone >interested, RFC 1510 deals with Kerberos and there is another RFC (I don't >know the number) Not too far from Kerberos! There are two of them: RFC 1508, Generic Security Service Application Program Interface, and RFC 1509, Generic Security Service API: C-bindings. > that deals with a GSS API for security program calls. >Kerberos comes from MIT but Cygnus (www.cynus.com) also distributes a >popular (at NASA) version of it. I'm trying to read the RFC..zzz.zzz > FM.
From firewalls-owner Fri Apr 12 16:02:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA02515 for firewalls-outgoing; Thu, 11 Apr 1996 17:28:58 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA02091 for ; Thu, 11 Apr 1996 17:27:39 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id QAA21734; Thu, 11 Apr 1996 16:13:29 -0700 Received: from explorer.csc.com(20.1.10.27) by mycroft via smap (V1.3mjr) id sma021725; Thu Apr 11 16:12:38 1996 Received: from @explorer.csc.com by csc.com with smtp (Smail3.1.29.1 #1) id m0u7Vaa-001AiaC; Thu, 11 Apr 96 19:15 EDT Message-Id: Date: Thu, 11 Apr 96 19:15 EDT X-Sender: asafier@explorer.csc.com X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: johns@oxygen.house.gov (John Schnizlein) From: Adam Safier Subject: Re: High speed throughput firewalls... Cc: firewalls@GreatCircle.com, pokey@maddie.atlantic.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 08:54 AM 4/10/96 -0400, John Schnizlein wrote: >> Has anyone ever tried to firewall two networks that are connected via >> highspeed networks such as FDDI? What type of firewall did you use? >> Did you notice bottlenecking, etc? I'm looking for hard facts, not >> sales pitches... > I've only heard the tale of some firewall vendors setting up a bunch of their firewalls in parallel to handle very large / fast firewalling needs. One Authentication server external to the firewall boxes makes for manageable authentication maintenance. Adam Safier CSC-SED-Infosec asafier@csc.com "If you show me yours, I still won't show you mine." Expressed opinions are my own and might not be shared by my employer or anyone else.
From firewalls-owner Fri Apr 12 19:46:41 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA04518 for firewalls-outgoing; Thu, 11 Apr 1996 17:38:25 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA02406 for ; Thu, 11 Apr 1996 17:28:40 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id PAA21489; Thu, 11 Apr 1996 15:08:25 -0700 Received: from riscsm.scripps.edu(137.131.120.6) by mycroft via smap (V1.3mjr) id sma021481; Thu Apr 11 15:07:26 1996 Received: from vishnu.scripps.edu by scripps.edu (5.61/1.34) id AA21149; Thu, 11 Apr 96 15:10:40 -0700 Received: from vishnu by vishnu.scripps.edu (SMI-8.6/SMI-SVR4) id PAA09473; Thu, 11 Apr 1996 15:10:39 -0700 Message-Id: <316D835F.1786@scripps.edu> Date: Thu, 11 Apr 1996 15:10:39 -0700 From: David Edgar Liebke Organization: The Scripps Research Institute X-Mailer: Mozilla 2.0 (X11; I; SunOS 5.5 sun4m) Mime-Version: 1.0 To: firewalls@greatcircle.com Subject: Java port of S/Key? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I know it is kind of perverse, but has anybody ported the S/Key password generator to Java? Thanks, David From firewalls-owner Fri Apr 12 20:01:52 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA06456 for firewalls-outgoing; Thu, 11 Apr 1996 18:14:53 -0700 (PDT) Received: from bramber.windsor.com (bramber.windsor.com [199.181.96.54]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA06450 for ; Thu, 11 Apr 1996 18:14:45 -0700 (PDT) Received: (from erics@localhost) by bramber.windsor.com (8.6.12/8.6.12) id VAA08275 for firewalls@greatcircle.com; Thu, 11 Apr 1996 21:12:39 -0400 From: "Eric V.
Smith" Message-Id: <199604120112.VAA08275@bramber.windsor.com> Subject: info needed to write https proxy To: firewalls@greatcircle.com Date: Thu, 11 Apr 1996 21:12:39 -0400 (EDT) Reply-To: EricSmith@windsor.com X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I need to add a proxy for https, so I've finally decided to break down and write my own. Where can I find the info on how Netscape talks to an https proxy? Is https SSL 2.0, or is it something else? Any pointers are appreciated. I'll summarize if I get any good information. -- Eric V. Smith | Some for renown on scraps of learning dote, EricSmith@windsor.com | And think they grow immortal as they quote. Windsor Software Corp +----------------------------------+ Edward Young http://www.windsor.com/ Windows NT, Unix, SQL Server | English poet From firewalls-owner Fri Apr 12 20:20:29 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA05924 for firewalls-outgoing; Thu, 11 Apr 1996 18:05:57 -0700 (PDT) Received: from ecua.net.ec (ecua.net.ec [157.100.1.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA05916 for ; Thu, 11 Apr 1996 18:05:48 -0700 (PDT) Received: from [157.100.8.254] by ecua.net.ec (AIX 4.1/UCB 5.64/4.04) id AA39608; Thu, 11 Apr 1996 20:02:54 -0500 Received: from [157.100.1.53] by ucsg.edu.ec (4.1/1.34) id AA03059; Thu, 11 Apr 96 20:07:32 EDT Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 11 Apr 1996 20:06:25 -0500 To: firewalls@greatcircle.com From: jvelasco@ucsg.edu.ec ( =?iso-8859-1?Q?Mart=EDn?= Velasco) Subject: Firewalls evaluation Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi. Please forgive my ignorance regarding this topic, which I think has been treated before. 
When you build a new system -any kind-, one of the ways to evaluate it is to have a group of "tests" or "tasks" to be done, first without the new system, then using the new system, and then comparing the results. I think this a common part of any system evaluation. When you test a firewall, Can you use this same kind of evaluation? What should you consider when having this evaluation? What's the best way to prove (others) that your firewall (or any firewall) will protect their network from external threats? It should be easily understandable having a network of Unix machines, but what about NT, Win95 or mixed networks? Thanks in advance to you all. -Martin Velasco From firewalls-owner Fri Apr 12 20:31:46 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA07537 for firewalls-outgoing; Thu, 11 Apr 1996 18:35:13 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA03069 for ; Thu, 11 Apr 1996 17:30:27 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id OAA21220; Thu, 11 Apr 1996 14:16:19 -0700 Received: from gateway.bose.com(139.68.136.1) by mycroft via smap (V1.3mjr) id sma021216; Thu Apr 11 14:16:06 1996 Received: from mingus.bose.com by cubs.bose.com (8.7.5/BoseFirewall.1.0) id RAA13790; Thu, 11 Apr 1996 17:06:56 -0400 Received: from chpnt by mingus.bose.com (4.1/SMI-4.1) id AA17305; Thu, 11 Apr 96 17:06:54 EDT Message-Id: <1.5.4b12.32.19960411210639.002b534c@mailhost> X-Sender: perry@mailhost X-Mailer: Windows Eudora Light Version 1.5.4b12 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 11 Apr 1996 17:06:39 -0400 To: firewalls@greatcircle.com From: "Christopher H. Perry" Subject: FireWalls for Windows NT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Would some kind sole recommend fiewall software for NT. 
We are putting together a test Web site using NT and Microsoft Internet Server, and would appreciate any suggestions on what to try for firewall protection. Should we be using Socks, and is it recommended that the firewall software run on a separate machine from the Internet Server?

Thanks,
Chris Perry
Software Engineer
Bose Corporation
(508) 766-6230
INTERNET: perry@bose.com
-----------------------------------------------------------------------------
BOSE CORPORATION "Better Sound Through Research"

From firewalls-owner Fri Apr 12 20:49:24 1996
From: carl@hdshq.com
Message-Id: <199604121647.JAA12807@SYSMKT.hdshq.com>
Date: Fri, 12 Apr 1996 09:47:27 -0800
To: yossi@sunserver.ddddf.com
Subject: WWW Proxy to cut off Java
Cc: firewalls@greatcircle.com

Hi. I have developed a patch, which is applied against the TIS fwtk release 1.3 (latest production release), to create an http proxy which can be configured to selectively screen out Java, JavaScript or both from web pages on the fly.

The patch and documentation are at http://www.hdshq.com/fixes/fwtk/welcome.html

The TIS firewall toolkit is at ftp://ftp.tis.com/pub/firewalls/toolkit/fwtk.tar.Z

The update to http-gw which provides the base upon which my patch is applied is ftp://ftp.tis.com/pub/firewalls/toolkit/patches/http-gw.patch.tar.Z

My patch is provided as a context diff, and is best applied using the widely available program patch.

Contact me if you have any questions by private email, to lower the noise ratio on this list.

Carl V Claunch
Hitachi Data Systems

From firewalls-owner Fri Apr 12 21:16:45 1996
Message-Id: <199604121208.FAA24852@lint.cisco.com>
Date: Fri, 12 Apr 1996 08:09:41 -0400
To: ac141@typhoon.dial.pipex.net
From: Paul Ferguson
Subject: Re: Finding domain name from IP address
Cc: firewalls@GreatCircle.COM

At 06:00 PM 4/11/96 +0000, ac141@typhoon.dial.pipex.net wrote:
>We have a combination of registered and unregistered IP addresses on
>our network (no Internet connection yet).
>
>Is there a way I can find out who the unregistered ones are really
>registered to?
>

Yes -- use the WHOIS database.

- paul

>Thanks for any help,
>
>Ben
>

--
Paul Ferguson
Consulting Engineering
Reston, Virginia USA
tel: +1.703.716.9538
e-mail: pferguso@cisco.com
cisco Systems

From firewalls-owner Fri Apr 12 21:25:49 1996
Date: Thu, 11 Apr 96 18:08 EDT
To: mjr@v-one.com
From: Adam Safier
Subject: Re: CKE: mandated by law
Cc: firewalls@greatcircle.com

At 09:15 PM 4/10/96 -0400, Marcus J. Ranum wrote:
>the only benefit all this escrow
>crap will have for the government is helping them watch us
>honest but pissed-off citizens, and lining the coffers of
>revolving-door defense contractors.
>

Actually it is not driven by security but by economics and, like most projects, politics. The government needs to make sure unemployment does not skyrocket, so this is their welfare program for unemployed would-be security experts.

I'm glad you did not include my company in your comments. At least I've never seen a revolving door at any sites or projects I've ever been on - we always try to use the government's building facilities.....

I'm also going to make a real attempt not to respond anymore to this off-firewalls-topic for a while. At least not here.

Adam

Expressed opinions are really my own and really really really do not reflect my employer, company or management.

Adam Safier
CSC-SED-Infosec
asafier@csc.com
"If you show me yours, I still won't show you mine."
Expressed opinions are my own and might not be shared by my employer or anyone else.

From firewalls-owner Sat Apr 13 11:32:53 1996
Message-ID: <01BB2851.DCB2FBC0@redrum.ashton.csc.com>
From: Ty Gast
To: "firewalls@GreatCircle.COM", "'Ole-Arnt Johnsen'"
Subject: RE: Digital Firewall for Unix
Date: Fri, 12 Apr 1996 09:24:32 -0400

On Thursday, April 11, 1996 5:07 PM, Ole-Arnt Johnsen[SMTP:Ole-Arnt.Johnsen@halden.scandpower.no] wrote:
> Has anyone reviewed Digital Firewall for Unix ver.2.0. If so, please let me
> know. I have not seen any references to this product on the list.
>
> Thank you.
>
>

We have done some work with it. It's a relatively strong firewall but is lacking in some areas. For instance, it doesn't support transparencies. Also, authentication procedures for coming inside from the outside are limited to just one method (tokens)... you cannot use other methods such as username/passwords (as if you would), or s/key. The interface uses a web browser (just like SATAN). Fairly easy to set up and get started, too.

Ty

<-><-><-><-><-><-><-><-><-><-><->
Ty Gast (tdgast@ashton.csc.com)
<-><-><-><-><-><-><-><-><-><-><->

From firewalls-owner Sat Apr 13 12:39:47 1996
Date: Thu, 11 Apr 1996 15:46:29 -0700 (PDT)
From: Michael Dillon
To: firewalls@GreatCircle.COM
Subject: Re: RAS and technical people
In-Reply-To: <9604081715.AA24872@is000913.BELL-ATL.COM>
Organization: Memra Software Inc. - Internet consulting

On Mon, 8 Apr 1996, Morris wrote:
> Whenever someone asks me about dial-back modems and security I generally
> look them in the eye and ask, "Ever hear of call forwarding?" and run.

In alt.2600 someone once gave a detailed description of how to hook a laptop into someone's phone line outside their house where the line enters the building. If they are in the habit of answering after only a few rings and they do not have a passworded account with the telco then anyone can put No Answer Call Forward on their line with a high number of rings.

You should require site visits of their home including the internal wiring as well as a password on their telco account, and their whole family including children over the age of 8 should be required to attend a company "security awareness" seminar.

I'm not sure if I'm joking, paranoid or serious here.... ;-)

Michael Dillon                    Voice: +1-604-546-8022
Memra Software Inc.
                                  Fax:   +1-604-546-3049
http://www.memra.com              E-mail: michael@memra.com

From firewalls-owner Sat Apr 13 13:08:50 1996
From: Mario Mistrik
Message-Id: <199604120706.AA04435@cpu1>
Subject: Re: Packet Filtering - I'm Stuck
To: ac141@typhoon.dial.pipex.net
Date: Fri, 12 Apr 1996 09:06:49 +0200 (MET DST)
Cc: firewalls@greatcircle.com
In-Reply-To: <199604111515.QAA10907@typhoon.dial.pipex.net> from "ac141@typhoon.dial.pipex.net" at Apr 11, 96 04:15:10 pm

Hi Ben,

I'm a student about to take my diploma in information technology. Therefore, I'll implement a firewall for our company. We also have wide-area connections via frame-relay to external companies.

To disallow telnet-connections from your external company through LAN-machines to the internet you can deny the specific machines in your LAN a direct internet access by a rule(s) in the Internet router. That means, you can allow a login from the specific machines to other machines in your LAN by using an authentication, and a welcomed user can open Internet connections from this machine. In my opinion, it's a solution to prevent an unauthorized access to the Internet. If there are other possibilities, I'm very interested too.

Regards,
Mario

>
> We have a wide-area link to an external company. They use it to
> maintain machines on our LAN.
>
> We are about to implement an Internet connection. We do not want to
> permit this external company use of the Internet gateway.
>
> Let's say I put packet filtering rules on the router that separates
> our LAN from the external gateway to only permit them telnet and ftp
> access to specific machines. Would it be possible for them to:
>
> telnet to a machine they are allowed to on our LAN, then
> telnet from there through the Internet gateway?
>
> Do I need to put rules on the Internet router to disallow this?
>
> Thanks for any advice.
>
> Ben
>

From firewalls-owner Sat Apr 13 13:09:33 1996
From: Julian Assange
Message-Id: <199604112033.GAA14374@suburbia.net>
Subject: Re: FAX Servers Security
To: fmora@banamex.com (Federico de la Mora Salazar)
Date: Fri, 12 Apr 1996 06:33:34 +1000 (EST)
Cc: firewalls@greatcircle.com, Private_User@interlock.banamex.com
In-Reply-To: <199604102202.AA11207@interlock.banamex.com> from "Federico de la Mora Salazar" at Apr 10, 96 01:31:11 pm

>
> I'm very interested in FAX Servers security and
> on the security of the FAX III protocol.
>
> Any comments will be greatly appreciated!
>
> ----------------- Federico de la Mora Salazar -----------------
> ----------------- Banco Nacional de Mexico    -----------------
> ----------------- fmora@banamex.com           -----------------
>

Once was Enough!

--
"I mean, after all; you have to consider we're only made out of dust. That's admittedly not much to go on and we shouldn't forget that. But even considering, I mean it's sort of a bad beginning, we're not doing too bad. So I personally have faith that even in this lousy situation we're faced with we can make it. You get me?"
                                                     - Leo Bulero/PKD
+---------------------+--------------------+----------------------------------+
|Julian Assange RSO   | PO Box 2031 BARKER | Secret Analytic Guy Union        |
|proff@suburbia.net   | VIC 3122 AUSTRALIA | finger for PGP key hash ID =     |
|proff@gnu.ai.mit.edu | FAX +61-3-98199066 | 0619737CCC143F6DEA73E27378933690 |
+---------------------+--------------------+----------------------------------+

From firewalls-owner Sat Apr 13 13:22:17 1996
Date: Thu, 11 Apr 1996 16:56:10 -0400 (EDT)
From: "A. Padgett Peterson P.E. Information Security"
To: firewalls@greatcircle.com
Message-Id: <960411165610.20229e7a@hobbes.orl.mmc.com>
Subject: re: CKE

>Problem 1 with key escrow is that the legal tests for probable cause to
>decrypt messages and release the "magic" key(s) can be different throughout
>the world. In other words, one man's probable cause is another man's
>fascism. Sure, nobody in the US Government is going to care about secret DoD
>plans (unless they're spies). That doesn't address the rest of the world.
>Multinational corporations may not have a choice of crypto systems if they
>want to do business in a given country, but they don't have to like it.
Evidently I need to re-iterate the position I presented at Gaithersburg:

The reason for a corporation to accept key escrow (provided they hold their own keys (remember I said "quid pro quo" - can handle three letter Latin words 8*)) was if, as intimated in item three, the United States Government arranged for the International reciprocal treaties/agreements which would allow strong crypto (and still think 64 bit symmetric keys are "enough" if different for every message).

This means that we would hold the keys in the US and that if a foreign sovereign wanted to peek, they would have to contact the US Gov, if convinced the Gov would present us with a court order, and we would supply the key *to the US Government*.

The second issue was that we would then know that this had been done (as a corporate security department, not necessarily as the individuals under investigation).

One of the important benefits for a multinational would be such protection that can only be negotiated between governments and which (under regulation of foreign commerce) is actually part of the Gov's charter.

On that line of thinking, I envision three types of keyholders:

1) US Gov for the business it conducts (prob held by NSA or NIST)
2) Major corporations hold their own (American Express for example)
3) Independent, bonded escrow agents for those who wanted to outsource. (e.g. Verisign)

Agree, many will not bother, but for those concerned with things such as "due care" & "business continuity" as encrypted E-Mail becomes the standard of communications, key escrow will become the rule rather than the exception in corporate America and a necessity for foreign commerce.

Warmly,
Padgett

ps of course is just my opinion.
pps watch out for the FCC

From firewalls-owner Sat Apr 13 13:55:36 1996
Date: Thu, 11 Apr 96 19:15 EDT
To: mjr@v-one.com
From: Adam Safier
Subject: Re: split DNS
Cc: Firewalls@GreatCircle.COM

At 09:26 PM 4/10/96 -0400, Marcus J. Ranum wrote:

I'm missing something fundamental in what is being done here. Don't multiple zones on the internal DNS server take care of your problem?

Last time I set up SmartWall I set it to be the external DNS server but to resolve its own queries from the internal DNS server. It's right in the config menu. The internal DNS server is slaved off the firewall. When the firewall makes a query it hits the internal server. If the name is found all is fine, else the internal server forwards to the firewall which queries the InterNIC and forwards replies to the internal server which answers the firewall. A little extra traffic when the firewall does an external DNS query but it works just fine. Queries from other internal clients are passed with no extra overhead.

I think (how soon we forget) we maintained the DNS from the internal DNS server and did a Zone transfer of the firewall DNS table FROM the inside DNS server to minimize maintenance. One zone for outside.com and another for inside.com. We had LOTS of zones flying around so I may be wrong and we might have had to maintain the external zone with duplicate entries. V-One?

I've got O'Reilly's DNS book on order!

>>I have a more complex split dns than I think is the norm (if there is
>>such a thing). At present I run the classic version but am not sure how
>>to expand it to the following scenario:
>>
>>
>>                internet
>>                   ^
>>                   |
>>                   |
>>      external bind  \
>>      ...             } the bastion host
>>      resolver       /
>>                   |
>>                   |
>>                   v
>>      root server (mine?)
>>                   |
>
>        Put some extra smarts in resolv.conf on the firewall.
>        Basically, the queries would go to the local nameserver
>on 127.0.0.1 if they are for a machine named "outside.v-one.com"
>otherwise, if they were anything in v-one.com they'd go to 1.1.1.1
>and if they were anything without a "." in them they'd go to
>the 1.1.1.1. All other stuff would default to the local nameserver.
>
>        In this manner, a split DNS would then be a piece of cake
>to implement. Just have a nameserver with a full external database
>on the firewall, and the firewall knows how to decide where to
>resolve, whether internal or external. Then run a full internal
>DNS on 1.1.1.1 and it's all hunky-dory.

Adam Safier
CSC-SED-Infosec
asafier@csc.com
"If you show me yours, I still won't show you mine."
Expressed opinions are my own and might not be shared by my employer or anyone else.
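An added example, not from Adam's post nor any SmartWall or V-One code, that models the query flow he describes (bastion resolver -> internal server -> bastion nameserver -> Internet) together with the resolv.conf selection rule Marcus is quoted on; the server names, zone contents and addresses are constructed, and the loop guard shows what goes wrong if the bastion's nameserver is pointed back at the internal server instead of out to the Internet.

```python
# Added example: a toy model of the split-DNS arrangement in the post.
# Server names, zones and addresses below are constructed for the demo.
from __future__ import annotations

from dataclasses import dataclass

MAX_HOPS = 8  # guard against a query ping-ponging between the two servers


class ForwardingLoop(Exception):
    """Raised when a query bounces between servers without being answered."""


@dataclass
class NameServer:
    name: str
    zones: dict[str, dict[str, str]]      # zone apex -> {fqdn: address}
    forwarder: NameServer | None = None   # where non-authoritative names go

    def zone_for(self, fqdn: str) -> str | None:
        """Return the apex of the zone this server is authoritative for, if any."""
        for apex in self.zones:
            if fqdn == apex or fqdn.endswith("." + apex):
                return apex
        return None

    def query(self, fqdn: str, trace: list[str]) -> str | None:
        """Answer fqdn, appending each server visited to trace."""
        if len(trace) >= MAX_HOPS:
            raise ForwardingLoop(" -> ".join(trace))
        trace.append(self.name)
        apex = self.zone_for(fqdn)
        if apex is not None:
            # Authoritative answer (or NXDOMAIN): never forwarded onward.
            return self.zones[apex].get(fqdn)
        if self.forwarder is None:
            return None
        return self.forwarder.query(fqdn, trace)


def build_topology(firewall_forwards_to_internet: bool = True):
    """Internet, bastion (external) nameserver and internal nameserver (constructed)."""
    internet = NameServer("internet", {"example.com": {"www.example.com": "192.0.2.10"}})
    firewall = NameServer("firewall-ns", {"outside.com": {"www.outside.com": "198.51.100.1"}})
    internal = NameServer("internal-ns", {"inside.com": {"db.inside.com": "10.0.0.5"}},
                          forwarder=firewall)
    # Correct: the bastion's nameserver forwards unknown names out to the Internet.
    # Wrong: if it used the bastion's own resolv.conf (which points at the
    # internal server) an unknown name would bounce between the two forever.
    firewall.forwarder = internet if firewall_forwards_to_internet else internal
    return internet, firewall, internal


def resolve_via_internal(fqdn: str, firewall_forwards_to_internet: bool = True):
    """A stub resolver on the bastion (or any inside client) asks the internal server.

    Returns (address_or_None, list_of_servers_visited).
    """
    _, _, internal = build_topology(firewall_forwards_to_internet)
    trace: list[str] = []
    answer = internal.query(fqdn, trace)
    return answer, trace


def pick_nameserver(name: str, local: str = "127.0.0.1", internal: str = "1.1.1.1") -> str:
    """The resolv.conf rule quoted in the reply: which server the bastion asks first.

    1.1.1.1 is the placeholder the quoted text uses for the internal server.
    """
    if name == "outside.v-one.com":
        return local                      # external view of the bastion itself
    if name == "v-one.com" or name.endswith(".v-one.com") or "." not in name:
        return internal                   # internal names and bare hostnames
    return local                          # everything else is external


if __name__ == "__main__":
    for host in ("db.inside.com", "www.outside.com", "www.example.com"):
        print(host, resolve_via_internal(host))
```

The third query shows the "little extra traffic" Adam mentions: an external name asked from the bastion takes three hops, an internal one takes one.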
From firewalls-owner Sat Apr 13 16:22:31 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA07753 for firewalls-outgoing; Fri, 12 Apr 1996 10:22:48 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA01101 for ; Fri, 12 Apr 1996 09:17:05 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id IAA24870; Fri, 12 Apr 1996 08:11:01 -0700 Received: from eagle.twinds.com(206.153.22.1) by mycroft via smap (V1.3mjr) id sma024864; Fri Apr 12 08:10:05 1996 Received: from hawk.twinds.com by eagle.twinds.com with SMTP (1.37.109.16/16.2) id AA247272163; Fri, 12 Apr 1996 11:16:03 -0400 Date: Fri, 12 Apr 1996 11:17:05 -0400 (EDT") From: Arley Carter X-Sender: ac@hawk.twinds.com To: "Norton, Dave" Cc: Firewalls-post Subject: Re: Cracking NT via RAS In-Reply-To: <199604111905.AA13124@nacg.trane.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk You forgot the part about M$ putting out a service pack for their proprietary code. This results in an immediately and probably significant degradation in the confidence level of all prior knowledge about the holes in the swiss cheese. This should make you exponentially nervous. Or.... as Agent Moulder said "Be afraid, be very afraid." Arley Carter Tradewinds Technologies, Inc. email: ac@hawk.twinds.com www: http://www.twinds.com "Trust me. This is a secure product. I'm from ." > Any comments, feedback from outside my organization will be greatly > appreciated, because I blew all my intellectual credibility in-house > when I accepted employment here... Sorry, but I can't tell you who > we are, cause of what I've devulged to the world in this posting... You mean you aren't from Trane Corporation, the HVAC mfrs? 
From firewalls-owner Sat Apr 13 16:37:19 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA07923 for firewalls-outgoing; Fri, 12 Apr 1996 10:26:50 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA01142 for ; Fri, 12 Apr 1996 09:17:12 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id IAA24843; Fri, 12 Apr 1996 08:04:02 -0700 Received: from artemis.rus.uni-stuttgart.de(129.69.18.28) by mycroft via smap (V1.3mjr) id sma024828; Fri Apr 12 08:03:17 1996 Received: from visbl.rus.uni-stuttgart.de (visbl.rus.uni-stuttgart.de [129.69.50.72]) by artemis.rus.uni-stuttgart.de with ESMTP id RAA10228 (8.6.13/IDA-1.6); Fri, 12 Apr 1996 17:06:34 +0200 Received: by visbl.rus.uni-stuttgart.de (950511.SGI.8.6.12.PATCH526/930416.SGI/BelWue-1.1) id RAA07378; Fri, 12 Apr 1996 17:10:38 +0200 From: Bernd.Lehle@RUS.Uni-Stuttgart.DE (Bernd Lehle) Message-Id: <199604121510.RAA07378@visbl.rus.uni-stuttgart.de> Subject: Re: High speed throughput firewalls... To: ted@kgbvax.network.com (Ted Doty) Date: Fri, 12 Apr 1996 17:10:38 +0100 (DST) Cc: firewalls@GreatCircle.COM In-Reply-To: <199604111740.NAA06571@kgbvax.network.com> from "Ted Doty" at Apr 11, 96 01:40:26 pm X-Scapegoat: Blame any mailing Problems on this header entry. X-pgp-fingerprint: 3E B0 35 8D 59 D5 AE AA 5A F9 60 80 9E E0 55 48 MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > > Has anyone ever tried to firewall two networks that are connected via > > highspeed networks such as FDDI? What type of firewall did you use? > > Did you notice bottlenecking, etc? I'm looking for hard facts, not > > sales pitches... > Here in Stuttgart we are trying to firewall a 622 Mbit ATM connection. 
This will probably be done by firewalling all the connections that go into a GigaRouter (FDDI, Ethernet, HIPPI ?, ATM) and leave the outgoing big 622-MB pipe unfiltered. The final design is not decided. The GigaRouter can filter some hundred lines of packet-rules on an FDDI connection (so the folks say) - we will see.

--
> Bernd Lehle - Stuttgart University Computer Center    * A supercomputer <
> Visualization / SFB 382 / Astrophysics                * is a machine    <
> lehle@rus.uni-stuttgart.de  Tel:+49-711-685-5531      * that runs an    <
> http://www.tat.physik.uni-tuebingen.de/~lehle         * endless loop    <
> pgp? -> finger bernd@visbl.rus.uni-stuttgart.de       * in 2 seconds    <

From firewalls-owner Sat Apr 13 17:06:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id WAA26316 for firewalls-outgoing; Thu, 11 Apr 1996 22:53:45 -0700 (PDT)
Received: from xochiphili.zerby.com (xochiphili.zerby.com [205.254.178.202]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id WAA26302 for ; Thu, 11 Apr 1996 22:53:37 -0700 (PDT)
Received: (from jwright@localhost) by xochiphili.zerby.com (8.7.5/8.7.3) id BAA21739; Fri, 12 Apr 1996 01:49:14 -0400
From: Jason Wright
Message-Id: <199604120549.BAA21739@xochiphili.zerby.com>
Subject: Re: Three ethernet port Raptor Firewalls
To: Alan_AMBERS@CO.FREDERICK.MD.US (Alan AMBERS)
Date: Fri, 12 Apr 1996 01:49:13 -0400 (EDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <001X5A@XL1.CO.FREDERICK.MD.US> from "Alan AMBERS" at Apr 10, 96 01:43:00 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> We currently use Raptor with one untrusted (Internet) and one trusted
> (us) network. We have a second untrusted network that we wish to
> attach. We are using a HP9000/715 as the platform and know that we
> would have to upgrade to a HP9000/755 that supports three ethernet
> cards.
>
> Is anyone doing this now with Raptor? Does anyone see any major
> problems?

Yep, one of my clients has a Raptor FW running on a Sparc5 (Solaris 2.4) with three ethernet interfaces. It works fine, now that I have upgraded the system from Eagle version 3.0 to version 3.1. It did not work fine before I upgraded though...I had problems with poor throughput, which may or may not have been caused by the third interface. I only know that 3.1 fixed it.

The big problem that I had while trying to use three interfaces under 3.0 was this: The client has two internal interfaces (one with a rack of dialup modems and a news server) and the other being their main network. The third interface is to the Internet. I had to use 3.0's proxyd to pass my news feed to and from their server and I had to write a rule on top of that (using the GSP) to allow the main network to read news off their server. Raptor's tech support confirmed that I had the GSP and allow rule set up properly, it just didn't work, as the Eagle sent all NNTP traffic coming from the main network to the external news server (mine). Upgrading to 3.1 and doing away with proxyd fixed the problem.

Feel free to email me if you have any other questions.
Jason Wright -- jwright@zerby.com (personal) jwright@netrex.com (work)

From firewalls-owner Sat Apr 13 17:07:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA08314 for firewalls-outgoing; Fri, 12 Apr 1996 10:35:20 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA01779 for ; Fri, 12 Apr 1996 09:18:53 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id GAA24336; Fri, 12 Apr 1996 06:41:51 -0700
Received: from nsco.network.com(129.191.1.1) by mycroft via smap (V1.3mjr) id sma024333; Fri Apr 12 06:41:34 1996
Received: from mnbp.network.com (ushub.network.com) by nsco.network.com (4.1/1.34) id AA18970; Fri, 12 Apr 96 08:49:25 CDT
Received: by mnbp.network.com with Microsoft Mail id <316E5DE7@mnbp.network.com>; Fri, 12 Apr 96 08:43:03 CDT
From: Craig McLellan
To: firewalls
Subject: RE: Network Engineering Technologies Announces $10,000 Firewall Challenge
Date: Fri, 12 Apr 96 08:42:00 CDT
Message-Id: <316E5DE7@mnbp.network.com>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Well at least this beats a bomber jacket! Although, I wouldn't be able to walk around and brag about it.

RGRDS.....clm

----------
From: firewalls-owner
To: firewalls
Subject: Network Engineering Technologies Announces $10,000 Firewall Challenge
Date: April 9, 1996 09:19

Excerpt from: -(BUSINESS WIRE) via Individual Inc. [04-08-96 at 15:41 EDT, Business Wire]

[snip]

The Challenge

To claim the $10,000 in NET's Firewall Challenge, individuals must first register with NET, then use a computer to break into NET's secure transaction server and retrieve information stored there about paper currency totaling $10,000, namely: (1) the number of notes, (2) the denomination of each note and (3) the serial number of each note.
The first person to supply the correct information to NET between 12:01 a.m. May 1 and 12:01 a.m. May 31 will win the $10,000. In the case of multiple break-ins, the first person sending the correct information to NET's e-mail address will be declared the winner.

Participants must be individuals over 18 years of age, not companies, and must also agree to surrender to NET all relevant information about the methods they used to break through the firewall.

Further details on the Network Engineering Technologies' $10,000 Firewall Challenge are available on the World-Wide Web at http://thefirewall.com or by writing NET at 1714 Ringwood Ave., San Jose, CA 95131.

[snip]

--
Paul Ferguson
Consulting Engineering
Reston, Virginia USA
tel: +1.703.716.9538
e-mail: pferguso@cisco.com
c i s c o  S y s t e m s

From firewalls-owner Sat Apr 13 17:07:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA08125 for firewalls-outgoing; Fri, 12 Apr 1996 10:31:14 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA02460 for ; Fri, 12 Apr 1996 09:20:39 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id GAA23984; Fri, 12 Apr 1996 06:10:43 -0700
Received: from hawk.tml.co.za(196.4.87.22) by mycroft via smap (V1.3mjr) id sma023978; Fri Apr 12 06:10:13 1996
Received: from gavin.tml.co.za (gavin.tml.co.za [196.4.92.45]) by hawk.tml.co.za (8.6.12/8.6.12) with SMTP id PAA29959 for ; Fri, 12 Apr 1996 15:16:26 -0200
Received: by gavin.tml.co.za with Microsoft Mail id <01BB2883.15E86840@gavin.tml.co.za>; Fri, 12 Apr 1996 15:16:55 +-200
Message-ID: <01BB2883.15E86840@gavin.tml.co.za>
From: Gavin Ferreiro
To: "'firewalls@GreatCircle.COM'" , "'S.Ramalingam'"
Subject: RE: internet connection
Date: Fri, 12 Apr 1996 15:16:53 +-200
MIME-Version: 1.0
Content-Type: text/plain;
 charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The simplest way to control access is to block all IP addresses being forwarded to the internet. You then open only the IP addresses that you want to have access.

Remember, when you start using a router to block or filter, the network speed will slow down. I would rather think of putting in a firewall, and control it through that.

What do the other people think?

----------
From: S.Ramalingam[SMTP:srm@adiblr1.soft.net]
Sent: 11 April 1996 07:12
To: firewalls-digest@GreatCircle.COM
Cc: ram@adiblr1.soft.net
Subject: internet connection

Hello

We are having pentium machines running with PCNFSpro 1.1 windows version. In my company, we are having radiolink to access internet. Our Management does not want to give permission to everyone to access internet except for few people.

Right now all the staff members are using netscape to use internet. We cannot control the staff members.

We having router connected with RF link.

IS THERE ANYWAY TO CONTROL THE PEOPLE TO ACCESS THE INTERNET BASED ON IP ADDRESS.

Our default gateway is Router.

Ramalingam

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Gavin Ferreiro  +27 11 4972634  gavin@tml.co.za
My personal points of view:
1. You are put on earth to help others. IF YOU CAN NOT HELP THEM THEN at least do not hurt them
2. Computer security is a state of mind. NOT a deliberation.
3. All people are equal, MALE and FEMALE, I just like to treat FEMALES like ladies.
4. People with Epilepsy are good to know.
5. IF YOU DO NOT LIKE MY OPINIONS, I HAVE MANY MORE!
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

From firewalls-owner Sat Apr 13 17:23:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA08445 for firewalls-outgoing; Fri, 12 Apr 1996 10:40:25 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA01820 for ; Fri, 12 Apr 1996 09:18:59 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id HAA24580; Fri, 12 Apr 1996 07:18:56 -0700
From: ken@bridge.com
Received: from gatekeeper.bridge.com(167.76.159.11) by mycroft via smap (V1.3mjr) id sma024568; Fri Apr 12 07:18:25 1996
Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.12/8.6.9) id JAA04771; Fri, 12 Apr 1996 09:19:17 -0500
Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma004769; Fri Apr 12 09:19:12 1996
Received: from ernie.bridge.com by ignatz.bridge.com with SMTP id AA21058 (5.67b/IDA-1.5); Fri, 12 Apr 1996 09:30:32 -0500
Received: by ernie.bridge.com (SMI-8.6/SMI-SVR4) id JAA09538; Fri, 12 Apr 1996 09:21:32 -0500
Date: Fri, 12 Apr 1996 09:21:32 -0500
Message-Id: <199604121421.JAA09538@ernie.bridge.com>
To: Firewalls@GreatCircle.COM, djr@saa-cons.co.uk
Subject: Re: Solaris2.5 and BSD* - Facts
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I said:

>For a very interesting comparison of Solaris 2.4, FreeBSD 2.0.5R, and
>Linux 1.2.8 on the exact same hardware (P100), see ...

>You'll have to make the assumption that the relevant architectural details of Solaris,
>and the resulting strengths/weaknesses, are consistent between the Sparc and
>Intel implementations.

On further reflection, that's perhaps not a totally valid assumption.
One of the main conclusions of the paper cited was that none of these OSes properly takes advantage of the Pentium's architecture for memory writes (presumably to be compatible with lesser x86's):

Our results show that none of the systems adequately delivers the Pentium's memory write performance. For example, the Pentium can copy data at over 160 megabytes/second using a prefetching copy routine, yet none of the systems we tested have implemented such a routine. As described below, the prefetching routines address the fact that the Pentium does not have a write-allocate cache. Without this optimization, the same routines copy data at about 40 megabytes/second.

I'd expect that a Sun OS running on a Sun box would take full advantage of the hardware's capability. I cannot parlay any of this into hard figures for your evaluation, though. The tests used memcpy and memset, figuring the kernel used the same, or similar, routines. (They didn't examine any kernel code.) I wouldn't be too surprised to see any or all of these OSes in future versions adapt to the type of hardware, at least in the kernel, if not in the std. C library routines.

This very interesting (to me, at least) subject risks getting too far afield from the proper topic for this list. I humbly suggest that anyone who wants to delve into these OS/hardware issues to a degree not related to firewalls do so in a more appropriate forum.
- KH

From firewalls-owner Sat Apr 13 17:45:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA08512 for firewalls-outgoing; Fri, 12 Apr 1996 10:40:55 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA02559 for ; Fri, 12 Apr 1996 09:20:52 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id GAA24019; Fri, 12 Apr 1996 06:16:44 -0700
Received: from hawk.tml.co.za(196.4.87.22) by mycroft via smap (V1.3mjr) id sma024013; Fri Apr 12 06:16:35 1996
Received: from gavin.tml.co.za (gavin.tml.co.za [196.4.92.45]) by hawk.tml.co.za (8.6.12/8.6.12) with SMTP id PAA00112; Fri, 12 Apr 1996 15:22:39 -0200
Received: by gavin.tml.co.za with Microsoft Mail id <01BB2883.F4867560@gavin.tml.co.za>; Fri, 12 Apr 1996 15:23:09 +-200
Message-ID: <01BB2883.F4867560@gavin.tml.co.za>
From: Gavin Ferreiro
To: "'ac141@typhoon.dial.pipex.net'" , "firewalls@GreatCircle.COM"
Subject: RE: Packet Filtering - I'm Stuck
Date: Fri, 12 Apr 1996 15:23:07 +-200
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Once the outside people are inside your network, they can get through to the internet, if the internet router allows those machines access to the internet.

I would actually allow them to attach to the hosts, but at router level, not allow the hosts access to the internet.

This totally depends on whether you wish to allow those hosts access to the internet. I also surmise that the company has "root" or supervisor access to your hosts.

I would go for the router filtering, and block all access to those hosts from the internet side and access to the internet from those hosts from your LAN side. Remember, you can not do this with an SMTP server.
Best of luck

----------
From: ac141@typhoon.dial.pipex.net[SMTP:ac141@typhoon.dial.pipex.net]
Sent: 11 April 1996 06:15
To: firewalls@GreatCircle.COM
Subject: Packet Filtering - I'm Stuck

We have a wide-area link to an external company. They use it to maintain machines on our LAN.

We are about to implement an Internet connection. We do not want to permit this external company use of the Internet gateway.

Let's say I put packet filtering rules on the router that separates our LAN from the external gateway to only permit them telnet and ftp access to specific machines.

Would it be possible for them to:

telnet to a machine they are allowed to on our LAN, then telnet from there through the Internet gateway?

Do I need to put rules on the Internet router to disallow this?

Thanks for any advice.

Ben

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Gavin Ferreiro  +27 11 4972634  gavin@tml.co.za
My personal points of view:
1. You are put on earth to help others. IF YOU CAN NOT HELP THEM THEN at least do not hurt them
2. Computer security is a state of mind. NOT a deliberation.
3. All people are equal, MALE and FEMALE, I just like to treat FEMALES like ladies.
4. People with Epilepsy are good to know.
5. IF YOU DO NOT LIKE MY OPINIONS, I HAVE MANY MORE!
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

From firewalls-owner Sat Apr 13 18:58:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA10853 for firewalls-outgoing; Fri, 12 Apr 1996 11:24:36 -0700 (PDT)
Received: from kyrene.k12.az.us ([204.43.65.129]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA10817 for ; Fri, 12 Apr 1996 11:23:50 -0700 (PDT)
Received: by ksddns.kyrene.k12.az.us id <30723>; Fri, 12 Apr 1996 11:21:02 -0700
From: "Myers, Bill"
To: "firewalls-digest@GreatCircle.COM" , "'Richard_Tatem@notesgw.hns.com'"
Subject: RE: Sign Off
Date: Fri, 12 Apr 1996 10:41:00 -0700
X-Mailer: Microsoft Mail V3.0
Message-Id: <96Apr12.112102mst.30723@ksddns.kyrene.k12.az.us>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

How do you get off this list? I have tried the majordomo and I still get mail even though it says I'm not on the list.

----------
From: Richard_Tatem@notesgw.hns.com[SMTP:Richard_Tatem@notesgw.hns.com]
Sent: Thursday, April 11, 1996 11:09 AM
To: firewalls-digest@GreatCircle.COM
Subject: Sign Off

sign off rtatem@hns.com

From firewalls-owner Sat Apr 13 21:07:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA09349 for firewalls-outgoing; Fri, 12 Apr 1996 10:56:05 -0700 (PDT)
Received: from www.allensysgroup.com (www.naplesoft.com [205.245.8.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA09343 for ; Fri, 12 Apr 1996 10:56:01 -0700 (PDT)
Received: from www ([205.245.8.4]) by www.allensysgroup.com (post.office MTA v1.9.3 evaluation license) with SMTP id AAA183 for ; Fri, 12 Apr 1996 13:54:13 -0400
Message-ID: <316E98C5.A69@naplesoft.com>
Date: Fri, 12 Apr 1996 13:54:13 -0400
From: bbrown@allensysgroup.com (Bobby Brown)
Organization: Allen Systems Group, INC
X-Mailer: Mozilla 2.01Gold (WinNT; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: Pressure for firewall install
Content-Type:
 text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Yes, the question is very open. I am pressured to get a firewall in place by the end of April. Rushing into a firewall selection and placement is not good, but the higher powers rule.

Situation: I will leave the web server outside the firewall. Internal wants access to e-mail, and limited ftp and http for selected users. I would like good logging ability and user authentication to use ftp or http protocols. We want to use an i86 box as the firewall host.

I would appreciate recommendations and suggestions on tested packages and support of various suppliers. Tall request, but hopefully some of you can spare a moment of your knowledge and experience in rushed situations.

Bobby Brown
bbrown@allensysgroup.com

From firewalls-owner Sat Apr 13 22:10:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA08740 for firewalls-outgoing; Fri, 12 Apr 1996 10:46:07 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA02115 for ; Fri, 12 Apr 1996 09:19:46 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id GAA24388; Fri, 12 Apr 1996 06:50:53 -0700
Received: from balder.ssds.com(204.131.72.62) by mycroft via smap (V1.3mjr) id sma024379; Fri Apr 12 06:50:14 1996
Received: (from mail@localhost) by balder.ssds.com (8.6.9/8.6.9.SSDSnet-hub) id HAA07258 for ; Fri, 12 Apr 1996 07:54:39 -0600
Received: from denver(134.127.16.1) by balder via smap (V1.3) id smac07250; Fri Apr 12 07:54:34 1996
Received: by denver.ssds.com id HAA24327; Fri, 12 Apr 1996 07:23:11 -0600 (MDT)
Message-Id: <2.2.32.19960412132250.00d09908@denver.ssds.com>
X-Sender: cds@denver.ssds.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 12 Apr 1996 08:22:50
 -0500
To: Jeff Maddox
From: "Chris Liljenstolpe - SSDS INFOSEC Eng."
Subject: Re: Sun OS Vs Solaris for secure servers
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings,

I agree with one caveat - it depends on the level of security provided by the firewall. For a high security system, such as a proxy, I agree; for a lower level of security (say a packet screen), the Solaris environment matches the level of security of the firewall. Therefore, would I run a Gauntlet on Solaris, no. Would I run Fireball-1 on Solaris 2.5, maybe.

Regards,
-=Chris

At 22:49 96/04/10 -0500, the sage, Jeff Maddox, uttered these words:
> All, first I apologize for the length but the context of this is important.
> Also, I would really prefer not to start either a flame or religious war. I
> have a group of young SysAdmins who want to migrate all their Sun boxes to
> the same OS (Solaris 2.5 if they can get all their software to run on it,
> 2.4 if not).
>
> While I do not argue against the conversion of their general purpose or
> database servers to the same OS, I have real concern about moving the
> special purpose single function servers that perform the authentication,
> packet filtering and proxying (proxying?).
>
> At present we are running stripped, hardened versions of SunOS 4.1.4 and we
> have patched, moded and cleaned it to the max. While we know that the best
> solution is to have a kernel with source code, it wouldn't help as these
> guys (me too as I am not in that class of firewall
> engineer[yet]:-).)couldn't analyze it anyway. I, and others, are willing to
> trust the many people who have identified vulnerabilities and fixes in 4.1.4.
>
> My argument is that for these purposes you would have to strip Solaris to
> the bone anyway to close unnecessary potential holes and the act of stripping
> Solaris is fraught with failure potential as no one I know is really certain
> about everything that could smack the server by being removed or what could
> be removed without killing it or making it unbootable. Also, the kernel is
> so complicated (I have been told, again without source, who can tell except
> by the size of the binary. A guess at best) that, I believe, potential holes
> must be there.
>
> However, the context is that of special purpose security servers that run
> one or a few small processes. What would Solaris possess that would make it
> more, or even as, secure in this specific instance?
>
> The final point is, we are also not talking about forever, just a year or
> two to allow you and the rest of the real beta, secure, OS testers to find
> and alert us and Sun to the potential holes and fixes.
>
> If I am off base then I would appreciate clarification, if not, evidence to
> allow me to end this controversy and get them moving on more important problems.
>
> Thanks in advance.
>
>
>
> Man is the only animal that can remain on friendly terms with the victims he
> intends to eat until he eats them.
>
> Samuel Butler
>
>
> Jeff Maddox
> SSDS Inc.
> 3102 Bee Caves Rd Suite A
> Austin, TX 78746
> Phone (512) 329-5731
> FAX (512) 329-5726
> Pager (800) 506-5617
> E-Mail jeff.maddox@ssds.com
>
>
>

Regards,
-=Chris

--
Chris Liljenstolpe
SSDS, Inc; 8400 Normandale Lake Blvd.; Suite 993
Bloomington, MN 55437
TEL 612.921.2392  FAX 612.921.2395
business driven technology solutions
Fram Fram Free!
PGP Key 1024/E8546BD5  FE 43 BD A6 3C 13 6C DB  89 B3 E4 A1 BF 6D 2A A9

From firewalls-owner Sat Apr 13 22:21:21 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA13985 for firewalls-outgoing; Fri, 12 Apr 1996 12:24:01 -0700 (PDT)
Received: from uu5.psi.com (uu5.psi.com [38.145.226.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA13959 for ; Fri, 12 Apr 1996 12:23:06 -0700 (PDT)
Received: from SMTP.CHILTONCO.COM by uu5.psi.com (5.65b/4.0.071791-PSI/PSINet) via SMTP; id AA07837 for Firewalls@GreatCircle.COM; Fri, 12 Apr 96 15:18:17 -0400
Received: from Chilton_Radnor-Message_Server by chiltonco.com with Novell_GroupWise; Fri, 12 Apr 1996 14:14:59 -0500
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Fri, 12 Apr 1996 14:14:46 -0500
From: Tom James
To: Firewalls@GreatCircle.COM
Subject: Firewalls-Digest V5 #226 -Reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I will be out of the office from 4/12 thru 4/19. All mail will be handled upon my return.
Regards
Tom James

From firewalls-owner Sun Apr 14 01:29:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id BAA04583 for firewalls-outgoing; Sun, 14 Apr 1996 01:03:10 -0700 (PDT)
Received: from typhoon.dial.pipex.net (typhoon.dial.pipex.net [158.43.128.46]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id BAA04575 for ; Sun, 14 Apr 1996 01:03:02 -0700 (PDT)
Received: from unknown by typhoon.dial.pipex.net (8.7.4/) id JAA21795; Sun, 14 Apr 1996 09:01:24 +0100 (BST)
Message-ID:
In-Reply-To:
References: Conversation with last message
To: Tom James , firewalls@GreatCircle.COM
MIME-Version: 1.0
From: Ian Johnstone-Bryden
Subject: Re: firewalls-digest V5 #160 -Reply
Date: Sun, 14 Apr 96 08:10:27 GMT
Content-Type: text/plain; charset=US-ASCII; X-MAPIextension=".TXT"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> I will be out of the office from 4/12 thru 4/19.
> All mail will be handled upon my return.
>
> Regards
> Tom James
>

Wonder if Tom is trying to see if his insurance policy pays out on theft. OTOH maybe he just wants to see if there are any black hats reading firewall. He certainly wants to make sure the world knows that he is out.
Ian J-B

From firewalls-owner Sun Apr 14 01:43:46 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA15160 for firewalls-outgoing; Fri, 12 Apr 1996 12:52:27 -0700 (PDT)
Received: from nowhere_linux.nowhere.aetna.com (tx.ultranet.com [146.115.242.246]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA15154 for ; Fri, 12 Apr 1996 12:52:19 -0700 (PDT)
Received: (from damdum@localhost) by nowhere_linux.nowhere.aetna.com (8.6.12/8.6.9) id PAA00197; Fri, 12 Apr 1996 15:58:31 -0400
Date: Fri, 12 Apr 1996 15:58:30 -0400 (EDT)
From: Mike Eddington
To: "S.Ramalingam"
cc: firewalls-digest@GreatCircle.COM, ram@adiblr1.soft.net
Subject: Re: internet connection
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The only way to control access based on IP would be if everyone accessed the net through one computer, "their" computer, and had static IPs. Then you would only need to set up filtering on the router to allow only certain IPs through. Notice you are blocking all and allowing some, not the other way around.

On Thu, 11 Apr 1996, S.Ramalingam wrote:

>
> Hello
>
> We are having pentium machines running with PCNFSpro 1.1 windows version.
> In my company, we are having radiolink to access internet. Our Management
> does not want to give permission to everyone to access internet except
> for few people.
>
> Right now all the staff members are using netscape to use internet. We
> cannot control the staff members.
>
> We having router connected with RF link.
>
> IS THERE ANYWAY TO CONTROL THE PEOPLE TO ACCESS THE INTERNET BASED ON IP
> ADDRESS.
>
> Our default gateway is Router.
>
> Ramalingam
>
>
>

From firewalls-owner Sun Apr 14 02:29:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA15024 for firewalls-outgoing; Fri, 12 Apr 1996 12:47:51 -0700 (PDT)
Received: from nowhere_linux.nowhere.aetna.com (tx.ultranet.com [146.115.242.246]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA15010 for ; Fri, 12 Apr 1996 12:47:31 -0700 (PDT)
Received: (from damdum@localhost) by nowhere_linux.nowhere.aetna.com (8.6.12/8.6.9) id PAA00191; Fri, 12 Apr 1996 15:54:28 -0400
Date: Fri, 12 Apr 1996 15:54:27 -0400 (EDT)
From: Mike Eddington
To: firewalls@GreatCircle.COM
Subject: Re: Packet Filtering - I'm Stuck
In-Reply-To: <199604111515.QAA10907@typhoon.dial.pipex.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You can block them from accessing the internet through their WAN connection via packet filtering, yes. HOWEVER, if they have access to machines at your site, then they could always telnet/ftp from those accounts. The only way to keep them from doing that would be to not allow those machines access to the internet.

The only solution I can think of to stop them gaining internet access would be to run identd on the computers they have access to and look for their IDs at the firewall/gateway. You could restrict access to the binaries but it's too easy to compile the source and bypass that :(

hope this helps!

- Mike

On Thu, 11 Apr 1996 ac141@typhoon.dial.pipex.net wrote:

> We have a wide-area link to an external company. They use it to
> maintain machines on our LAN.
>
> We are about to implement an Internet connection. We do not want to
> permit this external company use of the Internet gateway.
>
> Let's say I put packet filtering rules on the router that separates
> our LAN from the external gateway to only permit them telnet and ftp
> access to specific machines.
>
> Would it be possible for them to:
>
> telnet to a machine they are allowed to on our LAN, then
> telnet from there through the Internet gateway?
>
> Do I need to put rules on the Internet router to disallow this?
>
> Thanks for any advice.
>
> Ben
>
>

From firewalls-owner Sun Apr 14 02:33:18 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id CAA10126 for firewalls-outgoing; Sun, 14 Apr 1996 02:02:00 -0700 (PDT)
Received: from netcomsv.netcom.com (uucp5.netcom.com [163.179.3.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id CAA09968 for ; Sun, 14 Apr 1996 02:01:17 -0700 (PDT)
Received: from kingtut.UUCP by netcomsv.netcom.com with UUCP (8.6.12/SMI-4.1) id BAA28613; Sun, 14 Apr 1996 01:52:58 -0700
Received: from auspex.ivac_eng (auspex-e2) by kingtut (4.1/SMI-4.1) id AA09815; Sun, 14 Apr 96 01:44:14 PDT
Received: from kingtut by auspex.ivac_eng (4.1/SMI-4.1) id AA02695; Sun, 14 Apr 96 01:44:13 PDT
Received: from relay6.UU.NET by netcomsv.netcom.com with ESMTP (8.6.12/SMI-4.1) id BAA11033; Sun, 14 Apr 1996 01:33:38 -0700
Received: from miles.greatcircle.com by relay6.UU.NET with ESMTP id QQaljm10665; Sun, 14 Apr 1996 04:32:19 -0400 (EDT)
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id AAA09621 for firewalls-outgoing; Fri, 12 Apr 1996 00:57:25 -0700 (PDT)
Received: from tempus.ii.uni.wroc.pl (tempus.ii.uni.wroc.pl [156.17.4.97]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id AAA09602 for ; Fri, 12 Apr 1996 00:57:15 -0700 (PDT)
Received: from ares.ii.uni.wroc.pl (ares.ii.uni.wroc.pl [156.17.4.105]) by tempus.ii.uni.wroc.pl (8.7.1/8.6.11) with ESMTP id JAA12615 for ; Fri, 12 Apr 1996 09:54:59 +0200 (MET DST)
Received: (from roman@localhost) by ares.ii.uni.wroc.pl (8.7.1/8.6.11) id JAA01297 for firewalls@GreatCircle.COM; Fri, 12 Apr 1996 09:53:58 +0200 (MET DST)
Date: Fri, 12 Apr 1996 09:53:58 +0200 (MET DST)
From: Marcin.Roman@ii.uni.wroc.pl (Marcin Roman)
Organization: University of Wroclaw, Institute of Computer Science
Reply-To:
Posted-Date: Fri, 12 Apr 1996 09:53:58 +0200 (MET DST)
Message-Id: <199604120753.JAA01297@ares.ii.uni.wroc.pl>
To: firewalls@GreatCircle.COM
Subject: Sign Off
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

sign off roman@ii.uni.wroc.pl

From firewalls-owner Sun Apr 14 02:43:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA13301 for firewalls-outgoing; Fri, 12 Apr 1996 12:07:54 -0700 (PDT)
Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA13285 for ; Fri, 12 Apr 1996 12:07:42 -0700 (PDT)
Received: from bastion.ppt.com by relay3.UU.NET with ESMTP id QQalds06286; Fri, 12 Apr 1996 15:04:28 -0400 (EDT)
Received: from firewall.ppt.com (fw.ppt.com [206.220.97.2]) by bastion.ppt.com (8.7.3/8.7.3) with ESMTP id LAA06789 for ; Fri, 12 Apr 1996 11:58:47 -0700 (PDT)
Received: from ruby.ppt.com (ruby.ppt.com [198.102.200.15]) by firewall.ppt.com (8.7.3/8.7.3) with ESMTP id LAA02227 for ; Fri, 12 Apr 1996 11:58:46 -0700 (PDT)
Received: (from drc@localhost) by ruby.ppt.com (8.7.3/8.7.3) id LAA03184 for firewalls@GreatCircle.COM; Fri, 12 Apr 1996 11:58:50 -0700 (PDT)
From: "David Coelho"
Message-Id: <9604121158.ZM3182@ppt.com>
Date: Fri, 12 Apr 1996 11:58:50 -0700
X-Mailer: Z-Mail (3.2.1 10oct95)
To: firewalls@GreatCircle.COM
Subject: hung ftp processes?
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We've got a wu-ftp based ftp server setup. We're using a screening router as part of our firewall. We're currently blocking all new TCP session packets with source address > 1023 and dest address > 1023. As a result, PASV ftp sessions will fail.

The problem we're having is that our ftp starts accumulating what appear to be hung ftp processes, with a status of 'RETR'.
These just keep accumulating until our ftp max session limit is hit, and then users can no longer ftp into the site. My guess is that these are failed PASV ftp sessions from Web browers like netscape, but I'm not certain. I was wondering whether anyone has had experience with this type of problem, and whether they have a solution. FYI, for security reasons, we are not willing to open up PASV ftp sessions... -- david r. coelho email: drc@ppt.COM personal productivity tools, inc http://www.ppt.com 14141 miranda rd voice: (415) 917-7000 los altos hills, ca 94022-2045 usa fax: (415) 917-7010 From firewalls-owner Sun Apr 14 02:55:27 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA02517 for firewalls-outgoing; Sat, 13 Apr 1996 21:30:50 -0700 (PDT) Received: from netcomsv.netcom.com (uucp5.netcom.com [163.179.3.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA02509 for ; Sat, 13 Apr 1996 21:30:42 -0700 (PDT) Received: from kingtut.UUCP by netcomsv.netcom.com with UUCP (8.6.12/SMI-4.1) id VAA22437; Sat, 13 Apr 1996 21:12:28 -0700 Received: from auspex.ivac_eng (auspex-e2) by kingtut (4.1/SMI-4.1) id AA09463; Sat, 13 Apr 96 21:02:12 PDT Received: from kingtut by auspex.ivac_eng (4.1/SMI-4.1) id AA01298; Sat, 13 Apr 96 21:02:12 PDT Received: from relay7.UU.NET by netcomsv.netcom.com with ESMTP (8.6.12/SMI-4.1) id UAA29437; Sat, 13 Apr 1996 20:45:44 -0700 Received: from miles.greatcircle.com by relay7.UU.NET with ESMTP id QQalis28621; Sat, 13 Apr 1996 23:38:53 -0400 (EDT) Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA28976 for firewalls-outgoing; Fri, 12 Apr 1996 04:08:34 -0700 (PDT) Received: from mail.RC.Toronto.on.ca (rcooper.the-wire.com [198.53.192.91]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA28945 for ; Fri, 12 Apr 1996 04:07:54 -0700 (PDT) Received: from rwcooper.47.206.205.in-addr.arpa ([205.206.47.2]) by mail.RC.Toronto.on.ca 
(post.office MTA v1.9.3 evaluation license) with SMTP id AAA225; Fri, 12 Apr 1996 07:05:41 -0400 Received: by rwcooper.47.206.205.in-addr.arpa with Microsoft Mail id <01BB283D.42D9B2A0@rwcooper.47.206.205.in-addr.arpa>; Fri, 12 Apr 1996 06:57:06 -0400 Message-Id: <01BB283D.42D9B2A0@rwcooper.47.206.205.in-addr.arpa> From: Russ To: "firewalls@GreatCircle.com" , "'Paul Ferguson'" Subject: RE: Network Engineering Technologies Announces $10,000 Firewall Challenge Date: Fri, 12 Apr 1996 06:57:04 -0400 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk "In the case of multiple break-ins, the first person sending the correct information to NET's e-mail address will be declared the winner." Guess an intelligent hacker would simply sniff their email until a message with an answer appeared and replace the headers with their own, why bother with the secure transaction server at all??? Cheers, Russ From firewalls-owner Sun Apr 14 02:56:55 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA14430 for firewalls-outgoing; Fri, 12 Apr 1996 12:32:52 -0700 (PDT) Received: from whiz.mfi.com (whiz.mfi.com [198.71.19.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA14422 for ; Fri, 12 Apr 1996 12:32:48 -0700 (PDT) Received: from ccmail.mfi.com by whiz.mfi.com (AIX 3.2/UCB 5.64/4.03) id AA17701; Fri, 12 Apr 1996 12:18:21 -0700 Received: from ccMail by mfi.com id AA829337004 Fri, 12 Apr 96 12:23:24 PST Date: Fri, 12 Apr 96 12:23:24 PST From: "Power, Richard" Message-Id: <9603128293.AA829337004@mfi.com> To: Firewalls@GreatCircle.COM Subject: Re: Firewalls-Digest V5 #226 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Free firewall product matrix available from CSI SAN FRANCSICO -- Firewall revenues are estimated to surge from $160 million in 1995 to $980 million in 2000. But a recent CSI survey shows that 30% of Internet-based intrusions occured with a firewall installed. 
Clearly, there is a vital need for better information on which to make buying decisions. The CSI 1996 Firewall Product Matrix is a practical tool. The comprehensive evaluation of 22 different firewall products covers every feature of firewall design: e.g., administration, reports, alarms, encryption, training costs. It even lists proxies, gateways and servers. "You should be leery of vendor-sponsored evaluations," says Richard Power, CSI editor, "They lack the real-world perspective of practitioners. Our matrix was developed with input from both actual practitioners and leading independent experts in the field." "This year's firewall matrix attempts to pick out the areas that indicate a product's capabilities in filtering out attacks while passing other data through transparently," says Rik Farrow, a leading authority on Internet and UNIX security who worked on the matrix. "We looked for indications of flexibility that do not come at the expense of security. We want to provide you with a good starting point on your search." To obtain a free copy of the CSI 1996 Firewall Product Matrix, e-mail your address to prapalus@mfi.com, phone 415/905-2310 or fax 415/905-2218. This document is not available electronically. ### Computer Security Institute is the oldest international membership organization specifically serving the information security professional. Established in 1974, CSI has thousands of members worldwide and provides a wide variety of information and educational programs to assist practitioner in protecting the information assets of corporations and governmental organizations. 
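The screening-router rule in David Coelho's "hung ftp processes?" post above (drop every new TCP session whose source and destination ports are both above 1023) can be walked through against the two FTP data-connection modes to see exactly why PASV transfers leave a server process parked in RETR. The model below is an added example, not code from the thread or from wu-ftpd; the port numbers are constructed, and the optional `pasv_range` refinement assumes an FTP server that can be pinned to a fixed passive port range, which the post does not say was available to him.

```python
"""Model of the screening-router rule from the 'hung ftp processes?' post.

Constructed example: port numbers are made up; only the FTP conventions
(21 = control port, 20 = active-mode data source port) are real.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FTP_CONTROL_PORT = 21
FTP_ACTIVE_DATA_PORT = 20
PRIVILEGED_MAX = 1023          # the rule in the post keys on ports > 1023


@dataclass(frozen=True)
class SessionStart:
    """The first (SYN) packet of a new TCP session as the router sees it."""
    src_port: int
    dst_port: int
    inbound: bool              # True: arriving from the Internet toward the server


def router_permits(pkt: SessionStart,
                   pasv_range: Optional[Tuple[int, int]] = None) -> bool:
    """Apply the post's rule: drop new inbound sessions with both ports > 1023.

    pasv_range is an assumed refinement, not something the post describes:
    if the FTP server can be made to announce passive ports only inside
    (low, high), the router can permit that one slice of high-to-high traffic
    instead of opening everything above 1023.
    """
    if not pkt.inbound:
        return True            # outbound session starts are not screened here
    if pkt.src_port > PRIVILEGED_MAX and pkt.dst_port > PRIVILEGED_MAX:
        if pasv_range is not None and pasv_range[0] <= pkt.dst_port <= pasv_range[1]:
            return True
        return False
    return True


def ftp_retr(mode: str, client_port: int, server_data_port: int = 0,
             pasv_range: Optional[Tuple[int, int]] = None) -> dict:
    """Walk one RETR through the router and report what happens to the server process.

    mode == "active":  client sends PORT; server dials out from port 20 to client_port.
    mode == "passive": server answers PASV with server_data_port; client dials in.
    """
    control = SessionStart(client_port, FTP_CONTROL_PORT, inbound=True)
    if mode == "active":
        data = SessionStart(FTP_ACTIVE_DATA_PORT, client_port, inbound=False)
    elif mode == "passive":
        data = SessionStart(client_port, server_data_port, inbound=True)
    else:
        raise ValueError(f"unknown FTP mode: {mode}")

    control_ok = router_permits(control, pasv_range)
    data_ok = control_ok and router_permits(data, pasv_range)
    # In passive mode the server child has already answered "227 Entering
    # Passive Mode" and read the RETR command before the client's data SYN is
    # dropped, so it sits waiting for a data connection that never arrives:
    # that is the process with status RETR that the post sees piling up.
    hung_retr = control_ok and not data_ok
    return {"control": control_ok, "data": data_ok, "hung_retr": hung_retr}


def count_hung(results: List[dict]) -> int:
    """How many server processes a batch of transfers would leave stuck in RETR."""
    return sum(1 for r in results if r["hung_retr"])


if __name__ == "__main__":
    # Constructed traffic mix: two browsers using PASV, one classic client using PORT.
    batch = [
        ftp_retr("passive", client_port=1234, server_data_port=40001),
        ftp_retr("passive", client_port=2345, server_data_port=40002),
        ftp_retr("active", client_port=3456),
    ]
    for r in batch:
        print(r)
    print("stuck in RETR:", count_hung(batch))   # 2 under the post's rule
```

Active-mode transfers pass because the server dials out from port 20, so only the PASV attempts accumulate as hung RETR children; counting them against the server's session limit gives a quick way to confirm the diagnosis from a process listing.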
From firewalls-owner Sun Apr 14 04:14:05 1996
From: Joe Greco
Message-Id: <199604111333.IAA15530@brasil.moneng.mei.com>
Subject: Re: Solaris2.5 and BSD* - Facts
To: djr@saa-cons.co.uk (Dave Roberts)
Date: Thu, 11 Apr 1996 08:33:43 -0500 (CDT)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: from "Dave Roberts" at Apr 10, 96 11:58:52 am

> The last thing I want to do is start an O/S flame war, I think we've had
> far too many of those already. What I am looking for are bare honest
> facts.

Not reasonable :-)  Most things are opinions. As are mine:

> I need to put in a bastion host to handle the proxying, DNS stuff, etc. I
> would like to put this onto a pee-cee running BSD (either FreeBSD or
> BSDOS2.0). However, someone above me in the chain of things wants me to
> use a SparcServer running Solaris 2.5. I claimed that BSD was better
> suited for the purpose, and he said prove it.
>
> AFAIK, the facts stand as follows (please correct me if I am wrong).
> BSD offers the immutable flag - Solaris does not.

True.

> BSD gives me source code - Solaris does not.

False. You just have to pay an unreasonably high sum of money to obtain the
source (IMHO). I've seen the source for both.

> BSD allows me to compile stuff (ls etc) with static libs - Solaris does
> not (if I remember a thread a while ago).

Solaris will allow you to compile anything you want with static libs - but it
gets sticky if you want anything that requires the nsswitch library. That
would include most of the operations that do any sort of name lookup, DNS,
getpwent stuff, etc. You can work around it, but it's a bear, and the
solutions are all very ugly, at least the ones I've seen.

> That's all I can think of. Please don't mail back with arguments about
> having source code or not, or static libraries vs dynamic, think those
> have been beaten to death :)

Issue 4: Performance. Given identical hardware (FreeBSD vs Solaris X86),
Solaris X86 is noticeably slower and requires more resources (CPU, RAM) in
order to perform similarly. My interpretation of this is that it is caused by
the endlessly "elegant" layering and modularization in the Solaris kernel. And
anyone who has run SunOS 4.1.3 and Solaris 2.4 on a SPARC IPC will tell you
the slowdown is readily apparent on SPARC machines as well.

Issue 5: Reliability. My "stable and reliable" OS of choice for demanding
applications (i.e. news) remains SunOS 4.1*. FreeBSD has always been
"reasonably stable" in my opinion, but the ability to gain a month of uptime
running a demanding application like news really didn't exist a year ago.
FreeBSD is a rapidly evolving OS, and as I've watched it mature, the
reliability factor has increased dramatically. At the current rate, I suspect
it will pass up SunOS 4.1* in my book within a year. For less demanding
applications, i.e. firewalls, routing, DNS, mail, etc., FreeBSD is already as
reliable as anyone could ask for. :-)

Solaris seems to have various less-obvious problems that will tend to classify
a box running a particular application as being "very stable" (i.e. will run
forever), "reasonably stable" (will run for a week or two), or "somewhat
unstable" (crashes unpredictably). I've had a devil of a time trying to
support that statement with facts, I am looking mainly at uptimes.

Issue 6: Support. You get paid support (or can get it, at least) with
Solaris. You may have to work at it to get support for FreeBSD.

> What I would like are facts from people that have experience with both
> systems, or something that people with one of those systems feel is a big
> bonus, or a big headache. I'm assuming all the tools I want compile
> equally well on both systems (whatever kind of libs are used).

Bad assumption.

Also, I am unhappy with Sun's divergence from traditional UNIX standards. For
example, the inclusion of ACLs in Solaris 2.5...

There is no clear cut winner. Both sides have strong advantages and
disadvantages. You will need to evaluate, maybe even test, and arrive at your
own conclusions.

Some people have told me that I am very skewed towards FreeBSD, by the way,
but I just don't see it in myself. I've _chosen_ to use FreeBSD for almost
all of my applications because of the strong advantages that it holds for me.
The disadvantages are minimal inconveniences _to_me_. This may not be true
for other organizations.

... Joe
-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                             jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                         414/546-7968

From firewalls-owner Sun Apr 14 04:29:58 1996
From: "Myers, Bill"
To: "firewalls-digest@GreatCircle.COM", "'Richard_Tatem@notesgw.hns.com'"
Subject: RE: Sign Off
Date: Fri, 12 Apr 1996 10:41:00 -0700
Message-Id: <96Apr12.112102mst.30723@ksddns.kyrene.k12.az.us>

How do you get off this list? I have tried the majordomo and I still get mail
even though it says I'm not on the list.

----------
From: Richard_Tatem@notesgw.hns.com[SMTP:Richard_Tatem@notesgw.hns.com]
Sent: Thursday, April 11, 1996 11:09 AM
To: firewalls-digest@GreatCircle.COM
Subject: Sign Off

sign off rtatem@hns.com

From firewalls-owner Sun Apr 14 04:43:47 1996
From: Greg Brennan
To: firewalls mailing list
Subject: FW: 3 ethernet router?
Date: Thu, 11 Apr 96 10:01:00 CDT
Message-Id: <316D1EF6@mnbp.network.com>

Try the Security Router from Network Systems Corp. The SR04 model comes with 4
ethernet ports and the industry's highest performance filtering software
(NetSentry) which can do filtering from layers 2 through 7. Great logging and
audit trail capabilities too. Home page at http://www.network.com

- Greg Brennan
  Network Systems Corp.

----------
From: firewalls-owner
To: firewalls
Subject: 3 ethernet router?
Date: April 8, 1996 06:05PM

I'd like to implement a bastion type firewall. Most routers are available with
1 or 2 ethernet interfaces and a sync serial poe port. Where can I get a low
cost filtering router with 3 ethernet interfaces?

joe
joe@via.net

From firewalls-owner Sun Apr 14 04:58:47 1996
Date: Thu, 11 Apr 1996 20:06:25 -0500
To: firewalls@greatcircle.com
From: jvelasco@ucsg.edu.ec (Martín Velasco)
Subject: Firewalls evaluation

Hi.

Please forgive my ignorance regarding this topic, which I think has been
treated before.

When you build a new system -any kind-, one of the ways to evaluate it is to
have a group of "tests" or "tasks" to be done, first without the new system,
then using the new system, and then comparing the results. I think this is a
common part of any system evaluation.

When you test a firewall, can you use this same kind of evaluation? What
should you consider when having this evaluation? What's the best way to prove
(to others) that your firewall (or any firewall) will protect their network
from external threats? It should be easily understandable having a network of
Unix machines, but what about NT, Win95 or mixed networks?

Thanks in advance to you all.
-Martin Velasco

From firewalls-owner Sun Apr 14 05:13:52 1996
From: Boyd Roberts
Date: Fri, 12 Apr 1996 09:36:04 GMT
To: sameer@wiproge.med.ge.com, firewalls@GreatCircle.COM, Jasjit_K_Singh@amrcorp.com
Subject: Re: UUCP vs. Anonymous FTP
In-Reply-To: <9604110033.AA29165@wiproge.med.ge.com>
Message-Id: <199604120936.11160.fw.bafem@france3.fr>

> From: sameer@wiproge.med.ge.com
>
> Hi, I think UUCP is anyday more secure than anonymous ftp and better if
> you are using all ...

that's an interesting statement. in '87 i was almost convinced to write a
uucp worm, based on the premise that many uucp setups allow remote execute
via mail. i decided against it.

From firewalls-owner Sun Apr 14 05:26:06 1996
Date: Fri, 12 Apr 1996 15:58:30 -0400 (EDT)
From: Mike Eddington
To: "S.Ramalingam"
Cc: firewalls-digest@GreatCircle.COM, ram@adiblr1.soft.net
Subject: Re: internet connection

the only way to control access based on IP would be if everyone accessed the
net through one computer, "their" computer, and had static IPs. Then you
would only need to set up filtering on the router to allow only certain IPs
through. Notice you are blocking all and allowing some, not the other way
around.

On Thu, 11 Apr 1996, S.Ramalingam wrote:

>
> Hello
>
> We are having pentium machines running with PCNFSpro 1.1 windows version.
> In my company, we are having radiolink to access internet. Our Management
> does not want to give permission to everyone to access internet except
> for few people.
>
> Right now all the staff members are using netscape to use internet. We
> cannot control the staff members.
>
> We having router connected with RF link.
>
> IS THERE ANY WAY TO CONTROL THE PEOPLE TO ACCESS THE INTERNET BASED ON IP
> ADDRESS.
>
> Our default gateway is Router.
>
> Ramalingam
>
>

From firewalls-owner Sun Apr 14 05:28:50 1996
From: Phillippe Welsh
Message-Id: <199604111615.LAA05021@zot.cassens.com>
Subject: Re: UUCP vs. Anonymous FTP
To: tufa@lclsv.sfos.ro (Tufa Lucian)
Date: Thu, 11 Apr 1996 11:15:40 CDT
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Tufa Lucian" at Apr 11, 96 12:13 (noon)

On Tue, 9 Apr 1996, Jasjit K Singh wrote:
>
> Hi,
>
> We are planning to replace UUCP with anonymous
> FTP for transferring files. I would like to get
> information on security issues of anonymous FTP
> and the do's and don't's. What are the benefits
> of this and what is the latest release of
> anonymous FTP that is considered stable and safe
> enough. Any information will be welcome. Thanks!!

Check out "How to set up a Secure Anonymous FTP Site" FAQ from:

http://iss.net/sec_info/anonftp.html

-- 
Internet:            | Phillippe J. Welsh     |
welshpj@cassens.com  | Cassens Transport      | Std disclaimers apply.
Voice:               | 145 N. Kansas Str.     | (But you knew that!)
                     | Edwardsville, IL 62025 |

From firewalls-owner Sun Apr 14 06:13:57 1996
From: Rudy Amid
Message-Id: <199604140623.CAA12187@mhinside.hcl.com>
Subject: Re: Firewalls-Digest V5 #147 -Reply
To: Firewalls@GreatCircle.COM
Date: Sun, 14 Apr 1996 02:23:54 -0400 (EDT)
In-Reply-To: from "Tom James" at Apr 11, 96 05:28:58 pm

Could SOMEONE turn off this guy's answering machine!!!!?

An excerpt from Tom James message:

>
> I will be out of the office from 4/12 thru 4/19.
> All mail will be handled upon my return.
>
> Regards
> Tom James
>
>

-- 
Rudy Amid (rudy@hcl.com)                 [Home URL] http://www.warped.com/~radix
Systems Administrator                    #include
Hummingbird Communications, Ltd.         "We're IT!" -MIS Dept.
1 Sparks Ave. Toronto, Canada. M2H 2W1.  416-496-2200
[URL] http://www.hcl.com

From firewalls-owner Sun Apr 14 06:43:57 1996
From: peter@nmti.com (Peter da Silva)
Message-Id: <9604140138.AA15036@sonic.nmti.com.nmti.com>
Subject: Re: Solaris2.5 and BSD* - Facts
To: jehamby@lightside.com (Jake Hamby)
Date: Sat, 13 Apr 1996 20:38:11 -0500 (CDT)
Cc: djr@saa-cons.co.uk, Firewalls@GreatCircle.COM
In-Reply-To: from "Jake Hamby" at Apr 11, 96 10:16:31 am

> Finally, you'll want to consider the ultimate reliability of a PC. With a
> Sun you're getting all workstation-grade components which could lead to
> less down-time and quicker repairs (if you have a hardware maintenance
> contract). Not that a PC is unreliable, but if you choose a PC, by all
> means get a "workstation-g